hikarunakatani / cifar10-aws

Simple MLOps workflows

Added some workflow files of actions Issue#2 #9

Closed hikarunakatani closed 2 months ago

hikarunakatani commented 3 months ago

The AWS IAM role used for OIDC should be modified so that it accepts GitHub Actions runs from branches other than main.

github-actions[bot] commented 3 months ago

Plan Result

CI link

Plan: 22 to add, 0 to change, 0 to destroy.
Change Result (Click me) ```hcl # data.aws_iam_policy_document.bucket_policy will be read during apply # (config refers to values not yet known) <= data "aws_iam_policy_document" "bucket_policy" { + id = (known after apply) + json = (known after apply) + statement { + actions = [ + "s3:DeleteObject", + "s3:GetObject", + "s3:PutObject", ] + effect = "Allow" + resources = [ + (known after apply), ] + principals { + identifiers = [ + (known after apply), ] + type = "AWS" } } } # aws_cloudwatch_event_rule.ecr_push_rule will be created + resource "aws_cloudwatch_event_rule" "ecr_push_rule" { + arn = (known after apply) + description = "Trigger an ECS task when an image is pushed to ECR" + event_bus_name = "default" + event_pattern = jsonencode( { + detail = { + action-type = [ + "PUSH", ] + repository-name = [ + "cifar10-mlops-repository", ] } + detail-type = [ + "ECR Image Action", ] + source = [ + "aws.ecr", ] } ) + id = (known after apply) + is_enabled = true + name = "cifar10-mlops-run-ecs-task" + name_prefix = (known after apply) + tags_all = (known after apply) } # aws_cloudwatch_event_target.ecr_push_target will be created + resource "aws_cloudwatch_event_target" "ecr_push_target" { + arn = (known after apply) + event_bus_name = "default" + id = (known after apply) + rule = "cifar10-mlops-run-ecs-task" + target_id = "run-index-py-function" } # aws_cloudwatch_log_group.main will be created + resource "aws_cloudwatch_log_group" "main" { + arn = (known after apply) + id = (known after apply) + name = "cifar10-mlops-log-group" + name_prefix = (known after apply) + retention_in_days = 0 + skip_destroy = false + tags_all = (known after apply) } # aws_ecr_repository.main will be created + resource "aws_ecr_repository" "main" { + arn = (known after apply) + id = (known after apply) + image_tag_mutability = "MUTABLE" + name = "cifar10-mlops-repository" + registry_id = (known after apply) + repository_url = (known after apply) + tags_all = (known after apply) + 
image_scanning_configuration { + scan_on_push = true } } # aws_ecs_cluster.main will be created + resource "aws_ecs_cluster" "main" { + arn = (known after apply) + id = (known after apply) + name = "cifar10-mlops-cluster" + tags_all = (known after apply) + setting { + name = "containerInsights" + value = "enabled" } } # aws_ecs_cluster_capacity_providers.this will be created + resource "aws_ecs_cluster_capacity_providers" "this" { + capacity_providers = [ + "FARGATE", ] + cluster_name = "cifar10-mlops-cluster" + id = (known after apply) + default_capacity_provider_strategy { + base = 0 + capacity_provider = "FARGATE" + weight = 0 } } # aws_ecs_service.main will be created + resource "aws_ecs_service" "main" { + cluster = (known after apply) + deployment_maximum_percent = 200 + deployment_minimum_healthy_percent = 100 + desired_count = 1 + enable_ecs_managed_tags = false + enable_execute_command = false + iam_role = (known after apply) + id = (known after apply) + launch_type = (known after apply) + name = "cifar10-mlops-service" + platform_version = "LATEST" + scheduling_strategy = "REPLICA" + tags_all = (known after apply) + task_definition = (known after apply) + triggers = (known after apply) + wait_for_steady_state = false + capacity_provider_strategy { + base = 0 + capacity_provider = "FARGATE" + weight = 100 } + deployment_circuit_breaker { + enable = true + rollback = true } + network_configuration { + assign_public_ip = true + security_groups = (known after apply) + subnets = (known after apply) } } # aws_ecs_task_definition.service will be created + resource "aws_ecs_task_definition" "service" { + arn = (known after apply) + arn_without_revision = (known after apply) + container_definitions = (known after apply) + cpu = "2048" + execution_role_arn = (known after apply) + family = "cifar10-mlops-task" + id = (known after apply) + memory = "8192" + network_mode = "awsvpc" + requires_compatibilities = [ + "FARGATE", ] + revision = (known after apply) + 
skip_destroy = false + tags_all = (known after apply) + task_role_arn = (known after apply) } # aws_iam_role.ecs_task_exec will be created + resource "aws_iam_role" "ecs_task_exec" { + arn = (known after apply) + assume_role_policy = jsonencode( { + Statement = [ + { + Action = "sts:AssumeRole" + Effect = "Allow" + Principal = { + Service = "ecs-tasks.amazonaws.com" } }, ] + Version = "2012-10-17" } ) + create_date = (known after apply) + force_detach_policies = false + id = (known after apply) + managed_policy_arns = [ + "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy", ] + max_session_duration = 3600 + name = "ecs_task_exec" + name_prefix = (known after apply) + path = "/" + tags_all = (known after apply) + unique_id = (known after apply) } # aws_iam_role.ecs_task_role will be created + resource "aws_iam_role" "ecs_task_role" { + arn = (known after apply) + assume_role_policy = jsonencode( { + Statement = [ + { + Action = "sts:AssumeRole" + Effect = "Allow" + Principal = { + Service = "ecs-tasks.amazonaws.com" } }, ] + Version = "2012-10-17" } ) + create_date = (known after apply) + force_detach_policies = false + id = (known after apply) + managed_policy_arns = (known after apply) + max_session_duration = 3600 + name = "ecs_task_role" + name_prefix = (known after apply) + path = "/" + tags_all = (known after apply) + unique_id = (known after apply) + inline_policy { + name = "allow_logs" + policy = jsonencode( { + Statement = [ + { + Action = [ + "logs:CreateLogStream", + "logs:DescribeLogGroups", + "logs:DescribeLogStreams", + "logs:PutLogEvents", ] + Effect = "Allow" + Resource = "*" }, ] + Version = "2012-10-17" } ) } } # aws_iam_role.lambda_execution_role will be created + resource "aws_iam_role" "lambda_execution_role" { + arn = (known after apply) + assume_role_policy = jsonencode( { + Statement = [ + { + Action = "sts:AssumeRole" + Effect = "Allow" + Principal = { + Service = "lambda.amazonaws.com" } }, ] + Version = "2012-10-17" } 
) + create_date = (known after apply) + force_detach_policies = false + id = (known after apply) + managed_policy_arns = (known after apply) + max_session_duration = 3600 + name = "cifar10-mlops-lambda-execution-role" + name_prefix = (known after apply) + path = "/" + tags_all = (known after apply) + unique_id = (known after apply) + inline_policy { + name = "lambda_execution_policy" + policy = jsonencode( { + Statement = [ + { + Action = [ + "ecr:GetAuthorizationToken", + "ecr:BatchCheckLayerAvailability", + "ecr:GetDownloadUrlForLayer", + "ecr:BatchGetImage", + "logs:CreateLogGroup", + "logs:CreateLogStream", + "logs:PutLogEvents", ] + Effect = "Allow" + Resource = "*" }, ] + Version = "2012-10-17" } ) } } # aws_lambda_function.invoke_task will be created + resource "aws_lambda_function" "invoke_task" { + architectures = (known after apply) + arn = (known after apply) + filename = "lambda_function.zip" + function_name = "cifar10-mlops-invoke-task" + handler = "invoke_task.lambda_handler" + id = (known after apply) + invoke_arn = (known after apply) + last_modified = (known after apply) + memory_size = 128 + package_type = "Zip" + publish = false + qualified_arn = (known after apply) + qualified_invoke_arn = (known after apply) + reserved_concurrent_executions = -1 + role = (known after apply) + runtime = "python3.9" + signing_job_arn = (known after apply) + signing_profile_version_arn = (known after apply) + skip_destroy = false + source_code_hash = "Do2pUs/pluxzzLPoDo2Kyij7T4pLwn2Q88OH4sdYFG8=" + source_code_size = (known after apply) + tags_all = (known after apply) + timeout = 3 + version = (known after apply) } # aws_lambda_permission.allow_eventbridge will be created + resource "aws_lambda_permission" "allow_eventbridge" { + action = "lambda:InvokeFunction" + function_name = "cifar10-mlops-invoke-task" + id = (known after apply) + principal = "events.amazonaws.com" + source_arn = (known after apply) + statement_id = "AllowExecutionFromEventBridge" + 
statement_id_prefix = (known after apply) } # aws_s3_bucket.dataset will be created + resource "aws_s3_bucket" "dataset" { + acceleration_status = (known after apply) + acl = (known after apply) + arn = (known after apply) + bucket = "cifar10-mlops-bucket" + bucket_domain_name = (known after apply) + bucket_prefix = (known after apply) + bucket_regional_domain_name = (known after apply) + force_destroy = false + hosted_zone_id = (known after apply) + id = (known after apply) + object_lock_enabled = (known after apply) + policy = (known after apply) + region = (known after apply) + request_payer = (known after apply) + tags_all = (known after apply) + website_domain = (known after apply) + website_endpoint = (known after apply) } # aws_s3_bucket_policy.bucket_policy will be created + resource "aws_s3_bucket_policy" "bucket_policy" { + bucket = (known after apply) + id = (known after apply) + policy = (known after apply) } # aws_security_group.ecs will be created + resource "aws_security_group" "ecs" { + arn = (known after apply) + description = "Security group for training task" + egress = [ + { + cidr_blocks = [] + description = "" + from_port = 443 + ipv6_cidr_blocks = [] + prefix_list_ids = [] + protocol = "tcp" + security_groups = (known after apply) + self = false + to_port = 443 }, ] + id = (known after apply) + ingress = (known after apply) + name = "cifar10-mlops-ecs-securitygroup" + name_prefix = (known after apply) + owner_id = (known after apply) + revoke_rules_on_delete = false + tags_all = (known after apply) + vpc_id = (known after apply) } # aws_security_group.vpc_endpoint will be created + resource "aws_security_group" "vpc_endpoint" { + arn = (known after apply) + description = "Security group for VPC Endpoint" + egress = [ + { + cidr_blocks = [ + "10.0.0.0/16", ] + description = "" + from_port = 443 + ipv6_cidr_blocks = [] + prefix_list_ids = [] + protocol = "tcp" + security_groups = [] + self = false + to_port = 443 }, ] + id = (known after apply) 
+ ingress = [ + { + cidr_blocks = [ + "10.0.0.0/16", ] + description = "" + from_port = 443 + ipv6_cidr_blocks = [] + prefix_list_ids = [] + protocol = "tcp" + security_groups = [] + self = false + to_port = 443 }, ] + name = "cifar10-mlops-vpc-endpoint-securitygroup" + name_prefix = (known after apply) + owner_id = (known after apply) + revoke_rules_on_delete = false + tags_all = (known after apply) + vpc_id = (known after apply) } # aws_subnet.private1a will be created + resource "aws_subnet" "private1a" { + arn = (known after apply) + assign_ipv6_address_on_creation = false + availability_zone = "ap-northeast-1a" + availability_zone_id = (known after apply) + cidr_block = "10.0.1.0/24" + enable_dns64 = false + enable_resource_name_dns_a_record_on_launch = false + enable_resource_name_dns_aaaa_record_on_launch = false + id = (known after apply) + ipv6_cidr_block_association_id = (known after apply) + ipv6_native = false + map_public_ip_on_launch = false + owner_id = (known after apply) + private_dns_hostname_type_on_launch = (known after apply) + tags = { + "Name" = "cifar10-mlops-subnet-private-ap-northeast-1a" } + tags_all = { + "Name" = "cifar10-mlops-subnet-private-ap-northeast-1a" } + vpc_id = (known after apply) } # aws_vpc.main will be created + resource "aws_vpc" "main" { + arn = (known after apply) + cidr_block = "10.0.0.0/16" + default_network_acl_id = (known after apply) + default_route_table_id = (known after apply) + default_security_group_id = (known after apply) + dhcp_options_id = (known after apply) + enable_dns_hostnames = (known after apply) + enable_dns_support = true + enable_network_address_usage_metrics = (known after apply) + id = (known after apply) + instance_tenancy = "default" + ipv6_association_id = (known after apply) + ipv6_cidr_block = (known after apply) + ipv6_cidr_block_network_border_group = (known after apply) + main_route_table_id = (known after apply) + owner_id = (known after apply) + tags = { + "Name" = "cifar10-mlops-vpc" 
} + tags_all = { + "Name" = "cifar10-mlops-vpc" } } # aws_vpc_endpoint.ecr_api will be created + resource "aws_vpc_endpoint" "ecr_api" { + arn = (known after apply) + cidr_blocks = (known after apply) + dns_entry = (known after apply) + id = (known after apply) + ip_address_type = (known after apply) + network_interface_ids = (known after apply) + owner_id = (known after apply) + policy = (known after apply) + prefix_list_id = (known after apply) + private_dns_enabled = false + requester_managed = (known after apply) + route_table_ids = (known after apply) + security_group_ids = (known after apply) + service_name = "com.amazonaws.ap-northeast-1.ecr.api" + state = (known after apply) + subnet_ids = (known after apply) + tags_all = (known after apply) + vpc_endpoint_type = "Interface" + vpc_id = (known after apply) } # aws_vpc_endpoint.ecr_dkr will be created + resource "aws_vpc_endpoint" "ecr_dkr" { + arn = (known after apply) + cidr_blocks = (known after apply) + dns_entry = (known after apply) + id = (known after apply) + ip_address_type = (known after apply) + network_interface_ids = (known after apply) + owner_id = (known after apply) + policy = (known after apply) + prefix_list_id = (known after apply) + private_dns_enabled = false + requester_managed = (known after apply) + route_table_ids = (known after apply) + security_group_ids = (known after apply) + service_name = "com.amazonaws.ap-northeast-1.ecr.dkr" + state = (known after apply) + subnet_ids = (known after apply) + tags_all = (known after apply) + vpc_endpoint_type = "Interface" + vpc_id = (known after apply) } # aws_vpc_endpoint.s3 will be created + resource "aws_vpc_endpoint" "s3" { + arn = (known after apply) + cidr_blocks = (known after apply) + dns_entry = (known after apply) + id = (known after apply) + ip_address_type = (known after apply) + network_interface_ids = (known after apply) + owner_id = (known after apply) + policy = (known after apply) + prefix_list_id = (known after apply) + 
private_dns_enabled = false + requester_managed = (known after apply) + route_table_ids = (known after apply) + security_group_ids = (known after apply) + service_name = "com.amazonaws.ap-northeast-1.s3" + state = (known after apply) + subnet_ids = (known after apply) + tags_all = (known after apply) + vpc_endpoint_type = "Interface" + vpc_id = (known after apply) } Plan: 22 to add, 0 to change, 0 to destroy. ```
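Review bot: Both inline policies in this plan grant their actions on `Resource = "*"`: `allow_logs` on `aws_iam_role.ecs_task_role` and `lambda_execution_policy` on `aws_iam_role.lambda_execution_role`. Only `ecr:GetAuthorizationToken` needs the wildcard; the `logs:` actions can be limited to the log group each role writes to (for the task role presumably `"${aws_cloudwatch_log_group.main.arn}:*"`) and the ECR pull actions to `aws_ecr_repository.main.arn`. `aws_ecs_service.main` sets `assign_public_ip = true` although the only subnet in the plan is `private1a` with interface endpoints, so `false` looks like the intended value. `image_tag_mutability = "MUTABLE"` combined with the push-triggered rule `cifar10-mlops-run-ecs-task` means an overwritten tag is run as-is under the task role; `"IMMUTABLE"` would prevent that if the pipeline can push unique tags. This is generated plan output, so the changes belong in the Terraform sources, which are not shown on this page.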