
CodeDeploy

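# --- CodeDeploy (ECS blue/green) ---------------------------------------------
# Defines the service role CodeDeploy assumes, the IAM policies attached to it,
# the CodeDeploy application and the blue/green deployment group for an ECS
# service. aws_ecs_cluster.cluster, aws_ecs_service.svc, aws_alb_listener.lb and
# aws_alb_target_group.tg1/tg2 are declared elsewhere in this configuration.

data "aws_caller_identity" "current" {}

# Trust policy: only the CodeDeploy service principal may assume the role.
data "aws_iam_policy_document" "chungnam_assume_by_codedeploy" {
  statement {
    sid     = ""
    effect  = "Allow"
    actions = ["sts:AssumeRole"]

    principals {
      type        = "Service"
      identifiers = ["codedeploy.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "chungnam_codedeploy" {
  name               = "codedeploy-role"
  assume_role_policy = data.aws_iam_policy_document.chungnam_assume_by_codedeploy.json
}

# Bootstrap permissions that must exist before the deployment group is created
# (see depends_on on aws_codedeploy_deployment_group.deploy). The deployment
# group ARN is not known yet, so these actions are granted on "*";
# full_codedeploy_policy below repeats them with resource-level scoping.
data "aws_iam_policy_document" "basic_codedeploy_policy" {
  statement {
    sid    = "AllowBasicActions"
    effect = "Allow"
    actions = [
      "ecs:CreateTaskSet",
      "ecs:DeleteTaskSet",
      "ecs:DescribeServices",
      "ecs:UpdateServicePrimaryTaskSet",
      "elasticloadbalancing:DescribeListeners",
      "elasticloadbalancing:DescribeRules",
      "elasticloadbalancing:DescribeTargetGroups",
      "elasticloadbalancing:ModifyListener",
      "elasticloadbalancing:ModifyRule",
      "s3:GetObject",
      "codedeploy:GetDeploymentGroup",
      "codedeploy:CreateDeployment",
      "codedeploy:GetDeployment",
      "codedeploy:GetDeploymentConfig",
      "codedeploy:RegisterApplicationRevision",
    ]
    resources = ["*"]
  }

  # iam:PassRole lives in its own statement and is limited to roles passed to
  # ECS tasks, mirroring the AllowPassRole statement of full_codedeploy_policy.
  # Without the condition, PassRole on "*" would allow this service role to
  # hand any role in the account to any AWS service.
  statement {
    sid       = "AllowPassRoleToEcsTasks"
    effect    = "Allow"
    actions   = ["iam:PassRole"]
    resources = ["*"]

    condition {
      test     = "StringLike"
      variable = "iam:PassedToService"
      values   = ["ecs-tasks.amazonaws.com"]
    }
  }
}

resource "aws_iam_policy" "basic_codedeploy_policy" {
  name   = "basic-codedeploy-policy"
  policy = data.aws_iam_policy_document.basic_codedeploy_policy.json
}

resource "aws_iam_role_policy_attachment" "basic_codedeploy_policy_attachment" {
  role       = aws_iam_role.chungnam_codedeploy.name
  policy_arn = aws_iam_policy.basic_codedeploy_policy.arn
}

resource "aws_codedeploy_app" "deploy" {
  compute_platform = "ECS"
  name             = "wsc2024-cdy"
}

# Blue/green deployment group: traffic is shifted all at once between the two
# target groups behind the production listener; a failed deployment rolls back
# automatically and the old (blue) task set is terminated one minute after
# success.
resource "aws_codedeploy_deployment_group" "deploy" {
  app_name               = aws_codedeploy_app.deploy.name
  deployment_group_name  = "lb-cdy-group"
  deployment_config_name = "CodeDeployDefault.ECSAllAtOnce"
  service_role_arn       = aws_iam_role.chungnam_codedeploy.arn

  blue_green_deployment_config {
    deployment_ready_option {
      action_on_timeout = "CONTINUE_DEPLOYMENT"
    }

    terminate_blue_instances_on_deployment_success {
      action                           = "TERMINATE"
      termination_wait_time_in_minutes = 1
    }
  }

  ecs_service {
    cluster_name = aws_ecs_cluster.cluster.name
    service_name = aws_ecs_service.svc.name
  }

  deployment_style {
    deployment_option = "WITH_TRAFFIC_CONTROL"
    deployment_type   = "BLUE_GREEN"
  }

  auto_rollback_configuration {
    enabled = true
    events  = ["DEPLOYMENT_FAILURE"]
  }

  load_balancer_info {
    target_group_pair_info {
      prod_traffic_route {
        listener_arns = [aws_alb_listener.lb.arn]
      }

      target_group {
        name = aws_alb_target_group.tg1.name
      }

      target_group {
        name = aws_alb_target_group.tg2.name
      }
    }
  }

  # The service role must already hold its permissions when the deployment
  # group is created, hence the explicit dependency on the policy attachment.
  depends_on = [
    aws_iam_role_policy_attachment.basic_codedeploy_policy_attachment
  ]
}

# Resource-scoped permissions, created after the deployment group so its ARN
# can be referenced. Note that basic_codedeploy_policy stays attached to the
# same role, and IAM grants are additive, so the "*" grants above remain in
# effect; the narrower DeployService statement here adds to rather than
# restricts them.
data "aws_iam_policy_document" "full_codedeploy_policy" {
  statement {
    sid    = "AllowLoadBalancingAndECSModifications"
    effect = "Allow"
    actions = [
      "ecs:CreateTaskSet",
      "ecs:DeleteTaskSet",
      "ecs:DescribeServices",
      "ecs:UpdateServicePrimaryTaskSet",
      "elasticloadbalancing:DescribeListeners",
      "elasticloadbalancing:DescribeRules",
      "elasticloadbalancing:DescribeTargetGroups",
      "elasticloadbalancing:ModifyListener",
      "elasticloadbalancing:ModifyRule",
      "lambda:InvokeFunction",
      "cloudwatch:DescribeAlarms",
      "s3:GetObjectVersion",
      "s3:GetObject"
    ]
    resources = ["*"]
  }

  # PassRole is restricted to roles destined for ECS tasks.
  statement {
    sid       = "AllowPassRole"
    effect    = "Allow"
    actions   = ["iam:PassRole"]
    resources = ["*"]

    condition {
      test     = "StringLike"
      variable = "iam:PassedToService"
      values   = ["ecs-tasks.amazonaws.com"]
    }
  }

  statement {
    sid    = "DeployService"
    effect = "Allow"
    actions = [
      "ecs:DescribeServices",
      "codedeploy:GetDeploymentGroup",
      "codedeploy:CreateDeployment",
      "codedeploy:GetDeployment",
      "codedeploy:GetDeploymentConfig",
      "codedeploy:RegisterApplicationRevision"
    ]
    resources = [
      aws_ecs_service.svc.id,
      aws_codedeploy_deployment_group.deploy.arn,
      # NOTE: the region is hard-coded; it has to match the region the
      # provider deploys into, otherwise this ARN pattern matches nothing.
      "arn:aws:codedeploy:us-west-1:${data.aws_caller_identity.current.account_id}:deploymentconfig:*",
      aws_codedeploy_app.deploy.arn
    ]
  }
}

resource "aws_iam_policy" "full_codedeploy_policy" {
  name   = "full-codedeploy-policy"
  policy = data.aws_iam_policy_document.full_codedeploy_policy.json

  depends_on = [
    aws_codedeploy_deployment_group.deploy
  ]
}

resource "aws_iam_role_policy_attachment" "full_codedeploy_policy_attachment" {
  role       = aws_iam_role.chungnam_codedeploy.name
  policy_arn = aws_iam_policy.full_codedeploy_policy.arn

  depends_on = [
    aws_iam_policy.full_codedeploy_policy
  ]
}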