25 changes: 13 additions & 12 deletions .github/workflows/ci.yml
Expand Up @@ -144,6 +144,7 @@ jobs:
run: |
tfsec --format json --out tfsec_results.json .
working-directory: ${{ matrix.dir }}
continue-on-error: true

- name: Notify Slack for LOW/MEDIUM tfsec findings # LOW, Medium으로 감지된 내용을 slack 전송하고 알림
if: always()
Expand Down Expand Up @@ -251,18 +252,24 @@ jobs:
git fetch origin ${{ github.base_ref }}
git checkout origin/${{ github.base_ref }} -- .
terraform init -input=false
terraform plan -input=false -out=tfplan-base.binary

infracost breakdown \
--path=. \
--terraform-plan-flags="-out=tfplan-base.binary" \
--format=json \
--out-file infracost-baseline.json

- name: Generate Infracost Diff # PR 브랜치로 돌아와, 비용 차이를 계산하여 저장
working-directory: ${{ matrix.dir }}
run: |
git checkout ${{ github.head_ref }}
terraform init -input=false
terraform plan -input=false -out=tfplan-pr.binary

infracost diff \
--path=. \
--terraform-plan-flags="-out=tfplan-pr.binary" \
--compare-to infracost-baseline.json \
--format=json \
--out-file infracost-diff.json
Expand All @@ -276,26 +283,20 @@ jobs:
# 변경사항 없음 메시지 (로그용)
echo "✅ No infrastructure cost changes detected."
echo "Generating and posting full cost breakdown for current infrastructure."

# 전체 비용 스냅샷 생성
infracost breakdown \
--path=. \
--format=json \
--out-file infracost-full.json

# 전체 비용 분석 댓글

infracost comment github \
--path=infracost-full.json \
--path=infracost-baseline.json \
--repo=${{ github.repository }} \
--pull-request=${{ github.event.pull_request.number }} \
--github-token=${{ secrets.GITHUB_TOKEN }} \
--behavior=update
--behavior=update \
--tag=infracost-comment
else
# 변경사항이 있을 때는 diff 댓글
infracost comment github \
--path=infracost-diff.json \
--repo=${{ github.repository }} \
--pull-request=${{ github.event.pull_request.number }} \
--github-token=${{ secrets.GITHUB_TOKEN }} \
--behavior=update
--behavior=update \
--tag=infracost-comment
fi
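Review bot: The single line the first hunk adds appears to be `continue-on-error: true` on the tfsec step (the hunk grows from 6 to 7 lines and the `run:` block is unchanged), which means HIGH/CRITICAL findings no longer fail the job; the Slack step below it handles LOW/MEDIUM, but nothing visible gates on the severe ones. If notify-only is the intent, state it next to the flag, e.g. `continue-on-error: true  # tfsec findings are reported via Slack, not enforced`; otherwise add a follow-up step that reads `tfsec_results.json` and exits non-zero when HIGH or CRITICAL results are present. Separately, `git checkout ${{ github.head_ref }}` in the Infracost diff `run:` block interpolates a branch name into the shell; whether that line is new or context here, the usual hardening is to pass it through `env:` and quote it, `git checkout "$HEAD_REF"`. The enclosing job definitions for both steps start outside the hunks.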
58 changes: 8 additions & 50 deletions dev-team-account/state/S3/main.tf
Expand Up @@ -10,6 +10,13 @@ provider "aws" {
region = "ap-northeast-2"
}

# KMS 모듈 호출
module "s3_kms" {
source = "../../../modules/S3_kms"
description = "KMS key for S3 encryption"
s3_bucket_arn = "arn:aws:s3:::cloudfence-dev-state"
}

# S3 버킷 생성
resource "aws_s3_bucket" "state_org" {
bucket = "cloudfence-dev-state"
Expand Down Expand Up @@ -51,63 +58,14 @@ resource "aws_s3_bucket_public_access_block" "state_org_block" {
restrict_public_buckets = true
}

data "aws_caller_identity" "current" {}

# S3 암호화를 위한 KMS 키
resource "aws_kms_key" "s3_key" {
description = "KMS key for S3 encryption"
enable_key_rotation = true

# KMS 키 정책 추가
policy = jsonencode({
Version = "2012-10-17",
Statement = [

# 현재 계정에게 모든 KMS 작업 권한 부여
{
Sid = "AllowRootAccountFullAccess",
Effect = "Allow",
Principal = {
AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"
},
Action = "kms:*",
Resource = "*"
},

# S3 서비스에게 암복호화 권한 부여
{
Sid = "AllowS3ServicePrincipal"
Effect = "Allow"
Principal = {
Service = "s3.amazonaws.com"
}
Action = [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey"
]
Resource = "*"
Condition = {
StringEquals = {
"aws:SourceArn" = "arn:aws:s3:::cloudfence-dev-state",
"aws:SourceAccount" = data.aws_caller_identity.current.account_id
}
}
}
]
})
}

# S3 버킷 서버 측 암호화
resource "aws_s3_bucket_server_side_encryption_configuration" "encryption" {
bucket = aws_s3_bucket.state_org.id

rule {
apply_server_side_encryption_by_default {
sse_algorithm = "aws:kms"
kms_master_key_id = aws_kms_key.s3_key.arn
kms_master_key_id = module.s3_kms.kms_key_arn
}
}
}
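Review bot: The new `module "s3_kms"` call hard-codes `s3_bucket_arn = "arn:aws:s3:::cloudfence-dev-state"` while the bucket is declared a few lines below as `bucket = "cloudfence-dev-state"`; the two literals have to stay in sync by hand, and if they drift the key policy's `aws:SourceArn` condition silently stops matching with no plan-time error. Referencing the resource removes the duplication: `s3_bucket_arn = aws_s3_bucket.state_org.arn`; the bucket resource itself does not reference the module (only the encryption configuration does), so this introduces no dependency cycle. The same duplicated literal appears in identity-team-account/state/S3/main.tf and management-team-account/state/S3/main.tf with their respective bucket names.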
58 changes: 8 additions & 50 deletions identity-team-account/state/S3/main.tf
Expand Up @@ -10,6 +10,13 @@ provider "aws" {
region = "ap-northeast-2"
}

# KMS 모듈 호출
module "s3_kms" {
source = "../../../modules/S3_kms"
description = "KMS key for S3 encryption"
s3_bucket_arn = "arn:aws:s3:::cloudfence-identity-state"
}

# S3 버킷 생성
resource "aws_s3_bucket" "state_org" {
bucket = "cloudfence-identity-state"
Expand Down Expand Up @@ -51,63 +58,14 @@ resource "aws_s3_bucket_public_access_block" "state_org_block" {
restrict_public_buckets = true
}

data "aws_caller_identity" "current" {}

# S3 암호화를 위한 KMS 키
resource "aws_kms_key" "s3_key" {
description = "KMS key for S3 encryption"
enable_key_rotation = true

# KMS 키 정책 추가
policy = jsonencode({
Version = "2012-10-17",
Statement = [

# 현재 계정에게 모든 KMS 작업 권한 부여
{
Sid = "AllowRootAccountFullAccess",
Effect = "Allow",
Principal = {
AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"
},
Action = "kms:*",
Resource = "*"
},

# S3 서비스에게 암복호화 권한 부여
{
Sid = "AllowS3ServicePrincipal"
Effect = "Allow"
Principal = {
Service = "s3.amazonaws.com"
}
Action = [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey"
]
Resource = "*"
Condition = {
StringEquals = {
"aws:SourceArn" = "arn:aws:s3:::cloudfence-identity-state",
"aws:SourceAccount" = data.aws_caller_identity.current.account_id
}
}
}
]
})
}

# S3 버킷 서버 측 암호화
resource "aws_s3_bucket_server_side_encryption_configuration" "encryption" {
bucket = aws_s3_bucket.state_org.id

rule {
apply_server_side_encryption_by_default {
sse_algorithm = "aws:kms"
kms_master_key_id = aws_kms_key.s3_key.arn
kms_master_key_id = module.s3_kms.kms_key_arn
}
}
}
60 changes: 8 additions & 52 deletions management-team-account/state/S3/main.tf
Expand Up @@ -10,6 +10,13 @@ provider "aws" {
region = "ap-northeast-2"
}

# KMS 모듈 호출
module "s3_kms" {
source = "../../../modules/S3_kms"
description = "KMS key for S3 encryption"
s3_bucket_arn = "arn:aws:s3:::cloudfence-management-state"
}

# S3 버킷 생성
resource "aws_s3_bucket" "state_org" {
bucket = "cloudfence-management-state"
Expand Down Expand Up @@ -51,65 +58,14 @@ resource "aws_s3_bucket_public_access_block" "state_org_block" {
restrict_public_buckets = true
}


data "aws_caller_identity" "current" {}


# S3 암호화를 위한 KMS 키
resource "aws_kms_key" "s3_key" {
description = "KMS key for S3 encryption"
enable_key_rotation = true

# KMS 키 정책 추가
policy = jsonencode({
Version = "2012-10-17",
Statement = [

# 현재 계정에게 모든 KMS 작업 권한 부여
{
Sid = "AllowRootAccountFullAccess",
Effect = "Allow",
Principal = {
AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"
},
Action = "kms:*",
Resource = "*"
},

# S3 서비스에게 암복호화 권한 부여
{
Sid = "AllowS3ServicePrincipal"
Effect = "Allow"
Principal = {
Service = "s3.amazonaws.com"
}
Action = [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey"
]
Resource = "*"
Condition = {
StringEquals = {
"aws:SourceArn" = "arn:aws:s3:::cloudfence-management-state",
"aws:SourceAccount" = data.aws_caller_identity.current.account_id
}
}
}
]
})
}

# S3 버킷 서버 측 암호화
resource "aws_s3_bucket_server_side_encryption_configuration" "encryption" {
bucket = aws_s3_bucket.state_org.id

rule {
apply_server_side_encryption_by_default {
sse_algorithm = "aws:kms"
kms_master_key_id = aws_kms_key.s3_key.arn
kms_master_key_id = module.s3_kms.kms_key_arn
}
}
}
42 changes: 42 additions & 0 deletions modules/S3_kms/main.tf
@@ -0,0 +1,42 @@
data "aws_caller_identity" "current" {}

resource "aws_kms_key" "this" {
description = var.description
enable_key_rotation = true

policy = jsonencode({
Version = "2012-10-17",
Statement = [
{
Sid = "AllowRootAccountFullAccess",
Effect = "Allow",
Principal = {
AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"
},
Action = "kms:*",
Resource = "*"
},
{
Sid = "AllowS3ServicePrincipal"
Effect = "Allow"
Principal = {
Service = "s3.amazonaws.com"
}
Action = [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey"
]
Resource = "*"
Condition = {
StringEquals = {
"aws:SourceArn" = var.s3_bucket_arn,
"aws:SourceAccount" = data.aws_caller_identity.current.account_id
}
}
}
]
})
}
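Review bot: The two policy statements lost the explanatory comments they carried in the per-account files when they were moved into the module, so a reader of `modules/S3_kms/main.tf` no longer learns why the S3 service principal is constrained. Suggest a header above `Statement`, e.g. `# Key administration stays with the account root (governed by IAM); S3 may use the key only on behalf of the named bucket in this account (confused-deputy guard via aws:SourceArn/aws:SourceAccount)`, or an equivalent one-line comment on each `Sid`. Note that the `aws:SourceArn` condition is only as strong as `var.s3_bucket_arn`, which the module currently accepts without validation.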
4 changes: 4 additions & 0 deletions modules/S3_kms/outputs.tf
@@ -0,0 +1,4 @@
output "kms_key_arn" {
description = "The ARN of the KMS key used for S3 encryption"
value = aws_kms_key.this.arn
}
9 changes: 9 additions & 0 deletions modules/S3_kms/variables.tf
@@ -0,0 +1,9 @@
variable "description" {
type = string
default = "KMS key for S3 encryption"
}

variable "s3_bucket_arn" {
type = string
description = "ARN of the S3 bucket that will use this KMS key"
}
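Review bot: `s3_bucket_arn` is interpolated straight into the key policy's `aws:SourceArn` condition, so a typo or a bare bucket name passed instead of an ARN yields a key policy whose S3 statement never matches, with no error at plan time. A `validation` block on the variable catches this early: `condition = can(regex("^arn:aws[a-z-]*:s3:::[a-z0-9.-]+$", var.s3_bucket_arn))` with `error_message = "s3_bucket_arn must be an S3 bucket ARN (arn:aws:s3:::bucket-name)."`.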