From 9c2e28275b452753c61a5550f329346a9f66cb68 Mon Sep 17 00:00:00 2001
From: Choi Yunho
Date: Sat, 19 Jul 2025 23:43:54 +0900
Subject: [PATCH] =?UTF-8?q?[Refactor]=20WAF=20=EC=84=9C=EB=B9=84=EC=8A=A4?=
 =?UTF-8?q?=20=EB=B6=84=EB=A6=AC?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .github/workflows/cd.yml | 3 +-
 prod-team-account/deploy/alb/main.tf | 45 +++----------------
 prod-team-account/deploy/waf/backend.tf | 9 ++++
 prod-team-account/deploy/waf/main.tf | 53 +++++++++++++++++++++++
 prod-team-account/deploy/waf/outputs.tf | 4 ++
 prod-team-account/deploy/waf/variables.tf | 5 +++
 6 files changed, 80 insertions(+), 39 deletions(-)
 create mode 100644 prod-team-account/deploy/waf/backend.tf
 create mode 100644 prod-team-account/deploy/waf/main.tf
 create mode 100644 prod-team-account/deploy/waf/outputs.tf
 create mode 100644 prod-team-account/deploy/waf/variables.tf
diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml
index adf0f76..73db833 100644
--- a/.github/workflows/cd.yml
+++ b/.github/workflows/cd.yml
@@ -65,8 +65,9 @@ jobs:
 ["prod-team-account/vpc"]=""
 ["prod-team-account/iam"]=""
 ["prod-team-account/acm"]=""
+ ["prod-team-account/waf"]=""
 ["operation-team-account/ecr"]="prod-team-account/deploy/iam"
- ["prod-team-account/alb"]="prod-team-account/deploy/vpc prod-team-account/deploy/acm"
+ ["prod-team-account/alb"]="prod-team-account/deploy/vpc prod-team-account/deploy/acm prod-team-account/deploy/waf"
 ["prod-team-account/ecs"]="prod-team-account/deploy/vpc prod-team-account/deploy/iam prod-team-account/deploy/alb operation-team-account/deploy/ecr"
 ["prod-team-account/codedeploy"]="prod-team-account/deploy/ecs"
 )
diff --git a/prod-team-account/deploy/alb/main.tf b/prod-team-account/deploy/alb/main.tf
index ea36832..e45363f 100644
--- a/prod-team-account/deploy/alb/main.tf
+++ b/prod-team-account/deploy/alb/main.tf
@@ -30,43 +30,12 @@ data "terraform_remote_state" "vpc" {
 }
 }
-# WAF
-resource "aws_wafv2_web_acl" "alb_waf" {
- name = "${var.project_name}-alb-waf"
- description = "WAF for ALB"
- scope = "REGIONAL"
-
- default_action {
- allow {}
- }
-
- visibility_config {
- cloudwatch_metrics_enabled = true
- metric_name = "waf-alb-metric"
- sampled_requests_enabled = true
- }
-
- rule {
- name = "AWS-AWSManagedRulesCommonRuleSet"
- priority = 1
- override_action {
- none {}
- }
- statement {
- managed_rule_group_statement {
- vendor_name = "AWS"
- name = "AWSManagedRulesCommonRuleSet"
- }
- }
- visibility_config {
- cloudwatch_metrics_enabled = true
- metric_name = "AWSManagedRulesCommonRuleSet"
- sampled_requests_enabled = true
- }
- }
-
- tags = {
- Name = "${var.project_name}-alb-waf"
+data "terraform_remote_state" "waf" {
+ backend = "s3"
+ config = {
+ bucket = "cloudfence-prod-state"
+ key = "deploy/waf.tfstate"
+ region = "ap-northeast-2"
 }
 }
@@ -158,6 +127,6 @@ resource "aws_lb_listener" "https_redirect" {
 # WAF와 ALB 연결
 resource "aws_wafv2_web_acl_association" "alb_association" {
 resource_arn = aws_lb.alb.arn
- web_acl_arn = aws_wafv2_web_acl.alb_waf.arn
+ web_acl_arn = data.terraform_remote_state.waf.outputs.web_acl_arn
 depends_on = [aws_lb.alb]
 }
diff --git a/prod-team-account/deploy/waf/backend.tf b/prod-team-account/deploy/waf/backend.tf
new file mode 100644
index 0000000..8d68c47
--- /dev/null
+++ b/prod-team-account/deploy/waf/backend.tf
@@ -0,0 +1,9 @@
+terraform {
+ backend "s3" {
+ bucket = "cloudfence-prod-state"
+ key = "deploy/waf.tfstate"
+ region = "ap-northeast-2"
+ dynamodb_table = "s3-prod-lock"
+ encrypt = true
+ }
+}
\ No newline at end of file
diff --git a/prod-team-account/deploy/waf/main.tf b/prod-team-account/deploy/waf/main.tf
new file mode 100644
index 0000000..e6ae276
--- /dev/null
+++ b/prod-team-account/deploy/waf/main.tf
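Review bot: The new `data "terraform_remote_state" "waf"` block hard-codes the same bucket, key and region that `prod-team-account/deploy/waf/backend.tf` declares, so the two can drift apart with no plan-time error until `outputs.web_acl_arn` is suddenly missing; a comment on the block naming what it must stay in sync with would help, e.g. `# Must match the backend block in deploy/waf/backend.tf; apply the waf stack first (see the cd.yml dependency map).` Reading state this way also means the alb stack's identity needs read access to the whole waf state object, not just the one output, which is acceptable here because that state holds only the web ACL but is worth knowing if the waf stack grows. In the second hunk, because the ACL is now created outside this stack, a recreated web ACL gets a new ARN and the association here is only corrected on the next alb apply; the added cd.yml dependency covers the normal apply order but not a standalone re-apply of waf.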
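Review bot: `backend.tf` ends without a trailing newline (`\ No newline at end of file`), as do the other three new files `main.tf`, `outputs.tf` and `variables.tf` in `prod-team-account/deploy/waf/`; running `terraform fmt` would add it and keep later diffs clean. The locking and encryption settings (`dynamodb_table = "s3-prod-lock"`, `encrypt = true`) match what the rest of the production state backends should be using and need no change.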
@@ -0,0 +1,53 @@
+terraform {
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 5.0"
+ }
+ }
+
+}
+
+provider "aws" {
+ region = "ap-northeast-2"
+}
+
+# WAF
+resource "aws_wafv2_web_acl" "alb_waf" {
+ name = "${var.project_name}-alb-waf"
+ description = "WAF for ALB"
+ scope = "REGIONAL"
+
+ default_action {
+ allow {}
+ }
+
+ visibility_config {
+ cloudwatch_metrics_enabled = true
+ metric_name = "waf-alb-metric"
+ sampled_requests_enabled = true
+ }
+
+ rule {
+ name = "AWS-AWSManagedRulesCommonRuleSet"
+ priority = 1
+ override_action {
+ none {}
+ }
+ statement {
+ managed_rule_group_statement {
+ vendor_name = "AWS"
+ name = "AWSManagedRulesCommonRuleSet"
+ }
+ }
+ visibility_config {
+ cloudwatch_metrics_enabled = true
+ metric_name = "AWSManagedRulesCommonRuleSet"
+ sampled_requests_enabled = true
+ }
+ }
+
+ tags = {
+ Name = "${var.project_name}-alb-waf"
+ }
+}
\ No newline at end of file
diff --git a/prod-team-account/deploy/waf/outputs.tf b/prod-team-account/deploy/waf/outputs.tf
new file mode 100644
index 0000000..0165460
--- /dev/null
+++ b/prod-team-account/deploy/waf/outputs.tf
@@ -0,0 +1,4 @@
+output "web_acl_arn" {
+ description = "The ARN of the WAF Web ACL"
+ value = aws_wafv2_web_acl.alb_waf.arn
+}
\ No newline at end of file
diff --git a/prod-team-account/deploy/waf/variables.tf b/prod-team-account/deploy/waf/variables.tf
new file mode 100644
index 0000000..7c839dd
--- /dev/null
+++ b/prod-team-account/deploy/waf/variables.tf
@@ -0,0 +1,5 @@
+variable "project_name" {
+ description = "The name of the project"
+ type = string
+ default = "cloudfence"
+}
\ No newline at end of file
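Review bot: The web ACL in `waf/main.tf` enables CloudWatch metrics and sampled requests but defines no `aws_wafv2_web_acl_logging_configuration`, so the full record of which requests the Common Rule Set blocked or allowed is not retained anywhere an analyst can query during an incident; unless logging is wired up in a stack not shown here, the resource below (destination left as a placeholder) would close that gap. The `terraform` block also carries a stray blank line before its closing `}` and pins the provider with `~> 5.0` but sets no `required_version`, which is worth adding for a stack whose state other stacks read. Minor: `description` and both `metric_name` values are fixed strings while `name` derives from `var.project_name`, so they will not follow a renamed project.
```hcl
# Retain full WAF logs for detection and incident response.
# The destination (CloudWatch log group, S3 bucket or Firehose stream)
# must have a name beginning with "aws-waf-logs-"; ARN is a placeholder here.
resource "aws_wafv2_web_acl_logging_configuration" "alb_waf" {
  resource_arn            = aws_wafv2_web_acl.alb_waf.arn
  log_destination_configs = ["<LOG_DESTINATION_ARN_PLACEHOLDER>"]
}
```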