From 359cb0f9f50b4d6c11a7ae452a6c23e4930e856a Mon Sep 17 00:00:00 2001 From: cloudneutral Date: Tue, 9 Dec 2025 22:43:20 +0800 Subject: [PATCH] Add Alicloud Terraform pipeline workflows --- ...-iac-pipeline-alicloud-account-matrix.yaml | 67 ++++++++++ ...ndard-iac-pipeline-alicloud-bootstrap.yaml | 115 ++++++++++++++++++ ...ipeline-alicloud-landingzone-baseline.yaml | 104 ++++++++++++++++ ...ac-pipeline-alicloud-resources-matrix.yaml | 66 ++++++++++ 4 files changed, 352 insertions(+) create mode 100644 .github/workflows/terraform-standard-iac-pipeline-alicloud-account-matrix.yaml create mode 100644 .github/workflows/terraform-standard-iac-pipeline-alicloud-bootstrap.yaml create mode 100644 .github/workflows/terraform-standard-iac-pipeline-alicloud-landingzone-baseline.yaml create mode 100644 .github/workflows/terraform-standard-iac-pipeline-alicloud-resources-matrix.yaml diff --git a/.github/workflows/terraform-standard-iac-pipeline-alicloud-account-matrix.yaml b/.github/workflows/terraform-standard-iac-pipeline-alicloud-account-matrix.yaml new file mode 100644 index 00000000..1b82689c --- /dev/null +++ b/.github/workflows/terraform-standard-iac-pipeline-alicloud-account-matrix.yaml 
@@ -0,0 +1,67 @@ +name: Terraform Standard - IAC Pipeline (Alicloud Account/VPC Matrix) + +on: + push: + paths: + - 'iac-template/terraform-hcl-standard/ali-cloud/modules/vpc/**' + - 'iac-template/terraform-hcl-standard/ali-cloud/modules/ram/**' + - 'iac-template/terraform-hcl-standard/ali-cloud/envs/dev/**' + - '.github/workflows/terraform-standard-iac-pipeline-alicloud-account-matrix.yaml' + workflow_dispatch: + inputs: + dry_run: + type: choice + options: ['true', 'false'] + default: 'true' + +env: + BASE_DIR: iac-template/terraform-hcl-standard/ali-cloud/envs + DRY_RUN: ${{ github.event.inputs.dry_run || 'true' }} + ALICLOUD_REGION: ${{ secrets.ALICLOUD_REGION }} + +jobs: + terraform: + name: "${{ matrix.env }} :: pipeline (dry_run=${{ inputs.dry_run }})" + runs-on: ubuntu-latest + + strategy: + fail-fast: false + matrix: + env: [dev] + + steps: + - uses: actions/checkout@v4 + + - uses: hashicorp/setup-terraform@v3 + with: + terraform_version: 1.9.5 + + - uses: terraform-linters/setup-tflint@v4 + with: + tflint_version: v0.51.0 + + - name: Export Alicloud credentials + run: | + echo "ALICLOUD_ACCESS_KEY=${{ secrets.ALICLOUD_ACCESS_KEY }}" >> "$GITHUB_ENV" + echo "ALICLOUD_SECRET_KEY=${{ secrets.ALICLOUD_SECRET_KEY }}" >> "$GITHUB_ENV" + echo "ALICLOUD_REGION=${ALICLOUD_REGION:-cn-hangzhou}" >> "$GITHUB_ENV" + echo "TF_VAR_rds_password=${{ secrets.ALICLOUD_RDS_PASSWORD }}" >> "$GITHUB_ENV" + echo "TF_VAR_redis_password=${{ secrets.ALICLOUD_REDIS_PASSWORD }}" >> "$GITHUB_ENV" + + - name: Init + run: terraform -chdir=${{ env.BASE_DIR }}/${{ matrix.env }} init -upgrade + + - name: Plan + run: terraform -chdir=${{ env.BASE_DIR }}/${{ matrix.env }} plan + + - name: Apply + if: ${{ env.DRY_RUN == 'false' }} + run: terraform -chdir=${{ env.BASE_DIR }}/${{ matrix.env }} apply -auto-approve + + - name: Skip Apply (dry-run) + if: ${{ env.DRY_RUN == 'true' }} + run: echo "Dry run enabled → skip apply step." 
+ + - name: Output + if: ${{ env.DRY_RUN == 'false' }} + run: terraform -chdir=${{ env.BASE_DIR }}/${{ matrix.env }} output -json diff --git a/.github/workflows/terraform-standard-iac-pipeline-alicloud-bootstrap.yaml b/.github/workflows/terraform-standard-iac-pipeline-alicloud-bootstrap.yaml new file mode 100644 index 00000000..bf489967 --- /dev/null +++ b/.github/workflows/terraform-standard-iac-pipeline-alicloud-bootstrap.yaml 
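Review bot: The `Export Alicloud credentials` step writes five secrets into `$GITHUB_ENV`, which keeps them as plain environment variables for every later step of the job instead of only the Terraform steps that need them; a job-level `env:` block with `ALICLOUD_ACCESS_KEY: ${{ secrets.ALICLOUD_ACCESS_KEY }}` and the other four entries gives Terraform the same values without staging them through a file, and the same export step appears in the bootstrap, landingzone-baseline and resources-matrix hunks. None of the four workflows sets `permissions:`, so each job token keeps the repository default grant although no step writes back to GitHub; `permissions: contents: read` at the top level is sufficient. `terraform-linters/setup-tflint@v4` is installed but no step runs tflint (the resources-matrix hunk has the same gap); either add `- run: tflint` with `working-directory: ${{ env.BASE_DIR }}/${{ matrix.env }}` after `Init`, or drop the setup step. `Plan` discards its result and `Apply` re-plans, so what is applied can differ from what was shown in the log; use `plan -out=tfplan` and `apply tfplan` here and in the resources-matrix hunk.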
@@ -0,0 +1,115 @@ +name: Terraform Standard - Alicloud Account Bootstrap + +concurrency: + group: terraform-alicloud-bootstrap-${{ github.ref }} + cancel-in-progress: false + +on: + push: + paths: + - 'iac-template/terraform-hcl-standard/ali-cloud/bootstrap/**' + - '.github/workflows/terraform-standard-iac-pipeline-alicloud-bootstrap.yaml' + pull_request: + workflow_dispatch: + inputs: + deploy_action: + type: choice + options: [plan, apply, destroy] + default: plan + +env: + TF_WORKDIR: iac-template/terraform-hcl-standard/ali-cloud/bootstrap + DEPLOY_ACTION: ${{ github.event.inputs.deploy_action || 'plan' }} + ALICLOUD_REGION: ${{ secrets.ALICLOUD_REGION }} + +jobs: + bootstrap: + name: "Bootstrap ${{ matrix.target }}" + runs-on: ubuntu-latest + + strategy: + matrix: + target: [state, lock, identity] + + steps: + - uses: actions/checkout@v4 + + - name: Document Bootstrap Scope (Alicloud) + run: | + cat <<'SUMMARY' >> "$GITHUB_STEP_SUMMARY" + ## Alicloud bootstrap scope + - state: provision OSS bucket for remote state storage + - lock: create Table Store instance/table for Terraform state locking + - identity: provision RAM role/user plus access keys for automation + + Resource names and defaults follow iac-template/terraform-hcl-standard/ali-cloud/bootstrap. 
+ SUMMARY + + - uses: hashicorp/setup-terraform@v3 + with: + terraform_version: 1.9.5 + + - name: Export Alicloud credentials and variables + run: | + echo "ALICLOUD_ACCESS_KEY=${{ secrets.ALICLOUD_ACCESS_KEY }}" >> "$GITHUB_ENV" + echo "ALICLOUD_SECRET_KEY=${{ secrets.ALICLOUD_SECRET_KEY }}" >> "$GITHUB_ENV" + echo "ALICLOUD_REGION=${ALICLOUD_REGION:-cn-hangzhou}" >> "$GITHUB_ENV" + echo "TF_VAR_state_bucket=${{ secrets.ALICLOUD_STATE_BUCKET }}" >> "$GITHUB_ENV" + echo "TF_VAR_account_id=${{ secrets.ALICLOUD_ACCOUNT_ID }}" >> "$GITHUB_ENV" + + - name: Terraform Init + run: terraform -chdir=${{ env.TF_WORKDIR }}/${{ matrix.target }} init -upgrade + + - name: Terraform Plan + if: env.DEPLOY_ACTION == 'plan' + run: terraform -chdir=${{ env.TF_WORKDIR }}/${{ matrix.target }} plan -no-color + + - name: Terraform Apply + if: env.DEPLOY_ACTION == 'apply' + run: terraform -chdir=${{ env.TF_WORKDIR }}/${{ matrix.target }} apply -auto-approve + + - name: Terraform Destroy + if: env.DEPLOY_ACTION == 'destroy' + run: terraform -chdir=${{ env.TF_WORKDIR }}/${{ matrix.target }} destroy -auto-approve + + - name: Save Outputs + if: env.DEPLOY_ACTION == 'apply' + run: terraform -chdir=${{ env.TF_WORKDIR }}/${{ matrix.target }} output -json > ../outputs_${{ matrix.target }}.json + + - uses: actions/upload-artifact@v4 + if: env.DEPLOY_ACTION == 'apply' + with: + name: outputs-${{ matrix.target }} + path: iac-template/terraform-hcl-standard/ali-cloud/outputs_${{ matrix.target }}.json + retention-days: 30 + + aggregate: + name: "Aggregate Bootstrap Outputs" + runs-on: ubuntu-latest + needs: bootstrap + + if: ${{ github.event.inputs.deploy_action == 'apply' }} + + steps: + - uses: actions/download-artifact@v4 + with: + path: ./outputs + + - name: Merge Outputs + run: | + shopt -s globstar nullglob + echo "{" > final_bootstrap_outputs.json + f=true + for x in outputs/**/outputs_*.json; do + k=$(basename $x .json | sed 's/outputs_//') + [ "$f" = true ] && f=false || echo "," >> 
final_bootstrap_outputs.json + echo "\"$k\": $(cat $x)" >> final_bootstrap_outputs.json + done + echo "}" >> final_bootstrap_outputs.json + + - run: cat final_bootstrap_outputs.json + + - uses: actions/upload-artifact@v4 + with: + name: alicloud-bootstrap-final-output + path: final_bootstrap_outputs.json diff --git a/.github/workflows/terraform-standard-iac-pipeline-alicloud-landingzone-baseline.yaml b/.github/workflows/terraform-standard-iac-pipeline-alicloud-landingzone-baseline.yaml new file mode 100644 index 00000000..527a1c03 --- /dev/null +++ b/.github/workflows/terraform-standard-iac-pipeline-alicloud-landingzone-baseline.yaml 
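Review bot: The `Save Outputs` step redirects to `../outputs_${{ matrix.target }}.json`, but `-chdir` only moves Terraform's working directory, not the shell's, so the file lands one level above the checkout while `upload-artifact` looks for `iac-template/terraform-hcl-standard/ali-cloud/outputs_${{ matrix.target }}.json`; redirect to `${{ env.TF_WORKDIR }}/outputs_${{ matrix.target }}.json` so the two paths agree and `aggregate` has something to merge. Second, the step summary states that the `identity` target provisions RAM access keys, and `terraform output -json` prints sensitive outputs in clear, so if those keys are exposed as outputs they end up in a 30-day artifact and, via `- run: cat final_bootstrap_outputs.json` in `aggregate`, in the job log, where secret masking does not apply; drop the `cat` step and keep the identity target out of the aggregated outputs unless its outputs are confirmed free of key material. Whether the identity module really exports the keys as outputs is not visible in this diff. The `Merge Outputs` loop also leaves `$x` unquoted in `basename $x .json` and `cat $x`; quote both.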
@@ -0,0 +1,104 @@ +name: Terraform Standard - Alicloud Global LandingZone Baseline + +on: + push: + paths: + - 'iac-template/terraform-hcl-standard/ali-cloud/**' + - '.github/workflows/terraform-standard-iac-pipeline-alicloud-landingzone-baseline.yaml' + pull_request: + branches: [main] + workflow_dispatch: + inputs: + deploy_action: + description: "Deployment action" + type: choice + options: [plan, apply, destroy] + default: plan + deploy_dry_run: + description: "Dry-run mode" + type: choice + options: ['true', 'false'] + default: 'true' + +env: + TF_WORKDIR: iac-template/terraform-hcl-standard/ali-cloud + DEPLOY_ACTION: ${{ github.event.inputs.deploy_action || 'plan' }} + ALICLOUD_REGION: ${{ secrets.ALICLOUD_REGION }} + +jobs: + landingzone: + name: "Deploy LandingZone Baseline" + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v4 + + - uses: hashicorp/setup-terraform@v3 + with: + terraform_version: 1.9.5 + + - name: Export Alicloud credentials + run: | + echo "ALICLOUD_ACCESS_KEY=${{ secrets.ALICLOUD_ACCESS_KEY }}" >> "$GITHUB_ENV" + echo "ALICLOUD_SECRET_KEY=${{ secrets.ALICLOUD_SECRET_KEY }}" >> "$GITHUB_ENV" + echo "ALICLOUD_REGION=${ALICLOUD_REGION:-cn-hangzhou}" >> "$GITHUB_ENV" + echo "TF_VAR_rds_password=${{ secrets.ALICLOUD_RDS_PASSWORD }}" >> "$GITHUB_ENV" + echo "TF_VAR_redis_password=${{ secrets.ALICLOUD_REDIS_PASSWORD }}" >> "$GITHUB_ENV" + + - name: Terraform Init (LandingZone) + working-directory: ${{ env.TF_WORKDIR }}/envs/dev + run: terraform init -upgrade + + - name: Terraform Plan (LandingZone) + id: tfplan + if: env.DEPLOY_ACTION == 'plan' + working-directory: ${{ env.TF_WORKDIR }}/envs/dev + run: terraform plan -no-color > plan_output.txt + + - name: Upload LandingZone Plan Artifact + uses: actions/upload-artifact@v4 + with: + name: alicloud-landingzone-plan + path: ${{ env.TF_WORKDIR }}/envs/dev/plan_output.txt + + - name: Terraform Apply (LandingZone) + if: env.DEPLOY_ACTION == 'apply' + working-directory: ${{ env.TF_WORKDIR 
}}/envs/dev + run: terraform apply -auto-approve + + - name: Terraform Destroy (LandingZone) + if: env.DEPLOY_ACTION == 'destroy' + working-directory: ${{ env.TF_WORKDIR }}/envs/dev + run: terraform destroy -auto-approve + + validation: + name: "Validate LandingZone Baseline" + needs: landingzone + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v4 + + - name: Run Validation Checks + run: | + echo "⚙️ Running LandingZone baseline validation..." + chmod +x scripts/validation/validate-landingzone.sh + scripts/validation/validate-landingzone.sh \ + ${{ env.TF_WORKDIR }}/envs/dev + + delivery: + name: "Delivery: Notify Rollout" + needs: validation + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v4 + + - name: Notify + env: + SMTP_PASSWORD: ${{ secrets.SMTP_PASSWORD }} + SMTP_USERNAME: "manbuzhe2009@qq.com" + run: | + echo "📣 Sending Alicloud LandingZone rollout notification..." + chmod +x scripts/notifications/notify-landingzone.sh + ./scripts/notifications/notify-landingzone.sh diff --git a/.github/workflows/terraform-standard-iac-pipeline-alicloud-resources-matrix.yaml b/.github/workflows/terraform-standard-iac-pipeline-alicloud-resources-matrix.yaml new file mode 100644 index 00000000..c6e94d21 --- /dev/null +++ b/.github/workflows/terraform-standard-iac-pipeline-alicloud-resources-matrix.yaml 
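Review bot: The `deploy_dry_run` dispatch input is declared with default `'true'` but nothing in the jobs reads it, so choosing `apply` or `destroy` runs `terraform apply -auto-approve` or `terraform destroy -auto-approve` regardless of the dry-run selection; export it as `DEPLOY_DRY_RUN: ${{ github.event.inputs.deploy_dry_run || 'true' }}` in `env:` and gate the two steps with `if: env.DEPLOY_ACTION == 'apply' && env.DEPLOY_DRY_RUN == 'false'` (and the destroy equivalent). Neither step is attached to a GitHub `environment:`, so there is no reviewer gate before a destroy of the landing zone; binding the `landingzone` job to an environment with required reviewers would add one (the environment name is a repository setting, not in this diff). `Upload LandingZone Plan Artifact` runs for every action but `plan_output.txt` is only produced when `DEPLOY_ACTION == 'plan'`; add the same `if:` to the upload step. `SMTP_USERNAME: "manbuzhe2009@qq.com"` hard-codes a personal mailbox in the workflow; read it from a repository variable or secret (`${{ secrets.SMTP_USERNAME }}`) alongside `SMTP_PASSWORD`.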
@@ -0,0 +1,66 @@ +name: Terraform Standard - IAC Pipeline (Alicloud Resources Matrix) + +on: + push: + paths: + - 'iac-template/terraform-hcl-standard/ali-cloud/modules/**' + - 'iac-template/terraform-hcl-standard/ali-cloud/envs/dev/**' + - '.github/workflows/terraform-standard-iac-pipeline-alicloud-resources-matrix.yaml' + workflow_dispatch: + inputs: + dry_run: + type: choice + options: ['true', 'false'] + default: 'true' + +env: + BASE_DIR: iac-template/terraform-hcl-standard/ali-cloud/envs + DRY_RUN: ${{ github.event.inputs.dry_run || 'true' }} + ALICLOUD_REGION: ${{ secrets.ALICLOUD_REGION }} + +jobs: + terraform: + name: "${{ matrix.env }} :: resources (dry_run=${{ inputs.dry_run }})" + runs-on: ubuntu-latest + + strategy: + fail-fast: false + matrix: + env: [dev] + + steps: + - uses: actions/checkout@v4 + + - uses: hashicorp/setup-terraform@v3 + with: + terraform_version: 1.9.5 + + - uses: terraform-linters/setup-tflint@v4 + with: + tflint_version: v0.51.0 + + - name: Export Alicloud credentials + run: | + echo "ALICLOUD_ACCESS_KEY=${{ secrets.ALICLOUD_ACCESS_KEY }}" >> "$GITHUB_ENV" + echo "ALICLOUD_SECRET_KEY=${{ secrets.ALICLOUD_SECRET_KEY }}" >> "$GITHUB_ENV" + echo "ALICLOUD_REGION=${ALICLOUD_REGION:-cn-hangzhou}" >> "$GITHUB_ENV" + echo "TF_VAR_rds_password=${{ secrets.ALICLOUD_RDS_PASSWORD }}" >> "$GITHUB_ENV" + echo "TF_VAR_redis_password=${{ secrets.ALICLOUD_REDIS_PASSWORD }}" >> "$GITHUB_ENV" + + - name: Init + run: terraform -chdir=${{ env.BASE_DIR }}/${{ matrix.env }} init -upgrade + + - name: Plan + run: terraform -chdir=${{ env.BASE_DIR }}/${{ matrix.env }} plan + + - name: Apply + if: ${{ env.DRY_RUN == 'false' }} + run: terraform -chdir=${{ env.BASE_DIR }}/${{ matrix.env }} apply -auto-approve + + - name: Skip Apply (dry-run) + if: ${{ env.DRY_RUN == 'true' }} + run: echo "Dry run enabled → skip apply step." + + - name: Output + if: ${{ env.DRY_RUN == 'false' }} + run: terraform -chdir=${{ env.BASE_DIR }}/${{ matrix.env }} output -json
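Review bot: The `push` path filters here overlap with the account-matrix workflow's (`modules/**` covers its `modules/vpc/**` and `modules/ram/**`, and both list `envs/dev/**`), and both workflows run `init`/`plan`/`apply` against the same root `${{ env.BASE_DIR }}/dev`, so a single push starts two runs concurrently against one Terraform state with no `concurrency:` group, unlike the bootstrap workflow. Add a shared group to both, `concurrency:` with `group: terraform-alicloud-dev` and `cancel-in-progress: false`, or fold the two workflows into one. The job `name:` interpolates `inputs.dry_run`, which is empty on `push` events, while the `if:` guards use `env.DRY_RUN` with its `'true'` fallback, so the title reads `dry_run=` on push runs; `${{ github.event.inputs.dry_run || 'true' }}` in the name matches the guard (the account-matrix hunk has the same mismatch).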