From 6ec33dca80c3aea6ec97f6a01d77d17ac61af9d7 Mon Sep 17 00:00:00 2001 From: rnjsdbwlsqwer Date: Fri, 6 Jun 2025 00:54:02 +0900 Subject: [PATCH 01/58] ci/cd test --- .github/workflows/cd.yml | 26 ++++++++++++++++++++++++++ .github/workflows/ci.yml | 29 +++++++++++++++++++++++++++++ main.tf | 3 +++ 3 files changed, 58 insertions(+) create mode 100644 .github/workflows/cd.yml create mode 100644 .github/workflows/ci.yml create mode 100644 main.tf diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml new file mode 100644 index 00000000..8a184b9f --- /dev/null +++ b/.github/workflows/cd.yml @@ -0,0 +1,26 @@ +name: Monitoring CD + +on: + push: + branches: [main] + workflow_dispatch: + +permissions: + contents: read + id-token: write + +jobs: + terraform-cd: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + - uses: aws-actions/configure-aws-credentials@v4 + with: + aws-region: ap-northeast-2 + role-to-assume: arn:aws:iam::433331841346:role/cloudfencedemorole + - uses: hashicorp/setup-terraform@v1 + with: + terraform_version: 1.4.0 + + - run: terraform init + - run: terraform apply -auto-approve diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml new file mode 100644 index 00000000..8ceee2c6 --- /dev/null +++ b/.github/workflows/ci.yml @@ -0,0 +1,29 @@ +name: Monitoring CI + +on: + pull_request: + branches: [main] + push: + branches: [dev] + +permissions: + contents: read + id-token: write + +jobs: + terraform-ci: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + - uses: aws-actions/configure-aws-credentials@v4 + with: + aws-region: ap-northeast-2 + role-to-assume: arn:aws:iam::433331841346:role/cloudfencedemorole + + - uses: hashicorp/setup-terraform@v1 + with: + terraform_version: 1.4.0 + + - run: terraform init + - run: terraform validate + - run: terraform plan diff --git a/main.tf b/main.tf new file mode 100644 index 00000000..ff6bc333 --- /dev/null +++ b/main.tf 
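Review bot: The cd.yml job runs `terraform apply -auto-approve` on every push to main with no plan review or approval gate, while every action it depends on is referenced by a mutable tag (`actions/checkout@v3`, `aws-actions/configure-aws-credentials@v4`, `hashicorp/setup-terraform@v1`), so a moved tag in any of them executes unreviewed code holding the assumed role's credentials. Pin each `uses:` to a full commit SHA with the tag noted in a trailing comment (`uses: actions/checkout@<commit-sha>  # v3`, real value to be filled in), and attach the apply job to a protected `environment:` with required reviewers so the apply waits for approval. The same mutable-tag pattern is in the ci.yml hunk on this line. The `permissions` block limited to `contents: read` and `id-token: write` is the right shape for OIDC and should stay that narrow as steps are added.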
@@ -0,0 +1,3 @@ +provider "aws" { + region = "ap-northeast-2" # 서울 리전 +} \ No newline at end of file From d845f9b5979ebc54c3d98ec04bef1d0c56093c40 Mon Sep 17 00:00:00 2001 From: imyourhopeee <144752063+imyourhopeee@users.noreply.github.com> Date: Fri, 6 Jun 2025 01:54:05 +0900 Subject: [PATCH 02/58] Update ci.yml --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 8ceee2c6..b2072562 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -18,7 +18,7 @@ jobs: - uses: aws-actions/configure-aws-credentials@v4 with: aws-region: ap-northeast-2 - role-to-assume: arn:aws:iam::433331841346:role/cloudfencedemorole + role-to-assume: arn:aws:iam::433331841346:role/Monitoring-role - uses: hashicorp/setup-terraform@v1 with: From 94f2e8fc51bb0954a12197c1668be6a0f1275443 Mon Sep 17 00:00:00 2001 From: imyourhopeee <144752063+imyourhopeee@users.noreply.github.com> Date: Fri, 6 Jun 2025 02:15:44 +0900 Subject: [PATCH 03/58] Update ci.yml --- .github/workflows/ci.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index b2072562..fe6b1f1a 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -12,6 +12,8 @@ permissions: jobs: terraform-ci: + env: + ACTIONS_STEP_DEBUG: true runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 From 56c185594ad4742bf56a14ba52b6def6a461420f Mon Sep 17 00:00:00 2001 From: imyourhopeee <144752063+imyourhopeee@users.noreply.github.com> Date: Fri, 6 Jun 2025 02:17:39 +0900 Subject: [PATCH 04/58] Update ci.yml --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index fe6b1f1a..02ed08a2 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
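Review bot: The `env: ACTIONS_STEP_DEBUG: true` added under the job in the patch-03 hunk most likely does not enable step debug logging — as far as I know GitHub reads that flag from a repository secret or variable named ACTIONS_STEP_DEBUG, not from workflow `env`, and patch 04 moving it to the top level does not change that. If debug output is wanted, set it in the repository settings and drop the key from the workflow; if it is meant to stay in the file, quote it (`ACTIONS_STEP_DEBUG: "true"`) since env values are strings and the bare word is parsed as a boolean first. Debug logging is considerably more verbose and this job handles cloud credentials, so it should be switched off again once troubleshooting is done.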
@@ -5,6 +5,8 @@ on: branches: [main] push: branches: [dev] +env: + ACTIONS_STEP_DEBUG: true permissions: contents: read @@ -12,8 +14,6 @@ permissions: jobs: terraform-ci: - env: - ACTIONS_STEP_DEBUG: true runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 From 5ec75a0ab43aa783fb961e5a856a9c48961e8dfa Mon Sep 17 00:00:00 2001 From: imyourhopeee <144752063+imyourhopeee@users.noreply.github.com> Date: Fri, 6 Jun 2025 13:18:25 +0900 Subject: [PATCH 05/58] Update CI.yml MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit IAM에서 일단 권한은 전체로 해 놓음, 모니터링 팀에서 구체적으로 어떤 기능을 사용할지 논의 후 수정할 예정 --- .github/workflows/ci.yml | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 02ed08a2..cdd1115d 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -14,13 +14,39 @@ permissions: jobs: terraform-ci: + name: Terraform Plan for Monitoring Infra runs-on: ubuntu-latest + steps: + - name: Checkout Code - uses: actions/checkout@v3 + + - name: Configure AWS Credentials via OIDC - uses: aws-actions/configure-aws-credentials@v4 with: aws-region: ap-northeast-2 role-to-assume: arn:aws:iam::433331841346:role/Monitoring-role + + - name: Run tfsec + uses: aquasecurity/tfsec-action@v1.0.0 + + # - name: Run Infracost + # uses: infracost/actions/setup@v2 + # with: + # api-key: ${{ secrets.INFRACOST_API_KEY }} + + - name: Send Email(fail) + if: failure() + uses: dawidd6/action-send-mail@v3 + with: + server_address: smtp.gmail.com + server_port: 587 + username: ${{ secrets.EMAIL_USERNAME }} + password: ${{ secrets.EMAIL_PASSWORD }} + subject: "🚨 Monitoring CI Failed" + to: yourteam@email.com + from: Monitoring CI + body: "Terraform Plan or Validate failed. Please check the Actions log." - uses: hashicorp/setup-terraform@v1 with: From f32812de798eaf345727778a929c80e9834aaecb Mon Sep 17 00:00:00 2001 
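Review bot: The `Send Email(fail)` step in the patch-05 hunk sits before the `hashicorp/setup-terraform` step and the `terraform` commands, so its `if: failure()` can only react to failures of checkout, credential configuration and tfsec; a failing `terraform validate` or `terraform plan` — the case its `body` text describes — happens after this step has already been evaluated and skipped. Move the step to the end of the steps list, after the last `terraform` command. `to: yourteam@email.com` reads as a placeholder and should become a repository variable or a real address before merge. The job's step list continues past the end of the hunk.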
From: imyourhopeee <144752063+imyourhopeee@users.noreply.github.com> Date: Fri, 6 Jun 2025 13:20:27 +0900 Subject: [PATCH 06/58] Update ci.yml --- .github/workflows/ci.yml | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index cdd1115d..cfafd102 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -35,18 +35,18 @@ jobs: # with: # api-key: ${{ secrets.INFRACOST_API_KEY }} - - name: Send Email(fail) - if: failure() - uses: dawidd6/action-send-mail@v3 - with: - server_address: smtp.gmail.com - server_port: 587 - username: ${{ secrets.EMAIL_USERNAME }} - password: ${{ secrets.EMAIL_PASSWORD }} - subject: "🚨 Monitoring CI Failed" - to: yourteam@email.com - from: Monitoring CI - body: "Terraform Plan or Validate failed. Please check the Actions log." + # - name: Send Email(fail) + # if: failure() + # uses: dawidd6/action-send-mail@v3 + # with: + # server_address: smtp.gmail.com + # server_port: 587 + # username: ${{ secrets.EMAIL_USERNAME }} + # password: ${{ secrets.EMAIL_PASSWORD }} + # subject: "🚨 Monitoring CI Failed" + # to: yourteam@email.com + # from: Monitoring CI + # body: "Terraform Plan or Validate failed. Please check the Actions log." - uses: hashicorp/setup-terraform@v1 with: From 36742a940bf12c03f197b68088a481c00e227cd6 Mon Sep 17 00:00:00 2001 From: imyourhopeee <144752063+imyourhopeee@users.noreply.github.com> Date: Fri, 6 Jun 2025 13:23:06 +0900 Subject: [PATCH 07/58] Update CI.yml --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index cfafd102..ba88ea77 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -19,10 +19,10 @@ jobs: steps: - name: Checkout Code - - uses: actions/checkout@v3 + uses: actions/checkout@v3 - name: Configure AWS Credentials via OIDC - - uses: aws-actions/configure-aws-credentials@v4 + uses: aws-actions/configure-aws-credentials@v4 with: aws-region: ap-northeast-2 role-to-assume: arn:aws:iam::433331841346:role/Monitoring-role From 409d850bd1d8694aea5d9a8106f4ff6d73353d74 Mon Sep 17 00:00:00 2001 From: imyourhopeee <144752063+imyourhopeee@users.noreply.github.com> Date: Fri, 6 Jun 2025 14:37:54 +0900 Subject: [PATCH 08/58] Update cd.yml --- .github/workflows/cd.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml index 8a184b9f..ac53ade3 100644 --- a/.github/workflows/cd.yml +++ b/.github/workflows/cd.yml @@ -17,7 +17,7 @@ jobs: - uses: aws-actions/configure-aws-credentials@v4 with: aws-region: ap-northeast-2 - role-to-assume: arn:aws:iam::433331841346:role/cloudfencedemorole + role-to-assume: arn:aws:iam::433331841346:role/Monitoring-role - uses: hashicorp/setup-terraform@v1 with: terraform_version: 1.4.0 From bb1b28ff592ded2ccb9ef2ed61d7e457cc68b7fd Mon Sep 17 00:00:00 2001 From: imyourhopeee <144752063+imyourhopeee@users.noreply.github.com> Date: Tue, 10 Jun 2025 18:20:47 +0900 Subject: [PATCH 09/58] Update ci.yml --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index ba88ea77..b70c1bfe 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -25,7 +25,7 @@ jobs: uses: aws-actions/configure-aws-credentials@v4 with: aws-region: ap-northeast-2 - role-to-assume: arn:aws:iam::433331841346:role/Monitoring-role + role-to-assume: arn:aws:iam::502676416967:role/monitoring-role - name: Run tfsec uses: aquasecurity/tfsec-action@v1.0.0 From ab3dd1c84ed03b8119c2119f096d16953b774bc2 Mon Sep 17 00:00:00 2001 
From: imyourhopeee <144752063+imyourhopeee@users.noreply.github.com> Date: Fri, 13 Jun 2025 04:19:48 +0900 Subject: [PATCH 10/58] Update ci.yml MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 코드 포맷 검사 및 보안검사, infracost 추가 --- .github/workflows/ci.yml | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index b70c1bfe..119accab 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -4,7 +4,7 @@ on: pull_request: branches: [main] push: - branches: [dev] + branches: [main] env: ACTIONS_STEP_DEBUG: true @@ -53,5 +53,18 @@ jobs: terraform_version: 1.4.0 - run: terraform init + - run: terraform fmt -check - run: terraform validate - run: terraform plan + + - name: Run trivy + uses: aquasecurity/trivy-action@master + with: + scan-type: config + hide-progress: true + + - name: Run Infracost (비용 예측) + run: | + infracost breakdown --path . --format json --out-file infracost.json + + From b331b8fcad7c15cb5a2aa9f944bad0ea40a38ca4 Mon Sep 17 00:00:00 2001 From: imyourhopeee <144752063+imyourhopeee@users.noreply.github.com> Date: Fri, 13 Jun 2025 04:21:08 +0900 Subject: [PATCH 11/58] Update main.tf --- main.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/main.tf b/main.tf index ff6bc333..3bd27e49 100644 --- a/main.tf +++ b/main.tf @@ -1,3 +1,3 @@ provider "aws" { - region = "ap-northeast-2" # 서울 리전 -} \ No newline at end of file + region = "ap-northeast-2" # 서울 리전 +} From 04d453d3c5047a7845b52af5dcad71ec25ed26c7 Mon Sep 17 00:00:00 2001 From: rnjsdbwlsqwer Date: Fri, 13 Jun 2025 13:00:39 +0900 Subject: [PATCH 12/58] ci/cd test --- .github/workflows/ci.yml | 5 ----- 1 file changed, 5 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 119accab..bf855ecb 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
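Review bot: `uses: aquasecurity/trivy-action@master` in the patch-10 hunk references a moving branch, so each run pulls whatever is on that repository's master at the time; pin it to a release tag or, better, a full commit SHA (`uses: aquasecurity/trivy-action@<commit-sha>  # <release tag>`, with real values filled in). The `Run Infracost` step invokes the `infracost` CLI but nothing in the hunk installs it — no `infracost/actions/setup` step precedes it — so the step will fail on a fresh ubuntu-latest runner unless the binary is preinstalled; the commented-out setup step from patch 05 is the missing piece. Switching `push` to `branches: [main]` now runs this plan job on the same branch cd.yml applies from, which is duplicated work but harmless.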
@@ -63,8 +63,3 @@ jobs: scan-type: config hide-progress: true - - name: Run Infracost (비용 예측) - run: | - infracost breakdown --path . --format json --out-file infracost.json - - From 2764f8e10e62bbad4cb9f94c51c794fba6b5177a Mon Sep 17 00:00:00 2001 From: rnjsdbwlsqwer Date: Fri, 13 Jun 2025 16:40:55 +0900 Subject: [PATCH 13/58] ci/cd test --- .github/workflows/ci.yml | 17 ----------------- 1 file changed, 17 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index bf855ecb..2df13a4e 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -30,23 +30,6 @@ jobs: - name: Run tfsec uses: aquasecurity/tfsec-action@v1.0.0 - # - name: Run Infracost - # uses: infracost/actions/setup@v2 - # with: - # api-key: ${{ secrets.INFRACOST_API_KEY }} - - # - name: Send Email(fail) - # if: failure() - # uses: dawidd6/action-send-mail@v3 - # with: - # server_address: smtp.gmail.com - # server_port: 587 - # username: ${{ secrets.EMAIL_USERNAME }} - # password: ${{ secrets.EMAIL_PASSWORD }} - # subject: "🚨 Monitoring CI Failed" - # to: yourteam@email.com - # from: Monitoring CI - # body: "Terraform Plan or Validate failed. Please check the Actions log." - uses: hashicorp/setup-terraform@v1 with: From 29d1e64797765f94bafd643da49070a382b66b41 Mon Sep 17 00:00:00 2001 From: rnjsdbwlsqwer Date: Fri, 13 Jun 2025 16:43:00 +0900 Subject: [PATCH 14/58] ci/cd test --- .github/workflows/ci.yml | 99 +++++++++++++++++++++++++++++++++++----- 1 file changed, 88 insertions(+), 11 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 2df13a4e..bbb167ea 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -1,3 +1,51 @@ +# name: Monitoring CI + +# on: +# pull_request: +# branches: [main] +# push: +# branches: [main] +# env: +# ACTIONS_STEP_DEBUG: true + +# permissions: +# contents: read +# id-token: write + +# jobs: +# terraform-ci: +# name: Terraform Plan for Monitoring Infra +# runs-on: ubuntu-latest + +# steps: +# - name: Checkout Code +# uses: actions/checkout@v3 + +# - name: Configure AWS Credentials via OIDC +# uses: aws-actions/configure-aws-credentials@v4 +# with: +# aws-region: ap-northeast-2 +# role-to-assume: arn:aws:iam::502676416967:role/monitoring-role + +# - name: Run tfsec +# uses: aquasecurity/tfsec-action@v1.0.0 + + +# - uses: hashicorp/setup-terraform@v1 +# with: +# terraform_version: 1.4.0 + +# - run: terraform init +# - run: terraform fmt -check +# - run: terraform validate +# - run: terraform plan + +# - name: Run trivy +# uses: aquasecurity/trivy-action@master +# with: +# scan-type: config +# hide-progress: true + name: Monitoring CI on: @@ -5,6 +53,7 @@ on: branches: [main] push: branches: [main] + env: ACTIONS_STEP_DEBUG: true @@ -14,9 +63,9 @@ permissions: jobs: terraform-ci: - name: Terraform Plan for Monitoring Infra + name: Terraform Plan with Security and Cost Estimation runs-on: ubuntu-latest - + steps: - name: Checkout Code uses: actions/checkout@v3 
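Review bot: The 48 commented-out lines added at the top of ci.yml (`# name: Monitoring CI` through `# hide-progress: true`) are a full copy of the previous workflow kept as dead text; git history already preserves it, and a commented second copy of `role-to-assume: arn:aws:iam::502676416967:role/monitoring-role` next to the live one invites the two to drift. Delete the block so the file starts at `name: Monitoring CI`. The second and third hunks on this line only touch whitespace and the job `name`, so they need nothing further.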
@@ -26,23 +75,51 @@ jobs: with: aws-region: ap-northeast-2 role-to-assume: arn:aws:iam::502676416967:role/monitoring-role - - - name: Run tfsec - uses: aquasecurity/tfsec-action@v1.0.0 + - name: Run tfsec (Terraform Security Check) + uses: aquasecurity/tfsec-action@v1.0.0 - - uses: hashicorp/setup-terraform@v1 + - name: Setup Terraform + uses: hashicorp/setup-terraform@v1 with: terraform_version: 1.4.0 - - run: terraform init - - run: terraform fmt -check - - run: terraform validate - - run: terraform plan + - name: Terraform Init + run: terraform init + + - name: Terraform Format Check + run: terraform fmt -check + + - name: Terraform Validate + run: terraform validate - - name: Run trivy + - name: Terraform Plan + run: terraform plan -out=tfplan.binary + + - name: Convert Plan to JSON + run: terraform show -json tfplan.binary > plan.json + + - name: Run Trivy Config Scan uses: aquasecurity/trivy-action@master with: scan-type: config hide-progress: true + scan-ref: . + + - name: Setup Infracost + uses: infracost/actions/setup@v2 + + - name: Generate Infracost Breakdown + run: infracost breakdown --path=plan.json --format=json --out-file=infracost.json + env: + INFRACOST_API_KEY: ${{ secrets.INFRACOST_API_KEY }} + + - name: Infracost Comment on Pull Request + uses: infracost/actions/comment@v2 + if: github.event_name == 'pull_request' + with: + path: infracost.json + behavior: update + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} From f4a2d2614c082ae76e45e45c66ac2b20eca4b0a7 Mon Sep 17 00:00:00 2001 From: rnjsdbwlsqwer Date: Fri, 13 Jun 2025 16:44:57 +0900 Subject: [PATCH 15/58] ci/cd test --- .github/workflows/ci.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index bbb167ea..33da87c4 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
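Review bot: The `Infracost Comment on Pull Request` step passes `GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` to post a PR comment, but the workflow's `permissions` block (`contents: read`, `id-token: write`, introduced in patch 01 and unchanged through patch 29 on this page) does not grant `pull-requests: write`, so the token cannot create the comment and the step will be rejected with a permission error; add `pull-requests: write` under `permissions`. The same gap applies to the re-enabled comment step in patch 18 (L11), the two comment steps in patch 29 (L18) and the sticky-comment step in patch 30 (L19). Separately, `terraform plan` runs here on `pull_request` with the OIDC role from `role-to-assume`, and provider and data-source code from the PR branch executes during plan, so that role should carry plan/read-only permissions and the trigger should be limited to trusted branches or a protected environment — the patch-05 commit message says the role currently has full permissions. `plan.json` from `terraform show -json` contains resolved variable values, so keep it out of artifacts and logs.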
@@ -115,11 +115,13 @@ jobs: INFRACOST_API_KEY: ${{ secrets.INFRACOST_API_KEY }} - name: Infracost Comment on Pull Request - uses: infracost/actions/comment@v2 - if: github.event_name == 'pull_request' + uses: infracost/actions@v2 with: + entrypoint: comment path: infracost.json behavior: update + if: github.event_name == 'pull_request' env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + From f26ef546fd71e54324196c5b1d974427d1d6705b Mon Sep 17 00:00:00 2001 From: rnjsdbwlsqwer Date: Fri, 13 Jun 2025 16:47:00 +0900 Subject: [PATCH 16/58] ci/cd test --- .github/workflows/ci.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 33da87c4..5cd2196e 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -115,7 +115,7 @@ jobs: INFRACOST_API_KEY: ${{ secrets.INFRACOST_API_KEY }} - name: Infracost Comment on Pull Request - uses: infracost/actions@v2 + uses: infracost/actions@v1 with: entrypoint: comment path: infracost.json @@ -125,3 +125,4 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + From 516970f8e19effb67d8ddfc5ed3d654cb64781ba Mon Sep 17 00:00:00 2001 From: rnjsdbwlsqwer Date: Fri, 13 Jun 2025 16:49:52 +0900 Subject: [PATCH 17/58] ci/cd test --- .github/workflows/ci.yml | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 5cd2196e..765f4c50 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -114,15 +114,15 @@ jobs: env: INFRACOST_API_KEY: ${{ secrets.INFRACOST_API_KEY }} - - name: Infracost Comment on Pull Request - uses: infracost/actions@v1 - with: - entrypoint: comment - path: infracost.json - behavior: update - if: github.event_name == 'pull_request' - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + # - name: Infracost Comment on Pull Request + # uses: infracost/actions@v1 + # with: + # entrypoint: comment + # path: infracost.json + # behavior: update + # if: github.event_name == 'pull_request' + # env: + # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} From 4ad6c93b6023e7294b6abf8541337b87694e4690 Mon Sep 17 00:00:00 2001 From: rnjsdbwlsqwer Date: Fri, 13 Jun 2025 16:53:25 +0900 Subject: [PATCH 18/58] ci/cd test --- .github/workflows/ci.yml | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 765f4c50..a39745f5 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -114,15 +114,16 @@ jobs: env: INFRACOST_API_KEY: ${{ secrets.INFRACOST_API_KEY }} - # - name: Infracost Comment on Pull Request - # uses: infracost/actions@v1 - # with: - # entrypoint: comment - # path: infracost.json - # behavior: update - # if: github.event_name == 'pull_request' - # env: - # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + - name: Infracost Comment on Pull Request + uses: infracost/actions@v1 + with: + path: /tmp/infracost.json + behavior: update + if: github.event_name == 'pull_request' + env: + INFRACOST_API_KEY: ${{ secrets.INFRACOST_API_KEY }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + From 431878eb137d503aae02030db024661ccd268ba7 Mon Sep 17 00:00:00 2001 From: rnjsdbwlsqwer Date: Fri, 13 Jun 2025 16:55:33 +0900 Subject: [PATCH 19/58] ci/cd test --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index a39745f5..e19d02ac 100644 --- a/.github/workflows/ci.yml 
+++ b/.github/workflows/ci.yml @@ -110,7 +110,7 @@ jobs: uses: infracost/actions/setup@v2 - name: Generate Infracost Breakdown - run: infracost breakdown --path=plan.json --format=json --out-file=infracost.json + run: infracost breakdown --path=plan.json --format=json --out-file /tmp/infracost.json env: INFRACOST_API_KEY: ${{ secrets.INFRACOST_API_KEY }} From 00092341c6372bf829edccaa84695d534ea8220d Mon Sep 17 00:00:00 2001 From: rnjsdbwlsqwer Date: Fri, 13 Jun 2025 17:03:22 +0900 Subject: [PATCH 20/58] ci/cd test --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index e19d02ac..46e69e53 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -110,7 +110,7 @@ jobs: uses: infracost/actions/setup@v2 - name: Generate Infracost Breakdown - run: infracost breakdown --path=plan.json --format=json --out-file /tmp/infracost.json + run: infracost breakdown --path=plan.json --format=json --out-file=/tmp/infracost.json env: INFRACOST_API_KEY: ${{ secrets.INFRACOST_API_KEY }} From c954fd2bd868e481647063d2be6cff647f034a68 Mon Sep 17 00:00:00 2001 From: rnjsdbwlsqwer Date: Fri, 13 Jun 2025 17:07:51 +0900 Subject: [PATCH 21/58] ci/cd test --- .github/workflows/ci.yml | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 46e69e53..5c612c0b 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -114,15 +114,15 @@ jobs: env: INFRACOST_API_KEY: ${{ secrets.INFRACOST_API_KEY }} - - name: Infracost Comment on Pull Request - uses: infracost/actions@v1 - with: - path: /tmp/infracost.json - behavior: update - if: github.event_name == 'pull_request' - env: - INFRACOST_API_KEY: ${{ secrets.INFRACOST_API_KEY }} - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + # - name: Infracost Comment on Pull Request + # uses: infracost/actions@v1 + # with: + # path: /tmp/infracost.json + # behavior: update + # if: github.event_name == 'pull_request' + # env: + # INFRACOST_API_KEY: ${{ secrets.INFRACOST_API_KEY }} + # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} From 6f49520525c6fb562f772e151f5245abf137b3a6 Mon Sep 17 00:00:00 2001 From: rnjsdbwlsqwer Date: Sun, 22 Jun 2025 14:07:59 +0900 Subject: [PATCH 22/58] cd test --- .github/workflows/cd.yml | 51 +++++++++++++++++++++++++++++++++------- 1 file changed, 42 insertions(+), 9 deletions(-) diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml index ac53ade3..378a69d5 100644 --- a/.github/workflows/cd.yml +++ b/.github/workflows/cd.yml @@ -1,9 +1,12 @@ -name: Monitoring CD +name: Unified CD on PR (via Secrets) on: - push: + pull_request: branches: [main] - workflow_dispatch: + paths: + - 'operation-team-account/**' + - 'identity-team-account/**' + - 'prod-team-account/**' permissions: contents: read 
@@ -12,15 +15,45 @@ permissions: jobs: terraform-cd: runs-on: ubuntu-latest + steps: - - uses: actions/checkout@v3 - - uses: aws-actions/configure-aws-credentials@v4 + - name: Checkout + uses: actions/checkout@v3 + + - name: Detect Changed Folder + id: detect + run: | + FILES=$(git diff --name-only origin/main ${{ github.sha }}) + echo "$FILES" + + if echo "$FILES" | grep -q '^operation-team-account/'; then + echo "account=OPERATION" >> $GITHUB_OUTPUT + echo "work_dir=operation-team-account" >> $GITHUB_OUTPUT + elif echo "$FILES" | grep -q '^identity-team-account/'; then + echo "account=IDENTITY" >> $GITHUB_OUTPUT + echo "work_dir=identity-team-account" >> $GITHUB_OUTPUT + elif echo "$FILES" | grep -q '^prod-team-account/'; then + echo "account=PROD" >> $GITHUB_OUTPUT + echo "work_dir=prod-team-account" >> $GITHUB_OUTPUT + else + echo "No matching folder changed." + exit 1 + + - name: Configure AWS Credentials + uses: aws-actions/configure-aws-credentials@v4 with: aws-region: ap-northeast-2 - role-to-assume: arn:aws:iam::433331841346:role/Monitoring-role - - uses: hashicorp/setup-terraform@v1 + role-to-assume: ${{ secrets[format('ROLE_ARN_' + steps.detect.outputs.account)] }} + + - name: Setup Terraform + uses: hashicorp/setup-terraform@v1 with: terraform_version: 1.4.0 - - run: terraform init - - run: terraform apply -auto-approve + - name: Terraform Init + run: terraform init + working-directory: ${{ steps.detect.outputs.work_dir }} + + - name: Terraform Plan + run: terraform plan + working-directory: ${{ steps.detect.outputs.work_dir }} From 041ba6e34abb60ac8f8205432319b726c264a26f Mon Sep 17 00:00:00 2001 From: rnjsdbwlsqwer Date: Sun, 22 Jun 2025 14:18:03 +0900 Subject: [PATCH 23/58] test: trigger CD by modifying operation-team-account --- operation-team-account/main.tf | 1 + 1 file changed, 1 insertion(+) create mode 100644 operation-team-account/main.tf 
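Review bot: `Detect Changed Folder` takes the first matching `if`/`elif` branch, so a PR touching more than one of `operation-team-account/`, `identity-team-account/` and `prod-team-account/` runs plan for only one of them and the other account's changes are silently skipped; either fail when more than one folder matches or run the later steps per detected folder (a matrix keyed on the matches). The script is also missing its closing `fi` and `format('ROLE_ARN_' + …)` is not a valid expression; both are corrected in patches 24–26, and `git diff --name-only origin/main ${{ github.sha }}` needs the `origin/main` fetch that patch 25 adds. `${{ github.sha }}` is a hash and safe to interpolate, but keep any other event-derived values out of `run:` lines. Because this now runs on `pull_request` with a role selected from `secrets[...]` per account — prod included — PR-branch provider code executes with those credentials during plan, so the prod role should be plan/read-only and the job gated by a protected environment; the workflow name still says CD although only `terraform plan` remains.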
diff --git a/operation-team-account/main.tf b/operation-team-account/main.tf new file mode 100644 index 00000000..f367b2e8 --- /dev/null +++ b/operation-team-account/main.tf @@ -0,0 +1 @@ +# CD 테스트용 리소스 From 738c4b88eb7566e0905a5ae01300959037db6be8 Mon Sep 17 00:00:00 2001 From: rnjsdbwlsqwer Date: Sun, 22 Jun 2025 14:21:25 +0900 Subject: [PATCH 24/58] test: trigger CD by modifying operation-team-account --- .github/workflows/cd.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml index 378a69d5..f0e5be61 100644 --- a/.github/workflows/cd.yml +++ b/.github/workflows/cd.yml @@ -43,7 +43,8 @@ jobs: uses: aws-actions/configure-aws-credentials@v4 with: aws-region: ap-northeast-2 - role-to-assume: ${{ secrets[format('ROLE_ARN_' + steps.detect.outputs.account)] }} + role-to-assume: ${{ secrets[format('ROLE_ARN_{0}', steps.detect.outputs.account)]}} + - name: Setup Terraform uses: hashicorp/setup-terraform@v1 From 6d1e39e71fe09cfc2503ab49b433d4aee05d40f1 Mon Sep 17 00:00:00 2001 From: rnjsdbwlsqwer Date: Sun, 22 Jun 2025 14:24:32 +0900 Subject: [PATCH 25/58] test --- .github/workflows/cd.yml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml index f0e5be61..667bbaec 100644 --- a/.github/workflows/cd.yml +++ b/.github/workflows/cd.yml @@ -20,10 +20,14 @@ jobs: - name: Checkout uses: actions/checkout@v3 + - name: Fetch origin/main + run: git fetch origin main + - name: Detect Changed Folder id: detect run: | FILES=$(git diff --name-only origin/main ${{ github.sha }}) + echo "Changed files:" echo "$FILES" if echo "$FILES" | grep -q '^operation-team-account/'; then 
@@ -43,8 +47,7 @@ jobs: uses: aws-actions/configure-aws-credentials@v4 with: aws-region: ap-northeast-2 - role-to-assume: ${{ secrets[format('ROLE_ARN_{0}', steps.detect.outputs.account)]}} - + role-to-assume: ${{ secrets[format('ROLE_ARN_{0}', steps.detect.outputs.account)] }} - name: Setup Terraform uses: hashicorp/setup-terraform@v1 From bd0ad0b5da512a08ea61c591a428a736a92109db Mon Sep 17 00:00:00 2001 From: rnjsdbwlsqwer Date: Sun, 22 Jun 2025 14:26:06 +0900 Subject: [PATCH 26/58] test --- .github/workflows/cd.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml index 667bbaec..b1f1d55b 100644 --- a/.github/workflows/cd.yml +++ b/.github/workflows/cd.yml @@ -42,6 +42,7 @@ jobs: else echo "No matching folder changed." exit 1 + fi - name: Configure AWS Credentials uses: aws-actions/configure-aws-credentials@v4 From 9a921af0b39f7a29046773fd6566915f0de89b7e Mon Sep 17 00:00:00 2001 From: rnjsdbwlsqwer Date: Sun, 22 Jun 2025 14:31:19 +0900 Subject: [PATCH 27/58] test --- operation-team-account/main.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/operation-team-account/main.tf b/operation-team-account/main.tf index f367b2e8..426613f5 100644 --- a/operation-team-account/main.tf +++ b/operation-team-account/main.tf @@ -1 +1,2 @@ # CD 테스트용 리소스 +#test1 From eeb4dc52267ebc159425b7547aba7e3361bb9d16 Mon Sep 17 00:00:00 2001 From: rnjsdbwlsqwer Date: Sun, 22 Jun 2025 14:32:58 +0900 Subject: [PATCH 28/58] test --- operation-team-account/main.tf | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/operation-team-account/main.tf b/operation-team-account/main.tf index 426613f5..88dbd000 100644 --- a/operation-team-account/main.tf +++ b/operation-team-account/main.tf @@ -1,2 +1,8 @@ # CD 테스트용 리소스 #test1 + +resource "null_resource" "test" { + triggers = { + always_run = "${timestamp()}" + } +} From 8d1f26e882be3957d31dd2e23c1452975f703965 Mon Sep 17 00:00:00 2001 
From: imyourhopeee <144752063+imyourhopeee@users.noreply.github.com> Date: Sun, 22 Jun 2025 15:22:54 +0900 Subject: [PATCH 29/58] Update ci.yml --- .github/workflows/ci.yml | 90 ++++++++++------------------------------ 1 file changed, 23 insertions(+), 67 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 5c612c0b..c73e0704 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -1,61 +1,8 @@ -# name: Monitoring CI - -# on: -# pull_request: -# branches: [main] -# push: -# branches: [main] -# env: -# ACTIONS_STEP_DEBUG: true - -# permissions: -# contents: read -# id-token: write - -# jobs: -# terraform-ci: -# name: Terraform Plan for Monitoring Infra -# runs-on: ubuntu-latest - -# steps: -# - name: Checkout Code -# uses: actions/checkout@v3 - -# - name: Configure AWS Credentials via OIDC -# uses: aws-actions/configure-aws-credentials@v4 -# with: -# aws-region: ap-northeast-2 -# role-to-assume: arn:aws:iam::502676416967:role/monitoring-role - -# - name: Run tfsec -# uses: aquasecurity/tfsec-action@v1.0.0 - - -# - uses: hashicorp/setup-terraform@v1 -# with: -# terraform_version: 1.4.0 - -# - run: terraform init -# - run: terraform fmt -check -# - run: terraform validate -# - run: terraform plan - -# - name: Run trivy -# uses: aquasecurity/trivy-action@master -# with: -# scan-type: config -# hide-progress: true - name: Monitoring CI on: pull_request: branches: [main] - push: - branches: [main] - -env: - ACTIONS_STEP_DEBUG: true permissions: contents: read 
@@ -86,25 +33,38 @@ jobs: - name: Terraform Init run: terraform init + working-directory: ./operation-team-account - name: Terraform Format Check run: terraform fmt -check + working-directory: ./operation-team-account - name: Terraform Validate run: terraform validate + working-directory: ./operation-team-account - name: Terraform Plan run: terraform plan -out=tfplan.binary + working-directory: ./operation-team-account + + - name: Add Terraform Plan as PR Comment + uses: robburger/terraform-pr-comment@v1 + with: + plan-path: ./operation-team-account/tfplan.binary + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + if: github.event_name == 'pull_request' - name: Convert Plan to JSON run: terraform show -json tfplan.binary > plan.json + working-directory: ./operation-team-account - name: Run Trivy Config Scan uses: aquasecurity/trivy-action@master with: scan-type: config hide-progress: true - scan-ref: . + scan-ref: ./operation-team-account - name: Setup Infracost uses: infracost/actions/setup@v2 @@ -114,16 +74,12 @@ jobs: env: INFRACOST_API_KEY: ${{ secrets.INFRACOST_API_KEY }} - # - name: Infracost Comment on Pull Request - # uses: infracost/actions@v1 - # with: - # path: /tmp/infracost.json - # behavior: update - # if: github.event_name == 'pull_request' - # env: - # INFRACOST_API_KEY: ${{ secrets.INFRACOST_API_KEY }} - # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - - - + - name: Infracost Comment on Pull Request + uses: infracost/actions@v1 + with: + path: /tmp/infracost.json + behavior: update + if: github.event_name == 'pull_request' + env: + INFRACOST_API_KEY: ${{ secrets.INFRACOST_API_KEY }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} From 7fbd32d7b8b1e639015a3ee7773e45685a5d797e Mon Sep 17 00:00:00 2001 From: imyourhopeee <144752063+imyourhopeee@users.noreply.github.com> Date: Sun, 22 Jun 2025 16:09:24 +0900 Subject: [PATCH 30/58] Update ci.yml --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) 
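Review bot: The new `Add Terraform Plan as PR Comment` step posts with `GITHUB_TOKEN`, but the workflow's `permissions` block grants only `contents: read` and `id-token: write`; once a `permissions` block is declared every unlisted scope is `none`, so the token cannot write PR comments and the API call will be rejected — the re-enabled `Infracost Comment on Pull Request` step in the next hunk has the same gap. Add `pull-requests: write` to `permissions:` and keep the rest read-only. Separately, `plan-path` points at `tfplan.binary`, a binary plan file, whereas a comment action needs readable text; producing it with `terraform show -no-color tfplan.binary > plan.txt` and pointing the step at that file is the usual shape. The unchanged `uses: aquasecurity/trivy-action@master` line tracks a moving branch; pinning to a release tag or commit SHA keeps the CI supply chain reproducible.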
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index c73e0704..1f0ccc67 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -47,13 +47,13 @@ jobs: run: terraform plan -out=tfplan.binary working-directory: ./operation-team-account - - name: Add Terraform Plan as PR Comment - uses: robburger/terraform-pr-comment@v1 + - name: Comment Terraform Plan to PR + uses: marocchino/sticky-pull-request-comment@v2 with: - plan-path: ./operation-team-account/tfplan.binary + path: plan.txt + if: github.event_name == 'pull_request' env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - if: github.event_name == 'pull_request' - name: Convert Plan to JSON run: terraform show -json tfplan.binary > plan.json From b2d9515eb7848dbcbe7b8c1536942b9e35d8ae54 Mon Sep 17 00:00:00 2001 From: imyourhopeee <144752063+imyourhopeee@users.noreply.github.com> Date: Sun, 22 Jun 2025 16:12:13 +0900 Subject: [PATCH 31/58] Update ci.yml MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit infracost api key 및 코드 수정 --- .github/workflows/ci.yml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 1f0ccc67..bdfe1bfa 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -48,12 +48,10 @@ jobs: working-directory: ./operation-team-account - name: Comment Terraform Plan to PR + if: github.event_name == 'pull_request' uses: marocchino/sticky-pull-request-comment@v2 with: path: plan.txt - if: github.event_name == 'pull_request' - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Convert Plan to JSON run: terraform show -json tfplan.binary > plan.json From 3279ef7d34834d18e96b1e69bd2e4d920fdc836f Mon Sep 17 00:00:00 2001 
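Review bot: The sticky-comment step now reads `path: plan.txt`, but nothing in the job writes that file — the `Terraform Plan` context line above still runs `terraform plan -out=tfplan.binary` — so the step fails on a missing file. Derive the text from the same plan, e.g. a step with `run: terraform show -no-color tfplan.binary > plan.txt` and `working-directory: ./operation-team-account`, and point `path` at `./operation-team-account/plan.txt` because the comment action runs from the repository root. With indentation lost in this view I cannot confirm whether `if:` landed under `with:` or at step level; it must be a step-level key, as the follow-up commit places it.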
From: imyourhopeee <144752063+imyourhopeee@users.noreply.github.com> Date: Sun, 22 Jun 2025 16:14:50 +0900 Subject: [PATCH 32/58] Update ci.yml MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit plan 결과 관련 오류 수정 --- .github/workflows/ci.yml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index bdfe1bfa..519bebea 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -48,10 +48,14 @@ jobs: working-directory: ./operation-team-account - name: Comment Terraform Plan to PR - if: github.event_name == 'pull_request' + if: github.event_name == 'pull_request' uses: marocchino/sticky-pull-request-comment@v2 with: path: plan.txt + recreate: true # 덮어쓰기 옵션 + hide_classify: OUTDATED + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Convert Plan to JSON run: terraform show -json tfplan.binary > plan.json From 5097a0ae8315427ac5a2c487bff88de857be9878 Mon Sep 17 00:00:00 2001 From: imyourhopeee <144752063+imyourhopeee@users.noreply.github.com> Date: Sun, 22 Jun 2025 16:17:28 +0900 Subject: [PATCH 33/58] Update ci.yml --- .github/workflows/ci.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 519bebea..3f0814bd 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -44,7 +44,7 @@ jobs: working-directory: ./operation-team-account - name: Terraform Plan - run: terraform plan -out=tfplan.binary + run: terraform plan -no-color > plan.txt working-directory: ./operation-team-account - name: Comment Terraform Plan to PR @@ -52,10 +52,10 @@ jobs: uses: marocchino/sticky-pull-request-comment@v2 with: path: plan.txt - recreate: true # 덮어쓰기 옵션 + recreate: true hide_classify: OUTDATED env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Convert Plan to JSON run: terraform show -json tfplan.binary > plan.json 
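Review bot: Changing the plan step to `terraform plan -no-color > plan.txt` drops `-out=tfplan.binary`, yet the `Convert Plan to JSON` step (the context line closing the second hunk) still runs `terraform show -json tfplan.binary`, so it now fails on a missing file. Keep a single saved plan and derive both artifacts from it: `run: terraform plan -out=tfplan.binary` followed by `terraform show -no-color tfplan.binary > plan.txt`. That also avoids running two plans that can disagree when state changes between them.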
From 251b09f436cb6aa1bc534dbbf9731a033288067a Mon Sep 17 00:00:00 2001 From: imyourhopeee <144752063+imyourhopeee@users.noreply.github.com> Date: Sun, 22 Jun 2025 16:23:09 +0900 Subject: [PATCH 34/58] Update ci.yml --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 3f0814bd..a7797ec8 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -51,7 +51,7 @@ jobs: if: github.event_name == 'pull_request' uses: marocchino/sticky-pull-request-comment@v2 with: - path: plan.txt + path: ./operation-team-account/plan.txt recreate: true hide_classify: OUTDATED env: From 70c485741338b081abfda4409ec1cb25749b5648 Mon Sep 17 00:00:00 2001 From: imyourhopeee <144752063+imyourhopeee@users.noreply.github.com> Date: Sun, 22 Jun 2025 18:20:29 +0900 Subject: [PATCH 35/58] Update ci.yml --- .github/workflows/ci.yml | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index a7797ec8..cfcd8659 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -43,9 +43,13 @@ jobs: run: terraform validate working-directory: ./operation-team-account - - name: Terraform Plan + - name: Terraform Plan (text for PR commnet) run: terraform plan -no-color > plan.txt working-directory: ./operation-team-account + + - name: Terraform Plan (for infracost) + run: terraform plan -out=tfplan.binary + working-directory: ./operation-team-account - name: Comment Terraform Plan to PR if: github.event_name == 'pull_request' @@ -72,7 +76,7 @@ jobs: uses: infracost/actions/setup@v2 - name: Generate Infracost Breakdown - run: infracost breakdown --path=plan.json --format=json --out-file=/tmp/infracost.json + run: infracost breakdown --path=./operation-team-account/plan.json --format=json --out-file=/tmp/infracost.json env: INFRACOST_API_KEY: ${{ secrets.INFRACOST_API_KEY }} 
From b143f4b37c1f4d0be6821f7812f0f1f4ba258412 Mon Sep 17 00:00:00 2001 From: imyourhopeee <144752063+imyourhopeee@users.noreply.github.com> Date: Sun, 22 Jun 2025 18:30:09 +0900 Subject: [PATCH 36/58] Update ci.yml MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit PR 코멘트에 계속 오류나서 아티팩트로 plan.txt 업로드하게 함 --- .github/workflows/ci.yml | 20 +++++++++++++------- 1 file changed, 13 insertions(+), 7 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index cfcd8659..0ee1759b 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -51,15 +51,21 @@ jobs: run: terraform plan -out=tfplan.binary working-directory: ./operation-team-account - - name: Comment Terraform Plan to PR - if: github.event_name == 'pull_request' - uses: marocchino/sticky-pull-request-comment@v2 + # - name: Comment Terraform Plan to PR + # if: github.event_name == 'pull_request' + # uses: marocchino/sticky-pull-request-comment@v2 + # with: + # path: ./operation-team-account/plan.txt + # recreate: true + # hide_classify: OUTDATED + # env: + # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + + - name: Upload Terraform Plan as Artifact + uses: actions/upload-artifact@v4 with: + name: terraform-plan path: ./operation-team-account/plan.txt - recreate: true - hide_classify: OUTDATED - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Convert Plan to JSON run: terraform show -json tfplan.binary > plan.json From 4d5e3fd33d7f06c2d0f03131514d940cddb09187 Mon Sep 17 00:00:00 2001 From: imyourhopeee <144752063+imyourhopeee@users.noreply.github.com> Date: Sun, 22 Jun 2025 18:43:17 +0900 Subject: [PATCH 37/58] Update ci.yml --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 0ee1759b..f5224407 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
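Review bot: The new `Upload Terraform Plan as Artifact` step publishes the full `plan.txt` as a workflow artifact, which anyone with read access to the repository's Actions can download; plan text prints resource attribute values and redacts only attributes marked `sensitive`, so confirm nothing in these modules surfaces secrets before keeping it. A `retention-days:` on the artifact limits how long plan output stays around. The nine commented-out lines of the old comment step should be deleted rather than kept in the workflow; git history preserves them and the commit message already records why they were removed.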
@@ -48,7 +48,7 @@ jobs: working-directory: ./operation-team-account - name: Terraform Plan (for infracost) - run: terraform plan -out=tfplan.binary + run: terraform plan -refresh=false -out=tfplan.binary working-directory: ./operation-team-account # - name: Comment Terraform Plan to PR From ad096915b8ddae0d811a62c70794e4f3baa258e5 Mon Sep 17 00:00:00 2001 From: imyourhopeee <144752063+imyourhopeee@users.noreply.github.com> Date: Sun, 22 Jun 2025 18:50:08 +0900 Subject: [PATCH 38/58] Update ci.yml --- .github/workflows/ci.yml | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index f5224407..23a916aa 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -68,7 +68,9 @@ jobs: path: ./operation-team-account/plan.txt - name: Convert Plan to JSON - run: terraform show -json tfplan.binary > plan.json + run: | + ls -al + terraform show -json tfplan.binary > plan.json working-directory: ./operation-team-account - name: Run Trivy Config Scan @@ -82,7 +84,13 @@ jobs: uses: infracost/actions/setup@v2 - name: Generate Infracost Breakdown - run: infracost breakdown --path=./operation-team-account/plan.json --format=json --out-file=/tmp/infracost.json + run: | + ls -al ./operation-team-account + cat ./operation-team-account/plan.json + infracost breakdown \ + --path=./operation-team-account/plan.json \ + --format=json \ + --out-file=/tmp/infracost.json env: INFRACOST_API_KEY: ${{ secrets.INFRACOST_API_KEY }} From 5bef33b312ef5ed8522c7e964924f85218bee4e6 Mon Sep 17 00:00:00 2001 From: rnjsdbwlsqwer Date: Mon, 23 Jun 2025 00:02:17 +0900 Subject: [PATCH 39/58] test --- .github/workflows/cd.yml | 46 +++++++++++++++++++++++++++++++++++++--- 1 file changed, 43 insertions(+), 3 deletions(-) diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml index b1f1d55b..5ff565ea 100644 --- a/.github/workflows/cd.yml +++ b/.github/workflows/cd.yml 
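Review bot: The `cat ./operation-team-account/plan.json` line added to `Generate Infracost Breakdown` dumps the entire JSON plan into the workflow log; as far as I know the JSON plan is not redacted the way text output is (its `sensitive_values` map only marks which attributes are sensitive), so any credential passed into a resource would land in a log readable by everyone with repository read access for as long as the log is retained. Drop the `cat`, or replace it with something that proves the file parses without printing its body, e.g. `jq '.format_version' ./operation-team-account/plan.json`. The `ls -al` lines added here and in the `Convert Plan to JSON` hunk above are debug noise that should go once the path question is settled.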
@@ -1,4 +1,4 @@ -name: Unified CD on PR (via Secrets) +name: Terraform Plan and Apply on: pull_request: @@ -7,13 +7,16 @@ on: - 'operation-team-account/**' - 'identity-team-account/**' - 'prod-team-account/**' + push: + branches: + - main # PR이 main에 merge되었을 때만 apply 실행 permissions: contents: read id-token: write jobs: - terraform-cd: + terraform-plan: runs-on: ubuntu-latest steps: @@ -60,5 +63,42 @@ jobs: working-directory: ${{ steps.detect.outputs.work_dir }} - name: Terraform Plan - run: terraform plan + id: plan + run: | + terraform plan -no-color working-directory: ${{ steps.detect.outputs.work_dir }} + + - name: Check Terraform Plan for Errors + run: | + if [[ "${{ steps.plan.outputs.stdout }}" == *"No changes. Your infrastructure matches the configuration."* ]]; then + echo "Terraform Plan successful" + else + echo "Terraform Plan failed" + exit 1 + id: check-plan + + terraform-apply: + if: github.event_name == 'push' && github.ref == 'refs/heads/main' + runs-on: ubuntu-latest + needs: terraform-plan # terraform-plan 작업이 완료된 후에 실행 + + steps: + - name: Checkout + uses: actions/checkout@v3 + + - name: Configure AWS Credentials + uses: aws-actions/configure-aws-credentials@v4 + with: + aws-region: ap-northeast-2 + role-to-assume: ${{ secrets.ROLE_ARN_PROD }} + + - name: Setup Terraform + uses: hashicorp/setup-terraform@v1 + with: + terraform_version: 1.4.0 + + - name: Terraform Init + run: terraform init + + - name: Terraform Apply + run: terraform apply -auto-approve From c29e37bd8e6ad625e36007a11ebe32d6d1f1c7fb Mon Sep 17 00:00:00 2001 From: rnjsdbwlsqwer Date: Mon, 23 Jun 2025 00:08:41 +0900 Subject: [PATCH 40/58] test --- .github/workflows/cd.yml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml index 5ff565ea..8c0f5c83 100644 --- a/.github/workflows/cd.yml +++ b/.github/workflows/cd.yml 
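Review bot: The added `Check Terraform Plan for Errors` script opens an `if` but never closes it — the block ends at `exit 1` with `id: check-plan` following — so bash rejects the script and the step fails before it checks anything; add `fi` after `exit 1`. Expanding `${{ steps.plan.outputs.stdout }}` inside the script also inlines the whole plan text before bash parses it, so a quote or `$` in the output breaks the test; writing the plan to a file and grepping that file is more robust. In the new `terraform-apply` job, `terraform init` and `terraform apply -auto-approve` run with no `working-directory`, i.e. at the repository root rather than the detected account folder, and the role is fixed to `secrets.ROLE_ARN_PROD` regardless of which team folder the plan job detected. Since this job applies on every push to `main` with no human gate, declaring an `environment:` (e.g. `environment: production`, name constructed here) with required reviewers, and applying the plan file saved by the plan job instead of a fresh plan, would keep what is applied equal to what was reviewed.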
@@ -65,12 +65,15 @@ jobs: - name: Terraform Plan id: plan run: | - terraform plan -no-color + terraform plan -no-color > plan_output.txt + cat plan_output.txt + working-directory: ${{ steps.detect.outputs.work_dir }} + continue-on-error: true - name: Check Terraform Plan for Errors run: | - if [[ "${{ steps.plan.outputs.stdout }}" == *"No changes. Your infrastructure matches the configuration."* ]]; then + if grep -q "No changes. Your infrastructure matches the configuration." plan_output.txt; then echo "Terraform Plan successful" else echo "Terraform Plan failed" From 8834e6d0b86acf2307d62e799e60876b7674342a Mon Sep 17 00:00:00 2001 From: rnjsdbwlsqwer Date: Mon, 23 Jun 2025 00:13:03 +0900 Subject: [PATCH 41/58] test --- .github/workflows/cd.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml index 8c0f5c83..68176e77 100644 --- a/.github/workflows/cd.yml +++ b/.github/workflows/cd.yml @@ -78,6 +78,7 @@ jobs: else echo "Terraform Plan failed" exit 1 + fi id: check-plan terraform-apply: From 36eb6a16e16b8e09dfe55a787e712682568a6852 Mon Sep 17 00:00:00 2001 From: rnjsdbwlsqwer Date: Mon, 23 Jun 2025 15:30:02 +0900 Subject: [PATCH 42/58] test --- .github/workflows/cd.yml | 11 ++-- .github/workflows/ci.yml | 111 +++++++++++++++++++++++---------------- 2 files changed, 75 insertions(+), 47 deletions(-) diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml index 68176e77..7e758af2 100644 --- a/.github/workflows/cd.yml +++ b/.github/workflows/cd.yml 
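Review bot: The check step's `grep -q ... plan_output.txt` runs from the repository root, while the plan step now writes `plan_output.txt` under `working-directory: ${{ steps.detect.outputs.work_dir }}`, so the file is not found, grep fails, and every run takes the `Terraform Plan failed` branch; give the check step the same `working-directory:` (its remaining keys are outside the hunk, but no earlier commit sets one). `continue-on-error: true` on the plan step also discards a non-zero exit from `terraform plan`, leaving the grep as the only signal, and matching on `No changes. Your infrastructure matches the configuration.` reports any plan that proposes changes as a failure — the opposite of what a CD pipeline needs before `terraform apply`. Checking the plan step's result with `if: steps.plan.outcome == 'failure'`, or simply dropping `continue-on-error`, is a more reliable gate than grepping the text.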
@@ -73,10 +73,15 @@ jobs: - name: Check Terraform Plan for Errors run: | - if grep -q "No changes. Your infrastructure matches the configuration." plan_output.txt; then - echo "Terraform Plan successful" + if test -f plan_output.txt; then + if grep -q "No changes. Your infrastructure matches the configuration." plan_output.txt; then + echo "Terraform Plan successful" + else + echo "Terraform Plan failed" + exit 1 + fi else - echo "Terraform Plan failed" + echo "plan_output.txt not found" exit 1 fi id: check-plan diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 23a916aa..708a8fb8 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
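Review bot: The new `if test -f plan_output.txt` guard only reports the missing file; it does not address the cause, which is that this step runs at the repository root while the plan step writes `plan_output.txt` into `${{ steps.detect.outputs.work_dir }}` (the step's other keys are outside the hunk, but none of the earlier commits set a `working-directory` on it), so the branch taken is still `plan_output.txt not found` and the job fails every run. Adding `working-directory: ${{ steps.detect.outputs.work_dir }}` to this step, or writing the plan to an absolute path such as `$RUNNER_TEMP/plan_output.txt` in both steps, resolves it. The `No changes` match still fails any plan that has changes, so the exit logic needs reconsidering before it serves as the apply gate.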
@@ -2,104 +2,127 @@ name: Monitoring CI on: pull_request: - branches: [main] + branches: [main] # main 브랜치에 대한 PR 이벤트에서만 실행 permissions: - contents: read - id-token: write + contents: read # GitHub repo의 내용을 읽을 권한 + id-token: write # OIDC로 AWS 인증을 위해 필요 jobs: terraform-ci: - name: Terraform Plan with Security and Cost Estimation + name: Terraform CI per changed folder runs-on: ubuntu-latest steps: + # 1. PR 코드 체크아웃 - name: Checkout Code uses: actions/checkout@v3 + # 2. 최신 main 브랜치를 fetch (diff 비교를 위해) + - name: Fetch origin/main + run: git fetch origin main + + # 3. 어떤 디렉토리가 변경되었는지 감지 + - name: Detect Changed Folder + id: detect + run: | + FILES=$(git diff --name-only origin/main ${{ github.sha }}) + echo "Changed files:" + echo "$FILES" + + # 디렉토리별로 account 이름 및 working directory 설정 + if echo "$FILES" | grep -q '^operation-team-account/'; then + echo "account=OPERATION" >> $GITHUB_OUTPUT + echo "work_dir=operation-team-account" >> $GITHUB_OUTPUT + elif echo "$FILES" | grep -q '^identity-team-account/'; then + echo "account=IDENTITY" >> $GITHUB_OUTPUT + echo "work_dir=identity-team-account" >> $GITHUB_OUTPUT + elif echo "$FILES" | grep -q '^prod-team-account/'; then + echo "account=PROD" >> $GITHUB_OUTPUT + echo "work_dir=prod-team-account" >> $GITHUB_OUTPUT + else + echo "No relevant Terraform folder changed." + exit 1 + + # 4. 변경된 디렉토리에 맞는 IAM Role Assume (GitHub OIDC 방식) - name: Configure AWS Credentials via OIDC uses: aws-actions/configure-aws-credentials@v4 with: aws-region: ap-northeast-2 - role-to-assume: arn:aws:iam::502676416967:role/monitoring-role + role-to-assume: ${{ secrets[format('ROLE_ARN_{0}', steps.detect.outputs.account)] }} + # 5. tfsec 보안 점검 - name: Run tfsec (Terraform Security Check) uses: aquasecurity/tfsec-action@v1.0.0 + with: + working-directory: ${{ steps.detect.outputs.work_dir }} + # 6. Terraform CLI 설정 - name: Setup Terraform uses: hashicorp/setup-terraform@v1 with: terraform_version: 1.4.0 + # 7. 
Terraform init - name: Terraform Init run: terraform init - working-directory: ./operation-team-account + working-directory: ${{ steps.detect.outputs.work_dir }} + # 8. terraform fmt 코드 정렬 검사 - name: Terraform Format Check run: terraform fmt -check - working-directory: ./operation-team-account + working-directory: ${{ steps.detect.outputs.work_dir }} + # 9. terraform validate 문법 검증 - name: Terraform Validate run: terraform validate - working-directory: ./operation-team-account + working-directory: ${{ steps.detect.outputs.work_dir }} - - name: Terraform Plan (text for PR commnet) + # 10. plan 결과를 텍스트로 저장 (PR 코멘트 용) + - name: Terraform Plan (text for PR comment) run: terraform plan -no-color > plan.txt - working-directory: ./operation-team-account - - - name: Terraform Plan (for infracost) - run: terraform plan -refresh=false -out=tfplan.binary - working-directory: ./operation-team-account - - # - name: Comment Terraform Plan to PR - # if: github.event_name == 'pull_request' - # uses: marocchino/sticky-pull-request-comment@v2 - # with: - # path: ./operation-team-account/plan.txt - # recreate: true - # hide_classify: OUTDATED - # env: - # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - - name: Upload Terraform Plan as Artifact + working-directory: ${{ steps.detect.outputs.work_dir }} + + # 11. plan 텍스트를 아티팩트로 저장 (추후 코멘트 삽입 가능) + - name: Upload Plan as Artifact uses: actions/upload-artifact@v4 with: name: terraform-plan - path: ./operation-team-account/plan.txt + path: ${{ steps.detect.outputs.work_dir }}/plan.txt - - name: Convert Plan to JSON - run: | - ls -al - terraform show -json tfplan.binary > plan.json - working-directory: ./operation-team-account + # 12. 
infracost 용 plan binary 생성 + - name: Terraform Plan (for infracost) + run: terraform plan -refresh=false -out=tfplan.binary + working-directory: ${{ steps.detect.outputs.work_dir }} - - name: Run Trivy Config Scan - uses: aquasecurity/trivy-action@master - with: - scan-type: config - hide-progress: true - scan-ref: ./operation-team-account + # 13. binary plan을 JSON으로 변환 + - name: Convert Plan to JSON + run: terraform show -json tfplan.binary > plan.json + working-directory: ${{ steps.detect.outputs.work_dir }} + # 14. Infracost 설치 - name: Setup Infracost uses: infracost/actions/setup@v2 + # 15. 비용 분석 실행 - name: Generate Infracost Breakdown run: | - ls -al ./operation-team-account - cat ./operation-team-account/plan.json + ls -al ${{ steps.detect.outputs.work_dir }} + cat ${{ steps.detect.outputs.work_dir }}/plan.json infracost breakdown \ - --path=./operation-team-account/plan.json \ - --format=json \ - --out-file=/tmp/infracost.json + --path=${{ steps.detect.outputs.work_dir }}/plan.json \ + --format=json \ + --out-file=/tmp/infracost.json env: INFRACOST_API_KEY: ${{ secrets.INFRACOST_API_KEY }} + # 16. Infracost 분석 결과를 PR 코멘트로 남기기 - name: Infracost Comment on Pull Request uses: infracost/actions@v1 + if: github.event_name == 'pull_request' with: path: /tmp/infracost.json behavior: update - if: github.event_name == 'pull_request' env: INFRACOST_API_KEY: ${{ secrets.INFRACOST_API_KEY }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} From 215840235ac4ba09050b38b6f4bae9c8ac2f9b4d Mon Sep 17 00:00:00 2001 From: rnjsdbwlsqwer Date: Mon, 23 Jun 2025 15:33:10 +0900 Subject: [PATCH 43/58] test --- .github/workflows/cd.yml | 28 ++++++++++++++-------------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml index 7e758af2..daad9cc1 100644 --- a/.github/workflows/cd.yml +++ b/.github/workflows/cd.yml 
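Review bot: The `Detect Changed Folder` script is missing its closing `fi` — the `else` branch ends at `exit 1` and the next line is the `# 4.` comment — so bash rejects the script and the job fails before the OIDC step runs; add `fi` after `exit 1`. Beyond that, the first matching `grep` wins, so a PR touching two team folders is planned only for the first one with no warning; at minimum echo the ignored folders or fail when more than one matches. The `with: working-directory:` input passed to `aquasecurity/tfsec-action@v1.0.0` should be checked against that action's `action.yml`; an unknown input only produces a warning in Actions, and the scan would then silently run against the repository root instead of the detected folder. The `secrets[format('ROLE_ARN_{0}', steps.detect.outputs.account)]` lookup is a good move away from a hard-coded ARN, though the detect step's `exit 1` is the only thing preventing an empty `account` from producing an empty role; an explicit check that the secret resolved would make that failure mode clearer.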
@@ -71,20 +71,20 @@ jobs: working-directory: ${{ steps.detect.outputs.work_dir }} continue-on-error: true - - name: Check Terraform Plan for Errors - run: | - if test -f plan_output.txt; then - if grep -q "No changes. Your infrastructure matches the configuration." plan_output.txt; then - echo "Terraform Plan successful" - else - echo "Terraform Plan failed" - exit 1 - fi - else - echo "plan_output.txt not found" - exit 1 - fi - id: check-plan + # - name: Check Terraform Plan for Errors + # run: | + # if test -f plan_output.txt; then + # if grep -q "No changes. Your infrastructure matches the configuration." plan_output.txt; then + # echo "Terraform Plan successful" + # else + # echo "Terraform Plan failed" + # exit 1 + # fi + # else + # echo "plan_output.txt not found" + # exit 1 + # fi + # id: check-plan terraform-apply: if: github.event_name == 'push' && github.ref == 'refs/heads/main' From b82ea661ad2d7c30678ee10b4294895f7b778352 Mon Sep 17 00:00:00 2001 From: rnjsdbwlsqwer Date: Mon, 23 Jun 2025 15:42:16 +0900 Subject: [PATCH 44/58] test --- operation-team-account/main.tf | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/operation-team-account/main.tf b/operation-team-account/main.tf index 88dbd000..d8d57ddb 100644 --- a/operation-team-account/main.tf +++ b/operation-team-account/main.tf @@ -6,3 +6,9 @@ resource "null_resource" "test" { always_run = "${timestamp()}" } } + +resource "null_resource" "test" { + triggers = { + always_run = "${timestamp()}" + } +} From b7ba96005f6d4441d4b2de44fd1aaeccd9dd2a67 Mon Sep 17 00:00:00 2001 From: rnjsdbwlsqwer Date: Mon, 23 Jun 2025 15:43:54 +0900 Subject: [PATCH 45/58] cd test --- operation-team-account/main.tf | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/operation-team-account/main.tf b/operation-team-account/main.tf index d8d57ddb..c6859a77 100644 --- a/operation-team-account/main.tf +++ b/operation-team-account/main.tf 
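Review bot: With `Check Terraform Plan for Errors` commented out, nothing in `terraform-plan` fails when the plan fails: the plan step above carries `continue-on-error: true` (context at the top of the hunk), so its exit status is discarded and `needs: terraform-plan` on `terraform-apply` no longer gates anything. Either remove `continue-on-error: true` from the plan step so a failed plan fails the job, or keep a check on `steps.plan.outcome`. Commenting out the fourteen lines rather than deleting them leaves dead YAML in the workflow; git history already holds the old version.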
@@ -7,8 +7,5 @@ resource "null_resource" "test" { } } -resource "null_resource" "test" { - triggers = { - always_run = "${timestamp()}" - } -} +#test2 + From f10baabad34f4e5c1a3dfaaad95f003076a90023 Mon Sep 17 00:00:00 2001 From: rnjsdbwlsqwer Date: Mon, 23 Jun 2025 15:49:05 +0900 Subject: [PATCH 46/58] cd test --- .github/workflows/cd.yml | 16 +--------------- operation-team-account/main.tf | 1 + 2 files changed, 2 insertions(+), 15 deletions(-) diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml index daad9cc1..a49215b2 100644 --- a/.github/workflows/cd.yml +++ b/.github/workflows/cd.yml @@ -71,23 +71,9 @@ jobs: working-directory: ${{ steps.detect.outputs.work_dir }} continue-on-error: true - # - name: Check Terraform Plan for Errors - # run: | - # if test -f plan_output.txt; then - # if grep -q "No changes. Your infrastructure matches the configuration." plan_output.txt; then - # echo "Terraform Plan successful" - # else - # echo "Terraform Plan failed" - # exit 1 - # fi - # else - # echo "plan_output.txt not found" - # exit 1 - # fi - # id: check-plan terraform-apply: - if: github.event_name == 'push' && github.ref == 'refs/heads/main' + # if: github.event_name == 'push' && github.ref == 'refs/heads/main' && github.event.pull_request.merged == true runs-on: ubuntu-latest needs: terraform-plan # terraform-plan 작업이 완료된 후에 실행 diff --git a/operation-team-account/main.tf b/operation-team-account/main.tf index c6859a77..7d187cab 100644 --- a/operation-team-account/main.tf +++ b/operation-team-account/main.tf @@ -9,3 +9,4 @@ resource "null_resource" "test" { #test2 +#test3 \ No newline at end of file From 4f4ded8c37ce13963285ee8bb7842f635397b245 Mon Sep 17 00:00:00 2001 From: rnjsdbwlsqwer Date: Mon, 23 Jun 2025 15:53:14 +0900 Subject: [PATCH 47/58] cd test --- .github/workflows/cd.yml | 27 ++++++++++++++++++++++++++- operation-team-account/main.tf | 6 ++++++ 2 files changed, 32 insertions(+), 1 deletion(-) 
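Review bot: Commenting out the `if:` on `terraform-apply` removes the only condition restricting it to pushes on `main`; the workflow is also triggered on `pull_request`, so with this change every same-repository PR that passes the plan job runs `terraform apply -auto-approve` against the team account before review or merge. Keep a guard on the job, `if: github.event_name == 'push' && github.ref == 'refs/heads/main'`, and consider a protected `environment:` with required reviewers on top of it. The disabled `github.event.pull_request.merged == true` term is never true on a push event, which is probably why the whole condition was switched off; the push-to-main check alone already implies the merge happened.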
diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml index a49215b2..50378343 100644 --- a/.github/workflows/cd.yml +++ b/.github/workflows/cd.yml @@ -81,6 +81,31 @@ jobs: - name: Checkout uses: actions/checkout@v3 + - name: Fetch origin/main + run: git fetch origin main + + - name: Detect Changed Folder + id: detect + run: | + FILES=$(git diff --name-only origin/main ${{ github.sha }}) + echo "Changed files:" + echo "$FILES" + + if echo "$FILES" | grep -q '^operation-team-account/'; then + echo "account=OPERATION" >> $GITHUB_OUTPUT + echo "work_dir=operation-team-account" >> $GITHUB_OUTPUT + elif echo "$FILES" | grep -q '^identity-team-account/'; then + echo "account=IDENTITY" >> $GITHUB_OUTPUT + echo "work_dir=identity-team-account" >> $GITHUB_OUTPUT + elif echo "$FILES" | grep -q '^prod-team-account/'; then + echo "account=PROD" >> $GITHUB_OUTPUT + echo "work_dir=prod-team-account" >> $GITHUB_OUTPUT + else + echo "No matching folder changed." + exit 1 + fi + + - name: Configure AWS Credentials uses: aws-actions/configure-aws-credentials@v4 with: @@ -92,7 +117,7 @@ jobs: with: terraform_version: 1.4.0 - - name: Terraform Init + - name: Terraform InitS run: terraform init - name: Terraform Apply diff --git a/operation-team-account/main.tf b/operation-team-account/main.tf index 7d187cab..713a2e2e 100644 --- a/operation-team-account/main.tf +++ b/operation-team-account/main.tf @@ -7,6 +7,12 @@ resource "null_resource" "test" { } } + +resource "null_resource" "test1" { + triggers = { + always_run = "${timestamp()}" + } +} #test2 #test3 \ No newline at end of file From 6344854c9554fb86a1edd6a7096b5ed37ab8834d Mon Sep 17 00:00:00 2001 From: rnjsdbwlsqwer Date: Mon, 23 Jun 2025 15:55:56 +0900 Subject: [PATCH 48/58] cd test --- .github/workflows/cd.yml | 2 +- operation-team-account/main.tf | 5 ----- 2 files changed, 1 insertion(+), 6 deletions(-) diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml index 50378343..28708459 100644 
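Review bot: The `Detect Changed Folder` step copied into `terraform-apply` diffs `origin/main` against `${{ github.sha }}`, but this job is meant to run on a push to `main`, where `github.sha` is normally the very commit `origin/main` points at after the fetch; the diff is then empty, the script reaches `exit 1`, and the apply never happens. For push events the pre-push commit is available as `${{ github.event.before }}`, so after fetching it (`fetch-depth: 2` on checkout, or an explicit fetch of that commit) `git diff --name-only ${{ github.event.before }} ${{ github.sha }}` lists what the merge changed; alternatively expose `work_dir` and `account` as outputs of `terraform-plan` and consume them here instead of re-detecting. Comparing against `origin/main` is also racy when two pushes land close together. The step name `Terraform InitS` looks like a typo for `Terraform Init`.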
--- a/.github/workflows/cd.yml +++ b/.github/workflows/cd.yml @@ -110,7 +110,7 @@ jobs: uses: aws-actions/configure-aws-credentials@v4 with: aws-region: ap-northeast-2 - role-to-assume: ${{ secrets.ROLE_ARN_PROD }} + role-to-assume: ${{ secrets[format('ROLE_ARN_{0}', steps.detect.outputs.account)] }} - name: Setup Terraform uses: hashicorp/setup-terraform@v1 diff --git a/operation-team-account/main.tf b/operation-team-account/main.tf index 713a2e2e..8d777e80 100644 --- a/operation-team-account/main.tf +++ b/operation-team-account/main.tf @@ -8,11 +8,6 @@ resource "null_resource" "test" { } -resource "null_resource" "test1" { - triggers = { - always_run = "${timestamp()}" - } -} #test2 #test3 \ No newline at end of file From e0af02b3503aba6f5a2cbb874f725e8f20fac86f Mon Sep 17 00:00:00 2001 From: rnjsdbwlsqwer Date: Mon, 23 Jun 2025 15:57:24 +0900 Subject: [PATCH 49/58] cd test --- operation-team-account/main.tf | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/operation-team-account/main.tf b/operation-team-account/main.tf index 8d777e80..a0f0cdf0 100644 --- a/operation-team-account/main.tf +++ b/operation-team-account/main.tf @@ -7,7 +7,11 @@ resource "null_resource" "test" { } } - +resource "null_resource" "test1" { + triggers = { + always_run = "${timestamp()}" + } +} #test2 #test3 \ No newline at end of file From a9eddfab8abac3c5528b3ebdde1f6a7346584d8b Mon Sep 17 00:00:00 2001 From: rnjsdbwlsqwer Date: Mon, 23 Jun 2025 15:59:58 +0900 Subject: [PATCH 50/58] cd test --- operation-team-account/main.tf | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/operation-team-account/main.tf b/operation-team-account/main.tf index a0f0cdf0..30a5abc7 100644 --- a/operation-team-account/main.tf +++ b/operation-team-account/main.tf @@ -8,9 +8,10 @@ resource "null_resource" "test" { } resource "null_resource" "test1" { - triggers = { - always_run = "${timestamp()}" + triggers = { + always_run = "test1-${timestamp()}" } + } #test2 
From 07e3311d30d1b582d938b46d5b856bcd102034fe Mon Sep 17 00:00:00 2001 From: rnjsdbwlsqwer Date: Mon, 23 Jun 2025 16:01:27 +0900 Subject: [PATCH 51/58] cd test --- operation-team-account/k.tf | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 operation-team-account/k.tf diff --git a/operation-team-account/k.tf b/operation-team-account/k.tf new file mode 100644 index 00000000..a2d074d6 --- /dev/null +++ b/operation-team-account/k.tf @@ -0,0 +1,5 @@ +resource "null_resource" "test" { + triggers = { + always_run = "${timestamp()}" + } +} \ No newline at end of file From 79e528e87943b07d551a78addf3fb47d20622440 Mon Sep 17 00:00:00 2001 From: rnjsdbwlsqwer Date: Mon, 23 Jun 2025 16:02:11 +0900 Subject: [PATCH 52/58] cd test --- operation-team-account/k.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/operation-team-account/k.tf b/operation-team-account/k.tf index a2d074d6..a826342c 100644 --- a/operation-team-account/k.tf +++ b/operation-team-account/k.tf @@ -1,4 +1,4 @@ -resource "null_resource" "test" { +resource "null_resource" "test3" { triggers = { always_run = "${timestamp()}" } From 2b53747a0788d927f2e12b42a46544528157366a Mon Sep 17 00:00:00 2001 From: rnjsdbwlsqwer Date: Mon, 23 Jun 2025 16:05:30 +0900 Subject: [PATCH 53/58] cd test --- .github/workflows/cd.yml | 1 + operation-team-account/k.tf | 5 ----- 2 files changed, 1 insertion(+), 5 deletions(-) delete mode 100644 operation-team-account/k.tf diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml index 28708459..aada0006 100644 --- a/.github/workflows/cd.yml +++ b/.github/workflows/cd.yml @@ -122,3 +122,4 @@ jobs: - name: Terraform Apply run: terraform apply -auto-approve + working-directory: ${{ steps.detect.outputs.work_dir }} diff --git a/operation-team-account/k.tf b/operation-team-account/k.tf deleted file mode 100644 index a826342c..00000000 --- a/operation-team-account/k.tf +++ /dev/null 
@@ -1,5 +0,0 @@ -resource "null_resource" "test3" { - triggers = { - always_run = "${timestamp()}" - } -} \ No newline at end of file From 8af926573bef93c1476574d48e30865147d2951d Mon Sep 17 00:00:00 2001 From: rnjsdbwlsqwer Date: Mon, 23 Jun 2025 16:07:28 +0900 Subject: [PATCH 54/58] cd test --- .github/workflows/cd.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml index aada0006..75af7746 100644 --- a/.github/workflows/cd.yml +++ b/.github/workflows/cd.yml @@ -119,6 +119,7 @@ jobs: - name: Terraform InitS run: terraform init + working-directory: ${{ steps.detect.outputs.work_dir }} - name: Terraform Apply run: terraform apply -auto-approve From 8ae5ecd72801676aa95a89272f3485924274178b Mon Sep 17 00:00:00 2001 From: rnjsdbwlsqwer Date: Mon, 23 Jun 2025 16:16:01 +0900 Subject: [PATCH 55/58] cd test --- .github/workflows/cd.yml | 2 +- .github/workflows/ci.yml | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml index 75af7746..28c75df7 100644 --- a/.github/workflows/cd.yml +++ b/.github/workflows/cd.yml @@ -73,7 +73,7 @@ jobs: terraform-apply: - # if: github.event_name == 'push' && github.ref == 'refs/heads/main' && github.event.pull_request.merged == true + if: github.event_name == 'push' && github.ref == 'refs/heads/main' == true runs-on: ubuntu-latest needs: terraform-plan # terraform-plan 작업이 완료된 후에 실행 diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 708a8fb8..d989d9f9 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -30,7 +30,6 @@ jobs: echo "Changed files:" echo "$FILES" - # 디렉토리별로 account 이름 및 working directory 설정 if echo "$FILES" | grep -q '^operation-team-account/'; then echo "account=OPERATION" >> $GITHUB_OUTPUT echo "work_dir=operation-team-account" >> $GITHUB_OUTPUT 
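Review bot: The restored guard `if: github.event_name == 'push' && github.ref == 'refs/heads/main' == true` carries a redundant `== true` that reads as if a third condition were intended; it evaluates to the same result, but `if: github.event_name == 'push' && github.ref == 'refs/heads/main'` states what is meant. This condition only ties the apply to a push on `main`; there is still no environment protection or approval between `terraform-plan` and `terraform apply -auto-approve`, so a protected `environment:` with required reviewers on this job remains worth adding.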
@@ -41,8 +40,9 @@ jobs: echo "account=PROD" >> $GITHUB_OUTPUT echo "work_dir=prod-team-account" >> $GITHUB_OUTPUT else - echo "No relevant Terraform folder changed." + echo "No matching folder changed." exit 1 + fi # 4. 변경된 디렉토리에 맞는 IAM Role Assume (GitHub OIDC 방식) - name: Configure AWS Credentials via OIDC From 18e701bf898a7c6aa7d66977b11f30e22ff4dc00 Mon Sep 17 00:00:00 2001 From: rnjsdbwlsqwer Date: Mon, 23 Jun 2025 16:22:50 +0900 Subject: [PATCH 56/58] ci test --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index d989d9f9..7a824007 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -70,7 +70,7 @@ jobs: # 8. terraform fmt 코드 정렬 검사 - name: Terraform Format Check - run: terraform fmt -check + run: terraform fmt -check -recursive working-directory: ${{ steps.detect.outputs.work_dir }} # 9. terraform validate 문법 검증 From fb81551a3ed337c440954b54d569e566ad899569 Mon Sep 17 00:00:00 2001 From: rnjsdbwlsqwer Date: Mon, 23 Jun 2025 16:32:03 +0900 Subject: [PATCH 57/58] ci test --- .github/workflows/ci.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 7a824007..4fbb2cd0 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -69,9 +69,8 @@ jobs: working-directory: ${{ steps.detect.outputs.work_dir }} # 8. terraform fmt 코드 정렬 검사 - - name: Terraform Format Check + - name: Terraform Format Check (root) run: terraform fmt -check -recursive - working-directory: ${{ steps.detect.outputs.work_dir }} # 9. terraform validate 문법 검증 - name: Terraform Validate From 5e4090313282f92965366365eb07eb71cd40d523 Mon Sep 17 00:00:00 2001 From: rnjsdbwlsqwer Date: Mon, 23 Jun 2025 16:35:30 +0900 Subject: [PATCH 58/58] fix: format operation-team-account/main.tf --- operation-team-account/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
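Review bot: The `if`/`else` chain that the added `fi` closes in the ci.yml `-41,8` hunk selects a single account directory, so a change set touching more than one `*-team-account/` directory is planned (and, per the comment on the following step, role-assumed) only for the first branch that matches, while the other directory's changes are silently skipped. Before the chain, count distinct matches and refuse ambiguous change sets: `MATCHED=$(echo "$FILES" | grep -oE '^[a-z]+-team-account/' | sort -u | wc -l)` followed by `[ "$MATCHED" -le 1 ] || { echo "Change spans multiple account directories; split it."; exit 1; }` — assuming every account directory follows the `-team-account/` naming visible here; the middle branches of the chain are outside the hunk. The `exit 1` in the `else` branch also fails the run for pull requests that touch no account directory at all (for example workflow-only changes); if that is not intended, a `paths:` filter on the trigger or a `skip=true` output checked by the later steps would be the fix.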
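Review bot: A formatting problem anywhere in the repository now fails every pull request, because the ci.yml `-69,9` hunk drops the `working-directory` scoping and runs `terraform fmt -check -recursive` from the root — the very next commit (58/58) has to reformat `operation-team-account/main.tf` to get a green run. If a tree-wide check is the intended policy, at least add `-diff` so the failing step prints what to change: `run: terraform fmt -check -recursive -diff`. Otherwise keep the per-directory `working-directory` and run the root-wide check as a separate, non-blocking step.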
diff --git a/operation-team-account/main.tf b/operation-team-account/main.tf index 30a5abc7..8cfb50be 100644 --- a/operation-team-account/main.tf +++ b/operation-team-account/main.tf @@ -8,7 +8,7 @@ resource "null_resource" "test" { } resource "null_resource" "test1" { - triggers = { + triggers = { always_run = "test1-${timestamp()}" }
