feat: stage 환경 구축

.github/workflows/image_resizer_stage_CD.yaml

@@ -0,0 +1,86 @@
+name: image_resizer_stage_CD
+
+on:
+  pull_request:
+    branches:
+      - stage
+    types:
+      - closed
+    paths:
+      - 'lambda/image_resizer/**'
+      - '!lambda/image_resizer/README.md'
+  workflow_dispatch:
+
+permissions:
+  id-token: write
+  contents: read
+
+env:
+  LAMBDA: stage-image-resizer
+  STAGE_BUCKET_NAME: stage-daedong-image-637423658689
+
+jobs:
+  upload_zip_to_lambda:
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: lambda/image_resizer
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Make zip
+        run: |
+          sed -i "s/BUCKET_NAME/${{ env.STGAGE_BUCKET_NAME }}/gi" index.js
+          docker build --tag sharp_on_lambda:nodejs20 .
+          docker run --name sharp_on_lambda_container sharp_on_lambda:nodejs20
+          docker cp sharp_on_lambda_container:/image_resizer.zip .
+
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v2
+        with:
+          role-to-assume: ${{ secrets.STG_AWS_GITHUB_ACTION_ROLE }}
+          aws-region: ap-northeast-2
+
+      - name: Upload and Publish Lambda
+        id: upload-lambda
+        run: |
+          aws lambda update-function-code \
+          --region us-east-1 \
+          --function-name ${{ env.LAMBDA }} \
+          --zip-file fileb://image_resizer.zip
+
+          while [[ "$(aws lambda get-function --region us-east-1 --function-name ${{ env.LAMBDA }} --query 'Configuration.LastUpdateStatus')" != "\"Successful\"" ]]; do
+            echo "Waiting for function update to complete..."
+            sleep 10
+          done
+
+          echo "Function update completed."
+          
+          echo "LAMBDA_ARN=$(
+            aws lambda publish-version \
+            --region us-east-1 \
+            --function-name ${{ env.LAMBDA }} \
+            --query 'FunctionArn'\
+            --output text
+          )" >> $GITHUB_OUTPUT
+
+      - name: Distribute Lambda@Edge
+        env:
+          LAMBDA_ARN: ${{ steps.upload-lambda.outputs.LAMBDA_ARN }}
+        run: |
+          aws cloudfront get-distribution-config \
+          --id ${{ secrets.STG_IMAGE_CLOUDFRONT_ID }} \
+          --output json > distribution-config-with-etag.json
+
+          ETag=$(jq -r '.ETag' distribution-config-with-etag.json)
+          jq -r '.DistributionConfig' distribution-config-with-etag.json > distribution-config.json
+
+          jq --arg lambda_arn $LAMBDA_ARN \
+          '.DefaultCacheBehavior.LambdaFunctionAssociations.Items[0].LambdaFunctionARN = $lambda_arn' \
+          distribution-config.json > modified-config.json
+
+          aws cloudfront update-distribution \
+          --id ${{ secrets.STG_IMAGE_CLOUDFRONT_ID }} \
+          --if-match $ETag \
+          --distribution-config file://modified-config.json

.github/workflows/prod_initial_setting.yaml

@@ -23,8 +23,7 @@ jobs:
       - name: Configure AWS Credentials
         uses: aws-actions/configure-aws-credentials@v2
         with:
-          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY }}
-          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} 
+          role-to-assume: ${{ secrets.PRD_AWS_GITHUB_ACTION_ROLE }}
           aws-region: ${{ env.AWS_REGION }}
 
       - name: Setup Terraform

.github/workflows/stage_CD.yaml

@@ -0,0 +1,114 @@
+name: stage_CD
+
+on:
+  pull_request:
+    branches:
+      - stage
+    types:
+      - closed
+    paths:
+      - 'modules/**'
+      - 'root/stage/**'
+      - '!modules/READMD.md'
+      - '!root/stage/READMD.md'
+  workflow_dispatch:
+
+env:
+  AWS_REGION: ap-northeast-2
+
+permissions:
+  id-token: write
+  contents: read
+  actions: read
+
+jobs:
+  terraform-apply:
+    if: ${{ (github.event_name == 'workflow_dispatch' || (github.event_name == 'pull_request' && github.event.pull_request.merged == true)) && github.ref == 'refs/heads/stage' }}
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: root/stage
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v2
+        with:
+          role-to-assume: ${{ secrets.STG_AWS_GITHUB_ACTION_ROLE }}
+          aws-region: ${{ env.AWS_REGION }}
+
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@v3
+        with:
+            terraform_version: 1.7.3
+
+      - name: Terraform init
+        id: init
+        run: terraform init
+
+      - name: Terraform plan
+        env:
+          RDS_PASSWORD: ${{ secrets.STG_RDS_PASSWORD }}
+          JWT_KEY: ${{ secrets.STG_JWT_KEY }}
+          JWT_ADMIN_KEY: ${{ secrets.STG_JWT_ADMIN_KEY }}
+          OPEN_SEARCH_USERNAME: ${{ secrets.STG_OPEN_SEARCH_USERNAME }}
+          OPEN_SEARCH_PASSWORD: ${{ secrets.STG_OPEN_SEARCH_PASSWORD }}
+          SGIS_KEY: ${{ secrets.SGIS_KEY }}
+          SGIS_SECRET: ${{ secrets.SGIS_SECRET }}
+          FIREBASE_PROJECTID: ${{ secrets.STG_FIREBASE_PROJECTID }}
+          FIREBASE_CREDENTIALS: ${{ secrets.STG_FIREBASE_CREDENTIALS }}
+        run: |
+          terraform plan -lock-timeout=3m --var-file=prod.tfvars -no-color \
+            -var rds_password=$RDS_PASSWORD \
+            -var jwt_key=$JWT_KEY \
+            -var jwt_admin_key=$JWT_ADMIN_KEY \
+            -var search_master_user_name=$OPEN_SEARCH_USERNAME \
+            -var search_master_user_password=$OPEN_SEARCH_PASSWORD \
+            -var sgis_key=$SGIS_KEY \
+            -var sgis_secret=$SGIS_SECRET \
+            -var firebase_projectid=$FIREBASE_PROJECTID \
+            -var firebase_credentials="$FIREBASE_CREDENTIALS" \
+            -out tfplan
+
+      - name: Terraform apply
+        run: |
+          terraform apply tfplan
+
+      - name: CD notification to Slack
+        uses: 8398a7/action-slack@v3
+        with:
+          status: custom
+          fields: repo,workflow,job
+          custom_payload: |
+            {
+              text: '*[개발 환경]* Terraform Apply',
+              attachments: [{
+                color: '${{ job.status }}' === 'success' ? 'good' : 'danger',
+                fields: [
+                  {
+                    title: 'Result',
+                    value: '${{ job.status }}' === 'success' ? 'Success' : 'Fail',
+                    short: false
+                  },
+                  {
+                    "title": 'Resource',
+                    "value": '${{ contains(github.event.pull_request.body, '[API]') && 'API' || 'Infra' }}',
+                    "short": false
+                  },
+                  {
+                    title: 'Repository',
+                    value: `${process.env.AS_REPO}`,
+                    short: false
+                  },
+                  {
+                    title: 'Action',
+                    value: `${process.env.AS_WORKFLOW}`,
+                    short: false
+                  }
+                ]
+              }]
+            }
+        env:
+          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+        if: always()

.github/workflows/stage_CI.yaml

@@ -0,0 +1,76 @@
+name: stage_CI
+
+on:
+  pull_request:
+    branches:
+      - stage
+    paths:
+      - 'modules/**'
+      - 'root/stage/**'
+      - '!modules/READMD.md'
+      - '!root/stage/READMD.md'
+  workflow_dispatch:
+
+env:
+  AWS_REGION: ap-northeast-2
+
+permissions:
+  id-token: write
+  contents: read
+
+jobs:
+  terraform-validate:
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: root/stage
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v2
+        with:
+          role-to-assume: ${{ secrets.STG_AWS_GITHUB_ACTION_ROLE }}
+          aws-region: ${{ env.AWS_REGION }}
+
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_version: 1.7.3
+
+      - name: Terraform fmt
+        id: fmt
+        run: terraform fmt -recursive -check
+        continue-on-error: true
+
+      - name: Terraform init
+        id: init
+        run: terraform init
+
+      - name: Terraform Validate
+        id: validate
+        run: terraform validate -no-color
+
+      - name: Terraform plan
+        env:
+          RDS_PASSWORD: ${{ secrets.STG_RDS_PASSWORD }}
+          JWT_KEY: ${{ secrets.STG_JWT_KEY }}
+          JWT_ADMIN_KEY: ${{ secrets.STG_JWT_ADMIN_KEY }}
+          OPEN_SEARCH_USERNAME: ${{ secrets.STG_OPEN_SEARCH_USERNAME }}
+          OPEN_SEARCH_PASSWORD: ${{ secrets.STG_OPEN_SEARCH_PASSWORD }}
+          SGIS_KEY: ${{ secrets.SGIS_KEY }}
+          SGIS_SECRET: ${{ secrets.SGIS_SECRET }}
+          FIREBASE_PROJECTID: ${{ secrets.STG_FIREBASE_PROJECTID }}
+          FIREBASE_CREDENTIALS: ${{ secrets.STG_FIREBASE_CREDENTIALS }}
+        run: |
+          terraform plan -lock-timeout=3m --var-file=stage.tfvars -no-color \
+            -var rds_password=$RDS_PASSWORD \
+            -var jwt_key=$JWT_KEY \
+            -var jwt_admin_key=$JWT_ADMIN_KEY \
+            -var search_master_user_name=$OPEN_SEARCH_USERNAME \
+            -var search_master_user_password=$OPEN_SEARCH_PASSWORD \
+            -var sgis_key=$SGIS_KEY \
+            -var sgis_secret=$SGIS_SECRET \
+            -var firebase_projectid=$FIREBASE_PROJECTID \
+            -var firebase_credentials="$FIREBASE_CREDENTIALS"

.github/workflows/stage_initial_setting.yaml

@@ -0,0 +1,53 @@
+name: stage_initial_setting
+
+on:
+  workflow_dispatch:
+
+env:
+  AWS_REGION: ap-northeast-2
+
+permissions:
+  id-token: write
+  contents: read
+
+jobs:
+  terraform-apply:
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: global/stage
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v2
+        with:
+          role-to-assume: ${{ secrets.STG_AWS_GITHUB_ACTION_ROLE }}
+          aws-region: ${{ env.AWS_REGION }}
+
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_version: 1.7.3
+
+      - name: Terraform fmt
+        id: fmt
+        run: terraform fmt -recursive -check
+        continue-on-error: true
+
+      - name: Terraform init
+        id: init
+        run: terraform init
+
+      - name: Terraform Validate
+        id: validate
+        run: terraform validate -no-color
+
+      - name: Terraform plan
+        run: |
+          terraform plan -no-color -out planfile
+
+      - name: Terraform apply
+        run: |
+          terraform apply planfile

global/stage/backend.tf

@@ -0,0 +1,9 @@
+terraform {
+    backend "s3" {
+        bucket         = "stage-daedong-terraform-remote-state-637423658689" // TODO
+        key            = "global/stage/terraform.tfstate"        // TODO
+        region         = "ap-northeast-2"
+        dynamodb_table = "stage-daedong-terraform-state-lock-637423658689" // TODO
+        encrypt        = true
+    }
+}