From a3bf2b7c721e9e3d29dde03f76f91b9b94b8a5a8 Mon Sep 17 00:00:00 2001
From: Hexeong <123macanic@naver.com>
Date: Tue, 28 Apr 2026 15:27:42 +0900
Subject: [PATCH 01/18] =?UTF-8?q?fix:=20=EC=98=AC=EB=B0=94=EB=A5=B4?=
=?UTF-8?q?=EC=A7=80=20=EC=95=8A=EC=9D=80=20=EB=B2=84=ED=82=B7=EC=97=90=20?=
=?UTF-8?q?=EB=8C=80=ED=95=9C=20=EB=9E=8C=EB=8B=A4=20=EC=8B=A4=ED=96=89=20?=
=?UTF-8?q?=EA=B6=8C=ED=95=9C=20=EB=B6=80=EC=97=AC=20=EB=82=B4=EC=9A=A9=20?=
=?UTF-8?q?=EC=88=98=EC=A0=95?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
modules/shared_resources/lambda.tf | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/modules/shared_resources/lambda.tf b/modules/shared_resources/lambda.tf
index 2865d2f..e6248e3 100644
--- a/modules/shared_resources/lambda.tf
+++ b/modules/shared_resources/lambda.tf
@@ -44,7 +44,7 @@ resource "aws_lambda_permission" "allow_s3_resizing" {
action = "lambda:InvokeFunction"
function_name = aws_lambda_function.resizing_img_func.function_name
principal = "s3.amazonaws.com"
- source_arn = aws_s3_bucket.default.arn
+ source_arn = aws_s3_bucket.upload.arn
}
resource "aws_lambda_permission" "allow_s3_thumbnail" {
@@ -52,12 +52,12 @@ resource "aws_lambda_permission" "allow_s3_thumbnail" {
action = "lambda:InvokeFunction"
function_name = aws_lambda_function.thumbnail_generating_func.function_name
principal = "s3.amazonaws.com"
- source_arn = aws_s3_bucket.default.arn
+ source_arn = aws_s3_bucket.upload.arn
}
# 4. S3 Trigger Setting
resource "aws_s3_bucket_notification" "bucket_notification" {
- bucket = aws_s3_bucket.default.id
+ bucket = aws_s3_bucket.upload.id
lambda_function {
lambda_function_arn = aws_lambda_function.resizing_img_func.arn
From 29003a922144d0726890023590605a915ce6586f Mon Sep 17 00:00:00 2001
From: Hexeong <123macanic@naver.com>
Date: Tue, 28 Apr 2026 15:46:16 +0900
Subject: [PATCH 02/18] =?UTF-8?q?fix:=20=EA=B8=B0=EC=A1=B4=20AWS=20?=
=?UTF-8?q?=EC=8B=A4=EC=A0=9C=20resource=EC=97=90=20=EB=A7=9E=EC=A7=80=20?=
=?UTF-8?q?=EC=95=8A=EB=8A=94=20stage=20rds=20=EB=B6=80=EB=B6=84=EC=97=90?=
=?UTF-8?q?=20=EB=8C=80=ED=95=9C=20=EC=A0=95=EC=9D=98=20=EC=A0=9C=EA=B1=B0?=
=?UTF-8?q?=20-=20app=5Fstack=EC=97=90=EC=84=9C=20rds=20=EB=B6=80=EB=B6=84?=
=?UTF-8?q?=EC=97=90=20=EB=8C=80=ED=95=9C=20enable=5Frds=20=EB=B3=80?=
=?UTF-8?q?=EC=88=98=20=EC=84=A0=EC=96=B8=20-=20=EA=B7=B8=EC=97=90=20?=
=?UTF-8?q?=EB=94=B0=EB=A5=B8=20prod/stage=EC=97=90=20=EB=8C=80=ED=95=9C?=
=?UTF-8?q?=20rds=20=EC=A1=B4=EC=9E=AC=20=EC=97=AC=EB=B6=80=20=EC=84=A4?=
=?UTF-8?q?=EC=A0=95?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
environment/prod/provider.tf | 20 ++++++++++
environment/stage/main.tf | 30 ++++-----------
environment/stage/variables.tf | 55 ----------------------------
modules/app_stack/provider.tf | 7 ----
modules/app_stack/rds.tf | 8 ++--
modules/app_stack/security_groups.tf | 1 +
modules/app_stack/variables.tf | 14 +++++++
7 files changed, 48 insertions(+), 87 deletions(-)
diff --git a/environment/prod/provider.tf b/environment/prod/provider.tf
index 087653c..ff0b71f 100644
--- a/environment/prod/provider.tf
+++ b/environment/prod/provider.tf
@@ -1,3 +1,16 @@
+terraform {
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = ">= 5.0"
+ }
+ mysql = {
+ source = "petoju/mysql"
+ version = ">= 3.0"
+ }
+ }
+}
+
provider "aws" {
region = "ap-northeast-2"
default_tags {
@@ -7,3 +20,10 @@ provider "aws" {
}
}
}
+
+# MySQL Provider 설정 (SSH 터널링을 통해 로컬호스트로 접속)
+provider "mysql" {
+ endpoint = "127.0.0.1:3306"
+ username = var.db_root_username
+ password = var.db_root_password
+}
diff --git a/environment/stage/main.tf b/environment/stage/main.tf
index f5c999e..b71629d 100644
--- a/environment/stage/main.tf
+++ b/environment/stage/main.tf
@@ -13,40 +13,26 @@ module "stage_stack" {
# 키페어 및 접속 허용
key_name = var.key_name
-
+
# 인스턴스 스펙
- instance_type = var.server_instance_type
- db_instance_class = var.db_instance_class
+ instance_type = var.server_instance_type
+
+ # RDS 미사용 (Docker container로 대체)
+ enable_rds = false
# 보안 그룹 규칙
api_ingress_rules = var.api_ingress_rules
- db_ingress_rules = var.db_ingress_rules
-
- # RDS 식별자 설정
- rds_identifier = var.rds_identifier
-
- # DB 계정 정보
- db_username = var.db_root_username
- db_password = var.db_root_password
-
- # DB 엔진 및 암호화 설정
- db_engine_version = var.db_engine_version # MySQL 버전 지정
- db_parameter_group_name = var.db_parameter_group_name # MySQL 파라미터 그룹 지정
- kms_key_arn = var.kms_key_arn # KMS ARN 변수 전달
-
- # 추가 유저마다 다른 권한 부여
- additional_db_users = var.additional_db_users
# Nginx 및 도메인 설정
- domain_name = var.domain_name
- cert_email = var.cert_email
+ domain_name = var.domain_name
+ cert_email = var.cert_email
nginx_conf_name = var.nginx_conf_name
# ssh key 경로 전달
ssh_key_path = var.ssh_key_path
# Side Infra 관련 변수 전달
- work_dir = var.work_dir
+ work_dir = var.work_dir
alloy_env_name = var.alloy_env_name
redis_version = var.redis_version
diff --git a/environment/stage/variables.tf b/environment/stage/variables.tf
index 5245959..19d4ae7 100644
--- a/environment/stage/variables.tf
+++ b/environment/stage/variables.tf
@@ -8,11 +8,6 @@ variable "server_instance_type" {
type = string
}
-variable "db_instance_class" {
- description = "DB instance class for the stage environment"
- type = string
-}
-
variable "api_ingress_rules" {
description = "List of ingress rules for API Server"
type = list(object({
@@ -24,61 +19,11 @@ variable "api_ingress_rules" {
}))
}
-variable "db_ingress_rules" {
- description = "List of ingress rules for DB Server"
- type = list(object({
- from_port = number
- to_port = number
- protocol = string
- description = string
- }))
-}
-
-variable "rds_identifier" {
- description = "RDS identifier for the stage environment"
- type = string
-}
-
-variable "db_engine_version" {
- description = "MySQL engine version for the stage environment"
- type = string
-}
-
-variable "db_parameter_group_name" {
- description = "MySQL parameter group name for the stage environment"
- type = string
-}
-
-variable "db_root_username" {
- description = "DB Username for stage"
- type = string
-}
-
-variable "db_root_password" {
- description = "DB Password for stage"
- type = string
- sensitive = true
-}
-
-variable "additional_db_users" {
- description = "추가 DB 유저 및 권한 목록"
- type = map(object({
- password = string
- database = string
- privileges = list(string)
- }))
-}
-
variable "key_name" {
description = "Key pair name"
type = string
}
-variable "kms_key_arn" {
- description = "Existing KMS Key ARN for stage DB Encryption"
- type = string
-}
-
variable "domain_name" {
description = "Domain name for the stage environment"
type = string
diff --git a/modules/app_stack/provider.tf b/modules/app_stack/provider.tf
index b1a1d17..c756fdc 100644
--- a/modules/app_stack/provider.tf
+++ b/modules/app_stack/provider.tf
@@ -14,10 +14,3 @@ terraform {
}
}
}
-
-# MySQL Provider 설정 (SSH 터널링을 통해 로컬호스트로 접속 가정)
-provider "mysql" {
- endpoint = "127.0.0.1:3306"
- username = var.db_username
- password = var.db_password
-}
diff --git a/modules/app_stack/rds.tf b/modules/app_stack/rds.tf
index 8f484c1..47d4f0d 100644
--- a/modules/app_stack/rds.tf
+++ b/modules/app_stack/rds.tf
@@ -1,5 +1,7 @@
# 5. RDS
resource "aws_db_instance" "default" {
+ count = var.enable_rds ? 1 : 0
+
identifier = var.rds_identifier
allocated_storage = 20
engine = "mysql"
@@ -10,7 +12,7 @@ resource "aws_db_instance" "default" {
parameter_group_name = var.db_parameter_group_name
copy_tags_to_snapshot = true
skip_final_snapshot = true
- vpc_security_group_ids = [aws_security_group.db_sg.id]
+ vpc_security_group_ids = [aws_security_group.db_sg[count.index].id]
storage_encrypted = true
kms_key_id = var.kms_key_arn
@@ -22,7 +24,7 @@ resource "aws_db_instance" "default" {
# 6. MySQL 추가 유저 생성
resource "mysql_user" "users" {
- for_each = var.additional_db_users
+ for_each = var.enable_rds ? var.additional_db_users : {}
user = each.key
host = "%"
@@ -33,7 +35,7 @@ resource "mysql_user" "users" {
# 7. MySQL 권한 부여
resource "mysql_grant" "user_grants" {
- for_each = var.additional_db_users
+ for_each = var.enable_rds ? var.additional_db_users : {}
user = each.key
host = "%"
diff --git a/modules/app_stack/security_groups.tf b/modules/app_stack/security_groups.tf
index 5ec8b31..6607c6b 100644
--- a/modules/app_stack/security_groups.tf
+++ b/modules/app_stack/security_groups.tf
@@ -51,6 +51,7 @@ resource "aws_security_group" "api_sg" {
# 2. RDS용 보안 그룹 (API Server만 믿음)
resource "aws_security_group" "db_sg" {
+ count = var.enable_rds ? 1 : 0
name = "sc-${var.env_name}-db-sg"
description = "Security Group for RDS"
vpc_id = var.vpc_id
diff --git a/modules/app_stack/variables.tf b/modules/app_stack/variables.tf
index 68d1013..6623013 100644
--- a/modules/app_stack/variables.tf
+++ b/modules/app_stack/variables.tf
@@ -6,8 +6,15 @@ variable "instance_type" {
description = "EC2 인스턴스 타입"
}
+variable "enable_rds" {
+ description = "RDS 사용 여부"
+ type = bool
+ default = true
+}
+
variable "db_instance_class" {
description = "RDS 인스턴스 타입"
+ default = null
}
variable "api_ingress_rules" {
@@ -29,18 +36,21 @@ variable "db_ingress_rules" {
protocol = string
description = string
}))
+ default = []
}
# [DB 관련 추가 변수]
variable "db_username" {
description = "DB 마스터 사용자명"
type = string
+ default = ""
}
variable "db_password" {
description = "DB 마스터 비밀번호"
type = string
sensitive = true
+ default = ""
}
# 추가할 DB 유저 목록
@@ -57,21 +67,25 @@ variable "additional_db_users" {
variable "db_engine_version" {
description = "MySQL 엔진 버전"
type = string
+ default = null
}
variable "db_parameter_group_name" {
description = "MySQL 엔진 파라미터 그룹"
type = string
+ default = null
}
variable "rds_identifier" {
description = "RDS DB Identifier"
type = string
+ default = null
}
variable "kms_key_arn" {
description = "RDS 스토리지 암호화를 위한 KMS Key ARN"
type = string
+ default = null
}
variable "vpc_id" {
From 42a548452e220f45ed19a81e68973e0bb03d8455 Mon Sep 17 00:00:00 2001
From: Hexeong <123macanic@naver.com>
Date: Tue, 28 Apr 2026 17:21:16 +0900
Subject: [PATCH 03/18] =?UTF-8?q?feat:=20tfstate=20=EB=B2=84=ED=82=B7=20?=
=?UTF-8?q?=EA=B4=80=EB=A6=AC=20=EB=B0=8F=20Github=20Action=EC=9A=A9=20s3/?=
=?UTF-8?q?iam=20=EC=A0=95=EC=9D=98?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
bootstrap/iam.tf | 138 ++++++++++++++++++++++++++++++++++++++++++
bootstrap/outputs.tf | 17 ++++++
bootstrap/provider.tf | 21 +++++++
bootstrap/s3.tf | 56 +++++++++++++++++
4 files changed, 232 insertions(+)
create mode 100644 bootstrap/iam.tf
create mode 100644 bootstrap/outputs.tf
create mode 100644 bootstrap/provider.tf
create mode 100644 bootstrap/s3.tf
diff --git a/bootstrap/iam.tf b/bootstrap/iam.tf
new file mode 100644
index 0000000..af9c402
--- /dev/null
+++ b/bootstrap/iam.tf
@@ -0,0 +1,138 @@
+data "aws_caller_identity" "current" {}
+
+# =============================================
+# 개발자용 IAM Policy
+# =============================================
+
+# 로컬 terraform plan용: tfstate 읽기 + tflock 쓰기
+resource "aws_iam_policy" "developer_tfstate" {
+ name = "TerraformStateAccessPolicy"
+ description = "For local terraform plan: read tfstate + write/delete tflock"
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Effect = "Allow"
+ Action = ["s3:ListBucket"]
+ Resource = aws_s3_bucket.tfstate.arn
+ },
+ {
+ Effect = "Allow"
+ Action = ["s3:GetObject"]
+ Resource = "${aws_s3_bucket.tfstate.arn}/*"
+ },
+ {
+ Effect = "Allow"
+ Action = ["s3:PutObject", "s3:DeleteObject"]
+ Resource = "${aws_s3_bucket.tfstate.arn}/*.tfstate.tflock"
+ }
+ ]
+ })
+}
+
+# =============================================
+# GitHub Actions OIDC
+# =============================================
+
+resource "aws_iam_openid_connect_provider" "github" {
+ url = "https://token.actions.githubusercontent.com"
+ client_id_list = ["sts.amazonaws.com"]
+ thumbprint_list = ["6938fd4d98bab03faadb97b34396831e3780aea1"]
+}
+
+resource "aws_iam_role" "github_actions" {
+ name = "GitHubActionsTerraformRole"
+ description = "IAM Role for GitHub Actions terraform plan/apply via OIDC"
+
+ assume_role_policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [{
+ Effect = "Allow"
+ Principal = { Federated = aws_iam_openid_connect_provider.github.arn }
+ Action = "sts:AssumeRoleWithWebIdentity"
+ Condition = {
+ StringEquals = {
+ "token.actions.githubusercontent.com:aud" = "sts.amazonaws.com"
+ }
+ StringLike = {
+ "token.actions.githubusercontent.com:sub" = "repo:solid-connection/solid-connection-infra:*"
+ }
+ }
+ }]
+ })
+}
+
+# GitHub Actions: tfstate 버킷 전체 접근
+resource "aws_iam_policy" "github_actions_tfstate" {
+ name = "GitHubActionsTfstatePolicy"
+ description = "For GitHub Actions terraform apply: full access to tfstate bucket"
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [{
+ Effect = "Allow"
+ Action = [
+ "s3:ListBucket",
+ "s3:GetObject",
+ "s3:PutObject",
+ "s3:DeleteObject"
+ ]
+ Resource = [
+ aws_s3_bucket.tfstate.arn,
+ "${aws_s3_bucket.tfstate.arn}/*"
+ ]
+ }]
+ })
+}
+
+# GitHub Actions: AWS 인프라 관리 (terraform apply)
+resource "aws_iam_policy" "github_actions_infra" {
+ name = "GitHubActionsTerraformInfraPolicy"
+ description = "For GitHub Actions terraform apply: AWS infrastructure management"
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Effect = "Allow"
+ Action = [
+ "ec2:*",
+ "rds:*",
+ "s3:*",
+ "cloudfront:*",
+ "lambda:*",
+ "acm:*",
+ "kms:DescribeKey",
+ "kms:GenerateDataKey",
+ "kms:Decrypt",
+ "kms:CreateGrant",
+ "iam:PassRole",
+ "iam:GetRole",
+ "iam:CreateRole",
+ "iam:DeleteRole",
+ "iam:AttachRolePolicy",
+ "iam:DetachRolePolicy",
+ "iam:ListRolePolicies",
+ "iam:ListAttachedRolePolicies",
+ "logs:CreateLogGroup",
+ "logs:DeleteLogGroup",
+ "logs:DescribeLogGroups",
+ "logs:ListTagsLogGroup",
+ "logs:PutRetentionPolicy"
+ ]
+ Resource = "*"
+ }
+ ]
+ })
+}
+
+resource "aws_iam_role_policy_attachment" "github_actions_tfstate" {
+ role = aws_iam_role.github_actions.name
+ policy_arn = aws_iam_policy.github_actions_tfstate.arn
+}
+
+resource "aws_iam_role_policy_attachment" "github_actions_infra" {
+ role = aws_iam_role.github_actions.name
+ policy_arn = aws_iam_policy.github_actions_infra.arn
+}
diff --git a/bootstrap/outputs.tf b/bootstrap/outputs.tf
new file mode 100644
index 0000000..1e2e891
--- /dev/null
+++ b/bootstrap/outputs.tf
@@ -0,0 +1,17 @@
+output "tfstate_bucket_arn" {
+ value = aws_s3_bucket.tfstate.arn
+}
+
+output "tfstate_bucket_name" {
+ value = aws_s3_bucket.tfstate.bucket
+}
+
+output "developer_tfstate_policy_arn" {
+ description = "개발자 IAM 유저에 attach할 tfstate 접근 Policy ARN"
+ value = aws_iam_policy.developer_tfstate.arn
+}
+
+output "github_actions_role_arn" {
+ description = "GitHub Actions workflow에서 사용할 IAM Role ARN"
+ value = aws_iam_role.github_actions.arn
+}
diff --git a/bootstrap/provider.tf b/bootstrap/provider.tf
new file mode 100644
index 0000000..b37dadc
--- /dev/null
+++ b/bootstrap/provider.tf
@@ -0,0 +1,21 @@
+terraform {
+ required_version = ">= 1.10.0"
+
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = ">= 5.0"
+ }
+ }
+}
+
+provider "aws" {
+ region = "ap-northeast-2"
+
+ default_tags {
+ tags = {
+ Project = "solid-connection"
+ ManagedBy = "terraform"
+ }
+ }
+}
diff --git a/bootstrap/s3.tf b/bootstrap/s3.tf
new file mode 100644
index 0000000..09159fc
--- /dev/null
+++ b/bootstrap/s3.tf
@@ -0,0 +1,56 @@
+resource "aws_s3_bucket" "tfstate" {
+ bucket = "solid-connection-tfstate"
+
+ lifecycle {
+ prevent_destroy = true
+ }
+}
+
+resource "aws_s3_bucket_versioning" "tfstate" {
+ bucket = aws_s3_bucket.tfstate.id
+
+ versioning_configuration {
+ status = "Enabled"
+ }
+}
+
+resource "aws_s3_bucket_server_side_encryption_configuration" "tfstate" {
+ bucket = aws_s3_bucket.tfstate.id
+
+ rule {
+ apply_server_side_encryption_by_default {
+ sse_algorithm = "AES256"
+ }
+ }
+}
+
+resource "aws_s3_bucket_public_access_block" "tfstate" {
+ bucket = aws_s3_bucket.tfstate.id
+
+ block_public_acls = true
+ block_public_policy = true
+ ignore_public_acls = true
+ restrict_public_buckets = true
+}
+
+resource "aws_s3_bucket_policy" "tfstate" {
+ bucket = aws_s3_bucket.tfstate.id
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [{
+ Effect = "Deny"
+ Principal = "*"
+ Action = "s3:*"
+ Resource = [
+ aws_s3_bucket.tfstate.arn,
+ "${aws_s3_bucket.tfstate.arn}/*"
+ ]
+ Condition = {
+ Bool = { "aws:SecureTransport" = "false" }
+ }
+ }]
+ })
+
+ depends_on = [aws_s3_bucket_public_access_block.tfstate]
+}
From 1e3ab68520302914420166f70885c78641dab6cb Mon Sep 17 00:00:00 2001
From: Hexeong <123macanic@naver.com>
Date: Tue, 28 Apr 2026 18:30:14 +0900
Subject: [PATCH 04/18] =?UTF-8?q?feat:=20tfstate=20=ED=8C=8C=EC=9D=BC?=
=?UTF-8?q?=EB=93=A4=EC=97=90=20=EB=8C=80=ED=95=9C=20=EA=B4=80=EB=A6=AC?=
=?UTF-8?q?=EB=A5=BC=20S3=20=EB=B0=B1=EC=97=94=EB=93=9C=EB=A1=9C=20?=
=?UTF-8?q?=EB=B3=80=EA=B2=BD?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
bootstrap/provider.tf | 8 ++++++++
environment/global/provider.tf | 12 ++++++++++--
environment/monitoring/provider.tf | 23 +++++++++++++++++++++++
environment/prod/provider.tf | 10 ++++++++++
environment/stage/provider.tf | 19 +++++++++++++++++++
5 files changed, 70 insertions(+), 2 deletions(-)
diff --git a/bootstrap/provider.tf b/bootstrap/provider.tf
index b37dadc..4e85df5 100644
--- a/bootstrap/provider.tf
+++ b/bootstrap/provider.tf
@@ -7,6 +7,14 @@ terraform {
version = ">= 5.0"
}
}
+
+ backend "s3" {
+ bucket = "solid-connection-tfstate"
+ key = "env/bootstrap/terraform.tfstate"
+ region = "ap-northeast-2"
+ use_lockfile = true
+ encrypt = true
+ }
}
provider "aws" {
diff --git a/environment/global/provider.tf b/environment/global/provider.tf
index 38fdf1e..fe58799 100644
--- a/environment/global/provider.tf
+++ b/environment/global/provider.tf
@@ -1,12 +1,20 @@
terraform {
- required_version = ">= 1.0.0"
+ required_version = ">= 1.10.0"
required_providers {
aws = {
source = "hashicorp/aws"
- version = "~> 5.0"
+ version = ">= 5.0"
}
}
+
+ backend "s3" {
+ bucket = "solid-connection-tfstate"
+ key = "env/global/terraform.tfstate"
+ region = "ap-northeast-2"
+ use_lockfile = true
+ encrypt = true
+ }
}
provider "aws" {
diff --git a/environment/monitoring/provider.tf b/environment/monitoring/provider.tf
index 3c04703..08141c4 100644
--- a/environment/monitoring/provider.tf
+++ b/environment/monitoring/provider.tf
@@ -1,3 +1,26 @@
+terraform {
+ required_version = ">= 1.10.0"
+
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = ">= 5.0"
+ }
+ cloudinit = {
+ source = "hashicorp/cloudinit"
+ version = "~> 2.3"
+ }
+ }
+
+ backend "s3" {
+ bucket = "solid-connection-tfstate"
+ key = "env/monitoring/terraform.tfstate"
+ region = "ap-northeast-2"
+ use_lockfile = true
+ encrypt = true
+ }
+}
+
provider "aws" {
region = "ap-northeast-2"
default_tags {
diff --git a/environment/prod/provider.tf b/environment/prod/provider.tf
index ff0b71f..52f4aec 100644
--- a/environment/prod/provider.tf
+++ b/environment/prod/provider.tf
@@ -1,4 +1,6 @@
terraform {
+ required_version = ">= 1.10.0"
+
required_providers {
aws = {
source = "hashicorp/aws"
@@ -9,6 +11,14 @@ terraform {
version = ">= 3.0"
}
}
+
+ backend "s3" {
+ bucket = "solid-connection-tfstate"
+ key = "env/prod/terraform.tfstate"
+ region = "ap-northeast-2"
+ use_lockfile = true
+ encrypt = true
+ }
}
provider "aws" {
diff --git a/environment/stage/provider.tf b/environment/stage/provider.tf
index 87dc788..3f6b867 100644
--- a/environment/stage/provider.tf
+++ b/environment/stage/provider.tf
@@ -1,3 +1,22 @@
+terraform {
+ required_version = ">= 1.10.0"
+
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = ">= 5.0"
+ }
+ }
+
+ backend "s3" {
+ bucket = "solid-connection-tfstate"
+ key = "env/stage/terraform.tfstate"
+ region = "ap-northeast-2"
+ use_lockfile = true
+ encrypt = true
+ }
+}
+
provider "aws" {
region = "ap-northeast-2"
default_tags {
From 308b21d39641a180c83f30abdc41aa67e09df2f1 Mon Sep 17 00:00:00 2001
From: Hexeong <123macanic@naver.com>
Date: Tue, 28 Apr 2026 21:26:42 +0900
Subject: [PATCH 05/18] =?UTF-8?q?refactor:=20prod/stage=20=ED=99=98?=
=?UTF-8?q?=EA=B2=BD=20terraform=20=EC=BD=94=EB=93=9C=20=EC=B5=9C=EC=8B=A0?=
=?UTF-8?q?=ED=99=94?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
bootstrap/iam.tf | 18 ++++++++++++++++++
config/secrets | 2 +-
environment/prod/main.tf | 3 +++
environment/prod/variables.tf | 5 +++++
environment/stage/main.tf | 3 +++
environment/stage/variables.tf | 5 +++++
modules/app_stack/ec2.tf | 1 +
modules/app_stack/variables.tf | 6 ++++++
8 files changed, 42 insertions(+), 1 deletion(-)
diff --git a/bootstrap/iam.tf b/bootstrap/iam.tf
index af9c402..f1e2511 100644
--- a/bootstrap/iam.tf
+++ b/bootstrap/iam.tf
@@ -1,5 +1,18 @@
data "aws_caller_identity" "current" {}
+# =============================================
+# EC2 공유 IAM Role에 SSM 정책 부착
+# =============================================
+
+data "aws_iam_role" "ec2_shared" {
+ name = "SolidConnectionParameterStoreReadRole"
+}
+
+resource "aws_iam_role_policy_attachment" "ec2_ssm" {
+ role = data.aws_iam_role.ec2_shared.name
+ policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
+}
+
# =============================================
# 개발자용 IAM Policy
# =============================================
@@ -103,6 +116,11 @@ resource "aws_iam_policy" "github_actions_infra" {
"cloudfront:*",
"lambda:*",
"acm:*",
+ "ssm:StartSession",
+ "ssm:TerminateSession",
+ "ssm:DescribeSessions",
+ "ssm:GetConnectionStatus",
+ "ssm:DescribeInstanceInformation",
"kms:DescribeKey",
"kms:GenerateDataKey",
"kms:Decrypt",
diff --git a/config/secrets b/config/secrets
index 8e6a967..26908c3 160000
--- a/config/secrets
+++ b/config/secrets
@@ -1 +1 @@
-Subproject commit 8e6a96778a2977516ad0e7210fa7f24561b8f3e1
+Subproject commit 26908c36395083c99dbd1f20923d661ba8e0567e
diff --git a/environment/prod/main.tf b/environment/prod/main.tf
index 16d584d..320f5e4 100644
--- a/environment/prod/main.tf
+++ b/environment/prod/main.tf
@@ -11,6 +11,9 @@ module "prod_stack" {
ami_id = var.ami_id
+ # IAM Instance Profile (SSM + Parameter Store 접근)
+ ec2_iam_instance_profile = var.ec2_iam_instance_profile
+
# 키페어 및 접속 허용
key_name = var.key_name
diff --git a/environment/prod/variables.tf b/environment/prod/variables.tf
index 324438a..0a74365 100644
--- a/environment/prod/variables.tf
+++ b/environment/prod/variables.tf
@@ -1,3 +1,8 @@
+variable "ec2_iam_instance_profile" {
+ description = "EC2에 연결할 IAM Instance Profile 이름"
+ type = string
+}
+
variable "ami_id" {
description = "AMI ID for the prod environment"
type = string
diff --git a/environment/stage/main.tf b/environment/stage/main.tf
index b71629d..3f3e129 100644
--- a/environment/stage/main.tf
+++ b/environment/stage/main.tf
@@ -11,6 +11,9 @@ module "stage_stack" {
ami_id = var.ami_id
+ # IAM Instance Profile (SSM + Parameter Store 접근)
+ ec2_iam_instance_profile = var.ec2_iam_instance_profile
+
# 키페어 및 접속 허용
key_name = var.key_name
diff --git a/environment/stage/variables.tf b/environment/stage/variables.tf
index 19d4ae7..e432b29 100644
--- a/environment/stage/variables.tf
+++ b/environment/stage/variables.tf
@@ -1,3 +1,8 @@
+variable "ec2_iam_instance_profile" {
+ description = "EC2에 연결할 IAM Instance Profile 이름"
+ type = string
+}
+
variable "ami_id" {
description = "AMI ID for the stage environment"
type = string
diff --git a/modules/app_stack/ec2.tf b/modules/app_stack/ec2.tf
index 9b0d1c7..b49aa52 100644
--- a/modules/app_stack/ec2.tf
+++ b/modules/app_stack/ec2.tf
@@ -32,6 +32,7 @@ resource "aws_instance" "api_server" {
key_name = var.key_name
associate_public_ip_address = true
+ iam_instance_profile = var.ec2_iam_instance_profile
user_data_base64 = data.cloudinit_config.app_init.rendered
diff --git a/modules/app_stack/variables.tf b/modules/app_stack/variables.tf
index 6623013..33f8b1a 100644
--- a/modules/app_stack/variables.tf
+++ b/modules/app_stack/variables.tf
@@ -12,6 +12,12 @@ variable "enable_rds" {
default = true
}
+variable "ec2_iam_instance_profile" {
+ description = "EC2에 연결할 IAM Instance Profile 이름"
+ type = string
+ default = null
+}
+
variable "db_instance_class" {
description = "RDS 인스턴스 타입"
default = null
From bac30ef89eafcc7efa2008680a21387cd72b05ab Mon Sep 17 00:00:00 2001
From: Hexeong <123macanic@naver.com>
Date: Tue, 28 Apr 2026 21:27:53 +0900
Subject: [PATCH 06/18] =?UTF-8?q?feat:=20Github=20Action=20=EC=A0=95?=
=?UTF-8?q?=EC=9D=98=20-=20pr=EC=97=90=20=EB=8C=80=ED=95=9C=20terraform=20?=
=?UTF-8?q?plan=20=EA=B2=B0=EA=B3=BC=20=EC=83=9D=EC=84=B1=20-=20pr=20?=
=?UTF-8?q?=EB=A8=B8=EC=A7=80=EC=97=90=20=EB=8C=80=ED=95=9C=20terraform=20?=
=?UTF-8?q?apply=20=EC=9E=A1=20=EC=83=9D=EC=84=B1=20-=20coderabbitai?=
=?UTF-8?q?=EC=97=90=20=EB=8C=80=ED=95=9C=20=EC=9E=90=EB=8F=99=20=EC=BD=94?=
=?UTF-8?q?=EB=93=9C=20=EB=A6=AC=EB=B7=B0=20=EB=B9=84=ED=99=9C=EC=84=B1?=
=?UTF-8?q?=ED=99=94=20=EB=B0=8F=20terraform=20plan=20=EC=9D=B4=ED=9B=84?=
=?UTF-8?q?=20=EC=BD=94=EB=93=9C=20=EB=A6=AC=EB=B7=B0=20=ED=8A=B8=EB=A6=AC?=
=?UTF-8?q?=EA=B1=B0=20=EB=B0=9C=EB=8F=99?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
.coderabbit.yaml | 18 ++
.github/workflows/terraform-apply.yml | 203 +++++++++++++++++
.github/workflows/terraform-plan.yml | 314 ++++++++++++++++++++++++++
3 files changed, 535 insertions(+)
create mode 100644 .coderabbit.yaml
create mode 100644 .github/workflows/terraform-apply.yml
create mode 100644 .github/workflows/terraform-plan.yml
diff --git a/.coderabbit.yaml b/.coderabbit.yaml
new file mode 100644
index 0000000..384a507
--- /dev/null
+++ b/.coderabbit.yaml
@@ -0,0 +1,18 @@
+language: ko-KR
+
+reviews:
+ auto_review:
+ enabled: false
+
+ path_instructions:
+ - path: "**/*.tf"
+ instructions: |
+ 이 PR의 Terraform 코드 변경을 리뷰합니다.
+ PR 댓글에 올라온 각 환경의 "Terraform Plan" 결과를 반드시 확인하고, 코드 변경과 plan 결과가 일치하는지 검토하세요.
+
+ 다음 항목을 중점적으로 검토하세요:
+ - plan에 예상치 못한 resource destroy 또는 replace가 포함된 경우
+ - 보안 그룹(Security Group) 인바운드/아웃바운드 규칙 변경
+ - IAM 권한이 과도하게 부여된 경우 (최소 권한 원칙)
+ - 민감한 값(비밀번호, 키 등)이 코드에 하드코딩된 경우
+ - `lifecycle.ignore_changes` 설정이 의도에 맞게 사용되었는지
diff --git a/.github/workflows/terraform-apply.yml b/.github/workflows/terraform-apply.yml
new file mode 100644
index 0000000..c86e266
--- /dev/null
+++ b/.github/workflows/terraform-apply.yml
@@ -0,0 +1,203 @@
+name: Terraform Apply
+
+on:
+ push:
+ branches: [main]
+
+permissions:
+ id-token: write
+ contents: read
+
+env:
+ TF_VERSION: "1.10.5"
+
+jobs:
+ detect-changes:
+ runs-on: ubuntu-latest
+ outputs:
+ bootstrap: ${{ steps.filter.outputs.bootstrap }}
+ global: ${{ steps.filter.outputs.global }}
+ prod: ${{ steps.filter.outputs.prod }}
+ stage: ${{ steps.filter.outputs.stage }}
+ monitoring: ${{ steps.filter.outputs.monitoring }}
+ steps:
+ - uses: actions/checkout@v4
+ - uses: dorny/paths-filter@v3
+ id: filter
+ with:
+ filters: |
+ bootstrap:
+ - 'bootstrap/**'
+ global:
+ - 'environment/global/**'
+ - 'modules/shared_resources/**'
+ prod:
+ - 'environment/prod/**'
+ - 'modules/app_stack/**'
+ - 'modules/common/**'
+ stage:
+ - 'environment/stage/**'
+ - 'modules/app_stack/**'
+ - 'modules/common/**'
+ monitoring:
+ - 'environment/monitoring/**'
+ - 'modules/monitoring_stack/**'
+ - 'modules/common/**'
+
+ apply-bootstrap:
+ needs: detect-changes
+ if: needs.detect-changes.outputs.bootstrap == 'true'
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ submodules: recursive
+ token: ${{ secrets.GH_PAT }}
+ - uses: aws-actions/configure-aws-credentials@v4
+ with:
+ role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
+ aws-region: ap-northeast-2
+ - uses: hashicorp/setup-terraform@v3
+ with:
+ terraform_version: ${{ env.TF_VERSION }}
+ terraform_wrapper: false
+ - name: Terraform Init
+ working-directory: bootstrap
+ run: terraform init
+ - name: Terraform Apply
+ working-directory: bootstrap
+ run: terraform apply -auto-approve
+
+ apply-global:
+ needs: detect-changes
+ if: needs.detect-changes.outputs.global == 'true'
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ submodules: recursive
+ token: ${{ secrets.GH_PAT }}
+ - uses: aws-actions/configure-aws-credentials@v4
+ with:
+ role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
+ aws-region: ap-northeast-2
+ - uses: hashicorp/setup-terraform@v3
+ with:
+ terraform_version: ${{ env.TF_VERSION }}
+ terraform_wrapper: false
+ - name: Terraform Init
+ working-directory: environment/global
+ run: terraform init
+ - name: Terraform Apply
+ working-directory: environment/global
+ run: |
+ terraform apply -auto-approve \
+ -var-file="../../config/secrets/shared_resources.tfvars"
+
+ apply-prod:
+ needs: detect-changes
+ if: needs.detect-changes.outputs.prod == 'true'
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ submodules: recursive
+ token: ${{ secrets.GH_PAT }}
+ - uses: aws-actions/configure-aws-credentials@v4
+ with:
+ role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
+ aws-region: ap-northeast-2
+ - uses: hashicorp/setup-terraform@v3
+ with:
+ terraform_version: ${{ env.TF_VERSION }}
+ terraform_wrapper: false
+ - name: Install Session Manager Plugin
+ run: |
+ curl -sL "https://s3.amazonaws.com/session-manager-downloads/plugin/latest/ubuntu_64bit/session-manager-plugin.deb" -o session-manager-plugin.deb
+ sudo dpkg -i session-manager-plugin.deb
+ - name: Start SSM Tunnel to RDS
+ run: |
+ EC2_ID=$(aws ec2 describe-instances \
+ --filters "Name=tag:Name,Values=solid-connection-server-prod" "Name=instance-state-name,Values=running" \
+ --query 'Reservations[0].Instances[0].InstanceId' \
+ --output text)
+
+ RDS_HOST=$(aws rds describe-db-instances \
+ --query 'DBInstances[?contains(DBInstanceIdentifier, `prod`)].Endpoint.Address | [0]' \
+ --output text)
+
+ echo "Tunneling via $EC2_ID -> $RDS_HOST:3306"
+
+ aws ssm start-session \
+ --target "$EC2_ID" \
+ --document-name AWS-StartPortForwardingSessionToRemoteHost \
+ --parameters "{\"host\":[\"$RDS_HOST\"],\"portNumber\":[\"3306\"],\"localPortNumber\":[\"3306\"]}" &
+ echo "SSM_PID=$!" >> $GITHUB_ENV
+
+ timeout 30 bash -c 'until nc -z 127.0.0.1 3306 2>/dev/null; do sleep 1; done'
+ echo "SSM tunnel ready"
+ - name: Terraform Init
+ working-directory: environment/prod
+ run: terraform init
+ - name: Terraform Apply
+ working-directory: environment/prod
+ run: |
+ terraform apply -auto-approve \
+ -var-file="../../config/secrets/prod.tfvars" \
+ -var-file="../../config/secrets/app_stack.tfvars"
+ - name: Stop SSM Tunnel
+ if: always()
+ run: kill $SSM_PID 2>/dev/null || true
+
+ apply-stage:
+ needs: detect-changes
+ if: needs.detect-changes.outputs.stage == 'true'
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ submodules: recursive
+ token: ${{ secrets.GH_PAT }}
+ - uses: aws-actions/configure-aws-credentials@v4
+ with:
+ role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
+ aws-region: ap-northeast-2
+ - uses: hashicorp/setup-terraform@v3
+ with:
+ terraform_version: ${{ env.TF_VERSION }}
+ terraform_wrapper: false
+ - name: Terraform Init
+ working-directory: environment/stage
+ run: terraform init
+ - name: Terraform Apply
+ working-directory: environment/stage
+ run: |
+ terraform apply -auto-approve \
+ -var-file="../../config/secrets/stage.tfvars" \
+ -var-file="../../config/secrets/app_stack.tfvars"
+
+ apply-monitoring:
+ needs: detect-changes
+ if: needs.detect-changes.outputs.monitoring == 'true'
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ submodules: recursive
+ token: ${{ secrets.GH_PAT }}
+ - uses: aws-actions/configure-aws-credentials@v4
+ with:
+ role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
+ aws-region: ap-northeast-2
+ - uses: hashicorp/setup-terraform@v3
+ with:
+ terraform_version: ${{ env.TF_VERSION }}
+ terraform_wrapper: false
+ - name: Terraform Init
+ working-directory: environment/monitoring
+ run: terraform init
+ - name: Terraform Apply
+ working-directory: environment/monitoring
+ run: |
+ terraform apply -auto-approve \
+ -var-file="../../config/secrets/monitoring.tfvars"
diff --git a/.github/workflows/terraform-plan.yml b/.github/workflows/terraform-plan.yml
new file mode 100644
index 0000000..7b9303d
--- /dev/null
+++ b/.github/workflows/terraform-plan.yml
@@ -0,0 +1,314 @@
+name: Terraform Plan
+
+on:
+ pull_request:
+ branches: [main]
+
+permissions:
+ id-token: write
+ contents: read
+ pull-requests: write
+
+env:
+ TF_VERSION: "1.10.5"
+
+jobs:
+ detect-changes:
+ runs-on: ubuntu-latest
+ outputs:
+ bootstrap: ${{ steps.filter.outputs.bootstrap }}
+ global: ${{ steps.filter.outputs.global }}
+ prod: ${{ steps.filter.outputs.prod }}
+ stage: ${{ steps.filter.outputs.stage }}
+ monitoring: ${{ steps.filter.outputs.monitoring }}
+ steps:
+ - uses: actions/checkout@v4
+ - uses: dorny/paths-filter@v3
+ id: filter
+ with:
+ filters: |
+ bootstrap:
+ - 'bootstrap/**'
+ global:
+ - 'environment/global/**'
+ - 'modules/shared_resources/**'
+ prod:
+ - 'environment/prod/**'
+ - 'modules/app_stack/**'
+ - 'modules/common/**'
+ stage:
+ - 'environment/stage/**'
+ - 'modules/app_stack/**'
+ - 'modules/common/**'
+ monitoring:
+ - 'environment/monitoring/**'
+ - 'modules/monitoring_stack/**'
+ - 'modules/common/**'
+
+ plan-bootstrap:
+ needs: detect-changes
+ if: needs.detect-changes.outputs.bootstrap == 'true'
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ submodules: recursive
+ token: ${{ secrets.GH_PAT }}
+ - uses: aws-actions/configure-aws-credentials@v4
+ with:
+ role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
+ aws-region: ap-northeast-2
+ - uses: hashicorp/setup-terraform@v3
+ with:
+ terraform_version: ${{ env.TF_VERSION }}
+ terraform_wrapper: false
+ - name: Terraform Init
+ working-directory: bootstrap
+ run: terraform init
+ - name: Terraform Plan
+ id: plan
+ working-directory: bootstrap
+ run: |
+ terraform plan -no-color 2>&1 | tee plan_output.txt
+ echo "exitcode=${PIPESTATUS[0]}" >> $GITHUB_OUTPUT
+ - name: Post Plan Comment
+ uses: actions/github-script@v7
+ with:
+ script: |
+ const fs = require('fs');
+ const output = fs.readFileSync('bootstrap/plan_output.txt', 'utf8');
+ const truncated = output.length > 60000 ? output.substring(0, 60000) + '\n...(truncated)' : output;
+ github.rest.issues.createComment({
+ issue_number: context.issue.number,
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ body: `## Terraform Plan: \`bootstrap\`\nShow Plan
\n\n\`\`\`\n${truncated}\n\`\`\`\nShow Plan
\n\n\`\`\`\n${truncated}\n\`\`\`\nShow Plan
\n\n\`\`\`\n${truncated}\n\`\`\`\nShow Plan
\n\n\`\`\`\n${truncated}\n\`\`\`\nShow Plan
\n\n\`\`\`\n${truncated}\n\`\`\`\nShow Plan
\n\n\`\`\`\n${truncated}\n\`\`\`\nShow Plan
\n\n\`\`\`\n${truncated}\n\`\`\`\nShow Plan
\n\n\`\`\`\n${truncated}\n\`\`\`\nShow Plan
\n\n\`\`\`\n${truncated}\n\`\`\`\nShow Plan
\n\n\`\`\`\n${truncated}\n\`\`\`\n