Simplify bootstrap workflow cleanup

2025-12-08 17:51:23 +08:00 · 2025-12-08 17:51:23 +08:00 · 46d1fb2c8b
commit 46d1fb2c8b
parent 5ed05bd15d
2 changed files with 45 additions and 0 deletions
--- a/.github/workflows/terraform-standard-iac-pipeline-aws-global-bootstrap.yaml
+++ b/.github/workflows/terraform-standard-iac-pipeline-aws-global-bootstrap.yaml
@ -1,5 +1,9 @@
 name: Terraform Standard - AWS Account Bootstrap

+concurrency:
+  group: terraform-bootstrap-${{ github.ref }}
+  cancel-in-progress: false
+
 on:
  push:
    paths:
@ -31,6 +35,17 @@ jobs:
    steps:
      - uses: actions/checkout@v4

+      - name: Document Bootstrap Scope
+        run: |
+          cat <<'SUMMARY' >> "$GITHUB_STEP_SUMMARY"
+          ## Bootstrap scope
+          - IAM: create Terraform deploy role and automation user for DevOps
+          - S3: create remote state bucket (versioned + SSE)
+          - DynamoDB: create state lock table for Terraform CRUD workflows
+
+          Resource names and regions follow iac-template/terraform-hcl-standard/aws-cloud/config/accounts/bootstrap.yaml.
+          SUMMARY
+
      - uses: hashicorp/setup-terraform@v3
        with:
          terraform_version: 1.9.5
@ -42,6 +57,28 @@ jobs:
          aws-secret-access-key: ${{ secrets.AWS_BOOTSTRAP_SECRET_ACCESS_KEY }}
          aws-region: ap-northeast-1

+      - name: Load bootstrap config for destroy
+        if: matrix.target == 'bootstrap-s3' && env.DEPLOY_ACTION == 'destroy'
+        run: |
+          python -m pip install --quiet pyyaml
+          python - <<'PY'
+          import yaml
+          from pathlib import Path
+
+          cfg_path = Path("iac-template/terraform-hcl-standard/aws-cloud/config/accounts/bootstrap.yaml")
+          cfg = yaml.safe_load(cfg_path.read_text())
+
+          with open("$GITHUB_ENV", "a", encoding="utf-8") as fh:
+            fh.write(f"BOOTSTRAP_BUCKET={cfg['state']['bucket_name']}\n")
+          PY
+
+      - name: Empty bootstrap S3 bucket (per config)
+        if: matrix.target == 'bootstrap-s3' && env.DEPLOY_ACTION == 'destroy'
+        env:
+          AWS_REGION: ap-northeast-1
+        run: |
+          aws s3 rb "s3://${BOOTSTRAP_BUCKET}" --force
+
      - name: Init
        working-directory: ${{ env.TF_WORKDIR }}/${{ matrix.target }}
        run: make init
@ -71,6 +108,7 @@ jobs:
        with:
          name: outputs-${{ matrix.target }}
          path: iac-template/terraform-hcl-standard/aws-cloud/outputs_${{ matrix.target }}.json
+          retention-days: 30

  aggregate:
    name: "Aggregate Bootstrap Outputs"
--- a/iac-template/terraform-hcl-standard/aws-cloud/README.md
+++ b/iac-template/terraform-hcl-standard/aws-cloud/README.md
@ -2,6 +2,7 @@

 This repository provides bootstrap Terraform modules that must be applied before enabling a Terraform remote backend on AWS.
 It creates:
+- IAM artifacts — a deploy role plus a dedicated DevOps/automation user for Terraform
 - S3 bucket — to store Terraform remote state
 - DynamoDB table — to store Terraform state locks

@ -126,6 +127,12 @@ To remove bootstrap resources:

 terraform destroy

+Resource names (bucket, DynamoDB table, IAM role/user) are defined in config/accounts/bootstrap.yaml. When tearing down the S3 backend, empty the configured bucket with AWS CLI first:
+
+```
+aws s3 rb "s3://$(python -c "import yaml;print(yaml.safe_load(open('config/accounts/bootstrap.yaml'))['state']['bucket_name'])")" --force
+```
+

 # Access Key + STS 的执行流程（内部机制）