WHS-DevSecOps-infra · imyourhopeee · Jun 5, 2025 · Jun 5, 2025 · Jun 5, 2025 · Jun 5, 2025
diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml
@@ -0,0 +1,126 @@
+name: Terraform Plan and Apply
+
+on:
+  pull_request:
+    branches: [main]
+    paths:
+      - 'operation-team-account/**'
+      - 'identity-team-account/**'
+      - 'prod-team-account/**'
+  push:
+    branches:
+      - main  # PR이 main에 merge되었을 때만 apply 실행
+
+permissions:
+  contents: read
+  id-token: write
+
+jobs:
+  terraform-plan:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      - name: Fetch origin/main
+        run: git fetch origin main
+
+      - name: Detect Changed Folder
+        id: detect
+        run: |
+          FILES=$(git diff --name-only origin/main ${{ github.sha }})
+          echo "Changed files:"
+          echo "$FILES"
+
+          if echo "$FILES" | grep -q '^operation-team-account/'; then
+            echo "account=OPERATION" >> $GITHUB_OUTPUT
+            echo "work_dir=operation-team-account" >> $GITHUB_OUTPUT
+          elif echo "$FILES" | grep -q '^identity-team-account/'; then
+            echo "account=IDENTITY" >> $GITHUB_OUTPUT
+            echo "work_dir=identity-team-account" >> $GITHUB_OUTPUT
+          elif echo "$FILES" | grep -q '^prod-team-account/'; then
+            echo "account=PROD" >> $GITHUB_OUTPUT
+            echo "work_dir=prod-team-account" >> $GITHUB_OUTPUT
+          else
+            echo "No matching folder changed."
+            exit 1
+          fi
+
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-region: ap-northeast-2
+          role-to-assume: ${{ secrets[format('ROLE_ARN_{0}', steps.detect.outputs.account)] }}
+
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@v1
+        with:
+          terraform_version: 1.4.0
+
+      - name: Terraform Init
+        run: terraform init
+        working-directory: ${{ steps.detect.outputs.work_dir }}
+
+      - name: Terraform Plan
+        id: plan
+        run: |
+          terraform plan -no-color > plan_output.txt
+          cat plan_output.txt
+
+        working-directory: ${{ steps.detect.outputs.work_dir }}
+        continue-on-error: true
+
+
+  terraform-apply:
+    if: github.event_name == 'push' && github.ref == 'refs/heads/main' == true
+    runs-on: ubuntu-latest
+    needs: terraform-plan  # terraform-plan 작업이 완료된 후에 실행
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      - name: Fetch origin/main
+        run: git fetch origin main
+
+      - name: Detect Changed Folder
+        id: detect
+        run: |
+          FILES=$(git diff --name-only origin/main ${{ github.sha }})
+          echo "Changed files:"
+          echo "$FILES"
+
+          if echo "$FILES" | grep -q '^operation-team-account/'; then
+            echo "account=OPERATION" >> $GITHUB_OUTPUT
+            echo "work_dir=operation-team-account" >> $GITHUB_OUTPUT
+          elif echo "$FILES" | grep -q '^identity-team-account/'; then
+            echo "account=IDENTITY" >> $GITHUB_OUTPUT
+            echo "work_dir=identity-team-account" >> $GITHUB_OUTPUT
+          elif echo "$FILES" | grep -q '^prod-team-account/'; then
+            echo "account=PROD" >> $GITHUB_OUTPUT
+            echo "work_dir=prod-team-account" >> $GITHUB_OUTPUT
+          else
+            echo "No matching folder changed."
+            exit 1
+          fi
+
+
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-region: ap-northeast-2
+          role-to-assume: ${{ secrets[format('ROLE_ARN_{0}', steps.detect.outputs.account)] }}
+
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@v1
+        with:
+          terraform_version: 1.4.0
+
+      - name: Terraform InitS
+        run: terraform init
+        working-directory: ${{ steps.detect.outputs.work_dir }}
+
+      - name: Terraform Apply
+        run: terraform apply -auto-approve
+        working-directory: ${{ steps.detect.outputs.work_dir }}
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -0,0 +1,127 @@
+name: Monitoring CI
+
+on:
+  pull_request:
+    branches: [main]  # main 브랜치에 대한 PR 이벤트에서만 실행
+
+permissions:
+  contents: read       # GitHub repo의 내용을 읽을 권한
+  id-token: write      # OIDC로 AWS 인증을 위해 필요
+
+jobs:
+  terraform-ci:
+    name: Terraform CI per changed folder
+    runs-on: ubuntu-latest
+
+    steps:
+      # 1. PR 코드 체크아웃
+      - name: Checkout Code
+        uses: actions/checkout@v3
+
+      # 2. 최신 main 브랜치를 fetch (diff 비교를 위해)
+      - name: Fetch origin/main
+        run: git fetch origin main
+
+      # 3. 어떤 디렉토리가 변경되었는지 감지
+      - name: Detect Changed Folder
+        id: detect
+        run: |
+          FILES=$(git diff --name-only origin/main ${{ github.sha }})
+          echo "Changed files:"
+          echo "$FILES"
+
+          if echo "$FILES" | grep -q '^operation-team-account/'; then
+            echo "account=OPERATION" >> $GITHUB_OUTPUT
+            echo "work_dir=operation-team-account" >> $GITHUB_OUTPUT
+          elif echo "$FILES" | grep -q '^identity-team-account/'; then
+            echo "account=IDENTITY" >> $GITHUB_OUTPUT
+            echo "work_dir=identity-team-account" >> $GITHUB_OUTPUT
+          elif echo "$FILES" | grep -q '^prod-team-account/'; then
+            echo "account=PROD" >> $GITHUB_OUTPUT
+            echo "work_dir=prod-team-account" >> $GITHUB_OUTPUT
+          else
+            echo "No matching folder changed."
+            exit 1
+          fi
+
+      # 4. 변경된 디렉토리에 맞는 IAM Role Assume (GitHub OIDC 방식)
+      - name: Configure AWS Credentials via OIDC
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-region: ap-northeast-2
+          role-to-assume: ${{ secrets[format('ROLE_ARN_{0}', steps.detect.outputs.account)] }}
+
+      # 5. tfsec 보안 점검
+      - name: Run tfsec (Terraform Security Check)
+        uses: aquasecurity/tfsec-action@v1.0.0
+        with:
+          working-directory: ${{ steps.detect.outputs.work_dir }}
+
+      # 6. Terraform CLI 설정
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@v1
+        with:
+          terraform_version: 1.4.0
+
+      # 7. Terraform init
+      - name: Terraform Init
+        run: terraform init
+        working-directory: ${{ steps.detect.outputs.work_dir }}
+
+      # 8. terraform fmt 코드 정렬 검사
+      - name: Terraform Format Check (root)
+        run: terraform fmt -check -recursive
+
+      # 9. terraform validate 문법 검증
+      - name: Terraform Validate
+        run: terraform validate
+        working-directory: ${{ steps.detect.outputs.work_dir }}
+
+      # 10. plan 결과를 텍스트로 저장 (PR 코멘트 용)
+      - name: Terraform Plan (text for PR comment)
+        run: terraform plan -no-color > plan.txt
+        working-directory: ${{ steps.detect.outputs.work_dir }}
+
+      # 11. plan 텍스트를 아티팩트로 저장 (추후 코멘트 삽입 가능)
+      - name: Upload Plan as Artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: terraform-plan
+          path: ${{ steps.detect.outputs.work_dir }}/plan.txt
+
+      # 12. infracost 용 plan binary 생성
+      - name: Terraform Plan (for infracost)
+        run: terraform plan -refresh=false -out=tfplan.binary
+        working-directory: ${{ steps.detect.outputs.work_dir }}
+
+      # 13. binary plan을 JSON으로 변환
+      - name: Convert Plan to JSON
+        run: terraform show -json tfplan.binary > plan.json
+        working-directory: ${{ steps.detect.outputs.work_dir }}
+
+      # 14. Infracost 설치
+      - name: Setup Infracost
+        uses: infracost/actions/setup@v2
+
+      # 15. 비용 분석 실행
+      - name: Generate Infracost Breakdown
+        run: |
+          ls -al ${{ steps.detect.outputs.work_dir }}
+          cat ${{ steps.detect.outputs.work_dir }}/plan.json
+          infracost breakdown \
+            --path=${{ steps.detect.outputs.work_dir }}/plan.json \
+            --format=json \
+            --out-file=/tmp/infracost.json
+        env:
+          INFRACOST_API_KEY: ${{ secrets.INFRACOST_API_KEY }}
+
+      # 16. Infracost 분석 결과를 PR 코멘트로 남기기
+      - name: Infracost Comment on Pull Request
+        uses: infracost/actions@v1
+        if: github.event_name == 'pull_request'
+        with:
+          path: /tmp/infracost.json
+          behavior: update
+        env:
+          INFRACOST_API_KEY: ${{ secrets.INFRACOST_API_KEY }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/main.tf b/main.tf
@@ -0,0 +1,3 @@
+provider "aws" {
+  region = "ap-northeast-2" # 서울 리전
+}
diff --git a/operation-team-account/main.tf b/operation-team-account/main.tf
@@ -0,0 +1,18 @@
+# CD 테스트용 리소스
+#test1
+
+resource "null_resource" "test" {
+  triggers = {
+    always_run = "${timestamp()}"
+  }
+}
+
+resource "null_resource" "test1" {
+  triggers = {
+    always_run = "test1-${timestamp()}"
+  }
+
+}
+#test2
+
+#test3