07. Module Reference Guide
Module reference guide for MILU2 Infrastructure.
Module Index
| Module | Path | Purpose |
|---|---|---|
| github_provider | modules/github_provider/ | GitHub OIDC provider |
| cicd | modules/cicd/ | Infra deploy role |
| cicd_app_deploy | modules/cicd_app_deploy/ | App deploy role |
| core | modules/core/ | Main infrastructure (12 sub-modules) |
github_provider
Location: modules/github_provider/
Purpose
Creates AWS IAM OIDC provider for GitHub Actions authentication.
Inputs
| Variable | Type | Description |
|---|---|---|
| app_name | string | Application name prefix |
Outputs
| Output | Description |
|---|---|
| oidc_provider_arn | ARN of OIDC provider |
cicd
Location: modules/cicd/
Purpose
Creates IAM role for infrastructure deployment from GitHub Actions.
Inputs
| Variable | Type | Description |
|---|---|---|
| app_name | string | Application name prefix |
| oidc_provider_arn | string | From github_provider |
| infra_repositories | list(string) | GitHub repos allowed to deploy |
Outputs
| Output | Description |
|---|---|
| role_arn | IAM role ARN for infra deploy |
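The security-relevant part of github_provider and cicd is the trust policy: the OIDC provider itself is account-wide, and what keeps the infra deploy role from being assumable by arbitrary GitHub workflows is the pair of conditions on the token's aud and sub claims, scoped to infra_repositories. The following is an added example of that shape, not the code of modules/github_provider or modules/cicd; var.app_name and var.infra_repositories follow the input tables above, while the main-branch and production-environment subjects, the resource names and the tls_certificate lookup are assumptions.

```hcl
# Added example, not the repository's modules/github_provider or modules/cicd code.
# Assumed: var.app_name (string) and var.infra_repositories (list of "org/repo");
# the allowed branch/environment subjects below are constructed for illustration.

data "tls_certificate" "github" {
  url = "https://token.actions.githubusercontent.com/.well-known/openid-configuration"
}

# github_provider: one IAM OIDC provider per account. AWS now validates GitHub's
# certificate chain against its own trust store, but the API still requires a thumbprint.
resource "aws_iam_openid_connect_provider" "github" {
  url             = "https://token.actions.githubusercontent.com"
  client_id_list  = ["sts.amazonaws.com"]
  thumbprint_list = [data.tls_certificate.github.certificates[0].sha1_fingerprint]
}

output "oidc_provider_arn" {
  value = aws_iam_openid_connect_provider.github.arn
}

# cicd: exactly which workflow runs may assume the role. Constructed policy: only
# the main branch or the "production" environment of each allowed repository.
locals {
  allowed_subjects = flatten([
    for repo in var.infra_repositories : [
      "repo:${repo}:ref:refs/heads/main",
      "repo:${repo}:environment:production",
    ]
  ])
}

data "aws_iam_policy_document" "infra_deploy_trust" {
  statement {
    actions = ["sts:AssumeRoleWithWebIdentity"]

    principals {
      type        = "Federated"
      identifiers = [aws_iam_openid_connect_provider.github.arn]
    }

    # Pin the audience; aws-actions/configure-aws-credentials requests sts.amazonaws.com.
    condition {
      test     = "StringEquals"
      variable = "token.actions.githubusercontent.com:aud"
      values   = ["sts.amazonaws.com"]
    }

    # Pin the subject. Without this condition any GitHub repository's workflow can
    # assume the role; a StringLike "repo:org/*" admits every repo in the org,
    # including pull_request runs (sub = repo:org/repo:pull_request).
    condition {
      test     = "StringEquals"
      variable = "token.actions.githubusercontent.com:sub"
      values   = local.allowed_subjects
    }
  }
}

resource "aws_iam_role" "infra_deploy" {
  name               = "${var.app_name}-infra-deploy"
  assume_role_policy = data.aws_iam_policy_document.infra_deploy_trust.json
}

output "role_arn" {
  value = aws_iam_role.infra_deploy.arn
}
```

A quick check after apply: `aws iam get-role --role-name <name> --query Role.AssumeRolePolicyDocument` should show both conditions; a trust policy with only the aud condition is the most common misconfiguration in this pattern.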
cicd_app_deploy
Location: modules/cicd_app_deploy/
Purpose
Creates IAM role for application deployment (ECR/ECS/CodeDeploy).
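The permission side of this role is where least privilege is easiest to lose: most of the actions listed under Allowed Actions accept resource ARNs, and iam:PassRole in particular must be pinned to the task and execution roles, or the deploy role can attach any role in the account to a task definition. The following is an added example of such a scoped policy, not the code of modules/cicd_app_deploy; var.env, var.aws_region, var.account_id, var.ecr_repository_arns, var.task_role_arns and var.app_deploy_role_name are assumed inputs, and the codedeploy:GetDeploymentConfig and codedeploy:RegisterApplicationRevision actions are added because CreateDeployment needs them in practice.

```hcl
# Added example, not the repository's modules/cicd_app_deploy code. Assumed inputs:
# var.app_name, var.env, var.aws_region, var.account_id, var.ecr_repository_arns,
# var.task_role_arns (ECS task + execution role ARNs) and var.app_deploy_role_name
# (the role whose trust policy is the GitHub OIDC one). milu2-app-env is from the page.

data "aws_iam_policy_document" "app_deploy" {
  # GetAuthorizationToken has no resource-level permissions; "*" is unavoidable here.
  statement {
    sid       = "EcrLogin"
    actions   = ["ecr:GetAuthorizationToken"]
    resources = ["*"]
  }

  # Push and pull limited to the application's repositories, not every repo in the account.
  statement {
    sid = "EcrPush"
    actions = [
      "ecr:BatchCheckLayerAvailability",
      "ecr:GetDownloadUrlForLayer",
      "ecr:BatchGetImage",
      "ecr:InitiateLayerUpload",
      "ecr:UploadLayerPart",
      "ecr:CompleteLayerUpload",
      "ecr:PutImage",
    ]
    resources = var.ecr_repository_arns
  }

  # RegisterTaskDefinition and DescribeTaskDefinition have no resource-level
  # permissions; DescribeServices can be pinned to the app's own services.
  statement {
    sid       = "EcsTaskDefs"
    actions   = ["ecs:RegisterTaskDefinition", "ecs:DescribeTaskDefinition"]
    resources = ["*"]
  }
  statement {
    sid       = "EcsServices"
    actions   = ["ecs:DescribeServices"]
    resources = ["arn:aws:ecs:${var.aws_region}:${var.account_id}:service/${var.app_name}-${var.env}-*/*"]
  }

  statement {
    sid = "CodeDeployBlueGreen"
    actions = [
      "codedeploy:CreateDeployment",
      "codedeploy:GetDeployment",
      "codedeploy:ContinueDeployment",
      "codedeploy:StopDeployment",
      "codedeploy:GetDeploymentConfig",       # needed by CreateDeployment
      "codedeploy:RegisterApplicationRevision", # needed by CreateDeployment
    ]
    resources = [
      "arn:aws:codedeploy:${var.aws_region}:${var.account_id}:application:${var.app_name}-${var.env}-*",
      "arn:aws:codedeploy:${var.aws_region}:${var.account_id}:deploymentgroup:${var.app_name}-${var.env}-*/*",
      "arn:aws:codedeploy:${var.aws_region}:${var.account_id}:deploymentconfig:*",
    ]
  }

  statement {
    sid       = "LambdaCode"
    actions   = ["lambda:UpdateFunctionCode"]
    resources = ["arn:aws:lambda:${var.aws_region}:${var.account_id}:function:${var.app_name}-${var.env}-*"]
  }

  statement {
    sid       = "AppEnv"
    actions   = ["s3:GetObject"]
    resources = ["arn:aws:s3:::milu2-app-env/*"]
  }

  # The privilege-escalation guard: an unscoped iam:PassRole would let this role
  # put any role in the account, admin roles included, into a task definition.
  statement {
    sid       = "PassTaskRoles"
    actions   = ["iam:PassRole"]
    resources = var.task_role_arns
    condition {
      test     = "StringEquals"
      variable = "iam:PassedToService"
      values   = ["ecs-tasks.amazonaws.com"]
    }
  }
}

resource "aws_iam_role_policy" "app_deploy" {
  name   = "${var.app_name}-${var.env}-app-deploy"
  role   = var.app_deploy_role_name
  policy = data.aws_iam_policy_document.app_deploy.json
}
```

The two "*" statements are the only ones that genuinely cannot be narrowed; everything else in the policy names the application's own resources by the ${app_name}-${env} prefix described under Resource Naming Convention.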
Allowed Actions
- ECR: GetAuthorizationToken, BatchCheckLayerAvailability, GetDownloadUrlForLayer, BatchGetImage, PutImage, etc.
- ECS: RegisterTaskDefinition, DescribeTaskDefinition, DescribeServices
- CodeDeploy: CreateDeployment, GetDeployment, ContinueDeployment, StopDeployment
- Lambda: UpdateFunctionCode
- S3: GetObject (milu2-app-env bucket)
- IAM: PassRole (task/execution roles)
Module Dependency Graph
```text
      github_provider
            │
            ├──────────────┐
            │              │
            ▼              ▼
          cicd       cicd_app_deploy
            │              │
            └──────┬───────┘
                   │
                   ▼
                 core
                   │
          ┌────────┼────────┐
          │        │        │
          ▼        ▼        ▼
      security  network  ... (12 sub-modules)
```
core
Location: modules/core/
Purpose
Main infrastructure composition module with 12 sub-modules.
Sub-Module List
security
Multi-region KMS keys + WAFv2
Files: kms.tf, waf.tf, log_group.tf
- KMS Tokyo + Virginia replica
- WAFv2 rate limit 600 req/60s/IP
- Managed rules: SQLi, PHP, Bot Control
network
VPC, subnets, security groups, endpoints
Files: vpc.tf, nat_gateway.tf, security_group.tf, endpoint.tf
- Public + Private + GA subnets
- 14 Security Groups
- 9 VPC Endpoints
- VPC Flow Logs
bastion
EC2 bastion host for RDS DDL bootstrap
Files: ec2.tf, keypair.tf
- t2.micro + EIP
- Auto-generated SSH key
- Temporary SG for DDL
lb
Internal ALB + NLB with blue/green target groups
Files: alb.tf, nlb.tf, acm.tf
- ALB HTTP:80 with X-Forwarded-App routing
- NLB for game nodes
- Blue/Green target groups
cdn
4 CloudFront distributions with VPC Origin
Files: cloudfront.tf, acm.tf
- web, admin, api, assets distributions
- VPC Origin to internal ALB
- Custom cache policy 7 days
storage
S3 buckets for media and logs
Files: s3.tf, iam.tf
- 5 media buckets (images/videos tmp/dest)
- Lifecycle rules (1d/3d/indefinite)
- KMS encryption
rds
Aurora MySQL 8.0 Serverless v2
Files: rds.tf, log_group.tf, iam.tf
- Writer + N readers
- Auto-pause 5 minutes
- DDL bootstrap via bastion
- Secrets Manager password
elasticache
ElastiCache Valkey 8.0 cluster mode
Files: elasticache.tf, log_group.tf
- Port 6380
- TLS + auth token
- KMS encryption
memorydb
MemoryDB Valkey 7.2 durable cache
Files: memorydb.tf
- Port 6380
- ACL user/password
- Multi-AZ durable
documentdb
DocumentDB 5.0 Serverless
Files: documentdb.tf, log_group.tf
- Port 27027
- TLS required
- Audit + profiler logs
global_accelerator
Custom Routing for UDP/TCP game traffic
Files: accelerator.tf
- Custom Routing accelerator
- 4 listener/endpoint groups
- AllowAllTraffic via local-exec
lambda
6 Lambda functions for media processing
Files: lambda_image.tf, lambda_cache.tf, lambda_ga.tf, lambda_scale.tf, ecr.tf, sqs.tf, sns.tf
- image-validator, video-validator
- cache-invalidator
- ga-port-mapping-resolver
- scale-node-service
app
ECS clusters, services, CodeDeploy
Files: ecs_fargate.tf, ecs_ec2.tf, ecr.tf, codedeploy.tf, service_discovery.tf
- Fargate cluster (api/web/admin/push)
- EC2 cluster (game nodes)
- 7 ECR repositories
- CodeDeploy Blue/Green
- App Auto Scaling
File Naming Conventions
| Pattern | Purpose | Example |
|---|---|---|
| _variables.tf | Input variables | core/_variables.tf |
| _outputs.tf | Output values | core/_outputs.tf |
| *.tf | Resource definitions | vpc.tf, rds.tf |
| provider.tf | Provider configuration | security/provider.tf |
| iam.tf | IAM resources | app/iam.tf |
| log_group.tf | CloudWatch log groups | rds/log_group.tf |
Resource Naming Convention
All resources follow pattern: ${app_name}-${env}-<resource>
Example: milu2-test-api-service
Core Module Inputs
| Variable | Type | Required | Description |
|---|---|---|---|
| common_vars | any | Yes | From common_vars.hcl |
| env_vars | any | Yes | From env_vars.hcl |
Core Module Outputs
| Output | Description |
|---|---|
| vpc_id | VPC ID |
| alb_dns_name | ALB DNS name |
| nlb_dns_name | NLB DNS name |
| cloudfront_*_domain | CloudFront domains |
| rds_writer_endpoint | Aurora writer endpoint |
| elasticache_endpoint | ElastiCache endpoint |
| memorydb_endpoint | MemoryDB endpoint |
| documentdb_endpoint | DocumentDB endpoint |
| bastion_public_ip | Bastion IP |
| bastion_private_key | Bastion SSH private key (marked sensitive, which only hides it from plan/apply output; it is still stored in plaintext in the Terraform state, so the state backend needs the same protection as the key) |