diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml
new file mode 100644
index 00000000..28c75df7
--- /dev/null
+++ b/.github/workflows/cd.yml
@@ -0,0 +1,126 @@
+name: Terraform Plan and Apply
+
+on:
+ pull_request:
+ branches: [main]
+ paths:
+ - 'operation-team-account/**'
+ - 'identity-team-account/**'
+ - 'prod-team-account/**'
+ push:
+ branches:
+ - main # PR이 main에 merge되었을 때만 apply 실행
+
+permissions:
+ contents: read
+ id-token: write
+
+jobs:
+ terraform-plan:
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v3
+
+ - name: Fetch origin/main
+ run: git fetch origin main
+
+ - name: Detect Changed Folder
+ id: detect
+ run: |
+ FILES=$(git diff --name-only origin/main ${{ github.sha }})
+ echo "Changed files:"
+ echo "$FILES"
+
+ if echo "$FILES" | grep -q '^operation-team-account/'; then
+ echo "account=OPERATION" >> $GITHUB_OUTPUT
+ echo "work_dir=operation-team-account" >> $GITHUB_OUTPUT
+ elif echo "$FILES" | grep -q '^identity-team-account/'; then
+ echo "account=IDENTITY" >> $GITHUB_OUTPUT
+ echo "work_dir=identity-team-account" >> $GITHUB_OUTPUT
+ elif echo "$FILES" | grep -q '^prod-team-account/'; then
+ echo "account=PROD" >> $GITHUB_OUTPUT
+ echo "work_dir=prod-team-account" >> $GITHUB_OUTPUT
+ else
+ echo "No matching folder changed."
+ exit 1
+ fi
+
+ - name: Configure AWS Credentials
+ uses: aws-actions/configure-aws-credentials@v4
+ with:
+ aws-region: ap-northeast-2
+ role-to-assume: ${{ secrets[format('ROLE_ARN_{0}', steps.detect.outputs.account)] }}
+
+ - name: Setup Terraform
+ uses: hashicorp/setup-terraform@v1
+ with:
+ terraform_version: 1.4.0
+
+ - name: Terraform Init
+ run: terraform init
+ working-directory: ${{ steps.detect.outputs.work_dir }}
+
+ - name: Terraform Plan
+ id: plan
+ run: |
+ terraform plan -no-color > plan_output.txt
+ cat plan_output.txt
+
+ working-directory: ${{ steps.detect.outputs.work_dir }}
+ continue-on-error: true
+
+
+ terraform-apply:
+ if: github.event_name == 'push' && github.ref == 'refs/heads/main' == true
+ runs-on: ubuntu-latest
+ needs: terraform-plan # terraform-plan 작업이 완료된 후에 실행
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v3
+
+ - name: Fetch origin/main
+ run: git fetch origin main
+
+ - name: Detect Changed Folder
+ id: detect
+ run: |
+ FILES=$(git diff --name-only origin/main ${{ github.sha }})
+ echo "Changed files:"
+ echo "$FILES"
+
+ if echo "$FILES" | grep -q '^operation-team-account/'; then
+ echo "account=OPERATION" >> $GITHUB_OUTPUT
+ echo "work_dir=operation-team-account" >> $GITHUB_OUTPUT
+ elif echo "$FILES" | grep -q '^identity-team-account/'; then
+ echo "account=IDENTITY" >> $GITHUB_OUTPUT
+ echo "work_dir=identity-team-account" >> $GITHUB_OUTPUT
+ elif echo "$FILES" | grep -q '^prod-team-account/'; then
+ echo "account=PROD" >> $GITHUB_OUTPUT
+ echo "work_dir=prod-team-account" >> $GITHUB_OUTPUT
+ else
+ echo "No matching folder changed."
+ exit 1
+ fi
+
+
+ - name: Configure AWS Credentials
+ uses: aws-actions/configure-aws-credentials@v4
+ with:
+ aws-region: ap-northeast-2
+ role-to-assume: ${{ secrets[format('ROLE_ARN_{0}', steps.detect.outputs.account)] }}
+
+ - name: Setup Terraform
+ uses: hashicorp/setup-terraform@v1
+ with:
+ terraform_version: 1.4.0
+
+ - name: Terraform InitS
+ run: terraform init
+ working-directory: ${{ steps.detect.outputs.work_dir }}
+
+ - name: Terraform Apply
+ run: terraform apply -auto-approve
+ working-directory: ${{ steps.detect.outputs.work_dir }}
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
new file mode 100644
index 00000000..4fbb2cd0
--- /dev/null
+++ b/.github/workflows/ci.yml
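Review bot: `terraform apply -auto-approve` in the `terraform-apply` job re-plans from scratch instead of applying the plan produced by `terraform-plan`, and because the plan step carries `continue-on-error: true` a failed plan still satisfies `needs: terraform-plan`, so what reaches the account is never the output anyone looked at. Save the plan with `-out`, publish it as an artifact, drop `continue-on-error`, and have the apply job download and apply that exact file, as sketched below. Separately, on a push to main `origin/main` and `${{ github.sha }}` appear to name the same commit, so `git diff --name-only origin/main ${{ github.sha }}` in the apply job's detect step would print nothing and reach `exit 1`; the push path needs a different base such as `${{ github.event.before }}`. The same detect block (here and in ci.yml) also takes only the first matching folder, so a change touching two account directories silently skips the second. Minor: the apply job's `if:` has a redundant `== true`, `Terraform InitS` is a typo, and the third-party actions here and in ci.yml are referenced by mutable tags (`@v3`, `@v4`, `@v1`) rather than commit SHAs.
```yaml
      - name: Terraform Plan
        id: plan
        run: terraform plan -no-color -input=false -out=tfplan
        working-directory: ${{ steps.detect.outputs.work_dir }}

      - name: Upload Plan
        uses: actions/upload-artifact@v4
        with:
          name: tfplan-${{ steps.detect.outputs.work_dir }}
          path: ${{ steps.detect.outputs.work_dir }}/tfplan

  # … unchanged: terraform-apply job header, checkout, detect, credentials, setup, init …

      - name: Download Plan
        uses: actions/download-artifact@v4
        with:
          name: tfplan-${{ steps.detect.outputs.work_dir }}
          path: ${{ steps.detect.outputs.work_dir }}

      - name: Terraform Apply
        run: terraform apply -input=false tfplan
        working-directory: ${{ steps.detect.outputs.work_dir }}
```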
@@ -0,0 +1,127 @@
+name: Monitoring CI
+
+on:
+ pull_request:
+ branches: [main] # main 브랜치에 대한 PR 이벤트에서만 실행
+
+permissions:
+ contents: read # GitHub repo의 내용을 읽을 권한
+ id-token: write # OIDC로 AWS 인증을 위해 필요
+
+jobs:
+ terraform-ci:
+ name: Terraform CI per changed folder
+ runs-on: ubuntu-latest
+
+ steps:
+ # 1. PR 코드 체크아웃
+ - name: Checkout Code
+ uses: actions/checkout@v3
+
+ # 2. 최신 main 브랜치를 fetch (diff 비교를 위해)
+ - name: Fetch origin/main
+ run: git fetch origin main
+
+ # 3. 어떤 디렉토리가 변경되었는지 감지
+ - name: Detect Changed Folder
+ id: detect
+ run: |
+ FILES=$(git diff --name-only origin/main ${{ github.sha }})
+ echo "Changed files:"
+ echo "$FILES"
+
+ if echo "$FILES" | grep -q '^operation-team-account/'; then
+ echo "account=OPERATION" >> $GITHUB_OUTPUT
+ echo "work_dir=operation-team-account" >> $GITHUB_OUTPUT
+ elif echo "$FILES" | grep -q '^identity-team-account/'; then
+ echo "account=IDENTITY" >> $GITHUB_OUTPUT
+ echo "work_dir=identity-team-account" >> $GITHUB_OUTPUT
+ elif echo "$FILES" | grep -q '^prod-team-account/'; then
+ echo "account=PROD" >> $GITHUB_OUTPUT
+ echo "work_dir=prod-team-account" >> $GITHUB_OUTPUT
+ else
+ echo "No matching folder changed."
+ exit 1
+ fi
+
+ # 4. 변경된 디렉토리에 맞는 IAM Role Assume (GitHub OIDC 방식)
+ - name: Configure AWS Credentials via OIDC
+ uses: aws-actions/configure-aws-credentials@v4
+ with:
+ aws-region: ap-northeast-2
+ role-to-assume: ${{ secrets[format('ROLE_ARN_{0}', steps.detect.outputs.account)] }}
+
+ # 5. tfsec 보안 점검
+ - name: Run tfsec (Terraform Security Check)
+ uses: aquasecurity/tfsec-action@v1.0.0
+ with:
+ working-directory: ${{ steps.detect.outputs.work_dir }}
+
+ # 6. Terraform CLI 설정
+ - name: Setup Terraform
+ uses: hashicorp/setup-terraform@v1
+ with:
+ terraform_version: 1.4.0
+
+ # 7. Terraform init
+ - name: Terraform Init
+ run: terraform init
+ working-directory: ${{ steps.detect.outputs.work_dir }}
+
+ # 8.
terraform fmt 코드 정렬 검사
+ - name: Terraform Format Check (root)
+ run: terraform fmt -check -recursive
+
+ # 9. terraform validate 문법 검증
+ - name: Terraform Validate
+ run: terraform validate
+ working-directory: ${{ steps.detect.outputs.work_dir }}
+
+ # 10. plan 결과를 텍스트로 저장 (PR 코멘트 용)
+ - name: Terraform Plan (text for PR comment)
+ run: terraform plan -no-color > plan.txt
+ working-directory: ${{ steps.detect.outputs.work_dir }}
+
+ # 11. plan 텍스트를 아티팩트로 저장 (추후 코멘트 삽입 가능)
+ - name: Upload Plan as Artifact
+ uses: actions/upload-artifact@v4
+ with:
+ name: terraform-plan
+ path: ${{ steps.detect.outputs.work_dir }}/plan.txt
+
+ # 12. infracost 용 plan binary 생성
+ - name: Terraform Plan (for infracost)
+ run: terraform plan -refresh=false -out=tfplan.binary
+ working-directory: ${{ steps.detect.outputs.work_dir }}
+
+ # 13. binary plan을 JSON으로 변환
+ - name: Convert Plan to JSON
+ run: terraform show -json tfplan.binary > plan.json
+ working-directory: ${{ steps.detect.outputs.work_dir }}
+
+ # 14. Infracost 설치
+ - name: Setup Infracost
+ uses: infracost/actions/setup@v2
+
+ # 15. 비용 분석 실행
+ - name: Generate Infracost Breakdown
+ run: |
+ ls -al ${{ steps.detect.outputs.work_dir }}
+ cat ${{ steps.detect.outputs.work_dir }}/plan.json
+ infracost breakdown \
+ --path=${{ steps.detect.outputs.work_dir }}/plan.json \
+ --format=json \
+ --out-file=/tmp/infracost.json
+ env:
+ INFRACOST_API_KEY: ${{ secrets.INFRACOST_API_KEY }}
+
+ # 16. Infracost 분석 결과를 PR 코멘트로 남기기
+ - name: Infracost Comment on Pull Request
+ uses: infracost/actions@v1
+ if: github.event_name == 'pull_request'
+ with:
+ path: /tmp/infracost.json
+ behavior: update
+ env:
+ INFRACOST_API_KEY: ${{ secrets.INFRACOST_API_KEY }}
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/main.tf b/main.tf
new file mode 100644
index 00000000..3bd27e49
--- /dev/null
+++ b/main.tf
@@ -0,0 +1,3 @@
+provider "aws" {
+ region = "ap-northeast-2" # 서울 리전
+}
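Review bot: `cat ${{ steps.detect.outputs.work_dir }}/plan.json` in the `Generate Infracost Breakdown` step writes the whole `terraform show -json` output into the job log, and unlike the text plan the JSON plan format does not redact values marked `sensitive` (it only flags them), while Actions logs are readable by everyone with read access to the repository; remove the `ls -al` and `cat` debug lines and let `infracost breakdown --path=…` read the file itself. The `plan.txt` artifact uploaded in step 11 is downloadable by the same audience, which is worth keeping in mind once the account directories hold real resources. The `permissions` block grants only `contents: read` and `id-token: write`, but the `Infracost Comment on Pull Request` step posts a PR comment with `GITHUB_TOKEN`, which additionally needs `pull-requests: write`. The `Fetch origin/main` step runs on a default `actions/checkout@v3` shallow clone, so if `git diff --name-only origin/main ${{ github.sha }}` ever misbehaves on a PR with a long history, `fetch-depth: 0` on the checkout is the first thing to try.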
diff --git a/operation-team-account/main.tf b/operation-team-account/main.tf
new file mode 100644
index 00000000..8cfb50be
--- /dev/null
+++ b/operation-team-account/main.tf
@@ -0,0 +1,18 @@
+# CD 테스트용 리소스
+#test1
+
+resource "null_resource" "test" {
+ triggers = {
+ always_run = "${timestamp()}"
+ }
+}
+
+resource "null_resource" "test1" {
+ triggers = {
+ always_run = "test1-${timestamp()}"
+ }
+
+}
+#test2
+
+#test3
\ No newline at end of file
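Review bot: `always_run = "${timestamp()}"` in `null_resource.test` is a redundant interpolation wrapper that `terraform fmt` rewrites to `always_run = timestamp()`, so I would expect the root `terraform fmt -check -recursive` step added in ci.yml to fail on this file as committed; the missing trailing newline may trip it as well. Since `triggers` already re-creates the resource on every run, the file is effectively a permanent diff for the OPERATION account, which is fine for a CD smoke test but should be removed before the directory holds real resources.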