Feat/#10: Application Deploy

.github/workflows/cd.yml

@@ -32,6 +32,11 @@ jobs:
               - 'dev-team-account/**'
             stage:
               - 'stage-team-account/**'
+            security:
+              - 'security-team-account/**'
+            management:
+              - 'management-team-account/**'
+
 
 
       - name: Build Matrix from Filter (with subdirs)
@@ -51,18 +56,66 @@ jobs:
             ["prod"]="ROLE_ARN_PROD"
             ["dev"]="ROLE_ARN_DEV"
             ["stage"]="ROLE_ARN_STAGE"
+            ["security"]="ROLE_ARN_SECURITY"
+            ["management"]="ROLE_ARN_MANAGEMENT"
 
           )
 
-          MATRIX_ITEMS=()
+          declare -A DEPENDENCY_MAP=(
+            ["prod-team-account/vpc"]=""
+            ["prod-team-account/iam"]=""
+            ["prod-team-account/acm"]=""
+            ["operation-team-account/ecr"]="prod-team-account/deploy/iam"
+            ["prod-team-account/alb"]="prod-team-account/deploy/vpc prod-team-account/deploy/acm"
+            ["prod-team-account/ecs"]="prod-team-account/deploy/vpc prod-team-account/deploy/iam prod-team-account/deploy/alb operation-team-account/deploy/ecr"
+            ["prod-team-account/codedeploy"]="prod-team-account/deploy/ecs"
+          )
 
-          # 변경된 경로에 따라 matrix 구성
-          for KEY in "${!ROLE_MAP[@]}"; do
-            VAR_NAME="FILTER_OUTPUTS_${KEY}"
-            VALUE="${!VAR_NAME}"
 
-            if [ "$VALUE" = "true" ]; then
-              BASE_DIR="${KEY}-team-account"
+          # Push 이벤트에 포함된 변경된 파일 목록을 호출
+          echo "Comparing changes between ${{ github.event.before }} and ${{ github.event.after }}"
+          CHANGED_FILES=$(git diff --name-only ${{ github.event.before }} ${{ github.event.after }})
+
+          # 변경된 파일이 속한 서비스 폴더(backend.tf가 있는 폴더) 목록 검색
+          CHANGED_DIRS=()
+          for file in $CHANGED_FILES; do
+            dir=$(dirname "$file")
+            while [ "$dir" != "." ]; do
+              if [ -f "$dir/backend.tf" ]; then
+                CHANGED_DIRS+=("$dir"); break;
+              fi;
+              dir=$(dirname "$dir");
+            done
+          done
+          CHANGED_DIRS=($(echo "${CHANGED_DIRS[@]}" | tr ' ' '\n' | sort -u))
+
+          if [ ${#CHANGED_DIRS[@]} -eq 0 ]; then
+            echo "No terraform project directories with changes found."; echo "matrix=[]" >> $GITHUB_OUTPUT; exit 0;
+          fi
+          echo "Changed project directories: ${CHANGED_DIRS[@]}"
+
+          # 변경된 폴더와 정의된 의존성을 기반으로 배포 순서를 결정
+          TSORT_INPUT=""
+          ALL_DIRS_TO_CONSIDER="${CHANGED_DIRS[@]}"
+          for DIR in "${CHANGED_DIRS[@]}"; do
+            dependencies=${DEPENDENCY_MAP[$DIR]}
+            for DEP in $dependencies; do
+              TSORT_INPUT+="$DEP $DIR\n"; ALL_DIRS_TO_CONSIDER+=" $DEP";
+            done
+          done
+          ALL_DIRS_TO_CONSIDER=($(echo "$ALL_DIRS_TO_CONSIDER" | tr ' ' '\n' | sort -u))
+
+          ORDERED_DIRS=$(echo -e "$TSORT_INPUT" | tsort 2>/dev/null || echo "$ALL_DIRS_TO_CONSIDER")
+          echo "Calculated execution order: $ORDERED_DIRS"
+
+          # 실행할 최종 매트릭스를 JSON 형식으로 생성
+          MATRIX_ITEMS=()
+
+          for DIR in $ORDERED_DIRS; do
+            if [[ " ${CHANGED_DIRS[@]} " =~ " ${DIR} " ]]; then
+              ACCOUNT_PREFIX=$(echo $DIR | cut -d- -f1)
+              ROLE_KEY="${ROLE_MAP[$ACCOUNT_PREFIX]}"
+              MATRIX_ITEMS+=("{\"dir\":\"$DIR\",\"role_key\":\"$ROLE_KEY\"}")
 
               # 루트 디렉터리 검사
               TF_COUNT_ROOT=$(find "$BASE_DIR" -maxdepth 1 -name '*.tf' | wc -l)
@@ -79,15 +132,15 @@ jobs:
                   fi
                 fi
               done
+
             fi
           done
 
           # 최종 matrix JSON 출력
           if [ ${#MATRIX_ITEMS[@]} -eq 0 ]; then
             echo "matrix=[]" >> $GITHUB_OUTPUT
           else
-            JSON="[$(IFS=,; echo "${MATRIX_ITEMS[*]}")]"
-            echo "matrix=$JSON" >> $GITHUB_OUTPUT
+            JSON="[$(IFS=,; echo "${MATRIX_ITEMS[*]}")]"; echo "matrix=$JSON" >> $GITHUB_OUTPUT;
           fi
 
   terraform-apply:
@@ -96,9 +149,10 @@ jobs:
     runs-on: ubuntu-latest
 
     strategy:
-      matrix: # matrix 기반 반복 실행
+      fail-fast: true
+      max-parallel: 1
+      matrix:
         include: ${{ fromJson(needs.detect-changes.outputs.matrix) }}
-      fail-fast: false # 하나 실패해도 나머지 job은 계속 진행
 
     steps:
       - name: Checkout repository

.github/workflows/ci.yml

@@ -1,4 +1,5 @@
-name: Application-Deployment CI
+name: Application-DeploymentCI
+
 
 on:
   pull_request:
@@ -66,6 +67,7 @@ jobs:
                   echo "$DIR|$ROLE_KEY" >> $TMP_FILE
                 fi
               fi
+
             fi
           done
 

.gitignore

@@ -16,4 +16,4 @@
 *.tfstate.backup.*
 *.tfstate.backup.json
 *.tfstate.backup.json.*
-.terraform.lock.hcl
+.terraform.lock.hcl

operation-team-account/deploy/ecr/backend.tf

@@ -0,0 +1,9 @@
+terraform {
+  backend "s3" {
+    bucket         = "cloudfence-operation-state"
+    key            = "deploy/ecr.tfstate"
+    region         = "ap-northeast-2"
+    dynamodb_table = "s3-operation-lock"
+    encrypt        = true
+  }
+}

operation-team-account/deploy/ecr/main.tf

@@ -0,0 +1,62 @@
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5.0"
+    }
+  }
+
+}
+
+provider "aws" {
+  region = "ap-northeast-2"
+}
+
+data "terraform_remote_state" "iam" {
+  backend = "s3"
+  config = {
+    bucket = "cloudfence-prod-state"
+    key    = "deploy/iam.tfstate"
+    region = "ap-northeast-2"
+  }
+}
+
+# operation-team-account의 ECR 리포지토리 생성 및 정책 설정
+data "aws_iam_policy_document" "ecr_repo_policy_document" {
+  statement {
+    sid    = "AllowCrossAccountPush"
+    effect = "Allow"
+    principals {
+      type = "AWS"
+      # prod 계정의 역할 ARN은 변수로 전달
+      identifiers = [data.terraform_remote_state.iam.outputs.github_actions_role_arn]
+    }
+    actions = [
+      "ecr:GetDownloadUrlForLayer",
+      "ecr:BatchGetImage",
+      "ecr:BatchCheckLayerAvailability",
+      "ecr:PutImage",
+      "ecr:InitiateLayerUpload",
+      "ecr:UploadLayerPart",
+      "ecr:CompleteLayerUpload",
+      "ecr:GetAuthorizationToken"
+    ]
+  }
+}
+
+
+# ECR 리포지토리 생성
+resource "aws_ecr_repository" "app_ecr_repo" {
+  name                 = var.project_name
+  image_tag_mutability = "IMMUTABLE"
+
+  image_scanning_configuration {
+    scan_on_push = true
+  }
+}
+
+# 정책을 리포지토리에 연결
+resource "aws_ecr_repository_policy" "app_ecr_repo_policy" {
+  repository = aws_ecr_repository.app_ecr_repo.name
+  policy     = data.aws_iam_policy_document.ecr_repo_policy_document.json
+}

operation-team-account/deploy/ecr/outputs.tf

@@ -0,0 +1,4 @@
+output "repository_url" {
+  description = "The URL of the ECR repository"
+  value       = aws_ecr_repository.app_ecr_repo.repository_url
+}

operation-team-account/deploy/ecr/variables.tf

@@ -0,0 +1,5 @@
+variable "project_name" {
+  description = "The name of the project"
+  type        = string
+  default     = "cloudfence"
+}

prod-team-account/deploy/acm/backend.tf

@@ -0,0 +1,9 @@
+terraform {
+  backend "s3" {
+    bucket         = "cloudfence-prod-state"
+    key            = "deploy/acm.tfstate"
+    region         = "ap-northeast-2"
+    dynamodb_table = "s3-prod-lock"
+    encrypt        = true
+  }
+}

prod-team-account/deploy/acm/main.tf

@@ -0,0 +1,44 @@
+terraform {
+  required_providers {
+    aws = { source = "hashicorp/aws", version = "~> 5.0" }
+  }
+}
+
+provider "aws" {
+  region = "ap-northeast-2"
+}
+
+# ACM 인증서 요청
+resource "aws_acm_certificate" "cert" {
+  domain_name               = var.domain_name
+  subject_alternative_names = ["*.${var.domain_name}"]
+  validation_method         = "DNS"
+
+  lifecycle {
+    create_before_destroy = true
+  }
+}
+
+# DNS 검증을 위한 Route 53 레코드 생성
+resource "aws_route53_record" "cert_validation" {
+  for_each = {
+    for dvo in aws_acm_certificate.cert.domain_validation_options : dvo.domain_name => {
+      name   = dvo.resource_record_name
+      record = dvo.resource_record_value
+      type   = dvo.resource_record_type
+    }
+  }
+
+  allow_overwrite = true
+  name            = each.value.name
+  records         = [each.value.record]
+  ttl             = 60
+  type            = each.value.type
+  zone_id         = var.zone_id
+}
+
+# DNS 검증이 완료될 때까지 대기하고 인증서 발급 완료
+resource "aws_acm_certificate_validation" "cert" {
+  certificate_arn         = aws_acm_certificate.cert.arn
+  validation_record_fqdns = [for record in aws_route53_record.cert_validation : record.fqdn]
+}

prod-team-account/deploy/acm/outputs.tf

@@ -0,0 +1,4 @@
+output "certificate_arn" {
+  description = "The ARN of the validated ACM certificate"
+  value       = aws_acm_certificate_validation.cert.certificate_arn
+}

prod-team-account/deploy/acm/variables.tf

@@ -0,0 +1,11 @@
+variable "domain_name" {
+  description = "The domain name for the SSL certificate"
+  type        = string
+  default     = "cloudfence.cloud"
+}
+
+variable "zone_id" {
+  description = "The Route 53 Hosted Zone ID for the domain"
+  type        = string
+  default     = "Z0324594CRM7IYDEWX83"
+}

prod-team-account/deploy/alb/backend.tf

@@ -0,0 +1,9 @@
+terraform {
+  backend "s3" {
+    bucket         = "cloudfence-prod-state"
+    key            = "deploy/alb.tfstate"
+    region         = "ap-northeast-2"
+    dynamodb_table = "s3-prod-lock"
+    encrypt        = true
+  }
+}