feat: IaC 코드 최신화 & tfstate에 대한 S3 백엔드화 & Github Actrion 워크플로우 생성

[Hexeong]

관련 이슈

• resolves: feat: S3를 사용한 tfstate 전역화 및 github 액션 워크플로우 작성 #24
• discussion: IaC를 사용한 인프라 관리 측면에서 인프라 상태 정보를 어떻게 공유하는 게 맞을까? #20

작업 내용

1. tfstate S3 Remote Backend 전환 (bootstrap/, environment/*/provider.tf)

각 환경의 tfstate를 로컬 파일 대신 S3 버킷(solid-connection-tfstate)에서 관리하도록 전환했습니다.

• Terraform 1.10+ S3 네이티브 락 사용 (DynamoDB 불필요)
• bootstrap/ 환경에 S3 버킷, 버저닝, SSE-S3 암호화, HTTPS 전용 버킷 정책 정의
• environment/global, prod, stage, monitoring 모두 S3 백엔드로 마이그레이션 완료

2. IAM 정책 정의 (bootstrap/iam.tf)

• GitHub Actions용 (OIDC): tfstate 전체 접근 + AWS 인프라 관리 권한 부여
• OIDC가 사용할 IAM Role 2개 생성: main에 푸쉬했을 때의 aws 리소스 접근권한과 pr을 생성했을 때의 접근 권한을 분리하여 보안 강화

3. GitHub Actions 워크플로우 정의 (.github/workflows/)

• terraform-plan.yml: PR 생성/업데이트 시 변경된 환경에 대해서만 terraform plan 실행 후 결과를 PR 댓글로 게시 (dorny/paths-filter 사용)
• terraform-apply.yml: main 머지 시 변경된 환경에 대해서만 terraform apply 자동 실행
• prod 환경: MySQL provider 연결을 위해 SSM Port Forwarding으로 RDS에 터널링 (AWS-StartPortForwardingSessionToRemoteHost)

4. app_stack 모듈 RDS 선택적 활성화 (modules/app_stack/)

stage 환경의 RDS → Docker 컨테이너 전환에 맞춰 enable_rds 변수를 추가했습니다.

• enable_rds = false이면 RDS, DB Security Group, MySQL 유저/권한 리소스 모두 생성하지 않음
• MySQL provider를 모듈에서 제거하고 prod 환경 레벨로 이동 (stage에서 MySQL 연결 시도 방지)

5. Lambda 버킷 참조 수정 (modules/shared_resources/lambda.tf)

Lambda 실행 권한 및 S3 트리거가 잘못된 버킷(solid-connection-bucket)을 참조하던 문제를 solid-connection-upload-bucket으로 수정했습니다.

6. CodeRabbit 설정 (.coderabbit.yaml)

Terraform plan 결과를 반영한 코드 리뷰가 이루어지도록 설정했습니다.

• 자동 리뷰 비활성화 (auto_review: false)
• 모든 plan 잡 완료 후 @coderabbitai review 트리거 → plan 댓글이 모두 달린 뒤 리뷰 시작
• .tf 파일 리뷰 시 plan 결과 확인, destroy/replace, IAM 최소 권한 등 중점 검토 지시 추가

특이 사항

• 로컬 apply 불가: 개발자 IAM Policy는 tfstate PutObject 권한이 없으므로 로컬에서 terraform apply가 불가합니다. apply는 GitHub Actions에서만 실행됩니다. 해당 pr이 반영되는 대로 개발자 IAM 작업은 수동으로 진행하려고 합니다.
• prod MySQL 터널링 필요: 로컬에서 prod plan 실행 시 SSH 터널로 RDS 3306 포트를 포워딩한 상태에서 실행해야 합니다. CI에서는 SSM Port Forwarding으로 자동 처리됩니다.
• bootstrap apply 순서: bootstrap → 나머지 환경 순으로 apply가 선행되어야 합니다. GitHub Actions Role과 S3 버킷이 먼저 존재해야 합니다.
• submodule 필요: config/secrets/는 private submodule입니다. git submodule update --init --recursive 후 plan을 실행하세요.

리뷰 요구사항 (선택)

[coderabbitai]

Warning

Rate limit exceeded

@Hexeong has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 41 minutes and 2 seconds before requesting another review.

To keep reviews running without waiting, you can enable usage-based add-on for your organization. This allows additional reviews beyond the hourly cap. Account admins can enable it under billing.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: c709d0ff-65c5-4893-8e63-a32e0ba5c72a

📥 Commits

Reviewing files that changed from the base of the PR and between 0c7b91b and 09cc257.

📒 Files selected for processing (8)

• config/secrets
• environment/global/main.tf
• environment/global/variables.tf
• modules/shared_resources/acm.tf
• modules/shared_resources/cloudfront.tf
• modules/shared_resources/output.tf
• modules/shared_resources/s3.tf
• modules/shared_resources/variables.tf

Walkthrough

이 PR은 CodeRabbit 구성(.coderabbit.yaml) 추가, Terraform Plan/Apply GitHub Actions 워크플로(.github/workflows/terraform-plan.yml 및 .github/workflows/terraform-apply.yml) 추가, bootstrap에 S3 tfstate 버킷·IAM OIDC 공급자·GitHub Actions용 IAM 역할·출력·provider 및 S3 버킷 설정을 도입합니다. 각 environment(global/monitoring/prod/stage)에 Terraform required_version 및 S3 백엔드를 추가했으며, prod와 plan 워크플로는 SSM 포트포워딩으로 RDS에 접근합니다. 모듈 변경으로 EC2에 iam_instance_profile 입력이 추가되고 RDS 관련 리소스/변수는 enable_rds 토글로 조건부화되거나 제거되었으며 일부 MySQL provider와 보안 그룹, S3 알림 참조가 조정되었습니다.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Suggested reviewers

• wibaek
• JAEHEE25
• sukangpunch
• Gyuhyeok99

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	PR 제목이 주요 변경사항(S3 백엔드화, GitHub Actions 워크플로우, IaC 최신화)을 명확하게 요약하고 있습니다.
Description check	✅ Passed	PR 설명이 템플릿의 모든 필수 섹션(관련 이슈, 작업 내용, 특이 사항)을 포함하며 각 변경사항을 상세히 설명하고 있습니다.
Linked Issues check	✅ Passed	PR의 모든 주요 변경사항이 #24의 요구사항을 충족합니다: S3 버킷 생성, 모든 환경의 provider.tf 수정, terraform-plan/apply 워크플로우 작성이 완료되었습니다.
Out of Scope Changes check	✅ Passed	config/secrets 서브모듈 업데이트, CodeRabbit 설정, Lambda 버킷 참조 수정은 모두 #24의 워크플로우 및 IAM 설정과 직접 관련된 필수 변경사항입니다.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feat/24-change-tfstate-global

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Review rate limit: 0/1 reviews remaining, refill in 41 minutes and 2 seconds.}

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 8

🧹 Nitpick comments (2)

bootstrap/iam.tf (1)

57-77: IAM 리소스에 공통 태그 누락

코딩 가이드라인에 따르면 모든 AWS 리소스에 Project = "solid-connection" 및 Env 태그를 적용해야 합니다. aws_iam_role.github_actions와 aws_iam_policy 리소스들에 태그가 누락되었습니다.

🏷️ 태그 추가 예시

 resource "aws_iam_role" "github_actions" {
   name        = "GitHubActionsTerraformRole"
   description = "IAM Role for GitHub Actions terraform plan/apply via OIDC"
+
+  tags = {
+    Project = "solid-connection"
+    Env     = "bootstrap"
+  }

   assume_role_policy = jsonencode({

 resource "aws_iam_policy" "github_actions_infra" {
   name        = "GitHubActionsTerraformInfraPolicy"
   description = "For GitHub Actions terraform apply: AWS infrastructure management"
+
+  tags = {
+    Project = "solid-connection"
+    Env     = "bootstrap"
+  }

   policy = jsonencode({

As per coding guidelines: "Apply common tags to all AWS resources: Project = "solid-connection" and Env = "<environment-name>" for tracking and organization"

Also applies to: 103-146

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@bootstrap/iam.tf` around lines 57 - 77, The IAM resources are missing the
required common tags; update aws_iam_role.github_actions to include a tags block
setting Project = "solid-connection" and Env = var.env (or the appropriate
environment variable), and likewise add the same tags block to the
aws_iam_policy resources referenced later (aws_iam_policy resource(s) around
lines 103-146); ensure you merge these tags with any existing tags rather than
overwriting, and use the same tag keys/values consistently across these IAM
resources.

modules/app_stack/variables.tf (1)

49-60: db_username/db_password 기본값을 빈 문자열 대신 null로 변경 권장

빈 문자열 ""은 유효한 값으로 간주될 수 있어 enable_rds = true일 때 실제 자격증명 누락을 탐지하기 어렵습니다. null 기본값을 사용하면 변수 미설정 시 Terraform의 타입 검증이 더 명확해집니다.

♻️ 제안 수정

 variable "db_username" {
   description = "DB 마스터 사용자명"
   type        = string
-  default     = ""
+  default     = null
 }

 variable "db_password" {
   description = "DB 마스터 비밀번호"
   type        = string
   sensitive   = true
-  default     = ""
+  default     = null
 }

또는 enable_rds = true일 때 자격증명 필수 입력을 강제하는 validation 블록 추가를 고려해 주세요.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@modules/app_stack/variables.tf` around lines 49 - 60, Change the
db_username/db_password variable defaults from empty string to null and add
validation that enforces credentials when enable_rds is true: set default = null
for variable "db_username" and "db_password", then add a validation block that
checks when var.enable_rds is true then var.db_username and var.db_password are
not null/empty (e.g., var.enable_rds ? (var.db_username != null &&
length(var.db_username) > 0 && var.db_password != null &&
length(var.db_password) > 0) : true) so missing credentials are caught during
plan/app.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/terraform-apply.yml:
- Around line 118-138: The step that starts the SSM tunnel is too optimistic:
ensure EC2_ID and RDS_HOST are non-empty and fail fast if they are; start the
SSM session (the aws ssm start-session invocation that backgrounded writes
SSM_PID to GITHUB_ENV) and immediately verify the session is still running (use
the saved SSM_PID) and the forwarded socket is reachable by actually testing a
MySQL/TCP handshake against 127.0.0.1:3306 rather than only nc -z, with a
configurable timeout; if the session dies or the port never accepts connections
within the timeout, exit non-zero so the job fails early. Reference symbols to
change: EC2_ID, RDS_HOST, aws ssm start-session (document-name
AWS-StartPortForwardingSessionToRemoteHost), SSM_PID, and the timeout/nc
readiness check.
- Around line 47-50: The pipeline allows
apply-global/apply-prod/apply-stage/apply-monitoring to run before
apply-bootstrap finishes when both bootstrap/** and env dirs change; update each
of those jobs (symbols: apply-global, apply-prod, apply-stage, apply-monitoring)
to declare needs: [detect-changes, apply-bootstrap] and keep their existing if
conditions (e.g., needs.detect-changes.outputs.<env> == 'true') so they will
wait for apply-bootstrap to complete when bootstrap changes; apply the same
change to all repeated job blocks referenced in the comment.

In @.github/workflows/terraform-plan.yml:
- Around line 74-86: The workflow currently reads the full
bootstrap/plan_output.txt and posts it directly via the "Post Plan Comment" step
using github.rest.issues.createComment (variable truncated), which can leak
secrets; change this to never post raw plan text: instead either (A) upload the
full plan as a workflow artifact and post only a short safe summary, or (B) run
a redaction pass over the plan content (detect common sensitive keys like
"password", "secret", "token", "private_key", "aws_secret_access_key",
provider-specific sensitive markers) and replace values with "[REDACTED]" before
assigning to truncated and calling github.rest.issues.createComment; ensure
bootstrap/plan_output.txt is written with terraform plan -out and terraform show
-json if using structured redaction, and update the script referencing truncated
and github.rest.issues.createComment to use the sanitized summary or artifact
link instead of the raw plan.
- Around line 157-177: 현재 단계는 로컬 포트(127.0.0.1:3306)만 확인하고 SSM 세션의 실제 생존이나 조회
결과(RDS_HOST, EC2_ID)가 유효한지 검사하지 않으므로 세션이 바로 종료되거나 조회가 빈값일 때 이후 terraform plan에서
실패할 수 있습니다; 수정 방법은 start-session을 실행하기 전에 EC2_ID와 RDS_HOST 값이 비어있지 않은지 검사하고(참조:
EC2_ID, RDS_HOST), aws ssm start-session 호출의 성공 여부와 반환된 세션/프로세스 상태(참조: SSM_PID 및
AWS-StartPortForwardingSessionToRemoteHost)를 확인하여 백그라운드 프로세스가 즉시 종료되지 않았는지 검사하고,
로컬 포트 체크 외에 aws ssm describe-sessions 또는 해당 PID가 살아있는지로 세션 지속성을 검증한 뒤 실패 시 워크플로를
중단하도록 변경하세요.

In `@bootstrap/iam.tf`:
- Around line 102-146: The aws_iam_policy resource github_actions_infra
currently grants overly broad privileges (wildcard Actions like "s3:*", "ec2:*",
"rds:*", combined with Resource = "*"); update the policy in the
github_actions_infra resource to follow least-privilege: replace wildcard
Actions with only the specific API calls required by your GitHub Actions
terraform workflows, restrict Resource values to exact ARNs (or scoped prefixes)
instead of "*", and split high-risk permissions (e.g., IAM, KMS, SSM) into
separate narrowly-scoped statements; if full wildcard access is intentional, add
a clear comment/ADR referencing the risk acceptance and justification.
- Around line 51-55: The aws_iam_openid_connect_provider resource
(aws_iam_openid_connect_provider.github) currently hardcodes a single thumbprint
in thumbprint_list which is brittle for certificate rotation; update the
thumbprint_list to include both known GitHub OIDC thumbprints so AWS has a
fallback during rotation (e.g., add the second thumbprint alongside
"6938fd4d..."), ensuring the list is non-empty and contains the additional
thumbprint "1c58a3a8..."; modify only the thumbprint_list attribute on the
aws_iam_openid_connect_provider.github resource to include both values.

In `@bootstrap/provider.tf`:
- Around line 23-27: 현재 provider.tf의 default_tags 블록(tags = { Project =
"solid-connection" })에 Env 태그가 누락되어 있으므로 default_tags.tags에 Env 키를 추가하고 값은 환경별
변수로 설정하세요 (예: use var.env); 만약 변수 env가 정의되어 있지 않다면 variable "env" (type =
string, 설명 포함) 를 추가하고 필요한 tfvars/워크스페이스 값으로 전달하도록 수정하세요; 변경 대상 식별자:
default_tags, tags, 변수명 env.

In `@bootstrap/s3.tf`:
- Around line 1-7: The S3 tfstate resource aws_s3_bucket.tfstate is missing the
required common tags; add a tags block to that resource with Project =
"solid-connection" and Env set from the environment variable used elsewhere
(e.g., var.env or local.env) so it follows the tagging convention; update the
resource aws_s3_bucket.tfstate to include tags { Project = "solid-connection"
Env = <existing env variable> } ensuring you reuse the same variable name used
across other resources.

---

Nitpick comments:
In `@bootstrap/iam.tf`:
- Around line 57-77: The IAM resources are missing the required common tags;
update aws_iam_role.github_actions to include a tags block setting Project =
"solid-connection" and Env = var.env (or the appropriate environment variable),
and likewise add the same tags block to the aws_iam_policy resources referenced
later (aws_iam_policy resource(s) around lines 103-146); ensure you merge these
tags with any existing tags rather than overwriting, and use the same tag
keys/values consistently across these IAM resources.

In `@modules/app_stack/variables.tf`:
- Around line 49-60: Change the db_username/db_password variable defaults from
empty string to null and add validation that enforces credentials when
enable_rds is true: set default = null for variable "db_username" and
"db_password", then add a validation block that checks when var.enable_rds is
true then var.db_username and var.db_password are not null/empty (e.g.,
var.enable_rds ? (var.db_username != null && length(var.db_username) > 0 &&
var.db_password != null && length(var.db_password) > 0) : true) so missing
credentials are caught during plan/app.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: ea51b116-161b-4b7e-a4c9-f6a9ea85ed45

📥 Commits

Reviewing files that changed from the base of the PR and between 0b8da36 and bac30ef.

📒 Files selected for processing (22)

• .coderabbit.yaml
• .github/workflows/terraform-apply.yml
• .github/workflows/terraform-plan.yml
• bootstrap/iam.tf
• bootstrap/outputs.tf
• bootstrap/provider.tf
• bootstrap/s3.tf
• config/secrets
• environment/global/provider.tf
• environment/monitoring/provider.tf
• environment/prod/main.tf
• environment/prod/provider.tf
• environment/prod/variables.tf
• environment/stage/main.tf
• environment/stage/provider.tf
• environment/stage/variables.tf
• modules/app_stack/ec2.tf
• modules/app_stack/provider.tf
• modules/app_stack/rds.tf
• modules/app_stack/security_groups.tf
• modules/app_stack/variables.tf
• modules/shared_resources/lambda.tf

💤 Files with no reviewable changes (1)

• modules/app_stack/provider.tf

[github-actions]

Terraform Plan: monitoring

No changes. Your infrastructure matches the configuration.

전체 plan 결과는 보안을 위해 댓글에 포함되지 않습니다. 워크플로우 실행 아티팩트를 확인하세요.

[github-actions]

Terraform Plan: stage

No changes. Your infrastructure matches the configuration.

전체 plan 결과는 보안을 위해 댓글에 포함되지 않습니다. 워크플로우 실행 아티팩트를 확인하세요.

[github-actions]

Terraform Plan: global

Plan: 0 to add, 0 to change, 3 to destroy.

전체 plan 결과는 보안을 위해 댓글에 포함되지 않습니다. 워크플로우 실행 아티팩트를 확인하세요.

[github-actions]

Terraform Plan: bootstrap

No changes. Your infrastructure matches the configuration.

전체 plan 결과는 보안을 위해 댓글에 포함되지 않습니다. 워크플로우 실행 아티팩트를 확인하세요.

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[github-actions]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[github-actions]

Terraform Plan: prod

No changes. Your infrastructure matches the configuration.

전체 plan 결과는 보안을 위해 댓글에 포함되지 않습니다. 워크플로우 실행 아티팩트를 확인하세요.

[github-actions]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (1)

.github/workflows/terraform-plan.yml (1)

48-418: plan 잡 구성이 너무 많이 복제돼 있습니다.

checkout / AWS 인증 / Terraform setup / artifact / PR comment 패턴이 5번 반복돼서, 방금 같은 예외 처리 수정도 한 곳 빠뜨리기 쉽습니다. matrix + 공통 스텝(또는 reusable workflow)로 묶어두면 이후 drift를 많이 줄일 수 있습니다.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/terraform-plan.yml around lines 48 - 418, The plan jobs
(plan-bootstrap, plan-global, plan-prod, plan-stage, plan-monitoring) duplicate
common steps (checkout, aws-actions/configure-aws-credentials,
hashicorp/setup-terraform, Terraform Init/Plan pattern, Upload Plan Artifact,
Post Plan Comment) and should be consolidated: extract the repeated sequence
into a single reusable workflow or a matrix-driven job that accepts parameters
(working-directory, marker, artifact name, var-files, extra pre/post steps),
move the Plan step logic (id: plan) and comment logic (Post Plan Comment using
marker) into that shared workflow, and call it with per-environment params; keep
prod-specific SSM Tunnel/Install Session Manager Plugin steps as an optional
pre-step parameter or separate step that runs only for the prod invocation.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/terraform-plan.yml:
- Around line 420-433: The trigger-coderabbit step is posting the same
'@coderabbitai review' comment every run because it uses if: always() plus
github.rest.issues.createComment without deduplication; modify the step to
either (a) check for and update an existing comment instead of always creating a
new one by using github.rest.issues.listComments to find a comment with body
containing '@coderabbitai review' and then call github.rest.issues.updateComment
if found or createComment if not, referencing the
github.rest.issues.createComment and
github.rest.issues.updateComment/listComments APIs, or (b) tighten the condition
from if: always() to only run when the plan job actually ran/succeeded (remove
always() and use a needs-based condition) so the comment is only posted for real
plan executions.
- Around line 80-88: The Post Plan Comment step currently calls
fs.readFileSync('plan_output.txt') unguarded which throws if the file doesn't
exist; wrap the read in a safe check/try-catch (or use fs.existsSync) and set a
sensible default like '(plan output missing)' so the script still posts a
helpful comment instead of crashing. Specifically, update the Post Plan Comment
action's script around the marker, output and summary variables: replace the
direct fs.readFileSync call with guarded logic that catches errors and assigns a
fallback output string, then continue computing summary from that fallback;
apply the same fix to the other identical script blocks mentioned (the other
Post Plan Comment occurrences).

---

Nitpick comments:
In @.github/workflows/terraform-plan.yml:
- Around line 48-418: The plan jobs (plan-bootstrap, plan-global, plan-prod,
plan-stage, plan-monitoring) duplicate common steps (checkout,
aws-actions/configure-aws-credentials, hashicorp/setup-terraform, Terraform
Init/Plan pattern, Upload Plan Artifact, Post Plan Comment) and should be
consolidated: extract the repeated sequence into a single reusable workflow or a
matrix-driven job that accepts parameters (working-directory, marker, artifact
name, var-files, extra pre/post steps), move the Plan step logic (id: plan) and
comment logic (Post Plan Comment using marker) into that shared workflow, and
call it with per-environment params; keep prod-specific SSM Tunnel/Install
Session Manager Plugin steps as an optional pre-step parameter or separate step
that runs only for the prod invocation.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: aef5f5b1-0fd1-41d1-a97c-52563dd6ed01

📥 Commits

Reviewing files that changed from the base of the PR and between b9e3fd9 and 5ec981d.

📒 Files selected for processing (2)

• .github/workflows/terraform-apply.yml
• .github/workflows/terraform-plan.yml

🚧 Files skipped from review as they are similar to previous changes (1)

• .github/workflows/terraform-apply.yml

[github-actions]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

🧹 Nitpick comments (1)

.github/workflows/terraform-apply.yml (1)

230-259: 파일 끝에 개행 문자가 없습니다.

POSIX 표준에 따라 파일은 개행 문자로 끝나야 합니다.

🔧 수정 제안

           terraform apply -auto-approve \
             -var-file="../../config/secrets/monitoring.tfvars" \
             -var-file="../../config/secrets/monitoring_stack.tfvars"
+

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/terraform-apply.yml around lines 230 - 259, The workflow
file ends without a trailing newline (POSIX requires a final newline); open the
workflow that contains the apply-monitoring job (look for the "apply-monitoring"
job and the "Terraform Apply" step) and add a single newline character at the
end of the file so the final line is terminated, then save and commit the
change.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In @.github/workflows/terraform-apply.yml:
- Around line 230-259: The workflow file ends without a trailing newline (POSIX
requires a final newline); open the workflow that contains the apply-monitoring
job (look for the "apply-monitoring" job and the "Terraform Apply" step) and add
a single newline character at the end of the file so the final line is
terminated, then save and commit the change.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 179d305a-b2b4-4dc7-bdbf-c3363ca19a14

📥 Commits

Reviewing files that changed from the base of the PR and between 5ec981d and 1e636ab.

📒 Files selected for processing (2)

• .github/workflows/terraform-apply.yml
• .github/workflows/terraform-plan.yml

✅ Files skipped from review due to trivial changes (1)

• .github/workflows/terraform-plan.yml

[github-actions]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

🧹 Nitpick comments (1)

.github/workflows/terraform-plan.yml (1)

54-57: plan-bootstrap에서 persist-credentials: false 설정이 누락되었습니다.

다른 모든 plan 작업(global, prod, stage, monitoring)에는 persist-credentials: false가 설정되어 있으나, plan-bootstrap만 누락되어 일관성이 없습니다. 이전 리뷰에서 논의된 대로, checkout 후 GH_PAT이 git config에 남지 않도록 명시적으로 제거하는 것이 보안상 권장됩니다.

♻️ 수정 제안

       - uses: actions/checkout@v4
         with:
           submodules: recursive
           token: ${{ secrets.GH_PAT }}
+          persist-credentials: false

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/terraform-plan.yml around lines 54 - 57, The
plan-bootstrap job is missing the persist-credentials: false option on the
actions/checkout@v4 step; update the checkout step in the plan-bootstrap job
(the uses: actions/checkout@v4 block) to include with: persist-credentials:
false (matching the other plan jobs) so the GH_PAT is not left in git config
after checkout.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In @.github/workflows/terraform-plan.yml:
- Around line 54-57: The plan-bootstrap job is missing the persist-credentials:
false option on the actions/checkout@v4 step; update the checkout step in the
plan-bootstrap job (the uses: actions/checkout@v4 block) to include with:
persist-credentials: false (matching the other plan jobs) so the GH_PAT is not
left in git config after checkout.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 5c6fbcc7-bb87-4119-a02f-584ddea86c66

📥 Commits

Reviewing files that changed from the base of the PR and between 5ec981d and 7f078d0.

📒 Files selected for processing (2)

• .github/workflows/terraform-apply.yml
• .github/workflows/terraform-plan.yml

✅ Files skipped from review due to trivial changes (1)

• .github/workflows/terraform-apply.yml

[whqtker]

고생하셨습니다 ~

[whqtker]

repo:solid-connection/solid-connection-infra:pull_request 에서 pull_request_target 으로 변경하는 건 어떤가요 ? 포크된 레포의 PR에서도 매칭이 될 거 같습니다

[Hexeong]

협업 워크플로우를 고려할 때, 이번 구현은 fork 레포를 전제로 하기보다 main 레포 안에서 별도 feature 브랜치로 작업하는 방식을 기준으로 했습니다.

fork 레포를 별도로 두지 않은 이유는, 해당 레포가 public으로 열려 있을 경우 fork된 저장소에서의 작업 흐름이 혼재될 수 있고, 실수로 운영 반영 대상이 아닌 저장소의 결과가 인프라에 연결될 가능성을 최대한 줄이고 싶었기 때문입니다.

그래서 배포 및 협업의 기준점을 main 레포로 단일화해, 권한과 흐름을 더 명확하게 통제할 수 있도록 구성했습니다.

이 판단이 적절한지에 대해서는 리뷰어님의 의견도 궁금합니다.

특히 fork를 허용하는 방식이 더 적절한 상황인지, 혹은 현재처럼 main 레포 중심으로 관리하는 방식이 더 안전한지 의견 주시면 감사하겠습니다. @whqtker

[lsy1307]

1. sub 조건만 pull_request_target으로 바꾸면 아마 매칭이 안 될 가능성이 큽니다.
   GitHub OIDC 공식 예시는 PR workflow의 기본 sub를 repo:ORG/REPO:pull_request로 설명합니다. pull_request_target은 event_name으로는 존재하지만 기본 sub 조건 문자열을 단순히 ...:pull_request_target으로 바꾸는 방식은 공식 예시 패턴이 아닙니다.

2. workflow 트리거 자체를 pull_request_target으로 바꾸는 건 위험합니다.
   GitHub 문서도 pull_request_target은 base repo 컨텍스트에서 실행되고 secrets 접근이 가능하므로 PR의 코드를 checkout/build/run 해야 하면 쓰지 말라고 경고합니다. 이 PR의 Terraform plan은 PR에서 바뀐 Terraform 코드를 실행해야 하는데 여기에 AWS Role까지 붙으면 fork PR 작성자가 Terraform/provider/script를 통해 AWS 권한이나 secret을 건드릴 수 있는 구조가 됩니다.

[Hexeong]

위와 같은 보안 취약점도 있었군요.. 그럼 해당 논의에 대해서는 기존 pull_request 방식을 유지하는 걸로 하겠습니다.

[coderabbitai]

♻️ Duplicate comments (1)

.github/workflows/terraform-plan.yml (1)

54-57: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

plan-bootstrap에 persist-credentials: false 누락

다른 plan 작업들(plan-global, plan-prod, plan-stage, plan-monitoring)은 모두 persist-credentials: false가 설정되어 있지만, plan-bootstrap만 누락되어 있습니다. 일관성과 보안을 위해 동일하게 설정해주세요.

🔐 수정 예시

       - uses: actions/checkout@v4
         with:
           submodules: recursive
           token: ${{ secrets.GH_PAT }}
+          persist-credentials: false

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/terraform-plan.yml around lines 54 - 57, plan-bootstrap
job is missing the security setting present in other plan jobs: add
persist-credentials: false to the actions/checkout@v4 step in the plan-bootstrap
job (the same way it is set in plan-global, plan-prod, plan-stage,
plan-monitoring) to prevent credentials from being persisted; locate the
actions/checkout@v4 usage in the plan-bootstrap job and add the
persist-credentials: false option alongside submodules and token.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Duplicate comments:
In @.github/workflows/terraform-plan.yml:
- Around line 54-57: plan-bootstrap job is missing the security setting present
in other plan jobs: add persist-credentials: false to the actions/checkout@v4
step in the plan-bootstrap job (the same way it is set in plan-global,
plan-prod, plan-stage, plan-monitoring) to prevent credentials from being
persisted; locate the actions/checkout@v4 usage in the plan-bootstrap job and
add the persist-credentials: false option alongside submodules and token.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 3f245867-8395-49c2-9731-a36e0ffadf4d

📥 Commits

Reviewing files that changed from the base of the PR and between 7f078d0 and d45a117.

📒 Files selected for processing (3)

• .github/workflows/terraform-plan.yml
• bootstrap/iam.tf
• bootstrap/outputs.tf

🚧 Files skipped from review as they are similar to previous changes (1)

• bootstrap/outputs.tf

[lsy1307]

config/secrets 변경 감지 누락 코멘트 남겼습니다.

[lsy1307]

이번 PR에서 config/secrets submodule pointer가 바뀌었는데 paths-filter는 environment와 modules만 보고 있습니다. 이후 tfvars/secrets 변경만 포함된 PR은 plan이, main push는 apply가 스킵될 수 있습니다. config/secrets 또는 환경별 tfvars 경로를 관련 필터에 추가하는 편이 안전합니다.

[Hexeong]

확인했습니다. terraform plan/apply 워크플로우 둘다 secret들의 변경에 대해서도 동작하도록 반영했습니다.