refactor: Parameter Store 기반 Terraform 입력값 전환

.github/workflows/terraform-apply.yml

@@ -35,25 +35,18 @@ jobs:
             global:
               - 'environment/global/**'
               - 'modules/shared_resources/**'
-              - 'config/secrets/shared_resources.tfvars'
             prod:
               - 'environment/prod/**'
               - 'modules/app_stack/**'
               - 'modules/common/**'
-              - 'config/secrets/prod.tfvars'
-              - 'config/secrets/app_stack.tfvars'
             stage:
               - 'environment/stage/**'
               - 'modules/app_stack/**'
               - 'modules/common/**'
-              - 'config/secrets/stage.tfvars'
-              - 'config/secrets/app_stack.tfvars'
             monitoring:
               - 'environment/monitoring/**'
               - 'modules/monitoring_stack/**'
               - 'modules/common/**'
-              - 'config/secrets/monitoring.tfvars'
-              - 'config/secrets/monitoring_stack.tfvars'
 
   apply-bootstrap:
     needs: detect-changes
@@ -106,9 +99,7 @@ jobs:
         run: terraform init
       - name: Terraform Apply
         working-directory: environment/global
-        run: |
-          terraform apply -auto-approve \
-            -var-file="../../config/secrets/shared_resources.tfvars"
+        run: terraform apply -auto-approve
 
   apply-prod:
     needs: [detect-changes, apply-bootstrap]
@@ -198,10 +189,7 @@ jobs:
         run: terraform init
       - name: Terraform Apply
         working-directory: environment/prod
-        run: |
-          terraform apply -auto-approve \
-            -var-file="../../config/secrets/prod.tfvars" \
-            -var-file="../../config/secrets/app_stack.tfvars"
+        run: terraform apply -auto-approve
       - name: Stop SSM Tunnel
         if: always()
         run: kill $SSM_PID 2>/dev/null || true
@@ -232,10 +220,7 @@ jobs:
         run: terraform init
       - name: Terraform Apply
         working-directory: environment/stage
-        run: |
-          terraform apply -auto-approve \
-            -var-file="../../config/secrets/stage.tfvars" \
-            -var-file="../../config/secrets/app_stack.tfvars"
+        run: terraform apply -auto-approve
 
   apply-monitoring:
     needs: [detect-changes, apply-bootstrap]
@@ -263,7 +248,4 @@ jobs:
         run: terraform init
       - name: Terraform Apply
         working-directory: environment/monitoring
-        run: |
-          terraform apply -auto-approve \
-            -var-file="../../config/secrets/monitoring.tfvars" \
-            -var-file="../../config/secrets/monitoring_stack.tfvars"
+        run: terraform apply -auto-approve

.github/workflows/terraform-plan.yml

@@ -36,25 +36,18 @@ jobs:
             global:
               - 'environment/global/**'
               - 'modules/shared_resources/**'
-              - 'config/secrets/shared_resources.tfvars'
             prod:
               - 'environment/prod/**'
               - 'modules/app_stack/**'
               - 'modules/common/**'
-              - 'config/secrets/prod.tfvars'
-              - 'config/secrets/app_stack.tfvars'
             stage:
               - 'environment/stage/**'
               - 'modules/app_stack/**'
               - 'modules/common/**'
-              - 'config/secrets/stage.tfvars'
-              - 'config/secrets/app_stack.tfvars'
             monitoring:
               - 'environment/monitoring/**'
               - 'modules/monitoring_stack/**'
               - 'modules/common/**'
-              - 'config/secrets/monitoring.tfvars'
-              - 'config/secrets/monitoring_stack.tfvars'
 
   plan-bootstrap:
     needs: detect-changes
@@ -141,9 +134,7 @@ jobs:
         id: plan
         working-directory: environment/global
         run: |
-          terraform plan -no-color \
-            -var-file="../../config/secrets/shared_resources.tfvars" \
-            2>&1 | tee plan_output.txt
+          terraform plan -no-color 2>&1 | tee plan_output.txt
           echo "exitcode=${PIPESTATUS[0]}" >> $GITHUB_OUTPUT
       - name: Upload Plan Artifact
         if: always()
@@ -267,10 +258,7 @@ jobs:
         id: plan
         working-directory: environment/prod
         run: |
-          terraform plan -no-color \
-            -var-file="../../config/secrets/prod.tfvars" \
-            -var-file="../../config/secrets/app_stack.tfvars" \
-            2>&1 | tee plan_output.txt
+          terraform plan -no-color 2>&1 | tee plan_output.txt
           echo "exitcode=${PIPESTATUS[0]}" >> $GITHUB_OUTPUT
       - name: Stop SSM Tunnel
         if: always()
@@ -334,10 +322,7 @@ jobs:
         id: plan
         working-directory: environment/stage
         run: |
-          terraform plan -no-color \
-            -var-file="../../config/secrets/stage.tfvars" \
-            -var-file="../../config/secrets/app_stack.tfvars" \
-            2>&1 | tee plan_output.txt
+          terraform plan -no-color 2>&1 | tee plan_output.txt
           echo "exitcode=${PIPESTATUS[0]}" >> $GITHUB_OUTPUT
       - name: Upload Plan Artifact
         if: always()
@@ -398,10 +383,7 @@ jobs:
         id: plan
         working-directory: environment/monitoring
         run: |
-          terraform plan -no-color \
-            -var-file="../../config/secrets/monitoring.tfvars" \
-            -var-file="../../config/secrets/monitoring_stack.tfvars" \
-            2>&1 | tee plan_output.txt
+          terraform plan -no-color 2>&1 | tee plan_output.txt
           echo "exitcode=${PIPESTATUS[0]}" >> $GITHUB_OUTPUT
       - name: Upload Plan Artifact
         if: always()

environment/global/main.tf

@@ -2,22 +2,22 @@ module "shared_resources" {
   source = "../../modules/shared_resources"
 
   providers = {
-    aws     = aws
+    aws = aws
   }
 
-  s3_upload_bucket_name             = var.s3_upload_bucket_name
+  s3_upload_bucket_name = local.s3_upload_bucket_name
 
-  resizing_img_func_name            = var.resizing_img_func_name
-  resizing_img_func_role            = var.resizing_img_func_role
-  resizing_img_func_handler         = var.resizing_img_func_handler
-  resizing_img_func_runtime         = var.resizing_img_func_runtime
-  resizing_img_func_layers          = var.resizing_img_func_layers
+  resizing_img_func_name    = local.resizing_img_func_name
+  resizing_img_func_role    = local.resizing_img_func_role
+  resizing_img_func_handler = local.resizing_img_func_handler
+  resizing_img_func_runtime = local.resizing_img_func_runtime
+  resizing_img_func_layers  = local.resizing_img_func_layers
 
-  thumbnail_generating_func_name    = var.thumbnail_generating_func_name
-  thumbnail_generating_func_role    = var.thumbnail_generating_func_role
-  thumbnail_generating_func_handler = var.thumbnail_generating_func_handler
-  thumbnail_generating_func_runtime = var.thumbnail_generating_func_runtime
-  thumbnail_generating_func_layers  = var.thumbnail_generating_func_layers
+  thumbnail_generating_func_name    = local.thumbnail_generating_func_name
+  thumbnail_generating_func_role    = local.thumbnail_generating_func_role
+  thumbnail_generating_func_handler = local.thumbnail_generating_func_handler
+  thumbnail_generating_func_runtime = local.thumbnail_generating_func_runtime
+  thumbnail_generating_func_layers  = local.thumbnail_generating_func_layers
 
-  upload_cdn_web_acl_id             = var.upload_cdn_web_acl_id
+  upload_cdn_web_acl_id = local.upload_cdn_web_acl_id
 }

environment/global/ssm.tf

@@ -0,0 +1,66 @@
+locals {
+  parameter_prefix = "/solid-connection/infra/global"
+}
+
+data "aws_ssm_parameter" "s3_upload_bucket_name" {
+  name = "${local.parameter_prefix}/s3-upload-bucket-name"
+}
+
+data "aws_ssm_parameter" "upload_cdn_web_acl_id" {
+  name = "${local.parameter_prefix}/upload-cdn-web-acl-id"
+}
+
+data "aws_ssm_parameter" "resizing_img_func_name" {
+  name = "${local.parameter_prefix}/resizing-img-func-name"
+}
+
+data "aws_ssm_parameter" "resizing_img_func_role" {
+  name = "${local.parameter_prefix}/resizing-img-func-role"
+}
+
+data "aws_ssm_parameter" "resizing_img_func_handler" {
+  name = "${local.parameter_prefix}/resizing-img-func-handler"
+}
+
+data "aws_ssm_parameter" "resizing_img_func_runtime" {
+  name = "${local.parameter_prefix}/resizing-img-func-runtime"
+}
+
+data "aws_ssm_parameter" "resizing_img_func_layers" {
+  name = "${local.parameter_prefix}/resizing-img-func-layers"
+}
+
+data "aws_ssm_parameter" "thumbnail_generating_func_name" {
+  name = "${local.parameter_prefix}/thumbnail-generating-func-name"
+}
+
+data "aws_ssm_parameter" "thumbnail_generating_func_role" {
+  name = "${local.parameter_prefix}/thumbnail-generating-func-role"
+}
+
+data "aws_ssm_parameter" "thumbnail_generating_func_handler" {
+  name = "${local.parameter_prefix}/thumbnail-generating-func-handler"
+}
+
+data "aws_ssm_parameter" "thumbnail_generating_func_runtime" {
+  name = "${local.parameter_prefix}/thumbnail-generating-func-runtime"
+}
+
+data "aws_ssm_parameter" "thumbnail_generating_func_layers" {
+  name = "${local.parameter_prefix}/thumbnail-generating-func-layers"
+}
+
+locals {
+  s3_upload_bucket_name             = data.aws_ssm_parameter.s3_upload_bucket_name.value
+  upload_cdn_web_acl_id             = data.aws_ssm_parameter.upload_cdn_web_acl_id.value
+  resizing_img_func_name            = data.aws_ssm_parameter.resizing_img_func_name.value
+  resizing_img_func_role            = data.aws_ssm_parameter.resizing_img_func_role.value
+  resizing_img_func_handler         = data.aws_ssm_parameter.resizing_img_func_handler.value
+  resizing_img_func_runtime         = data.aws_ssm_parameter.resizing_img_func_runtime.value
+  resizing_img_func_layers          = jsondecode(data.aws_ssm_parameter.resizing_img_func_layers.value)
+  thumbnail_generating_func_name    = data.aws_ssm_parameter.thumbnail_generating_func_name.value
+  thumbnail_generating_func_role    = data.aws_ssm_parameter.thumbnail_generating_func_role.value
+  thumbnail_generating_func_handler = data.aws_ssm_parameter.thumbnail_generating_func_handler.value
+  thumbnail_generating_func_runtime = data.aws_ssm_parameter.thumbnail_generating_func_runtime.value
+  thumbnail_generating_func_layers  = jsondecode(data.aws_ssm_parameter.thumbnail_generating_func_layers.value)
+}

environment/monitoring/main.tf

@@ -7,23 +7,23 @@ module "monitoring_stack" {
   # 기존 app_stack 모듈을 재사용하거나, 모니터링 전용 모듈이 있다면 경로 수정
   source = "../../modules/monitoring_stack"
 
-  env_name          = "monitoring"
-  vpc_id            = data.aws_vpc.default.id
+  env_name = "monitoring"
+  vpc_id   = data.aws_vpc.default.id
 
-  ami_id            = var.ami_id
+  ami_id = local.ami_id
 
-  key_name          = var.key_name
+  key_name = local.key_name
 
-  instance_type     = var.monitoring_instance_type
+  instance_type = local.monitoring_instance_type
 
-  private_ip = var.private_ip
+  private_ip = local.private_ip
 
   # Nginx 및 도메인 설정
-  domain_name = var.domain_name
-  cert_email  = var.cert_email
-  nginx_conf_name = var.nginx_conf_name
+  domain_name     = local.domain_name
+  cert_email      = local.cert_email
+  nginx_conf_name = local.nginx_conf_name
 
 
   # Grafana(3000), Prometheus(9090), Loki(3100) 포트 개방
-  monitoring_ingress_rules = var.monitoring_ingress_rules
+  monitoring_ingress_rules = local.monitoring_ingress_rules
 }

environment/monitoring/ssm.tf

@@ -0,0 +1,46 @@
+locals {
+  parameter_prefix = "/solid-connection/infra/monitoring"
+}
+
+data "aws_ssm_parameter" "ami_id" {
+  name = "${local.parameter_prefix}/ami-id"
+}
+
+data "aws_ssm_parameter" "monitoring_instance_type" {
+  name = "${local.parameter_prefix}/monitoring-instance-type"
+}
+
+data "aws_ssm_parameter" "key_name" {
+  name = "${local.parameter_prefix}/key-name"
+}
+
+data "aws_ssm_parameter" "private_ip" {
+  name = "${local.parameter_prefix}/private-ip"
+}
+
+data "aws_ssm_parameter" "domain_name" {
+  name = "${local.parameter_prefix}/domain-name"
+}
+
+data "aws_ssm_parameter" "cert_email" {
+  name = "${local.parameter_prefix}/cert-email"
+}
+
+data "aws_ssm_parameter" "nginx_conf_name" {
+  name = "${local.parameter_prefix}/nginx-conf-name"
+}
+
+data "aws_ssm_parameter" "monitoring_ingress_rules" {
+  name = "${local.parameter_prefix}/monitoring-ingress-rules"
+}
+
+locals {
+  ami_id                   = data.aws_ssm_parameter.ami_id.value
+  monitoring_instance_type = data.aws_ssm_parameter.monitoring_instance_type.value
+  key_name                 = data.aws_ssm_parameter.key_name.value
+  private_ip               = data.aws_ssm_parameter.private_ip.value
+  domain_name              = data.aws_ssm_parameter.domain_name.value
+  cert_email               = data.aws_ssm_parameter.cert_email.value
+  nginx_conf_name          = data.aws_ssm_parameter.nginx_conf_name.value
+  monitoring_ingress_rules = jsondecode(data.aws_ssm_parameter.monitoring_ingress_rules.value)
+}