各種バージョンアップ

.github/actions/setup/action.yaml

@@ -25,7 +25,7 @@ runs:
       # v3.0.0 ref. https://github.com/hashicorp/setup-terraform/releases/tag/v3.0.0
       uses: hashicorp/setup-terraform@a1502cd9e758c50496cc9ac5308c4843bcd56d36
       with:
-        terraform_version: "1.9.1"
+        terraform_version: "1.10.3"
 
     - name: auth for Google Cloud
       if: ${{ inputs.auth_gcloud == 'true' }}

.github/actions/slack/action.yaml

@@ -5,9 +5,6 @@ inputs:
   conclusion:
     description: the outcome of the jobs (e.g. 'success', 'failure')
     required: true
-  channel_id:
-    description: Slack channel ID
-    required: true
   webhook_url:
     description: SLACK_WEBHOOK_URL
     required: true
@@ -17,40 +14,25 @@ runs:
   steps:
     - name: send workflow result to slack channel
       # slackapi/slack-github-actionはコミットハッシュによる指定ができないのでバージョンで固定
-      uses: slackapi/slack-github-action@v1.26.0
+      uses: slackapi/slack-github-action@2.0.0
       with:
-        channel-id: ${{ inputs.channel_id }}
+        webhook-type: incoming-webhook
         payload: |
-          {
-            "attachments": [
-              {
-                "pretext": "",
-                "color": "${{ inputs.conclusion == 'success' && '36a64f' || 'f26268' }}",
-                "fields": [
-                  {
-                    "title": "Workflow",
-                    "short": true,
-                    "value": "${{ env.WORKFLOW }}"
-                  },
-                  {
-                    "title": "Action URL",
-                    "short": true,
-                    "value": "${{ env.ACTION_URL }}"
-                  },
-                  {
-                    "title": "Title",
-                    "short": true,
-                    "value": "${{ env.PR_TITLE }}"
-                  },
-                  {
-                    "title": "Pull Request URL",
-                    "short": true,
-                    "value": "${{ env.PR_URL }}"
-                  }
-                ]
-              }
-            ]
-          }
+          attachments:
+            - color: "${{ inputs.conclusion == 'success' && '36a64f' || 'f26268' }}"
+              fields:
+                - title: "Workflow"
+                  short: true
+                  value: "${{ env.WORKFLOW }}"
+                - title: "Action URL"
+                  short: true
+                  value: "${{ env.ACTION_URL }}"
+                - title: "Title"
+                  short: true
+                  value: "${{ env.PR_TITLE }}"
+                - title: "Pull Request URL"
+                  short: true
+                  value: "${{ env.PR_URL }}"
       env:
         # PRタイトルなどの任意入力可能な値は、シェルやTypeScript実行ステップで参照するとインジェクション攻撃に使用されるケースがある
         # これは環境変数を間に挟むことで無害化できる
@@ -62,4 +44,3 @@ runs:
         PR_TITLE: ${{ github.event.pull_request.title }}
         PR_URL: ${{ github.event.pull_request.html_url || github.event.head_commit.url }}
         SLACK_WEBHOOK_URL: ${{ inputs.webhook_url }}
-        SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK

.github/workflows/prod.yaml

@@ -15,14 +15,14 @@ permissions: {}
 jobs:
   apply:
     if: github.event.pull_request.merged == true
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     permissions:
       id-token: write
       contents: read
       pull-requests: write
     steps:
       - name: checkout project
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
 
       - name: setup terraform and gcloud CLI
         uses: ./.github/actions/setup
@@ -40,17 +40,16 @@ jobs:
 
   slack:
     if: always() && github.event.pull_request.merged == true
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     needs: apply
     permissions:
       contents: read
     steps:
       - name: checkout project
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
 
       - name: send the workflow result to the slack channel
         uses: ./.github/actions/slack
         with:
           conclusion: ${{ needs.apply.result }}
-          channel_id: ${{ vars.SLACK_CHANNEL_ID }}
           webhook_url: ${{ secrets.SLACK_WEBHOOK_URL }}

.github/workflows/release.yaml

@@ -11,12 +11,12 @@ permissions: {}
 
 jobs:
   main:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     permissions:
       contents: write
     steps:
       - name: checkout project
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
 
       # v6.0.0 ref. https://github.com/release-drafter/release-drafter/releases/tag/v6.0.0
       - name: generate a release note and a version tag
@@ -29,17 +29,16 @@ jobs:
 
   slack:
     if: always()
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     needs: main
     permissions:
       contents: read
     steps:
       - name: checkout project
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
 
       - name: send the workflow result to the slack channel
         uses: ./.github/actions/slack
         with:
           conclusion: ${{ needs.main.result }}
-          channel_id: ${{ vars.SLACK_CHANNEL_ID }}
           webhook_url: ${{ secrets.SLACK_WEBHOOK_URL }}

.github/workflows/stg.yaml

@@ -18,14 +18,14 @@ jobs:
   # なお'== true'を消したくなるが、思わぬ挙動に遭遇するケースがあるので慣例に従った方がいい
   apply:
     if: github.event.pull_request.merged == true
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     permissions:
       id-token: write
       contents: read
       pull-requests: write
     steps:
       - name: checkout project
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
 
       - name: setup terraform and gcloud CLI
         uses: ./.github/actions/setup
@@ -43,17 +43,16 @@ jobs:
 
   slack:
     if: always() && github.event.pull_request.merged == true
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     needs: apply
     permissions:
       contents: read
     steps:
       - name: checkout project
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
 
       - name: send the workflow result to the slack channel
         uses: ./.github/actions/slack
         with:
           conclusion: ${{ needs.apply.result }}
-          channel_id: ${{ vars.SLACK_CHANNEL_ID }}
           webhook_url: ${{ secrets.SLACK_WEBHOOK_URL }}

.github/workflows/test.yaml

@@ -21,23 +21,23 @@ concurrency:
 permissions: {}
 
 env:
-  # v0.50.3 ref. https://github.com/terraform-linters/tflint/releases/tag/v0.50.3
-  TFLINT_VERSION: e34bda7f398c139d7bc528261ee96998c10e79c8
-  OPA_VERSION: 0.64.1
-  CONFTEST_VERSION: 0.51.0
-  REGAL_VERSION: 0.21.3
-  TRIVY_VERSION: 0.51.1
+  # v0.54.0 ref. https://github.com/terraform-linters/tflint/releases/tag/v0.54.0
+  TFLINT_VERSION: b77539470949bf637f827a0d292ac880c94ec4ba
+  OPA_VERSION: 1.0.0
+  CONFTEST_VERSION: 0.56.0
+  REGAL_VERSION: 0.29.2
+  TRIVY_VERSION: 0.57.0
 
 jobs:
   validation:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     steps:
       # プロジェクトのチェックアウト(ジョブ毎に実行必須)
       - name: checkout project
         # @vXのようなバージョン指定にすると、最新バージョンでセキュリティ的に問題があるアクションを意図せず使用してしまう可能性がある
         # よって@vX.Y.Zにすればリスクは軽減するが、それでもバージョンは自由に作り直せるのでより厳密にコミットハッシュを指定
-        # v4.1.1 ref. https://github.com/actions/checkout/releases/tag/v4.1.1
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
+        # v4.2.2 ref. hhttps://github.com/actions/checkout/releases/tag/v4.2.2
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
 
       # テストコード実行対象モジュールリストを定義する.github/data/test_matrix.yamlとterraform/modulesディレクトリが
       # 同期されている状態かチェックするスクリプトを実行
@@ -72,8 +72,8 @@ jobs:
       # 既にインストール済みのConftestがキャッシュに存在する場合restore
       - name: cache conftest CLI
         id: conftest-cache
-        # v4.0.2 ref. https://github.com/actions/cache/releases/tag/v4.0.2
-        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9
+        # v4.2.0 ref. https://github.com/actions/cache/releases/tag/v4.2.0
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57
         with:
           path: /usr/local/bin/conftest
           key: conftest-${{ env.CONFTEST_VERSION }}
@@ -95,7 +95,7 @@ jobs:
       # 既にインストール済みのTFLintがキャッシュに存在する場合restore
       - name: cache tflint CLI
         id: tflint-cache
-        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57
         with:
           path: |
             /usr/local/bin/tflint
@@ -118,7 +118,7 @@ jobs:
       # 既にインストール済みのTrivyがキャッシュに存在する場合restore
       - name: cache trivy CLI
         id: trivy-cache
-        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57
         with:
           path: |
             /usr/local/bin/trivy
@@ -152,14 +152,14 @@ jobs:
 
   test-prep:
     needs: validation
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     # gcloudの認証で使用するWorkload Identity Providerで必要なパーミッション
     permissions:
       id-token: write
       contents: read
     steps:
       - name: checkout project
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
 
       # terraform CLIのインストールおよびgcloudの認証を実行
       - name: setup terraform and gcloud CLI
@@ -178,7 +178,7 @@ jobs:
 
   test:
     needs: test-prep
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     permissions:
       id-token: write
       contents: read
@@ -191,7 +191,7 @@ jobs:
         shard: [modules1, modules2]
     steps:
       - name: checkout project
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
 
       - name: setup terraform and gcloud CLI
         uses: ./.github/actions/setup
@@ -211,15 +211,15 @@ jobs:
 
   plan:
     needs: test
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     # 'pull-requests: write'はアクションからPRにコメントを書き込む際に必要
     permissions:
       id-token: write
       contents: read
       pull-requests: write
     steps:
       - name: checkout project
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
 
       - name: setup terraform and gcloud CLI
         uses: ./.github/actions/setup
@@ -238,18 +238,17 @@ jobs:
 
   slack:
     if: always()
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     needs: plan
     permissions:
       contents: read
     steps:
       - name: checkout project
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
 
       # ワークフローの実行結果をSlackの指定したチャネルに通知
       - name: send the workflow result to the slack channel
         uses: ./.github/actions/slack
         with:
           conclusion: ${{ needs.plan.result }}
-          channel_id: ${{ vars.SLACK_CHANNEL_ID }}
           webhook_url: ${{ secrets.SLACK_WEBHOOK_URL }}

.regal/config.yaml

@@ -34,4 +34,4 @@ rules:
 capabilities:
   from:
     engine: opa
-    version: v0.63.0
+    version: v0.69.0

.trivyignore.yaml

@@ -1,6 +1,9 @@
 # avd-gcp-0001を除外したい場合、大文字でAVD-GCP-0001と指定しないと除外できない
 # コードに`#trivy:ignore`コメントを追加することでも特定のルールチェックを行わないようにすることが可能
 misconfigurations:
+  # FIXME 以下の2つのチェックはTrivyバージョンアップ時に新たに追加されたチェックで後ほど対応予定
+  - id: AVD-GCP-0015
+  - id: AVD-GCP-0017
 
 secrets:
 

README.md

@@ -108,14 +108,14 @@ $ ./apply_destroy.sh destroy
 このプロジェクトの開発では以下のツールを利用しています。
 
 - [tfenv](https://github.com/tfutils/tfenv?tab=readme-ov-file#installation) v3.0.0
-- [TFLint](https://github.com/terraform-linters/tflint?tab=readme-ov-file#installation) 0.50.3
-- [pre-commit](https://pre-commit.com/#install) v3.7.0
-- [OPA](https://www.openpolicyagent.org/docs/latest/#1-download-opa) v0.64.1
-- [Regal](https://github.com/StyraInc/regal?tab=readme-ov-file#download-regal) v0.21.3
-- [Conftest](https://www.conftest.dev/install/) v0.51.0
+- [TFLint](https://github.com/terraform-linters/tflint?tab=readme-ov-file#installation) 0.54.0
+- [pre-commit](https://pre-commit.com/#install) v4.0.1
+- [OPA](https://www.openpolicyagent.org/docs/latest/#1-download-opa) v1.0.0
+- [Regal](https://github.com/StyraInc/regal?tab=readme-ov-file#download-regal) v0.29.2
+- [Conftest](https://www.conftest.dev/install/) v0.56.0
 - [Trivy](https://aquasecurity.github.io/trivy/latest/getting-started/installation/) v0.51.1
-- [jq](https://github.com/jqlang/jq?tab=readme-ov-file#installation) 1.6
-- [yq](https://github.com/mikefarah/yq?tab=readme-ov-file#install) 4.43.1
+- [jq](https://github.com/jqlang/jq?tab=readme-ov-file#installation) jq 1.7.1
+- [yq](https://github.com/mikefarah/yq?tab=readme-ov-file#install) v4.44.6
 
 各ツールのインストール手順は公式ドキュメントを参照してください。
 

scripts/README.md

@@ -56,9 +56,11 @@ $ gcloud components install beta
 $ cd /path/to/infra-testing-google-sample
 $ vi scripts/_config.sh
 # 以下の設定を記述
-#!/bin/bash
+#!/usr/bin/env bash
 
 # 組織のID
+# ORGとORG_DOMAINの値は以下のコマンドで確認できる
+# $ gcloud organizations list
 readonly ORG="123456789012"
 # 組織のドメイン
 readonly ORG_DOMAIN="foo-bar-12345.com"

scripts/_utils.sh

@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/env bash
 
 function join() {
   local IFS="$1"

scripts/check_test_matrix.sh

@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/env bash
 
 set -eu
 

scripts/conftest.sh

@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/env bash
 
 set -eu