Feat/#54 Cloudtrail에 대한 Opensearch 모니터링 환경 구성

.github/workflows/CI.yml

@@ -34,34 +34,22 @@ jobs:
           echo "Changed files:"
           echo "$FILES"
 
-          declare -A ROLE_MAP=(
+          declare -A ROLE_MAP=( 
             ["operation-team-account"]="ROLE_ARN_OPERATION"
             ["identity-team-account"]="ROLE_ARN_IDENTITY"
-            ["prod-team-account"]="ROLE_ARN_PROD"
-            ["dev-team-account"]="ROLE_ARN_DEV"
-            ["security-team-account"]="ROLE_ARN_SECURITY"
-            ["stage-team-account"]="ROLE_ARN_STAGE"
             ["management-team-account"]="ROLE_ARN_MANAGEMENT"
           )
 
           TMP_FILE=$(mktemp)
-
           for FILE in $FILES; do
             DIR=$(dirname "$FILE")
             TOP_DIR=$(echo $DIR | cut -d/ -f1)
             ROLE_KEY="${ROLE_MAP[$TOP_DIR]}"
 
             if [ -n "$ROLE_KEY" ]; then
-              if [ "$DIR" == "$TOP_DIR" ]; then
-                TF_COUNT=$(find "$DIR" -maxdepth 1 -name '*.tf' | wc -l)
-                if [ "$TF_COUNT" -gt 0 ]; then
-                  echo "$DIR|$ROLE_KEY" >> $TMP_FILE
-                fi
-              else
-                TF_COUNT=$(find "$DIR" -maxdepth 1 -name '*.tf' | wc -l)
-                if [ "$TF_COUNT" -gt 0 ]; then
-                  echo "$DIR|$ROLE_KEY" >> $TMP_FILE
-                fi
+              TF_COUNT=$(find "$DIR" -maxdepth 1 -name '*.tf' | wc -l)
+              if [ "$TF_COUNT" -gt 0 ]; then
+                echo "$DIR|$ROLE_KEY" >> $TMP_FILE
               fi
             fi
           done
@@ -84,10 +72,8 @@ jobs:
           done <<< "$UNIQUE_LINES"
 
           MATRIX_JSON="$MATRIX_JSON]"
-
           echo "Final JSON matrix:"
           echo "$MATRIX_JSON"
-
           echo "matrix=$MATRIX_JSON" >> $GITHUB_OUTPUT
 
   terraform-ci:
@@ -104,6 +90,7 @@ jobs:
       INFRACOST_API_KEY: ${{ secrets.INFRACOST_API_KEY }}
       GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       INFRACOST_TERRAFORM_CLI_WRAPPER: false
+      TF_VAR_slack_webhook_url: ${{ secrets.TF_VAR_slack_webhook_url }}
 
     steps:
       - name: Checkout Code
@@ -152,29 +139,41 @@ jobs:
           PLAN_TXT=plan.txt
           PLAN_JSON=plan.json
 
-          # Run terraform plan
-          terraform plan -no-color -out=$PLAN_FILE > /dev/null 2> plan_error.txt || echo "PLAN_FAILED=true" >> $GITHUB_ENV
+          if terraform plan -no-color -out=$PLAN_FILE > /dev/null 2> plan_error.txt; then
+            echo "PLAN_FAILED=false" >> $GITHUB_ENV
+            terraform show -no-color $PLAN_FILE > $PLAN_TXT
+            terraform show -json $PLAN_FILE > $PLAN_JSON || true
+          else
+            echo "PLAN_FAILED=true" >> $GITHUB_ENV
+            echo "Plan failed" > $PLAN_TXT
+            echo "{}" > $PLAN_JSON
+          fi
 
-          # Show plan text output
-          terraform show -no-color $PLAN_FILE > $PLAN_TXT 2>/dev/null || echo "Plan failed" > $PLAN_TXT
+          # 디버깅용 출력
+          echo "::group::Raw terraform show output"
+          cat $PLAN_TXT || echo "(empty)"
+          echo "::endgroup::"
 
-          # Remove ANSI color codes
-          cat $PLAN_TXT | \
-            sed 's/`/\\`/g' | \
-            tr -d '\r' | \
-            sed -r "s/\x1B\[[0-9;]*[JKmsu]//g" \
-            > cleaned_plan.txt
+          sed 's/`/\\`/g' $PLAN_TXT | tr -d '\r' | sed -r "s/\x1B\[[0-9;]*[JKmsu]//g" > cleaned_plan.txt
 
           PLAN_CONTENT=$(cat cleaned_plan.txt)
+          PLAN_ERROR=$(cat plan_error.txt || echo "No error captured")
+
+          if [ -z "$PLAN_CONTENT" ]; then
+            PLAN_CONTENT="(no changes or output empty)"
+          fi
 
-          # Save JSON plan for infracost
-          terraform show -json $PLAN_FILE > $PLAN_JSON || true
+          if [ -z "$PLAN_ERROR" ]; then
+            PLAN_ERROR="(no errors)"
+          fi
 
-          # Output plan content for PR comment
           {
             echo "PLAN_CONTENT<<EOF"
             echo "$PLAN_CONTENT"
             echo "EOF"
+            echo "PLAN_ERROR<<EOF"
+            echo "$PLAN_ERROR"
+            echo "EOF"
           } >> $GITHUB_OUTPUT
         working-directory: ${{ matrix.dir }}
 
@@ -198,6 +197,11 @@ jobs:
             ${{ steps.plan.outputs.PLAN_CONTENT }}
             ```
 
+            ### Plan Error (if any)
+            ```
+            ${{ steps.plan.outputs.PLAN_ERROR }}
+            ```
+
       - name: Setup Infracost
         uses: infracost/actions/setup@v2
 
@@ -213,4 +217,4 @@ jobs:
         uses: infracost/actions/comment@v1
         with:
           path: ${{ matrix.dir }}/infracost.json
-          behavior: update
+          behavior: update

.gitignore

@@ -25,4 +25,7 @@ ehthumbs.db             # Windows
 *.tmp                   # 임시 파일
 
 # VSCode 설정 (선택사항)
-.vscode/
+.vscode/
+
+# OpenSearch alert 생성 시 생기는 임시 파일
+modules/opensearch/slack_response.json

management-team-account/monitoring/main.tf

@@ -0,0 +1,39 @@
+terraform {
+  required_version = ">= 1.1.0"
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5.0"
+    }
+  }
+
+  backend "s3" {
+    bucket         = "cloudfence-management-state"
+    key            = "cloudtrail/terraform.tfstate"
+    region         = "ap-northeast-2"
+    encrypt        = true
+    dynamodb_table = "tfstate-management-lock"
+  }
+}
+
+provider "aws" {
+  region = var.aws_region
+}
+
+data "terraform_remote_state" "operation" {
+  backend = "s3"
+  config = {
+    bucket = "cloudfence-operation-state"
+    key    = "monitoring/terraform.tfstate"
+    region = "ap-northeast-2"
+  }
+}
+
+data "aws_caller_identity" "current" {}
+
+module "cloudtrail" {
+  source                 = "../../modules/cloudtrail_org"
+  org_trail_name         = var.org_trail_name
+  cloudtrail_bucket_name = data.terraform_remote_state.operation.outputs.bucket_name
+  cloudtrail_kms_key_arn = data.terraform_remote_state.operation.outputs.kms_key_arn
+}

management-team-account/monitoring/variables.tf

@@ -0,0 +1,11 @@
+variable "aws_region" {
+  description = "AWS region"
+  type        = string
+  default     = "ap-northeast-2"
+}
+
+variable "org_trail_name" {
+  description = "Organization CloudTrail name"
+  type        = string
+  default     = "org-cloudtrail"
+}

modules/cloudtrail_org/main.tf

@@ -0,0 +1,29 @@
+resource "aws_cloudtrail" "org" {
+  name                          = var.org_trail_name
+  is_organization_trail         = true
+  is_multi_region_trail         = true
+  include_global_service_events = true
+  enable_log_file_validation    = true
+  enable_logging                = true
+
+  s3_bucket_name = var.cloudtrail_bucket_name
+  kms_key_id     = var.cloudtrail_kms_key_arn
+
+  event_selector {
+    read_write_type           = "All"
+    include_management_events = true
+
+    data_resource {
+      type = "AWS::S3::Object"
+      values = [
+        "arn:aws:s3:::${var.cloudtrail_bucket_name}/AWSLogs/"
+      ]
+    }
+  }
+
+  tags = {
+    Name        = var.org_trail_name
+    Environment = "prod"
+    Owner       = "security-team"
+  }
+}

modules/cloudtrail_org/variables.tf

@@ -0,0 +1,14 @@
+variable "org_trail_name" {
+  description = "Organization CloudTrail name"
+  type        = string
+}
+
+variable "cloudtrail_bucket_name" {
+  description = "S3 bucket name for CloudTrail logs (from operation account)"
+  type        = string
+}
+
+variable "cloudtrail_kms_key_arn" {
+  description = "KMS key ARN for CloudTrail SSE-KMS (from operation account)"
+  type        = string
+}

modules/eventbridge_triggers/main.tf

@@ -0,0 +1,30 @@
+resource "aws_cloudwatch_event_rule" "s3_object_created" {
+  name        = "cloudtrail-s3-event-rule"
+  description = "Trigger Lambda on CloudTrail S3 delivery objects"
+
+  event_pattern = jsonencode({
+    source = ["aws.s3"]
+    detail = {
+      eventName = ["PutObject"]
+      requestParameters = {
+        bucketName = [var.bucket_name]
+        key        = [{ prefix = "AWSLogs/" }]
+      }
+    }
+  })
+  event_bus_name = "default"
+}
+
+resource "aws_cloudwatch_event_target" "lambda" {
+  rule      = aws_cloudwatch_event_rule.s3_object_created.name
+  target_id = "lambda-target"
+  arn       = var.lambda_function_arn
+}
+
+resource "aws_lambda_permission" "allow_eventbridge" {
+  statement_id  = "AllowExecutionFromEventBridge"
+  action        = "lambda:InvokeFunction"
+  function_name = var.lambda_function_name
+  principal     = "events.amazonaws.com"
+  source_arn    = aws_cloudwatch_event_rule.s3_object_created.arn
+}

modules/eventbridge_triggers/outputs.tf

@@ -0,0 +1,3 @@
+output "event_rule_arn" {
+  value = aws_cloudwatch_event_rule.s3_object_created.arn
+}

modules/eventbridge_triggers/variables.tf

@@ -0,0 +1,14 @@
+variable "bucket_name" {
+  description = "Name of the S3 bucket where CloudTrail logs are stored"
+  type        = string
+}
+
+variable "lambda_function_name" {
+  description = "Lambda function name to be triggered"
+  type        = string
+}
+
+variable "lambda_function_arn" {
+  description = "ARN of the Lambda function to trigger"
+  type        = string
+}