From a168c8f3dfb93fa2d1e1a87bf85d9e67e52431ab Mon Sep 17 00:00:00 2001
From: cloudneutral
Date: Mon, 8 Dec 2025 17:20:11 +0800
Subject: [PATCH 1/3] Refine bootstrap workflow scope and retention
---
 ...ard-iac-pipeline-aws-global-bootstrap.yaml | 34 +++++++++++++++++++
 .../aws-cloud/README.md | 1 +
 2 files changed, 35 insertions(+)
diff --git a/.github/workflows/terraform-standard-iac-pipeline-aws-global-bootstrap.yaml b/.github/workflows/terraform-standard-iac-pipeline-aws-global-bootstrap.yaml
index ad7470f2..6f976a3b 100644
--- a/.github/workflows/terraform-standard-iac-pipeline-aws-global-bootstrap.yaml
+++ b/.github/workflows/terraform-standard-iac-pipeline-aws-global-bootstrap.yaml
@@ -1,5 +1,9 @@
 name: Terraform Standard - AWS Account Bootstrap
+concurrency:
+ group: terraform-bootstrap-${{ github.ref }}
+ cancel-in-progress: false
+
 on:
 push:
 paths:
@@ -31,10 +35,28 @@ jobs:
 steps:
 - uses: actions/checkout@v4
+ - name: Document Bootstrap Scope
+ run: |
+ cat <<'SUMMARY' >> "$GITHUB_STEP_SUMMARY"
+ ## Bootstrap scope
+ - IAM: create Terraform deploy role and automation user for DevOps
+ - S3: create remote state bucket (versioned + SSE)
+ - DynamoDB: create state lock table for Terraform CRUD workflows
+
+ This workflow is designed to be re-runnable for create/update/destroy by restoring and uploading module state.
+ SUMMARY
+
 - uses: hashicorp/setup-terraform@v3
 with:
 terraform_version: 1.9.5
+ - name: Restore Terraform state
+ uses: actions/download-artifact@v4
+ continue-on-error: true
+ with:
+ name: tfstate-${{ matrix.target }}
+ path: ${{ env.TF_WORKDIR }}/${{ matrix.target }}
+
 - name: AWS Credentials
 uses: aws-actions/configure-aws-credentials@v4
 with:
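Review bot: The concurrency group `terraform-bootstrap-${{ github.ref }}` only serialises runs on the same ref, so pushes on two branches that both target the same AWS account can still run apply in parallel, and at bootstrap time the DynamoDB lock table they would normally contend on does not exist yet. If the bootstrap account is fixed per workflow, key the group on the workflow rather than the ref, e.g. `group: terraform-bootstrap-aws-global`, so every run queues behind the previous one. `cancel-in-progress: false` is the right choice here, since cancelling a half-finished apply would strand resources; the `push.paths` filter and the job that consumes this setting continue outside the hunk.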
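Review bot: The `Restore Terraform state` step will not find state from an earlier run, because `actions/download-artifact@v4` only looks at artifacts uploaded by the current workflow run unless `run-id` and `github-token` are supplied, and `continue-on-error: true` turns that miss into a silently empty `${{ env.TF_WORKDIR }}/${{ matrix.target }}`, so a re-run with apply or destroy starts from no state (duplicate-create errors, or a destroy that is a no-op). Either name the source run explicitly, e.g. `run-id: ${{ inputs.state_run_id }}` and `github-token: ${{ github.token }}`, and make a missing artifact fatal for non-plan actions, or keep the bootstrap state somewhere more durable than a 30-day artifact. The job definition, `matrix.target` and `TF_WORKDIR` are set outside the hunk, so whether a suitable `inputs.*` value already exists cannot be confirmed here.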
@@ -71,6 +93,18 @@ jobs:
 with:
 name: outputs-${{ matrix.target }}
 path: iac-template/terraform-hcl-standard/aws-cloud/outputs_${{ matrix.target }}.json
+ retention-days: 30
+
+ - name: Save Terraform state
+ if: env.DEPLOY_ACTION != 'plan'
+ uses: actions/upload-artifact@v4
+ with:
+ name: tfstate-${{ matrix.target }}
+ path: |
+ ${{ env.TF_WORKDIR }}/${{ matrix.target }}/terraform.tfstate
+ ${{ env.TF_WORKDIR }}/${{ matrix.target }}/terraform.tfstate.backup
+ if-no-files-found: ignore
+ retention-days: 30
 aggregate:
 name: "Aggregate Bootstrap Outputs"
diff --git a/iac-template/terraform-hcl-standard/aws-cloud/README.md b/iac-template/terraform-hcl-standard/aws-cloud/README.md
index 94bb7342..af4f92a8 100644
--- a/iac-template/terraform-hcl-standard/aws-cloud/README.md
+++ b/iac-template/terraform-hcl-standard/aws-cloud/README.md
@@ -2,6 +2,7 @@
 This repository provides bootstrap Terraform modules that must be applied before enabling a Terraform remote backend on AWS. It creates:
+- IAM artifacts — a deploy role plus a dedicated DevOps/automation user for Terraform
 - S3 bucket — to store Terraform remote state
 - DynamoDB table — to store Terraform state locks
From 826e3d2ef12d63a4e9fe951d39277770e5e63f2b Mon Sep 17 00:00:00 2001
From: Haitao Pan
Date: Mon, 8 Dec 2025 17:28:29 +0800
Subject: [PATCH 2/3] chore(iac): update AWS bootstrap config for Xzerolab account
---
 .../aws-cloud/config/accounts/bootstrap.yaml | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/iac-template/terraform-hcl-standard/aws-cloud/config/accounts/bootstrap.yaml b/iac-template/terraform-hcl-standard/aws-cloud/config/accounts/bootstrap.yaml
index 0493b968..c7ef8932 100644
--- a/iac-template/terraform-hcl-standard/aws-cloud/config/accounts/bootstrap.yaml
+++ b/iac-template/terraform-hcl-standard/aws-cloud/config/accounts/bootstrap.yaml
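Review bot: The `tfstate-${{ matrix.target }}` artifact exposes the IAM module's raw state — every attribute of the deploy role and automation user, including the secret access key in plaintext if the module creates one — to anyone with read access to the repository for the full 30-day retention. If state must travel through artifacts, upload only an encrypted form or at least exclude the IAM target, and note that the `outputs-*` artifact on the preceding step has the same exposure for any sensitive output. Separately, `if-no-files-found: ignore` hides the case where apply succeeded but no `terraform.tfstate` was written; since this step already skips `plan`, `if-no-files-found: error` is the safer setting. Whether the module emits an access key is not visible in this hunk.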
@@ -1,16 +1,17 @@
 region: ap-northeast-1
 environment: bootstrap
-account_name: dev
+account_name: xzerolab
+account_id: 950604983695
 state:
- bucket_name: svc-plus-iac-state
- dynamodb_table_name: svc-plus-iac-state-dynamodb-lock
+ bucket_name: xzerolab-iac-state
+ dynamodb_table_name: xzerolab-iac-state-dynamodb-lock
 iam:
- role_name: TerraformDeployRole-Dev
- terraform_user_name: sit-ci-runner
+ role_name: XzerolabTerraformDeployRole
+ terraform_user_name: github-ci-runner
 tags:
 Owner: Platform
- Project: modern-container-app
+ Project: CloudNeutral
From e77d4621fde71c54f76c5afa7ad589249031cfaa Mon Sep 17 00:00:00 2001
From: cloudneutral
Date: Mon, 8 Dec 2025 17:41:03 +0800
Subject: [PATCH 3/3] Fix bootstrap IAM defaults
---
 .../aws-cloud/bootstrap-iam/Makefile | 2 +-
 .../aws-cloud/bootstrap-iam/locals.tf | 9 ++++++---
 2 files changed, 7 insertions(+), 4 deletions(-)
diff --git a/iac-template/terraform-hcl-standard/aws-cloud/bootstrap-iam/Makefile b/iac-template/terraform-hcl-standard/aws-cloud/bootstrap-iam/Makefile
index e93f6131..b8b6ba68 100644
--- a/iac-template/terraform-hcl-standard/aws-cloud/bootstrap-iam/Makefile
+++ b/iac-template/terraform-hcl-standard/aws-cloud/bootstrap-iam/Makefile
@@ -1,7 +1,7 @@
 account_name ?=
 region ?=
 role_name ?=
- terraform_user_name ?=
+terraform_user_name ?=
 TF_VARS := $(if $(account_name),-var="account_name=$(account_name)") $(if $(region),-var="region=$(region)") $(if $(role_name),-var="role_name=$(role_name)") $(if $(terraform_user_name),-var="terraform_user_name=$(terraform_user_name)")
diff --git a/iac-template/terraform-hcl-standard/aws-cloud/bootstrap-iam/locals.tf b/iac-template/terraform-hcl-standard/aws-cloud/bootstrap-iam/locals.tf
index 71700a86..a85305b0 100644
--- a/iac-template/terraform-hcl-standard/aws-cloud/bootstrap-iam/locals.tf
+++ b/iac-template/terraform-hcl-standard/aws-cloud/bootstrap-iam/locals.tf
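Review bot: `account_id: 950604983695` is an unquoted all-digit scalar, so `yamldecode` hands Terraform a number rather than a string; this value happens to have no leading zero, but an account ID that starts with `0` would be silently mangled, and a numeric value interpolated into ARNs is an easy thing to break later. Quote it, `account_id: "950604983695"`, to match how AWS treats account IDs. Also, `terraform_user_name: github-ci-runner` suggests a long-lived IAM user with access keys for the GitHub runner; the `configure-aws-credentials` step is cut off in this series, but if that user's keys are what the pipeline consumes, an OIDC-assumed role would avoid creating or storing a static credential at all.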
@@ -10,7 +10,10 @@ locals {
 }
 locals {
- account = yamldecode(
- file("${path.root}/../config/accounts/${local.config_account_name}.yaml")
- )
+ account_file_path = "${path.root}/../config/accounts/${local.config_account_name}.yaml"
+ account = fileexists(local.account_file_path) ? yamldecode(file(local.account_file_path)) : {
+ account_id = local.bootstrap.account_id
+ environment = local.environment
+ tags = local.extra_tags
+ }
 }
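Review bot: The inline fallback object carries only `account_id`, `environment` and `tags`, whereas the files under `config/accounts/` also define `region`, `account_name`, `state` and `iam`, so any later `local.account.iam.role_name`-style lookup fails with an unsupported-attribute error instead of the clear file-not-found error the old code produced, and for an IAM bootstrap a silent fallback also means a mistyped account name no longer stops the run. Either fail fast when the file is absent, or build the value with `merge()` over an explicitly documented default map so the two shapes cannot drift and the file's values still win key by key. `local.bootstrap`, `local.environment` and `local.extra_tags` come from the `locals` block whose body is outside the hunk, so their contents cannot be checked here.
```hcl
locals {
  account_file_path = "${path.root}/../config/accounts/${local.config_account_name}.yaml"
  # Used only when no per-account YAML exists; keep these keys in step with the
  # YAML schema (region, state, iam, ...) so downstream lookups fail in one place.
  account_defaults = {
    account_id  = local.bootstrap.account_id
    environment = local.environment
    tags        = local.extra_tags
  }
  # Values from the file override the defaults key by key.
  account = merge(
    local.account_defaults,
    fileexists(local.account_file_path) ? yamldecode(file(local.account_file_path)) : {}
  )
}
```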