From a36905037781fe0cb6a24d98223587c55b086e45 Mon Sep 17 00:00:00 2001 From: Yeonri Date: Tue, 5 May 2026 21:27:04 +0900 Subject: [PATCH] =?UTF-8?q?refactor:=20Parameter=20Store=20=EA=B8=B0?= =?UTF-8?q?=EB=B0=98=20Terraform=20=EC=9E=85=EB=A0=A5=EA=B0=92=20=EC=A0=84?= =?UTF-8?q?=ED=99=98?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .github/workflows/terraform-apply.yml | 26 +----- .github/workflows/terraform-plan.yml | 26 +----- environment/global/main.tf | 26 +++--- environment/global/ssm.tf | 66 +++++++++++++ environment/global/variables.tf | 61 ------------ environment/monitoring/main.tf | 20 ++-- environment/monitoring/ssm.tf | 46 +++++++++ environment/monitoring/variables.tf | 45 --------- environment/prod/main.tf | 54 +++++------ environment/prod/provider.tf | 4 +- environment/prod/ssm.tf | 124 ++++++++++++++++++++++++ environment/prod/variables.tf | 130 -------------------------- environment/stage/main.tf | 34 +++---- environment/stage/ssm.tf | 77 +++++++++++++++ environment/stage/variables.tf | 75 --------------- 15 files changed, 390 insertions(+), 424 deletions(-) create mode 100644 environment/global/ssm.tf delete mode 100644 environment/global/variables.tf create mode 100644 environment/monitoring/ssm.tf delete mode 100644 environment/monitoring/variables.tf create mode 100644 environment/prod/ssm.tf delete mode 100644 environment/prod/variables.tf create mode 100644 environment/stage/ssm.tf delete mode 100644 environment/stage/variables.tf diff --git a/.github/workflows/terraform-apply.yml b/.github/workflows/terraform-apply.yml index c197776..c9f712c 100644 --- a/.github/workflows/terraform-apply.yml +++ b/.github/workflows/terraform-apply.yml 
@@ -35,25 +35,18 @@ jobs: global: - 'environment/global/**' - 'modules/shared_resources/**' - - 'config/secrets/shared_resources.tfvars' prod: - 'environment/prod/**' - 'modules/app_stack/**' - 'modules/common/**' - - 'config/secrets/prod.tfvars' - - 'config/secrets/app_stack.tfvars' stage: - 'environment/stage/**' - 'modules/app_stack/**' - 'modules/common/**' - - 'config/secrets/stage.tfvars' - - 'config/secrets/app_stack.tfvars' monitoring: - 'environment/monitoring/**' - 'modules/monitoring_stack/**' - 'modules/common/**' - - 'config/secrets/monitoring.tfvars' - - 'config/secrets/monitoring_stack.tfvars' apply-bootstrap: needs: detect-changes @@ -106,9 +99,7 @@ jobs: run: terraform init - name: Terraform Apply working-directory: environment/global - run: | - terraform apply -auto-approve \ - -var-file="../../config/secrets/shared_resources.tfvars" + run: terraform apply -auto-approve apply-prod: needs: [detect-changes, apply-bootstrap] @@ -198,10 +189,7 @@ jobs: run: terraform init - name: Terraform Apply working-directory: environment/prod - run: | - terraform apply -auto-approve \ - -var-file="../../config/secrets/prod.tfvars" \ - -var-file="../../config/secrets/app_stack.tfvars" + run: terraform apply -auto-approve - name: Stop SSM Tunnel if: always() run: kill $SSM_PID 2>/dev/null || true @@ -232,10 +220,7 @@ jobs: run: terraform init - name: Terraform Apply working-directory: environment/stage - run: | - terraform apply -auto-approve \ - -var-file="../../config/secrets/stage.tfvars" \ - -var-file="../../config/secrets/app_stack.tfvars" + run: terraform apply -auto-approve apply-monitoring: needs: [detect-changes, apply-bootstrap] @@ -263,7 +248,4 @@ jobs: run: terraform init - name: Terraform Apply working-directory: environment/monitoring - run: | - terraform apply -auto-approve \ - -var-file="../../config/secrets/monitoring.tfvars" \ - -var-file="../../config/secrets/monitoring_stack.tfvars" + run: terraform apply -auto-approve 
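Review bot: Each `run: terraform apply -auto-approve` step now computes a fresh plan from whatever is in Parameter Store at apply time, so the applied change can differ from the plan that was reviewed if a parameter was edited in between, and nothing in the job records which parameter values were used. At the same time the `config/secrets/*.tfvars` path filters were dropped from `detect-changes`, so a parameter-only change never triggers a run on its own and is instead applied silently as a side effect of the next unrelated commit to that environment. A cheap improvement is to write and apply a saved plan in the same job so the log shows exactly what was applied: `terraform plan -input=false -out=tfplan` followed by `terraform apply -input=false -auto-approve tfplan`. Whether a manual or scheduled drift run exists is not visible in this hunk; if not, one is needed now that inputs live outside git.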
diff --git a/.github/workflows/terraform-plan.yml b/.github/workflows/terraform-plan.yml index 870f6e3..acb2cda 100644 --- a/.github/workflows/terraform-plan.yml +++ b/.github/workflows/terraform-plan.yml @@ -36,25 +36,18 @@ jobs: global: - 'environment/global/**' - 'modules/shared_resources/**' - - 'config/secrets/shared_resources.tfvars' prod: - 'environment/prod/**' - 'modules/app_stack/**' - 'modules/common/**' - - 'config/secrets/prod.tfvars' - - 'config/secrets/app_stack.tfvars' stage: - 'environment/stage/**' - 'modules/app_stack/**' - 'modules/common/**' - - 'config/secrets/stage.tfvars' - - 'config/secrets/app_stack.tfvars' monitoring: - 'environment/monitoring/**' - 'modules/monitoring_stack/**' - 'modules/common/**' - - 'config/secrets/monitoring.tfvars' - - 'config/secrets/monitoring_stack.tfvars' plan-bootstrap: needs: detect-changes @@ -141,9 +134,7 @@ jobs: id: plan working-directory: environment/global run: | - terraform plan -no-color \ - -var-file="../../config/secrets/shared_resources.tfvars" \ - 2>&1 | tee plan_output.txt + terraform plan -no-color 2>&1 | tee plan_output.txt echo "exitcode=${PIPESTATUS[0]}" >> $GITHUB_OUTPUT - name: Upload Plan Artifact if: always() @@ -267,10 +258,7 @@ jobs: id: plan working-directory: environment/prod run: | - terraform plan -no-color \ - -var-file="../../config/secrets/prod.tfvars" \ - -var-file="../../config/secrets/app_stack.tfvars" \ - 2>&1 | tee plan_output.txt + terraform plan -no-color 2>&1 | tee plan_output.txt echo "exitcode=${PIPESTATUS[0]}" >> $GITHUB_OUTPUT - name: Stop SSM Tunnel if: always() @@ -334,10 +322,7 @@ jobs: id: plan working-directory: environment/stage run: | - terraform plan -no-color \ - -var-file="../../config/secrets/stage.tfvars" \ - -var-file="../../config/secrets/app_stack.tfvars" \ - 2>&1 | tee plan_output.txt + terraform plan -no-color 2>&1 | tee plan_output.txt echo "exitcode=${PIPESTATUS[0]}" >> $GITHUB_OUTPUT - name: Upload Plan Artifact if: always() 
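Review bot: The prod plan step (`terraform plan -no-color 2>&1 | tee plan_output.txt`, then "Upload Plan Artifact") now resolves its inputs from Parameter Store at plan time, including the SecureString DB credentials that `environment/prod/ssm.tf` reads with `with_decryption = true`, so the role this job assumes needs `ssm:GetParameter` on those paths plus `kms:Decrypt` on their key, and any of those values Terraform does not treat as sensitive ends up verbatim in the uploaded artifact. The workflow trigger is outside this hunk; if plans run for pull requests, the plan role now effectively grants PR authors read access to prod secrets, which the old `-var-file` approach did not add beyond what the repo already exposed. Scope the plan role to the exact `/solid-connection/infra/<env>/*` paths each job reads rather than the whole tree, pass `-input=false` so a missing parameter fails fast instead of prompting, and treat `plan_output.txt` as a sensitive artifact with a short retention.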
@@ -398,10 +383,7 @@ jobs: id: plan working-directory: environment/monitoring run: | - terraform plan -no-color \ - -var-file="../../config/secrets/monitoring.tfvars" \ - -var-file="../../config/secrets/monitoring_stack.tfvars" \ - 2>&1 | tee plan_output.txt + terraform plan -no-color 2>&1 | tee plan_output.txt echo "exitcode=${PIPESTATUS[0]}" >> $GITHUB_OUTPUT - name: Upload Plan Artifact if: always() diff --git a/environment/global/main.tf b/environment/global/main.tf index 5701eb6..4ff0b8a 100644 --- a/environment/global/main.tf +++ b/environment/global/main.tf 
@@ -2,22 +2,22 @@ module "shared_resources" { source = "../../modules/shared_resources" providers = { - aws = aws + aws = aws } - s3_upload_bucket_name = var.s3_upload_bucket_name + s3_upload_bucket_name = local.s3_upload_bucket_name - resizing_img_func_name = var.resizing_img_func_name - resizing_img_func_role = var.resizing_img_func_role - resizing_img_func_handler = var.resizing_img_func_handler - resizing_img_func_runtime = var.resizing_img_func_runtime - resizing_img_func_layers = var.resizing_img_func_layers + resizing_img_func_name = local.resizing_img_func_name + resizing_img_func_role = local.resizing_img_func_role + resizing_img_func_handler = local.resizing_img_func_handler + resizing_img_func_runtime = local.resizing_img_func_runtime + resizing_img_func_layers = local.resizing_img_func_layers - thumbnail_generating_func_name = var.thumbnail_generating_func_name - thumbnail_generating_func_role = var.thumbnail_generating_func_role - thumbnail_generating_func_handler = var.thumbnail_generating_func_handler - thumbnail_generating_func_runtime = var.thumbnail_generating_func_runtime - thumbnail_generating_func_layers = var.thumbnail_generating_func_layers + thumbnail_generating_func_name = local.thumbnail_generating_func_name + thumbnail_generating_func_role = local.thumbnail_generating_func_role + thumbnail_generating_func_handler = local.thumbnail_generating_func_handler + thumbnail_generating_func_runtime = local.thumbnail_generating_func_runtime + thumbnail_generating_func_layers = local.thumbnail_generating_func_layers - upload_cdn_web_acl_id = var.upload_cdn_web_acl_id + upload_cdn_web_acl_id = local.upload_cdn_web_acl_id } diff --git a/environment/global/ssm.tf b/environment/global/ssm.tf new file mode 100644 index 0000000..7530390 --- /dev/null +++ b/environment/global/ssm.tf 
@@ -0,0 +1,66 @@ +locals { + parameter_prefix = "/solid-connection/infra/global" +} + +data "aws_ssm_parameter" "s3_upload_bucket_name" { + name = "${local.parameter_prefix}/s3-upload-bucket-name" +} + +data "aws_ssm_parameter" "upload_cdn_web_acl_id" { + name = "${local.parameter_prefix}/upload-cdn-web-acl-id" +} + +data "aws_ssm_parameter" "resizing_img_func_name" { + name = "${local.parameter_prefix}/resizing-img-func-name" +} + +data "aws_ssm_parameter" "resizing_img_func_role" { + name = "${local.parameter_prefix}/resizing-img-func-role" +} + +data "aws_ssm_parameter" "resizing_img_func_handler" { + name = "${local.parameter_prefix}/resizing-img-func-handler" +} + +data "aws_ssm_parameter" "resizing_img_func_runtime" { + name = "${local.parameter_prefix}/resizing-img-func-runtime" +} + +data "aws_ssm_parameter" "resizing_img_func_layers" { + name = "${local.parameter_prefix}/resizing-img-func-layers" +} + +data "aws_ssm_parameter" "thumbnail_generating_func_name" { + name = "${local.parameter_prefix}/thumbnail-generating-func-name" +} + +data "aws_ssm_parameter" "thumbnail_generating_func_role" { + name = "${local.parameter_prefix}/thumbnail-generating-func-role" +} + +data "aws_ssm_parameter" "thumbnail_generating_func_handler" { + name = "${local.parameter_prefix}/thumbnail-generating-func-handler" +} + +data "aws_ssm_parameter" "thumbnail_generating_func_runtime" { + name = "${local.parameter_prefix}/thumbnail-generating-func-runtime" +} + +data "aws_ssm_parameter" "thumbnail_generating_func_layers" { + name = "${local.parameter_prefix}/thumbnail-generating-func-layers" +} + +locals { + s3_upload_bucket_name = data.aws_ssm_parameter.s3_upload_bucket_name.value + upload_cdn_web_acl_id = data.aws_ssm_parameter.upload_cdn_web_acl_id.value + resizing_img_func_name = data.aws_ssm_parameter.resizing_img_func_name.value + resizing_img_func_role = data.aws_ssm_parameter.resizing_img_func_role.value + resizing_img_func_handler = 
data.aws_ssm_parameter.resizing_img_func_handler.value + resizing_img_func_runtime = data.aws_ssm_parameter.resizing_img_func_runtime.value + resizing_img_func_layers = jsondecode(data.aws_ssm_parameter.resizing_img_func_layers.value) + thumbnail_generating_func_name = data.aws_ssm_parameter.thumbnail_generating_func_name.value + thumbnail_generating_func_role = data.aws_ssm_parameter.thumbnail_generating_func_role.value + thumbnail_generating_func_handler = data.aws_ssm_parameter.thumbnail_generating_func_handler.value + thumbnail_generating_func_runtime = data.aws_ssm_parameter.thumbnail_generating_func_runtime.value + thumbnail_generating_func_layers = jsondecode(data.aws_ssm_parameter.thumbnail_generating_func_layers.value) +} diff --git a/environment/global/variables.tf b/environment/global/variables.tf deleted file mode 100644 index b994d24..0000000 --- a/environment/global/variables.tf +++ /dev/null 
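Review bot: `resizing-img-func-role`, `thumbnail-generating-func-role` and `upload-cdn-web-acl-id` are privilege-bearing inputs (the IAM role the Lambdas execute as and the WAF ACL in front of the upload CDN), and this file moves them from a code-reviewed tfvars file to plain String parameters, so anyone with `ssm:PutParameter` on `/solid-connection/infra/global/*` can swap the Lambda role or detach the WAF ACL without a pull request; the write side of that prefix needs the same access control as the Terraform state. Add a header comment above `parameter_prefix` saying so, e.g. `# Write access to this prefix changes the Lambda execution role and CDN WAF ACL; restrict it to the Terraform deploy role.` Separately, the deleted variables.tf enforced `list(string)` for the two layer lists, while `jsondecode(...)` accepts any JSON shape; `resizing_img_func_layers = [for l in jsondecode(data.aws_ssm_parameter.resizing_img_func_layers.value) : tostring(l)]` (and the same for thumbnail) restores that contract so a malformed parameter fails here with a clear message instead of inside the module.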
@@ -1,61 +0,0 @@ -# [S3 버킷 관련 변수] -variable "s3_upload_bucket_name" { - description = "Name of the upload S3 bucket" - type = string -} - -# [Lambda 관련 변수] -variable "resizing_img_func_name" { - description = "Image Resizing function name for uploaded s3 file" - type = string -} - -variable "resizing_img_func_role" { - description = "Image Resizing function role for uploaded s3 file" - type = string -} - -variable "resizing_img_func_handler" { - description = "Image Resizing function handler for uploaded s3 file" - type = string -} - -variable "resizing_img_func_runtime" { - description = "Image Resizing function runtime for uploaded s3 file" - type = string -} - -variable "thumbnail_generating_func_name" { - description = "Thumbnail generating function name for uploaded s3 file" - type = string -} - -variable "thumbnail_generating_func_role" { - description = "Thumbnail generating function role for uploaded s3 file" - type = string -} - -variable "thumbnail_generating_func_handler" { - description = "Thumbnail generating function handler for uploaded s3 file" - type = string -} - -variable "thumbnail_generating_func_runtime" { - description = "Thumbnail generating function runtime for uploaded s3 file" - type = string -} - -variable "resizing_img_func_layers" { - description = "Layers For Image Resizing func" - type = list(string) -} - -variable "thumbnail_generating_func_layers" { - description = "Layers For Image Resizing func" - type = list(string) -} - -variable "upload_cdn_web_acl_id" { - description = "WAF Web ACL Id for Upload Cloudfront CDN" - type = string -} diff --git a/environment/monitoring/main.tf b/environment/monitoring/main.tf index 778cd4d..715520f 100644 --- a/environment/monitoring/main.tf +++ b/environment/monitoring/main.tf 
@@ -7,23 +7,23 @@ module "monitoring_stack" { # 기존 app_stack 모듈을 재사용하거나, 모니터링 전용 모듈이 있다면 경로 수정 source = "../../modules/monitoring_stack" - env_name = "monitoring" - vpc_id = data.aws_vpc.default.id + env_name = "monitoring" + vpc_id = data.aws_vpc.default.id - ami_id = var.ami_id + ami_id = local.ami_id - key_name = var.key_name + key_name = local.key_name - instance_type = var.monitoring_instance_type + instance_type = local.monitoring_instance_type - private_ip = var.private_ip + private_ip = local.private_ip # Nginx 및 도메인 설정 - domain_name = var.domain_name - cert_email = var.cert_email - nginx_conf_name = var.nginx_conf_name + domain_name = local.domain_name + cert_email = local.cert_email + nginx_conf_name = local.nginx_conf_name # Grafana(3000), Prometheus(9090), Loki(3100) 포트 개방 - monitoring_ingress_rules = var.monitoring_ingress_rules + monitoring_ingress_rules = local.monitoring_ingress_rules } diff --git a/environment/monitoring/ssm.tf b/environment/monitoring/ssm.tf new file mode 100644 index 0000000..c7f1b8e --- /dev/null +++ b/environment/monitoring/ssm.tf 
@@ -0,0 +1,46 @@ +locals { + parameter_prefix = "/solid-connection/infra/monitoring" +} + +data "aws_ssm_parameter" "ami_id" { + name = "${local.parameter_prefix}/ami-id" +} + +data "aws_ssm_parameter" "monitoring_instance_type" { + name = "${local.parameter_prefix}/monitoring-instance-type" +} + +data "aws_ssm_parameter" "key_name" { + name = "${local.parameter_prefix}/key-name" +} + +data "aws_ssm_parameter" "private_ip" { + name = "${local.parameter_prefix}/private-ip" +} + +data "aws_ssm_parameter" "domain_name" { + name = "${local.parameter_prefix}/domain-name" +} + +data "aws_ssm_parameter" "cert_email" { + name = "${local.parameter_prefix}/cert-email" +} + +data "aws_ssm_parameter" "nginx_conf_name" { + name = "${local.parameter_prefix}/nginx-conf-name" +} + +data "aws_ssm_parameter" "monitoring_ingress_rules" { + name = "${local.parameter_prefix}/monitoring-ingress-rules" +} + +locals { + ami_id = data.aws_ssm_parameter.ami_id.value + monitoring_instance_type = data.aws_ssm_parameter.monitoring_instance_type.value + key_name = data.aws_ssm_parameter.key_name.value + private_ip = data.aws_ssm_parameter.private_ip.value + domain_name = data.aws_ssm_parameter.domain_name.value + cert_email = data.aws_ssm_parameter.cert_email.value + nginx_conf_name = data.aws_ssm_parameter.nginx_conf_name.value + monitoring_ingress_rules = jsondecode(data.aws_ssm_parameter.monitoring_ingress_rules.value) +} diff --git a/environment/monitoring/variables.tf b/environment/monitoring/variables.tf deleted file mode 100644 index b22341c..0000000 --- a/environment/monitoring/variables.tf +++ /dev/null 
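Review bot: `monitoring_ingress_rules = jsondecode(data.aws_ssm_parameter.monitoring_ingress_rules.value)` drops the type contract the deleted variables.tf had (`list(object({ from_port = number, to_port = number, protocol = string, cidr_blocks = list(string), description = string }))`), so a malformed or partially edited parameter is no longer rejected at the environment boundary; these rules become the security group for Grafana, Prometheus and Loki, so a silent shape change here is a security-relevant failure mode. If `modules/monitoring_stack` declares the variable with the same object type (outside this diff), Terraform will still validate at the module call, but the error will point at the module argument rather than at the parameter. Rebuilding the list with explicit conversions keeps the old contract at the point where the parameter is read and documents the expected JSON shape for whoever edits it.
```hcl
locals {
  # Restore the shape the former variable type enforced so a malformed parameter
  # fails here, at the point it is read, rather than inside the security group.
  monitoring_ingress_rules = [
    for r in jsondecode(data.aws_ssm_parameter.monitoring_ingress_rules.value) : {
      from_port   = tonumber(r.from_port)
      to_port     = tonumber(r.to_port)
      protocol    = tostring(r.protocol)
      cidr_blocks = [for c in r.cidr_blocks : tostring(c)]
      description = tostring(r.description)
    }
  ]
  # … unchanged: the other local assignments …
}
```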
@@ -1,45 +0,0 @@ -variable "ami_id" { - description = "AMI ID for the monitoring environment" - type = string -} - -variable "monitoring_instance_type" { - description = "Instance type for monitoring (e.g., t3.medium or larger recommended)" - type = string -} - -variable "key_name" { - description = "SSH Key pair name" - type = string -} - -variable "monitoring_ingress_rules" { - description = "Ingress rules for Grafana(3000), Prometheus(9090), Loki(3100)" - type = list(object({ - from_port = number - to_port = number - protocol = string - cidr_blocks = list(string) - description = string - })) -} - -variable "private_ip" { - description = "Fixed private ip for alloy config" - type = string -} - -variable "domain_name" { - description = "Domain name for Grafana dashboard (e.g., monitor.example.com)" - type = string -} - -variable "cert_email" { - description = "email for Domain Name Certbot" - type = string -} - -variable "nginx_conf_name" { - description = "Nginx conf name for the prod environment" - type = string -} diff --git a/environment/prod/main.tf b/environment/prod/main.tf index 320f5e4..a13ee7f 100644 --- a/environment/prod/main.tf +++ b/environment/prod/main.tf 
@@ -6,53 +6,53 @@ data "aws_vpc" "default" { module "prod_stack" { source = "../../modules/app_stack" - env_name = "prod" - vpc_id = data.aws_vpc.default.id + env_name = "prod" + vpc_id = data.aws_vpc.default.id - ami_id = var.ami_id + ami_id = local.ami_id # IAM Instance Profile (SSM + Parameter Store 접근) - ec2_iam_instance_profile = var.ec2_iam_instance_profile + ec2_iam_instance_profile = local.ec2_iam_instance_profile # 키페어 및 접속 허용 - key_name = var.key_name - + key_name = local.key_name + # 인스턴스 스펙 - instance_type = var.server_instance_type - db_instance_class = var.db_instance_class + instance_type = local.server_instance_type + db_instance_class = local.db_instance_class # 보안 그룹 규칙 - api_ingress_rules = var.api_ingress_rules - db_ingress_rules = var.db_ingress_rules + api_ingress_rules = local.api_ingress_rules + db_ingress_rules = local.db_ingress_rules # RDS 식별자 설정 - rds_identifier = var.rds_identifier - + rds_identifier = local.rds_identifier + # DB 계정 정보 - db_username = var.db_root_username - db_password = var.db_root_password + db_username = local.db_root_username + db_password = local.db_root_password # DB 엔진 및 암호화 설정 - db_engine_version = var.db_engine_version # MySQL 버전 지정 - db_parameter_group_name = var.db_parameter_group_name # MySQL 파라미터 그룹 지정 - kms_key_arn = var.kms_key_arn # KMS ARN 변수 전달 + db_engine_version = local.db_engine_version # MySQL 버전 지정 + db_parameter_group_name = local.db_parameter_group_name # MySQL 파라미터 그룹 지정 + kms_key_arn = local.kms_key_arn # KMS ARN 변수 전달 # 추가 유저마다 다른 권한 부여 - additional_db_users = var.additional_db_users + additional_db_users = local.additional_db_users # Nginx 및 도메인 설정 - domain_name = var.domain_name - cert_email = var.cert_email - nginx_conf_name = var.nginx_conf_name + domain_name = local.domain_name + cert_email = local.cert_email + nginx_conf_name = local.nginx_conf_name # ssh key 경로 전달 - ssh_key_path = var.ssh_key_path + ssh_key_path = local.ssh_key_path # Side Infra 관련 변수 전달 - work_dir = var.work_dir - 
alloy_env_name = var.alloy_env_name + work_dir = local.work_dir + alloy_env_name = local.alloy_env_name - redis_version = var.redis_version - redis_exporter_version = var.redis_exporter_version - alloy_version = var.alloy_version + redis_version = local.redis_version + redis_exporter_version = local.redis_exporter_version + alloy_version = local.alloy_version } diff --git a/environment/prod/provider.tf b/environment/prod/provider.tf index 52f4aec..a834737 100644 --- a/environment/prod/provider.tf +++ b/environment/prod/provider.tf @@ -34,6 +34,6 @@ provider "aws" { # MySQL Provider 설정 (SSH 터널링을 통해 로컬호스트로 접속) provider "mysql" { endpoint = "127.0.0.1:3306" - username = var.db_root_username - password = var.db_root_password + username = local.db_root_username + password = local.db_root_password } diff --git a/environment/prod/ssm.tf b/environment/prod/ssm.tf new file mode 100644 index 0000000..c0cf7bc --- /dev/null +++ b/environment/prod/ssm.tf 
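Review bot: The comment on `ec2_iam_instance_profile` says the profile grants the instance Parameter Store access, and this commit puts the prod DB root password and the `additional-db-users` credentials into Parameter Store under `/solid-connection/infra/prod/`; if that profile's policy allows `ssm:GetParameter*` on a broad path such as `/solid-connection/*` (the policy is not in this diff), the application host can now read Terraform-only secrets it never had before. Keep the infra tree separate from whatever prefix the application reads and make the separation explicit next to the argument, e.g. `# Instance profile must NOT be granted read on /solid-connection/infra/** — that tree holds Terraform-only secrets (DB root password, additional DB users).` The `module "prod_stack"` block starts before this hunk.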
@@ -0,0 +1,124 @@ +locals { + prod_parameter_prefix = "/solid-connection/infra/prod" + app_stack_parameter_prefix = "/solid-connection/infra/common/app-stack" +} + +data "aws_ssm_parameter" "ami_id" { + name = "${local.prod_parameter_prefix}/ami-id" +} + +data "aws_ssm_parameter" "server_instance_type" { + name = "${local.prod_parameter_prefix}/server-instance-type" +} + +data "aws_ssm_parameter" "db_instance_class" { + name = "${local.prod_parameter_prefix}/db-instance-class" +} + +data "aws_ssm_parameter" "rds_identifier" { + name = "${local.prod_parameter_prefix}/rds-identifier" +} + +data "aws_ssm_parameter" "db_engine_version" { + name = "${local.prod_parameter_prefix}/db-engine-version" +} + +data "aws_ssm_parameter" "db_parameter_group_name" { + name = "${local.prod_parameter_prefix}/db-parameter-group-name" +} + +data "aws_ssm_parameter" "db_root_username" { + name = "${local.prod_parameter_prefix}/db-root-username" +} + +data "aws_ssm_parameter" "db_root_password" { + name = "${local.prod_parameter_prefix}/db-root-password" + with_decryption = true +} + +data "aws_ssm_parameter" "additional_db_users" { + name = "${local.prod_parameter_prefix}/additional-db-users" + with_decryption = true +} + +data "aws_ssm_parameter" "key_name" { + name = "${local.prod_parameter_prefix}/key-name" +} + +data "aws_ssm_parameter" "kms_key_arn" { + name = "${local.prod_parameter_prefix}/kms-key-arn" +} + +data "aws_ssm_parameter" "domain_name" { + name = "${local.prod_parameter_prefix}/domain-name" +} + +data "aws_ssm_parameter" "cert_email" { + name = "${local.prod_parameter_prefix}/cert-email" +} + +data "aws_ssm_parameter" "nginx_conf_name" { + name = "${local.prod_parameter_prefix}/nginx-conf-name" +} + +data "aws_ssm_parameter" "ssh_key_path" { + name = "${local.prod_parameter_prefix}/ssh-key-path" +} + +data "aws_ssm_parameter" "work_dir" { + name = "${local.prod_parameter_prefix}/work-dir" +} + +data "aws_ssm_parameter" "alloy_env_name" { + name = 
"${local.prod_parameter_prefix}/alloy-env-name" +} + +data "aws_ssm_parameter" "api_ingress_rules" { + name = "${local.app_stack_parameter_prefix}/api-ingress-rules" +} + +data "aws_ssm_parameter" "ec2_iam_instance_profile" { + name = "${local.app_stack_parameter_prefix}/ec2-iam-instance-profile" +} + +data "aws_ssm_parameter" "db_ingress_rules" { + name = "${local.app_stack_parameter_prefix}/db-ingress-rules" +} + +data "aws_ssm_parameter" "redis_version" { + name = "${local.app_stack_parameter_prefix}/redis-version" +} + +data "aws_ssm_parameter" "redis_exporter_version" { + name = "${local.app_stack_parameter_prefix}/redis-exporter-version" +} + +data "aws_ssm_parameter" "alloy_version" { + name = "${local.app_stack_parameter_prefix}/alloy-version" +} + +locals { + ami_id = data.aws_ssm_parameter.ami_id.value + server_instance_type = data.aws_ssm_parameter.server_instance_type.value + db_instance_class = data.aws_ssm_parameter.db_instance_class.value + rds_identifier = data.aws_ssm_parameter.rds_identifier.value + db_engine_version = data.aws_ssm_parameter.db_engine_version.value + db_parameter_group_name = data.aws_ssm_parameter.db_parameter_group_name.value + db_root_username = data.aws_ssm_parameter.db_root_username.value + db_root_password = sensitive(data.aws_ssm_parameter.db_root_password.value) + additional_db_users = nonsensitive(jsondecode(data.aws_ssm_parameter.additional_db_users.value)) + key_name = data.aws_ssm_parameter.key_name.value + kms_key_arn = data.aws_ssm_parameter.kms_key_arn.value + domain_name = data.aws_ssm_parameter.domain_name.value + cert_email = data.aws_ssm_parameter.cert_email.value + nginx_conf_name = data.aws_ssm_parameter.nginx_conf_name.value + ssh_key_path = data.aws_ssm_parameter.ssh_key_path.value + work_dir = data.aws_ssm_parameter.work_dir.value + alloy_env_name = data.aws_ssm_parameter.alloy_env_name.value + api_ingress_rules = jsondecode(data.aws_ssm_parameter.api_ingress_rules.value) + ec2_iam_instance_profile = 
data.aws_ssm_parameter.ec2_iam_instance_profile.value + db_ingress_rules = jsondecode(data.aws_ssm_parameter.db_ingress_rules.value) + redis_version = data.aws_ssm_parameter.redis_version.value + redis_exporter_version = data.aws_ssm_parameter.redis_exporter_version.value + alloy_version = data.aws_ssm_parameter.alloy_version.value +} diff --git a/environment/prod/variables.tf b/environment/prod/variables.tf deleted file mode 100644 index 0a74365..0000000 --- a/environment/prod/variables.tf +++ /dev/null 
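Review bot: `additional_db_users = nonsensitive(jsondecode(data.aws_ssm_parameter.additional_db_users.value))` strips the sensitive mark from a value that is fetched `with_decryption = true` and, per the variable type this commit deletes, carries a `password` for every user, so those passwords are printed in clear in `terraform plan` and `apply` output (which the plan workflow tees into `plan_output.txt` and uploads as an artifact) and in any state diff. `nonsensitive()` was presumably added because the module iterates the map with `for_each`, which rejects a sensitive collection; that module code is outside this diff. Unwrap only what has to be visible (the user names used as keys, and the database/privileges if you accept them as non-secret) and keep each password sensitive, which leaves the top-level map unmarked for `for_each` while keeping the secrets redacted — verify against the module's variable declaration.
```hcl
locals {
  additional_db_users_raw = jsondecode(data.aws_ssm_parameter.additional_db_users.value)
  # Only the user names (needed as for_each keys) and the non-secret fields are
  # unwrapped; each password stays sensitive so it never reaches plan output,
  # uploaded artifacts or state diffs.
  additional_db_users = {
    for name in nonsensitive(keys(local.additional_db_users_raw)) :
    name => {
      database   = nonsensitive(local.additional_db_users_raw[name].database)
      privileges = nonsensitive(local.additional_db_users_raw[name].privileges)
      password   = sensitive(local.additional_db_users_raw[name].password)
    }
  }
  # … unchanged: the other local assignments …
}
```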
@@ -1,130 +0,0 @@ -variable "ec2_iam_instance_profile" { - description = "EC2에 연결할 IAM Instance Profile 이름" - type = string -} - -variable "ami_id" { - description = "AMI ID for the prod environment" - type = string -} - -variable "server_instance_type" { - description = "Server instance type for the prod environment" - type = string -} - -variable "db_instance_class" { - description = "DB instance class for the prod environment" - type = string -} - -variable "api_ingress_rules" { - description = "List of ingress rules for API Server" - type = list(object({ - from_port = number - to_port = number - protocol = string - cidr_blocks = list(string) - description = string - })) -} - -variable "db_ingress_rules" { - description = "List of ingress rules for DB Server" - type = list(object({ - from_port = number - to_port = number - protocol = string - description = string - })) -} - -variable "rds_identifier" { - description = "RDS identifier for the prod environment" - type = string -} - -variable "db_engine_version" { - description = "MySQL engine version for the prod environment" - type = string -} - -variable "db_parameter_group_name" { - description = "MySQL parameter group name for the prod environment" - type = string -} - -variable "db_root_username" { - description = "DB Username for prod" - type = string -} - -variable "db_root_password" { - description = "DB Password for prod" - type = string - sensitive = true -} - -variable "additional_db_users" { - description = "추가 DB 유저 및 권한 목록" - type = map(object({ - password = string - database = string - privileges = list(string) - })) -} - -variable "key_name" { - description = "Key pair name" - type = string -} - -variable "kms_key_arn" { - description = "Existing KMS Key ARN for prod DB Encryption" - type = string -} - -variable "domain_name" { - description = "Domain name for the prod environment" - type = string -} - -variable "cert_email" { - description = "email for Domain Name Certbot" - type = string -} - 
-variable "nginx_conf_name" { - description = "Nginx conf name for the prod environment" - type = string -} - -variable "ssh_key_path" { - description = "Path to the SSH private key file for remote-exec" - type = string -} - -variable "work_dir" { - description = "Working directory for the application" - type = string -} - -variable "alloy_env_name" { - description = "Alloy Env Name" - type = string -} - -variable "redis_version" { - description = "Docker image tag for Redis" - type = string -} - -variable "redis_exporter_version" { - description = "Docker image tag for Redis Exporter" - type = string -} - -variable "alloy_version" { - description = "Docker image tag for Grafana Alloy" - type = string -} diff --git a/environment/stage/main.tf b/environment/stage/main.tf index 3f3e129..4c13492 100644 --- a/environment/stage/main.tf +++ b/environment/stage/main.tf 
@@ -6,39 +6,39 @@ data "aws_vpc" "default" { module "stage_stack" { source = "../../modules/app_stack" - env_name = "stage" - vpc_id = data.aws_vpc.default.id + env_name = "stage" + vpc_id = data.aws_vpc.default.id - ami_id = var.ami_id + ami_id = local.ami_id # IAM Instance Profile (SSM + Parameter Store 접근) - ec2_iam_instance_profile = var.ec2_iam_instance_profile + ec2_iam_instance_profile = local.ec2_iam_instance_profile # 키페어 및 접속 허용 - key_name = var.key_name + key_name = local.key_name # 인스턴스 스펙 - instance_type = var.server_instance_type + instance_type = local.server_instance_type # RDS 미사용 (Docker container로 대체) - enable_rds = false + enable_rds = false # 보안 그룹 규칙 - api_ingress_rules = var.api_ingress_rules + api_ingress_rules = local.api_ingress_rules # Nginx 및 도메인 설정 - domain_name = var.domain_name - cert_email = var.cert_email - nginx_conf_name = var.nginx_conf_name + domain_name = local.domain_name + cert_email = local.cert_email + nginx_conf_name = local.nginx_conf_name # ssh key 경로 전달 - ssh_key_path = var.ssh_key_path + ssh_key_path = local.ssh_key_path # Side Infra 관련 변수 전달 - work_dir = var.work_dir - alloy_env_name = var.alloy_env_name + work_dir = local.work_dir + alloy_env_name = local.alloy_env_name - redis_version = var.redis_version - redis_exporter_version = var.redis_exporter_version - alloy_version = var.alloy_version + redis_version = local.redis_version + redis_exporter_version = local.redis_exporter_version + alloy_version = local.alloy_version } diff --git a/environment/stage/ssm.tf b/environment/stage/ssm.tf new file mode 100644 index 0000000..fd0e3a0 --- /dev/null +++ b/environment/stage/ssm.tf 
@@ -0,0 +1,77 @@ +locals { + stage_parameter_prefix = "/solid-connection/infra/stage" + app_stack_parameter_prefix = "/solid-connection/infra/common/app-stack" +} + +data "aws_ssm_parameter" "ami_id" { + name = "${local.stage_parameter_prefix}/ami-id" +} + +data "aws_ssm_parameter" "server_instance_type" { + name = "${local.stage_parameter_prefix}/server-instance-type" +} + +data "aws_ssm_parameter" "key_name" { + name = "${local.stage_parameter_prefix}/key-name" +} + +data "aws_ssm_parameter" "domain_name" { + name = "${local.stage_parameter_prefix}/domain-name" +} + +data "aws_ssm_parameter" "cert_email" { + name = "${local.stage_parameter_prefix}/cert-email" +} + +data "aws_ssm_parameter" "nginx_conf_name" { + name = "${local.stage_parameter_prefix}/nginx-conf-name" +} + +data "aws_ssm_parameter" "ssh_key_path" { + name = "${local.stage_parameter_prefix}/ssh-key-path" +} + +data "aws_ssm_parameter" "work_dir" { + name = "${local.stage_parameter_prefix}/work-dir" +} + +data "aws_ssm_parameter" "alloy_env_name" { + name = "${local.stage_parameter_prefix}/alloy-env-name" +} + +data "aws_ssm_parameter" "api_ingress_rules" { + name = "${local.app_stack_parameter_prefix}/api-ingress-rules" +} + +data "aws_ssm_parameter" "ec2_iam_instance_profile" { + name = "${local.app_stack_parameter_prefix}/ec2-iam-instance-profile" +} + +data "aws_ssm_parameter" "redis_version" { + name = "${local.app_stack_parameter_prefix}/redis-version" +} + +data "aws_ssm_parameter" "redis_exporter_version" { + name = "${local.app_stack_parameter_prefix}/redis-exporter-version" +} + +data "aws_ssm_parameter" "alloy_version" { + name = "${local.app_stack_parameter_prefix}/alloy-version" +} + +locals { + ami_id = data.aws_ssm_parameter.ami_id.value + server_instance_type = data.aws_ssm_parameter.server_instance_type.value + key_name = data.aws_ssm_parameter.key_name.value + domain_name = data.aws_ssm_parameter.domain_name.value + cert_email = data.aws_ssm_parameter.cert_email.value + 
nginx_conf_name = data.aws_ssm_parameter.nginx_conf_name.value + ssh_key_path = data.aws_ssm_parameter.ssh_key_path.value + work_dir = data.aws_ssm_parameter.work_dir.value + alloy_env_name = data.aws_ssm_parameter.alloy_env_name.value + api_ingress_rules = jsondecode(data.aws_ssm_parameter.api_ingress_rules.value) + ec2_iam_instance_profile = data.aws_ssm_parameter.ec2_iam_instance_profile.value + redis_version = data.aws_ssm_parameter.redis_version.value + redis_exporter_version = data.aws_ssm_parameter.redis_exporter_version.value + alloy_version = data.aws_ssm_parameter.alloy_version.value +} diff --git a/environment/stage/variables.tf b/environment/stage/variables.tf deleted file mode 100644 index e432b29..0000000 --- a/environment/stage/variables.tf +++ /dev/null 
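Review bot: `api_ingress_rules` and `ec2_iam_instance_profile` are read from `/solid-connection/infra/common/app-stack/*`, the same parameters `environment/prod/ssm.tf` reads, so a single `ssm:PutParameter` on that shared prefix changes the prod API security group and the prod instance role at the next apply, and anyone who is trusted to operate stage parameters but not prod must not have write access to `common/`. Nothing in the file records this coupling, so a header comment on `app_stack_parameter_prefix` is worth adding: `# Shared with prod: writes here change prod's API security group and EC2 instance role on the next apply; restrict writes to the prod deploy role.` As in the other environments, `jsondecode(...api_ingress_rules.value)` no longer enforces the `list(object({...}))` shape the deleted variable declared; if the module does not re-declare that type (outside this diff), convert the fields explicitly here so a malformed rule fails at the parameter rather than in the security group.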
@@ -1,75 +0,0 @@ -variable "ec2_iam_instance_profile" { - description = "EC2에 연결할 IAM Instance Profile 이름" - type = string -} - -variable "ami_id" { - description = "AMI ID for the stage environment" - type = string -} - -variable "server_instance_type" { - description = "Server instance type for the stage environment" - type = string -} - -variable "api_ingress_rules" { - description = "List of ingress rules for API Server" - type = list(object({ - from_port = number - to_port = number - protocol = string - cidr_blocks = list(string) - description = string - })) -} - -variable "key_name" { - description = "Key pair name" - type = string -} - -variable "domain_name" { - description = "Domain name for the stage environment" - type = string -} - -variable "cert_email" { - description = "email for Domain Name Certbot" - type = string -} - -variable "nginx_conf_name" { - description = "Nginx conf name for the stage environment" - type = string -} - -variable "ssh_key_path" { - description = "Path to the SSH private key file for remote-exec" - type = string -} - -variable "work_dir" { - description = "Working directory for the application" - type = string -} - -variable "alloy_env_name" { - description = "Alloy Env Name" - type = string -} - -variable "redis_version" { - description = "Docker image tag for Redis" - type = string -} - -variable "redis_exporter_version" { - description = "Docker image tag for Redis Exporter" - type = string -} - -variable "alloy_version" { - description = "Docker image tag for Grafana Alloy" - type = string -}