From 46d1fb2c8b1c8d03631ebe1cdf270e70c44c20d8 Mon Sep 17 00:00:00 2001
From: cloudneutral
Date: Mon, 8 Dec 2025 17:51:23 +0800
Subject: [PATCH] Simplify bootstrap workflow cleanup
---
 ...ard-iac-pipeline-aws-global-bootstrap.yaml | 38 +++++++++++++++++++
 .../aws-cloud/README.md | 7 ++++
 2 files changed, 45 insertions(+)
diff --git a/.github/workflows/terraform-standard-iac-pipeline-aws-global-bootstrap.yaml b/.github/workflows/terraform-standard-iac-pipeline-aws-global-bootstrap.yaml
index ad7470f2..07e6ad12 100644
--- a/.github/workflows/terraform-standard-iac-pipeline-aws-global-bootstrap.yaml
+++ b/.github/workflows/terraform-standard-iac-pipeline-aws-global-bootstrap.yaml
@@ -1,5 +1,9 @@
 name: Terraform Standard - AWS Account Bootstrap
+concurrency:
+ group: terraform-bootstrap-${{ github.ref }}
+ cancel-in-progress: false
+
 on:
 push:
 paths:
@@ -31,6 +35,17 @@ jobs:
 steps:
 - uses: actions/checkout@v4
+ - name: Document Bootstrap Scope
+ run: |
+ cat <<'SUMMARY' >> "$GITHUB_STEP_SUMMARY"
+ ## Bootstrap scope
+ - IAM: create Terraform deploy role and automation user for DevOps
+ - S3: create remote state bucket (versioned + SSE)
+ - DynamoDB: create state lock table for Terraform CRUD workflows
+
+ Resource names and regions follow iac-template/terraform-hcl-standard/aws-cloud/config/accounts/bootstrap.yaml.
+ SUMMARY
+
 - uses: hashicorp/setup-terraform@v3
 with:
 terraform_version: 1.9.5
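Review bot: The concurrency group `terraform-bootstrap-${{ github.ref }}` only serializes runs on the same ref, so pushes on two branches that both touch the watched paths can still run this bootstrap against the same AWS account at the same time, while the state bucket, lock table and IAM role it manages are account-scoped rather than branch-scoped. If the workflow targets one bootstrap account, a fixed group name closes that gap: `group: terraform-bootstrap`, keeping `cancel-in-progress: false` so an in-flight apply or destroy is never interrupted halfway. Whether several accounts are bootstrapped from different refs is not visible in the hunk; if they are, key the group on the account identifier rather than on the ref.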
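Review bot: The config path `iac-template/terraform-hcl-standard/aws-cloud/config/accounts/bootstrap.yaml` is spelled out inside the summary heredoc here and again as a literal in the later "Load bootstrap config for destroy" step, so a move of that file has to be fixed in two places. A workflow-level `env:` entry such as `BOOTSTRAP_CONFIG: iac-template/terraform-hcl-standard/aws-cloud/config/accounts/bootstrap.yaml`, referenced from both steps, would keep them in step. This job also appears to be a matrix job (the later hunks use `matrix.target`) and the step carries no `if:`, so every matrix job appends the same three-item scope to its summary regardless of which target it actually applies; putting the target in the heading, e.g. `## Bootstrap scope (${{ matrix.target }})`, would make each job's summary self-describing.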
@@ -42,6 +57,28 @@ jobs:
 aws-secret-access-key: ${{ secrets.AWS_BOOTSTRAP_SECRET_ACCESS_KEY }}
 aws-region: ap-northeast-1
+ - name: Load bootstrap config for destroy
+ if: matrix.target == 'bootstrap-s3' && env.DEPLOY_ACTION == 'destroy'
+ run: |
+ python -m pip install --quiet pyyaml
+ python - <<'PY'
+ import yaml
+ from pathlib import Path
+
+ cfg_path = Path("iac-template/terraform-hcl-standard/aws-cloud/config/accounts/bootstrap.yaml")
+ cfg = yaml.safe_load(cfg_path.read_text())
+
+ with open("$GITHUB_ENV", "a", encoding="utf-8") as fh:
+ fh.write(f"BOOTSTRAP_BUCKET={cfg['state']['bucket_name']}\n")
+ PY
+
+ - name: Empty bootstrap S3 bucket (per config)
+ if: matrix.target == 'bootstrap-s3' && env.DEPLOY_ACTION == 'destroy'
+ env:
+ AWS_REGION: ap-northeast-1
+ run: |
+ aws s3 rb "s3://${BOOTSTRAP_BUCKET}" --force
+
 - name: Init
 working-directory: ${{ env.TF_WORKDIR }}/${{ matrix.target }}
 run: make init
@@ -71,6 +108,7 @@ jobs:
 with:
 name: outputs-${{ matrix.target }}
 path: iac-template/terraform-hcl-standard/aws-cloud/outputs_${{ matrix.target }}.json
+ retention-days: 30
 aggregate:
 name: "Aggregate Bootstrap Outputs"
diff --git a/iac-template/terraform-hcl-standard/aws-cloud/README.md b/iac-template/terraform-hcl-standard/aws-cloud/README.md
index 94bb7342..57842b80 100644
--- a/iac-template/terraform-hcl-standard/aws-cloud/README.md
+++ b/iac-template/terraform-hcl-standard/aws-cloud/README.md
@@ -2,6 +2,7 @@
 This repository provides bootstrap Terraform modules that must be applied before enabling a Terraform remote backend on AWS. It creates:
+- IAM artifacts — a deploy role plus a dedicated DevOps/automation user for Terraform
 - S3 bucket — to store Terraform remote state
 - DynamoDB table — to store Terraform state locks
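Review bot: The `with open("$GITHUB_ENV", "a", ...)` line inside the `<<'PY'` heredoc never reaches the shell, because a quoted heredoc delimiter disables expansion, so Python opens a file literally named `$GITHUB_ENV` in the checkout and `BOOTSTRAP_BUCKET` is never exported; the following "Empty bootstrap S3 bucket" step then runs `aws s3 rb "s3://" --force` with an empty bucket name. Read the path from the environment instead: `import os` and `with open(os.environ["GITHUB_ENV"], "a", encoding="utf-8") as fh:`. On the destroy step itself, `aws s3 rb --force` deletes the bucket rather than emptying it, and the AWS CLI documents that it does not remove non-current object versions, so against the versioned state bucket described in the summary step it is expected to fail as non-empty or leave versions behind — the step name, and the README hunk below that says "empty the configured bucket", should describe what actually happens, and a versioned bucket needs its object versions and delete markers removed first. `python -m pip install --quiet pyyaml` pulls an unpinned package into a job that holds bootstrap credentials; pin it (`pyyaml==<pinned version>`, with hashes if the repo keeps a requirements file) or parse the file with a tool already on the runner. The `env.DEPLOY_ACTION == 'destroy'` condition is the only gate visible here for deleting the state backend; if the job is not already bound to a protected environment with a required reviewer, that is worth adding.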
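Review bot: `retention-days: 30` keeps `outputs_<target>.json` downloadable for a month by anyone who can read this repository's workflow runs, and since the bootstrap creates an IAM automation user, the outputs of that target may hold values that should not sit in an artifact that long — whether they do is not visible in this hunk. If the `aggregate` job below is the only consumer, a short retention such as `retention-days: 1` is enough, and any sensitive output should be excluded from the uploaded JSON rather than protected by retention alone (note that `terraform output -json` still prints values marked `sensitive = true`).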
@@ -126,6 +127,12 @@
 To remove bootstrap resources:
 terraform destroy
+Resource names (bucket, DynamoDB table, IAM role/user) are defined in config/accounts/bootstrap.yaml. When tearing down the S3 backend, empty the configured bucket with AWS CLI first:
+
+```
+aws s3 rb "s3://$(python -c "import yaml;print(yaml.safe_load(open('config/accounts/bootstrap.yaml'))['state']['bucket_name'])")" --force
+```
+
 # Access Key + STS 的执行流程(内部机制)