Merge pull request #155 from cloud-neutral-toolkit/codex/update-terraform-gcp-template-components

Refine GCP bootstrap naming for GCS locking
2025-12-09 09:06:24 +08:00 · 2025-12-09 09:06:24 +08:00 · 31336325fc
commit 31336325fc
parent c8ff8441f9 d194aea546
5 changed files with 5 additions and 56 deletions
--- a/.github/workflows/terraform-standard-iac-pipeline-gcp-global-bootstrap.yaml
+++ b/.github/workflows/terraform-standard-iac-pipeline-gcp-global-bootstrap.yaml
@ -7,9 +7,8 @@ concurrency:
 on:
  push:
    paths:
-      - 'iac-template/terraform-hcl-standard/gcp-cloud/bootstrap-s3/**'
+      - 'iac-template/terraform-hcl-standard/gcp-cloud/bootstrap-gcs/**'
      - 'iac-template/terraform-hcl-standard/gcp-cloud/bootstrap-iam/**'
-      - 'iac-template/terraform-hcl-standard/gcp-cloud/bootstrap-dynamodb/**'
      - '.github/workflows/terraform-standard-iac-pipeline-gcp-global-bootstrap.yaml'
  pull_request:
  workflow_dispatch:
@ -30,7 +29,7 @@ jobs:

    strategy:
      matrix:
-        target: [bootstrap-dynamodb, bootstrap-s3, bootstrap-iam]
+        target: [bootstrap-gcs, bootstrap-iam]

    steps:
      - uses: actions/checkout@v4
@ -39,8 +38,7 @@ jobs:
        run: |
          cat <<'SUMMARY' >> "$GITHUB_STEP_SUMMARY"
          ## Bootstrap scope (GCP)
-          - Cloud Storage: create remote state bucket (versioned + uniform access)
-          - Firestore: enable Datastore mode database for state locking and metadata
+          - Cloud Storage: create remote state bucket (versioned + uniform access + generation-based locking)
          - IAM: create Terraform bootstrap service account and bind elevated roles

          Resource names and locations follow iac-template/terraform-hcl-standard/gcp-cloud/config/accounts/bootstrap.yaml.
@ -76,7 +74,6 @@ jobs:
              + f"BOOTSTRAP_PROJECT_ID={cfg['project_id']}\n"
              + f"BOOTSTRAP_BUCKET_NAME={cfg['state']['bucket_name']}\n"
              + f"BOOTSTRAP_BUCKET_LOCATION={cfg['state'].get('bucket_location', 'US')}\n"
-              + f"BOOTSTRAP_FIRESTORE_LOCATION={cfg['state'].get('firestore_location', 'us-central')}\n"
              + f"BOOTSTRAP_SA_ID={cfg['iam'].get('service_account_id', 'terraform-bootstrap')}\n"
              + f"BOOTSTRAP_SA_ROLES={json.dumps(cfg['iam'].get('service_account_roles', []))}\n"
          )
@ -102,15 +99,11 @@ jobs:
          project_id = "${BOOTSTRAP_PROJECT_ID}"
          EOF

-          if [ "${{ matrix.target }}" = "bootstrap-s3" ]; then
+          if [ "${{ matrix.target }}" = "bootstrap-gcs" ]; then
            cat >> bootstrap.auto.tfvars <<EOF
          bucket_name = "${BOOTSTRAP_BUCKET_NAME}"
          location    = "${BOOTSTRAP_BUCKET_LOCATION}"
          EOF
-          elif [ "${{ matrix.target }}" = "bootstrap-dynamodb" ]; then
-            cat >> bootstrap.auto.tfvars <<EOF
-          location = "${BOOTSTRAP_FIRESTORE_LOCATION}"
-          EOF
          elif [ "${{ matrix.target }}" = "bootstrap-iam" ]; then
            cat >> bootstrap.auto.tfvars <<EOF
          service_account_id    = "${BOOTSTRAP_SA_ID}"
--- a/iac-template/terraform-hcl-standard/gcp-cloud/README.md
+++ b/iac-template/terraform-hcl-standard/gcp-cloud/README.md
@ -3,9 +3,8 @@
 该目录提供与 `aws-cloud` 模板一一对应的 GCP 版本，用于在 GCP 上快速引导基础设施。结构与 AWS 目录保持一致，包括引导阶段 (bootstrap)、环境示例 (envs) 与模块库 (modules)。

 ## 模板映射
- **bootstrap-dynamodb → Firestore**：使用 Firestore（Datastore 模式）作为无服务器键值存储。
 - **bootstrap-iam → IAM**：创建基础服务账号与自定义角色，替代 AWS IAM 角色与策略。
- **bootstrap-s3 → Cloud Storage**：创建 GCS 存储桶并启用版本化，对应 AWS S3。
+- **bootstrap-gcs → Cloud Storage**：创建启用版本化和 generation-based locking 的 GCS 存储桶，对应 AWS S3 + DynamoDB 锁表。
 - **modules**：保留原始模块命名（alb、nlb、vpc 等），内部实现改为 GCP 资源：
  - `alb`/`nlb`：使用 Google HTTP(S) / TCP 负载均衡。
  - `ec2`：映射到 Compute Engine 实例或 MIG。
--- a/iac-template/terraform-hcl-standard/gcp-cloud/bootstrap-dynamodb/main.tf
+++ b/iac-template/terraform-hcl-standard/gcp-cloud/bootstrap-dynamodb/main.tf
@ -1,42 +0,0 @@
-terraform {
-  required_providers {
-    google = {
-      source  = "hashicorp/google"
-      version = ">= 5.0"
-    }
-  }
-}
-
-variable "project_id" {
-  description = "GCP project id where Firestore will be enabled"
-  type        = string
-}
-
-variable "location" {
-  description = "Firestore location"
-  type        = string
-  default     = "us-central"
-}
-
-resource "google_project_service" "firestore" {
-  service = "firestore.googleapis.com"
-  project = var.project_id
-}
-
-resource "google_project_service" "cloudresourcemanager" {
-  service = "cloudresourcemanager.googleapis.com"
-  project = var.project_id
-}
-
-resource "google_firestore_database" "default" {
-  name        = "(default)"
-  location_id = var.location
-  project     = var.project_id
-  type        = "DATASTORE_MODE"
-  depends_on  = [google_project_service.firestore, google_project_service.cloudresourcemanager]
-}
-
-output "firestore_database" {
-  description = "Firestore database ID"
-  value       = google_firestore_database.default.name
-}
--- a/iac-template/terraform-hcl-standard/gcp-cloud/bootstrap-gcs/main.tf
+++ b/iac-template/terraform-hcl-standard/gcp-cloud/bootstrap-gcs/main.tf
--- a/iac-template/terraform-hcl-standard/gcp-cloud/config/accounts/bootstrap.yaml
+++ b/iac-template/terraform-hcl-standard/gcp-cloud/config/accounts/bootstrap.yaml
@ -4,7 +4,6 @@ environment: bootstrap
 state:
  bucket_name: svc-plus-gcp-iac-state
  bucket_location: US
-  firestore_location: us-central

 iam:
  service_account_id: terraform-bootstrap