[REFACTOR] ssm+oidc setup #230

Merged
catomat0 merged 2 commits into develop from refactor/#229-ssm-oidc-deploy on Jun 23, 2026

Conversation

@catomat0 catomat0 commented Jun 23, 2026

Collaborator

📌 PR overview

  • Deployment method change

🔗 Related issue


🛠 Changes

  • Changed the deployment method from deploying through the SSH port to the SSM + OIDC approach

⚠️ Notes for reviewers


✅ Checklist

  • Runs correctly locally
  • Logs / naming cleaned up
  • Not a direct commit to main / develop

Summary by CodeRabbit

Release notes

  • Chores
    • Added a manual trigger to the CD pipeline
    • Switched the deployment mechanism to an AWS-based system, improving security and stability
    • Implemented automatic recovery and retry logic on deployment failure
    • Made deployment permission settings explicit

@catomat0 catomat0 self-assigned this Jun 23, 2026
coderabbitai Bot commented Jun 23, 2026


Warning

Review limit reached

@catomat0, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 52 minutes and 20 seconds. Learn how PR review limits work.

Your organization has used up its prepaid credits, and credit purchases are no longer available. Enable the review add-on in the billing tab to keep reviews running — you're only billed for reviews past your plan's rate limits ($0.25/file).

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based credits.

🚦 How do rate limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan refill rate.

For paid Pro and Pro+ PR reviews, CodeRabbit uses rolling per-developer review limits. Reviews become available again as older review attempts age out of the rolling limit window.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yml

Review profile: CHILL

Plan: Pro

Run ID: 9b56d866-b5ea-43d5-8724-5d7812e9c978

📥 Commits

Reviewing files that changed from the base of the PR and between adc3374 and fc27f88.

📒 Files selected for processing (1)
  • .github/workflows/cd.yml
📝 Walkthrough

A manual trigger (workflow_dispatch) and a permissions block for OIDC were added to the CD workflow (cd.yml), and the existing SSH/SCP-based EC2 deployment step was replaced by one that obtains OIDC credentials and then uses AWS SSM send-command/wait/get-command-invocation.

Changes

SSM-based CD pipeline migration

Layer / File(s): Workflow trigger and OIDC permission settings (.github/workflows/cd.yml)
Summary: Adds a workflow_dispatch trigger and declares id-token: write and contents: read in the permissions block, changing the top-level workflow configuration so that an OIDC token can be issued.

Layer / File(s): SSH→SSM deployment step replacement (.github/workflows/cd.yml)
Summary: Removes the appleboy/ssh-action and appleboy/scp-action steps; obtains temporary OIDC credentials with aws-actions/configure-aws-credentials, then uses aws ssm send-command to deliver the docker-compose pull app, up -d (retrying after down on failure), ps, then docker image prune -f commands to EC2, and receives the execution result with wait and get-command-invocation.

Sequence Diagram(s)

sequenceDiagram
  participant GHA as GitHub Actions
  participant OIDC as GitHub OIDC Provider
  participant STS as AWS STS
  participant SSM as AWS SSM
  participant EC2 as EC2 Instance

  rect rgba(135, 206, 250, 0.5)
    note over GHA,STS: Obtain OIDC credentials
    GHA->>OIDC: Request ID token
    OIDC-->>GHA: Return ID token
    GHA->>STS: AssumeRoleWithWebIdentity
    STS-->>GHA: Issue temporary credentials
  end

  rect rgba(144, 238, 144, 0.5)
    note over GHA,EC2: Run remote command via SSM
    GHA->>SSM: send-command (docker-compose pull/up/ps/prune)
    SSM->>EC2: Deliver shell command
    EC2-->>SSM: Command execution completed
    GHA->>SSM: wait command-executed
    GHA->>SSM: get-command-invocation
    SSM-->>GHA: Return stdout
  end

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name | Status | Explanation
Description Check | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled.
Title check | ✅ Passed | The PR title clearly summarizes the main change, from SSH-based deployment to SSM+OIDC-based deployment.
Linked Issues check | ✅ Passed | The PR's cd.yml changes fully satisfy the third of the three completed tasks in issue #229 (IAM role setup, SSM agent configuration, cd.yml modification).
Out of Scope Changes check | ✅ Passed | All changes in the PR fall within the scope of issue #229's deployment mechanism refactoring; there are no unrelated changes.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.



catomat0 commented Jun 23, 2026

Collaborator Author

@CodeRabbit


coderabbitai Bot commented Jun 23, 2026


@catomat0 Hello! I'll review the PR for you.

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/cd.yml:
- Around line 86-94: The aws ssm wait command-executed waiter times out after approximately 100 seconds, which can cause false deployment failures when docker-compose operations exceed this timeout despite the remote command still executing successfully. Additionally, when the waiter fails, the subsequent get-command-invocation calls in the step are never executed due to the shell's pipefail setting, and the current implementation only retrieves StandardOutputContent while missing StandardErrorContent and Status for proper diagnostics. Replace the aws ssm wait command-executed waiter with a custom polling loop that properly handles longer-running operations, and modify the aws ssm get-command-invocation call to query StandardOutputContent, StandardErrorContent, and Status together, ensuring these diagnostic outputs are always retrieved regardless of command success or failure status.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yml

Review profile: CHILL

Plan: Pro

Run ID: 34482d7c-b6b2-46c7-98d7-9613758de1e5

📥 Commits

Reviewing files that changed from the base of the PR and between 668abb1 and adc3374.

📒 Files selected for processing (1)
  • .github/workflows/cd.yml
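The polling loop the review comment asks for, written here as an added example rather than the PR's own cd.yml step: it replaces the waiter with repeated get-command-invocation calls and then fetches stdout, stderr and the final Status whether the command succeeded or not. The AWS_CLI variable, the 900-second default deadline and the 10-second poll interval are assumptions chosen for illustration.

```shell
#!/usr/bin/env bash
# Added example, not the PR's own cd.yml step: poll an SSM command invocation
# instead of `aws ssm wait command-executed`, which gives up after roughly
# 100 seconds. Status, stdout and stderr are always collected for the deploy log.
# AWS_CLI is overridable (assumption) so the loop can be exercised with a stub.
set -eu
AWS_CLI="${AWS_CLI:-aws}"

# One get-command-invocation call returning a single field as plain text.
ssm_field() {  # $1=command-id  $2=instance-id  $3=field (Status, StandardOutputContent, ...)
  "$AWS_CLI" ssm get-command-invocation --command-id "$1" --instance-id "$2" \
    --query "$3" --output text 2>/dev/null
}

# Terminal values of the invocation Status field; Pending, InProgress, Delayed
# and Cancelling mean the command is still in flight.
is_terminal_status() {
  case "$1" in Success|Failed|Cancelled|TimedOut) return 0 ;; *) return 1 ;; esac
}

# Poll until the invocation reaches a terminal status or max_wait seconds pass,
# then print stdout, stderr and the status regardless of outcome.
# Returns 0 only when the status is Success, so the workflow step fails otherwise.
# A failing CLI call (e.g. the invocation is not visible yet right after
# send-command) is treated as "still pending" instead of aborting the step.
wait_for_ssm_command() {  # $1=command-id $2=instance-id $3=max_wait s (900) $4=interval s (10)
  local cmd="$1" inst="$2" max_wait="${3:-900}" interval="${4:-10}" waited=0 status
  while :; do
    status="$(ssm_field "$cmd" "$inst" Status || echo Pending)"
    if is_terminal_status "$status"; then break; fi
    if [ "$waited" -ge "$max_wait" ]; then
      echo "deploy: still $status after ${waited}s; collecting partial output" >&2
      break
    fi
    sleep "$interval"; waited=$((waited + interval))
  done
  echo "--- stdout ---"; ssm_field "$cmd" "$inst" StandardOutputContent || true
  echo "--- stderr ---"; ssm_field "$cmd" "$inst" StandardErrorContent || true
  echo "--- status: $status ---"
  [ "$status" = Success ]
}

# Stand-alone use: wait_for_ssm_command <command-id> <instance-id> [max_wait] [interval]
if [ $# -ge 2 ]; then wait_for_ssm_command "$@"; fi
```

In the workflow step this replaces the single wait call; the step still fails on a non-Success status, but the collected output explains why.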

Comment thread .github/workflows/cd.yml Outdated
@catomat0

Collaborator Author

@CodeRabbit


coderabbitai Bot commented Jun 23, 2026


@catomat0 Hello! I'll run the review for PR #230 again.

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@catomat0 catomat0 merged commit 160f6fe into develop Jun 23, 2026
2 checks passed
catomat0 added a commit that referenced this pull request Jun 23, 2026


Successfully merging this pull request may close these issues.

[REFACTOR] SSM + OICD deployment method change
