From 6dac7897fdaa08cd20b015ce5238f06f933cd709 Mon Sep 17 00:00:00 2001
From: cloudneutral
Date: Tue, 16 Dec 2025 18:01:31 +0800
Subject: [PATCH] Reuse config loader for AWS credentials
---
 ...ndard-iac-pipeline-aws-account-matrix.yaml | 25 ++++++++++++++--
 .../aws-cloud/component/role/Makefile | 26 ++++++++++++----
 .../aws-cloud/component/role/main.tf | 6 +++-
 .../aws-cloud/component/role/variables.tf | 5 ++++
 .../aws-cloud/component/vpc/Makefile | 30 ++++++++++++++-----
 .../aws-cloud/component/vpc/main.tf | 13 ++++----
 .../aws-cloud/component/vpc/variables.tf | 5 ++++
 .../utils/config_loader.py | 25 ++++++++++++++++
 8 files changed, 112 insertions(+), 23 deletions(-)
 create mode 100644 iac-template/terraform-hcl-standard/aws-cloud/component/role/variables.tf
 create mode 100644 iac-template/terraform-hcl-standard/aws-cloud/component/vpc/variables.tf
diff --git a/.github/workflows/terraform-standard-iac-pipeline-aws-account-matrix.yaml b/.github/workflows/terraform-standard-iac-pipeline-aws-account-matrix.yaml
index 6ca62f15..4bb76f62 100644
--- a/.github/workflows/terraform-standard-iac-pipeline-aws-account-matrix.yaml
+++ b/.github/workflows/terraform-standard-iac-pipeline-aws-account-matrix.yaml
@@ -20,8 +20,9 @@ permissions:
 env:
 BASE_DIR: iac-template/terraform-hcl-standard/aws-cloud/component/
 DEPLOY_ACTION: ${{ github.event.inputs.deploy_action || 'plan' }}
- AWS_REGION: ap-northeast-1
- AWS_ROLE_ARN: arn:aws:iam::950604983695:role/GithubAction_IAC_Deploy_Role
+ CONFIG_FILES: |
+ config/xzerolab/sit/aws-cloud/account/accounts.yaml
+ config/xzerolab/sit/aws-cloud/resources/vpc.yaml
 jobs:
 terraform:
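Review bot: The new `CONFIG_FILES` block carries an ordering contract that nothing in this hunk states: the 'Load AWS config' step added later in this commit takes only the first line (`head -n 1`) as the account file, so swapping the two paths would silently make the job read its region and role from `vpc.yaml`. A comment above the block would make that visible, e.g. `# first entry must be the account config (region, role_to_assume); later entries are presumably consumed by the component Makefiles`. Note also that the role ARN previously pinned in the workflow now comes from a file in the repository checkout; if this workflow can run on events that carry untrusted changes to `config/`, that file now decides which role the job assumes, so the trigger set (not visible in this hunk) is worth confirming.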
@@ -46,6 +47,26 @@ jobs:
 with:
 tflint_version: v0.51.0
+ - name: Load AWS config
+ run: |
+ ACCOUNT_FILE=$(printf "%s\n" "${CONFIG_FILES}" | head -n 1)
+ python - <<'PY'
+import os
+import sys
+from pathlib import Path
+
+utils_dir = Path("iac-template/terraform-hcl-standard/utils").resolve()
+sys.path.insert(0, str(utils_dir))
+
+from config_loader import load_account_credentials
+
+region, role_arn = load_account_credentials(os.environ["ACCOUNT_FILE"])
+
+with Path(os.environ["GITHUB_ENV"]).open("a", encoding="utf-8") as handle:
+ handle.write(f"AWS_REGION={region}\n")
+ handle.write(f"AWS_ROLE_ARN={role_arn}\n")
+PY
+
 - uses: aws-actions/configure-aws-credentials@v4
 with:
 aws-region: ${{ env.AWS_REGION }}
diff --git a/iac-template/terraform-hcl-standard/aws-cloud/component/role/Makefile b/iac-template/terraform-hcl-standard/aws-cloud/component/role/Makefile
index 1a7af368..09dff916 100644
--- a/iac-template/terraform-hcl-standard/aws-cloud/component/role/Makefile
+++ b/iac-template/terraform-hcl-standard/aws-cloud/component/role/Makefile
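Review bot: `ACCOUNT_FILE` is assigned as a plain shell variable but read via `os.environ` inside the heredoc, so the Python child process never sees it and `os.environ["ACCOUNT_FILE"]` raises `KeyError`; it needs `export ACCOUNT_FILE=$(printf "%s\n" "${CONFIG_FILES}" | head -n 1)`. The two values are then written to `GITHUB_ENV` unvalidated, and that file is line-oriented: a `region` or `role_to_assume` containing a newline defines additional environment variables for every later step, so reject multi-line values before writing, e.g. `if "\n" in f"{region}{role_arn}": raise ValueError("account config values must be single-line")`. As rendered in the patch the heredoc body (`import os` through `PY`) sits at column 0 inside the `run: |` block scalar; if that indentation is faithful, the scalar ends at `import os` and the workflow file will not parse, so the body needs to be indented at least as far as `python - <<'PY'`.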
@@ -2,21 +2,35 @@
 SHELL := /bin/bash
 TF=terraform
+CONFIG_FILES ?=
+
+CONFIG_FILES_JSON := $(shell python - <<'PY'
+import json
+from pathlib import Path
+
+raw = '''$(CONFIG_FILES)'''
+files = [line.strip() for line in raw.splitlines() if line.strip()]
+resolved = [str(Path(path).expanduser().resolve()) for path in files]
+print(json.dumps(resolved)) if resolved else print("")
+PY)
+
+CONFIG_FILES_ENV := $(if $(CONFIG_FILES_JSON),TF_VAR_config_files='$(CONFIG_FILES_JSON)')
+
 render:
- python ../../../utils/render_provider_backend.py \
- --config-dir ../../config \
+ python ../../../utils/render_provider_backend.py \
+ --config-dir ../../config \
 --template-dir ../../templates \
 --component-dir .. \
 --component role
 init:
- $(TF) init --upgrade
+ $(CONFIG_FILES_ENV) $(TF) init --upgrade
 plan:
- $(TF) plan
+ $(CONFIG_FILES_ENV) $(TF) plan
 apply:
- $(TF) apply -auto-approve
+ $(CONFIG_FILES_ENV) $(TF) apply -auto-approve
 destroy:
- $(TF) destroy -auto-approve
+ $(CONFIG_FILES_ENV) $(TF) destroy -auto-approve
diff --git a/iac-template/terraform-hcl-standard/aws-cloud/component/role/main.tf b/iac-template/terraform-hcl-standard/aws-cloud/component/role/main.tf
index f84c1148..5b0b0b52 100644
--- a/iac-template/terraform-hcl-standard/aws-cloud/component/role/main.tf
+++ b/iac-template/terraform-hcl-standard/aws-cloud/component/role/main.tf
@@ -1,6 +1,10 @@
 locals {
+ config_files = length(var.config_files) > 0 ? var.config_files : [
+ abspath("${path.root}/../../../../../config/xzerolab/sit/aws-cloud/account/accounts.yaml"),
+ ]
+
 account = yamldecode(
- file("${path.root}/../../config/accounts/dev.yaml")
+ file(local.config_files[0])
 )
 }
diff --git a/iac-template/terraform-hcl-standard/aws-cloud/component/role/variables.tf b/iac-template/terraform-hcl-standard/aws-cloud/component/role/variables.tf
new file mode 100644
index 00000000..146ea5a3
--- /dev/null
+++ b/iac-template/terraform-hcl-standard/aws-cloud/component/role/variables.tf
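Review bot: `CONFIG_FILES_JSON := $(shell python - <<'PY'` opens a `$(shell …)` call that is not closed on the same logical line; GNU make parses a variable assignment as a single line, so as written I would expect it to stop with an unterminated variable reference, and the heredoc lines that follow are not valid makefile syntax either, so `make init` should fail before Terraform runs unless something not visible here rewrites this. The body also splices `$(CONFIG_FILES)` into Python source as `'''$(CONFIG_FILES)'''`, which means a value containing `'''` or a backslash sequence changes the program rather than the data. Passing the variable through the environment and using a single-line `python -c` fixes both; `export CONFIG_FILES` is needed because a make variable set in the makefile is not otherwise visible to the `$(shell)` child.
```makefile
export CONFIG_FILES
CONFIG_FILES_JSON := $(shell python -c 'import json, os, pathlib; \
  paths = [str(pathlib.Path(p.strip()).expanduser().resolve()) for p in os.environ.get("CONFIG_FILES", "").splitlines() if p.strip()]; \
  print(json.dumps(paths) if paths else "")')
# … unchanged: CONFIG_FILES_ENV and the render/init/plan/apply/destroy targets …
```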
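Review bot: When `var.config_files` is empty the new `config_files` local silently falls back to the `sit` account file, so a bare `make plan` or `make apply` in this component, or a CI job whose `CONFIG_FILES` export is lost, plans against the sit account's `role_to_assume` instead of failing; for a component that presumably provisions IAM roles that is a risky default. I would either drop the fallback so `file()` fails loudly when nothing is passed, or keep it and say so next to it: `# Fallback targets the sit account when no TF_VAR_config_files is supplied — pass CONFIG_FILES to select another environment.` The `locals` block is shown in full, but the rest of `main.tf` continues outside the hunk.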
@@ -0,0 +1,5 @@
+variable "config_files" {
+ description = "Ordered list of config files: [account_config]."
+ type = list(string)
+ default = []
+}
diff --git a/iac-template/terraform-hcl-standard/aws-cloud/component/vpc/Makefile b/iac-template/terraform-hcl-standard/aws-cloud/component/vpc/Makefile
index dac9394c..011eea4c 100644
--- a/iac-template/terraform-hcl-standard/aws-cloud/component/vpc/Makefile
+++ b/iac-template/terraform-hcl-standard/aws-cloud/component/vpc/Makefile
@@ -1,15 +1,29 @@
+CONFIG_FILES ?=
+
+CONFIG_FILES_JSON := $(shell python - <<'PY'
+import json
+from pathlib import Path
+
+raw = '''$(CONFIG_FILES)'''
+files = [line.strip() for line in raw.splitlines() if line.strip()]
+resolved = [str(Path(path).expanduser().resolve()) for path in files]
+print(json.dumps(resolved)) if resolved else print("")
+PY)
+
+CONFIG_FILES_ENV := $(if $(CONFIG_FILES_JSON),TF_VAR_config_files='$(CONFIG_FILES_JSON)')
+
 render:
- python ../../../utils/render_provider_backend.py \
- --config-dir ../../config \
- --template-dir ../../templates \
- --component-dir .. \
- --component vpc
+ python ../../../utils/render_provider_backend.py \
+ --config-dir ../../config \
+ --template-dir ../../templates \
+ --component-dir .. \
+ --component vpc
 init: render
- terraform init --upgrade
+ $(CONFIG_FILES_ENV) terraform init --upgrade
 plan: init
- terraform plan
+ $(CONFIG_FILES_ENV) terraform plan
 apply: init
- terraform apply -auto-approve
+ $(CONFIG_FILES_ENV) terraform apply -auto-approve
diff --git a/iac-template/terraform-hcl-standard/aws-cloud/component/vpc/main.tf b/iac-template/terraform-hcl-standard/aws-cloud/component/vpc/main.tf
index f6516642..c0ce1905 100644
--- a/iac-template/terraform-hcl-standard/aws-cloud/component/vpc/main.tf
+++ b/iac-template/terraform-hcl-standard/aws-cloud/component/vpc/main.tf
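Review bot: `raw = '''$(CONFIG_FILES)'''` embeds the make variable directly in Python source, so it is evaluated as code rather than data: a path containing `'''` terminates the literal and whatever follows it executes, and backslash sequences are interpreted by the string literal instead of being kept as path characters. Since `CONFIG_FILES ?=` takes the value from the environment anyway, read it there, `raw = os.environ.get("CONFIG_FILES", "")`, and add `export CONFIG_FILES` above the assignment so the `$(shell)` child sees it. Separately, a multi-line heredoc inside `$(shell …)` in a variable assignment is not something GNU make parses (the `$(` is left unterminated at the end of the line), so this block most likely has to collapse to a single `python -c` invocation; the role component's Makefile in this commit has the same construct.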
@@ -1,11 +1,12 @@
 locals {
- account = yamldecode(
- file("${path.root}/../../config/accounts/dev.yaml")
- )
+ config_files = length(var.config_files) > 0 ? var.config_files : [
+ abspath("${path.root}/../../../../../config/xzerolab/sit/aws-cloud/account/accounts.yaml"),
+ abspath("${path.root}/../../../../../config/xzerolab/sit/aws-cloud/resources/vpc.yaml"),
+ ]
- vpc_conf = yamldecode(
- file("${path.root}/../../config/resources/vpc/dev.yaml")
- )
+ account = yamldecode(file(local.config_files[0]))
+
+ vpc_conf = yamldecode(file(local.config_files[1]))
 }
 module "vpc" {
diff --git a/iac-template/terraform-hcl-standard/aws-cloud/component/vpc/variables.tf b/iac-template/terraform-hcl-standard/aws-cloud/component/vpc/variables.tf
new file mode 100644
index 00000000..f45de8e9
--- /dev/null
+++ b/iac-template/terraform-hcl-standard/aws-cloud/component/vpc/variables.tf
@@ -0,0 +1,5 @@
+variable "config_files" {
+ description = "Ordered list of config files: [account_config, vpc_config]."
+ type = list(string)
+ default = []
+}
diff --git a/iac-template/terraform-hcl-standard/utils/config_loader.py b/iac-template/terraform-hcl-standard/utils/config_loader.py
index 48e12cf7..44216b98 100644
--- a/iac-template/terraform-hcl-standard/utils/config_loader.py
+++ b/iac-template/terraform-hcl-standard/utils/config_loader.py
@@ -2,6 +2,11 @@ from __future__ import annotations
 """Compatibility shim that re-exports config helpers from render_provider_backend."""
+from pathlib import Path
+from typing import Tuple
+
+import yaml
+
 from render_provider_backend import ( # noqa: F401
 deep_merge,
 load_merged_config,
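Review bot: `local.config_files[1]` assumes the caller supplied at least two entries, but a `TF_VAR_config_files` with a single path, the natural mistake given the role component takes exactly one, fails at plan time with Terraform's generic invalid-index error rather than saying what was expected. A `validation` block on `var.config_files` requiring either zero or at least two entries, with a message naming `[account_config, vpc_config]`, would reject that before either file is read. As in the role component, the empty-list fallback silently targets the `sit` account and `sit` VPC config; consider whether a bare `make apply` should really default to a live environment, and if so say so in a comment on the fallback. `module "vpc" {` continues outside the hunk.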
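Review bot: The description documents an ordering contract (`[account_config, vpc_config]`) that the variable does not enforce; `main.tf` in this commit indexes `[1]`, so a one-element list fails with an opaque index error instead of a message naming the expected shape. Two `validation` blocks cover that and also refuse empty strings, so a stray blank line in `CONFIG_FILES` is caught here rather than inside `file()`.
```hcl
variable "config_files" {
  # … unchanged: description, type, default …

  validation {
    condition     = length(var.config_files) == 0 || length(var.config_files) >= 2
    error_message = "config_files must be empty (use defaults) or list [account_config, vpc_config]."
  }

  validation {
    condition     = alltrue([for p in var.config_files : length(trimspace(p)) > 0])
    error_message = "config_files entries must be non-empty paths."
  }
}
```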
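Review bot: The module docstring just above the new imports still describes this file as a compatibility shim that only re-exports helpers, which stops being true once `load_account_credentials` is defined here; it should read along the lines of `"""Config helpers: re-exports from render_provider_backend plus AWS account credential loading."""`. Because the file already has `from __future__ import annotations`, `from typing import Tuple` is unnecessary and `tuple[str, str]` can be used directly in the annotation. `import yaml` also makes PyYAML a hard import-time dependency of this module; presumably `render_provider_backend` already requires it, but that is not visible in this hunk.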
@@ -10,6 +15,26 @@ from render_provider_backend import ( # noqa: F401
 __all__ = [
 "deep_merge",
+ "load_account_credentials",
 "load_merged_config",
 "load_provider_backend_config",
 ]
+
+
+def load_account_credentials(account_file: str | Path) -> Tuple[str, str]:
+ """Load AWS region and role from an account YAML file."""
+
+ path = Path(account_file).expanduser()
+ if not path.exists():
+ raise FileNotFoundError(f"Account config file not found: {path}")
+
+ with path.open("r", encoding="utf-8") as handle:
+ cfg = yaml.safe_load(handle) or {}
+
+ try:
+ region = cfg["region"]
+ role_arn = cfg["role_to_assume"]
+ except KeyError as exc: # noqa: PERF203
+ raise KeyError(f"Missing required key in account config: {exc.args[0]}") from exc
+
+ return region, role_arn
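Review bot: `load_account_credentials` returns whatever the YAML holds under `region` and `role_to_assume` without checking shape or content, and the workflow step in this commit writes both straight into `GITHUB_ENV` for `configure-aws-credentials` to assume: a non-mapping document raises `TypeError` on `cfg["region"]`, a `null` or integer value is returned as-is, and a value with an embedded newline becomes an arbitrary extra environment variable in later steps. Checking that `cfg` is a mapping and that both values match the expected formats (`<partition>-<area>-<n>` for the region, `arn:<partition>:iam::<12-digit account>:role/<name>` for the ARN) turns all of those into a clear `ValueError` at load time; the patterns below need `import re` at the top of the file. The `# noqa: PERF203` on the `except` is not needed, since that rule concerns `try`/`except` inside a loop.
```python
_REGION_RE = re.compile(r"^[a-z]{2}(?:-gov)?-[a-z]+-\d$")
_ROLE_ARN_RE = re.compile(r"^arn:aws(?:-[a-z-]+)?:iam::\d{12}:role/[\w+=,.@/-]+$")


def load_account_credentials(account_file: str | Path) -> Tuple[str, str]:
    # … unchanged: docstring, path existence check, yaml.safe_load …
    if not isinstance(cfg, dict):
        raise ValueError(f"Account config must be a mapping: {path}")

    # … unchanged: KeyError handling for the two required keys …
    if not isinstance(region, str) or not _REGION_RE.fullmatch(region):
        raise ValueError(f"Invalid AWS region in {path}: {region!r}")
    if not isinstance(role_arn, str) or not _ROLE_ARN_RE.fullmatch(role_arn):
        raise ValueError(f"Invalid IAM role ARN in {path}: {role_arn!r}")

    return region, role_arn
```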