Merge pull request #149 from cloud-neutral-toolkit/codex/ensure-iac-modules-meet-idempotence-ljuyzg

Simplify bootstrap workflow cleanup
2025-12-08 17:58:55 +08:00 · 2025-12-08 17:58:55 +08:00 · 9efecb6703
commit 9efecb6703
parent 05392ac4ee 888a5476be
2 changed files with 30 additions and 13 deletions
--- a/.github/workflows/terraform-standard-iac-pipeline-aws-global-bootstrap.yaml
+++ b/.github/workflows/terraform-standard-iac-pipeline-aws-global-bootstrap.yaml
@ -42,8 +42,8 @@ jobs:
          - IAM: create Terraform deploy role and automation user for DevOps
          - S3: create remote state bucket (versioned + SSE)
          - DynamoDB: create state lock table for Terraform CRUD workflows
-          
-          This workflow is designed to be re-runnable for create/update/destroy by restoring and uploading module state.
+
+          Resource names and regions follow iac-template/terraform-hcl-standard/aws-cloud/config/accounts/bootstrap.yaml.
          SUMMARY

      - uses: hashicorp/setup-terraform@v3
@ -64,6 +64,28 @@ jobs:
          aws-secret-access-key: ${{ secrets.AWS_BOOTSTRAP_SECRET_ACCESS_KEY }}
          aws-region: ap-northeast-1

+      - name: Load bootstrap config for destroy
+        if: matrix.target == 'bootstrap-s3' && env.DEPLOY_ACTION == 'destroy'
+        run: |
+          python -m pip install --quiet pyyaml
+          python - <<'PY'
+          import yaml
+          from pathlib import Path
+
+          cfg_path = Path("iac-template/terraform-hcl-standard/aws-cloud/config/accounts/bootstrap.yaml")
+          cfg = yaml.safe_load(cfg_path.read_text())
+
+          with open("$GITHUB_ENV", "a", encoding="utf-8") as fh:
+            fh.write(f"BOOTSTRAP_BUCKET={cfg['state']['bucket_name']}\n")
+          PY
+
+      - name: Empty bootstrap S3 bucket (per config)
+        if: matrix.target == 'bootstrap-s3' && env.DEPLOY_ACTION == 'destroy'
+        env:
+          AWS_REGION: ap-northeast-1
+        run: |
+          aws s3 rb "s3://${BOOTSTRAP_BUCKET}" --force
+
      - name: Init
        working-directory: ${{ env.TF_WORKDIR }}/${{ matrix.target }}
        run: make init
@ -95,17 +117,6 @@ jobs:
          path: iac-template/terraform-hcl-standard/aws-cloud/outputs_${{ matrix.target }}.json
          retention-days: 30

-      - name: Save Terraform state
-        if: env.DEPLOY_ACTION != 'plan'
-        uses: actions/upload-artifact@v4
-        with:
-          name: tfstate-${{ matrix.target }}
-          path: |
-            ${{ env.TF_WORKDIR }}/${{ matrix.target }}/terraform.tfstate
-            ${{ env.TF_WORKDIR }}/${{ matrix.target }}/terraform.tfstate.backup
-          if-no-files-found: ignore
-          retention-days: 30
-
  aggregate:
    name: "Aggregate Bootstrap Outputs"
    runs-on: ubuntu-latest
--- a/iac-template/terraform-hcl-standard/aws-cloud/README.md
+++ b/iac-template/terraform-hcl-standard/aws-cloud/README.md
@ -127,6 +127,12 @@ To remove bootstrap resources:

 terraform destroy

+Resource names (bucket, DynamoDB table, IAM role/user) are defined in config/accounts/bootstrap.yaml. When tearing down the S3 backend, empty the configured bucket with AWS CLI first:
+
+```
+aws s3 rb "s3://$(python -c "import yaml;print(yaml.safe_load(open('config/accounts/bootstrap.yaml'))['state']['bucket_name'])")" --force
+```
+

 # Access Key + STS 的执行流程（内部机制）