diff --git a/.github/workflows/iac-pipeline-aws-global-account-matrix.yaml b/.github/workflows/iac-pipeline-mutli-cloud-account-matrix.yaml
similarity index 100%
rename from .github/workflows/iac-pipeline-aws-global-account-matrix.yaml
rename to .github/workflows/iac-pipeline-mutli-cloud-account-matrix.yaml
diff --git a/.github/workflows/iac-pipeline-aws-global-bootstrap.yaml b/.github/workflows/iac-pipeline-mutli-cloud-bootstrap..yaml
similarity index 76%
rename from .github/workflows/iac-pipeline-aws-global-bootstrap.yaml
rename to .github/workflows/iac-pipeline-mutli-cloud-bootstrap..yaml
index 70d1c021..0bd1a2a5 100644
--- a/.github/workflows/iac-pipeline-aws-global-bootstrap.yaml
+++ b/.github/workflows/iac-pipeline-mutli-cloud-bootstrap..yaml
@@ -1,4 +1,4 @@
-name: AWS Cloud Account Bootstrap
+name: Multi Cloud Account Bootstrap
 concurrency: group: terraform-bootstrap-${{ github.ref }}
@@ -8,14 +8,18 @@ on:
 push: pull_request: paths:
- - '.github/workflows/iac-pipeline-aws-global-bootstrap.yaml'
- - 'terraform-hcl-standard/aws-cloud/bootstrap/**'
+ - '.github/workflows/iac-pipeline-mutli-cloud-bootstrap.yaml'
+ - 'terraform-hcl-standard/**'
 workflow_dispatch: inputs: deploy_action: type: choice options: [plan, apply, destroy] default: plan
+ bootstrap_cloud:
+ description: "Path to bootstrap cloud"
+ type: string
+ default: terraform-hcl-standard/aws-cloud/bootstrap
 gitops_repo_ref: description: "GitOps repo ref (branch/tag/sha) to use" type: string
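Review bot: The `paths:` entry added in this hunk, `'.github/workflows/iac-pipeline-mutli-cloud-bootstrap.yaml'`, does not match the file's own new path in the rename header, `iac-pipeline-mutli-cloud-bootstrap..yaml` (double dot), so pull requests that touch the workflow itself will no longer trigger it. The single-dot spelling in the filter looks like the intended name; renaming the file to match (and correcting `mutli` in the same pass, since the three sibling renames on this page carry the same typo) keeps the filter and the file in agreement. The new `bootstrap_cloud` input is a free-form `string` that becomes `TG_ROOT` and the directory the GitOps config is checked out into, and it only ever comes from whoever dispatches the run; declaring it as `type: choice` with `options:` listing the bootstrap roots that exist under `terraform-hcl-standard/` rejects typos and paths outside the expected trees at dispatch time instead of deep in the terragrunt run. The `on:` block continues past the end of the hunk.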
@@ -30,12 +34,12 @@ on:
 default: config/xzerolab/sit/aws-cloud/account/bootstrap.yaml env:
- TG_ROOT: terraform-hcl-standard/aws-cloud/bootstrap
- DEPLOY_ACTION: ${{ github.event.inputs.deploy_action || 'plan' }}
 TG_VERSION: 0.67.14
- GITOPS_REPO_ROOT: gitops
- GITOPS_BOOTSTRAP_CONFIG: ${{ github.event.inputs.gitops_bootstrap_config || 'config/xzerolab/sit/aws-cloud/account/bootstrap.yaml' }}
- BOOTSTRAP_CONFIG_PATH: terraform-hcl-standard/aws-cloud/bootstrap/gitops/${{ github.event.inputs.gitops_bootstrap_config || 'config/xzerolab/sit/aws-cloud/account/bootstrap.yaml' }}
+ TG_ROOT: ${{ github.event.inputs.bootstrap_cloud }}
+ GITOPS_REPO: ${{ github.event.inputs.gitops_repo_name }}
+ DEPLOY_ACTION: ${{ github.event.inputs.deploy_action || 'plan' }}
+ BOOTSTRAP_CONFIG_FILE: ${{ github.event.inputs.gitops_bootstrap_config }}
+ BOOTSTRAP_CONFIG_PATH: terraform-hcl-standard/aws-cloud/bootstrap/gitops/${{ github.event.inputs.gitops_bootstrap_config }}
 jobs: bootstrap:
@@ -45,20 +49,11 @@ jobs:
 steps: - uses: actions/checkout@v4
- - name: Normalize GitOps repo
- id: gitops_repo
- shell: bash
- run: |
- repo_input="${{ github.event.inputs.gitops_repo_name || 'https://github.com/cloud-neutral-workshop/gitops.git' }}"
- repo="${repo_input#https://github.com/}"
- repo="${repo%.git}"
- echo "repo=$repo" >> "$GITHUB_OUTPUT"
-
 - name: Checkout GitOps config uses: actions/checkout@v4 with:
- repository: ${{ steps.gitops_repo.outputs.repo }}
- path: ${{ env.GITOPS_REPO_ROOT }}
+ path: ${{ env.TG_ROOT }}/gitops
+ repository: ${{ env.GITOPS_REPO }}
 ref: ${{ github.event.inputs.gitops_repo_ref || 'main' }} - name: Document Bootstrap Scope
@@ -90,8 +85,6 @@ jobs:
 - name: Force Destroy Bootstrap Resources if: env.DEPLOY_ACTION == 'destroy'
- env:
- CONFIG_PATH: terraform-hcl-standard/aws-cloud/config/accounts/bootstrap.yaml
 run: | ./scripts/aws-bootstrap-force-destroy.sh
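Review bot: `TG_ROOT`, `GITOPS_REPO` and `BOOTSTRAP_CONFIG_FILE` in the `env:` hunk read `github.event.inputs.*` with no `||` fallback, but the workflow still runs on `push` and `pull_request`, where those inputs are empty: on such runs `TG_ROOT` is the empty string, the `Checkout GitOps config` step in the next hunk resolves `path:` to `/gitops` and `repository:` to an empty value, and `BOOTSTRAP_CONFIG_PATH` ends in `gitops/`. The deleted `Normalize GitOps repo` step also reduced an `https://github.com/…/….git` value to `owner/repo` before it reached `repository:`; the raw input is now handed to actions/checkout verbatim, so if the input's own default (declared outside this hunk) is still the URL form, the checkout fails on dispatch as well. `BOOTSTRAP_CONFIG_PATH` keeps the hard-coded `terraform-hcl-standard/aws-cloud/bootstrap/gitops/` prefix while `TG_ROOT` became a parameter, so for any non-AWS `bootstrap_cloud` it points at a tree the config was never checked out into. Because the checked-out repository's contents drive a terragrunt run that holds cloud credentials, it is also worth keeping a normalize step that rejects anything outside the expected organisation rather than trusting the input as given. Restoring the previous defaults inline (the `owner/repo` form of the URL the removed step fell back to) and deriving the config path from the same input — a top-level `env:` block cannot reference `env.TG_ROOT`, so the expression is repeated — covers the first three points:

```yaml
env:
  # … unchanged: TG_VERSION, DEPLOY_ACTION …
  TG_ROOT: ${{ github.event.inputs.bootstrap_cloud || 'terraform-hcl-standard/aws-cloud/bootstrap' }}
  GITOPS_REPO: ${{ github.event.inputs.gitops_repo_name || 'cloud-neutral-workshop/gitops' }}
  BOOTSTRAP_CONFIG_FILE: ${{ github.event.inputs.gitops_bootstrap_config || 'config/xzerolab/sit/aws-cloud/account/bootstrap.yaml' }}
  BOOTSTRAP_CONFIG_PATH: ${{ github.event.inputs.bootstrap_cloud || 'terraform-hcl-standard/aws-cloud/bootstrap' }}/gitops/${{ github.event.inputs.gitops_bootstrap_config || 'config/xzerolab/sit/aws-cloud/account/bootstrap.yaml' }}
```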
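Review bot: Removing the step-level `env:` from `Force Destroy Bootstrap Resources` leaves `./scripts/aws-bootstrap-force-destroy.sh` without `CONFIG_PATH`, and nothing in the hunk hands it `BOOTSTRAP_CONFIG_PATH` instead; if the script (not on this page) still reads `CONFIG_PATH`, a `destroy` dispatch now runs it with that variable unset. The script and the dropped config file are AWS-specific while the step now runs for whatever `bootstrap_cloud` was supplied, so it should additionally be scoped to that tree, e.g. `if: env.DEPLOY_ACTION == 'destroy' && startsWith(env.TG_ROOT, 'terraform-hcl-standard/aws-cloud')`, so an AWS force-destroy is never invoked against another cloud's bootstrap. The enclosing `bootstrap` job starts and ends outside the hunk.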
diff --git a/.github/workflows/iac-pipeline-aws-global-landingzone-baseline.yaml b/.github/workflows/iac-pipeline-mutli-cloud-landingzone-baseline.yaml
similarity index 100%
rename from .github/workflows/iac-pipeline-aws-global-landingzone-baseline.yaml
rename to .github/workflows/iac-pipeline-mutli-cloud-landingzone-baseline.yaml
diff --git a/.github/workflows/iac-pipeline-aws-global-resources-matrix.yaml b/.github/workflows/iac-pipeline-mutli-cloud-resources-matrix.yaml
similarity index 100%
rename from .github/workflows/iac-pipeline-aws-global-resources-matrix.yaml
rename to .github/workflows/iac-pipeline-mutli-cloud-resources-matrix.yaml
diff --git a/.github/workflows/terraform-standard-iac-pipeline-alicloud-account-matrix.yaml b/.github/workflows/terraform-standard-iac-pipeline-alicloud-account-matrix.yaml
deleted file mode 100644
index 57423b3e..00000000
--- a/.github/workflows/terraform-standard-iac-pipeline-alicloud-account-matrix.yaml
+++ /dev/null
@@ -1,69 +0,0 @@ -name: IAC Pipeline Alicloud Account/VPC Matrix - -on: - push: - paths: - - 'terraform-hcl-standard/ali-cloud/modules/vpc/**' - - 'terraform-hcl-standard/ali-cloud/modules/ram/**' - - 'terraform-hcl-standard/ali-cloud/envs/dev/**' - - '.github/workflows/terraform-standard-iac-pipeline-alicloud-account-matrix.yaml' - workflow_dispatch: - inputs: - dry_run: - type: choice - options: ['true', 'false'] - default: 'true' - -env: - BASE_DIR: terraform-hcl-standard/ali-cloud/envs - DRY_RUN: ${{ github.event.inputs.dry_run || 'true' }} - ALICLOUD_REGION: ${{ secrets.ALICLOUD_REGION }} - -jobs: - terraform: - name: "${{ matrix.env }} :: pipeline (dry_run=${{ inputs.dry_run }})" - runs-on: ubuntu-latest - - strategy: - fail-fast: false - matrix: - env: [dev] - - steps: - - uses: actions/checkout@v4 - - - uses: hashicorp/setup-terraform@v3 - with: - terraform_version: 1.9.5 - - - uses: terraform-linters/setup-tflint@v4 - with: - tflint_version: v0.51.0 - - - name: Export Alicloud credentials - run: | - { - echo "ALICLOUD_ACCESS_KEY=${{ secrets.ALICLOUD_ACCESS_KEY }}" - echo "ALICLOUD_SECRET_KEY=${{ secrets.ALICLOUD_SECRET_KEY }}" - echo "ALICLOUD_REGION=${ALICLOUD_REGION:-cn-hangzhou}" - echo "TF_VAR_rds_password=${{ secrets.ALICLOUD_RDS_PASSWORD }}" - echo "TF_VAR_redis_password=${{ secrets.ALICLOUD_REDIS_PASSWORD }}" - } >> "$GITHUB_ENV" - - - name: Init - run: terraform -chdir=${{ env.BASE_DIR }}/${{ matrix.env }} init -upgrade - - - name: Plan - run: terraform -chdir=${{ env.BASE_DIR }}/${{ matrix.env }} plan - - - name: Apply - if: ${{ env.DRY_RUN == 'false' }} - run: terraform -chdir=${{ env.BASE_DIR }}/${{ matrix.env }} apply -auto-approve - - - name: Skip Apply (dry-run) - if: ${{ env.DRY_RUN == 'true' }} - run: echo "Dry run enabled โ†’ skip apply step." - - - name: Output - if: ${{ env.DRY_RUN == 'false' }} - run: terraform -chdir=${{ env.BASE_DIR }}/${{ matrix.env }} output -json 
diff --git a/.github/workflows/terraform-standard-iac-pipeline-alicloud-bootstrap.yaml b/.github/workflows/terraform-standard-iac-pipeline-alicloud-bootstrap.yaml
deleted file mode 100644
index ee6a8ee4..00000000
--- a/.github/workflows/terraform-standard-iac-pipeline-alicloud-bootstrap.yaml
+++ /dev/null
@@ -1,118 +0,0 @@ -name: Alicloud Account Bootstrap - -concurrency: - group: terraform-alicloud-bootstrap-${{ github.ref }} - cancel-in-progress: false - -on: - push: - paths: - - 'terraform-hcl-standard/ali-cloud/bootstrap/**' - - '.github/workflows/terraform-standard-iac-pipeline-alicloud-bootstrap.yaml' - pull_request: - workflow_dispatch: - inputs: - deploy_action: - type: choice - options: [plan, apply, destroy] - default: plan - -env: - TF_WORKDIR: terraform-hcl-standard/ali-cloud/bootstrap - DEPLOY_ACTION: ${{ github.event.inputs.deploy_action || 'plan' }} - ALICLOUD_REGION: ${{ secrets.ALICLOUD_REGION }} - -jobs: - bootstrap: - name: "Bootstrap ${{ matrix.target }}" - runs-on: ubuntu-latest - - strategy: - matrix: - target: [state, lock, identity] - - steps: - - uses: actions/checkout@v4 - - - name: Document Bootstrap Scope (Alicloud) - run: | - cat <<'SUMMARY' >> "$GITHUB_STEP_SUMMARY" - ## Alicloud bootstrap scope - - state: provision OSS bucket for remote state storage - - lock: create Table Store instance/table for Terraform state locking - - identity: provision RAM role/user plus access keys for automation - - Resource names and defaults follow terraform-hcl-standard/ali-cloud/bootstrap. 
- SUMMARY - - - uses: hashicorp/setup-terraform@v3 - with: - terraform_version: 1.9.5 - - - name: Export Alicloud credentials and variables - run: | - { - echo "ALICLOUD_ACCESS_KEY=${{ secrets.ALICLOUD_ACCESS_KEY }}" - echo "ALICLOUD_SECRET_KEY=${{ secrets.ALICLOUD_SECRET_KEY }}" - echo "ALICLOUD_REGION=${ALICLOUD_REGION:-cn-hangzhou}" - echo "TF_VAR_state_bucket=${{ secrets.ALICLOUD_STATE_BUCKET }}" - echo "TF_VAR_account_id=${{ secrets.ALICLOUD_ACCOUNT_ID }}" - } >> "$GITHUB_ENV" - - - name: Terraform Init - run: terraform -chdir=${{ env.TF_WORKDIR }}/${{ matrix.target }} init -upgrade - - - name: Terraform Plan - if: env.DEPLOY_ACTION == 'plan' - run: terraform -chdir=${{ env.TF_WORKDIR }}/${{ matrix.target }} plan -no-color - - - name: Terraform Apply - if: env.DEPLOY_ACTION == 'apply' - run: terraform -chdir=${{ env.TF_WORKDIR }}/${{ matrix.target }} apply -auto-approve - - - name: Terraform Destroy - if: env.DEPLOY_ACTION == 'destroy' - run: terraform -chdir=${{ env.TF_WORKDIR }}/${{ matrix.target }} destroy -auto-approve - - - name: Save Outputs - if: env.DEPLOY_ACTION == 'apply' - run: terraform -chdir=${{ env.TF_WORKDIR }}/${{ matrix.target }} output -json > ../outputs_${{ matrix.target }}.json - - - uses: actions/upload-artifact@v4 - if: env.DEPLOY_ACTION == 'apply' - with: - name: outputs-${{ matrix.target }} - path: terraform-hcl-standard/ali-cloud/outputs_${{ matrix.target }}.json - retention-days: 30 - - aggregate: - name: "Aggregate Bootstrap Outputs" - runs-on: ubuntu-latest - needs: bootstrap - - if: ${{ github.event.inputs.deploy_action == 'apply' }} - - steps: - - uses: actions/download-artifact@v4 - with: - path: ./outputs - - - name: Merge Outputs - run: | - shopt -s globstar nullglob - echo "{" > final_bootstrap_outputs.json - f=true - for x in outputs/**/outputs_*.json; do - k=$(basename "$x" .json | sed 's/outputs_//') - value=$(cat "$x") - [ "$f" = true ] && f=false || echo "," >> final_bootstrap_outputs.json - echo "\"$k\": $value" >> 
final_bootstrap_outputs.json - done - echo "}" >> final_bootstrap_outputs.json - - - run: cat final_bootstrap_outputs.json - - - uses: actions/upload-artifact@v4 - with: - name: alicloud-bootstrap-final-output - path: final_bootstrap_outputs.json diff --git a/.github/workflows/terraform-standard-iac-pipeline-alicloud-landingzone-baseline.yaml b/.github/workflows/terraform-standard-iac-pipeline-alicloud-landingzone-baseline.yaml deleted file mode 100644 index f58a0c2e..00000000 --- a/.github/workflows/terraform-standard-iac-pipeline-alicloud-landingzone-baseline.yaml +++ /dev/null 
@@ -1,106 +0,0 @@ -name: Alicloud LandingZone Baseline - -on: - push: - paths: - - 'terraform-hcl-standard/ali-cloud/**' - - '.github/workflows/terraform-standard-iac-pipeline-alicloud-landingzone-baseline.yaml' - pull_request: - branches: [main] - workflow_dispatch: - inputs: - deploy_action: - description: "Deployment action" - type: choice - options: [plan, apply, destroy] - default: plan - deploy_dry_run: - description: "Dry-run mode" - type: choice - options: ['true', 'false'] - default: 'true' - -env: - TF_WORKDIR: terraform-hcl-standard/ali-cloud - DEPLOY_ACTION: ${{ github.event.inputs.deploy_action || 'plan' }} - ALICLOUD_REGION: ${{ secrets.ALICLOUD_REGION }} - -jobs: - landingzone: - name: "Deploy LandingZone Baseline" - runs-on: ubuntu-latest - - steps: - - uses: actions/checkout@v4 - - - uses: hashicorp/setup-terraform@v3 - with: - terraform_version: 1.9.5 - - - name: Export Alicloud credentials - run: | - { - echo "ALICLOUD_ACCESS_KEY=${{ secrets.ALICLOUD_ACCESS_KEY }}" - echo "ALICLOUD_SECRET_KEY=${{ secrets.ALICLOUD_SECRET_KEY }}" - echo "ALICLOUD_REGION=${ALICLOUD_REGION:-cn-hangzhou}" - echo "TF_VAR_rds_password=${{ secrets.ALICLOUD_RDS_PASSWORD }}" - echo "TF_VAR_redis_password=${{ secrets.ALICLOUD_REDIS_PASSWORD }}" - } >> "$GITHUB_ENV" - - - name: Terraform Init (LandingZone) - working-directory: ${{ env.TF_WORKDIR }}/envs/dev - run: terraform init -upgrade - - - name: Terraform Plan (LandingZone) - id: tfplan - if: env.DEPLOY_ACTION == 'plan' - working-directory: ${{ env.TF_WORKDIR }}/envs/dev - run: terraform plan -no-color > plan_output.txt - - - name: Upload LandingZone Plan Artifact - uses: actions/upload-artifact@v4 - with: - name: alicloud-landingzone-plan - path: ${{ env.TF_WORKDIR }}/envs/dev/plan_output.txt - - - name: Terraform Apply (LandingZone) - if: env.DEPLOY_ACTION == 'apply' - working-directory: ${{ env.TF_WORKDIR }}/envs/dev - run: terraform apply -auto-approve - - - name: Terraform Destroy (LandingZone) - if: 
env.DEPLOY_ACTION == 'destroy' - working-directory: ${{ env.TF_WORKDIR }}/envs/dev - run: terraform destroy -auto-approve - - validation: - name: "Validate LandingZone Baseline" - needs: landingzone - runs-on: ubuntu-latest - - steps: - - uses: actions/checkout@v4 - - - name: Run Validation Checks - run: | - echo "โš™๏ธ Running LandingZone baseline validation..." - chmod +x scripts/validation/validate-landingzone.sh - scripts/validation/validate-landingzone.sh \ - ${{ env.TF_WORKDIR }}/envs/dev - - delivery: - name: "Delivery: Notify Rollout" - needs: validation - runs-on: ubuntu-latest - - steps: - - uses: actions/checkout@v4 - - - name: Notify - env: - SMTP_PASSWORD: ${{ secrets.SMTP_PASSWORD }} - SMTP_USERNAME: "manbuzhe2009@qq.com" - run: | - echo "๐Ÿ“ฃ Sending Alicloud LandingZone rollout notification..." - chmod +x scripts/notifications/notify-landingzone.sh - ./scripts/notifications/notify-landingzone.sh diff --git a/.github/workflows/terraform-standard-iac-pipeline-alicloud-resources-matrix.yaml b/.github/workflows/terraform-standard-iac-pipeline-alicloud-resources-matrix.yaml deleted file mode 100644 index 75f4e251..00000000 --- a/.github/workflows/terraform-standard-iac-pipeline-alicloud-resources-matrix.yaml +++ /dev/null 
@@ -1,68 +0,0 @@ -name: IAC Pipeline Alicloud Resources Matrix - -on: - push: - paths: - - 'terraform-hcl-standard/ali-cloud/modules/**' - - 'terraform-hcl-standard/ali-cloud/envs/dev/**' - - '.github/workflows/terraform-standard-iac-pipeline-alicloud-resources-matrix.yaml' - workflow_dispatch: - inputs: - dry_run: - type: choice - options: ['true', 'false'] - default: 'true' - -env: - BASE_DIR: terraform-hcl-standard/ali-cloud/envs - DRY_RUN: ${{ github.event.inputs.dry_run || 'true' }} - ALICLOUD_REGION: ${{ secrets.ALICLOUD_REGION }} - -jobs: - terraform: - name: "${{ matrix.env }} :: resources (dry_run=${{ inputs.dry_run }})" - runs-on: ubuntu-latest - - strategy: - fail-fast: false - matrix: - env: [dev] - - steps: - - uses: actions/checkout@v4 - - - uses: hashicorp/setup-terraform@v3 - with: - terraform_version: 1.9.5 - - - uses: terraform-linters/setup-tflint@v4 - with: - tflint_version: v0.51.0 - - - name: Export Alicloud credentials - run: | - { - echo "ALICLOUD_ACCESS_KEY=${{ secrets.ALICLOUD_ACCESS_KEY }}" - echo "ALICLOUD_SECRET_KEY=${{ secrets.ALICLOUD_SECRET_KEY }}" - echo "ALICLOUD_REGION=${ALICLOUD_REGION:-cn-hangzhou}" - echo "TF_VAR_rds_password=${{ secrets.ALICLOUD_RDS_PASSWORD }}" - echo "TF_VAR_redis_password=${{ secrets.ALICLOUD_REDIS_PASSWORD }}" - } >> "$GITHUB_ENV" - - - name: Init - run: terraform -chdir=${{ env.BASE_DIR }}/${{ matrix.env }} init -upgrade - - - name: Plan - run: terraform -chdir=${{ env.BASE_DIR }}/${{ matrix.env }} plan - - - name: Apply - if: ${{ env.DRY_RUN == 'false' }} - run: terraform -chdir=${{ env.BASE_DIR }}/${{ matrix.env }} apply -auto-approve - - - name: Skip Apply (dry-run) - if: ${{ env.DRY_RUN == 'true' }} - run: echo "Dry run enabled โ†’ skip apply step." - - - name: Output - if: ${{ env.DRY_RUN == 'false' }} - run: terraform -chdir=${{ env.BASE_DIR }}/${{ matrix.env }} output -json 
diff --git a/.github/workflows/terraform-standard-iac-pipeline-gcp-account-matrix.yaml b/.github/workflows/terraform-standard-iac-pipeline-gcp-account-matrix.yaml
deleted file mode 100644
index 994ce1c0..00000000
--- a/.github/workflows/terraform-standard-iac-pipeline-gcp-account-matrix.yaml
+++ /dev/null
@@ -1,77 +0,0 @@ -name: IAC Pipeline GCP (Account/Project Matrix) - -on: - push: - paths: - - 'terraform-hcl-standard/gcp-cloud/envs/dev-vpc/**' - - 'terraform-hcl-standard/gcp-cloud/envs/dev-role/**' - - '.github/workflows/terraform-standard-iac-pipeline-gcp-account-matrix.yaml' - workflow_dispatch: - inputs: - dry_run: - type: choice - options: ['true', 'false'] - default: 'true' - -env: - BASE_DIR: terraform-hcl-standard/gcp-cloud/envs - GCP_PROJECT_ID: ${{ secrets.GCP_PROJECT_ID }} - DRY_RUN: ${{ github.event.inputs.dry_run || 'true' }} - -jobs: - terraform: - name: "${{ matrix.env }} :: pipeline (dry_run=${{ inputs.dry_run }})" - runs-on: ubuntu-latest - - strategy: - fail-fast: false - matrix: - env: - - dev-vpc - - dev-role - - steps: - - uses: actions/checkout@v4 - - - uses: hashicorp/setup-terraform@v3 - with: - terraform_version: 1.9.5 - - - uses: terraform-linters/setup-tflint@v4 - with: - tflint_version: v0.51.0 - - - name: Authenticate to GCP - uses: google-github-actions/auth@v2 - with: - credentials_json: ${{ secrets.GCP_TERRAFORM_CREDENTIALS }} - project_id: ${{ env.GCP_PROJECT_ID }} - export_environment_variables: true - create_credentials_file: true - - - name: Set up gcloud CLI - uses: google-github-actions/setup-gcloud@v2 - with: - project_id: ${{ env.GCP_PROJECT_ID }} - - - name: Init - working-directory: ${{ env.BASE_DIR }}/${{ matrix.env }} - run: make init - - - name: Plan - working-directory: ${{ env.BASE_DIR }}/${{ matrix.env }} - run: make plan - - - name: Apply - working-directory: ${{ env.BASE_DIR }}/${{ matrix.env }} - if: ${{ env.DRY_RUN == 'false' }} - run: make apply - - - name: Skip Apply (dry-run) - if: ${{ env.DRY_RUN == 'true' }} - run: echo "Dry run enabled โ†’ skip apply step." - - - name: Output - working-directory: ${{ env.BASE_DIR }}/${{ matrix.env }} - if: ${{ env.DRY_RUN == 'false' }} - run: terraform output -json 
diff --git a/.github/workflows/terraform-standard-iac-pipeline-gcp-global-bootstrap.yaml b/.github/workflows/terraform-standard-iac-pipeline-gcp-global-bootstrap.yaml
deleted file mode 100644
index b5eab163..00000000
--- a/.github/workflows/terraform-standard-iac-pipeline-gcp-global-bootstrap.yaml
+++ /dev/null
@@ -1,194 +0,0 @@ -name: GCP Cloud Bootstrap - -concurrency: - group: terraform-bootstrap-gcp-${{ github.ref }} - cancel-in-progress: false - -on: - push: - paths: - - 'terraform-hcl-standard/gcp-cloud/bootstrap-gcs/**' - - 'terraform-hcl-standard/gcp-cloud/bootstrap-iam/**' - - '.github/workflows/terraform-standard-iac-pipeline-gcp-global-bootstrap.yaml' - pull_request: - workflow_dispatch: - inputs: - deploy_action: - type: choice - options: [plan, apply, destroy] - default: plan - -env: - TF_WORKDIR: terraform-hcl-standard/gcp-cloud - DEPLOY_ACTION: ${{ github.event.inputs.deploy_action || 'plan' }} - -jobs: - bootstrap: - name: "Bootstrap Modules" - runs-on: ubuntu-latest - - strategy: - matrix: - target: [bootstrap-gcs, bootstrap-iam] - - steps: - - uses: actions/checkout@v4 - - - name: Document Bootstrap Scope - run: | - cat <<'SUMMARY' >> "$GITHUB_STEP_SUMMARY" - ## Bootstrap scope (GCP) - - Cloud Storage: create remote state bucket (versioned + uniform access + generation-based locking) - - IAM: create Terraform bootstrap service account and bind elevated roles - - Resource names and locations follow terraform-hcl-standard/gcp-cloud/config/accounts/bootstrap.yaml. 
- SUMMARY - - - uses: hashicorp/setup-terraform@v3 - with: - terraform_version: 1.9.5 - - - name: Restore Terraform state - uses: actions/download-artifact@v4 - continue-on-error: true - with: - name: tfstate-${{ matrix.target }} - path: ${{ env.TF_WORKDIR }}/${{ matrix.target }} - - - name: Load bootstrap config - run: | - python -m pip install --quiet pyyaml - python - <<'PY' - import json - import yaml - import os - from pathlib import Path - - cfg_path = Path("terraform-hcl-standard/gcp-cloud/config/accounts/bootstrap.yaml") - cfg = yaml.safe_load(cfg_path.read_text()) - - env_path = Path(os.environ["GITHUB_ENV"]) - current_env = env_path.read_text() if env_path.exists() else "" - env_path.write_text( - current_env - + f"BOOTSTRAP_PROJECT_ID={cfg['project_id']}\n" - + f"BOOTSTRAP_BUCKET_NAME={cfg['state']['bucket_name']}\n" - + f"BOOTSTRAP_BUCKET_LOCATION={cfg['state'].get('bucket_location', 'US')}\n" - + f"BOOTSTRAP_SA_ID={cfg['iam'].get('service_account_id', 'terraform-bootstrap')}\n" - + f"BOOTSTRAP_SA_ROLES={json.dumps(cfg['iam'].get('service_account_roles', []))}\n" - ) - PY - - - name: Authenticate to GCP - uses: google-github-actions/auth@v2 - with: - credentials_json: ${{ secrets.GCP_BOOTSTRAP_CREDENTIALS }} - project_id: ${{ env.BOOTSTRAP_PROJECT_ID }} - create_credentials_file: true - export_environment_variables: true - - - name: Set up gcloud CLI - uses: google-github-actions/setup-gcloud@v2 - with: - project_id: ${{ env.BOOTSTRAP_PROJECT_ID }} - - - name: Render Terraform variables - if: env.DEPLOY_ACTION != 'destroy' - working-directory: ${{ env.TF_WORKDIR }}/${{ matrix.target }} - run: | - cat > bootstrap.auto.tfvars <> bootstrap.auto.tfvars <> bootstrap.auto.tfvars </dev/null 2>&1; then - gcloud storage rm --recursive "gs://${BOOTSTRAP_BUCKET_NAME}" || true - gcloud storage buckets delete "gs://${BOOTSTRAP_BUCKET_NAME}" --quiet || true - else - echo "Bucket gs://${BOOTSTRAP_BUCKET_NAME} does not exist; skipping deletion." 
- fi - elif [ "$TARGET" = "bootstrap-iam" ]; then - SA_EMAIL="${BOOTSTRAP_SA_ID}@${BOOTSTRAP_PROJECT_ID}.iam.gserviceaccount.com" - if gcloud iam service-accounts describe "$SA_EMAIL" >/dev/null 2>&1; then - gcloud iam service-accounts delete "$SA_EMAIL" --quiet || true - else - echo "Service account $SA_EMAIL does not exist; skipping deletion." - fi - fi - - - name: Save Outputs - if: env.DEPLOY_ACTION == 'apply' - working-directory: ${{ env.TF_WORKDIR }}/${{ matrix.target }} - run: terraform output -json > ../../outputs_${{ matrix.target }}.json - - - uses: actions/upload-artifact@v4 - if: env.DEPLOY_ACTION == 'apply' - with: - name: outputs-${{ matrix.target }} - path: terraform-hcl-standard/gcp-cloud/outputs_${{ matrix.target }}.json - retention-days: 30 - - aggregate: - name: "Aggregate Bootstrap Outputs" - runs-on: ubuntu-latest - needs: bootstrap - - if: ${{ github.event.inputs.deploy_action == 'apply' }} - - steps: - - uses: actions/download-artifact@v4 - with: - path: ./outputs - - - name: Merge Outputs - run: | - echo "{" > final_bootstrap_outputs.json - f=true - for x in outputs/**/outputs_*.json; do - k=$(basename "$x" .json | sed 's/outputs_//') - [ "$f" = true ] && f=false || echo "," >> final_bootstrap_outputs.json - value=$(cat "$x") - echo "\"$k\": $value" >> final_bootstrap_outputs.json - done - echo "}" >> final_bootstrap_outputs.json - - - run: cat final_bootstrap_outputs.json - - - uses: actions/upload-artifact@v4 - with: - name: bootstrap-final-output - path: final_bootstrap_outputs.json diff --git a/.github/workflows/terraform-standard-iac-pipeline-gcp-global-landingzone-baseline.yaml b/.github/workflows/terraform-standard-iac-pipeline-gcp-global-landingzone-baseline.yaml deleted file mode 100644 index 8e9b0d10..00000000 --- a/.github/workflows/terraform-standard-iac-pipeline-gcp-global-landingzone-baseline.yaml +++ /dev/null 
@@ -1,121 +0,0 @@ -name: GCP Cloud LandingZone Baseline - -on: - push: - paths: - - 'terraform-hcl-standard/gcp-cloud/**' - - '.github/workflows/terraform-standard-iac-pipeline-gcp-global-landingzone-baseline.yaml' - pull_request: - branches: [main] - workflow_dispatch: - inputs: - deploy_action: - description: "Deployment action" - type: choice - options: [plan, apply, destroy] - default: plan - deploy_dry_run: - description: "Dry-run mode" - type: choice - options: ['true', 'false'] - default: 'true' - -env: - TF_WORKDIR: terraform-hcl-standard/gcp-cloud - DEPLOY_ACTION: ${{ github.event.inputs.deploy_action || 'plan' }} - - # ------------------------------- - # SMTP settings (ๆ˜Žๆ–‡ๅฏๆŽฅๅ—) - # ------------------------------- - SMTP_HOST: smtp.qq.com - SMTP_PORT: 465 - SMTP_FROM: "XControl Account " - SMTP_REPLY_TO: "no-reply@svc.plus" - TO_EMAIL: "manbuzhe2009@qq.com" - -jobs: - # ------------------------------------------------------- - # 1. Landing Zone Baseline Stage - # ------------------------------------------------------- - landingzone: - name: "Deploy LandingZone Baseline" - runs-on: ubuntu-latest - - steps: - - uses: actions/checkout@v4 - - - uses: hashicorp/setup-terraform@v3 - with: - terraform_version: 1.9.5 - - - name: Authenticate to GCP - uses: google-github-actions/auth@v2 - with: - credentials_json: ${{ secrets.GCP_TERRAFORM_CREDENTIALS }} - project_id: ${{ secrets.GCP_PROJECT_ID }} - export_environment_variables: true - create_credentials_file: true - - - name: Set up gcloud CLI - uses: google-github-actions/setup-gcloud@v2 - with: - project_id: ${{ secrets.GCP_PROJECT_ID }} - - - name: Terraform Init (LandingZone) - working-directory: ${{ env.TF_WORKDIR }}/envs/dev-landingzone - run: terraform init -upgrade - - - name: Terraform Plan (LandingZone) - id: tfplan - if: env.DEPLOY_ACTION == 'plan' - working-directory: ${{ env.TF_WORKDIR }}/envs/dev-landingzone - run: terraform plan -no-color > plan_output.txt - - - name: Upload LandingZone Plan 
Artifact - uses: actions/upload-artifact@v4 - with: - name: landingzone-plan - path: ${{ env.TF_WORKDIR }}/envs/dev-landingzone/plan_output.txt - - - name: Terraform Apply (LandingZone) - if: env.DEPLOY_ACTION == 'apply' - working-directory: ${{ env.TF_WORKDIR }}/envs/dev-landingzone - run: terraform apply -auto-approve - - # ------------------------------------------------------- - # 2. Validation Stage - # ------------------------------------------------------- - validation: - name: "Validate LandingZone Baseline" - needs: landingzone - runs-on: ubuntu-latest - - steps: - - uses: actions/checkout@v4 - - - name: Run Validation Checks - run: | - echo "โš™๏ธ Running LandingZone baseline validation..." - chmod +x scripts/validation/validate-landingzone.sh - scripts/validation/validate-landingzone.sh \ - ${{ env.TF_WORKDIR }}/envs/dev-landingzone - - # ------------------------------------------------------- - # 3. Delivery / Notification Stage - # ------------------------------------------------------- - delivery: - name: "Delivery: Notify Rollout" - needs: validation - runs-on: ubuntu-latest - - steps: - - uses: actions/checkout@v4 - - - name: Notify - env: - SMTP_PASSWORD: ${{ secrets.SMTP_PASSWORD }} # <-- ไป…ๅฏ†็ ไปŽ secret - SMTP_USERNAME: "manbuzhe2009@qq.com" - run: | - echo "๐Ÿ“ฃ Sending LandingZone rollout notification..." - chmod +x scripts/notifications/notify-landingzone.sh - ./scripts/notifications/notify-landingzone.sh diff --git a/.github/workflows/terraform-standard-iac-pipeline-gcp-resources-matrix.yaml b/.github/workflows/terraform-standard-iac-pipeline-gcp-resources-matrix.yaml deleted file mode 100644 index 6b472d4b..00000000 --- a/.github/workflows/terraform-standard-iac-pipeline-gcp-resources-matrix.yaml +++ /dev/null 
@@ -1,77 +0,0 @@ -name: IAC Pipeline GCP Resources Matrix - -on: - push: - paths: - - 'terraform-hcl-standard/gcp-cloud/envs/dev-object/**' - - 'terraform-hcl-standard/gcp-cloud/envs/dev-ec2/**' - - '.github/workflows/terraform-standard-iac-pipeline-gcp-resources-matrix.yaml' - workflow_dispatch: - inputs: - dry_run: - type: choice - options: ['true', 'false'] - default: 'true' - -env: - BASE_DIR: terraform-hcl-standard/gcp-cloud/envs - GCP_PROJECT_ID: ${{ secrets.GCP_PROJECT_ID }} - DRY_RUN: ${{ github.event.inputs.dry_run || 'true' }} - -jobs: - terraform: - name: "${{ matrix.env }} :: pipeline (dry_run=${{ inputs.dry_run }})" - runs-on: ubuntu-latest - - strategy: - fail-fast: false - matrix: - env: - - dev-object - - dev-ec2 - - steps: - - uses: actions/checkout@v4 - - - uses: hashicorp/setup-terraform@v3 - with: - terraform_version: 1.9.5 - - - uses: terraform-linters/setup-tflint@v4 - with: - tflint_version: v0.51.0 - - - name: Authenticate to GCP - uses: google-github-actions/auth@v2 - with: - credentials_json: ${{ secrets.GCP_TERRAFORM_CREDENTIALS }} - project_id: ${{ env.GCP_PROJECT_ID }} - export_environment_variables: true - create_credentials_file: true - - - name: Set up gcloud CLI - uses: google-github-actions/setup-gcloud@v2 - with: - project_id: ${{ env.GCP_PROJECT_ID }} - - - name: Init - working-directory: ${{ env.BASE_DIR }}/${{ matrix.env }} - run: make init - - - name: Plan - working-directory: ${{ env.BASE_DIR }}/${{ matrix.env }} - run: make plan - - - name: Apply - working-directory: ${{ env.BASE_DIR }}/${{ matrix.env }} - if: ${{ env.DRY_RUN == 'false' }} - run: make apply - - - name: Skip Apply (dry-run) - if: ${{ env.DRY_RUN == 'true' }} - run: echo "Dry run enabled โ†’ skip apply step." - - - name: Output - working-directory: ${{ env.BASE_DIR }}/${{ matrix.env }} - if: ${{ env.DRY_RUN == 'false' }} - run: terraform output -json 
diff --git a/.github/workflows/terraform-standard-iac-pipeline-vultr-account-matrix.yaml b/.github/workflows/terraform-standard-iac-pipeline-vultr-account-matrix.yaml deleted file mode 100644 index 2e4a65b5..00000000 --- a/.github/workflows/terraform-standard-iac-pipeline-vultr-account-matrix.yaml +++ /dev/null @@ -1,62 +0,0 @@ -name: IAC Pipeline Vultr VPS Account/VPC Matrix - -on: - push: - paths: - - 'terraform-hcl-standard/vultr-vps/modules/vpc/**' - - 'terraform-hcl-standard/vultr-vps/modules/iam/**' - - 'terraform-hcl-standard/vultr-vps/envs/dev/**' - - '.github/workflows/terraform-standard-iac-pipeline-vultr-account-matrix.yaml' - workflow_dispatch: - inputs: - dry_run: - type: choice - options: ['true', 'false'] - default: 'true' - -env: - BASE_DIR: terraform-hcl-standard/vultr-vps/envs - DRY_RUN: ${{ github.event.inputs.dry_run || 'true' }} - -jobs: - terraform: - name: "${{ matrix.env }} :: pipeline (dry_run=${{ inputs.dry_run }})" - runs-on: ubuntu-latest - - strategy: - fail-fast: false - matrix: - env: - - dev - - steps: - - uses: actions/checkout@v4 - - - uses: hashicorp/setup-terraform@v3 - with: - terraform_version: 1.9.5 - - - uses: terraform-linters/setup-tflint@v4 - with: - tflint_version: v0.51.0 - - - name: Export Vultr credentials - run: echo "TF_VAR_vultr_api_key=${{ secrets.VULTR_API_KEY }}" >> "$GITHUB_ENV" - - - name: Init - run: terraform -chdir=${{ env.BASE_DIR }}/${{ matrix.env }} init -upgrade - - - name: Plan - run: terraform -chdir=${{ env.BASE_DIR }}/${{ matrix.env }} plan - - - name: Apply - if: ${{ env.DRY_RUN == 'false' }} - run: terraform -chdir=${{ env.BASE_DIR }}/${{ matrix.env }} apply -auto-approve - - - name: Skip Apply (dry-run) - if: ${{ env.DRY_RUN == 'true' }} - run: echo "Dry run enabled โ†’ skip apply step." - - - name: Output - if: ${{ env.DRY_RUN == 'false' }} - run: terraform -chdir=${{ env.BASE_DIR }}/${{ matrix.env }} output -json 
diff --git a/.github/workflows/terraform-standard-iac-pipeline-vultr-global-bootstrap.yaml b/.github/workflows/terraform-standard-iac-pipeline-vultr-global-bootstrap.yaml deleted file mode 100644 index f669b03c..00000000 --- a/.github/workflows/terraform-standard-iac-pipeline-vultr-global-bootstrap.yaml +++ /dev/null @@ -1,51 +0,0 @@ -name: Vultr VPS Bootstrap - -concurrency: - group: terraform-vultr-bootstrap-${{ github.ref }} - cancel-in-progress: false - -on: - push: - paths: - - 'terraform-hcl-standard/vultr-vps/bootstrap-object-storage/**' - - 'terraform-hcl-standard/vultr-vps/bootstrap-iam/**' - - 'terraform-hcl-standard/vultr-vps/config/**' - - '.github/workflows/terraform-standard-iac-pipeline-vultr-global-bootstrap.yaml' - workflow_dispatch: - inputs: - deploy_action: - type: choice - options: [plan, apply, destroy] - default: plan - -env: - TF_ROOT: terraform-hcl-standard/vultr-vps - DEPLOY_ACTION: ${{ github.event.inputs.deploy_action || 'plan' }} - -jobs: - bootstrap: - name: "Bootstrap Vultr backend & provider" - runs-on: ubuntu-latest - - strategy: - matrix: - target: [bootstrap-object-storage, bootstrap-iam] - - steps: - - uses: actions/checkout@v4 - - - uses: hashicorp/setup-terraform@v3 - with: - terraform_version: 1.9.5 - - - name: Export Vultr API key - run: echo "TF_VAR_vultr_api_key=${{ secrets.VULTR_API_KEY }}" >> "$GITHUB_ENV" - - - name: Select Terraform workdir - run: echo "TF_WORKDIR=${TF_ROOT}/${{ matrix.target }}" >> "$GITHUB_ENV" - - - name: Terraform Init - run: terraform -chdir="$TF_WORKDIR" init - - - name: Terraform ${{ env.DEPLOY_ACTION }} - run: terraform -chdir="$TF_WORKDIR" "$DEPLOY_ACTION" -input=false diff --git a/.github/workflows/terraform-standard-iac-pipeline-vultr-global-landingzone-baseline.yaml b/.github/workflows/terraform-standard-iac-pipeline-vultr-global-landingzone-baseline.yaml deleted file mode 100644 index 144931d5..00000000 
--- a/.github/workflows/terraform-standard-iac-pipeline-vultr-global-landingzone-baseline.yaml +++ /dev/null @@ -1,56 +0,0 @@ -name: Vultr VPS LandingZone Baseline - -concurrency: - group: terraform-vultr-landingzone-${{ github.ref }} - cancel-in-progress: false - -on: - push: - paths: - - 'terraform-hcl-standard/vultr-vps/modules/vpc/**' - - 'terraform-hcl-standard/vultr-vps/config/**' - - '.github/workflows/terraform-standard-iac-pipeline-vultr-global-landingzone-baseline.yaml' - workflow_dispatch: - inputs: - deploy_action: - description: "Deployment action" - type: choice - options: [plan, apply, destroy] - default: plan - -env: - TF_ROOT: terraform-hcl-standard/vultr-vps/modules/vpc - DEPLOY_ACTION: ${{ github.event.inputs.deploy_action || 'plan' }} - -jobs: - landingzone: - name: "Baseline VPC + Firewall + SSH keys" - runs-on: ubuntu-latest - - steps: - - uses: actions/checkout@v4 - - - uses: hashicorp/setup-terraform@v3 - with: - terraform_version: 1.9.5 - - - name: Export Vultr API key - run: echo "TF_VAR_vultr_api_key=${{ secrets.VULTR_API_KEY }}" >> "$GITHUB_ENV" - - - name: Terraform Init - run: terraform -chdir="$TF_ROOT" init - - - name: Terraform ${{ env.DEPLOY_ACTION }} - run: terraform -chdir="$TF_ROOT" "$DEPLOY_ACTION" -input=false - - - name: Capture LandingZone outputs - if: env.DEPLOY_ACTION == 'apply' - run: terraform -chdir="$TF_ROOT" output -json > landingzone-baseline-outputs.json - - - name: Upload LandingZone outputs - if: env.DEPLOY_ACTION == 'apply' - uses: actions/upload-artifact@v4 - with: - name: vultr-landingzone-baseline-outputs - path: landingzone-baseline-outputs.json - retention-days: 7 diff --git a/.github/workflows/terraform-standard-iac-pipeline-vultr-global-resources-matrix.yaml b/.github/workflows/terraform-standard-iac-pipeline-vultr-global-resources-matrix.yaml deleted file mode 100644 index 3d76eced..00000000 --- a/.github/workflows/terraform-standard-iac-pipeline-vultr-global-resources-matrix.yaml +++ /dev/null 
@@ -1,74 +0,0 @@
-name: Vultr VPS Resources Matrix
-
-concurrency:
- group: terraform-vultr-resources-${{ github.ref }}
- cancel-in-progress: false
-
-on:
- push:
- paths:
- - 'terraform-hcl-standard/vultr-vps/envs/dev/**'
- - 'terraform-hcl-standard/vultr-vps/modules/compute/**'
- - 'terraform-hcl-standard/vultr-vps/modules/storage/**'
- - 'terraform-hcl-standard/vultr-vps/modules/data_store/**'
- - 'terraform-hcl-standard/vultr-vps/config/**'
- - '.github/workflows/terraform-standard-iac-pipeline-vultr-global-resources-matrix.yaml'
- workflow_dispatch:
- inputs:
- deploy_action:
- type: choice
- options: [plan, apply, destroy]
- default: plan
-
-env:
- TF_ROOT: terraform-hcl-standard/vultr-vps/envs
- DEPLOY_ACTION: ${{ github.event.inputs.deploy_action || 'plan' }}
-
-jobs:
- resources:
- name: "${{ matrix.environment }} :: ${{ matrix.region }} :: ${{ matrix.instance_type }}"
- runs-on: ubuntu-latest
-
- strategy:
- fail-fast: false
- matrix:
- environment: [dev]
- region: [ewr, lax, sin]
- instance_type: [cpu, gpu]
-
- steps:
- - uses: actions/checkout@v4
-
- - uses: hashicorp/setup-terraform@v3
- with:
- terraform_version: 1.9.5
-
- - name: Export Vultr API key
- run: echo "TF_VAR_vultr_api_key=${{ secrets.VULTR_API_KEY }}" >> "$GITHUB_ENV"
-
- - name: Select Terraform workdir
- run: echo "TF_WORKDIR=${TF_ROOT}/${{ matrix.environment }}" >> "$GITHUB_ENV"
-
- - name: Terraform Init
- env:
- TF_VAR_region: ${{ matrix.region }}
- TF_VAR_instance_type: ${{ matrix.instance_type }}
- run: terraform -chdir="$TF_WORKDIR" init
-
- - name: Terraform ${{ env.DEPLOY_ACTION }}
- env:
- TF_VAR_region: ${{ matrix.region }}
- TF_VAR_instance_type: ${{ matrix.instance_type }}
- run: terraform -chdir="$TF_WORKDIR" "$DEPLOY_ACTION" -input=false
-
- - name: Capture resource outputs
- if: env.DEPLOY_ACTION == 'apply'
- run: terraform -chdir="$TF_WORKDIR" output -json > vultr-resources-${{ matrix.environment }}-${{ matrix.region }}-${{ matrix.instance_type }}.json
-
- - name: Upload resource outputs
- if: env.DEPLOY_ACTION == 'apply'
- uses: actions/upload-artifact@v4
- with:
- name: vultr-resources-${{ matrix.environment }}-${{ matrix.region }}-${{ matrix.instance_type }}
- path: vultr-resources-${{ matrix.environment }}-${{ matrix.region }}-${{ matrix.instance_type }}.json
- retention-days: 7
diff --git a/.github/workflows/terraform-standard-iac-pipeline-vultr-resources-matrix.yaml b/.github/workflows/terraform-standard-iac-pipeline-vultr-resources-matrix.yaml
deleted file mode 100644
index da12a01d..00000000
--- a/.github/workflows/terraform-standard-iac-pipeline-vultr-resources-matrix.yaml
+++ /dev/null
@@ -1,63 +0,0 @@
-name: IAC Pipeline Vultr VPS Resources Matrix
-
-on:
- push:
- paths:
- - 'terraform-hcl-standard/vultr-vps/modules/compute/**'
- - 'terraform-hcl-standard/vultr-vps/modules/storage/**'
- - 'terraform-hcl-standard/vultr-vps/modules/data_store/**'
- - 'terraform-hcl-standard/vultr-vps/envs/dev/**'
- - '.github/workflows/terraform-standard-iac-pipeline-vultr-resources-matrix.yaml'
- workflow_dispatch:
- inputs:
- dry_run:
- type: choice
- options: ['true', 'false']
- default: 'true'
-
-env:
- BASE_DIR: terraform-hcl-standard/vultr-vps/envs
- DRY_RUN: ${{ github.event.inputs.dry_run || 'true' }}
-
-jobs:
- terraform:
- name: "${{ matrix.env }} :: pipeline (dry_run=${{ inputs.dry_run }})"
- runs-on: ubuntu-latest
-
- strategy:
- fail-fast: false
- matrix:
- env:
- - dev
-
- steps:
- - uses: actions/checkout@v4
-
- - uses: hashicorp/setup-terraform@v3
- with:
- terraform_version: 1.9.5
-
- - uses: terraform-linters/setup-tflint@v4
- with:
- tflint_version: v0.51.0
-
- - name: Export Vultr credentials
- run: echo "TF_VAR_vultr_api_key=${{ secrets.VULTR_API_KEY }}" >> "$GITHUB_ENV"
-
- - name: Init
- run: terraform -chdir=${{ env.BASE_DIR }}/${{ matrix.env }} init -upgrade
-
- - name: Plan
- run: terraform -chdir=${{ env.BASE_DIR }}/${{ matrix.env }} plan
-
- - name: Apply
- if: ${{ env.DRY_RUN == 'false' }}
- run: terraform -chdir=${{ env.BASE_DIR }}/${{ matrix.env }} apply -auto-approve
-
- - name: Skip Apply (dry-run)
- if: ${{ env.DRY_RUN == 'true' }}
- run: echo "Dry run enabled โ†’ skip apply step."
-
- - name: Output
- if: ${{ env.DRY_RUN == 'false' }}
- run: terraform -chdir=${{ env.BASE_DIR }}/${{ matrix.env }} output -json