chore(ci): rename alicloud workflows and adjust gitops inputs

Haitao Pan 2025-12-24 15:02:33 +08:00
parent b125e72333
commit dad3339ee2
17 changed files with 14 additions and 1157 deletions


@ -1,4 +1,4 @@
name: AWS Cloud Account Bootstrap name: Multi Cloud Account Bootstrap
concurrency: concurrency:
group: terraform-bootstrap-${{ github.ref }} group: terraform-bootstrap-${{ github.ref }}
@ -8,14 +8,18 @@ on:
push: push:
pull_request: pull_request:
paths: paths:
- '.github/workflows/iac-pipeline-aws-global-bootstrap.yaml' - '.github/workflows/iac-pipeline-mutli-cloud-bootstrap.yaml'
- 'terraform-hcl-standard/aws-cloud/bootstrap/**' - 'terraform-hcl-standard/**'
workflow_dispatch: workflow_dispatch:
inputs: inputs:
deploy_action: deploy_action:
type: choice type: choice
options: [plan, apply, destroy] options: [plan, apply, destroy]
default: plan default: plan
bootstrap_cloud:
description: "Path to bootstrap cloud"
type: string
default: terraform-hcl-standard/aws-cloud/bootstrap
gitops_repo_ref: gitops_repo_ref:
description: "GitOps repo ref (branch/tag/sha) to use" description: "GitOps repo ref (branch/tag/sha) to use"
type: string type: string
@ -30,12 +34,12 @@ on:
default: config/xzerolab/sit/aws-cloud/account/bootstrap.yaml default: config/xzerolab/sit/aws-cloud/account/bootstrap.yaml
env: env:
TG_ROOT: terraform-hcl-standard/aws-cloud/bootstrap
DEPLOY_ACTION: ${{ github.event.inputs.deploy_action || 'plan' }}
TG_VERSION: 0.67.14 TG_VERSION: 0.67.14
GITOPS_REPO_ROOT: gitops TG_ROOT: ${{ github.event.inputs.bootstrap_cloud }}
GITOPS_BOOTSTRAP_CONFIG: ${{ github.event.inputs.gitops_bootstrap_config || 'config/xzerolab/sit/aws-cloud/account/bootstrap.yaml' }} GITOPS_REPO: ${{ github.event.inputs.gitops_repo_name }}
BOOTSTRAP_CONFIG_PATH: terraform-hcl-standard/aws-cloud/bootstrap/gitops/${{ github.event.inputs.gitops_bootstrap_config || 'config/xzerolab/sit/aws-cloud/account/bootstrap.yaml' }} DEPLOY_ACTION: ${{ github.event.inputs.deploy_action || 'plan' }}
BOOTSTRAP_CONFIG_FILE: ${{ github.event.inputs.gitops_bootstrap_config }}
BOOTSTRAP_CONFIG_PATH: terraform-hcl-standard/aws-cloud/bootstrap/gitops/${{ github.event.inputs.gitops_bootstrap_config }}
jobs: jobs:
bootstrap: bootstrap:
@ -45,20 +49,11 @@ jobs:
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
- name: Normalize GitOps repo
id: gitops_repo
shell: bash
run: |
repo_input="${{ github.event.inputs.gitops_repo_name || 'https://github.com/cloud-neutral-workshop/gitops.git' }}"
repo="${repo_input#https://github.com/}"
repo="${repo%.git}"
echo "repo=$repo" >> "$GITHUB_OUTPUT"
- name: Checkout GitOps config - name: Checkout GitOps config
uses: actions/checkout@v4 uses: actions/checkout@v4
with: with:
repository: ${{ steps.gitops_repo.outputs.repo }} path: ${{ env.TG_ROOT }}/gitops
path: ${{ env.GITOPS_REPO_ROOT }} repository: ${{ env.GITOPS_REPO }}
ref: ${{ github.event.inputs.gitops_repo_ref || 'main' }} ref: ${{ github.event.inputs.gitops_repo_ref || 'main' }}
- name: Document Bootstrap Scope - name: Document Bootstrap Scope
@ -90,8 +85,6 @@ jobs:
- name: Force Destroy Bootstrap Resources - name: Force Destroy Bootstrap Resources
if: env.DEPLOY_ACTION == 'destroy' if: env.DEPLOY_ACTION == 'destroy'
env:
CONFIG_PATH: terraform-hcl-standard/aws-cloud/config/accounts/bootstrap.yaml
run: | run: |
./scripts/aws-bootstrap-force-destroy.sh ./scripts/aws-bootstrap-force-destroy.sh
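Review bot: The env block in the third hunk drops every non-dispatch fallback, so on the push/pull_request triggers this section also widens to `terraform-hcl-standard/**` the keys `TG_ROOT`, `GITOPS_REPO`, `BOOTSTRAP_CONFIG_FILE` and `BOOTSTRAP_CONFIG_PATH` all resolve to empty strings, because `github.event.inputs` is populated only for workflow_dispatch and an input's `default:` is not applied to other events. The GitOps checkout then runs with `path: /gitops` and an empty `repository:`, which actions/checkout presumably rejects as a path outside the workspace or turns into a checkout of the current repo, and `BOOTSTRAP_CONFIG_PATH` is in any case still hard-wired to `terraform-hcl-standard/aws-cloud/bootstrap/gitops/…`, which contradicts both the new "Multi Cloud" name and the `bootstrap_cloud` input. Restore the fallbacks the old block had, e.g. `TG_ROOT: ${{ github.event.inputs.bootstrap_cloud || 'terraform-hcl-standard/aws-cloud/bootstrap' }}` and `GITOPS_REPO: ${{ github.event.inputs.gitops_repo_name || 'cloud-neutral-workshop/gitops' }}`, and the same `|| 'config/xzerolab/sit/aws-cloud/account/bootstrap.yaml'` on the two config keys. Note too that the removed "Normalize GitOps repo" step stripped `https://github.com/` and `.git` from the input, while the new code passes `gitops_repo_name` straight to `repository:`, which expects `owner/repo`; if that input's default (defined outside this hunk) is still a URL, the checkout will fail. The `paths:` entry `iac-pipeline-mutli-cloud-bootstrap.yaml` looks like a typo for `multi`; if the workflow file is actually spelled with `multi`, the path filter never matches edits to the workflow itself.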


@ -1,69 +0,0 @@
name: IAC Pipeline Alicloud Account/VPC Matrix
on:
push:
paths:
- 'terraform-hcl-standard/ali-cloud/modules/vpc/**'
- 'terraform-hcl-standard/ali-cloud/modules/ram/**'
- 'terraform-hcl-standard/ali-cloud/envs/dev/**'
- '.github/workflows/terraform-standard-iac-pipeline-alicloud-account-matrix.yaml'
workflow_dispatch:
inputs:
dry_run:
type: choice
options: ['true', 'false']
default: 'true'
env:
BASE_DIR: terraform-hcl-standard/ali-cloud/envs
DRY_RUN: ${{ github.event.inputs.dry_run || 'true' }}
ALICLOUD_REGION: ${{ secrets.ALICLOUD_REGION }}
jobs:
terraform:
name: "${{ matrix.env }} :: pipeline (dry_run=${{ inputs.dry_run }})"
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
env: [dev]
steps:
- uses: actions/checkout@v4
- uses: hashicorp/setup-terraform@v3
with:
terraform_version: 1.9.5
- uses: terraform-linters/setup-tflint@v4
with:
tflint_version: v0.51.0
- name: Export Alicloud credentials
run: |
{
echo "ALICLOUD_ACCESS_KEY=${{ secrets.ALICLOUD_ACCESS_KEY }}"
echo "ALICLOUD_SECRET_KEY=${{ secrets.ALICLOUD_SECRET_KEY }}"
echo "ALICLOUD_REGION=${ALICLOUD_REGION:-cn-hangzhou}"
echo "TF_VAR_rds_password=${{ secrets.ALICLOUD_RDS_PASSWORD }}"
echo "TF_VAR_redis_password=${{ secrets.ALICLOUD_REDIS_PASSWORD }}"
} >> "$GITHUB_ENV"
- name: Init
run: terraform -chdir=${{ env.BASE_DIR }}/${{ matrix.env }} init -upgrade
- name: Plan
run: terraform -chdir=${{ env.BASE_DIR }}/${{ matrix.env }} plan
- name: Apply
if: ${{ env.DRY_RUN == 'false' }}
run: terraform -chdir=${{ env.BASE_DIR }}/${{ matrix.env }} apply -auto-approve
- name: Skip Apply (dry-run)
if: ${{ env.DRY_RUN == 'true' }}
run: echo "Dry run enabled → skip apply step."
- name: Output
if: ${{ env.DRY_RUN == 'false' }}
run: terraform -chdir=${{ env.BASE_DIR }}/${{ matrix.env }} output -json


@ -1,118 +0,0 @@
name: Alicloud Account Bootstrap
concurrency:
group: terraform-alicloud-bootstrap-${{ github.ref }}
cancel-in-progress: false
on:
push:
paths:
- 'terraform-hcl-standard/ali-cloud/bootstrap/**'
- '.github/workflows/terraform-standard-iac-pipeline-alicloud-bootstrap.yaml'
pull_request:
workflow_dispatch:
inputs:
deploy_action:
type: choice
options: [plan, apply, destroy]
default: plan
env:
TF_WORKDIR: terraform-hcl-standard/ali-cloud/bootstrap
DEPLOY_ACTION: ${{ github.event.inputs.deploy_action || 'plan' }}
ALICLOUD_REGION: ${{ secrets.ALICLOUD_REGION }}
jobs:
bootstrap:
name: "Bootstrap ${{ matrix.target }}"
runs-on: ubuntu-latest
strategy:
matrix:
target: [state, lock, identity]
steps:
- uses: actions/checkout@v4
- name: Document Bootstrap Scope (Alicloud)
run: |
cat <<'SUMMARY' >> "$GITHUB_STEP_SUMMARY"
## Alicloud bootstrap scope
- state: provision OSS bucket for remote state storage
- lock: create Table Store instance/table for Terraform state locking
- identity: provision RAM role/user plus access keys for automation
Resource names and defaults follow terraform-hcl-standard/ali-cloud/bootstrap.
SUMMARY
- uses: hashicorp/setup-terraform@v3
with:
terraform_version: 1.9.5
- name: Export Alicloud credentials and variables
run: |
{
echo "ALICLOUD_ACCESS_KEY=${{ secrets.ALICLOUD_ACCESS_KEY }}"
echo "ALICLOUD_SECRET_KEY=${{ secrets.ALICLOUD_SECRET_KEY }}"
echo "ALICLOUD_REGION=${ALICLOUD_REGION:-cn-hangzhou}"
echo "TF_VAR_state_bucket=${{ secrets.ALICLOUD_STATE_BUCKET }}"
echo "TF_VAR_account_id=${{ secrets.ALICLOUD_ACCOUNT_ID }}"
} >> "$GITHUB_ENV"
- name: Terraform Init
run: terraform -chdir=${{ env.TF_WORKDIR }}/${{ matrix.target }} init -upgrade
- name: Terraform Plan
if: env.DEPLOY_ACTION == 'plan'
run: terraform -chdir=${{ env.TF_WORKDIR }}/${{ matrix.target }} plan -no-color
- name: Terraform Apply
if: env.DEPLOY_ACTION == 'apply'
run: terraform -chdir=${{ env.TF_WORKDIR }}/${{ matrix.target }} apply -auto-approve
- name: Terraform Destroy
if: env.DEPLOY_ACTION == 'destroy'
run: terraform -chdir=${{ env.TF_WORKDIR }}/${{ matrix.target }} destroy -auto-approve
- name: Save Outputs
if: env.DEPLOY_ACTION == 'apply'
run: terraform -chdir=${{ env.TF_WORKDIR }}/${{ matrix.target }} output -json > ../outputs_${{ matrix.target }}.json
- uses: actions/upload-artifact@v4
if: env.DEPLOY_ACTION == 'apply'
with:
name: outputs-${{ matrix.target }}
path: terraform-hcl-standard/ali-cloud/outputs_${{ matrix.target }}.json
retention-days: 30
aggregate:
name: "Aggregate Bootstrap Outputs"
runs-on: ubuntu-latest
needs: bootstrap
if: ${{ github.event.inputs.deploy_action == 'apply' }}
steps:
- uses: actions/download-artifact@v4
with:
path: ./outputs
- name: Merge Outputs
run: |
shopt -s globstar nullglob
echo "{" > final_bootstrap_outputs.json
f=true
for x in outputs/**/outputs_*.json; do
k=$(basename "$x" .json | sed 's/outputs_//')
value=$(cat "$x")
[ "$f" = true ] && f=false || echo "," >> final_bootstrap_outputs.json
echo "\"$k\": $value" >> final_bootstrap_outputs.json
done
echo "}" >> final_bootstrap_outputs.json
- run: cat final_bootstrap_outputs.json
- uses: actions/upload-artifact@v4
with:
name: alicloud-bootstrap-final-output
path: final_bootstrap_outputs.json


@ -1,106 +0,0 @@
name: Alicloud LandingZone Baseline
on:
push:
paths:
- 'terraform-hcl-standard/ali-cloud/**'
- '.github/workflows/terraform-standard-iac-pipeline-alicloud-landingzone-baseline.yaml'
pull_request:
branches: [main]
workflow_dispatch:
inputs:
deploy_action:
description: "Deployment action"
type: choice
options: [plan, apply, destroy]
default: plan
deploy_dry_run:
description: "Dry-run mode"
type: choice
options: ['true', 'false']
default: 'true'
env:
TF_WORKDIR: terraform-hcl-standard/ali-cloud
DEPLOY_ACTION: ${{ github.event.inputs.deploy_action || 'plan' }}
ALICLOUD_REGION: ${{ secrets.ALICLOUD_REGION }}
jobs:
landingzone:
name: "Deploy LandingZone Baseline"
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: hashicorp/setup-terraform@v3
with:
terraform_version: 1.9.5
- name: Export Alicloud credentials
run: |
{
echo "ALICLOUD_ACCESS_KEY=${{ secrets.ALICLOUD_ACCESS_KEY }}"
echo "ALICLOUD_SECRET_KEY=${{ secrets.ALICLOUD_SECRET_KEY }}"
echo "ALICLOUD_REGION=${ALICLOUD_REGION:-cn-hangzhou}"
echo "TF_VAR_rds_password=${{ secrets.ALICLOUD_RDS_PASSWORD }}"
echo "TF_VAR_redis_password=${{ secrets.ALICLOUD_REDIS_PASSWORD }}"
} >> "$GITHUB_ENV"
- name: Terraform Init (LandingZone)
working-directory: ${{ env.TF_WORKDIR }}/envs/dev
run: terraform init -upgrade
- name: Terraform Plan (LandingZone)
id: tfplan
if: env.DEPLOY_ACTION == 'plan'
working-directory: ${{ env.TF_WORKDIR }}/envs/dev
run: terraform plan -no-color > plan_output.txt
- name: Upload LandingZone Plan Artifact
uses: actions/upload-artifact@v4
with:
name: alicloud-landingzone-plan
path: ${{ env.TF_WORKDIR }}/envs/dev/plan_output.txt
- name: Terraform Apply (LandingZone)
if: env.DEPLOY_ACTION == 'apply'
working-directory: ${{ env.TF_WORKDIR }}/envs/dev
run: terraform apply -auto-approve
- name: Terraform Destroy (LandingZone)
if: env.DEPLOY_ACTION == 'destroy'
working-directory: ${{ env.TF_WORKDIR }}/envs/dev
run: terraform destroy -auto-approve
validation:
name: "Validate LandingZone Baseline"
needs: landingzone
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Run Validation Checks
run: |
echo "⚙️ Running LandingZone baseline validation..."
chmod +x scripts/validation/validate-landingzone.sh
scripts/validation/validate-landingzone.sh \
${{ env.TF_WORKDIR }}/envs/dev
delivery:
name: "Delivery: Notify Rollout"
needs: validation
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Notify
env:
SMTP_PASSWORD: ${{ secrets.SMTP_PASSWORD }}
SMTP_USERNAME: "manbuzhe2009@qq.com"
run: |
echo "📣 Sending Alicloud LandingZone rollout notification..."
chmod +x scripts/notifications/notify-landingzone.sh
./scripts/notifications/notify-landingzone.sh


@ -1,68 +0,0 @@
name: IAC Pipeline Alicloud Resources Matrix
on:
push:
paths:
- 'terraform-hcl-standard/ali-cloud/modules/**'
- 'terraform-hcl-standard/ali-cloud/envs/dev/**'
- '.github/workflows/terraform-standard-iac-pipeline-alicloud-resources-matrix.yaml'
workflow_dispatch:
inputs:
dry_run:
type: choice
options: ['true', 'false']
default: 'true'
env:
BASE_DIR: terraform-hcl-standard/ali-cloud/envs
DRY_RUN: ${{ github.event.inputs.dry_run || 'true' }}
ALICLOUD_REGION: ${{ secrets.ALICLOUD_REGION }}
jobs:
terraform:
name: "${{ matrix.env }} :: resources (dry_run=${{ inputs.dry_run }})"
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
env: [dev]
steps:
- uses: actions/checkout@v4
- uses: hashicorp/setup-terraform@v3
with:
terraform_version: 1.9.5
- uses: terraform-linters/setup-tflint@v4
with:
tflint_version: v0.51.0
- name: Export Alicloud credentials
run: |
{
echo "ALICLOUD_ACCESS_KEY=${{ secrets.ALICLOUD_ACCESS_KEY }}"
echo "ALICLOUD_SECRET_KEY=${{ secrets.ALICLOUD_SECRET_KEY }}"
echo "ALICLOUD_REGION=${ALICLOUD_REGION:-cn-hangzhou}"
echo "TF_VAR_rds_password=${{ secrets.ALICLOUD_RDS_PASSWORD }}"
echo "TF_VAR_redis_password=${{ secrets.ALICLOUD_REDIS_PASSWORD }}"
} >> "$GITHUB_ENV"
- name: Init
run: terraform -chdir=${{ env.BASE_DIR }}/${{ matrix.env }} init -upgrade
- name: Plan
run: terraform -chdir=${{ env.BASE_DIR }}/${{ matrix.env }} plan
- name: Apply
if: ${{ env.DRY_RUN == 'false' }}
run: terraform -chdir=${{ env.BASE_DIR }}/${{ matrix.env }} apply -auto-approve
- name: Skip Apply (dry-run)
if: ${{ env.DRY_RUN == 'true' }}
run: echo "Dry run enabled → skip apply step."
- name: Output
if: ${{ env.DRY_RUN == 'false' }}
run: terraform -chdir=${{ env.BASE_DIR }}/${{ matrix.env }} output -json


@ -1,77 +0,0 @@
name: IAC Pipeline GCP (Account/Project Matrix)
on:
push:
paths:
- 'terraform-hcl-standard/gcp-cloud/envs/dev-vpc/**'
- 'terraform-hcl-standard/gcp-cloud/envs/dev-role/**'
- '.github/workflows/terraform-standard-iac-pipeline-gcp-account-matrix.yaml'
workflow_dispatch:
inputs:
dry_run:
type: choice
options: ['true', 'false']
default: 'true'
env:
BASE_DIR: terraform-hcl-standard/gcp-cloud/envs
GCP_PROJECT_ID: ${{ secrets.GCP_PROJECT_ID }}
DRY_RUN: ${{ github.event.inputs.dry_run || 'true' }}
jobs:
terraform:
name: "${{ matrix.env }} :: pipeline (dry_run=${{ inputs.dry_run }})"
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
env:
- dev-vpc
- dev-role
steps:
- uses: actions/checkout@v4
- uses: hashicorp/setup-terraform@v3
with:
terraform_version: 1.9.5
- uses: terraform-linters/setup-tflint@v4
with:
tflint_version: v0.51.0
- name: Authenticate to GCP
uses: google-github-actions/auth@v2
with:
credentials_json: ${{ secrets.GCP_TERRAFORM_CREDENTIALS }}
project_id: ${{ env.GCP_PROJECT_ID }}
export_environment_variables: true
create_credentials_file: true
- name: Set up gcloud CLI
uses: google-github-actions/setup-gcloud@v2
with:
project_id: ${{ env.GCP_PROJECT_ID }}
- name: Init
working-directory: ${{ env.BASE_DIR }}/${{ matrix.env }}
run: make init
- name: Plan
working-directory: ${{ env.BASE_DIR }}/${{ matrix.env }}
run: make plan
- name: Apply
working-directory: ${{ env.BASE_DIR }}/${{ matrix.env }}
if: ${{ env.DRY_RUN == 'false' }}
run: make apply
- name: Skip Apply (dry-run)
if: ${{ env.DRY_RUN == 'true' }}
run: echo "Dry run enabled → skip apply step."
- name: Output
working-directory: ${{ env.BASE_DIR }}/${{ matrix.env }}
if: ${{ env.DRY_RUN == 'false' }}
run: terraform output -json


@ -1,194 +0,0 @@
name: GCP Cloud Bootstrap
concurrency:
group: terraform-bootstrap-gcp-${{ github.ref }}
cancel-in-progress: false
on:
push:
paths:
- 'terraform-hcl-standard/gcp-cloud/bootstrap-gcs/**'
- 'terraform-hcl-standard/gcp-cloud/bootstrap-iam/**'
- '.github/workflows/terraform-standard-iac-pipeline-gcp-global-bootstrap.yaml'
pull_request:
workflow_dispatch:
inputs:
deploy_action:
type: choice
options: [plan, apply, destroy]
default: plan
env:
TF_WORKDIR: terraform-hcl-standard/gcp-cloud
DEPLOY_ACTION: ${{ github.event.inputs.deploy_action || 'plan' }}
jobs:
bootstrap:
name: "Bootstrap Modules"
runs-on: ubuntu-latest
strategy:
matrix:
target: [bootstrap-gcs, bootstrap-iam]
steps:
- uses: actions/checkout@v4
- name: Document Bootstrap Scope
run: |
cat <<'SUMMARY' >> "$GITHUB_STEP_SUMMARY"
## Bootstrap scope (GCP)
- Cloud Storage: create remote state bucket (versioned + uniform access + generation-based locking)
- IAM: create Terraform bootstrap service account and bind elevated roles
Resource names and locations follow terraform-hcl-standard/gcp-cloud/config/accounts/bootstrap.yaml.
SUMMARY
- uses: hashicorp/setup-terraform@v3
with:
terraform_version: 1.9.5
- name: Restore Terraform state
uses: actions/download-artifact@v4
continue-on-error: true
with:
name: tfstate-${{ matrix.target }}
path: ${{ env.TF_WORKDIR }}/${{ matrix.target }}
- name: Load bootstrap config
run: |
python -m pip install --quiet pyyaml
python - <<'PY'
import json
import yaml
import os
from pathlib import Path
cfg_path = Path("terraform-hcl-standard/gcp-cloud/config/accounts/bootstrap.yaml")
cfg = yaml.safe_load(cfg_path.read_text())
env_path = Path(os.environ["GITHUB_ENV"])
current_env = env_path.read_text() if env_path.exists() else ""
env_path.write_text(
current_env
+ f"BOOTSTRAP_PROJECT_ID={cfg['project_id']}\n"
+ f"BOOTSTRAP_BUCKET_NAME={cfg['state']['bucket_name']}\n"
+ f"BOOTSTRAP_BUCKET_LOCATION={cfg['state'].get('bucket_location', 'US')}\n"
+ f"BOOTSTRAP_SA_ID={cfg['iam'].get('service_account_id', 'terraform-bootstrap')}\n"
+ f"BOOTSTRAP_SA_ROLES={json.dumps(cfg['iam'].get('service_account_roles', []))}\n"
)
PY
- name: Authenticate to GCP
uses: google-github-actions/auth@v2
with:
credentials_json: ${{ secrets.GCP_BOOTSTRAP_CREDENTIALS }}
project_id: ${{ env.BOOTSTRAP_PROJECT_ID }}
create_credentials_file: true
export_environment_variables: true
- name: Set up gcloud CLI
uses: google-github-actions/setup-gcloud@v2
with:
project_id: ${{ env.BOOTSTRAP_PROJECT_ID }}
- name: Render Terraform variables
if: env.DEPLOY_ACTION != 'destroy'
working-directory: ${{ env.TF_WORKDIR }}/${{ matrix.target }}
run: |
cat > bootstrap.auto.tfvars <<EOF
project_id = "${BOOTSTRAP_PROJECT_ID}"
EOF
if [ "${{ matrix.target }}" = "bootstrap-gcs" ]; then
cat >> bootstrap.auto.tfvars <<EOF
bucket_name = "${BOOTSTRAP_BUCKET_NAME}"
location = "${BOOTSTRAP_BUCKET_LOCATION}"
EOF
elif [ "${{ matrix.target }}" = "bootstrap-iam" ]; then
cat >> bootstrap.auto.tfvars <<EOF
service_account_id = "${BOOTSTRAP_SA_ID}"
service_account_roles = ${BOOTSTRAP_SA_ROLES}
EOF
fi
- name: Init
if: env.DEPLOY_ACTION != 'destroy'
working-directory: ${{ env.TF_WORKDIR }}/${{ matrix.target }}
run: terraform init -upgrade
- name: Plan
if: env.DEPLOY_ACTION == 'plan'
working-directory: ${{ env.TF_WORKDIR }}/${{ matrix.target }}
run: terraform plan -no-color
- name: Apply
if: env.DEPLOY_ACTION == 'apply'
working-directory: ${{ env.TF_WORKDIR }}/${{ matrix.target }}
run: terraform apply -auto-approve
- name: Destroy (gcloud)
if: env.DEPLOY_ACTION == 'destroy'
env:
TARGET: ${{ matrix.target }}
run: |
set -euo pipefail
if [ "$TARGET" = "bootstrap-gcs" ]; then
if gcloud storage buckets describe "gs://${BOOTSTRAP_BUCKET_NAME}" >/dev/null 2>&1; then
gcloud storage rm --recursive "gs://${BOOTSTRAP_BUCKET_NAME}" || true
gcloud storage buckets delete "gs://${BOOTSTRAP_BUCKET_NAME}" --quiet || true
else
echo "Bucket gs://${BOOTSTRAP_BUCKET_NAME} does not exist; skipping deletion."
fi
elif [ "$TARGET" = "bootstrap-iam" ]; then
SA_EMAIL="${BOOTSTRAP_SA_ID}@${BOOTSTRAP_PROJECT_ID}.iam.gserviceaccount.com"
if gcloud iam service-accounts describe "$SA_EMAIL" >/dev/null 2>&1; then
gcloud iam service-accounts delete "$SA_EMAIL" --quiet || true
else
echo "Service account $SA_EMAIL does not exist; skipping deletion."
fi
fi
- name: Save Outputs
if: env.DEPLOY_ACTION == 'apply'
working-directory: ${{ env.TF_WORKDIR }}/${{ matrix.target }}
run: terraform output -json > ../../outputs_${{ matrix.target }}.json
- uses: actions/upload-artifact@v4
if: env.DEPLOY_ACTION == 'apply'
with:
name: outputs-${{ matrix.target }}
path: terraform-hcl-standard/gcp-cloud/outputs_${{ matrix.target }}.json
retention-days: 30
aggregate:
name: "Aggregate Bootstrap Outputs"
runs-on: ubuntu-latest
needs: bootstrap
if: ${{ github.event.inputs.deploy_action == 'apply' }}
steps:
- uses: actions/download-artifact@v4
with:
path: ./outputs
- name: Merge Outputs
run: |
echo "{" > final_bootstrap_outputs.json
f=true
for x in outputs/**/outputs_*.json; do
k=$(basename "$x" .json | sed 's/outputs_//')
[ "$f" = true ] && f=false || echo "," >> final_bootstrap_outputs.json
value=$(cat "$x")
echo "\"$k\": $value" >> final_bootstrap_outputs.json
done
echo "}" >> final_bootstrap_outputs.json
- run: cat final_bootstrap_outputs.json
- uses: actions/upload-artifact@v4
with:
name: bootstrap-final-output
path: final_bootstrap_outputs.json


@ -1,121 +0,0 @@
name: GCP Cloud LandingZone Baseline
on:
push:
paths:
- 'terraform-hcl-standard/gcp-cloud/**'
- '.github/workflows/terraform-standard-iac-pipeline-gcp-global-landingzone-baseline.yaml'
pull_request:
branches: [main]
workflow_dispatch:
inputs:
deploy_action:
description: "Deployment action"
type: choice
options: [plan, apply, destroy]
default: plan
deploy_dry_run:
description: "Dry-run mode"
type: choice
options: ['true', 'false']
default: 'true'
env:
TF_WORKDIR: terraform-hcl-standard/gcp-cloud
DEPLOY_ACTION: ${{ github.event.inputs.deploy_action || 'plan' }}
# -------------------------------
# SMTP settings (明文可接受)
# -------------------------------
SMTP_HOST: smtp.qq.com
SMTP_PORT: 465
SMTP_FROM: "XControl Account <manbuzhe2009@qq.com>"
SMTP_REPLY_TO: "no-reply@svc.plus"
TO_EMAIL: "manbuzhe2009@qq.com"
jobs:
# -------------------------------------------------------
# 1. Landing Zone Baseline Stage
# -------------------------------------------------------
landingzone:
name: "Deploy LandingZone Baseline"
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: hashicorp/setup-terraform@v3
with:
terraform_version: 1.9.5
- name: Authenticate to GCP
uses: google-github-actions/auth@v2
with:
credentials_json: ${{ secrets.GCP_TERRAFORM_CREDENTIALS }}
project_id: ${{ secrets.GCP_PROJECT_ID }}
export_environment_variables: true
create_credentials_file: true
- name: Set up gcloud CLI
uses: google-github-actions/setup-gcloud@v2
with:
project_id: ${{ secrets.GCP_PROJECT_ID }}
- name: Terraform Init (LandingZone)
working-directory: ${{ env.TF_WORKDIR }}/envs/dev-landingzone
run: terraform init -upgrade
- name: Terraform Plan (LandingZone)
id: tfplan
if: env.DEPLOY_ACTION == 'plan'
working-directory: ${{ env.TF_WORKDIR }}/envs/dev-landingzone
run: terraform plan -no-color > plan_output.txt
- name: Upload LandingZone Plan Artifact
uses: actions/upload-artifact@v4
with:
name: landingzone-plan
path: ${{ env.TF_WORKDIR }}/envs/dev-landingzone/plan_output.txt
- name: Terraform Apply (LandingZone)
if: env.DEPLOY_ACTION == 'apply'
working-directory: ${{ env.TF_WORKDIR }}/envs/dev-landingzone
run: terraform apply -auto-approve
# -------------------------------------------------------
# 2. Validation Stage
# -------------------------------------------------------
validation:
name: "Validate LandingZone Baseline"
needs: landingzone
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Run Validation Checks
run: |
echo "⚙️ Running LandingZone baseline validation..."
chmod +x scripts/validation/validate-landingzone.sh
scripts/validation/validate-landingzone.sh \
${{ env.TF_WORKDIR }}/envs/dev-landingzone
# -------------------------------------------------------
# 3. Delivery / Notification Stage
# -------------------------------------------------------
delivery:
name: "Delivery: Notify Rollout"
needs: validation
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Notify
env:
SMTP_PASSWORD: ${{ secrets.SMTP_PASSWORD }} # <-- 仅密码从 secret
SMTP_USERNAME: "manbuzhe2009@qq.com"
run: |
echo "📣 Sending LandingZone rollout notification..."
chmod +x scripts/notifications/notify-landingzone.sh
./scripts/notifications/notify-landingzone.sh


@ -1,77 +0,0 @@
name: IAC Pipeline GCP Resources Matrix
on:
push:
paths:
- 'terraform-hcl-standard/gcp-cloud/envs/dev-object/**'
- 'terraform-hcl-standard/gcp-cloud/envs/dev-ec2/**'
- '.github/workflows/terraform-standard-iac-pipeline-gcp-resources-matrix.yaml'
workflow_dispatch:
inputs:
dry_run:
type: choice
options: ['true', 'false']
default: 'true'
env:
BASE_DIR: terraform-hcl-standard/gcp-cloud/envs
GCP_PROJECT_ID: ${{ secrets.GCP_PROJECT_ID }}
DRY_RUN: ${{ github.event.inputs.dry_run || 'true' }}
jobs:
terraform:
name: "${{ matrix.env }} :: pipeline (dry_run=${{ inputs.dry_run }})"
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
env:
- dev-object
- dev-ec2
steps:
- uses: actions/checkout@v4
- uses: hashicorp/setup-terraform@v3
with:
terraform_version: 1.9.5
- uses: terraform-linters/setup-tflint@v4
with:
tflint_version: v0.51.0
- name: Authenticate to GCP
uses: google-github-actions/auth@v2
with:
credentials_json: ${{ secrets.GCP_TERRAFORM_CREDENTIALS }}
project_id: ${{ env.GCP_PROJECT_ID }}
export_environment_variables: true
create_credentials_file: true
- name: Set up gcloud CLI
uses: google-github-actions/setup-gcloud@v2
with:
project_id: ${{ env.GCP_PROJECT_ID }}
- name: Init
working-directory: ${{ env.BASE_DIR }}/${{ matrix.env }}
run: make init
- name: Plan
working-directory: ${{ env.BASE_DIR }}/${{ matrix.env }}
run: make plan
- name: Apply
working-directory: ${{ env.BASE_DIR }}/${{ matrix.env }}
if: ${{ env.DRY_RUN == 'false' }}
run: make apply
- name: Skip Apply (dry-run)
if: ${{ env.DRY_RUN == 'true' }}
run: echo "Dry run enabled → skip apply step."
- name: Output
working-directory: ${{ env.BASE_DIR }}/${{ matrix.env }}
if: ${{ env.DRY_RUN == 'false' }}
run: terraform output -json


@ -1,62 +0,0 @@
name: IAC Pipeline Vultr VPS Account/VPC Matrix
on:
push:
paths:
- 'terraform-hcl-standard/vultr-vps/modules/vpc/**'
- 'terraform-hcl-standard/vultr-vps/modules/iam/**'
- 'terraform-hcl-standard/vultr-vps/envs/dev/**'
- '.github/workflows/terraform-standard-iac-pipeline-vultr-account-matrix.yaml'
workflow_dispatch:
inputs:
dry_run:
type: choice
options: ['true', 'false']
default: 'true'
env:
BASE_DIR: terraform-hcl-standard/vultr-vps/envs
DRY_RUN: ${{ github.event.inputs.dry_run || 'true' }}
jobs:
terraform:
name: "${{ matrix.env }} :: pipeline (dry_run=${{ inputs.dry_run }})"
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
env:
- dev
steps:
- uses: actions/checkout@v4
- uses: hashicorp/setup-terraform@v3
with:
terraform_version: 1.9.5
- uses: terraform-linters/setup-tflint@v4
with:
tflint_version: v0.51.0
- name: Export Vultr credentials
run: echo "TF_VAR_vultr_api_key=${{ secrets.VULTR_API_KEY }}" >> "$GITHUB_ENV"
- name: Init
run: terraform -chdir=${{ env.BASE_DIR }}/${{ matrix.env }} init -upgrade
- name: Plan
run: terraform -chdir=${{ env.BASE_DIR }}/${{ matrix.env }} plan
- name: Apply
if: ${{ env.DRY_RUN == 'false' }}
run: terraform -chdir=${{ env.BASE_DIR }}/${{ matrix.env }} apply -auto-approve
- name: Skip Apply (dry-run)
if: ${{ env.DRY_RUN == 'true' }}
run: echo "Dry run enabled → skip apply step."
- name: Output
if: ${{ env.DRY_RUN == 'false' }}
run: terraform -chdir=${{ env.BASE_DIR }}/${{ matrix.env }} output -json


@ -1,51 +0,0 @@
name: Vultr VPS Bootstrap
concurrency:
group: terraform-vultr-bootstrap-${{ github.ref }}
cancel-in-progress: false
on:
push:
paths:
- 'terraform-hcl-standard/vultr-vps/bootstrap-object-storage/**'
- 'terraform-hcl-standard/vultr-vps/bootstrap-iam/**'
- 'terraform-hcl-standard/vultr-vps/config/**'
- '.github/workflows/terraform-standard-iac-pipeline-vultr-global-bootstrap.yaml'
workflow_dispatch:
inputs:
deploy_action:
type: choice
options: [plan, apply, destroy]
default: plan
env:
TF_ROOT: terraform-hcl-standard/vultr-vps
DEPLOY_ACTION: ${{ github.event.inputs.deploy_action || 'plan' }}
jobs:
bootstrap:
name: "Bootstrap Vultr backend & provider"
runs-on: ubuntu-latest
strategy:
matrix:
target: [bootstrap-object-storage, bootstrap-iam]
steps:
- uses: actions/checkout@v4
- uses: hashicorp/setup-terraform@v3
with:
terraform_version: 1.9.5
- name: Export Vultr API key
run: echo "TF_VAR_vultr_api_key=${{ secrets.VULTR_API_KEY }}" >> "$GITHUB_ENV"
- name: Select Terraform workdir
run: echo "TF_WORKDIR=${TF_ROOT}/${{ matrix.target }}" >> "$GITHUB_ENV"
- name: Terraform Init
run: terraform -chdir="$TF_WORKDIR" init
- name: Terraform ${{ env.DEPLOY_ACTION }}
run: terraform -chdir="$TF_WORKDIR" "$DEPLOY_ACTION" -input=false


@ -1,56 +0,0 @@
name: Vultr VPS LandingZone Baseline
concurrency:
group: terraform-vultr-landingzone-${{ github.ref }}
cancel-in-progress: false
on:
push:
paths:
- 'terraform-hcl-standard/vultr-vps/modules/vpc/**'
- 'terraform-hcl-standard/vultr-vps/config/**'
- '.github/workflows/terraform-standard-iac-pipeline-vultr-global-landingzone-baseline.yaml'
workflow_dispatch:
inputs:
deploy_action:
description: "Deployment action"
type: choice
options: [plan, apply, destroy]
default: plan
env:
TF_ROOT: terraform-hcl-standard/vultr-vps/modules/vpc
DEPLOY_ACTION: ${{ github.event.inputs.deploy_action || 'plan' }}
jobs:
landingzone:
name: "Baseline VPC + Firewall + SSH keys"
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: hashicorp/setup-terraform@v3
with:
terraform_version: 1.9.5
- name: Export Vultr API key
run: echo "TF_VAR_vultr_api_key=${{ secrets.VULTR_API_KEY }}" >> "$GITHUB_ENV"
- name: Terraform Init
run: terraform -chdir="$TF_ROOT" init
- name: Terraform ${{ env.DEPLOY_ACTION }}
run: terraform -chdir="$TF_ROOT" "$DEPLOY_ACTION" -input=false
- name: Capture LandingZone outputs
if: env.DEPLOY_ACTION == 'apply'
run: terraform -chdir="$TF_ROOT" output -json > landingzone-baseline-outputs.json
- name: Upload LandingZone outputs
if: env.DEPLOY_ACTION == 'apply'
uses: actions/upload-artifact@v4
with:
name: vultr-landingzone-baseline-outputs
path: landingzone-baseline-outputs.json
retention-days: 7


@ -1,74 +0,0 @@
name: Vultr VPS Resources Matrix
concurrency:
group: terraform-vultr-resources-${{ github.ref }}
cancel-in-progress: false
on:
push:
paths:
- 'terraform-hcl-standard/vultr-vps/envs/dev/**'
- 'terraform-hcl-standard/vultr-vps/modules/compute/**'
- 'terraform-hcl-standard/vultr-vps/modules/storage/**'
- 'terraform-hcl-standard/vultr-vps/modules/data_store/**'
- 'terraform-hcl-standard/vultr-vps/config/**'
- '.github/workflows/terraform-standard-iac-pipeline-vultr-global-resources-matrix.yaml'
workflow_dispatch:
inputs:
deploy_action:
type: choice
options: [plan, apply, destroy]
default: plan
env:
TF_ROOT: terraform-hcl-standard/vultr-vps/envs
DEPLOY_ACTION: ${{ github.event.inputs.deploy_action || 'plan' }}
jobs:
resources:
name: "${{ matrix.environment }} :: ${{ matrix.region }} :: ${{ matrix.instance_type }}"
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
environment: [dev]
region: [ewr, lax, sin]
instance_type: [cpu, gpu]
steps:
- uses: actions/checkout@v4
- uses: hashicorp/setup-terraform@v3
with:
terraform_version: 1.9.5
- name: Export Vultr API key
run: echo "TF_VAR_vultr_api_key=${{ secrets.VULTR_API_KEY }}" >> "$GITHUB_ENV"
- name: Select Terraform workdir
run: echo "TF_WORKDIR=${TF_ROOT}/${{ matrix.environment }}" >> "$GITHUB_ENV"
- name: Terraform Init
env:
TF_VAR_region: ${{ matrix.region }}
TF_VAR_instance_type: ${{ matrix.instance_type }}
run: terraform -chdir="$TF_WORKDIR" init
- name: Terraform ${{ env.DEPLOY_ACTION }}
env:
TF_VAR_region: ${{ matrix.region }}
TF_VAR_instance_type: ${{ matrix.instance_type }}
run: terraform -chdir="$TF_WORKDIR" "$DEPLOY_ACTION" -input=false
- name: Capture resource outputs
if: env.DEPLOY_ACTION == 'apply'
run: terraform -chdir="$TF_WORKDIR" output -json > vultr-resources-${{ matrix.environment }}-${{ matrix.region }}-${{ matrix.instance_type }}.json
- name: Upload resource outputs
if: env.DEPLOY_ACTION == 'apply'
uses: actions/upload-artifact@v4
with:
name: vultr-resources-${{ matrix.environment }}-${{ matrix.region }}-${{ matrix.instance_type }}
path: vultr-resources-${{ matrix.environment }}-${{ matrix.region }}-${{ matrix.instance_type }}.json
retention-days: 7


@ -1,63 +0,0 @@
name: IAC Pipeline Vultr VPS Resources Matrix
on:
push:
paths:
- 'terraform-hcl-standard/vultr-vps/modules/compute/**'
- 'terraform-hcl-standard/vultr-vps/modules/storage/**'
- 'terraform-hcl-standard/vultr-vps/modules/data_store/**'
- 'terraform-hcl-standard/vultr-vps/envs/dev/**'
- '.github/workflows/terraform-standard-iac-pipeline-vultr-resources-matrix.yaml'
workflow_dispatch:
inputs:
dry_run:
type: choice
options: ['true', 'false']
default: 'true'
env:
BASE_DIR: terraform-hcl-standard/vultr-vps/envs
DRY_RUN: ${{ github.event.inputs.dry_run || 'true' }}
jobs:
terraform:
name: "${{ matrix.env }} :: pipeline (dry_run=${{ inputs.dry_run }})"
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
env:
- dev
steps:
- uses: actions/checkout@v4
- uses: hashicorp/setup-terraform@v3
with:
terraform_version: 1.9.5
- uses: terraform-linters/setup-tflint@v4
with:
tflint_version: v0.51.0
- name: Export Vultr credentials
run: echo "TF_VAR_vultr_api_key=${{ secrets.VULTR_API_KEY }}" >> "$GITHUB_ENV"
- name: Init
run: terraform -chdir=${{ env.BASE_DIR }}/${{ matrix.env }} init -upgrade
- name: Plan
run: terraform -chdir=${{ env.BASE_DIR }}/${{ matrix.env }} plan
- name: Apply
if: ${{ env.DRY_RUN == 'false' }}
run: terraform -chdir=${{ env.BASE_DIR }}/${{ matrix.env }} apply -auto-approve
- name: Skip Apply (dry-run)
if: ${{ env.DRY_RUN == 'true' }}
run: echo "Dry run enabled → skip apply step."
- name: Output
if: ${{ env.DRY_RUN == 'false' }}
run: terraform -chdir=${{ env.BASE_DIR }}/${{ matrix.env }} output -json