GitHub ActionsからTerraform Planするお話

c$0/'*%&/5*"- (JU)VC"DUJPOT͔Β5FSSBGPSN1MBO͢Δ͓࿩

c$0/'*%&/5*"- c$0/'*%&/5*"- ໨࣍ $*Ͱ1MBO͢ΔϝϦοτ $*Ͱ1MBO͢ΔͨΊͷઃఆ 1MBO࣮ߦͷྲྀΕ

c$0/'*%&/5*"- | CONFIDENTIAL 1MBO͢ΔϝϦοτ • ࣮ߦ؀ڥͷ࠶ݱੑΛ޲্ͤ͞ΒΕΔ • ΠϯϑϥͷҰ؏ੑҡ࣋ͱυϦϑτݕ஌͕ Ͱ͖Δ •
ґଘؔ܎ͷΞοϓσʔτ͕͠΍͘͢ͳΔ 3

c$0/'*%&/5*"- ࣮ߦ؀ڥͷ࠶ݱੑΛ޲্ͤ͞ΒΕΔ (JU)VC"DUJPOT͔Β5FSSBGPSN1MBO͢Δ͓࿩ c1MBO͢ΔϝϦοτ ͨ·ʹ͋Δ໰୊"͞Μͷ؀ڥͰ͸1MBOͰ͖Δͷʹɺ#͞Μͷ؀ڥͰ͸1MBOͰ͖ͳ͍ • ೝূͷ໰୊ • ݖݶͷ໰୊
• ؀ڥͷ໰୊ • WBSJBCMFTͷઃఆ஋ͷ໰୊ • FUDʜ (JU)VCͷೝূΤϥʔͰ஄͔Ε͍ͯΔ

c$0/'*%&/5*"- ࣮ߦ؀ڥͷ࠶ݱੑΛ޲্ͤ͞ΒΕΔ (JU)VC"DUJPOT͔Β5FSSBGPSN1MBO͢Δ͓࿩ c1MBO͢ΔϝϦοτ 1MBO͢ΔͨΊʹඞཁͳ؀ڥ͕໌ࣔ͞ΕΔΑ͏ʹͳΔ • $*্Ͱ1MBO͢ΔͨΊʹඞཁͳ४උΛશͯߦ͏ඞཁ͕͋Δ • ͦͷͨΊʹ͸1MBO͢ΔͨΊͷೝূɺݖݶɺ؀ڥΛ͢΂ͯ༻ҙ͠ઃఆ͍ͯ͠Δ͸ͣ

c$0/'*%&/5*"- ΠϯϑϥͷҰ؏ੑҡ࣋ͱυϦϑτݕ஌͕Ͱ͖Δ (JU)VC"DUJPOT͔Β5FSSBGPSN1MBO͢Δ͓࿩ c1MBO͢ΔϝϦοτ 5FSSBGPSNͷ಺༰ͱ࣮ࡍͷϦιʔεͷঢ়ଶ͕Ұக͍ͯ͠Δ͜ͱΛ֬ೝ͢Δػձ͕૿΍ͤΔ • Ұக͍ͯ͠ͳ͍ͱ"QQMZͰઃఆ͕ר͖໭ͬͯ͠·͏Մೳੑ • खಈͰมߋ͍ͯͨ͠ͷͰ͋Ε͹ඞཁͳมߋͰ͸
• ͜ͷঢ়ଶͰ͸৽نʹ։ൃ͢Δ͜ͱ͕೉͍͠ εέδϡʔϥʔ͕ແޮʹͳ͍ͬͯΔ͕ ͜Ε͸༗ޮʹͯ͠΋0, ͦΕͱ΋ແޮͷ··͕Α͍

c$0/'*%&/5*"- ґଘؔ܎ͷΞοϓσʔτ͕͠΍͘͢ͳΔ (JU)VC"DUJPOT͔Β5FSSBGPSN1MBO͢Δ͓࿩ c1MBO͢ΔϝϦοτ ओͳґଘؔ܎ͷ1SPWJEFSΛߋ৽ͤ͞ଓ͚ΒΕΔ • 1SPWJEFSͷߋ৽͕͋ͬͨࡍʹɺରԠ͕ඞཁ͔ͦͷ··ద༻Ͱ͖Δ͔൑அͰ͖Δ • 1MBOͰ/PDIBOHFTͰ͋Ε͹ద༻ͯ͠໰୊ͳ͍৔߹͕ଟ͍
• $IBOHF͕͋Ε͹࢓༷͕มΘ͍ͬͯΔՄೳੑ͕͋Δ • 3FOPWBUF΍%FQFOEBCPUͰࣗಈϚʔδ·Ͱ͍࣋ͬͯ͘͜ͱ΋Մೳ

c$0/'*%&/5*"- | CONFIDENTIAL $*Ͱ1MBO͢ΔͨΊͷઃఆ • ࣮ߦ؀ڥͷઃఆ • ೝূͷઃఆ • ݖݶͷઃఆ
8

c$0/'*%&/5*"- ࣮ߦ؀ڥͷઃఆ (JU)VC"DUJPOT͔Β5FSSBGPSN1MBO͢Δ͓࿩ c$*Ͱ1MBO͢ΔͨΊͷઃఆ • 5FSSBGPSN • AIBTIJDPSQTFUVQUFSSBGPSNAͷ"DUJPOTͰΠϯετʔϧՄೳ •
όʔδϣϯͷࢦఆ͸͓޷ΈͰʜ • EFUBJMFEFYJUDPEFͷΦϓγϣϯͱͷ૬ੑ͕ѱ͍Α͏ͳͷͰ UFSSBGPSN@XSBQQFS͸GBMTFʹ - uses: hashicorp/setup-terraform@v3 with: terraform_wrapper: 'false'

c$0/'*%&/5*"- ೝূͷઃఆ (JU)VC"DUJPOT͔Β5FSSBGPSN1MBO͢Δ͓࿩ c$*Ͱ1MBO͢ΔͨΊͷઃఆ • "84 • ABXTBDUJPOTDPOGJHVSFBXTDSFEFOUJBMTA ͷ"DUJPOΛ࢖༻͠
0*%$ʹΑΔೝূΛ࢖༻ • 8PSLGMPXʹ͓͚ΔQFSNJTTJPOTʹɺJEUPLFOXSJUFΛઃఆ͢Δ͜ͱ • NBTLBXTBDDPVOUJEΛUSVFʹ͢ΔͱΞΧ΢ϯτ൪߸ΛӅͯ͘͠ΕΔ - uses: aws-actions/configure-aws-credentials@v4 with: aws-region: 'us-east-1' role-to-assume: ${{ secrets.AWS_TERRAFORM_PLANNER_ROLE }} role-session-name: 'TerraformCheck' mask-aws-account-id: true retry-max-attempts: 3

c$0/'*%&/5*"- ೝূͷઃఆ (JU)VC"DUJPOT͔Β5FSSBGPSN1MBO͢Δ͓࿩ c$*Ͱ1MBO͢ΔͨΊͷઃఆ • (PPHMF$MPVE • AHPPHMFHJUIVCBDUJPOTBVUIAͷ"DUJPOΛ࢖༻͠0*%$ʹΑΔೝূΛ࢖༻ •
8PSLGMPXʹ͓͚ΔQFSNJTTJPOTʹɺJEUPLFOXSJUFΛઃఆ͢Δ͜ͱ • QSPKFDU*EΛӅ͍ͨ͠৔߹͸(JU)VC"DUJPOTͷ4FDSFUTʹొ࿥ͷ্ɺ 8PSLGMPXͷதͰ 4FDSFUΛࢀর͢Δඞཁ͕͋Δ • $IFDLPVUͨ͠௚Լʹೝূ༻ͷϑΝΠϧΛ࡞੒͢ΔͷͰ஫ҙ HIBDSFET DCKTPOͷΑ͏ͳϑΝΠϧ • ͜ͷϑΝΠϧ͕࿙Εͯ΋௚ͪʹӨڹ͕͋ΔΘ͚Ͱ͸ͳ͍ • ίϛοτࢦఆͳϑΝΠϧ͕૿͑ΔͷͰHJUEJGGͳͲͰҾ͔͔ͬΔ͜ͱ͕͋Δ - uses: google-github-actions/auth@v2 with: workload_identity_provider: ${{secrets.GOOGLE_CLOUD_IDENTITY_PROVIDER}} service_account: ${{secrets.GOOGLE_CLOUD_TERRAFORM_PLANNER_SERVICE_ACCOUNT}}

c$0/'*%&/5*"- ೝূͷઃఆ (JU)VC"DUJPOT͔Β5FSSBGPSN1MBO͢Δ͓࿩ c$*Ͱ1MBO͢ΔͨΊͷઃఆ • (JU)VC • ABDUJPOTDSFBUFHJUIVCBQQUPLFOAͷ"DUJPOΛ࢖༻͠"QQ*EͱൿີݤͰ5PLFOΛ࡞੒ •
3FQPTJUPSZ΍0SHBOJ[BUJPOͷઃఆΛ͍ͨ͠ࡍʹ࢖༻͢Δ • "DUJPOTͷ4FDSFU΍&OWJSPONFOUͳͲ • 5FSSBGPSNଆͷ1SPWJEFSͷઃఆͰ"QQΛ࢖͏ઃఆʹ΋Ͱ͖Δ͕ɺJOTUBMMBUJPOJE͕ඞཁ ͳͷͰ஫ҙ - id: generate-token uses: actions/create-github-app-token@v2 with: app-id: ${{ steps.get-secrets.outputs.app_id }} # from Secret Manager private-key: ${{ steps.get-secrets.outputs.pem }} # from Secret Manager owner: ${{ github.repository_owner }}

c$0/'*%&/5*"- ೝূͷઃఆ (JU)VC"DUJPOT͔Β5FSSBGPSN1MBO͢Δ͓࿩ c$*Ͱ1MBO͢ΔͨΊͷઃఆ • ଞ • αʔϏεʹΑͬͯҟͳΔ͕ɺ"1*,FZͳͲΛઃఆ •
"1* ,FZ͸"DUJPOTͷ4FDSFU΍ɺΫϥ΢υͷ4FDSFU.BOBHFSͳͲ͔Β࣋ͬͯ͘Δ ͜ͱʹͳΓͦ͏ • "84ʹอଘ͍ͯ͠Ε͹ɺFQIFNFSBM CMPDLͰҾͬு͖ͬͯͯɺ1SPWJEFSͷઃఆʹ࢖༻ ͢Δ͜ͱ΋Ͱ͖Δ • (PPHMF $MPVEͷ4FDSFU.BOBHFS͸FQIFNFSBM SFTPVSDFͷ࣮૷͕ͳ͍ʜ ephemeral "aws_ssm_parameter" "cloudflare_token" { arn = local.cloudflare_token_arn } provider "cloudflare" { api_token = ephemeral.aws_ssm_parameter.cloudflare_token.value }

c$0/'*%&/5*"- ݖݶͷઃఆ (JU)VC"DUJPOT͔Β5FSSBGPSN1MBO͢Δ͓࿩ c$*Ͱ1MBO͢ΔͨΊͷઃఆ • ඞཁͳݖݶ • 4UBUFϑΝΠϧͷಡΈࠐΈॻ͖ࠐΈͷݖݶ •
"QQMZ͢ΔͳΒॻ͖ࠐΈ͕ඞਢɻ1MBO͚ͩͳΒಡΈࠐΈͰ0, • ,.4Ͱ҉߸Խ͍ͯ͠ΔͳΒͦͷؔ࿈΋ඞཁ • -PDLʹؔ͢Δݖݶ • 1MBO࣌ʹ-PDL͠ͳ͍ MPDLGBMTF ͳΒෆཁ • ॻ͖ࠐΈͷݖݶͰ͋Δ͜ͱ͕ଟ͍ • "84ͳΒ4͔%ZOBNP%# • (PPHMF $MPVEͳΒ$MPVE4UPSBHF • 1MBO͢ΔϦιʔεʹؔ͢Δݖݶ

c$0/'*%&/5*"- ݖݶͷઃఆ (JU)VC"DUJPOT͔Β5FSSBGPSN1MBO͢Δ͓࿩ c$*Ͱ1MBO͢ΔͨΊͷઃఆ • 1MBO͢ΔϦιʔεʹؔ͢Δݖݶ • ࠷খݖݶͷݪଇΛकΕΔͷͰ͋Ε͹ͦΕ͕Ұ൪ •
ϚωʔδυͳݖݶΛઃఆ͢Δͷ͕؆୯ ΞΫηεͤͨ͘͞ͳ͍΋ͷ͸%FOZ͢ΔͳͲ • "84ͳΒ3FBE0OMZ"DDFTTͷϙϦγʔ • 44.1BSBNFUFSͷ಺༰͕ಡΊΔͷͰ஫ҙ • (PPHMF$MPVEͳΒӾཡऀͷϩʔϧ • ͲͪΒ΋4FDSFU.BOBHFSͷ಺༰͸ಡΊͳ͍ • ࣮ࡍʹ࢖͏ࡍʹ͸Α͘ௐ͔ࠪͯ͠Β

c$0/'*%&/5*"- | CONFIDENTIAL 1MBO࣮ߦͷྲྀΕ ೝূͷ४උ UFSSBGPSNJOJU UFSSBGPSNQMBO
16

c$0/'*%&/5*"- ೝূͷ४උ (JU)VC"DUJPOT͔Β5FSSBGPSN1MBO͢Δ͓࿩ c1MBO࣮ߦͷྲྀΕ • ͜Ε·ͰͰઃఆͨ͠ೝূΛ࢖༻͍ͯ͘͠

c$0/'*%&/5*"- UFSSBGPSNJOJU (JU)VC"DUJPOT͔Β5FSSBGPSN1MBO͢Δ͓࿩ c1MBO࣮ߦͷྲྀΕ ͜ΕͰ(#ऑͷ1SPWJEFS͕഑ஔ͞ΕΔɻ"84 1SPWJEFS͕.#Ҏ্

c$0/'*%&/5*"- UFSSBGPSNJOJU (JU)VC"DUJPOT͔Β5FSSBGPSN1MBO͢Δ͓࿩ c1MBO࣮ߦͷྲྀΕ • 1SPWJEFSΛμ΢ϯϩʔυ͍ͯ͘͠ • ਺ඦ.#͋ΔͷͰɺ௨৴ྔʹ͸ؾΛ෇͚Δ •
4FMG)PTUFE3VOOFSͷ৔߹ͳͲ • 1SPWJEFSΛΩϟογϡ͢Δͱμ΢ϯϩʔυճ਺͕ݮΔ • 5'@1-6(*/@$"$)&@%*3 ͷࢦఆͰ࢖༻Մೳ

c$0/'*%&/5*"- UFSSBGPSNQMBO (JU)VC"DUJPOT͔Β5FSSBGPSN1MBO͢Δ͓࿩ c1MBO࣮ߦͷྲྀΕ UFSSBGPSNQMBOEFUBJMFEFYJUDPEF MPDLGBMTF • ϑΝΠϧʹॻ͖ग़͢৔߹͸ OPDPMPS΋͚ͭΔͷ͕͓͢͢Ί
• MPDL͢Δઃఆͩͱɺ3FOPWBUFͳͲͰҰ੪ʹ1SPWJEFS͕ߋ৽͞Εͨࡍʹ1MBOʹࣦഊ͢Δ

c$0/'*%&/5*"- | CONFIDENTIAL 21

GitHub ActionsからTerraform Planするお話

GitHub ActionsからTerraform Planするお話

Kohei Kojima

More Decks by Kohei Kojima

Other Decks in Technology

Featured

Transcript

c$0/'%&/5"- (JU)VC"DUJPOT͔Β5FSSBGPSN1MBO͢Δ͓࿩

c$0/'%&/5"- c$0/'%&/5"- ໨࣍ $Ͱ1MBO͢ΔϝϦοτ $Ͱ1MBO͢ΔͨΊͷઃఆ 1MBO࣮ߦͷྲྀΕ

c$0/'%&/5"- | CONFIDENTIAL 1MBO͢ΔϝϦοτ • ࣮ߦ؀ڥͷ࠶ݱੑΛ޲্ͤ͞ΒΕΔ • ΠϯϑϥͷҰ؏ੑҡ࣋ͱυϦϑτݕ஌͕ Ͱ͖Δ •

c$0/'%&/5"- ࣮ߦ؀ڥͷ࠶ݱੑΛ޲্ͤ͞ΒΕΔ (JU)VC"DUJPOT͔Β5FSSBGPSN1MBO͢Δ͓࿩ c1MBO͢ΔϝϦοτ ͨ·ʹ͋Δ໰୊"͞Μͷ؀ڥͰ͸1MBOͰ͖Δͷʹɺ#͞Μͷ؀ڥͰ͸1MBOͰ͖ͳ͍ • ೝূͷ໰୊ • ݖݶͷ໰୊

c$0/'%&/5"- ґଘؔ܎ͷΞοϓσʔτ͕͠΍͘͢ͳΔ (JU)VC"DUJPOT͔Β5FSSBGPSN1MBO͢Δ͓࿩ c1MBO͢ΔϝϦοτ ओͳґଘؔ܎ͷ1SPWJEFSΛߋ৽ͤ͞ଓ͚ΒΕΔ • 1SPWJEFSͷߋ৽͕͋ͬͨࡍʹɺରԠ͕ඞཁ͔ͦͷ··ద༻Ͱ͖Δ͔൑அͰ͖Δ • 1MBOͰ/PDIBOHFTͰ͋Ε͹ద༻ͯ͠໰୊ͳ͍৔߹͕ଟ͍

c$0/'%&/5"- | CONFIDENTIAL $*Ͱ1MBO͢ΔͨΊͷઃఆ • ࣮ߦ؀ڥͷઃఆ • ೝূͷઃఆ • ݖݶͷઃఆ

c$0/'%&/5"- ࣮ߦ؀ڥͷઃఆ (JU)VC"DUJPOT͔Β5FSSBGPSN1MBO͢Δ͓࿩ c$*Ͱ1MBO͢ΔͨΊͷઃఆ • 5FSSBGPSN • AIBTIJDPSQTFUVQUFSSBGPSNAͷ"DUJPOTͰΠϯετʔϧՄೳ •

c$0/'%&/5"- ೝূͷઃఆ (JU)VC"DUJPOT͔Β5FSSBGPSN1MBO͢Δ͓࿩ c$*Ͱ1MBO͢ΔͨΊͷઃఆ • "84 • ABXTBDUJPOTDPOGJHVSFBXTDSFEFOUJBMTA ͷ"DUJPOΛ࢖༻͠

c$0/'%&/5"- ೝূͷઃఆ (JU)VC"DUJPOT͔Β5FSSBGPSN1MBO͢Δ͓࿩ c$Ͱ1MBO͢ΔͨΊͷઃఆ • (PPHMF$MPVE • AHPPHMFHJUIVCBDUJPOTBVUIAͷ"DUJPOΛ࢖༻͠0%$ʹΑΔೝূΛ࢖༻ •

c$0/'%&/5"- ೝূͷઃఆ (JU)VC"DUJPOT͔Β5FSSBGPSN1MBO͢Δ͓࿩ c$Ͱ1MBO͢ΔͨΊͷઃఆ • (JU)VC • ABDUJPOTDSFBUFHJUIVCBQQUPLFOAͷ"DUJPOΛ࢖༻͠"QQEͱൿີݤͰ5PLFOΛ࡞੒ •

c$0/'%&/5"- ೝূͷઃఆ (JU)VC"DUJPOT͔Β5FSSBGPSN1MBO͢Δ͓࿩ c$Ͱ1MBO͢ΔͨΊͷઃఆ • ଞ • αʔϏεʹΑͬͯҟͳΔ͕ɺ"1,FZͳͲΛઃఆ •

c$0/'%&/5"- ݖݶͷઃఆ (JU)VC"DUJPOT͔Β5FSSBGPSN1MBO͢Δ͓࿩ c$*Ͱ1MBO͢ΔͨΊͷઃఆ • ඞཁͳݖݶ • 4UBUFϑΝΠϧͷಡΈࠐΈॻ͖ࠐΈͷݖݶ •

c$0/'%&/5"- ݖݶͷઃఆ (JU)VC"DUJPOT͔Β5FSSBGPSN1MBO͢Δ͓࿩ c$*Ͱ1MBO͢ΔͨΊͷઃఆ • 1MBO͢ΔϦιʔεʹؔ͢Δݖݶ • ࠷খݖݶͷݪଇΛकΕΔͷͰ͋Ε͹ͦΕ͕Ұ൪ •

c$0/'%&/5"- | CONFIDENTIAL 1MBO࣮ߦͷྲྀΕ ೝূͷ४උ UFSSBGPSNJOJU UFSSBGPSNQMBO

c$0/'%&/5"- ೝূͷ४උ (JU)VC"DUJPOT͔Β5FSSBGPSN1MBO͢Δ͓࿩ c1MBO࣮ߦͷྲྀΕ • ͜Ε·ͰͰઃఆͨ͠ೝূΛ࢖༻͍ͯ͘͠

c$0/'%&/5"- UFSSBGPSNJOJU (JU)VC"DUJPOT͔Β5FSSBGPSN1MBO͢Δ͓࿩ c1MBO࣮ߦͷྲྀΕ ͜ΕͰ(#ऑͷ1SPWJEFS͕഑ஔ͞ΕΔɻ"84 1SPWJEFS͕.#Ҏ্

c$0/'%&/5"- UFSSBGPSNJOJU (JU)VC"DUJPOT͔Β5FSSBGPSN1MBO͢Δ͓࿩ c1MBO࣮ߦͷྲྀΕ • 1SPWJEFSΛμ΢ϯϩʔυ͍ͯ͘͠ • ਺ඦ.#͋ΔͷͰɺ௨৴ྔʹ͸ؾΛ෇͚Δ •

c$0/'%&/5"- UFSSBGPSNQMBO (JU)VC"DUJPOT͔Β5FSSBGPSN1MBO͢Δ͓࿩ c1MBO࣮ߦͷྲྀΕ UFSSBGPSNQMBOEFUBJMFEFYJUDPEF MPDLGBMTF • ϑΝΠϧʹॻ͖ग़͢৔߹͸ OPDPMPS΋͚ͭΔͷ͕͓͢͢Ί

c$0/'%&/5"- | CONFIDENTIAL 21