07. Module Reference Guide

Module reference guide for MILU2 Infrastructure.

Module Index

Module             Path                        Purpose
github_provider    modules/github_provider/    GitHub OIDC provider
cicd               modules/cicd/               Infra deploy role
cicd_app_deploy    modules/cicd_app_deploy/    App deploy role
core               modules/core/               Main infrastructure (12 sub-modules)

github_provider

Location: modules/github_provider/

Purpose

Creates AWS IAM OIDC provider for GitHub Actions authentication.

Inputs

Variable    Type     Description
app_name    string   Application name prefix

Outputs

Output              Description
oidc_provider_arn   ARN of OIDC provider

cicd

Location: modules/cicd/

Purpose

Creates IAM role for infrastructure deployment from GitHub Actions.

Inputs

Variable             Type           Description
app_name             string         Application name prefix
oidc_provider_arn    string         From github_provider
infra_repositories   list(string)   GitHub repos allowed to deploy

Outputs

Output     Description
role_arn   IAM role ARN for infra deploy
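The security-relevant part of the github_provider and cicd modules is the trust policy: an OIDC provider on its own trusts every GitHub Actions workflow on github.com, and it is the role's `sub` and `aud` conditions that confine it to the repositories in `infra_repositories`. The configuration below is an added example, not the project's own module code; it folds both modules into one stand-alone root for readability. Variable names app_name and infra_repositories come from the reference above; `allowed_ref` is an assumed extra input, the role name is an assumed instance of the naming convention, and the thumbprint is a placeholder.

```hcl
# Added example (not the project's module code): GitHub OIDC provider plus an
# infra deploy role whose trust policy is pinned to specific repos and a ref.
terraform {
  required_providers {
    aws = { source = "hashicorp/aws", version = ">= 5.0" }
  }
}

variable "app_name" {
  type = string
}

variable "infra_repositories" {
  type        = list(string)
  description = "GitHub repos allowed to deploy, as \"owner/name\""
}

# Assumed input: the branch a deploy workflow must run on.
variable "allowed_ref" {
  type    = string
  default = "refs/heads/main"
}

# github_provider: one OIDC provider per account for GitHub Actions.
resource "aws_iam_openid_connect_provider" "github" {
  url            = "https://token.actions.githubusercontent.com"
  client_id_list = ["sts.amazonaws.com"]
  # Placeholder value: replace with the current GitHub OIDC CA thumbprint.
  thumbprint_list = ["0000000000000000000000000000000000000000"]
}

# cicd: trust policy. Both conditions matter. Without "aud" a token minted
# for another audience is accepted; without "sub" any GitHub repository on
# github.com can assume this role through the same provider.
data "aws_iam_policy_document" "infra_deploy_trust" {
  statement {
    actions = ["sts:AssumeRoleWithWebIdentity"]

    principals {
      type        = "Federated"
      identifiers = [aws_iam_openid_connect_provider.github.arn]
    }

    condition {
      test     = "StringEquals"
      variable = "token.actions.githubusercontent.com:aud"
      values   = ["sts.amazonaws.com"]
    }

    # Exact match on repo + ref. A StringLike on "repo:owner/name:*" would
    # also admit pull_request workflows and every feature branch.
    condition {
      test     = "StringEquals"
      variable = "token.actions.githubusercontent.com:sub"
      values   = [for repo in var.infra_repositories : "repo:${repo}:ref:${var.allowed_ref}"]
    }
  }
}

resource "aws_iam_role" "infra_deploy" {
  name                 = "${var.app_name}-infra-deploy" # assumed name
  assume_role_policy   = data.aws_iam_policy_document.infra_deploy_trust.json
  max_session_duration = 3600
}

output "oidc_provider_arn" {
  value = aws_iam_openid_connect_provider.github.arn
}

output "role_arn" {
  value = aws_iam_role.infra_deploy.arn
}
```

A useful check after apply is to read the role's trust policy back with `aws iam get-role` and confirm that every entry under the `sub` condition names a repository you own; a wildcard there is the finding to look for in review.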

cicd_app_deploy

Location: modules/cicd_app_deploy/

Purpose

Creates IAM role for application deployment (ECR/ECS/CodeDeploy).

Allowed Actions

ECR:        GetAuthorizationToken, BatchCheckLayerAvailability,
            GetDownloadUrlForLayer, BatchGetImage, PutImage, etc.
ECS:        RegisterTaskDefinition, DescribeTaskDefinition,
            DescribeServices
CodeDeploy: CreateDeployment, GetDeployment, ContinueDeployment,
            StopDeployment
Lambda:     UpdateFunctionCode
S3:         GetObject (milu2-app-env bucket)
IAM:        PassRole (task/execution roles)
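The list above is the allow-list; what makes it safe in practice is how each action is scoped, and `iam:PassRole` is the one that most needs a tight scope, because an unrestricted PassRole lets the deploy role hand any role in the account to a task definition it registers. The policy document below is an added example, not the project's cicd_app_deploy module. It uses the actions listed above (the ECR layer-upload actions are an assumed expansion of "etc."), the `milu2-app-env` bucket named above, and the `${app_name}-${env}-<resource>` naming convention from this guide; the `env` and `ecs_passable_role_arns` inputs and the ARN patterns are assumptions.

```hcl
# Added example (not the project's cicd_app_deploy code): a permissions policy
# for the app deploy role, scoped to the naming prefix where the service
# supports resource-level permissions.
variable "app_name" { type = string }
variable "env"      { type = string }

# Assumed input: ECS task and execution role ARNs created by the core module.
variable "ecs_passable_role_arns" { type = list(string) }

data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

locals {
  prefix = "${var.app_name}-${var.env}"
  arn_base = "${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}"
}

data "aws_iam_policy_document" "app_deploy" {
  # GetAuthorizationToken is account-wide by design; pushes are not.
  statement {
    sid       = "EcrLogin"
    actions   = ["ecr:GetAuthorizationToken"]
    resources = ["*"]
  }

  statement {
    sid = "EcrPush"
    actions = [
      "ecr:BatchCheckLayerAvailability", "ecr:GetDownloadUrlForLayer",
      "ecr:BatchGetImage", "ecr:InitiateLayerUpload", "ecr:UploadLayerPart",
      "ecr:CompleteLayerUpload", "ecr:PutImage",
    ]
    resources = ["arn:aws:ecr:${local.arn_base}:repository/${local.prefix}-*"]
  }

  # RegisterTaskDefinition cannot be resource-scoped; the PassRole statement
  # below is what limits which roles a registered task can run as.
  statement {
    sid       = "EcsTaskDefinitions"
    actions   = ["ecs:RegisterTaskDefinition", "ecs:DescribeTaskDefinition"]
    resources = ["*"]
  }

  statement {
    sid       = "EcsServices"
    actions   = ["ecs:DescribeServices"]
    resources = ["arn:aws:ecs:${local.arn_base}:service/${local.prefix}-*/*"]
  }

  statement {
    sid = "CodeDeploy"
    actions = [
      "codedeploy:CreateDeployment", "codedeploy:GetDeployment",
      "codedeploy:ContinueDeployment", "codedeploy:StopDeployment",
    ]
    resources = [
      "arn:aws:codedeploy:${local.arn_base}:application:${local.prefix}-*",
      "arn:aws:codedeploy:${local.arn_base}:deploymentgroup:${local.prefix}-*/*",
    ]
  }

  statement {
    sid       = "LambdaCode"
    actions   = ["lambda:UpdateFunctionCode"]
    resources = ["arn:aws:lambda:${local.arn_base}:function:${local.prefix}-*"]
  }

  statement {
    sid       = "AppEnv"
    actions   = ["s3:GetObject"]
    resources = ["arn:aws:s3:::milu2-app-env/*"]
  }

  # PassRole: only the task/execution roles, and only to ECS. Without the
  # iam:PassedToService condition the same grant would let these roles be
  # attached to any service that accepts a passed role.
  statement {
    sid       = "PassTaskRoles"
    actions   = ["iam:PassRole"]
    resources = var.ecs_passable_role_arns

    condition {
      test     = "StringEquals"
      variable = "iam:PassedToService"
      values   = ["ecs-tasks.amazonaws.com"]
    }
  }
}

resource "aws_iam_policy" "app_deploy" {
  name   = "${local.prefix}-app-deploy"
  policy = data.aws_iam_policy_document.app_deploy.json
}
```

When reviewing a generated policy of this shape, the two things to verify are that no `Resource: "*"` statement carries a write action other than the ones the service forces (here `ecr:GetAuthorizationToken` and `ecs:RegisterTaskDefinition`), and that every PassRole grant names explicit role ARNs together with a `PassedToService` condition.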

Module Dependency Graph

github_provider
      │
      ├──────────────┐
      │              │
      ▼              ▼
    cicd      cicd_app_deploy
      │              │
      └──────┬───────┘
             │
             ▼
           core
             │
    ┌────────┼────────┐
    │        │        │
    ▼        ▼        ▼
security  network   ... (12 sub-modules)

core

Location: modules/core/

Purpose

Main infrastructure composition module with 12 sub-modules.

Sub-Module List

🔐 security

Multi-region KMS keys + WAFv2

Files: kms.tf, waf.tf, log_group.tf
Features:
  • KMS Tokyo + Virginia replica
  • WAFv2 rate limit 600 req/60s/IP
  • Managed rules: SQLi, PHP, Bot Control

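The WAF features listed for the security sub-module map onto a single `aws_wafv2_web_acl` with one rate-based rule and three managed rule groups. The block below is an added example, not the project's waf.tf: the rate limit (600 requests per 60 seconds per IP) and the rule group names are the ones stated above, the name prefix follows this guide's `${app_name}-${env}` convention, and the `alb_arn` input, the REGIONAL scope and the association to the internal ALB are assumptions. `evaluation_window_sec` needs a recent 5.x AWS provider.

```hcl
# Added example (not the project's waf.tf): WAFv2 web ACL with a per-IP rate
# limit and the SQLi, PHP and Bot Control managed rule groups.
variable "app_name" { type = string }
variable "env"      { type = string }

# Assumed input: the internal ALB the ACL is attached to.
variable "alb_arn" { type = string }

locals {
  prefix = "${var.app_name}-${var.env}"

  # Evaluated in this order after the rate limit. Bot Control is last because
  # it is the most expensive per request.
  managed_rule_groups = [
    "AWSManagedRulesSQLiRuleSet",
    "AWSManagedRulesPHPRuleSet",
    "AWSManagedRulesBotControlRuleSet",
  ]
}

resource "aws_wafv2_web_acl" "this" {
  name  = "${local.prefix}-waf"
  scope = "REGIONAL" # use CLOUDFRONT (created in us-east-1) for a distribution

  default_action {
    allow {}
  }

  # 600 requests per 60 s from one source IP; requests above the limit are
  # blocked until the rate drops back under it.
  rule {
    name     = "${local.prefix}-rate-limit"
    priority = 0

    action {
      block {}
    }

    statement {
      rate_based_statement {
        limit                 = 600
        evaluation_window_sec = 60
        aggregate_key_type    = "IP"
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "${local.prefix}-rate-limit"
      sampled_requests_enabled   = true
    }
  }

  dynamic "rule" {
    for_each = { for i, g in local.managed_rule_groups : g => i + 1 }
    content {
      name     = rule.key
      priority = rule.value

      # "none" keeps the group's own block actions; "count" would only log.
      override_action {
        none {}
      }

      statement {
        managed_rule_group_statement {
          name        = rule.key
          vendor_name = "AWS"
        }
      }

      visibility_config {
        cloudwatch_metrics_enabled = true
        metric_name                = rule.key
        sampled_requests_enabled   = true
      }
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "${local.prefix}-waf"
    sampled_requests_enabled   = true
  }
}

resource "aws_wafv2_web_acl_association" "alb" {
  resource_arn = var.alb_arn
  web_acl_arn  = aws_wafv2_web_acl.this.arn
}
```

With sampled requests and metrics enabled, each rule gets its own CloudWatch metric, so a spike in `${prefix}-rate-limit` blocks is visible separately from managed-rule matches; rolling a new managed group out with `override_action { count {} }` first is the usual way to check for false positives before it blocks.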
🌐 network

VPC, subnets, security groups, endpoints

Files: vpc.tf, nat_gateway.tf, security_group.tf, endpoint.tf
Features:
  • Public + Private + GA subnets
  • 14 Security Groups
  • 9 VPC Endpoints
  • VPC Flow Logs

🖥️ bastion

EC2 bastion host for RDS DDL bootstrap

Files: ec2.tf, keypair.tf
Features:
  • t2.micro + EIP
  • Auto-generated SSH key
  • Temporary SG for DDL

⚖️ lb

Internal ALB + NLB with blue/green target groups

Files: alb.tf, nlb.tf, acm.tf
Features:
  • ALB HTTP:80 with X-Forwarded-App routing
  • NLB for game nodes
  • Blue/Green target groups

🌍 cdn

4 CloudFront distributions with VPC Origin

Files: cloudfront.tf, acm.tf
Features:
  • web, admin, api, assets distributions
  • VPC Origin to internal ALB
  • Custom cache policy 7 days

📦 storage

S3 buckets for media and logs

Files: s3.tf, iam.tf
Features:
  • 5 media buckets (images/videos tmp/dest)
  • Lifecycle rules (1d/3d/indefinite)
  • KMS encryption

🗄️ rds

Aurora MySQL 8.0 Serverless v2

Files: rds.tf, log_group.tf, iam.tf
Features:
  • Writer + N readers
  • Auto-pause 5 minutes
  • DDL bootstrap via bastion
  • Secrets Manager password

elasticache

ElastiCache Valkey 8.0 cluster mode

Files: elasticache.tf, log_group.tf
Features:
  • Port 6380
  • TLS + auth token
  • KMS encryption

💾 memorydb

MemoryDB Valkey 7.2 durable cache

Files: memorydb.tf
Features:
  • Port 6380
  • ACL user/password
  • Multi-AZ durable

📄 documentdb

DocumentDB 5.0 Serverless

Files: documentdb.tf, log_group.tf
Features:
  • Port 27027
  • TLS required
  • Audit + profiler logs

🚀 global_accelerator

Custom Routing for UDP/TCP game traffic

Files: accelerator.tf
Features:
  • Custom Routing accelerator
  • 4 listener/endpoint groups
  • AllowAllTraffic via local-exec

λ lambda

6 Lambda functions for media processing

Files: lambda_image.tf, lambda_cache.tf, lambda_ga.tf, lambda_scale.tf, ecr.tf, sqs.tf, sns.tf
Features:
  • image-validator, video-validator
  • cache-invalidator
  • ga-port-mapping-resolver
  • scale-node-service

📱 app

ECS clusters, services, CodeDeploy

Files: ecs_fargate.tf, ecs_ec2.tf, ecr.tf, codedeploy.tf, service_discovery.tf
Features:
  • Fargate cluster (api/web/admin/push)
  • EC2 cluster (game nodes)
  • 7 ECR repositories
  • CodeDeploy Blue/Green
  • App Auto Scaling

File Naming Conventions

Pattern         Purpose                  Example
_variables.tf   Input variables          core/_variables.tf
_outputs.tf     Output values            core/_outputs.tf
*.tf            Resource definitions     vpc.tf, rds.tf
provider.tf     Provider configuration   security/provider.tf
iam.tf          IAM resources            app/iam.tf
log_group.tf    CloudWatch log groups    rds/log_group.tf

Resource Naming Convention

All resources follow the pattern: ${app_name}-${env}-<resource>

Example: milu2-test-api-service

Core Module Inputs

Variable      Type   Required   Description
common_vars   any    Yes        From common_vars.hcl
env_vars      any    Yes        From env_vars.hcl

Core Module Outputs

Output                 Description
vpc_id                 VPC ID
alb_dns_name           ALB DNS name
nlb_dns_name           NLB DNS name
cloudfront_*_domain    CloudFront domains
rds_writer_endpoint    Aurora writer endpoint
elasticache_endpoint   ElastiCache endpoint
memorydb_endpoint      MemoryDB endpoint
documentdb_endpoint    DocumentDB endpoint
bastion_public_ip      Bastion IP
bastion_private_key    SSH key (sensitive)