ci: Fix about permissions

.github/workflows/staging-apply.yaml

@@ -85,8 +85,8 @@ jobs:
         name: Authenticate to Google Cloud
         uses: "google-github-actions/auth@v1"
         with:
-          workload_identity_provider: "projects/1065320521129/locations/global/workloadIdentityPools/ci-pool/providers/ci-provider"
-          service_account: "staging-deploy-from-github-act@pulsate-staging-400117.iam.gserviceaccount.com"
+          workload_identity_provider: "projects/1065320521129/locations/global/workloadIdentityPools/github/providers/github-provider"
+          service_account: "github-actions@pulsate-staging-400117.iam.gserviceaccount.com"
           token_format: "access_token"
 
       - name: Upload Configuration

.github/workflows/staging-plan.yml

@@ -26,8 +26,8 @@ jobs:
         name: Authenticate to Google Cloud
         uses: "google-github-actions/auth@v1"
         with:
-          workload_identity_provider: "projects/1065320521129/locations/global/workloadIdentityPools/ci-pool/providers/ci-provider"
-          service_account: "staging-deploy-from-github-act@pulsate-staging-400117.iam.gserviceaccount.com"
+          workload_identity_provider: "projects/1065320521129/locations/global/workloadIdentityPools/github/providers/github-provider"
+          service_account: "github-actions@pulsate-staging-400117.iam.gserviceaccount.com"
           token_format: "access_token"
 
       - name: Upload Configuration

.gitignore

@@ -0,0 +1,4 @@
+# Terraform
+.terraform
+*.tfstate
+*.tfstate.backup

staging/main.tf

@@ -3,41 +3,35 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = "4.83.0"
+      version = "~> 4.83.0"
     }
   }
-  backend "gcs" {
-    prefix = "terraform/state"
-  }
 }
 
 provider "google" {
-  project      = var.project
+  project      = var.project_id
   region       = var.location
+  zone         = var.zone
   access_token = var.access_token
 }
 
 resource "google_project_service" "default" {
-  project = var.project
   service = "iamcredentials.googleapis.com"
 }
 
 resource "google_service_account" "github_actions" {
-  project      = var.project
   account_id   = "github-actions"
   display_name = "A service account for GitHub Actions"
   description  = "link to Workload Identity Pool used by github actions"
 }
 
 resource "google_iam_workload_identity_pool" "github" {
-  project                   = var.project
   workload_identity_pool_id = "github"
   display_name              = "github"
   description               = "Workload Identity Pool for GitHub Actions"
 }
 
 resource "google_iam_workload_identity_pool_provider" "github" {
-  project                            = var.project
   workload_identity_pool_id          = google_iam_workload_identity_pool.github.workload_identity_pool_id
   workload_identity_pool_provider_id = "github-provider"
   display_name                       = "github actions provider"
@@ -80,7 +74,7 @@ data "google_container_engine_versions" "gke_version" {
 
 resource "google_container_cluster" "primary" {
   name     = "pulsate-gke-cluster"
-  location = var.location
+  location = var.zone
 
   # We can't create a cluster with no node pool defined, but we want to only use
   # separately managed node pools. So we create the smallest possible default
@@ -94,12 +88,22 @@ resource "google_container_cluster" "primary" {
 
 resource "google_container_node_pool" "primary_nodes" {
   name     = google_container_cluster.primary.name
-  location = var.location
+  location = var.zone
   cluster  = google_container_cluster.primary.name
 
   version    = data.google_container_engine_versions.gke_version.release_channel_latest_version["STABLE"]
   node_count = var.gke_num_nodes
 
+  management {
+    auto_repair  = true
+    auto_upgrade = true
+  }
+
+  network_config {
+    create_pod_range     = false
+    enable_private_nodes = false
+  }
+
   node_config {
     oauth_scopes = [
       "https://www.googleapis.com/auth/logging.write",
@@ -116,5 +120,16 @@ resource "google_container_node_pool" "primary_nodes" {
     metadata = {
       disable-legacy-endpoints = "true"
     }
+
+    shielded_instance_config {
+      enable_integrity_monitoring = true
+      enable_secure_boot          = false
+    }
+  }
+
+  upgrade_settings {
+    max_surge       = 1
+    max_unavailable = 0
+    strategy        = "SURGE"
   }
 }

staging/terraform.tfvars

@@ -2,9 +2,9 @@ project    = "pulsate-staging"
 project_id = "pulsate-staging-400117"
 repo_name  = "approvers/pulsate"
 location   = "asia-northeast1"
+zone       = "asia-northeast1-a"
 container_images = [{
   name  = "hello"
   image = "ghcr.io/approvers/services/hello"
 }]
-service_account_name = "staging-deploy-from-github-act@pulsate-staging-400117.iam.gserviceaccount.com"
-gke_num_nodes        = 1
+gke_num_nodes = 1

staging/variables.tf

@@ -22,11 +22,17 @@ variable "repo_name" {
 }
 
 variable "location" {
-  description = "A location of a cloud run instance"
+  description = "A location of using service"
   type        = string
   default     = "asia-northeast1"
 }
 
+variable "zone" {
+  description = "A zone of a GKE cluster"
+  type        = string
+  default     = "asia-northeast1-a"
+}
+
 variable "container_images" {
   description = "docker container images"
   type = list(object({
@@ -36,12 +42,6 @@ variable "container_images" {
   default = []
 }
 
-variable "service_account_name" {
-  description = "Email address of the IAM service account"
-  type        = string
-  default     = ""
-}
-
 variable "gke_num_nodes" {
   description = "Total node count on GKE pool"
   type        = number