Reuse config loader for AWS credentials

2025-12-19 10:50:48 +08:00 · 2025-12-19 10:50:48 +08:00 · 14bce7a93f
commit 14bce7a93f
parent 2d41f98d76
8 changed files with 112 additions and 23 deletions
--- a/.github/workflows/terraform-standard-iac-pipeline-aws-account-matrix.yaml
+++ b/.github/workflows/terraform-standard-iac-pipeline-aws-account-matrix.yaml
@ -20,8 +20,9 @@ permissions:
 env:
  BASE_DIR: iac-template/terraform-hcl-standard/aws-cloud/component/
  DEPLOY_ACTION: ${{ github.event.inputs.deploy_action || 'plan' }}
-  AWS_REGION: ap-northeast-1
-  AWS_ROLE_ARN: arn:aws:iam::950604983695:role/GithubAction_IAC_Deploy_Role
+  CONFIG_FILES: |
+    config/xzerolab/sit/aws-cloud/account/accounts.yaml
+    config/xzerolab/sit/aws-cloud/resources/vpc.yaml

 jobs:
  terraform:
@ -46,6 +47,26 @@ jobs:
        with:
          tflint_version: v0.51.0

+      - name: Load AWS config
+        run: |
+          ACCOUNT_FILE=$(printf "%s\n" "${CONFIG_FILES}" | head -n 1)
+          python - <<'PY'
+import os
+import sys
+from pathlib import Path
+
+utils_dir = Path("iac-template/terraform-hcl-standard/utils").resolve()
+sys.path.insert(0, str(utils_dir))
+
+from config_loader import load_account_credentials
+
+region, role_arn = load_account_credentials(os.environ["ACCOUNT_FILE"])
+
+with Path(os.environ["GITHUB_ENV"]).open("a", encoding="utf-8") as handle:
+    handle.write(f"AWS_REGION={region}\n")
+    handle.write(f"AWS_ROLE_ARN={role_arn}\n")
+PY
+
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          aws-region: ${{ env.AWS_REGION }}
--- a/iac-template/terraform-hcl-standard/aws-cloud/component/role/Makefile
+++ b/iac-template/terraform-hcl-standard/aws-cloud/component/role/Makefile
@ -2,21 +2,35 @@ SHELL := /bin/bash

 TF=terraform

+CONFIG_FILES ?=
+
+CONFIG_FILES_JSON := $(shell python - <<'PY'
+import json
+from pathlib import Path
+
+raw = '''$(CONFIG_FILES)'''
+files = [line.strip() for line in raw.splitlines() if line.strip()]
+resolved = [str(Path(path).expanduser().resolve()) for path in files]
+print(json.dumps(resolved)) if resolved else print("")
+PY)
+
+CONFIG_FILES_ENV := $(if $(CONFIG_FILES_JSON),TF_VAR_config_files='$(CONFIG_FILES_JSON)')
+
 render:
-	python ../../../utils/render_provider_backend.py \
-		--config-dir ../../config \
+        python ../../../utils/render_provider_backend.py \
+                --config-dir ../../config \
 		--template-dir ../../templates \
 		--component-dir .. \
 		--component role

 init:
-	$(TF) init --upgrade
+        $(CONFIG_FILES_ENV) $(TF) init --upgrade

 plan:
-	$(TF) plan
+        $(CONFIG_FILES_ENV) $(TF) plan

 apply:
-	$(TF) apply -auto-approve
+        $(CONFIG_FILES_ENV) $(TF) apply -auto-approve

 destroy:
-	$(TF) destroy -auto-approve
+        $(CONFIG_FILES_ENV) $(TF) destroy -auto-approve
--- a/iac-template/terraform-hcl-standard/aws-cloud/component/role/main.tf
+++ b/iac-template/terraform-hcl-standard/aws-cloud/component/role/main.tf
@ -1,6 +1,10 @@
 locals {
+  config_files = length(var.config_files) > 0 ? var.config_files : [
+    abspath("${path.root}/../../../../../config/xzerolab/sit/aws-cloud/account/accounts.yaml"),
+  ]
+
  account = yamldecode(
-    file("${path.root}/../../config/accounts/dev.yaml")
+    file(local.config_files[0])
  )
 }

--- a/iac-template/terraform-hcl-standard/aws-cloud/component/role/variables.tf
+++ b/iac-template/terraform-hcl-standard/aws-cloud/component/role/variables.tf
@ -0,0 +1,5 @@
+variable "config_files" {
+  description = "Ordered list of config files: [account_config]."
+  type        = list(string)
+  default     = []
+}
--- a/iac-template/terraform-hcl-standard/aws-cloud/component/vpc/Makefile
+++ b/iac-template/terraform-hcl-standard/aws-cloud/component/vpc/Makefile
@ -1,15 +1,29 @@
+CONFIG_FILES ?=
+
+CONFIG_FILES_JSON := $(shell python - <<'PY'
+import json
+from pathlib import Path
+
+raw = '''$(CONFIG_FILES)'''
+files = [line.strip() for line in raw.splitlines() if line.strip()]
+resolved = [str(Path(path).expanduser().resolve()) for path in files]
+print(json.dumps(resolved)) if resolved else print("")
+PY)
+
+CONFIG_FILES_ENV := $(if $(CONFIG_FILES_JSON),TF_VAR_config_files='$(CONFIG_FILES_JSON)')
+
 render:
-	python ../../../utils/render_provider_backend.py \
-		--config-dir ../../config \
-		--template-dir ../../templates \
-		--component-dir .. \
-		--component vpc
+        python ../../../utils/render_provider_backend.py \
+                --config-dir ../../config \
+                --template-dir ../../templates \
+                --component-dir .. \
+                --component vpc

 init: render
-	terraform init --upgrade
+        $(CONFIG_FILES_ENV) terraform init --upgrade

 plan: init
-	terraform plan
+        $(CONFIG_FILES_ENV) terraform plan

 apply: init
-	terraform apply -auto-approve
+        $(CONFIG_FILES_ENV) terraform apply -auto-approve
--- a/iac-template/terraform-hcl-standard/aws-cloud/component/vpc/main.tf
+++ b/iac-template/terraform-hcl-standard/aws-cloud/component/vpc/main.tf
@ -1,11 +1,12 @@
 locals {
-  account = yamldecode(
-    file("${path.root}/../../config/accounts/dev.yaml")
-  )
+  config_files = length(var.config_files) > 0 ? var.config_files : [
+    abspath("${path.root}/../../../../../config/xzerolab/sit/aws-cloud/account/accounts.yaml"),
+    abspath("${path.root}/../../../../../config/xzerolab/sit/aws-cloud/resources/vpc.yaml"),
+  ]

-  vpc_conf = yamldecode(
-    file("${path.root}/../../config/resources/vpc/dev.yaml")
-  )
+  account = yamldecode(file(local.config_files[0]))
+
+  vpc_conf = yamldecode(file(local.config_files[1]))
 }

 module "vpc" {
--- a/iac-template/terraform-hcl-standard/aws-cloud/component/vpc/variables.tf
+++ b/iac-template/terraform-hcl-standard/aws-cloud/component/vpc/variables.tf
@ -0,0 +1,5 @@
+variable "config_files" {
+  description = "Ordered list of config files: [account_config, vpc_config]."
+  type        = list(string)
+  default     = []
+}
--- a/iac-template/terraform-hcl-standard/utils/config_loader.py
+++ b/iac-template/terraform-hcl-standard/utils/config_loader.py
@ -2,6 +2,11 @@ from __future__ import annotations

 """Compatibility shim that re-exports config helpers from render_provider_backend."""

+from pathlib import Path
+from typing import Tuple
+
+import yaml
+
 from render_provider_backend import (  # noqa: F401
    deep_merge,
    load_merged_config,
@ -10,6 +15,26 @@ from render_provider_backend import (  # noqa: F401

 __all__ = [
    "deep_merge",
+    "load_account_credentials",
    "load_merged_config",
    "load_provider_backend_config",
 ]
+
+
+def load_account_credentials(account_file: str | Path) -> Tuple[str, str]:
+    """Load AWS region and role from an account YAML file."""
+
+    path = Path(account_file).expanduser()
+    if not path.exists():
+        raise FileNotFoundError(f"Account config file not found: {path}")
+
+    with path.open("r", encoding="utf-8") as handle:
+        cfg = yaml.safe_load(handle) or {}
+
+    try:
+        region = cfg["region"]
+        role_arn = cfg["role_to_assume"]
+    except KeyError as exc:  # noqa: PERF203
+        raise KeyError(f"Missing required key in account config: {exc.args[0]}") from exc
+
+    return region, role_arn