feat: NCP 인프라를 테라폼을 활용하여 구성합니다 (#9)

* feat: 인프라 구성에 필요한 변수 선언 * feat: NCP 인프라 구성에 필요한 변수 선언 * feat: NCP main 구성 * feat: NCP ACG 구성 * feat: NCP DB 구성 * feat: NCP Load Balancer 구성 * feat: NCP Network Interface 구성 * feat: NCP Route Table 구성 * feat: NCP Server 구성 * feat: NCP Subnet 구성 * feat: NCP Target Group 구성 * feat: NCP VPC 구성 * feat: NCP 모듈을 포함한 main 구성 * feat: NCP 인프라 구성 실행 액션 추가 * fix: github.ref 값을 main -> infra/main 으로 수정 * fix: 노출된 access, secret key 삭제
YAPP-Github · Jun 6, 2024 · f256ae9 · f256ae9
1 parent d31354f
commit f256ae9
Show file tree

Hide file tree

Showing 14 changed files with 424 additions and 0 deletions.
diff --git a/.github/workflows/terrafrom_ncp_iac.yml b/.github/workflows/terrafrom_ncp_iac.yml
@@ -0,0 +1,43 @@
+name: NCP IaC
+
+on:
+  push:
+    branches:
+      - infra/main
+  workflow_dispatch:
+
+jobs:
+  terraform:
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        shell: bash
+    env:
+      working-directory: ./infra/terraform
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+
+      - name: Terraform Setup
+        uses: hashicorp/setup-terraform@v2
+        with:
+          terraform_version: 1.8.2
+          cli_config_credentials_token: ${{ secrets.TF_API_TOKEN }}
+
+      - name: Terraform Init
+        working-directory: ${{ env.working-directory }}
+        run: terraform init
+
+      - name: Terraform Format
+        working-directory: ${{ env.working-directory }}
+        run: terraform fmt -check
+
+      - name: Terraform Plan
+        working-directory: ${{ env.working-directory }}
+        run: terraform plan -var=ncp_access_key=${{ secrets.NCP_ACCESS_KEY_ID }} -var=ncp_secret_key=${{ secrets.NCP_SECRET_ACCESS_KEY }} -input=false
+
+      - name: Terraform Apply
+        working-directory: ${{ env.working-directory }}
+        if: github.ref == 'refs/heads/infra/main' && github.event_name == 'push'
+        run: terraform apply -auto-approve -var=ncp_access_key=${{ secrets.NCP_ACCESS_KEY_ID }} -var=ncp_secret_key=${{ secrets.NCP_SECRET_ACCESS_KEY }} -input=false
diff --git a/infra/terraform/main.tf b/infra/terraform/main.tf
@@ -0,0 +1,21 @@
+# Cloud
+terraform {
+  cloud {
+    organization = "few-org"
+    hostname     = "app.terraform.io"
+    workspaces {
+      name = "few-org-work"
+    }
+  }
+}
+
+# NCP Provider
+module "ncp" {
+  source       = "./ncp"
+  prefix       = var.prefix
+  region       = var.ncp_region
+  access_key   = var.ncp_access_key
+  secret_key   = var.ncp_secret_key
+  rds_username = var.ncp_rds_username
+  rds_password = var.ncp_rds_password
+}
diff --git a/infra/terraform/ncp/acg.tf b/infra/terraform/ncp/acg.tf
@@ -0,0 +1,66 @@
+# ACG 생성
+resource "ncloud_access_control_group" "be_server" {
+  name        = "${var.prefix}-be-server-acg"
+  description = "Backend Server Access Control Group"
+  vpc_no      = ncloud_vpc.vpc.id
+}
+
+# ACG Rule 생성
+## Backend Server ACG Rule
+resource "ncloud_access_control_group_rule" "be_server_rule" {
+  access_control_group_no = ncloud_access_control_group.be_server.id
+
+  inbound {
+    protocol    = "TCP"
+    ip_block    = "0.0.0.0/0"
+    port_range  = "22"
+    description = "accept 22 port"
+  }
+
+  inbound {
+    protocol    = "TCP"
+    ip_block    = "0.0.0.0/0"
+    port_range  = "1-65535"
+    description = "accept 1-65535 port"
+  }
+
+  outbound {
+    protocol    = "TCP"
+    ip_block    = "0.0.0.0/0"
+    port_range  = "1-65535"
+    description = "accept 1-65535 port"
+  }
+}
+
+## Database Server ACG Rule
+resource "ncloud_access_control_group_rule" "db_server_rule" {
+  access_control_group_no = ncloud_mysql.mysql.access_control_group_no_list[0]
+
+  inbound {
+    protocol                       = "TCP"
+    port_range                     = "3306"
+    source_access_control_group_no = ncloud_access_control_group.be_server.id
+    description                    = "accept 3306 port"
+  }
+
+  inbound {
+    protocol    = "TCP"
+    ip_block    = ncloud_subnet.public_a.subnet
+    port_range  = "3306"
+    description = "accept 3306 port"
+  }
+
+  inbound {
+    protocol    = "TCP"
+    ip_block    = "0.0.0.0/0"
+    port_range  = "3306"
+    description = "accept 3306 port"
+  }
+
+  outbound {
+    protocol    = "TCP"
+    ip_block    = "0.0.0.0/0"
+    port_range  = "1-65535"
+    description = "accept 1-65535 port"
+  }
+}
diff --git a/infra/terraform/ncp/db.tf b/infra/terraform/ncp/db.tf
@@ -0,0 +1,15 @@
+# MySQL 생성
+resource "ncloud_mysql" "mysql" {
+  user_name          = var.rds_username
+  user_password      = var.rds_password
+  host_ip            = ncloud_public_ip.be_public_ip.public_ip
+  database_name      = "${var.prefix}-db"
+  service_name       = "mysql"
+  server_name_prefix = "${var.prefix}-db"
+  subnet_no          = ncloud_subnet.db_a.id
+  data_storage_type  = "SSD"
+  is_ha              = false
+  is_backup          = false
+  port               = 3306
+}
+
diff --git a/infra/terraform/ncp/lb.tf b/infra/terraform/ncp/lb.tf
@@ -0,0 +1,15 @@
+# Load Balancer 생성
+resource "ncloud_lb" "be_lb" {
+  name           = "${var.prefix}-lb"
+  network_type   = "PUBLIC"
+  type           = "APPLICATION"
+  subnet_no_list = [ncloud_subnet.lb_a.subnet_no]
+}
+
+# Load Balancer Target Group 설정
+resource "ncloud_lb_listener" "be_lb_listener" {
+  load_balancer_no = ncloud_lb.be_lb.load_balancer_no
+  protocol         = "HTTP"
+  port             = 80
+  target_group_no  = ncloud_lb_target_group.be_tg.target_group_no
+}
diff --git a/infra/terraform/ncp/main.tf b/infra/terraform/ncp/main.tf
@@ -0,0 +1,15 @@
+terraform {
+  required_providers {
+    ncloud = {
+      source = "NaverCloudPlatform/ncloud"
+    }
+  }
+  required_version = ">= 0.13"
+}
+
+provider "ncloud" {
+  support_vpc = true // VPC 사용
+  access_key  = var.access_key
+  secret_key  = var.secret_key
+  region      = var.region
+}
diff --git a/infra/terraform/ncp/nic.tf b/infra/terraform/ncp/nic.tf
@@ -0,0 +1,7 @@
+# Network Interface 생성
+resource "ncloud_network_interface" "be_server_nic" {
+  name                  = "${var.prefix}-be-server-nic"
+  description           = "Backend NIC"
+  subnet_no             = ncloud_subnet.public_a.subnet_no
+  access_control_groups = [ncloud_access_control_group.be_server.id]
+}
diff --git a/infra/terraform/ncp/rt.tf b/infra/terraform/ncp/rt.tf
@@ -0,0 +1,21 @@
+# Route Table 생성
+## Public RT 생성
+resource "ncloud_route_table" "public_rt" {
+  vpc_no                = ncloud_vpc.vpc.id
+  supported_subnet_type = "PUBLIC"
+  name                  = "${var.prefix}-public-rt"
+}
+
+## Private RT 생성
+resource "ncloud_route_table" "private_rt" {
+  vpc_no                = ncloud_vpc.vpc.id
+  supported_subnet_type = "PRIVATE"
+  name                  = "${var.prefix}-private-rt"
+}
+
+# Route Table Association 생성
+## Public RT & Public Subnet A 연결
+resource "ncloud_route_table_association" "public_a" {
+  route_table_no = ncloud_route_table.public_rt.id
+  subnet_no      = ncloud_subnet.public_a.id
+}
diff --git a/infra/terraform/ncp/server.tf b/infra/terraform/ncp/server.tf
@@ -0,0 +1,88 @@
+# SSH Key 생성
+resource "ncloud_login_key" "be_key" {
+  key_name = "${var.prefix}-be-key"
+}
+
+# SSH Key 파일 생성
+resource "local_file" "be_key" {
+  filename = "${var.prefix}_be.pem"
+  content  = ncloud_login_key.be_key.private_key
+}
+
+# Server 생성
+resource "ncloud_server" "be_server" {
+  subnet_no                 = ncloud_subnet.public_a.id
+  name                      = "${var.prefix}-be-server"
+  server_image_product_code = data.ncloud_server_image.image.product_code
+  server_product_code       = data.ncloud_server_product.product.product_code
+  login_key_name            = ncloud_login_key.be_key.key_name
+  network_interface {
+    order                = 0
+    network_interface_no = ncloud_network_interface.be_server_nic.id
+  }
+}
+
+# Server에 public ip 할당
+resource "ncloud_public_ip" "be_public_ip" {
+  server_instance_no = ncloud_server.be_server.id
+}
+
+# ubuntu 20.04 이미지 정보
+data "ncloud_server_image" "image" {
+  product_code = "SW.VSVR.OS.LNX64.UBNTU.SVR2004.B050"
+}
+
+# Server 스펙 정보
+data "ncloud_server_product" "product" {
+  server_image_product_code = data.ncloud_server_image.image.product_code
+  filter {
+    name   = "product_code"
+    values = ["SSD"]
+    regex  = true
+  }
+
+  filter {
+    name   = "cpu_count"
+    values = ["2"]
+  }
+
+  filter {
+    name   = "memory_size"
+    values = ["8GB"]
+  }
+
+  filter {
+    name   = "base_block_storage_size"
+    values = ["50GB"]
+  }
+
+  filter {
+    name   = "product_type"
+    values = ["STAND"]
+  }
+}
+
+# Server root password 정보
+data "ncloud_root_password" "be_root_password" {
+  server_instance_no = ncloud_server.be_server.id
+  private_key        = ncloud_login_key.be_key.private_key
+}
+
+resource "local_file" "be_root_password" {
+  filename = "${var.prefix}_be_root_password.txt"
+  content  = data.ncloud_root_password.be_root_password.root_password
+}
+
+# Server init script
+## 임시 init script / nginx 설치 및 실행
+resource "ncloud_init_script" "be_init_script" {
+  name    = "${var.prefix}-be-init-script"
+  content = <<EOF
+#!/bin/bash
+apt update -y
+apt install docker.io -y
+systemctl enable docker
+systemctl start docker
+docker run -d -p 8080:80 --name nginx nginx
+EOF
+}
diff --git a/infra/terraform/ncp/subnet.tf b/infra/terraform/ncp/subnet.tf
@@ -0,0 +1,31 @@
+# Subnet 생성
+## Load Balancer Subnet 생성
+resource "ncloud_subnet" "lb_a" {
+  vpc_no         = ncloud_vpc.vpc.id
+  subnet         = "10.0.0.0/24"
+  zone           = "KR-1"
+  network_acl_no = ncloud_vpc.vpc.default_network_acl_no
+  subnet_type    = "PUBLIC"
+  name           = "${var.prefix}-lb-a"
+  usage_type     = "LOADB"
+}
+
+## Public Subnet A 생성
+resource "ncloud_subnet" "public_a" {
+  vpc_no         = ncloud_vpc.vpc.id
+  subnet         = "10.0.10.0/24"
+  zone           = "KR-1"
+  network_acl_no = ncloud_vpc.vpc.default_network_acl_no
+  subnet_type    = "PUBLIC"
+  name           = "${var.prefix}-public-a"
+}
+
+## Database Subnet A 생성
+resource "ncloud_subnet" "db_a" {
+  vpc_no         = ncloud_vpc.vpc.id
+  subnet         = "10.0.100.0/24"
+  zone           = "KR-1"
+  network_acl_no = ncloud_vpc.vpc.default_network_acl_no
+  subnet_type    = "PUBLIC"
+  name           = "${var.prefix}-db-a"
+}
diff --git a/infra/terraform/ncp/tg.tf b/infra/terraform/ncp/tg.tf
@@ -0,0 +1,25 @@
+# Target Group 생성
+resource "ncloud_lb_target_group" "be_tg" {
+  vpc_no      = ncloud_vpc.vpc.id
+  protocol    = "HTTP"
+  target_type = "VSVR"
+  port        = 8080
+  description = "target group for ncp"
+  health_check {
+    protocol       = "HTTP"
+    http_method    = "GET"
+    port           = 8080
+    url_path       = "/" // todo fix
+    cycle          = 30
+    up_threshold   = 2
+    down_threshold = 2
+  }
+
+  algorithm_type = "RR"
+}
+
+# Target Group Attachment 설정
+resource "ncloud_lb_target_group_attachment" "be_tg_attachment" {
+  target_group_no = ncloud_lb_target_group.be_tg.target_group_no
+  target_no_list  = [ncloud_server.be_server.id]
+}
diff --git a/infra/terraform/ncp/variable.tf b/infra/terraform/ncp/variable.tf
@@ -0,0 +1,36 @@
+variable "prefix" {
+  type        = string
+  default     = "few"
+  description = "The prefix to use for all resources"
+}
+
+
+variable "access_key" {
+  type        = string
+  sensitive   = true
+  description = "The access key for the IAM root user"
+}
+
+variable "secret_key" {
+  type        = string
+  sensitive   = true
+  description = "The secret key for the IAM root user"
+}
+
+variable "region" {
+  type        = string
+  description = "The region where the resources will be created"
+  default     = "KR"
+}
+
+variable "rds_username" {
+  type        = string
+  default     = "thisisrdsroot"
+  description = "The username for the RDS instance"
+}
+
+variable "rds_password" {
+  type        = string
+  default     = "thisisrdspassword@1"
+  description = "The password for the RDS instance"
+}