add workflows: terraform-standard-iac-pipeline-aws-global-bootstrap.yaml

2025-11-17 20:04:45 +08:00 · 2025-11-17 20:04:45 +08:00 · 64cb67d4ba
commit 64cb67d4ba
parent 4b6f2b50b7
1 changed files with 101 additions and 0 deletions
--- a/.github/workflows/terraform-standard-iac-pipeline-aws-global-bootstrap.yaml
+++ b/.github/workflows/terraform-standard-iac-pipeline-aws-global-bootstrap.yaml
@ -0,0 +1,101 @@
+name: Terraform Standard - AWS Account Bootstrap
+
+on:
+  push:
+    paths:
+      - 'iac-template/terraform-standard/**'
+      - '.github/workflows/terraform-standard-iac-pipeline-aws-global-bootstrap.yaml'
+  pull_request:
+  workflow_dispatch:
+    inputs:
+      deploy_action:
+        type: choice
+        options: [init, plan, apply, destroy]
+        default: plan
+      deploy_dry_run:
+        type: choice
+        options: ['true', 'false']
+        default: 'true'
+
+env:
+  TF_WORKDIR: iac-template/terraform-standard
+  DRY_RUN: ${{ github.event.inputs.deploy_dry_run || 'true' }}
+
+jobs:
+  bootstrap:
+    name: "Bootstrap Modules"
+    runs-on: ubuntu-latest
+
+    strategy:
+      matrix:
+        target: [bootstrap-dynamodb, bootstrap-s3, bootstrap-iam]
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_version: 1.9.5
+
+      - name: AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-access-key-id: ${{ secrets.AWS_BOOTSTRAP_ACCESS_KEY_ID }}
+          aws-secret-access-key: ${{ secrets.AWS_BOOTSTRAP_SECRET_ACCESS_KEY }}
+          aws-region: ap-northeast-1
+
+      - name: Init
+        working-directory: ${{ env.TF_WORKDIR }}/${{ matrix.target }}
+        run: terraform init -upgrade
+
+      - name: Plan
+        if: env.DRY_RUN == 'true'
+        working-directory: ${{ env.TF_WORKDIR }}/${{ matrix.target }}
+        run: terraform plan -no-color
+
+      - name: Apply
+        if: env.DRY_RUN == 'false'
+        working-directory: ${{ env.TF_WORKDIR }}/${{ matrix.target }}
+        run: terraform apply -auto-approve
+
+      - name: Save Outputs
+        if: env.DRY_RUN == 'false'
+        working-directory: ${{ env.TF_WORKDIR }}/${{ matrix.target }}
+        run: terraform output -json > ../../outputs_${{ matrix.target }}.json
+
+      - uses: actions/upload-artifact@v4
+        if: env.DRY_RUN == 'false'
+        with:
+          name: outputs-${{ matrix.target }}
+          path: iac-template/terraform-standard/outputs_${{ matrix.target }}.json
+
+  aggregate:
+    name: "Aggregate Bootstrap Outputs"
+    runs-on: ubuntu-latest
+    needs: bootstrap
+
+    # ❗ Job-level 不能用 env.DRY_RUN，要用 github.event.inputs.*
+    if: ${{ github.event.inputs.deploy_dry_run == 'false' }}
+
+    steps:
+      - uses: actions/download-artifact@v4
+        with:
+          path: ./outputs
+
+      - name: Merge Outputs
+        run: |
+          echo "{" > final_bootstrap_outputs.json
+          f=true
+          for x in outputs/**/outputs_*.json; do
+            k=$(basename $x .json | sed 's/outputs_//')
+            [ "$f" = true ] && f=false || echo "," >> final_bootstrap_outputs.json
+            echo "\"$k\": $(cat $x)" >> final_bootstrap_outputs.json
+          done
+          echo "}" >> final_bootstrap_outputs.json
+
+      - run: cat final_bootstrap_outputs.json
+
+      - uses: actions/upload-artifact@v4
+        with:
+          name: bootstrap-final-output
+          path: final_bootstrap_outputs.json