[Refactor] WAF 서비스 분리

.github/workflows/cd.yml

@@ -65,8 +65,9 @@ jobs:
             ["prod-team-account/vpc"]=""
             ["prod-team-account/iam"]=""
             ["prod-team-account/acm"]=""
+            ["prod-team-account/waf"]=""
             ["operation-team-account/ecr"]="prod-team-account/deploy/iam"
-            ["prod-team-account/alb"]="prod-team-account/deploy/vpc prod-team-account/deploy/acm"
+            ["prod-team-account/alb"]="prod-team-account/deploy/vpc prod-team-account/deploy/acm prod-team-account/deploy/waf"
             ["prod-team-account/ecs"]="prod-team-account/deploy/vpc prod-team-account/deploy/iam prod-team-account/deploy/alb operation-team-account/deploy/ecr"
             ["prod-team-account/codedeploy"]="prod-team-account/deploy/ecs"
           )

prod-team-account/deploy/alb/main.tf

@@ -30,43 +30,12 @@ data "terraform_remote_state" "vpc" {
   }
 }
 
-# WAF
-resource "aws_wafv2_web_acl" "alb_waf" {
-  name        = "${var.project_name}-alb-waf"
-  description = "WAF for ALB"
-  scope       = "REGIONAL"
-
-  default_action {
-    allow {}
-  }
-
-  visibility_config {
-    cloudwatch_metrics_enabled = true
-    metric_name                = "waf-alb-metric"
-    sampled_requests_enabled   = true
-  }
-
-  rule {
-    name     = "AWS-AWSManagedRulesCommonRuleSet"
-    priority = 1
-    override_action {
-      none {}
-    }
-    statement {
-      managed_rule_group_statement {
-        vendor_name = "AWS"
-        name        = "AWSManagedRulesCommonRuleSet"
-      }
-    }
-    visibility_config {
-      cloudwatch_metrics_enabled = true
-      metric_name                = "AWSManagedRulesCommonRuleSet"
-      sampled_requests_enabled   = true
-    }
-  }
-
-  tags = {
-    Name = "${var.project_name}-alb-waf"
+data "terraform_remote_state" "waf" {
+  backend = "s3"
+  config = {
+    bucket = "cloudfence-prod-state"
+    key    = "deploy/waf.tfstate"
+    region = "ap-northeast-2"
   }
 }
 
@@ -158,6 +127,6 @@ resource "aws_lb_listener" "https_redirect" {
 # WAF와 ALB 연결
 resource "aws_wafv2_web_acl_association" "alb_association" {
   resource_arn = aws_lb.alb.arn
-  web_acl_arn  = aws_wafv2_web_acl.alb_waf.arn
+  web_acl_arn  = data.terraform_remote_state.waf.outputs.web_acl_arn
   depends_on   = [aws_lb.alb]
 }

prod-team-account/deploy/waf/backend.tf

@@ -0,0 +1,9 @@
+terraform {
+  backend "s3" {
+    bucket         = "cloudfence-prod-state"
+    key            = "deploy/waf.tfstate"
+    region         = "ap-northeast-2"
+    dynamodb_table = "s3-prod-lock"
+    encrypt        = true
+  }
+}

prod-team-account/deploy/waf/main.tf

@@ -0,0 +1,53 @@
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5.0"
+    }
+  }
+
+}
+
+provider "aws" {
+  region = "ap-northeast-2"
+}
+
+# WAF
+resource "aws_wafv2_web_acl" "alb_waf" {
+  name        = "${var.project_name}-alb-waf"
+  description = "WAF for ALB"
+  scope       = "REGIONAL"
+
+  default_action {
+    allow {}
+  }
+
+  visibility_config {
+    cloudwatch_metrics_enabled = true
+    metric_name                = "waf-alb-metric"
+    sampled_requests_enabled   = true
+  }
+
+  rule {
+    name     = "AWS-AWSManagedRulesCommonRuleSet"
+    priority = 1
+    override_action {
+      none {}
+    }
+    statement {
+      managed_rule_group_statement {
+        vendor_name = "AWS"
+        name        = "AWSManagedRulesCommonRuleSet"
+      }
+    }
+    visibility_config {
+      cloudwatch_metrics_enabled = true
+      metric_name                = "AWSManagedRulesCommonRuleSet"
+      sampled_requests_enabled   = true
+    }
+  }
+
+  tags = {
+    Name = "${var.project_name}-alb-waf"
+  }
+}

prod-team-account/deploy/waf/outputs.tf

@@ -0,0 +1,4 @@
+output "web_acl_arn" {
+  description = "The ARN of the WAF Web ACL"
+  value       = aws_wafv2_web_acl.alb_waf.arn
+}

prod-team-account/deploy/waf/variables.tf

@@ -0,0 +1,5 @@
+variable "project_name" {
+  description = "The name of the project"
+  type        = string
+  default     = "cloudfence"
+}