1 change: 1 addition & 0 deletions .gitignore
Expand Up @@ -4,6 +4,7 @@
*.tfstate.backup
*.tfvars
.terraform.lock.hcl
modules/shared_resources/dist/*.zip

# --- Secrets (보안상 절대 커밋 금지) ---
*.pem
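Review bot: ignoring `modules/shared_resources/dist/*.zip` is the right call for built Lambda artifacts, but it means a fresh clone has no archive for the module's `lambda.tf` to upload; make sure the module builds the zip itself at plan time (for example an `archive_file` data source over `src/img_resizing` and `src/thumbnail`) or document the build step in the README, otherwise `terraform apply` fails on CI and on any new machine.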
28 changes: 21 additions & 7 deletions README.md
Expand Up @@ -9,13 +9,23 @@ solid-connection-infra/
│ └── secrets/ # 민감한 data 관리
│ └── ...
├── modules/
│ └── app_stack/ # [Prod/Stage 환경의 공통 모듈]
│ ├── security_groups.tf
│ ├── ec2.tf
│ ├── rds.tf
│ ├── app_stack/ # [Prod/Stage 환경의 공통 모듈]
│ │ ├── security_groups.tf
│ │ ├── ec2.tf
│ │ ├── rds.tf
│ │ ├── variables.tf
│ │ └── outputs.tf
│ └── shared_resources/ # [global 환경의 공유 자원 모듈]
│ ├── src/
│ │ ├── img_resizing/
│ │ │ └── index.js
│ │ └── thumbnail/
│ │ └── index.js
│ ├── cloudfront.tf
│ ├── lambda.tf
│ ├── provider.tf
│ ├── s3.tf
│ ├── variables.tf
│ └── outputs.tf
│ └── variables.tf
└── environments/
├── prod/ # [Prod 환경]
│ ├── main.tf
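Review bot: the tree names the environments directory `environments/`, but every file in this PR lives under `environment/` (`environment/global/main.tf`, `environment/prod/main.tf`, and so on); align the README with the real path so operators do not `cd` into a directory that does not exist. Minor: the `shared_resources/` listing shows `src/` but not the `dist/` build output that `.gitignore` now references, so a one-line mention of where the Lambda zips are produced would help.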
Expand All @@ -29,7 +39,11 @@ solid-connection-infra/
│ ├── main.tf
│ ├── provider.tf
│ └── variables.tf
└── monitoring/ # [Monitoring 환경]
├── monitoring/ # [부하테스트 환경]
│ ├── main.tf
│ ├── provider.tf
│ └── variables.tf
Comment on lines +42 to +45
⚠️ Potential issue | 🟡 Minor

Incorrect comment for monitoring environment.

The comment "부하테스트 환경" (load test environment) is duplicated from load_test/. The monitoring/ directory should have its own description, likely "모니터링 환경" or similar.

🔎 Proposed fix
-    ├── monitoring/            # [부하테스트 환경]
+    ├── monitoring/            # [모니터링 환경]
🤖 Prompt for AI Agents
In README.md around lines 42 to 45, the inline comment for the monitoring/
directory incorrectly says "부하테스트 환경" (load test environment); update that
comment to accurately describe the monitoring directory (e.g., "모니터링 환경") so it
no longer duplicates load_test/ and reflects the correct purpose of monitoring/.

└── global/ # [global 공유 환경]
├── main.tf
├── provider.tf
└── variables.tf
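Review bot: the `global/` entry gives no hint of how `default_cdn_web_acl_id`, `upload_cdn_web_acl_id` and the Lambda role/layer inputs are supplied; since `*.tfvars` is ignored and the variables in `environment/global/variables.tf` have no defaults, state in the README where these values come from (the `config/secrets` directory or a tfvars template) so a new operator can plan the global environment without guessing.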
2 changes: 1 addition & 1 deletion config/secrets
25 changes: 25 additions & 0 deletions environment/global/main.tf
@@ -0,0 +1,25 @@
module "shared_resources" {
source = "../../modules/shared_resources"

providers = {
aws = aws
}

s3_default_bucket_name = var.s3_default_bucket_name
s3_upload_bucket_name = var.s3_upload_bucket_name

resizing_img_func_name = var.resizing_img_func_name
resizing_img_func_role = var.resizing_img_func_role
resizing_img_func_handler = var.resizing_img_func_handler
resizing_img_func_runtime = var.resizing_img_func_runtime
resizing_img_func_layers = var.resizing_img_func_layers

thumbnail_generating_func_name = var.thumbnail_generating_func_name
thumbnail_generating_func_role = var.thumbnail_generating_func_role
thumbnail_generating_func_handler = var.thumbnail_generating_func_handler
thumbnail_generating_func_runtime = var.thumbnail_generating_func_runtime
thumbnail_generating_func_layers = var.thumbnail_generating_func_layers

default_cdn_web_acl_id = var.default_cdn_web_acl_id
upload_cdn_web_acl_id = var.upload_cdn_web_acl_id
}
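Review bot: the module receives the Lambda execution roles (`resizing_img_func_role`, `thumbnail_generating_func_role`) and the WAF ACL ids as opaque strings, so the roles' trust and permission policies are invisible to review and cannot be checked for least privilege here. Prefer creating the execution roles inside `shared_resources` (or a sibling IAM module) and passing only the bucket names, so the role that reads from `s3_upload_bucket_name` and writes the resized object can be scoped to exactly those two buckets in code rather than in a console-managed policy.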
21 changes: 21 additions & 0 deletions environment/global/provider.tf
@@ -0,0 +1,21 @@
terraform {
required_version = ">= 1.0.0"

required_providers {
aws = {
source = "hashicorp/aws"
version = "~> 5.0"
}
}
}

provider "aws" {
region = "ap-northeast-2"

default_tags {
tags = {
Project = "solid-connection"
Environment = "global"
}
}
}
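Review bot: there is no `backend` block, so state for the global environment is local; that state records every variable value plus the distribution and OAC ids, and keeping it out of git (the `.gitignore` context ignores `*.tfstate.backup`) is not the same as protecting it. Add a remote backend with encryption and locking (for example an S3 backend with `encrypt = true` and DynamoDB locking) before this environment is applied from more than one machine; `required_version` and the `~> 5.0` provider pin are fine.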
71 changes: 71 additions & 0 deletions environment/global/variables.tf
@@ -0,0 +1,71 @@
# [S3 버킷 관련 변수]
variable "s3_default_bucket_name" {
description = "Name of the default S3 bucket"
type = string
}

variable "s3_upload_bucket_name" {
description = "Name of the upload S3 bucket"
type = string
}

# [Lambda 관련 변수]
variable "resizing_img_func_name" {
description = "Image Resizing function name for uploaded s3 file"
type = string
}

variable "resizing_img_func_role" {
description = "Image Resizing function role for uploaded s3 file"
type = string
}

variable "resizing_img_func_handler" {
description = "Image Resizing function handler for uploaded s3 file"
type = string
}

variable "resizing_img_func_runtime" {
description = "Image Resizing function runtime for uploaded s3 file"
type = string
}

variable "thumbnail_generating_func_name" {
description = "Thumbnail generating function name for uploaded s3 file"
type = string
}

variable "thumbnail_generating_func_role" {
description = "Thumbnail generating function role for uploaded s3 file"
type = string
}

variable "thumbnail_generating_func_handler" {
description = "Thumbnail generating function handler for uploaded s3 file"
type = string
}

variable "thumbnail_generating_func_runtime" {
description = "Thumbnail generating function runtime for uploaded s3 file"
type = string
}

variable "resizing_img_func_layers" {
description = "Layers For Image Resizing func"
type = list(string)
}

variable "thumbnail_generating_func_layers" {
description = "Layers For Image Resizing func"
type = list(string)
}
Comment on lines +58 to +61
⚠️ Potential issue | 🟡 Minor

Copy-paste error in variable description.

The description says "Layers For Image Resizing func" but this variable is for thumbnail_generating_func_layers, not the resizing function.

🔎 Recommended fix
 variable "thumbnail_generating_func_layers" {
-  description = "Layers For Image Resizing func"
+  description = "Layers For Thumbnail Generating func"
   type = list(string)
 }
🤖 Prompt for AI Agents
In environment/global/variables.tf around lines 58 to 61, the variable
description incorrectly references the image resizing function ("Layers For
Image Resizing func") while the variable is named
thumbnail_generating_func_layers; update the description to accurately describe
this variable (e.g., mention thumbnail generating function layers or thumbnail
generation) so the description matches the variable's purpose and intent.


variable "default_cdn_web_acl_id" {
description = "WAF Web ACL Id for Default Cloudfront CDN"
type = string
}

variable "upload_cdn_web_acl_id" {
description = "WAF Web ACL Id for Upload Cloudfront CDN"
type = string
}
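Review bot: `default_cdn_web_acl_id` and `upload_cdn_web_acl_id` are bare `string` variables with no `validation` block; CloudFront's `web_acl_id` expects a WAFv2 web ACL ARN with CLOUDFRONT scope (created in us-east-1) or a WAF Classic id, and a wrong value only fails at apply. A `validation { condition = can(regex("^arn:aws:wafv2:us-east-1:", var.default_cdn_web_acl_id)) ... }` surfaces the mistake at plan time. The two `*_func_role` descriptions should also say whether an ARN or a role name is expected, since the consuming resource in `lambda.tf` is not in this diff.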
4 changes: 0 additions & 4 deletions environment/prod/main.tf
Expand Up @@ -41,8 +41,4 @@ module "prod_stack" {
domain_name = var.domain_name
cert_email = var.cert_email
nginx_conf_name = var.nginx_conf_name

# S3 버킷 이름 전달
s3_default_bucket_name = var.s3_default_bucket_name
s3_upload_bucket_name = var.s3_upload_bucket_name
}
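Review bot: dropping the two S3 inputs from `prod_stack` is consistent with moving the buckets into `shared_resources`, but check that nothing in `modules/app_stack` (an EC2 instance-profile policy granting bucket access, for instance) still reads `var.s3_default_bucket_name` or `var.s3_upload_bucket_name`; any remaining reference becomes an undeclared-variable error at plan time now that the module variables are deleted. If the app servers do need the bucket names, pull them from the global environment's outputs via `terraform_remote_state` rather than re-declaring them by hand. The same applies to `environment/stage/main.tf`.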
10 changes: 0 additions & 10 deletions environment/prod/variables.tf
Expand Up @@ -93,13 +93,3 @@ variable "nginx_conf_name" {
description = "Nginx conf name for the prod environment"
type = string
}

variable "s3_default_bucket_name" {
description = "Name of the default S3 bucket"
type = string
}

variable "s3_upload_bucket_name" {
description = "Name of the upload S3 bucket"
type = string
}
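Review bot: after these declarations are removed, any prod tfvars or `config/secrets` material that still sets `s3_default_bucket_name` or `s3_upload_bucket_name` will raise "Value for undeclared variable" warnings on every plan; remove the keys from those files in the same change so a noisy warning does not hide a real one. Same for the stage environment.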
4 changes: 0 additions & 4 deletions environment/stage/main.tf
Expand Up @@ -41,8 +41,4 @@ module "stage_stack" {
domain_name = var.domain_name
cert_email = var.cert_email
nginx_conf_name = var.nginx_conf_name

# S3 버킷 이름 전달
s3_default_bucket_name = var.s3_default_bucket_name
s3_upload_bucket_name = var.s3_upload_bucket_name
}
10 changes: 0 additions & 10 deletions environment/stage/variables.tf
Expand Up @@ -93,13 +93,3 @@ variable "nginx_conf_name" {
description = "Nginx conf name for the stage environment"
type = string
}

variable "s3_default_bucket_name" {
description = "Name of the default S3 bucket"
type = string
}

variable "s3_upload_bucket_name" {
description = "Name of the upload S3 bucket"
type = string
}
11 changes: 0 additions & 11 deletions modules/app_stack/variables.tf
Expand Up @@ -103,14 +103,3 @@ variable "nginx_conf_name" {
description = "Nginx config filename"
type = string
}

# [S3 버킷 관련 변수]
variable "s3_default_bucket_name" {
description = "Name of the default S3 bucket"
type = string
}

variable "s3_upload_bucket_name" {
description = "Name of the upload S3 bucket"
type = string
}
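Review bot: this deletion is only complete if `security_groups.tf`, `ec2.tf` and `rds.tf` in the same module contain no remaining `var.s3_*` references; a `terraform validate` run against `modules/app_stack` in CI would catch a stale reference before it reaches an environment plan.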
97 changes: 97 additions & 0 deletions modules/shared_resources/cloudfront.tf
@@ -0,0 +1,97 @@
# 1. CDN for Default Bucket
resource "aws_cloudfront_distribution" "default_cdn" {
enabled = true
is_ipv6_enabled = true
comment = "solid-connection s3 default cloudfront"
price_class = "PriceClass_All"
http_version = "http2"

web_acl_id = var.default_cdn_web_acl_id

tags = {
"Name" = "solid-connection s3 default cloudfront"
}

origin {
domain_name = "${var.s3_default_bucket_name}.s3.ap-northeast-2.amazonaws.com"
origin_id = "${var.s3_default_bucket_name}.s3.ap-northeast-2.amazonaws.com-mjo1g7tk2w8" # 기존 ID 유지
origin_access_control_id = "E14M8OP55A3YO7"
⚠️ Potential issue | 🟠 Major

Hard-coded Origin Access Control ID prevents Terraform management.

The origin_access_control_id is hard-coded, which means this OAC resource was created outside of Terraform. This prevents proper infrastructure-as-code management and could lead to drift.

🔎 Recommended fix: Import or create OAC resource

Option 1: Import existing OAC (recommended for migration)

Add a data source to reference the existing OAC:

+data "aws_cloudfront_origin_access_control" "default_oac" {
+  id = "E14M8OP55A3YO7"
+}
+
 resource "aws_cloudfront_distribution" "default_cdn" {
   # ...
   origin {
     domain_name              = "${var.s3_default_bucket_name}.s3.ap-northeast-2.amazonaws.com"
     origin_id                = "${var.s3_default_bucket_name}.s3.ap-northeast-2.amazonaws.com-mjo1g7tk2w8"
-    origin_access_control_id = "E14M8OP55A3YO7"
+    origin_access_control_id = data.aws_cloudfront_origin_access_control.default_oac.id

Option 2: Create new OAC resource

resource "aws_cloudfront_origin_access_control" "default_oac" {
  name                              = "solid-connection-default-oac"
  origin_access_control_origin_type = "s3"
  signing_behavior                  = "always"
  signing_protocol                  = "sigv4"
}

Then reference it:

-    origin_access_control_id = "E14M8OP55A3YO7"
+    origin_access_control_id = aws_cloudfront_origin_access_control.default_oac.id

🧰 Tools
🪛 Gitleaks (8.30.0)

[high] 18-18: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.

(generic-api-key)


connection_attempts = 3
connection_timeout = 10
}

default_cache_behavior {
target_origin_id = "${var.s3_default_bucket_name}.s3.ap-northeast-2.amazonaws.com-mjo1g7tk2w8" # 위 origin_id와 같아야 함
viewer_protocol_policy = "redirect-to-https"
compress = true

allowed_methods = ["GET", "HEAD"]
cached_methods = ["GET", "HEAD"]

cache_policy_id = "658327ea-f89d-4fab-a63d-7e88639e58f6"

smooth_streaming = false
}

restrictions {
geo_restriction {
restriction_type = "none"
locations = []
}
}

viewer_certificate {
cloudfront_default_certificate = true
minimum_protocol_version = "TLSv1"
}
Comment on lines +44 to +47
⚠️ Potential issue | 🟠 Major

TLSv1 is deprecated and insecure.

The minimum TLS protocol version is set to TLSv1, which has known security vulnerabilities and is deprecated. AWS recommends TLSv1.2 as the minimum.

🔎 Recommended security fix
   viewer_certificate {
     cloudfront_default_certificate = true
-    minimum_protocol_version       = "TLSv1"
+    minimum_protocol_version       = "TLSv1.2_2021"
   }
🤖 Prompt for AI Agents
In modules/shared_resources/cloudfront.tf around lines 44 to 47, the
viewer_certificate block sets minimum_protocol_version = "TLSv1", which is
deprecated; update it to use TLSv1.2 by changing minimum_protocol_version to
"TLSv1.2_2018" (or the latest TLSv1.2 policy) and, if you require a custom
certificate, set cloudfront_default_certificate = false and reference an ACM
certificate via acm_certificate_arn; ensure the certificate option and protocol
string are valid for the CloudFront distribution.

}

# 2. CDN for Upload Bucket
resource "aws_cloudfront_distribution" "upload_cdn" {
enabled = true
is_ipv6_enabled = true
comment = "solid-connection s3 upload cloudfront"
price_class = "PriceClass_All"
http_version = "http2"

web_acl_id = var.upload_cdn_web_acl_id

tags = {
"Name" = "solid-connection s3 upload cloudfront"
}

origin {
domain_name = "${var.s3_upload_bucket_name}.s3.ap-northeast-2.amazonaws.com"
origin_id = "${var.s3_upload_bucket_name}.s3.ap-northeast-2.amazonaws.com-mjo1jpx6rvc"
origin_access_control_id = "E1ZBB5RMSBZQ4I"
⚠️ Potential issue | 🟠 Major

Hard-coded Origin Access Control ID prevents Terraform management.

Same issue as the default_cdn distribution - the OAC ID is hard-coded. This should be managed through Terraform for consistency and infrastructure-as-code best practices.

🔎 Recommended fix: Import or create OAC resource

Option 1: Import existing OAC

+data "aws_cloudfront_origin_access_control" "upload_oac" {
+  id = "E1ZBB5RMSBZQ4I"
+}
+
 resource "aws_cloudfront_distribution" "upload_cdn" {
   # ...
   origin {
     domain_name              = "${var.s3_upload_bucket_name}.s3.ap-northeast-2.amazonaws.com"
     origin_id                = "${var.s3_upload_bucket_name}.s3.ap-northeast-2.amazonaws.com-mjo1jpx6rvc"
-    origin_access_control_id = "E1ZBB5RMSBZQ4I"
+    origin_access_control_id = data.aws_cloudfront_origin_access_control.upload_oac.id

Option 2: Create new OAC resource

resource "aws_cloudfront_origin_access_control" "upload_oac" {
  name                              = "solid-connection-upload-oac"
  origin_access_control_origin_type = "s3"
  signing_behavior                  = "always"
  signing_protocol                  = "sigv4"
}

connection_attempts = 3
connection_timeout = 10
}

default_cache_behavior {
target_origin_id = "${var.s3_upload_bucket_name}.s3.ap-northeast-2.amazonaws.com-mjo1jpx6rvc"
viewer_protocol_policy = "redirect-to-https"
compress = true

allowed_methods = ["GET", "HEAD"]
cached_methods = ["GET", "HEAD"]

cache_policy_id = "658327ea-f89d-4fab-a63d-7e88639e58f6"

smooth_streaming = false
}

restrictions {
geo_restriction {
restriction_type = "none"
locations = []
}
}

viewer_certificate {
cloudfront_default_certificate = true
minimum_protocol_version = "TLSv1"
}
Comment on lines +93 to +96
⚠️ Potential issue | 🟠 Major

TLSv1 is deprecated and insecure.

Same security issue as default_cdn - TLSv1 should be upgraded to at least TLSv1.2_2021.

🔎 Recommended security fix
   viewer_certificate {
     cloudfront_default_certificate = true
-    minimum_protocol_version       = "TLSv1"
+    minimum_protocol_version       = "TLSv1.2_2021"
   }
🤖 Prompt for AI Agents
In modules/shared_resources/cloudfront.tf around lines 93 to 96, the
viewer_certificate block sets minimum_protocol_version = "TLSv1" which is
deprecated; change that value to "TLSv1.2_2021" (or a later supported value) so
CloudFront requires TLS 1.2+, and if you need a custom cert switch to
acm_certificate_arn + ssl_support_method accordingly; update any related
tests/plan expectations and re-run terraform plan/apply to verify.

}
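Review bot: the proposed `minimum_protocol_version = "TLSv1.2_2021"` cannot be applied as long as `cloudfront_default_certificate = true` in both `viewer_certificate` blocks; CloudFront only accepts `TLSv1` with the default `*.cloudfront.net` certificate, so raising the floor also requires an ACM certificate in us-east-1, `aliases`, `acm_certificate_arn` and `ssl_support_method = "sni-only"`. The Gitleaks hit on `origin_access_control_id = "E14M8OP55A3YO7"` is a false positive (OAC ids are resource identifiers, not credentials), but adopting the `data "aws_cloudfront_origin_access_control"` fix both silences it and removes the drift risk. Neither distribution has a `logging_config`, so there are no standard access logs to investigate abusive download patterns or WAF misses; add one pointing at a log bucket. The OAC only protects the buckets if the policy in `s3.tf` (not in this diff) limits `s3:GetObject` to `cloudfront.amazonaws.com` with `AWS:SourceArn` set to these two distribution ARNs, so please confirm that. Minor: the hard-coded `cache_policy_id` GUID is the managed CachingOptimized policy and reads better as `data "aws_cloudfront_cache_policy" { name = "Managed-CachingOptimized" }`.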