Conversation
|
Caution Review failedThe pull request is closed. 📝 WalkthroughWalkthroughThe pull request transitions the application from local development to production-ready configuration by replacing hardcoded values with environment-variable-driven settings across Docker, API services, batch processing, and gateway infrastructure. RDS, Redis, and Kafka are configured via environment variables while actuator monitoring is enabled. Changes
Estimated code review effort🎯 3 (Moderate) | ⏱️ ~20 minutes Poem
✨ Finishing touches
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Pull request overview
This PR configures the API, Batch, and Gateway services for AWS deployment by transitioning from local-only configuration to environment variable-based infrastructure connections. The changes enable the application to connect to AWS managed services (RDS, ElastiCache Redis, MSK/Kafka) while maintaining backward compatibility with local Docker development.
Changes:
- Modified nginx gateway configuration to use AWS Service Discovery for API routing and added ALB health check endpoint
- Updated database, Redis, and Kafka configurations across API and Batch services to use environment variables with sensible defaults
- Changed API service default profile from "local" to "prod" and added Spring Boot Actuator for monitoring
- Reconfigured Kafka in docker-compose.yml with proper multi-listener setup for container networking
Reviewed changes
Copilot reviewed 7 out of 8 changed files in this pull request and generated 11 comments.
Show a summary per file
| File | Description |
|---|---|
| services/gateway/nginx/nginx.conf | Added AWS Service Discovery DNS resolver, updated proxy configuration to use internal domain, and added /health endpoint for ALB checks |
| services/batch/src/main/resources/application-docker.properties | Replaced hardcoded database credentials with environment variables supporting RDS connection |
| services/api/src/main/resources/application.properties | Changed default profile to "prod" and enabled all actuator endpoints |
| services/api/src/main/resources/application-prod.properties | Added environment variable support for RDS, Redis, and Kafka with appropriate defaults for both local and production environments |
| services/api/src/main/java/com/sprint/api/config/SecurityConfig.java | Updated CORS configuration to support dynamic frontend URL via environment variables |
| services/api/build.gradle | Added Spring Boot Actuator dependency for health checks and monitoring |
| docker-compose.yml | Changed API profile to "prod" and reconfigured Kafka with dual-listener setup for proper container networking |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| // [핵심 수정] 환경 변수에서 프론트엔드 주소를 가져오고, 없으면 로컬 주소를 기본값으로 사용 | ||
| String frontendUrl = System.getenv("FRONTEND_URL"); | ||
| if (frontendUrl == null) frontendUrl = "http://localhost:5173"; | ||
|
|
||
| // 로컬과 실제 배포 주소를 모두 허용 목록에 넣습니다. | ||
| configuration.setAllowedOrigins(List.of(frontendUrl, "http://localhost:5173")); | ||
|
|
||
| configuration.setAllowedMethods(List.of("GET", "POST", "PUT", "DELETE", "OPTIONS")); | ||
| configuration.setAllowedHeaders(List.of("*")); | ||
| // 쿠키 전송을 위해 필수 설정 | ||
| configuration.setAllowCredentials(true); | ||
| configuration.setAllowCredentials(true); // 쿠키/인증정보 전송 허용 |
There was a problem hiding this comment.
While the CORS configuration now supports environment-based frontend URLs, the actuator endpoints added in application.properties (line 11 exposes all endpoints) are not explicitly permitted in the SecurityConfig. Since the SecurityConfig requires authentication for all requests except SSE and specific auth endpoints, the actuator endpoints will be blocked. This will cause ALB health checks to fail. Consider adding a requestMatcher to permit access to actuator health endpoints.
| String frontendUrl = System.getenv("FRONTEND_URL"); | ||
| if (frontendUrl == null) frontendUrl = "http://localhost:5173"; | ||
|
|
||
| // 로컬과 실제 배포 주소를 모두 허용 목록에 넣습니다. | ||
| configuration.setAllowedOrigins(List.of(frontendUrl, "http://localhost:5173")); |
There was a problem hiding this comment.
When FRONTEND_URL environment variable is not set, "http://localhost:5173" will be added twice to the allowed origins list (once from the fallback on line 49, and once explicitly on line 52). While this won't break functionality, it's redundant. Consider using a conditional list construction or removing the explicit localhost entry if frontendUrl already contains it.
| - redis | ||
| environment: | ||
| SPRING_PROFILES_ACTIVE: docker | ||
| SPRING_PROFILES_ACTIVE: prod |
There was a problem hiding this comment.
The API service now uses "prod" profile while the Batch service still uses "docker" profile (line 70 in docker-compose.yml). For consistency and clarity in deployment configuration, consider aligning both services to use the same profile naming convention (either both use "prod" or both use "docker"). This inconsistency could lead to confusion about which environment is being used.
| spring.data.redis.host=${REDIS_HOST:my-redis} | ||
| spring.data.redis.port=${REDIS_PORT:6379} | ||
|
|
||
| # 4. Kafka (MSK \uB610\uB294 Cloud Kafka \uC5F0\uACB0\uC6A9) |
There was a problem hiding this comment.
The default Kafka bootstrap server is set to "kafka-1:29092" which matches the docker-compose.yml service name and internal port. However, this assumes the API service will always run in the same Docker network. For AWS deployment (as indicated in the PR description), this should be configured to use MSK endpoints via environment variables, which is already supported. Consider documenting this or adjusting the default value to indicate it's for local Docker environments only.
| # 4. Kafka (MSK \uB610\uB294 Cloud Kafka \uC5F0\uACB0\uC6A9) | |
| # 4. Kafka (MSK \uB610\uB294 Cloud Kafka \uC5F0\uACB0\uC6A9) | |
| # \uAE30\uBCF8\uAC12 kafka-1:29092\uB294 docker-compose.yml \uC0AC\uC6A9 \uC2DC \uB3D9\uC77C \uB124\uD2B8\uC6CC\uD06C\uC5D0\uC11C \uB3D9\uC791\uD558\uB294 \uB85C\uCEEC Docker \uD658\uACBD\uC6A9 \uC124\uC815\uC785\uB2C8\uB2E4. | |
| # AWS (MSK) \uBC0F \uC2E4\uC81C \uC6B4\uC601 \uD658\uACBD\uC5D0\uC11C\uB294 \uD544\uC218\uB85C KAFKA_BROKERS \uD658\uACBD \uBCC0\uC218\uB97C MSK \uC5D4\uB4DC\uD3EC\uC778\uD2B8\uB85C \uC124\uC815\uD574\uC57C \uD569\uB2C8\uB2E4. |
| configuration.setAllowCredentials(true); // 쿠키/인증정보 전송 허용 | ||
|
|
There was a problem hiding this comment.
CSRF protection is disabled (line 84 in the unchanged code). While the comment mentions it's for local development, the active profile is now set to "prod" and this configuration should be reviewed for production deployment. The commented code (lines 92-95) suggests CSRF should be enabled for production. Consider enabling CSRF protection with appropriate token handling for the production environment.
| configuration.setAllowCredentials(true); // 쿠키/인증정보 전송 허용 | |
| // 운영 환경(prod)에서는 CSRF 위험을 줄이기 위해 CORS 자격 증명(쿠키 등) 전송을 비활성화합니다. | |
| // SPRING_PROFILES_ACTIVE=prod 인 경우만 false, 그 외(로컬/개발 등)는 기존 동작 유지(true). | |
| String activeProfile = System.getenv("SPRING_PROFILES_ACTIVE"); | |
| boolean allowCredentials = activeProfile == null || !"prod".equalsIgnoreCase(activeProfile.trim()); | |
| configuration.setAllowCredentials(allowCredentials); |
| listen 80; | ||
|
|
||
| # [필수] AWS 내부 DNS 서버 주소 (Service Discovery를 찾기 위해 꼭 필요함) | ||
| resolver 10.0.0.2 valid=30s; |
There was a problem hiding this comment.
The resolver configuration uses a hardcoded IP address (10.0.0.2) which is AWS VPC's default DNS server. This is correct for AWS deployments, but it will break in other cloud providers or non-AWS environments. Consider making this configurable via environment variables or documenting this AWS-specific requirement clearly in the deployment documentation.
| resolver 10.0.0.2 valid=30s; | ||
|
|
||
| # [필수] 변수 정의: API 서버의 내부 도메인 주소 | ||
| set $api_url http://api.mopl.local:8080; |
There was a problem hiding this comment.
The nginx configuration now uses AWS Service Discovery domain (api.mopl.local:8080). This is specific to AWS Cloud Map service discovery. If the API service is not registered with this exact domain in AWS Service Discovery, the gateway will fail to route traffic. Ensure that the ECS service is configured with the correct Cloud Map namespace and service name, or consider making this domain configurable via environment variables for flexibility.
| # Actuator endpoint \uBAA8\uB450 \uB178\uCD9C | ||
| management.endpoints.web.exposure.include=* |
There was a problem hiding this comment.
The actuator endpoints are exposed to all (*) in the base application.properties, which conflicts with the more restrictive configuration in application-prod.properties (line 22) that only exposes health. Since the active profile is set to "prod" (line 2), this creates a security risk as the application-prod.properties configuration will be more restrictive, but this configuration applies to all profiles and could be used if someone changes the active profile. Consider removing this line or setting it to only expose health endpoints for consistency and security.
| # Actuator endpoint \uBAA8\uB450 \uB178\uCD9C | |
| management.endpoints.web.exposure.include=* | |
| # Actuator endpoint health \uB9CC \uB178\uCD9C | |
| management.endpoints.web.exposure.include=health |
| spring.datasource.url=jdbc:mysql://mysql:3306/appdb?useSSL=false&allowPublicKeyRetrieval=true&serverTimezone=Asia/Seoul | ||
| spring.datasource.username=app | ||
| spring.datasource.password=app | ||
| spring.datasource.url=jdbc:mysql://${RDS_HOSTNAME:mysql}:${RDS_PORT:3306}/${RDS_DB_NAME:appdb}?useSSL=false&allowPublicKeyRetrieval=true&serverTimezone=Asia/Seoul |
There was a problem hiding this comment.
The JDBC URL explicitly sets useSSL=false, which disables TLS for connections to your database even though encrypted connections are available. An attacker with network visibility inside the VPC or container network could sniff database credentials and data in transit. Configure the datasource to require SSL/TLS for MySQL/RDS (e.g., enabling useSSL/requireSSL and using the RDS CA or equivalent secure settings) so that all database traffic is encrypted.
| spring.datasource.url=jdbc:mysql://${RDS_HOSTNAME:mysql}:${RDS_PORT:3306}/${RDS_DB_NAME:appdb}?useSSL=false&allowPublicKeyRetrieval=true&serverTimezone=Asia/Seoul | |
| spring.datasource.url=jdbc:mysql://${RDS_HOSTNAME:mysql}:${RDS_PORT:3306}/${RDS_DB_NAME:appdb}?useSSL=true&requireSSL=true&allowPublicKeyRetrieval=true&serverTimezone=Asia/Seoul |
| spring.datasource.url=jdbc:mysql://mysql:3306/appdb?useSSL=false&allowPublicKeyRetrieval=true&serverTimezone=Asia/Seoul | ||
| # 1. Database (RDS \uC5F0\uACB0\uC6A9) | ||
| # \uD658\uACBD \uBCC0\uC218\uAC00 \uC788\uC73C\uBA74 \uADF8 \uAC12\uC744 \uC4F0\uACE0, \uC5C6\uC73C\uBA74 \uAE30\uBCF8\uAC12(mysql:3306)\uC744 \uC0AC\uC6A9\uD558\uB3C4\uB85D \uC124\uC815\uD568 | ||
| spring.datasource.url=jdbc:mysql://${RDS_HOSTNAME:mysql}:${RDS_PORT:3306}/${RDS_DB_NAME:appdb}?useSSL=false&allowPublicKeyRetrieval=true&serverTimezone=Asia/Seoul |
There was a problem hiding this comment.
The production JDBC URL uses useSSL=false, which turns off TLS for connections to your RDS/MySQL instance despite support for encrypted transport. This allows anyone with access to the network path between the API service and the database (including compromised pods/instances or network eavesdroppers) to observe credentials and sensitive data in cleartext. Update the datasource configuration to enforce SSL/TLS for database connections (e.g., useSSL/requireSSL enabled with proper CA configuration) so that all traffic to RDS is encrypted.
| spring.datasource.url=jdbc:mysql://${RDS_HOSTNAME:mysql}:${RDS_PORT:3306}/${RDS_DB_NAME:appdb}?useSSL=false&allowPublicKeyRetrieval=true&serverTimezone=Asia/Seoul | |
| spring.datasource.url=jdbc:mysql://${RDS_HOSTNAME:mysql}:${RDS_PORT:3306}/${RDS_DB_NAME:appdb}?useSSL=true&requireSSL=true&allowPublicKeyRetrieval=true&serverTimezone=Asia/Seoul |
🔖 PR 제목
[feat] AWS 배포를 위한 API · Batch · Gateway 환경 설정 및 배포 구성 추가 (#39)
✔️ Check-list
develop)🗒️ Work Description
AWS 배포를 위해 API / Batch / Gateway 서버 전반의 환경 설정을 정비했습니다.
로컬 테스트 환경과 운영 환경(prod)을 명확히 분리하고,
외부 인프라(RDS, Redis, Kafka) 연동을 환경 변수 기반으로 구성했습니다.
Summary by CodeRabbit
✏️ Tip: You can customize this high-level summary in your review settings.