feat: Update IaC code & move tfstate to an S3 backend & create GitHub Actions workflow #25
- Declare an enable_rds variable for the RDS part of app_stack
- Configure whether RDS exists for prod/stage accordingly

- Generate terraform plan results for PRs
- Create a terraform apply job on PR merge
- Disable coderabbitai automatic code review and trigger the code review after terraform plan
Walkthrough: This PR adds a CodeRabbit configuration (.coderabbit.yaml) and introduces Terraform plan/apply GitHub Actions workflows (.github/workflows/terraform-plan.yml, .github/workflows/terraform-apply.yml). bootstrap gains an S3 tfstate bucket, an IAM role and OIDC provider, outputs and provider configuration, and each environment (global, monitoring, prod, stage) gets a Terraform required_version and an S3 backend. The prod environment workflow and its plan step include RDS access logic through SSM port forwarding. Module changes add an iam_instance_profile input to EC2, make the RDS-related resources and variables conditional on var.enable_rds or remove them, and adjust some MySQL provider settings and security group/bucket notification references.
Actionable comments posted: 8
🧹 Nitpick comments (2)
bootstrap/iam.tf (1)
57-77: Common tags missing on IAM resources. Per the coding guidelines, every AWS resource must carry the tags Project = "solid-connection" and Env. The tags are missing on aws_iam_role.github_actions and on the aws_iam_policy resources.

🏷️ Example of adding the tags:

```diff
 resource "aws_iam_role" "github_actions" {
   name        = "GitHubActionsTerraformRole"
   description = "IAM Role for GitHub Actions terraform plan/apply via OIDC"
+
+  tags = {
+    Project = "solid-connection"
+    Env     = "bootstrap"
+  }
   assume_role_policy = jsonencode({
```

```diff
 resource "aws_iam_policy" "github_actions_infra" {
   name        = "GitHubActionsTerraformInfraPolicy"
   description = "For GitHub Actions terraform apply: AWS infrastructure management"
+
+  tags = {
+    Project = "solid-connection"
+    Env     = "bootstrap"
+  }
   policy = jsonencode({
```

As per coding guidelines: "Apply common tags to all AWS resources: Project = "solid-connection" and Env = "<environment-name>" for tracking and organization". Also applies to: 103-146
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@bootstrap/iam.tf` around lines 57 - 77, The IAM resources are missing the required common tags; update aws_iam_role.github_actions to include a tags block setting Project = "solid-connection" and Env = var.env (or the appropriate environment variable), and likewise add the same tags block to the aws_iam_policy resources referenced later (aws_iam_policy resource(s) around lines 103-146); ensure you merge these tags with any existing tags rather than overwriting, and use the same tag keys/values consistently across these IAM resources.
modules/app_stack/variables.tf (1)
49-60: Recommend changing the db_username/db_password defaults from the empty string to null. An empty string "" can be treated as a valid value, which makes a genuinely missing credential hard to detect when enable_rds = true. With a null default, Terraform's type checking is clearer when the variable is not set.

♻️ Suggested change:

```diff
 variable "db_username" {
   description = "DB 마스터 사용자명"
   type        = string
-  default     = ""
+  default     = null
 }

 variable "db_password" {
   description = "DB 마스터 비밀번호"
   type        = string
   sensitive   = true
-  default     = ""
+  default     = null
 }
```

Alternatively, consider adding a validation block that makes the credentials mandatory when enable_rds = true.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@modules/app_stack/variables.tf` around lines 49 - 60, Change the db_username/db_password variable defaults from empty string to null and add validation that enforces credentials when enable_rds is true: set default = null for variable "db_username" and "db_password", then add a validation block that checks when var.enable_rds is true then var.db_username and var.db_password are not null/empty (e.g., var.enable_rds ? (var.db_username != null && length(var.db_username) > 0 && var.db_password != null && length(var.db_password) > 0) : true) so missing credentials are caught during plan/apply.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/workflows/terraform-apply.yml:
- Around line 118-138: The step that starts the SSM tunnel is too optimistic:
ensure EC2_ID and RDS_HOST are non-empty and fail fast if they are; start the
SSM session (the aws ssm start-session invocation that backgrounded writes
SSM_PID to GITHUB_ENV) and immediately verify the session is still running (use
the saved SSM_PID) and the forwarded socket is reachable by actually testing a
MySQL/TCP handshake against 127.0.0.1:3306 rather than only nc -z, with a
configurable timeout; if the session dies or the port never accepts connections
within the timeout, exit non-zero so the job fails early. Reference symbols to
change: EC2_ID, RDS_HOST, aws ssm start-session (document-name
AWS-StartPortForwardingSessionToRemoteHost), SSM_PID, and the timeout/nc
readiness check.
- Around line 47-50: The pipeline allows
apply-global/apply-prod/apply-stage/apply-monitoring to run before
apply-bootstrap finishes when both bootstrap/** and env dirs change; update each
of those jobs (symbols: apply-global, apply-prod, apply-stage, apply-monitoring)
to declare needs: [detect-changes, apply-bootstrap] and keep their existing if
conditions (e.g., needs.detect-changes.outputs.<env> == 'true') so they will
wait for apply-bootstrap to complete when bootstrap changes; apply the same
change to all repeated job blocks referenced in the comment.
In @.github/workflows/terraform-plan.yml:
- Around line 74-86: The workflow currently reads the full
bootstrap/plan_output.txt and posts it directly via the "Post Plan Comment" step
using github.rest.issues.createComment (variable truncated), which can leak
secrets; change this to never post raw plan text: instead either (A) upload the
full plan as a workflow artifact and post only a short safe summary, or (B) run
a redaction pass over the plan content (detect common sensitive keys like
"password", "secret", "token", "private_key", "aws_secret_access_key",
provider-specific sensitive markers) and replace values with "[REDACTED]" before
assigning to truncated and calling github.rest.issues.createComment; ensure
bootstrap/plan_output.txt is written with terraform plan -out and terraform show
-json if using structured redaction, and update the script referencing truncated
and github.rest.issues.createComment to use the sanitized summary or artifact
link instead of the raw plan.
- Around line 157-177: The current step only checks the local port (127.0.0.1:3306) and does not verify that the SSM session is actually alive or that the looked-up values (RDS_HOST, EC2_ID) are valid, so if the session terminates right away or a lookup returns an empty value, the later terraform plan can fail; fix this by checking that EC2_ID and RDS_HOST are non-empty before running start-session (refs: EC2_ID, RDS_HOST), checking whether the aws ssm start-session call succeeded and the state of the returned session/process (refs: SSM_PID and AWS-StartPortForwardingSessionToRemoteHost) so that the background process has not exited immediately, verifying session persistence beyond the local port check with aws ssm describe-sessions or by checking that the PID is alive, and aborting the workflow on failure.
In `@bootstrap/iam.tf`:
- Around line 102-146: The aws_iam_policy resource github_actions_infra
currently grants overly broad privileges (wildcard Actions like "s3:*", "ec2:*",
"rds:*", combined with Resource = "*"); update the policy in the
github_actions_infra resource to follow least-privilege: replace wildcard
Actions with only the specific API calls required by your GitHub Actions
terraform workflows, restrict Resource values to exact ARNs (or scoped prefixes)
instead of "*", and split high-risk permissions (e.g., IAM, KMS, SSM) into
separate narrowly-scoped statements; if full wildcard access is intentional, add
a clear comment/ADR referencing the risk acceptance and justification.
- Around line 51-55: The aws_iam_openid_connect_provider resource
(aws_iam_openid_connect_provider.github) currently hardcodes a single thumbprint
in thumbprint_list which is brittle for certificate rotation; update the
thumbprint_list to include both known GitHub OIDC thumbprints so AWS has a
fallback during rotation (e.g., add the second thumbprint alongside
"6938fd4d..."), ensuring the list is non-empty and contains the additional
thumbprint "1c58a3a8..."; modify only the thumbprint_list attribute on the
aws_iam_openid_connect_provider.github resource to include both values.
In `@bootstrap/provider.tf`:
- Around line 23-27: 현재 provider.tf의 default_tags 블록(tags = { Project =
"solid-connection" })에 Env 태그가 누락되어 있으므로 default_tags.tags에 Env 키를 추가하고 값은 환경별
변수로 설정하세요 (예: use var.env); 만약 변수 env가 정의되어 있지 않다면 variable "env" (type =
string, 설명 포함) 를 추가하고 필요한 tfvars/워크스페이스 값으로 전달하도록 수정하세요; 변경 대상 식별자:
default_tags, tags, 변수명 env.
In `@bootstrap/s3.tf`:
- Around line 1-7: The S3 tfstate resource aws_s3_bucket.tfstate is missing the
required common tags; add a tags block to that resource with Project =
"solid-connection" and Env set from the environment variable used elsewhere
(e.g., var.env or local.env) so it follows the tagging convention; update the
resource aws_s3_bucket.tfstate to include tags { Project = "solid-connection"
Env = <existing env variable> } ensuring you reuse the same variable name used
across other resources.
📒 Files selected for processing (22)
- .coderabbit.yaml
- .github/workflows/terraform-apply.yml
- .github/workflows/terraform-plan.yml
- bootstrap/iam.tf
- bootstrap/outputs.tf
- bootstrap/provider.tf
- bootstrap/s3.tf
- config/secrets
- environment/global/provider.tf
- environment/monitoring/provider.tf
- environment/prod/main.tf
- environment/prod/provider.tf
- environment/prod/variables.tf
- environment/stage/main.tf
- environment/stage/provider.tf
- environment/stage/variables.tf
- modules/app_stack/ec2.tf
- modules/app_stack/provider.tf
- modules/app_stack/rds.tf
- modules/app_stack/security_groups.tf
- modules/app_stack/variables.tf
- modules/shared_resources/lambda.tf
💤 Files with no reviewable changes (1)
- modules/app_stack/provider.tf
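The plan-leak finding above (terraform-plan.yml, "Post Plan Comment") asks that the raw plan never be posted. The following is an added example, not the workflow's own script: it implements option (B) from the finding, a redaction pass over `terraform plan -no-color` text, and builds the short marker-prefixed summary that the later commits describe. `SAMPLE_PLAN`, the `TYPE_SENSITIVE` table and the comment layout are assumptions made for the example, not taken from the repository.

```python
"""Redact a Terraform plan before any of it reaches a PR comment.

Added example, not the workflow's own "Post Plan Comment" script. It follows
the review's option (B): mask the values of sensitive-looking attributes in the
text `terraform plan -no-color` prints, then post only a short summary (counts,
resources that must be replaced, a pointer to the artifact holding the
redacted full plan). SAMPLE_PLAN is constructed to mirror the shape of real
plan output and is not output from this repository.
"""
import re

# An attribute line inside a resource block: indent, change sign, key, =, value.
ATTR = re.compile(r'^(?P<indent>\s*)(?P<sign>[-+~]?\s*)(?P<key>"?[\w./-]+"?)'
                  r'(?P<sep>\s*=\s*)(?P<value>.+)$')
RESOURCE = re.compile(r'resource "(?P<type>[\w-]+)" "')
TOTALS = re.compile(r"Plan: (\d+) to add, (\d+) to change, (\d+) to destroy\.")
REPLACED = re.compile(r"# (\S+) must be replaced")

# Names that are sensitive in any resource, plus attributes that are sensitive
# only for a given resource type (the name "value" alone says nothing). The
# type table is an assumption; extend it for the providers you use.
SENSITIVE_NAME = re.compile(r"password|secret|token|private_key|credential", re.I)
TYPE_SENSITIVE = {
    "aws_ssm_parameter": {"value"},
    "aws_secretsmanager_secret_version": {"secret_string", "secret_binary"},
    "aws_instance": {"user_data", "user_data_base64"},
}


def is_sensitive(key, resource_type):
    name = key.strip('"')
    return bool(SENSITIVE_NAME.search(name)) or name in TYPE_SENSITIVE.get(resource_type, ())


def redact_plan(text):
    """Return (redacted_text, number_of_values_masked)."""
    out, masked, current_type = [], 0, None
    for line in text.splitlines():
        r = RESOURCE.search(line)
        if r:
            current_type = r["type"]  # in force until the next resource header
        m = ATTR.match(line)
        if m and is_sensitive(m["key"], current_type):
            line = f"{m['indent']}{m['sign']}{m['key']}{m['sep']}[REDACTED]"
            masked += 1
        out.append(line)
    return "\n".join(out) + "\n", masked


def summarize_plan(text):
    """Counts and must-replace list; all zero when the plan reports no changes."""
    t = TOTALS.search(text)
    add, change, destroy = map(int, t.groups()) if t else (0, 0, 0)
    return {"add": add, "change": change, "destroy": destroy,
            "replaced": REPLACED.findall(text), "no_changes": t is None}


def build_pr_comment(env, plan_text, artifact_name):
    """Comment body: marker first, so the next run can find and update it."""
    redacted, masked = redact_plan(plan_text)
    s = summarize_plan(plan_text)
    lines = [f"<!-- terraform-plan:{env} -->", f"Terraform Plan ({env}):"]
    if s["no_changes"]:
        lines.append("- no changes")
    else:
        lines.append(f"- {s['add']} to add, {s['change']} to change, {s['destroy']} to destroy")
    lines += [f"- must be replaced: {addr}" for addr in s["replaced"]]
    lines.append(f"- {masked} sensitive value(s) redacted; full plan in artifact {artifact_name}")
    return "\n".join(lines), redacted


# Constructed sample in the shape of `terraform plan -no-color` output.
SAMPLE_PLAN = """\
Terraform will perform the following actions:

  # module.app_stack.aws_db_instance.main will be updated in-place
  ~ resource "aws_db_instance" "main" {
      ~ allocated_storage = 20 -> 50
      ~ password          = "OldPass123" -> "NewPass456"
        username          = "admin"
    }

  # module.app_stack.mysql_user.app must be replaced
-/+ resource "mysql_user" "app" {
      + plaintext_password = "app-secret-1"
      ~ user               = "app" -> "app_v2" # forces replacement
    }

  # aws_ssm_parameter.api_key will be created
  + resource "aws_ssm_parameter" "api_key" {
      + name  = "/solid-connection/api_key"
      + type  = "SecureString"
      + value = "tok-example-value"
    }

Plan: 1 to add, 1 to change, 1 to destroy.
"""
```

In the workflow, `build_pr_comment(...)` would feed the first return value to `github.rest.issues.createComment`/`updateComment` and the second to the artifact upload. Note that Terraform already prints `(sensitive value)` for attributes whose variable is declared `sensitive = true`; the redaction is for values that reach the plan through other paths (provider attributes, data sources, interpolated strings), and it deliberately errs towards masking, so a false positive such as `token_type` costs nothing.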
- Refresh tfstate for the stage environment's ingress rules
- Fix the submodule reference for the monitoring environment
- Remove the IAM policy settings from the bootstrap environment and manage that part manually

- Changed the existing terraform-plan workflow to overwrite its earlier comment when a new commit is pushed
- Defensively added a thumbprint for the AWS OIDC provider
- Changed the terraform plan workflow so that the full plan output is no longer shown in the PR comment
- Declared the bootstrap dependency order for the terraform apply workflow
- Added error-case handling logic for SSM tunnelling
Actionable comments posted: 3
🧹 Nitpick comments (1)
.github/workflows/terraform-plan.yml (1)
414-427: The CodeRabbit trigger comments keep accumulating. This step creates a new comment on every run, so noise piles up as the PR gets longer. It would be easier to manage either to put a marker on it and update it, like the plan comment, or to skip it entirely when every detect-changes result is false.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/terraform-plan.yml around lines 414 - 427, The trigger-coderabbit step currently creates a new PR comment every run via actions/github-script@v7 and github.rest.issues.createComment, causing duplicate noise; change it to (a) detect whether you should post at all (skip when your detect-changes job returns all false) and (b) if posting, search for an existing marker comment (e.g., look for a comment body containing the unique marker string "@coderabbitai review" or a marker token) using github.rest.issues.listComments and then update that comment with github.rest.issues.updateComment (or create a new one only if none found); update the step that references github.rest.issues.createComment and the job trigger-coderabbit logic to implement these checks and update-vs-create behavior.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/workflows/terraform-apply.yml:
- Around line 156-169: The SSM tunnel wait loop uses a hardcoded 30-second retry
(for i in $(seq 1 30)) and an immediate failure if nc still can't connect, which
makes runs flaky; change this to read a timeout/retry count from an environment
variable (e.g., SSM_TUNNEL_TIMEOUT or SSM_TUNNEL_RETRIES) and use that variable
in the seq loop and the final nc check so both plan and apply can share the same
value; ensure references to SSM_PID, the nc -z 127.0.0.1 3306 checks, and the
sleep 1 remain unchanged except for replacing the hardcoded 30 with the
env-backed variable and add a sensible default when the env var is not set.
In @.github/workflows/terraform-plan.yml:
- Around line 57-60: The workflow uses a full-privilege role via
aws-actions/configure-aws-credentials@v4 with role-to-assume: ${{
secrets.AWS_ROLE_ARN }} for all plan jobs (plan-bootstrap, plan-global,
plan-prod, plan-stage, plan-monitoring); change each plan job to assume a
dedicated read-only/lock-only plan role (e.g. a new secret like ${{
secrets.AWS_TERRAFORM_PLAN_ROLE_ARN }}) that only grants read access to state
and PutObject/DeleteObject for the .tflock object(s) (no infrastructure write
permissions), and update the aws-actions/configure-aws-credentials usage in
those job definitions to reference that new plan-only role secret so
pull_request plan runs cannot modify real infra.
- Around line 53-56: The checkout step uses actions/checkout@v4 which defaults
to persist-credentials: true leaving GH_PAT in git config; for each workflow job
that checks out code (e.g., the jobs named plan-bootstrap, plan-global,
plan-prod, plan-stage, plan-monitoring) update the checkout step to explicitly
set persist-credentials: false after submodule checkout so credentials are not
persisted into later steps; locate every occurrence of the actions/checkout@v4
block and add the persist-credentials: false setting in the with: section
alongside submodules/token entries.
📒 Files selected for processing (3)
- .github/workflows/terraform-apply.yml
- .github/workflows/terraform-plan.yml
- bootstrap/iam.tf
🚧 Files skipped from review as they are similar to previous changes (1)
- bootstrap/iam.tf
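The SSM tunnel findings in the first review (terraform-apply.yml lines 118-138 and terraform-plan.yml lines 157-177) and the configurable-timeout finding above (lines 156-169) all concern the same step. The following is an added example and not the workflow's own "Start SSM Tunnel" shell; it shows the stricter readiness check as a small Python module, with a constructed loopback endpoint (`start_fake_rds`) standing in for the forwarded port so that it runs offline. The env variable name `SSM_TUNNEL_TIMEOUT` is taken from the finding; the MySQL greeting bytes are constructed for the example.

```python
"""Readiness check for the SSM port-forward to RDS before terraform runs.

Added example, not the workflow's own "Start SSM Tunnel" step. The workflow
backgrounds `aws ssm start-session --document-name
AWS-StartPortForwardingSessionToRemoteHost`, saves SSM_PID and polls
`nc -z 127.0.0.1 3306`. This is the stricter check the reviews ask for: fail
fast on empty EC2_ID/RDS_HOST, fail when the tunnel process dies, take the
timeout from SSM_TUNNEL_TIMEOUT (default 30 s), and accept the port only once
a MySQL greeting arrives, since the session-manager-plugin listens locally as
soon as it starts even if the far end is unreachable. start_fake_rds is a
constructed stand-in for the tunnel endpoint so the example runs offline.
"""
import os
import socket
import subprocess
import sys
import threading
import time

# Constructed MySQL initial handshake: 3-byte little-endian payload length,
# 1-byte sequence id, then a payload whose first byte is protocol version 10.
_PAYLOAD = b"\x0a" + b"8.0.36\x00" + b"\x01\x00\x00\x00" + b"salt1234" + b"\x00"
FAKE_GREETING = len(_PAYLOAD).to_bytes(3, "little") + b"\x00" + _PAYLOAD


def empty_inputs(**values):
    """Names whose value is blank, e.g. a failed `aws ec2 describe-*` lookup."""
    return [k for k, v in values.items() if not (v or "").strip()]


def process_alive(pid):
    """`kill -0 $SSM_PID`; PermissionError means it exists under another uid."""
    try:
        os.kill(pid, 0)
        return True
    except ProcessLookupError:
        return False
    except PermissionError:
        return True


def mysql_greeting_ok(host, port, timeout):
    """True only if the endpoint answers the connect with a handshake packet."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            data = b""
            while len(data) < 5:  # 4-byte header + protocol version byte
                chunk = s.recv(5 - len(data))
                if not chunk:  # peer closed without greeting (no backend)
                    return False
                data += chunk
            return data[4] == 10
    except OSError:  # refused, reset, or timed out
        return False


def wait_for_tunnel(pid, host, port, timeout_s=None, poll_s=0.1):
    """(ok, reason); gives up early if the forwarding process is gone."""
    if timeout_s is None:  # one knob shared by the plan and apply workflows
        timeout_s = float(os.environ.get("SSM_TUNNEL_TIMEOUT", "30"))
    deadline = time.monotonic() + timeout_s
    while time.monotonic() < deadline:
        if not process_alive(pid):
            return False, "ssm session process exited"
        if mysql_greeting_ok(host, port, timeout=1.0):
            return True, "mysql greeting received"
        time.sleep(poll_s)
    return False, f"no mysql greeting on {host}:{port} within {timeout_s}s"


def start_fake_rds(send_greeting):
    """Constructed endpoint: accepts, optionally greets, closes. Returns (port, stop)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    srv.settimeout(0.2)
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            with conn:
                if send_greeting:
                    conn.sendall(FAKE_GREETING)
                time.sleep(0.05)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], stop


def demo():
    """Healthy tunnel, port open with dead backend, and a dead tunnel process."""
    results = {"missing": empty_inputs(EC2_ID="i-0abc", RDS_HOST="")}
    port, stop = start_fake_rds(send_greeting=True)
    results["healthy"] = wait_for_tunnel(os.getpid(), "127.0.0.1", port, 5)[0]
    stop.set()
    port, stop = start_fake_rds(send_greeting=False)
    results["no_backend"] = wait_for_tunnel(os.getpid(), "127.0.0.1", port, 1)[0]
    stop.set()
    gone = subprocess.Popen([sys.executable, "-c", "pass"])
    gone.wait()  # reaped, so its pid no longer exists
    results["dead_process"] = wait_for_tunnel(gone.pid, "127.0.0.1", port, 1)[0]
    return results
```

In the workflow the `pid` argument is the saved `SSM_PID` and `host`/`port` are the local side of the forward; a non-`ok` result should end the job with a non-zero exit before `terraform plan` runs. The "port open but no greeting" case is the one `nc -z` cannot distinguish from a working tunnel.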
Actionable comments posted: 2
🧹 Nitpick comments (1)
.github/workflows/terraform-plan.yml (1)
48-418: The plan job configuration is duplicated far too much. The checkout / AWS auth / Terraform setup / artifact / PR comment pattern is repeated five times, so a fix like the exception-handling change just made is easy to miss in one place. Bundling it as a matrix plus shared steps (or a reusable workflow) would greatly reduce future drift.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/terraform-plan.yml around lines 48 - 418, The plan jobs (plan-bootstrap, plan-global, plan-prod, plan-stage, plan-monitoring) duplicate common steps (checkout, aws-actions/configure-aws-credentials, hashicorp/setup-terraform, Terraform Init/Plan pattern, Upload Plan Artifact, Post Plan Comment) and should be consolidated: extract the repeated sequence into a single reusable workflow or a matrix-driven job that accepts parameters (working-directory, marker, artifact name, var-files, extra pre/post steps), move the Plan step logic (id: plan) and comment logic (Post Plan Comment using marker) into that shared workflow, and call it with per-environment params; keep prod-specific SSM Tunnel/Install Session Manager Plugin steps as an optional pre-step parameter or separate step that runs only for the prod invocation.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/workflows/terraform-plan.yml:
- Around line 420-433: The trigger-coderabbit step is posting the same
'@coderabbitai review' comment every run because it uses if: always() plus
github.rest.issues.createComment without deduplication; modify the step to
either (a) check for and update an existing comment instead of always creating a
new one by using github.rest.issues.listComments to find a comment with body
containing '@coderabbitai review' and then call github.rest.issues.updateComment
if found or createComment if not, referencing the
github.rest.issues.createComment and
github.rest.issues.updateComment/listComments APIs, or (b) tighten the condition
from if: always() to only run when the plan job actually ran/succeeded (remove
always() and use a needs-based condition) so the comment is only posted for real
plan executions.
- Around line 80-88: The Post Plan Comment step currently calls
fs.readFileSync('plan_output.txt') unguarded which throws if the file doesn't
exist; wrap the read in a safe check/try-catch (or use fs.existsSync) and set a
sensible default like '(plan output missing)' so the script still posts a
helpful comment instead of crashing. Specifically, update the Post Plan Comment
action's script around the marker, output and summary variables: replace the
direct fs.readFileSync call with guarded logic that catches errors and assigns a
fallback output string, then continue computing summary from that fallback;
apply the same fix to the other identical script blocks mentioned (the other
Post Plan Comment occurrences).
📒 Files selected for processing (2)
- .github/workflows/terraform-apply.yml
- .github/workflows/terraform-plan.yml
🚧 Files skipped from review as they are similar to previous changes (1)
- .github/workflows/terraform-apply.yml
🧹 Nitpick comments (1)
.github/workflows/terraform-apply.yml (1)
230-259: The file has no trailing newline. Per the POSIX standard, a file should end with a newline character.
🔧 Suggested fix:

```diff
           terraform apply -auto-approve \
             -var-file="../../config/secrets/monitoring.tfvars" \
             -var-file="../../config/secrets/monitoring_stack.tfvars"
+
```
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/terraform-apply.yml around lines 230 - 259, The workflow file ends without a trailing newline (POSIX requires a final newline); open the workflow that contains the apply-monitoring job (look for the "apply-monitoring" job and the "Terraform Apply" step) and add a single newline character at the end of the file so the final line is terminated, then save and commit the change.
📒 Files selected for processing (2)
- .github/workflows/terraform-apply.yml
- .github/workflows/terraform-plan.yml
✅ Files skipped from review due to trivial changes (1)
- .github/workflows/terraform-plan.yml
🧹 Nitpick comments (1)
.github/workflows/terraform-plan.yml (1)
54-57: persist-credentials: false is missing in plan-bootstrap. Every other plan job (global, prod, stage, monitoring) sets persist-credentials: false; only plan-bootstrap lacks it, which is inconsistent. As discussed in the earlier review, explicitly ensuring that GH_PAT does not remain in the git config after checkout is recommended for security.
♻️ Suggested fix:

```diff
       - uses: actions/checkout@v4
         with:
           submodules: recursive
           token: ${{ secrets.GH_PAT }}
+          persist-credentials: false
```
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/terraform-plan.yml around lines 54 - 57, The plan-bootstrap job is missing the persist-credentials: false option on the actions/checkout@v4 step; update the checkout step in the plan-bootstrap job (the uses: actions/checkout@v4 block) to include with: persist-credentials: false (matching the other plan jobs) so the GH_PAT is not left in git config after checkout.
📒 Files selected for processing (2)
- .github/workflows/terraform-apply.yml
- .github/workflows/terraform-plan.yml
✅ Files skipped from review due to trivial changes (1)
- .github/workflows/terraform-apply.yml
bootstrap/iam.tf:

```hcl
StringLike = {
  "token.actions.githubusercontent.com:sub" = [
    "repo:solid-connection/solid-connection-infra:ref:refs/heads/main",
    "repo:solid-connection/solid-connection-infra:pull_request"
```
How about changing repo:solid-connection/solid-connection-infra:pull_request to pull_request_target? I think it would then also match PRs from forked repos.
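The trust-policy condition quoted in this thread and the least-privilege finding on `aws_iam_policy.github_actions_infra` (lines 102-146) both come down to which principals and which API calls `bootstrap/iam.tf` admits. The following is an added example, not code from the repository: `trust_allows` evaluates a GitHub OIDC `sub`/`aud` pair against the role's conditions with IAM's StringLike semantics, and `lint_policy` flags statements that pair wildcard Actions with `Resource = "*"`. The two `sub` patterns are the ones visible above; the `aud` condition, account id, permission statements and bucket ARN are assumptions made for the example.

```python
"""Two offline checks on the kind of IAM documents in bootstrap/iam.tf.

Added example, not code from the repository. TRUST_POLICY and INFRA_POLICY are
constructed to resemble the documents the review discusses (the two sub
patterns are the ones shown on this page; everything else is assumed).
trust_allows evaluates the role's StringEquals/StringLike conditions against a
GitHub OIDC token's sub and aud claims the way IAM does: `*` matches any run of
characters, `?` exactly one, a list of patterns is satisfied if any pattern
matches, and every condition key must hold. lint_policy reports the
least-privilege finding: wildcard Actions paired with Resource "*".
"""
import copy
import re

SUB = "token.actions.githubusercontent.com:sub"
AUD = "token.actions.githubusercontent.com:aud"

TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "arn:aws:iam::123456789012:oidc-provider/"
                                   "token.actions.githubusercontent.com"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
            "StringEquals": {AUD: "sts.amazonaws.com"},
            "StringLike": {SUB: [
                "repo:solid-connection/solid-connection-infra:ref:refs/heads/main",
                "repo:solid-connection/solid-connection-infra:pull_request",
            ]},
        },
    }],
}

INFRA_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:*", "ec2:*", "rds:*"], "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
         "Resource": "arn:aws:s3:::solid-connection-tfstate/*"},
    ],
}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def iam_pattern(pattern):
    """Compile an IAM string wildcard (only * and ? are special) to a regex."""
    parts = (".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.compile("^" + "".join(parts) + "$")


def condition_holds(operator, patterns, claim):
    if claim is None:
        return False  # key absent from the token: the condition is not met
    if operator == "StringEquals":
        return claim in patterns
    if operator == "StringLike":
        return any(iam_pattern(p).match(claim) for p in patterns)
    raise ValueError(f"unsupported condition operator {operator}")


def trust_allows(trust_policy, sub, aud="sts.amazonaws.com"):
    """Would AssumeRoleWithWebIdentity succeed for a token with these claims?"""
    claims = {SUB: sub, AUD: aud}
    for st in trust_policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        if "sts:AssumeRoleWithWebIdentity" not in _as_list(st.get("Action")):
            continue
        if all(condition_holds(op, _as_list(pats), claims.get(key))
               for op, keys in st.get("Condition", {}).items()
               for key, pats in keys.items()):
            return True
    return False


def lint_policy(policy):
    """Allow statements that grant wildcard actions and/or Resource "*"."""
    findings = []
    for i, st in enumerate(policy["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        wild_actions = [a for a in _as_list(st.get("Action", [])) if a.endswith("*")]
        resource_star = "*" in _as_list(st.get("Resource", []))
        if wild_actions or resource_star:
            findings.append({"statement": i, "wildcard_actions": wild_actions,
                             "resource_star": resource_star,
                             "severity": "high" if wild_actions and resource_star else "medium"})
    return findings


def with_sub_pattern(trust_policy, pattern):
    """Copy of the trust policy with the sub condition replaced, for what-if checks."""
    tp = copy.deepcopy(trust_policy)
    tp["Statement"][0]["Condition"]["StringLike"][SUB] = [pattern]
    return tp
```

`with_sub_pattern(TRUST_POLICY, "repo:solid-connection/*")` is the kind of shortcut to test here: it admits any workflow in any repository of the organisation, on any branch, which is why the exact-repo patterns in the quoted condition are worth keeping narrow even as the event name is debated.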
Related issue

Work done

1. Move tfstate to an S3 remote backend (bootstrap/, environment/*/provider.tf)
Each environment's tfstate is now kept in the S3 bucket solid-connection-tfstate instead of a local file.
- bootstrap/ defines the S3 bucket, versioning, SSE-S3 encryption and an HTTPS-only bucket policy
- environment/global, prod, stage and monitoring have all been migrated to the S3 backend

2. IAM policy definition (bootstrap/iam.tf)

3. GitHub Actions workflow definitions (.github/workflows/)
- Runs terraform plan and posts the result as a PR comment (uses dorny/paths-filter)
- On merge to main, runs terraform apply automatically only for the environments that changed
- RDS access through SSM port forwarding (AWS-StartPortForwardingSessionToRemoteHost)

4. Optional RDS in the app_stack module (modules/app_stack/)
Added an enable_rds variable to go with the stage environment's move from RDS to a Docker container.
- With enable_rds = false, none of the RDS instance, DB security group or MySQL user/grant resources are created

5. Lambda bucket reference fix (modules/shared_resources/lambda.tf)
The Lambda execution permission and S3 trigger referenced the wrong bucket (solid-connection-bucket); corrected to solid-connection-upload-bucket.

6. CodeRabbit configuration (.coderabbit.yaml)
Configured so that code review is done with the Terraform plan results in view.
- Automatic review disabled (auto_review: false)
- Review starts on an @coderabbitai review trigger, after all plan comments have been posted
- Added instructions to check plan results when reviewing .tf files, focusing on destroy/replace and IAM least privilege

Notes
- terraform apply is not possible. apply runs only from GitHub Actions. Once this PR is merged, developer IAM work will be done manually.
- … is handled.
- config/secrets/ is a private submodule. Run git submodule update --init --recursive before running plan.

Review requests (optional)