From f5560911d2ffb65bfff093b96a7d4d80e71897d9 Mon Sep 17 00:00:00 2001 From: rnjsdbwlsqwer Date: Thu, 5 Jun 2025 22:56:19 +0900 Subject: [PATCH 1/8] ci/cd test --- .github/workflows/deploy.yml | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) create mode 100644 .github/workflows/deploy.yml diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml new file mode 100644 index 0000000..61b0f2d --- /dev/null +++ b/.github/workflows/deploy.yml @@ -0,0 +1,20 @@ +name: OIDC Test +on: + push: + workflow_dispatch: + +permissions: + id-token: write + +jobs: + access-s3: + runs-on: ubuntu-latest + steps: + - name: Configure AWS Credentials + uses: aws-actions/configure-aws-credentials@v4 + with: + aws-region: ap-northeast-2 + role-to-assume: arn:aws:iam::433331841346:role/cloudfencedemorole + + - name: List files in S3 bucket + run: aws s3 ls cloudfence-bucket \ No newline at end of file From 68af6a5b24514d88a2f9a1c71cd3b0334a0f2c64 Mon Sep 17 00:00:00 2001 From: rnjsdbwlsqwer Date: Thu, 5 Jun 2025 23:10:28 +0900 Subject: [PATCH 2/8] ci/cd test2 --- .github/workflows/deploy.yml | 41 +++++++++++++++++++++++++++++++++++- 1 file changed, 40 insertions(+), 1 deletion(-) diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index 61b0f2d..8aac475 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml 
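Review bot: The new workflow requests `id-token: write` on every `push` with no branch filter, so the only control between any branch of this repository and `role/cloudfencedemorole` is the IAM role's trust policy; if that policy does not condition `token.actions.githubusercontent.com:sub` on a specific branch or environment, every pushed branch can obtain the role. Narrow the trigger (`push: branches: [main]`, keeping `workflow_dispatch:`) and confirm the trust policy's `sub` condition matches the branch the workflow is allowed to run from. The `permissions:` block drops every other GITHUB_TOKEN scope, which is fine for this job but will matter as soon as a checkout step is added. Pinning `aws-actions/configure-aws-credentials@v4` to a commit SHA rather than a moving major tag closes the action supply-chain gap, and the file is missing its final newline.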
@@ -17,4 +17,43 @@ jobs: role-to-assume: arn:aws:iam::433331841346:role/cloudfencedemorole - name: List files in S3 bucket - run: aws s3 ls cloudfence-bucket \ No newline at end of file + run: aws s3 ls cloudfence-bucket + terraform: + name: "Security Check, and Deploy" + runs-on: ubuntu-latest + + env: + AWS_REGION: "ap-northeast-2" + TF_VERSION: "1.4.0" + steps: + - name: "Checkout GitHub repository" + uses: actions/checkout@v3 + + # terraform 설치 및 초기화 + - name: "Set up Terraform" + uses: hashicorp/setup-terraform@v1 + with: + terraform_version: ${{ env.TF_VERSION }} + # trivy 설치 밀 실행 + - name: Run Trivy IaC Scan + uses: aquasecurity/trivy-action@master + with: + scan-type: config + scan-ref: . + + - name: "Terraform Init" + run: terraform init + + - name: "Terraform Format" + run: terraform fmt + + - name: "Terraform Validate" + run: terraform validate + + - name: "Terraform Plan" + run: terraform plan -out=tfplan + + - name: "Terraform Apply" + if: github.ref == 'refs/heads/main' + run: terraform apply -auto-approve tfplan + From db3b808b077539225e7500522b3b11d1c1b22c8b Mon Sep 17 00:00:00 2001 From: rnjsdbwlsqwer Date: Thu, 5 Jun 2025 23:14:50 +0900 Subject: [PATCH 3/8] ci/cd test3 --- main.tf | 8 ++++++++ 1 file changed, 8 insertions(+) create mode 100644 main.tf diff --git a/main.tf b/main.tf new file mode 100644 index 0000000..0a9f689 --- /dev/null +++ b/main.tf @@ -0,0 +1,8 @@ +provider "aws" { + region = "ap-northeast-2" # 서울 리전 +} + +#tfsec:ignore:aws-s3-enable-bucket-logging +resource "aws_s3_bucket" "whs" { + bucket = "cloudfence-bucket" +} \ No newline at end of file From 7e85328f3a2ace48d4c82feb54ef58bb44f534cc Mon Sep 17 00:00:00 2001 From: rnjsdbwlsqwer Date: Thu, 5 Jun 2025 23:27:19 +0900 Subject: [PATCH 4/8] ci/cd test4 --- .github/workflows/deploy.yml | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index 8aac475..8de26da 100644 --- a/.github/workflows/deploy.yml 
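Review bot: `uses: aquasecurity/trivy-action@master` runs whatever the upstream branch contains at run time inside a job that later applies infrastructure; pin it to a release tag or, better, a commit SHA, and treat `hashicorp/setup-terraform@v1` the same way. As written the scan step gates nothing: no `exit-code` or `severity` input is set, so findings are reported and the job continues to `terraform apply` — add `exit-code: 1` (with the `severity` list you want to block on) under `with:` if the job title "Security Check, and Deploy" is meant literally. `run: terraform fmt` rewrites files on the runner instead of failing on unformatted code; `terraform fmt -check -recursive` is the gating form. The `permissions:` block defined outside this hunk grants only `id-token: write`, so `actions/checkout@v3` will need `contents: read` on a private repository, and the `jobs:` mapping itself begins above the hunk. The comment `# trivy 설치 밀 실행` looks like a typo for `및` ("install and run Trivy").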
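Review bot: The configuration has no `terraform { backend ... }` and no `required_providers`/`required_version` block, so each workflow run starts from empty local state on a fresh runner: the first apply creates `cloudfence-bucket` and every later run plans it as new and fails on the name conflict (the `aws s3 ls cloudfence-bucket` step in the first patch suggests the bucket may already exist). Add a remote backend and pin the AWS provider version before relying on the apply step. `#tfsec:ignore:aws-s3-enable-bucket-logging` suppresses a finding with no stated reason; if the Trivy step is meant to honour it, give it an expiry and a one-line justification, e.g. `#tfsec:ignore:aws-s3-enable-bucket-logging:exp:<YYYY-MM-DD>  # test bucket, no access-log target yet`. The bucket also has no `aws_s3_bucket_public_access_block`, `aws_s3_bucket_versioning` or `aws_s3_bucket_server_side_encryption_configuration` alongside it, which the Trivy config scan added in the previous patch is likely to report.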
+++ b/.github/workflows/deploy.yml @@ -26,6 +26,12 @@ jobs: AWS_REGION: "ap-northeast-2" TF_VERSION: "1.4.0" steps: + - name: Configure AWS Credentials + uses: aws-actions/configure-aws-credentials@v4 + with: + aws-region: ap-northeast-2 + role-to-assume: arn:aws:iam::433331841346:role/cloudfencedemorole + - name: "Checkout GitHub repository" uses: actions/checkout@v3 @@ -54,6 +60,6 @@ jobs: run: terraform plan -out=tfplan - name: "Terraform Apply" - if: github.ref == 'refs/heads/main' + if: github.ref == 'refs/heads/feature-#7' run: terraform apply -auto-approve tfplan From 4d835e51cc9cf5373ffa0899bce505552f8b6209 Mon Sep 17 00:00:00 2001 From: rnjsdbwlsqwer Date: Thu, 5 Jun 2025 23:45:27 +0900 Subject: [PATCH 5/8] ci/cd test4 --- main.tf | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/main.tf b/main.tf index 0a9f689..c162542 100644 --- a/main.tf +++ b/main.tf @@ -3,6 +3,11 @@ provider "aws" { } #tfsec:ignore:aws-s3-enable-bucket-logging +resource "random_id" "suffix" { + byte_length = 4 +} + resource "aws_s3_bucket" "whs" { - bucket = "cloudfence-bucket" -} \ No newline at end of file + bucket = "cloudfence-bucket-${random_id.suffix.hex}" + force_destroy = true +} From 945fae94cb6b44740ba9660ee86832657f09b6d5 Mon Sep 17 00:00:00 2001 From: rnjsdbwlsqwer Date: Thu, 5 Jun 2025 23:47:02 +0900 Subject: [PATCH 6/8] ci/cd test4 --- main.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/main.tf b/main.tf index c162542..dbf3e24 100644 --- a/main.tf +++ b/main.tf @@ -8,6 +8,6 @@ resource "random_id" "suffix" { } resource "aws_s3_bucket" "whs" { - bucket = "cloudfence-bucket-${random_id.suffix.hex}" - force_destroy = true + bucket = "cloudfence-bucket" } + From ad155f6c1b4a6032b04bdf03dfd1cc5a96767513 Mon Sep 17 00:00:00 2001 From: rnjsdbwlsqwer Date: Thu, 5 Jun 2025 23:48:11 +0900 Subject: [PATCH 7/8] ci/cd test4 --- main.tf | 4 ---- 1 file changed, 4 deletions(-) 
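Review bot: The second hunk changes the apply gate to `if: github.ref == 'refs/heads/feature-#7'`, so `terraform apply -auto-approve` now fires on every push to a feature branch with no plan review or approval in between; if this is a temporary test, revert it before merge, and either way an `environment:` with required reviewers on the terraform job is the right place to gate an auto-approved apply. The new credentials step in the first hunk repeats the literal region although the job already defines `AWS_REGION`; `aws-region: ${{ env.AWS_REGION }}` keeps the two from drifting apart. Whichever branch the gate names must also be the branch the IAM role's trust policy `sub` condition allows, otherwise the assume-role step fails before apply is reached. The `terraform` job's `env:` block and the remaining steps lie outside both hunks.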
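Review bot: Inserting `resource "random_id" "suffix"` directly beneath the context line `#tfsec:ignore:aws-s3-enable-bucket-logging` re-targets that suppression: ignore comments apply to the block that follows them, so it now annotates `random_id` and the bucket-logging finding on `aws_s3_bucket.whs` is no longer suppressed (patch 6 keeps this arrangement; patch 7 removes `random_id` again). Move the comment back onto the bucket resource, or place `random_id` after the bucket. `force_destroy = true` lets `terraform destroy` delete the bucket together with every object in it, which is acceptable for a throwaway test bucket but should not survive into a configuration that manages real data. Because no remote backend is configured, `random_id` is regenerated on every fresh-state run, so each apply creates another `cloudfence-bucket-<hex>` bucket instead of updating one.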
diff --git a/main.tf b/main.tf index dbf3e24..2893fd2 100644 --- a/main.tf +++ b/main.tf @@ -3,10 +3,6 @@ provider "aws" { } #tfsec:ignore:aws-s3-enable-bucket-logging -resource "random_id" "suffix" { - byte_length = 4 -} - resource "aws_s3_bucket" "whs" { bucket = "cloudfence-bucket" } From 3a2fa4587b9e42c14d77ce1eb665c09e6d38e685 Mon Sep 17 00:00:00 2001 From: rnjsdbwlsqwer Date: Thu, 5 Jun 2025 23:53:34 +0900 Subject: [PATCH 8/8] ci/cd test5 --- main.tf | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/main.tf b/main.tf index 2893fd2..57f155b 100644 --- a/main.tf +++ b/main.tf @@ -2,8 +2,5 @@ provider "aws" { region = "ap-northeast-2" # 서울 리전 } -#tfsec:ignore:aws-s3-enable-bucket-logging -resource "aws_s3_bucket" "whs" { - bucket = "cloudfence-bucket" -} +