[IaC] Creating AWS IAM and Security Groups with Terraform Modules

2025. 11. 12. 23:56 · Cloud/IaC
 

GitHub - 5a6io/OliveSafety: Cloud Wave 3rd cohort project olivesafety (github.com)

When I did the project at Cloud Wave I worked in the console, so now I want to write it as Terraform code. First I will create the Network-related modules.

📌 Resources needed to build the modules

  • IAM: aws_iam_role, aws_iam_role_policy_attachment
  • Security Group: aws_security_group, aws_vpc_security_group_ingress_rule

โš™๏ธIAM ๋ชจ๋“ˆ

main.tf

# EKS Cluster
resource "aws_iam_role" "cluster" {
  name = "${var.project_name}-cluster-role"
  # Trust policy: only the EKS service may assume this role.
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action = [
          "sts:AssumeRole",
          "sts:TagSession"
        ]
        Effect = "Allow"
        Principal = {
          Service = "eks.amazonaws.com"
        }
      },
    ]
  })

  tags = merge(var.common_tags, {
    Name = "${var.project_name}-cluster-role"
  })
}

resource "aws_iam_role_policy_attachment" "AmazonEKSClusterPolicy" {
  policy_arn = "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy"
  role       = aws_iam_role.cluster.name
}

# EKS Node Group
resource "aws_iam_role" "node" {
  name = "${var.project_name}-node-role"
  # Trust policy: worker nodes are EC2 instances, so EC2 assumes this role.
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Action = "sts:AssumeRole"
      Effect = "Allow"
      Principal = {
        Service = "ec2.amazonaws.com"
      }
    }]
  })

  tags = merge(var.common_tags, {
    Name = "${var.project_name}-node-role"
  })
}

resource "aws_iam_role_policy_attachment" "AmazonEKSWorkerNodePolicy" {
  policy_arn = "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy"
  role       = aws_iam_role.node.name
}

resource "aws_iam_role_policy_attachment" "AmazonEKS_CNI_Policy" {
  policy_arn = "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"
  role       = aws_iam_role.node.name
}

resource "aws_iam_role_policy_attachment" "AmazonEC2ContainerRegistryReadOnly" {
  policy_arn = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
  # Attaches to the node role defined above.
  role       = aws_iam_role.node.name
}

variables.tf

variable "project_name" {
  type = string
}

variable "common_tags" {
  type = map(string)
  default = {}
}

์œ„์—์„œ๋Š” role๋งŒ ๋งŒ๋“ค์—ˆ์ง€๋งŒ ์ด์™ธ์—๋„ user๋‚˜ group๋„ ๊ฐ€๋Šฅํ•˜๋‹ค. ๊ทธ๋ ‡์ง€๋งŒ ๋‚˜๋Š” ๋ฆฌ์†Œ์Šค์— ๋Œ€ํ•œ role๋งŒ ํ•„์š”ํ•˜๊ธฐ ๋•Œ๋ฌธ์— role์„ ์ž‘์„ฑํ–ˆ๋‹ค.์šฐ์„  EKS ํด๋Ÿฌ์Šคํ„ฐ์™€ ๋…ธ๋“œ ๊ด€๋ จ Role๋งŒ ์ •๋ฆฌํ•ด๋‘์—ˆ๋‹ค. ์ถ”ํ›„์— ๋” ํ•„์š”ํ•œ role์ด ์žˆ๋‹ค๋ฉด ์ถ”๊ฐ€ํ•  ์˜ˆ์ •์ด๋‹ค. ๊ทธ๋ฆฌ๊ณ  outputs.tf๋„ ํ•„์š”ํ•˜๋‹ค๋ฉด ์ถ”๊ฐ€ํ•  ์˜ˆ์ •์ด๋‹ค.

โš™๏ธSecurity Group ๋ชจ๋“ˆ

main.tf

# EKS
resource "aws_security_group" "sg_eks" {
  name   = "${var.project_name}-sg-eks"
  vpc_id = var.vpc_id

  tags = merge(var.common_tags, {
    Name = "${var.project_name}-sg-eks"
  })
}

resource "aws_vpc_security_group_ingress_rule" "eks_ingress" {
  security_group_id = aws_security_group.sg_eks.id
  # Exactly one source is required: cidr_ipv4, cidr_ipv6, prefix_list_id
  # or referenced_security_group_id. Placeholder: replace with the allowed range.
  cidr_ipv4   = "<allowed CIDR>"
  from_port   = "포트 번호" # placeholder: port number
  ip_protocol = "tcp"
  to_port     = "포트 번호" # placeholder: port number
  tags = merge(var.common_tags, {
    Name = "${var.project_name}-eks-ingress"
  })
}

# RDS
resource "aws_security_group" "sg_rds" {
  name   = "${var.project_name}-sg-rds"
  vpc_id = var.vpc_id
  tags = merge(var.common_tags, {
    Name = "${var.project_name}-sg-rds"
  })
}

resource "aws_vpc_security_group_ingress_rule" "rds_ingress" {
  security_group_id = aws_security_group.sg_rds.id
  # Source: only the EKS security group may reach the database
  # (assumes the database is consumed by the EKS workloads).
  referenced_security_group_id = aws_security_group.sg_eks.id
  from_port   = "포트 번호" # placeholder: port number
  ip_protocol = "tcp"
  to_port     = "포트 번호" # placeholder: port number
  tags = merge(var.common_tags, {
    Name = "${var.project_name}-rds-ingress"
  })
}

outputs.tf

output "sg_eks" {
  value = aws_security_group.sg_eks.id
}

output "sg_rds" {
  value = aws_security_group.sg_rds.id
}

variables.tf

variable "project_name" {
  type = string
}

variable "common_tags" {
  type = map(string)
  default = {}
}

variable "vpc_id" {
  type = string
}

📌 Creating the modules

02-security.tf

module "iam" {
  source = "../modules/security/iam"
  project_name = var.project_name
  common_tags = var.common_tags
}

module "sg" {
  source = "../modules/security/security-group"
  project_name = var.project_name
  common_tags = var.common_tags
  vpc_id = module.vpc.vpc_id
}

Call the modules you want to use like this. When another module needs their values, reference them as module.iam or module.sg.
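Before applying 02-security.tf, the plan can be reviewed for the two risks these modules can introduce: an IAM role whose trust policy admits an unexpected principal, and an ingress rule with no source or a 0.0.0.0/0 source. The script below is an added example, not code from the post or the linked repositories. It assumes the JSON layout that `terraform show -json tfplan` produces (resource_changes[].change.after and after_unknown); the names EXPECTED_TRUST, SOURCE_KEYS, scan_plan and the constructed SAMPLE_PLAN are all assumptions of this example, mirroring the post's two roles and two ingress rules.

```python
"""Pre-apply review of the IAM roles and security-group ingress rules the
iam/sg modules create, read from `terraform show -json tfplan` output.

Added example, not code from the original post. Assumes Terraform's documented
plan JSON layout (resource_changes[].change.after / after_unknown).
"""
import ipaddress
import json

# Service principals the post's cluster and node roles are meant to trust (assumption).
EXPECTED_TRUST = {"eks.amazonaws.com", "ec2.amazonaws.com"}
# aws_vpc_security_group_ingress_rule requires exactly one of these.
SOURCE_KEYS = ("cidr_ipv4", "cidr_ipv6", "prefix_list_id", "referenced_security_group_id")


def check_ingress_rule(address, after, after_unknown):
    """Flag rules with no/ambiguous source, world-open CIDRs, or all protocols."""
    findings = []
    # A source that only resolves at apply time (another SG's id) appears in
    # after_unknown instead of after, so count both to avoid false positives.
    sources = [k for k in SOURCE_KEYS if after.get(k) or after_unknown.get(k)]
    if len(sources) != 1:
        findings.append(f"{address}: exactly one source required, got {sources or 'none'}")
    for key in ("cidr_ipv4", "cidr_ipv6"):
        cidr = after.get(key)
        if cidr and ipaddress.ip_network(cidr, strict=False).prefixlen == 0:
            findings.append(f"{address}: {key}={cidr} is open to the internet")
    if after.get("ip_protocol") == "-1":
        findings.append(f"{address}: all protocols and ports allowed")
    return findings


def check_trust_policy(address, after):
    """Flag roles whose trust policy admits '*' or a service outside EXPECTED_TRUST."""
    try:
        doc = json.loads(after.get("assume_role_policy") or "")
    except json.JSONDecodeError:
        return [f"{address}: assume_role_policy is not valid JSON"]
    findings = []
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            findings.append(f"{address}: trust policy allows any principal")
            continue
        services = principal.get("Service", []) if isinstance(principal, dict) else []
        for svc in ([services] if isinstance(services, str) else services):
            if svc not in EXPECTED_TRUST:
                findings.append(f"{address}: unexpected trusted service {svc}")
    return findings


def scan_plan(plan):
    """Walk resource_changes and collect findings for resources being created or updated."""
    findings = []
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        if change.get("actions") == ["delete"]:
            continue  # a pure deletion grants nothing new
        after = change.get("after") or {}
        unknown = change.get("after_unknown") or {}
        if rc.get("type") == "aws_vpc_security_group_ingress_rule":
            findings += check_ingress_rule(rc["address"], after, unknown)
        elif rc.get("type") == "aws_iam_role":
            findings += check_trust_policy(rc["address"], after)
    return findings


def _trust(services, action):
    return json.dumps({"Version": "2012-10-17", "Statement": [
        {"Action": action, "Effect": "Allow", "Principal": {"Service": services}}]})


# Constructed sample plan: the post's two roles plus two ingress rules, the EKS
# one given 0.0.0.0/0 as its source and the RDS one referencing the EKS SG.
SAMPLE_PLAN = {"format_version": "1.2", "resource_changes": [
    {"address": "module.iam.aws_iam_role.cluster", "type": "aws_iam_role", "change": {
        "actions": ["create"], "after": {"assume_role_policy": _trust(
            "eks.amazonaws.com", ["sts:AssumeRole", "sts:TagSession"])}}},
    {"address": "module.iam.aws_iam_role.node", "type": "aws_iam_role", "change": {
        "actions": ["create"], "after": {"assume_role_policy": _trust(
            "ec2.amazonaws.com", "sts:AssumeRole")}}},
    {"address": "module.sg.aws_vpc_security_group_ingress_rule.eks_ingress",
     "type": "aws_vpc_security_group_ingress_rule", "change": {
         "actions": ["create"],
         "after": {"cidr_ipv4": "0.0.0.0/0", "from_port": 443, "to_port": 443, "ip_protocol": "tcp"},
         "after_unknown": {"id": True, "security_group_id": True}}},
    {"address": "module.sg.aws_vpc_security_group_ingress_rule.rds_ingress",
     "type": "aws_vpc_security_group_ingress_rule", "change": {
         "actions": ["create"],
         "after": {"from_port": 3306, "to_port": 3306, "ip_protocol": "tcp"},
         "after_unknown": {"id": True, "security_group_id": True,
                           "referenced_security_group_id": True}}},
]}

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            plan = json.load(fh)
    else:
        plan = SAMPLE_PLAN
    results = scan_plan(plan)
    print("\n".join(results) or "no findings")
    sys.exit(1 if results else 0)
```

Run it as `terraform plan -out tfplan && terraform show -json tfplan > tfplan.json && python check_plan.py tfplan.json`; a non-zero exit lets a CI step stop the apply. On the constructed plan only the EKS rule is reported, because the RDS rule's referenced_security_group_id is known only at apply time and is found in after_unknown rather than after.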


๋‹ค์Œ์—๋Š” EKS์™€ ECS์— ๋Œ€ํ•ด์„œ ์ž‘์„ฑํ•˜๊ณ ์ž ํ•œ๋‹ค. EKS๋Š” Cloud Wave ํ”„๋กœ์ ํŠธ์—์„œ ํ•œ ๋‚ด์šฉ์„ ๊ธฐ๋ฐ˜์œผ๋กœ ์ž‘์„ฑํ•˜๊ฒ ๋‹ค. ๊ทธ๋ฆฌ๊ณ  ECS๋Š” ์ตœ๊ทผ Softbank Hackathon์—์„œ ์ˆ˜ํ–‰ํ•œ ๋‚ด์šฉ์„ ๊ธฐ๋ฐ˜์œผ๋กœ ํ•˜๊ฒ ๋‹ค.

The code I wrote can be found on GitHub below.

 

GitHub - 5a6io/Cloud-Wave-Project-Terraform: Cloud Wave 3rd cohort project Terraform code (github.com)

์ €์ž‘์žํ‘œ์‹œ ๋น„์˜๋ฆฌ ๋ณ€๊ฒฝ๊ธˆ์ง€ (์ƒˆ์ฐฝ์—ด๋ฆผ)
