Feature/maintenance 2024 04 12 2141 (#6)

* .terraformignoreをinfrastructureからルートディレクトリに移動

* ファイルを追加し、自動アサインを設定します。

* .+/pnpm-lock.yamlを除外します。

* matrixディレクトリでLambdaパッケージを作成します。

* Slack通知アクションを追加する。

* Add terraform-validate-outcome as output, update setup-tflint

* Add bridgecrewio to custom-words.txt

* "不要なステップを削除"

* インフラストラクチャ共通の手動ワークフローを追加する

* 名前を更新: インフラストラクチャー - 共通

* 手動 - インフラストラクチャ - サンドボックスを追加します。

* ファイル名を変更してワークフロー名を修正する

* 新しいTFCMT設定ファイルを追加します。

* 手動インフラストラクチャ共通ファイルを更新。

* インフラチェックワークフローを追加

* 新規ワークフローファイルを追加します

* インフラストラクチャの設定を追加します。

* Update working directory path to 'infrastructure'.

* インフラ差分チェックのワークフローを追加

* 環境名入力を削除しました。

* インフラストラクチャワークフローを削除

* AWS_ENV_NAMEに変更を加える。

* Add word "infrastucture" to custom-words.txt

* AWS_ENV_NAMEを削除します。

* 環境変数env_nameを削除します。

* スラックのユーザー名を更新する。

* インフラチェックワークフローを削除しました

* Slack通知の設定を更新する。

* AWS アカウント ID、環境名、Slack Webhook URL を追加。

* AWS_ACCOUNT_IDをinputsから参照するように変更

* 更新インフラストラクチャパスの取得方法を修正する- 一部のパスを変更- プラン実行時の変更前のパスを修正

* AWSのセキュリティチェックをスキップ設定を追加

* 新しいtfcmとgithub-commentをセットアップします。

* amplifyモジュールの環境設定を更新する。

* terraformファイルの変更をチェックするスクリプトをリネーム<commit message> 更新：terraformファイルの変更チェックスクリプト

* Terraformバージョンを読み取るコマンドを修正

* Checkov.yamlのスキップチェックを更新する

* Update script file modes to 100755

.checkov.yaml

@@ -0,0 +1,62 @@
+---
+skip-check:
+#   - CKV_AWS_18 # Ensure the S3 bucket has access logging enabled
+#   - CKV_AWS_19 # Ensure all data stored in the S3 bucket is securely encrypted at rest
+#   - CKV_AWS_21 # Ensure all data stored in the S3 bucket have versioning enabled
+#   - CKV_AWS_23 # Ensure every security groups rule has a description
+#   - CKV_AWS_28 # Ensure Dynamodb point in time recovery (backup) is enabled
+#   - CKV_AWS_41 # Ensure no hard coded AWS access key and secret key exists in provider
+#   - CKV_AWS_50 # X-ray tracing is enabled for Lambda
+#   - CKV_AWS_53 # Ensure S3 bucket has block public ACLS enabled
+#   - CKV_AWS_54 # Ensure S3 bucket has block public policy enabled
+#   - CKV_AWS_55 # Ensure S3 bucket has ignore public ACLs enabled
+#   - CKV_AWS_56 # Ensure S3 bucket has 'restrict_public_bucket' enabled
+#   - CKV_AWS_59 # Ensure there is no open access to back-end resources through API
+#   - CKV_AWS_66 # Ensure that CloudWatch Log Group specifies retention days
+#   - CKV_AWS_68 # CloudFront Distribution should have WAF enabled
+#   - CKV_AWS_73 # Ensure API Gateway has X-Ray Tracing enabled
+#   - CKV_AWS_107 # Ensure IAM policies does not allow credentials exposure
+#   - CKV_AWS_108 # Ensure IAM policies does not allow data exfiltration
+#   - CKV_AWS_109 # Ensure IAM policies does not allow permissions management / resource exposure without constraints
+#   - CKV_AWS_110 # Ensure IAM Ensure IAM policies does not allow privilege escalation
+#   - CKV_AWS_110 # Ensure IAM policies does not allow privilege escalation
+#   - CKV_AWS_111 # Ensure IAM policies does not allow write access without constraints
+#   - CKV_AWS_115 # Ensure that AWS Lambda function is configured for function-level concurrent execution limit
+#   - CKV_AWS_116 # Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)
+#   - CKV_AWS_117 # Ensure that AWS Lambda function is configured inside a VPC
+#   - CKV_AWS_119 # Ensure DynamoDB Tables are encrypted using a KMS Customer Managed CMK
+#   - CKV_AWS_120 # Ensure API Gateway caching is enabled
+#   - CKV_AWS_144 # Ensure that S3 bucket has cross-region replication enabled
+#   - CKV_AWS_145 # Ensure that S3 buckets are encrypted with KMS by default
+#   - CKV_AWS_149 # Ensure that Secrets Manager secret is encrypted using KMS CMK
+#   - CKV_AWS_158 # Ensure that CloudWatch Log Group is encrypted by KMS
+#   - CKV_AWS_173 # Check encryption settings for Lambda environmental variable
+#   - CKV_AWS_174 # Verify CloudFront Distribution Viewer Certificate is using TLS v1.2
+#   - CKV_AWS_181 # Ensure S3 Object Copy is encrypted by KMS using a customer managed Key (CMK)
+#   - CKV_AWS_192 # Ensure WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell
+#   - CKV_AWS_216 # Ensure Cloudfront distribution is enabled
+#   - CKV_AWS_233 # Ensure Create before destroy for ACM certificates
+#   - CKV_AWS_237 # Ensure Create before destroy for API GATEWAY
+#   - CKV_AWS_272 # Ensure AWS Lambda function is configured to validate code-signing
+#   - CKV_AWS_274 # Disallow IAM roles, users, and groups from using the AWS AdministratorAccess policy
+#   - CKV_AWS_300 # Ensure S3 lifecycle configuration sets period for aborting failed uploads
+#   - CKV_AWS_305 # Ensure CloudFront distribution has a default root object configured
+#   - CKV_AWS_310 # Ensure CloudFront distributions should have origin failover configured
+#   - CKV_AWS_337 # Ensure SSM parameters are using KMS CMK
+#   - CKV_AWS_338 # Ensure CloudWatch log groups retains logs for at least 1 year
+#   - CKV_AWS_356 # Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions
+#   - CKV2_AWS_4 # Ensure API Gateway stage have logging level defined as appropriate
+#   - CKV2_AWS_5 # Ensure that Security Groups are attached to another resource
+#   - CKV2_AWS_6 # Ensure that S3 bucket has a Public Access block
+#   - CKV2_AWS_16 # Ensure that Auto Scaling is enabled on your DynamoDB tables
+#   - CKV2_AWS_31 # Ensure WAF2 has a Logging Configuration
+#   - CKV2_AWS_32 # Ensure CloudFront distribution has a response headers policy attached
+#   - CKV2_AWS_34 # AWS SSM Parameter should be Encrypted
+#   - CKV2_AWS_38 # Ensure Domain Name System Security Extensions (DNSSEC) signing is enabled for Amazon Route 53 public hosted zones
+#   - CKV2_AWS_39 # Ensure Domain Name System (DNS) query logging is enabled for Amazon Route 53 hosted zones
+#   - CKV2_AWS_47 # Ensure AWS CloudFront attached WAFv2 WebACL is configured with AMR for Log4j Vulnerability
+#   - CKV2_AWS_51 # Ensure AWS API Gateway endpoints uses client certificate authentication
+#   - CKV2_AWS_53 # Ensure AWS API gateway request is validated
+#   - CKV2_AWS_57 # Ensure Secrets Manager secrets should have automatic rotation enabled
+#   - CKV2_AWS_61 # Ensure that an S3 bucket has a lifecycle configuration
+#   - CKV2_AWS_62 # Ensure S3 buckets should have event notifications enabled

.cspell/custom-words.txt

@@ -126,3 +126,9 @@ getline
 CODEOWNERS
 asdfrc
 kentaro
+bridgecrewio
+infrastucture
+exfiltration
+jshell
+restrictable
+DNSSEC

.github/actions/setup-terraform/action.yml

@@ -13,9 +13,9 @@ runs:
   steps:
     - name: Get current Terraform version
       run: |
-        echo "TERRAFORM_VERSION=$(cat ./infrastructure/.terraform-version)" >> $GITHUB_ENV
+        echo "TERRAFORM_VERSION=$(cat .terraform-version)" >> $GITHUB_ENV
         echo '--------------------------'
-        echo $(cat ./infrastructure/.terraform-version)
+        echo $(cat .terraform-version)
 
       shell: bash
 

.github/actions/setup-tfcmt/action.yml

@@ -0,0 +1,25 @@
+---
+name: Setup tfcmt
+
+description: Setup tfcmt
+
+runs:
+  using: composite
+  steps:
+    - run: curl -LO https://github.com/suzuki-shunsuke/tfcmt/releases/download/v4.4.3/tfcmt_linux_amd64.tar.gz
+      shell: bash
+
+    - run: echo '9a5a6b85b22865b72a977a393284bd942ee4400476f52aed81096a0bb0bb3ca3  tfcmt_linux_amd64.tar.gz' | sha256sum --check
+      shell: bash
+
+    - run: sudo tar -C /usr/bin/ -zxf tfcmt_linux_amd64.tar.gz
+      shell: bash
+
+    - run: curl -LO https://github.com/suzuki-shunsuke/github-comment/releases/download/v3.1.0/github-comment_3.1.0_linux_amd64.tar.gz
+      shell: bash
+
+    - run: echo '8d065e8cd47b8913b7fb481fbf746553929197e3eea649a5fd1e7c6b5251d3ee  github-comment_3.1.0_linux_amd64.tar.gz' | sha256sum --check
+      shell: bash
+
+    - run: sudo tar -C /usr/bin/ -zxf github-comment_3.1.0_linux_amd64.tar.gz
+      shell: bash

.github/actions/slack-notification-failure/action.yml

@@ -0,0 +1,34 @@
+---
+name: Slack Notification (failure)
+
+description: 処理が失敗したときに Slack の指定のチャンネルに通知します。
+
+inputs:
+  AWS_ENV_NAME:
+    description: 環境名
+    required: true
+  AWS_ACCOUNT_ID:
+    description: AWS アカウント ID
+    required: true
+  MESSAGE:
+    description: 通知するメッセージ
+    required: true
+  SLACK_WEBHOOK:
+    description: Slack Webhook URL
+    required: true
+
+runs:
+  using: composite
+  steps:
+    - name: Slack Notification (failure)
+      continue-on-error: true
+      uses: rtCamp/action-slack-notify@v2
+      env:
+        SLACK_CHANNEL: '#ntf_time-capsule'
+        SLACK_COLOR: danger
+        SLACK_TITLE: '${{ inputs.AWS_ENV_NAME }}(${{ inputs.AWS_ACCOUNT_ID }}): ${{ inputs.MESSAGE }}'
+        SLACK_MESSAGE: '<!U0RFFAK9U> 確認してください'
+        SLACK_LINK_NAMES: 'true'
+        SLACK_USERNAME: CIBot
+        SLACK_ICON_EMOJI: ':x:'
+        SLACK_WEBHOOK: ${{ inputs.SLACK_WEBHOOK }}

.github/actions/terraform-apply/action.yml

@@ -4,6 +4,15 @@ name: Terraform Apply
 description: Terraform Apply
 
 inputs:
+  AWS_ACCOUNT_ID:
+    description: AWS アカウント ID
+    required: true
+  AWS_ENV_NAME:
+    description: 環境名
+    required: true
+  SLACK_WEBHOOK:
+    description: Slack Webhook URL
+    required: true
   working-directory:
     description: Terraform CLI 実行時のパス
     required: true
@@ -12,6 +21,23 @@ runs:
   using: composite
   steps:
     - name: Terraform Apply
+      continue-on-error: true
+      id: terraform-apply
       run: terraform apply -auto-approve
       working-directory: ${{ inputs.working-directory }}
       shell: bash
+
+    - name: Slack Notification (failure)
+      if: ${{ steps.terraform-apply.outcome == 'failure' }}
+      continue-on-error: true
+      uses: ./.github/actions/slack-notification-failure
+      with:
+        AWS_ACCOUNT_ID: ${{ inputs.AWS_ACCOUNT_ID }}
+        AWS_ENV_NAME: ${{ inputs.AWS_ENV_NAME }}
+        MESSAGE: "インフラのデプロイが失敗しました。\npath: `${{ inputs.working-directory }}`"
+        SLACK_WEBHOOK: ${{ inputs.SLACK_WEBHOOK }}
+
+    - name: failure
+      if: ${{ steps.terraform-apply.outcome == 'failure' }}
+      run: exit 1
+      shell: bash

.github/actions/terraform-plan/action.yml

@@ -4,22 +4,9 @@ name: Terraform Plan
 description: Terraform Plan
 
 inputs:
-  AWS_ACCOUNT_ID:
-    description: AWS アカウント ID
-    required: true
-  AWS_ENV_NAME:
-    description: 環境名
-    required: true
-  CHECK_DIFF:
-    description: 差分チェックを行うかどうか
-    required: true
-    default: '_false'
   github-token:
     description: サードパーティの Action を実行するための権限を付与するための認証用トークン
     required: true
-  SLACK_WEBHOOK:
-    description: Slack の Webhook URL
-    required: true
   working-directory:
     description: Terraform CLI 実行時のパス
     required: true
@@ -39,7 +26,7 @@ runs:
         working-directory: ${{ inputs.working-directory }}
 
     - name: Setup tfcmt
-      uses: itkq/actions-tfcmt/setup@main
+      uses: ./.github/actions/setup-tfcmt
 
     - name: Terraform Plan
       continue-on-error: true
@@ -59,7 +46,7 @@ runs:
         esac
 
         TARGET=$(echo ${{ inputs.working-directory }} | sed -e 's|^.*infrastructure/environments/||' | cut -c 1-36)
-        tfcmt --var target:$TARGET plan -patch -- cat tf_plan.txt
+        tfcmt --var target:$TARGET plan --patch --skip-no-changes -- cat tf_plan.txt
 
         echo "TF_PLAN_STATUS=$TF_PLAN_STATUS"
         echo "TF_PLAN_STATUS=$TF_PLAN_STATUS" >> $GITHUB_ENV
@@ -69,33 +56,7 @@ runs:
       working-directory: ${{ inputs.working-directory }}
       shell: bash
 
-    - name: Set Slack Message (Terraform Plan failure)
-      if: env.TF_PLAN_STATUS == 'has-diff' && inputs.CHECK_DIFF == '_true'
-      run: echo "ERROR_MSG=インフラのコードと実態のリソースに差分があります" >> "$GITHUB_ENV"
-      shell: bash
-
-    - name: Set Slack Message (another error)
+    - name: Terraform Plan (failure) -> Status
       if: steps.terraform-plan.outputs.exitcode == '1'
-      run: echo "ERROR_MSG=difference check CIがエラー終了しました" >> "$GITHUB_ENV"
+      run: exit 1
       shell: bash
-
-    # - name: DEBUG
-    #   run: |
-    #     echo "exitcode: ${{ steps.terraform-plan.outputs.exitcode }}"
-    #     echo "TF_PLAN_STATUS: ${{ env.TF_PLAN_STATUS }}"
-    #     echo "CHECK_DIFF: ${{ inputs.CHECK_DIFF }}"
-    #   shell: bash
-
-    - name: Slack Notification (failure)
-      continue-on-error: true
-      if: steps.terraform-plan.outputs.exitcode == '1' || (env.TF_PLAN_STATUS == 'has-diff' && inputs.CHECK_DIFF == '_true')
-      uses: rtCamp/action-slack-notify@v2
-      env:
-        SLACK_CHANNEL: '#ntf_gh_private-lab'
-        SLACK_COLOR: danger
-        SLACK_TITLE: '${{ inputs.AWS_ENV_NAME }}(${{ inputs.AWS_ACCOUNT_ID }}): ${{ env.ERROR_MSG }}'
-        SLACK_MESSAGE: "<!subteam^U0RFFAK9U> 確認してください。\npath: `${{ inputs.working-directory }}`"
-        SLACK_LINK_NAMES: 'true'
-        SLACK_USERNAME: github-bot
-        SLACK_ICON_EMOJI: ':x:'
-        SLACK_WEBHOOK: ${{ inputs.SLACK_WEBHOOK }}

.github/actions/terraform-validate/action.yml

@@ -10,23 +10,29 @@ inputs:
   working-directory:
     description: Terraform CLI 実行時のパス
     required: true
+outputs:
+  terraform-validate-outcome:
+    description: terraform validate の処理結果
+    value: ${{ steps.terraform-validate.outcome }}
 
 runs:
   using: composite
   steps:
     - name: Terraform Validate
+      id: terraform-validate
       run: terraform validate -no-color
       working-directory: ${{ inputs.working-directory }}
       shell: bash
 
-    - uses: actions/cache@v4
-      name: Cache plugin dir
+    - name: Cache plugin dir
+      id: cache-tflint
+      uses: actions/[email protected]
       with:
         path: ~/.tflint.d/plugins
         key: ${{ runner.os }}-tflint-${{ hashFiles('.tflint.hcl') }}
 
     - name: Setup TFLint
-      uses: terraform-linters/setup-tflint@v4
+      uses: terraform-linters/setup-tflint@v4.0.0
       with:
         tflint_version: latest
 
@@ -35,7 +41,7 @@ runs:
       shell: bash
 
     - name: Init TFLint
-      run: tflint --init
+      run: tflint --chdir=${{ inputs.working-directory }} --init
       env:
         # https://github.com/terraform-linters/tflint/blob/master/docs/user-guide/plugins.md#avoiding-rate-limiting
         GITHUB_TOKEN: ${{ github.token }}
@@ -44,3 +50,10 @@ runs:
     - name: Run TFLint
       run: tflint --chdir=${{ inputs.working-directory }} --module
       shell: bash
+
+    - name: Checkov
+      uses: bridgecrewio/[email protected]
+      with:
+        framework: terraform
+        output_format: cli
+        directory: ${{ inputs.working-directory }}

.github/auto_assign.yml

@@ -0,0 +1,7 @@
+---
+# see: https://github.com/kentaro-m/auto-assign-action
+# addReviewers: true
+addAssignees: author
+# reviewers:
+#   - tqer39
+# numberOfReviewers: 0

.github/workflows/_manual-infrastructure-common.yml

@@ -0,0 +1,73 @@
+---
+name: manual - infrastructure - common
+
+on:
+  workflow_call:
+    inputs:
+      AWS_ACCOUNT_ID:
+        required: true
+        type: string
+      AWS_ENV_NAME:
+        required: true
+        type: string
+      OIDC_IAM_ROLE:
+        required: true
+        type: string
+      TF_PATH:
+        required: true
+        type: string
+      TF_TYPE:
+        required: true
+        type: string
+
+jobs:
+  terraform:
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    permissions:
+      id-token: write # For aws-actions/configure-aws-credentials
+      contents: read # For aws-actions/configure-aws-credentials
+      deployments: write # For bobheadxi/deployments
+      pull-requests: write # For bobheadxi/deployments
+    steps:
+      - name: Checkout source code
+        uses: actions/checkout@v4
+
+      - name: AWS Credential
+        uses: ./.github/actions/aws-credential
+        with:
+          oidc-iam-role: arn:aws:iam::${{ inputs.AWS_ACCOUNT_ID }}:role/${{ inputs.OIDC_IAM_ROLE }}
+
+      - name: Terraform Plan
+        uses: ./.github/actions/terraform-plan
+        with:
+          working-directory: ${{ inputs.TF_PATH }}
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Start Deployment
+        if: env.TF_PLAN_STATUS == 'has-diff' && github.ref == 'refs/heads/main'
+        uses: bobheadxi/deployments@v1
+        id: deployment
+        with:
+          step: start
+          token: ${{ secrets.GITHUB_TOKEN }}
+          env: ${{ env.AWS_ENV_NAME }}
+
+      - name: Terraform Apply
+        if: github.event.inputs.TF_TYPE == 'terraform apply'
+        uses: ./.github/actions/terraform-apply
+        with:
+          AWS_ACCOUNT_ID: ${{ inputs.AWS_ACCOUNT_ID }}
+          AWS_ENV_NAME: ${{ inputs.AWS_ENV_NAME }}
+          SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
+          working-directory: ${{ inputs.TF_PATH }}
+
+      - name: Finish Deployment
+        if: env.TF_PLAN_STATUS == 'has-diff' && always() && github.ref == 'refs/heads/main'
+        uses: bobheadxi/deployments@v1
+        with:
+          step: finish
+          token: ${{ secrets.GITHUB_TOKEN }}
+          status: ${{ job.status }}
+          env: ${{ steps.deployment.outputs.env }}
+          deployment_id: ${{ steps.deployment.outputs.deployment_id }}