fix

.github/actions/aws-apply/action.yaml

@@ -8,6 +8,12 @@ inputs:
   aws-role-arn:
     description: "ARN of the role to assume to update health check"
     required: true
+  gcp-project:
+    description: "GCP Project ID"
+    required: true
+  gcp-project-number:
+    description: "GCP Project Number"
+    required: true
   gh-token:
     description: "GitHub Token"
     required: true
@@ -17,6 +23,13 @@ runs:
   steps:
     - name: Setup Terraform
       uses: hashicorp/setup-terraform@v3
+    - name: Authenticate to Google Cloud # secret managerだけはGCPを使うため必要
+      uses: "google-github-actions/auth@v2"
+      with:
+        project_id: ${{ inputs.gcp-project }}
+        create_credentials_file: true
+        workload_identity_provider: "projects/${{ inputs.gcp-project-number }}/locations/global/workloadIdentityPools/pool/providers/repo-github-actions"
+        service_account: "terraform-github-actions@${{ inputs.gcp-project }}.iam.gserviceaccount.com"
     - name: configure-aws-credentials
       uses: aws-actions/configure-aws-credentials@master
       with:

.github/actions/aws-plan/action.yaml

@@ -8,6 +8,12 @@ inputs:
   aws-role-arn:
     description: "ARN of the role to assume to update health check"
     required: true
+  gcp-project:
+    description: "GCP Project ID"
+    required: true
+  gcp-project-number:
+    description: "GCP Project Number"
+    required: true
   gh-token:
     description: "GitHub Token"
     required: true
@@ -17,6 +23,13 @@ runs:
   steps:
     - name: Setup Terraform
       uses: hashicorp/setup-terraform@v3
+    - name: Authenticate to Google Cloud # secret managerだけはGCPを使うため必要
+      uses: "google-github-actions/auth@v2"
+      with:
+        project_id: ${{ inputs.gcp-project }}
+        create_credentials_file: true
+        workload_identity_provider: "projects/${{ inputs.gcp-project-number }}/locations/global/workloadIdentityPools/pool/providers/repo-github-actions"
+        service_account: "terraform-github-actions@${{ inputs.gcp-project }}.iam.gserviceaccount.com"
     - name: configure-aws-credentials
       uses: aws-actions/configure-aws-credentials@master
       with:

.github/workflows/prd-deploy.yaml

@@ -65,6 +65,8 @@ jobs:
           env: "production"
           aws-region: ${{ vars.AWS_REGION }}
           aws-role-arn: ${{ vars.AWS_GITHUB_ACTIONS_ROLE_ARN }}
+          gcp_project: ${{ vars.PRD_GCP_PROJECT }}
+          gcp_project_number: ${{ vars.PRD_GCP_PROJECT_NUMBER }}
           gh-token: ${{ secrets.GITHUB_TOKEN }}
   service-monitor:
     runs-on: ubuntu-latest

.github/workflows/stg-deploy.yaml

@@ -181,6 +181,8 @@ jobs:
           env: "staging"
           aws-region: ${{ vars.AWS_REGION }}
           aws-role-arn: ${{ vars.AWS_GITHUB_ACTIONS_ROLE_ARN }}
+          gcp_project: ${{ vars.STG_GCP_PROJECT }}
+          gcp_project_number: ${{ vars.STG_GCP_PROJECT_NUMBER }}
           gh-token: ${{ secrets.GITHUB_TOKEN }}
   aws-apply-main:
     runs-on: ubuntu-latest
@@ -195,4 +197,6 @@ jobs:
           env: "staging"
           aws-region: ${{ vars.AWS_REGION }}
           aws-role-arn: ${{ vars.AWS_GITHUB_ACTIONS_ROLE_ARN }}
+          gcp_project: ${{ vars.STG_GCP_PROJECT }}
+          gcp_project_number: ${{ vars.STG_GCP_PROJECT_NUMBER }}
           gh-token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/tf-plan.yaml

@@ -71,6 +71,8 @@ jobs:
           env: "production"
           aws-region: ${{ vars.AWS_REGION }}
           aws-role-arn: ${{ vars.AWS_GITHUB_ACTIONS_ROLE_ARN }}
+          gcp-project: ${{ vars.PRD_GCP_PROJECT }}
+          gcp-project-number: ${{ vars.PRD_GCP_PROJECT_NUMBER }}
           gh-token: ${{ secrets.GITHUB_TOKEN }}
   aws-plan-stg:
     runs-on: ubuntu-latest
@@ -85,4 +87,6 @@ jobs:
           env: "staging"
           aws-region: ${{ vars.AWS_REGION }}
           aws-role-arn: ${{ vars.AWS_GITHUB_ACTIONS_ROLE_ARN }}
+          gcp-project: ${{ vars.STG_GCP_PROJECT }}
+          gcp-project-number: ${{ vars.STG_GCP_PROJECT_NUMBER }}
           gh-token: ${{ secrets.GITHUB_TOKEN }}