diff --git a/.github/workflows/cd.yaml b/.github/workflows/cd.yaml
new file mode 100644
index 0000000..a882a2c
--- /dev/null
+++ b/.github/workflows/cd.yaml
@@ -0,0 +1,67 @@
+name: CD
+
+on:
+ push:
+ branches: [main]
+ paths:
+ - "app/**"
+ - "k8s/**"
+ - ".github/workflows/cd.yaml"
+
+permissions:
+ id-token: write
+ contents: write
+
+concurrency:
+ group: prod-deploy
+ cancel-in-progress: true
+
+env:
+ AWS_REGION: eu-west-1
+ ECR_REPOSITORY: data-pipeline-app
+
+jobs:
+ deploy:
+ runs-on: ubuntu-latest
+
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Configure AWS credentials with OIDC
+ uses: aws-actions/configure-aws-credentials@v4
+ with:
+ aws-region: ${{ env.AWS_REGION }}
+ role-to-assume: ${{ vars.AWS_ROLE_TO_ASSUME }}
+
+ - name: Login to ECR
+ id: login-ecr
+ uses: aws-actions/amazon-ecr-login@v2
+
+ - name: Build and push image
+ env:
+ ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
+ IMAGE_TAG: ${{ github.sha }}
+ run: |
+ docker build -t $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG ./app
+ docker push $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG
+
+ - name: Install kustomize
+ run: |
+ curl -sL https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize%2Fv5.4.1/kustomize_v5.4.1_linux_amd64.tar.gz | tar xz
+ sudo mv kustomize /usr/local/bin/kustomize
+
+ - name: Update prod image tag
+ env:
+ ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
+ IMAGE_TAG: ${{ github.sha }}
+ run: |
+ cd k8s/overlays/prod
+ kustomize edit set image data-pipeline-app=$ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG
+
+ - name: Commit manifest change
+ run: |
+ git config user.name "github-actions[bot]"
+ git config user.email "github-actions[bot]@users.noreply.github.com"
+ git add k8s/overlays/prod/kustomization.yaml
+ git commit -m "deploy: image ${{ github.sha }}" || echo "No changes"
+ git push
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
new file mode 100644
index 0000000..2087bd5
--- /dev/null
+++ b/.github/workflows/ci.yaml
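Review bot: The `Install kustomize` step pipes an unverified release tarball straight into `tar xz` and then into `/usr/local/bin`, so a replaced or tampered asset would execute with this job's ECR and repository-write credentials; download to a file and check its digest first, e.g. `curl -sSL -o kustomize.tgz <same URL>`, `echo "<EXPECTED_SHA256>  kustomize.tgz" | sha256sum -c -`, `tar xzf kustomize.tgz`. The same supply-chain concern applies to the `uses:` lines, which pin third-party actions to moving tags (`@v4`, `@v2`) while the workflow holds `id-token: write` and `contents: write`; pinning to a full commit SHA with the tag as a trailing comment is the usual hardening. `cancel-in-progress: true` on the `prod-deploy` group can also abort a run between `docker push` and `git commit`, leaving an image pushed but the overlay untouched, so `false` is usually the safer choice for a production deploy. Finally, `git push` to `main` with the default token will be rejected if branch protection is enabled; a comment on that step stating which push rights the token is expected to have would save the next maintainer a failed run.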
@@ -0,0 +1,37 @@
+name: CI
+
+on:
+ pull_request:
+ branches: [main]
+ paths:
+ - "app/**"
+ - ".github/workflows/ci.yaml"
+ push:
+ branches: [main]
+ paths:
+ - "app/**"
+ - ".github/workflows/ci.yaml"
+
+jobs:
+ test:
+ runs-on: ubuntu-latest
+
+ steps:
+ - uses: actions/checkout@v4
+
+ - uses: actions/setup-python@v5
+ with:
+ python-version: "3.11"
+
+ - name: Install dependencies
+ run: |
+ python -m pip install --upgrade pip
+ pip install -r app/requirements.txt
+ pip install pytest httpx
+
+ - name: Run tests
+ working-directory: app
+ run: pytest -q
+
+ - name: Docker build check
+ run: docker build -t data-pipeline-app-ci ./app
diff --git a/.github/workflows/infra.yaml b/.github/workflows/infra.yaml
new file mode 100644
index 0000000..cb637eb
--- /dev/null
+++ b/.github/workflows/infra.yaml
@@ -0,0 +1,51 @@
+name: Terraform
+
+on:
+ pull_request:
+ branches: [main]
+ paths:
+ - "terraform/**"
+ - ".github/workflows/infra.yaml"
+ push:
+ branches: [main]
+ paths:
+ - "terraform/**"
+ - ".github/workflows/infra.yaml"
+
+permissions:
+ id-token: write
+ contents: read
+
+env:
+ AWS_REGION: eu-west-1
+
+jobs:
+ terraform:
+ runs-on: ubuntu-latest
+ defaults:
+ run:
+ working-directory: terraform
+
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Configure AWS credentials with OIDC
+ uses: aws-actions/configure-aws-credentials@v4
+ with:
+ aws-region: ${{ env.AWS_REGION }}
+ role-to-assume: ${{ vars.AWS_ROLE_TO_ASSUME }}
+
+ - name: Setup Terraform
+ uses: hashicorp/setup-terraform@v3
+
+ - name: Terraform Init
+ run: terraform init
+
+ - name: Terraform Fmt
+ run: terraform fmt -check
+
+ - name: Terraform Validate
+ run: terraform validate
+
+ - name: Terraform Plan
+ run: terraform plan -no-color -input=false
diff --git a/terraform/cicd_gitops.tf b/terraform/cicd_gitops.tf
deleted file mode 100644
index 7c48029..0000000
--- a/terraform/cicd_gitops.tf
+++ /dev/null
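Review bot: The `Install dependencies` step installs `pytest httpx` unpinned and outside `app/requirements.txt`, so the test job is not reproducible and a new upstream release can change or break the build without any change in this repository; pin them in a tracked requirements file and install that here, e.g. `pip install -r app/requirements-dev.txt` (constructed path, adjust to the project layout). As in the other two workflows, `actions/checkout@v4` and `actions/setup-python@v5` are pinned to moving tags; pinning to a full commit SHA with the tag as a trailing comment is the usual hardening for CI that later feeds a deploy.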
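Review bot: `terraform plan` runs on `pull_request` with `id-token: write` and assumes `vars.AWS_ROLE_TO_ASSUME`, which appears to be the same role the CD workflow uses to push production images, so any PR that triggers this workflow runs plan with deploy-grade cloud permissions. If the role's trust policy subject condition is a repo-wide wildcard (the deleted `cicd_gitops.tf` used `repo:…:*`), every branch and PR ref can assume it; a separate read-only plan role, or a job `environment:` with required reviewers for the `push` path, would narrow that. I believe `id-token: write` is also not granted to `pull_request` runs from forks, so the OIDC step will fail there rather than plan; a comment on the `permissions:` block saying so would document the expected behaviour.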
@@ -1,46 +0,0 @@ -# ECR 레포지토리 (eu-west-1 생성) -resource "aws_ecr_repository" "app_repo" { - name = "data-pipeline-app" - image_tag_mutability = "MUTABLE" - force_delete = true -} - -resource "aws_ecr_lifecycle_policy" "app_repo_policy" { - repository = aws_ecr_repository.app_repo.name - policy = jsonencode({ - rules = [{ - rulePriority = 1 - description = "Keep last 30 images" - selection = { tagStatus = "any", countType = "imageCountMoreThan", countNumber = 30 } - action = { type = "expire" } - }] - }) -} - -# GitHub Actions용 OIDC Provider (글로벌 IAM) -resource "aws_iam_openid_connect_provider" "github_actions" { - url = "https://token.actions.githubusercontent.com" - client_id_list = ["sts.amazonaws.com"] - thumbprint_list = ["6938fd4d98bab03faadb97b34396831e3780aea1"] -} - -resource "aws_iam_role" "github_actions_role" { - name = "GitHubActionsDeployRole" - assume_role_policy = jsonencode({ - Version = "2012-10-17" - Statement = [{ - Effect = "Allow" - Principal = { Federated = aws_iam_openid_connect_provider.github_actions.arn } - Action = "sts:AssumeRoleWithWebIdentity" - Condition = { - # [주의] 본인의 GitHub 계정명/레포지토리명으로 수정 필수 - "StringLike" = { "token.actions.githubusercontent.com:sub": "repo:YourGitHubName/YourRepoName:*" } - } - }] - }) -} - -resource "aws_iam_role_policy_attachment" "github_ecr_access" { - role = aws_iam_role.github_actions_role.name - policy_arn = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryPowerUser" -} diff --git a/terraform/variables.tf b/terraform/variables.tf index 0ace1dc..c68014b 100644 --- a/terraform/variables.tf +++ b/terraform/variables.tf @@ -18,13 +18,13 @@ variable "aws_region" { variable "github_owner" { description = "GitHub owner or organization name" type = string - default = "yooseongjin527" + default = "masondev1024" } variable "github_repo" { description = "GitHub repository name" type = string - default = "asac_de2_infra_1st" + default = "my-data-platform" } variable "github_branch" {
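Review bot: The new defaults for `github_owner` and `github_repo` hard-code one account and repository into the module, and since these variables presumably feed the OIDC trust policy's `token.actions.githubusercontent.com:sub` condition, a stale default silently points role assumption at the wrong repository. Consider dropping the `default` so callers must set them explicitly, or at least stating the coupling in the description, e.g. `description = "GitHub owner; must match the repository allowed to assume the GitHub Actions role"`. If the trust condition follows the deleted file's `repo:OWNER/REPO:*` pattern, restricting the deploy role to `repo:OWNER/REPO:ref:refs/heads/main` would keep pull-request refs from assuming it; the hunk shows only the variable defaults, so where the condition now lives is inferred.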