From a3372944f927f9f831136c98fbfc38f1812af748 Mon Sep 17 00:00:00 2001 From: Choi Yunho Date: Mon, 7 Jul 2025 11:19:31 +0900 Subject: [PATCH 1/7] =?UTF-8?q?vpc=20=EC=84=A4=EC=A0=95?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .github/workflows/cd.yml | 3 ++- prod-team-account/alb/main.tf | 3 ++- prod-team-account/vpc/main.tf | 8 ++++++-- 3 files changed, 10 insertions(+), 4 deletions(-) diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml index 9ede438..cd947c2 100644 --- a/.github/workflows/cd.yml +++ b/.github/workflows/cd.yml @@ -61,8 +61,9 @@ jobs: declare -A DEPENDENCY_MAP=( ["prod-team-account/vpc"]="" ["prod-team-account/iam"]="" + ["prod-team-account/acm"]="" ["operation-team-account/ecr"]="prod-team-account/iam" - ["prod-team-account/alb"]="prod-team-account/vpc" + ["prod-team-account/alb"]="prod-team-account/vpc prod-team-account/acm" ["prod-team-account/ecs"]="prod-team-account/vpc prod-team-account/iam prod-team-account/alb operation-team-account/ecr" ["prod-team-account/codedeploy"]="prod-team-account/ecs" ) diff --git a/prod-team-account/alb/main.tf b/prod-team-account/alb/main.tf index b8b4ace..a4ada77 100644 --- a/prod-team-account/alb/main.tf +++ b/prod-team-account/alb/main.tf @@ -71,6 +71,7 @@ resource "aws_wafv2_web_acl" "alb_waf" { } # ALB +#tfsec:ignore:aws-alb-not-public resource "aws_lb" "alb" { name = "${var.project_name}-alb" internal = false @@ -133,7 +134,7 @@ resource "aws_lb_listener" "https" { load_balancer_arn = aws_lb.alb.arn port = 443 protocol = "HTTPS" - ssl_policy = "ELBSecurityPolicy-2016-08" + ssl_policy = "ELBSecurityPolicy-TLS13-1-2-2021-06" certificate_arn = data.terraform_remote_state.acm.outputs.certificate_arn default_action { type = "forward" diff --git a/prod-team-account/vpc/main.tf b/prod-team-account/vpc/main.tf index 1f5e919..d2d1cd9 100644 --- a/prod-team-account/vpc/main.tf +++ b/prod-team-account/vpc/main.tf 
@@ -23,6 +23,7 @@ resource "aws_vpc" "vpc" { } # subnet(public) +#tfsec:ignore:aws-ec2-subnet-public-ip resource "aws_subnet" "public1" { vpc_id = aws_vpc.vpc.id cidr_block = "10.0.1.0/24" @@ -33,6 +34,7 @@ resource "aws_subnet" "public1" { } } +#tfsec:ignore:aws-ec2-subnet-public-ip resource "aws_subnet" "public2" { vpc_id = aws_vpc.vpc.id cidr_block = "10.0.2.0/24" @@ -135,14 +137,15 @@ resource "aws_route_table_association" "private2" { } # security_group +#tfsec:ignore:aws-ec2-security-group-public-ip-ingress resource "aws_security_group" "alb_sg" { name = "${var.project_name}-alb-sg" description = "Security group for ALB" vpc_id = aws_vpc.vpc.id ingress { - from_port = 80 - to_port = 80 + from_port = 443 + to_port = 443 protocol = "tcp" cidr_blocks = ["0.0.0.0/0"] description = "Allow HTTP" @@ -158,6 +161,7 @@ resource "aws_security_group" "alb_sg" { } # ECS +#tfsec:ignore:aws-ec2-security-group-public-ip-ingress resource "aws_security_group" "ecs_sg" { name = "${var.project_name}-ecs-sg" description = "Security group for ECS tasks" From 9a2195e7ece7e562f30c89c1bd6156be95bb451d Mon Sep 17 00:00:00 2001 From: Choi Yunho Date: Mon, 7 Jul 2025 11:26:05 +0900 Subject: [PATCH 2/7] =?UTF-8?q?=EC=98=A4=ED=83=80=20=EC=88=98=EC=A0=95?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- prod-team-account/alb/outputs.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/prod-team-account/alb/outputs.tf b/prod-team-account/alb/outputs.tf index 6f12284..db59ab3 100644 --- a/prod-team-account/alb/outputs.tf +++ b/prod-team-account/alb/outputs.tf @@ -5,7 +5,7 @@ output "dns_name" { output "listener_arn" { description = "The ARN of the ALB listener" - value = aws_lb_listener.http.arn + value = aws_lb_listener.https.arn } output "blue_target_group_name" { 
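Review bot: Narrowing the alb_sg ingress from 80 to 443 in the `@@ -135,14 +137,15` hunk leaves the ALB's port-80 HTTP listener (aws_lb_listener.http_redirect, port 80 / protocol HTTP, visible as context in later patches of this series) unreachable, so an http:// request now times out instead of being redirected to HTTPS. If the redirect is wanted, keep a second ingress block with `from_port = 80`, `to_port = 80` and its own description; if it is not, remove the redirect listener so the configuration does not claim a behaviour the security group blocks. The 443-only ingress is still the state in the patch 7 hunk that adds the alb_sg egress, so the point applies to the final configuration as well. The ecs_sg resource at the end of the last hunk continues outside it.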
@@ -21,4 +21,4 @@ output "green_target_group_name" { output "blue_target_group_arn" { description = "The ARN of the blue target group" value = aws_lb_target_group.blue.arn -} \ No newline at end of file +} From 276fb2f26bb771b37cb559c9b998a5cc0002c32f Mon Sep 17 00:00:00 2001 From: Choi Yunho Date: Mon, 7 Jul 2025 11:28:37 +0900 Subject: [PATCH 3/7] =?UTF-8?q?acm=20backend=20=EC=88=98=EC=A0=95?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- prod-team-account/acm/backend.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/prod-team-account/acm/backend.tf b/prod-team-account/acm/backend.tf index d8f9527..ea45e0d 100644 --- a/prod-team-account/acm/backend.tf +++ b/prod-team-account/acm/backend.tf @@ -4,5 +4,6 @@ terraform { key = "prod-team-account/acm/terraform.tfstate" region = "ap-northeast-2" dynamodb_table = "s3-prod-lock" + encrypt = true } } \ No newline at end of file From 90ca48c238ee9995e542f812021d48ef2b73f708 Mon Sep 17 00:00:00 2001 From: Choi Yunho Date: Tue, 8 Jul 2025 23:04:24 +0900 Subject: [PATCH 4/7] =?UTF-8?q?tfsec=20scan=20=EB=AC=B8=EC=A0=9C=20?= =?UTF-8?q?=ED=95=B4=EA=B2=B0?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- prod-team-account/acm/backend.tf | 2 +- prod-team-account/acm/main.tf | 10 +++++----- prod-team-account/alb/main.tf | 32 ++++++++++++++++---------------- prod-team-account/vpc/main.tf | 13 ++++++++----- 4 files changed, 30 insertions(+), 27 deletions(-) diff --git a/prod-team-account/acm/backend.tf b/prod-team-account/acm/backend.tf index ea45e0d..7e1e3a0 100644 --- a/prod-team-account/acm/backend.tf +++ b/prod-team-account/acm/backend.tf @@ -1,7 +1,7 @@ terraform { backend "s3" { bucket = "cloudfence-prod-state" - key = "prod-team-account/acm/terraform.tfstate" + key = "prod-team-account/acm/terraform.tfstate" region = "ap-northeast-2" dynamodb_table = "s3-prod-lock" encrypt = true 
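Review bot: `encrypt = true` in the acm backend turns on server-side encryption for the state object with the S3-managed key only; this state carries the certificate ARN and other outputs that the alb stack reads through terraform_remote_state, so if the baseline for the state bucket expects a customer-managed key, add `kms_key_id = "<ARN of the state KMS key>"` beside it. The alb and vpc backends are not in this patch, so it is worth checking they carry the same setting. Whether the bucket policy itself denies unencrypted puts cannot be seen from here.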
diff --git a/prod-team-account/acm/main.tf b/prod-team-account/acm/main.tf index f3f22fb..bd352b1 100644 --- a/prod-team-account/acm/main.tf +++ b/prod-team-account/acm/main.tf @@ -10,9 +10,9 @@ provider "aws" { # ACM 인증서 요청 resource "aws_acm_certificate" "cert" { - domain_name = var.domain_name + domain_name = var.domain_name subject_alternative_names = ["*.${var.domain_name}"] - validation_method = "DNS" + validation_method = "DNS" lifecycle { create_before_destroy = true @@ -23,9 +23,9 @@ resource "aws_acm_certificate" "cert" { resource "aws_route53_record" "cert_validation" { for_each = { for dvo in aws_acm_certificate.cert.domain_validation_options : dvo.domain_name => { - name = dvo.resource_record_name - record = dvo.resource_record_value - type = dvo.resource_record_type + name = dvo.resource_record_name + record = dvo.resource_record_value + type = dvo.resource_record_type } } diff --git a/prod-team-account/alb/main.tf b/prod-team-account/alb/main.tf index a4ada77..175df3d 100644 --- a/prod-team-account/alb/main.tf +++ b/prod-team-account/alb/main.tf @@ -15,9 +15,9 @@ provider "aws" { data "terraform_remote_state" "acm" { backend = "s3" config = { - bucket = "cloudfence-prod-state" - key = "prod-team-account/acm/terraform.tfstate" - region = "ap-northeast-2" + bucket = "cloudfence-prod-state" + key = "prod-team-account/acm/terraform.tfstate" + region = "ap-northeast-2" } } @@ -71,7 +71,8 @@ resource "aws_wafv2_web_acl" "alb_waf" { } # ALB -#tfsec:ignore:aws-alb-not-public +# 외부 사용자를 위한 로드 밸런서이므로 외부에 노출해야해서 tfsec 경고 무시 +#tfsec:ignore:aws-elb-alb-not-public resource "aws_lb" "alb" { name = "${var.project_name}-alb" internal = false @@ -80,8 +81,8 @@ resource "aws_lb" "alb" { subnets = data.terraform_remote_state.vpc.outputs.public_subnet_ids - drop_invalid_header_fields = true - enable_deletion_protection = true + drop_invalid_header_fields = true + enable_deletion_protection = true tags = { 
@@ -129,17 +130,16 @@ resource "aws_lb_target_group" "green" { } # ALB 리스너 - resource "aws_lb_listener" "https" { - load_balancer_arn = aws_lb.alb.arn - port = 443 - protocol = "HTTPS" - ssl_policy = "ELBSecurityPolicy-TLS13-1-2-2021-06" - certificate_arn = data.terraform_remote_state.acm.outputs.certificate_arn - default_action { - type = "forward" - target_group_arn = aws_lb_target_group.blue.arn - } + load_balancer_arn = aws_lb.alb.arn + port = 443 + protocol = "HTTPS" + ssl_policy = "ELBSecurityPolicy-TLS13-1-2-2021-06" + certificate_arn = data.terraform_remote_state.acm.outputs.certificate_arn + default_action { + type = "forward" + target_group_arn = aws_lb_target_group.blue.arn + } } resource "aws_lb_listener" "http_redirect" { diff --git a/prod-team-account/vpc/main.tf b/prod-team-account/vpc/main.tf index d2d1cd9..378c705 100644 --- a/prod-team-account/vpc/main.tf +++ b/prod-team-account/vpc/main.tf @@ -23,7 +23,8 @@ resource "aws_vpc" "vpc" { } # subnet(public) -#tfsec:ignore:aws-ec2-subnet-public-ip +# public 서브넷은 외부에서 접근 가능하도록 tfsec 경고 무시 +#tfsec:ignore:aws-ec2-no-public-ip-subnet resource "aws_subnet" "public1" { vpc_id = aws_vpc.vpc.id cidr_block = "10.0.1.0/24" @@ -34,7 +35,7 @@ resource "aws_subnet" "public1" { } } -#tfsec:ignore:aws-ec2-subnet-public-ip +#tfsec:ignore:aws-ec2-no-public-ip-subnet resource "aws_subnet" "public2" { vpc_id = aws_vpc.vpc.id cidr_block = "10.0.2.0/24" @@ -137,7 +138,8 @@ resource "aws_route_table_association" "private2" { } # security_group -#tfsec:ignore:aws-ec2-security-group-public-ip-ingress +# ALB를 위한 security group에서는 외부 사용자를위해 HTTP(443) 포트만 열고 이후 tfsec 경고 무시 +#tfsec:ignore:aws-ec2-no-public-ingress-sgr resource "aws_security_group" "alb_sg" { name = "${var.project_name}-alb-sg" description = "Security group for ALB" 
@@ -155,13 +157,14 @@ resource "aws_security_group" "alb_sg" { from_port = 0 to_port = 0 protocol = "-1" - cidr_blocks = ["0.0.0.0/0"] + destination_security_group_id = aws_security_group.ecs_sg.id } } # ECS -#tfsec:ignore:aws-ec2-security-group-public-ip-ingress +# ECS의 security group은 ALB에서 오는 트래픽만 허용하고, 외부로의 모든 트래픽을 허용하므로 tfsec 경고 무시 +#tfsec:ignore:aws-ec2-no-public-egress-sgr resource "aws_security_group" "ecs_sg" { name = "${var.project_name}-ecs-sg" description = "Security group for ECS tasks" From c24adba3f294112bf4e6748559122f84a38a7a45 Mon Sep 17 00:00:00 2001 From: Choi Yunho Date: Tue, 8 Jul 2025 23:25:32 +0900 Subject: [PATCH 5/7] =?UTF-8?q?security=5Fgroup=20egress=20=EC=84=A4?= =?UTF-8?q?=EC=A0=95=20=EC=98=A4=EB=A5=98=20=EC=88=98=EC=A0=95?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- prod-team-account/alb/main.tf | 2 +- prod-team-account/vpc/main.tf | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/prod-team-account/alb/main.tf b/prod-team-account/alb/main.tf index 175df3d..daf0621 100644 --- a/prod-team-account/alb/main.tf +++ b/prod-team-account/alb/main.tf @@ -142,7 +142,7 @@ resource "aws_lb_listener" "https" { } } -resource "aws_lb_listener" "http_redirect" { +resource "aws_lb_listener" "https_redirect" { load_balancer_arn = aws_lb.alb.arn port = 80 protocol = "HTTP" diff --git a/prod-team-account/vpc/main.tf b/prod-team-account/vpc/main.tf index 378c705..26b48a4 100644 --- a/prod-team-account/vpc/main.tf +++ b/prod-team-account/vpc/main.tf @@ -157,7 +157,7 @@ resource "aws_security_group" "alb_sg" { from_port = 0 to_port = 0 protocol = "-1" - destination_security_group_id = aws_security_group.ecs_sg.id + security_groups = [aws_security_group.ecs_sg.id] } } From d2a4f9dc68a6327ba248de371390d00470be67c5 Mon Sep 17 00:00:00 2001 
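Review bot: The ecs_sg egress kept as context in this hunk allows every protocol to 0.0.0.0/0, while the ignore comment added above the resource only justifies outbound traffic in general; if the tasks only pull images and ship logs over HTTPS, narrowing it to `from_port = 443`, `to_port = 443`, `protocol = "tcp"` resolves the aws-ec2-no-public-egress-sgr finding instead of suppressing it. Whether the tasks need anything beyond HTTPS cannot be told from this file, so treat that as a question for the service owner. The alb_sg egress changed in the same hunk now references ecs_sg while ecs_sg's ingress references alb_sg, which the later patches in this series rework. Both security group resources start outside the hunk.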
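Review bot: Renaming the resource address from aws_lb_listener.http_redirect to aws_lb_listener.https_redirect makes Terraform plan a destroy and recreate of the port-80 listener, which is a short outage for the redirect and a new listener ARN; add a `moved` block with `from = aws_lb_listener.http_redirect` and `to = aws_lb_listener.https_redirect` so the state entry is renamed in place. As a point of style, the listener is an HTTP:80 listener that issues the redirect, so a name such as `http_to_https` describes it more accurately than `https_redirect`. The listener body continues outside the hunk.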
From: Choi Yunho Date: Tue, 8 Jul 2025 23:36:43 +0900 Subject: [PATCH 6/7] =?UTF-8?q?security=5Fgroup=20=EC=A2=85=EC=86=8D?= =?UTF-8?q?=EC=84=B1=20=EB=AC=B8=EC=A0=9C=20=ED=95=B4=EA=B2=B0=EA=B2=B0?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- prod-team-account/alb/main.tf | 1 + prod-team-account/vpc/main.tf | 37 +++++++++++++++++++---------------- 2 files changed, 21 insertions(+), 17 deletions(-) diff --git a/prod-team-account/alb/main.tf b/prod-team-account/alb/main.tf index daf0621..df345c6 100644 --- a/prod-team-account/alb/main.tf +++ b/prod-team-account/alb/main.tf @@ -1,3 +1,4 @@ +# test terraform { required_providers { aws = { diff --git a/prod-team-account/vpc/main.tf b/prod-team-account/vpc/main.tf index 26b48a4..13773df 100644 --- a/prod-team-account/vpc/main.tf +++ b/prod-team-account/vpc/main.tf @@ -138,7 +138,7 @@ resource "aws_route_table_association" "private2" { } # security_group -# ALB를 위한 security group에서는 외부 사용자를위해 HTTP(443) 포트만 열고 이후 tfsec 경고 무시 +# ALB를 위한 security group에서는 외부 사용자를위해 HTTPS(443) 포트만 열고 이후 tfsec 경고 무시 #tfsec:ignore:aws-ec2-no-public-ingress-sgr resource "aws_security_group" "alb_sg" { name = "${var.project_name}-alb-sg" @@ -150,16 +150,8 @@ resource "aws_security_group" "alb_sg" { to_port = 443 protocol = "tcp" cidr_blocks = ["0.0.0.0/0"] - description = "Allow HTTP" + description = "Allow HTTPS" } - - egress { - from_port = 0 - to_port = 0 - protocol = "-1" - security_groups = [aws_security_group.ecs_sg.id] - } - } # ECS 
@@ -170,18 +162,29 @@ resource "aws_security_group" "ecs_sg" { description = "Security group for ECS tasks" vpc_id = aws_vpc.vpc.id - ingress { - from_port = 80 - to_port = 80 - protocol = "tcp" - security_groups = [aws_security_group.alb_sg.id] - } - egress { from_port = 0 to_port = 0 protocol = "-1" cidr_blocks = ["0.0.0.0/0"] } +} + +# Security Group Rules +resource "aws_security_group_rule" "alb_egress" { + type = "egress" + from_port = 80 + to_port = 80 + protocol = "tcp" + source_security_group_id = aws_security_group.alb_sg.id + security_groups = [aws_security_group.ecs_sg.id] +} +resource "aws_security_group_rule" "ecs_ingress" { + type = "ingress" + from_port = 80 + to_port = 80 + protocol = "tcp" + source_security_group_id = aws_security_group.ecs_sg.id + security_groups = [aws_security_group.alb_sg.id] } \ No newline at end of file From dbdb7c5250093d397fd671e98548361a077e16c5 Mon Sep 17 00:00:00 2001 From: Choi Yunho Date: Wed, 9 Jul 2025 00:01:46 +0900 Subject: [PATCH 7/7] =?UTF-8?q?security=5Fgroup=20=EC=98=A4=EB=A5=98=20?= =?UTF-8?q?=ED=95=B4=EA=B2=B0?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- prod-team-account/alb/main.tf | 1 - prod-team-account/vpc/main.tf | 33 ++++++++++++++------------------- 2 files changed, 14 insertions(+), 20 deletions(-) diff --git a/prod-team-account/alb/main.tf b/prod-team-account/alb/main.tf index df345c6..daf0621 100644 --- a/prod-team-account/alb/main.tf +++ b/prod-team-account/alb/main.tf @@ -1,4 +1,3 @@ -# test terraform { required_providers { aws = { diff --git a/prod-team-account/vpc/main.tf b/prod-team-account/vpc/main.tf index 13773df..59a1e78 100644 --- a/prod-team-account/vpc/main.tf +++ b/prod-team-account/vpc/main.tf @@ -152,6 +152,13 @@ resource "aws_security_group" "alb_sg" { cidr_blocks = ["0.0.0.0/0"] description = "Allow HTTPS" } + + egress { + from_port = 80 + to_port = 80 + protocol = "tcp" + cidr_blocks = ["0.0.0.0/0"] + } } # ECS 
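Review bot: The alb_sg egress added in the `@@ -152,6 +152,13` hunk of patch 7 opens tcp/80 to 0.0.0.0/0, which is broader than the ALB needs (its only backend is the ECS security group) and, since aws-ec2-no-public-egress-sgr is not ignored on alb_sg, will presumably resurface in the tfsec scan this series is trying to clear. The reason for the wide rule appears to be the alb_sg ↔ ecs_sg reference cycle that patch 6 tried to break; the provider's answer to that is a standalone aws_security_group_rule whose `security_group_id` is alb_sg and whose `source_security_group_id` is ecs_sg — patch 6's attempt used `security_groups`, which that resource does not accept, and had the two ids swapped. Note the provider's guidance not to mix inline ingress/egress blocks and standalone rules on the same security group, so alb_sg's 443 ingress should move to a standalone rule too if this route is taken. The ecs_sg ingress from alb_sg added in the next hunk can stay inline, since ecs_sg would then be referenced by alb_sg only through the standalone rule.

```hcl
resource "aws_security_group" "alb_sg" {
  name        = "${var.project_name}-alb-sg"
  description = "Security group for ALB"
  vpc_id      = aws_vpc.vpc.id
  # … unchanged: tags … (no inline ingress/egress blocks here)
}

# Standalone rules avoid the alb_sg <-> ecs_sg reference cycle that
# inline blocks create, and keep ALB egress scoped to the ECS tasks.
resource "aws_security_group_rule" "alb_https_ingress" {
  type              = "ingress"
  security_group_id = aws_security_group.alb_sg.id
  from_port         = 443
  to_port           = 443
  protocol          = "tcp"
  cidr_blocks       = ["0.0.0.0/0"]
  description       = "Allow HTTPS"
}

resource "aws_security_group_rule" "alb_to_ecs_egress" {
  type                     = "egress"
  security_group_id        = aws_security_group.alb_sg.id
  from_port                = 80
  to_port                  = 80
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.ecs_sg.id
  description              = "ALB to ECS tasks only"
}
```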
@@ -162,6 +169,13 @@ resource "aws_security_group" "ecs_sg" { description = "Security group for ECS tasks" vpc_id = aws_vpc.vpc.id + ingress { + from_port = 80 + to_port = 80 + protocol = "tcp" + security_groups = [aws_security_group.alb_sg.id] + } + egress { from_port = 0 to_port = 0 @@ -169,22 +183,3 @@ resource "aws_security_group" "ecs_sg" { cidr_blocks = ["0.0.0.0/0"] } } - -# Security Group Rules -resource "aws_security_group_rule" "alb_egress" { - type = "egress" - from_port = 80 - to_port = 80 - protocol = "tcp" - source_security_group_id = aws_security_group.alb_sg.id - security_groups = [aws_security_group.ecs_sg.id] -} - -resource "aws_security_group_rule" "ecs_ingress" { - type = "ingress" - from_port = 80 - to_port = 80 - protocol = "tcp" - source_security_group_id = aws_security_group.ecs_sg.id - security_groups = [aws_security_group.alb_sg.id] -} \ No newline at end of file