From dfef8296217dd6ad53c1cc2890ab3294b991b1ef Mon Sep 17 00:00:00 2001
From: cloudneutral
Date: Mon, 8 Dec 2025 20:12:16 +0800
Subject: [PATCH] Use AWS CLI for bootstrap destroy actions
---
 ...ard-iac-pipeline-aws-global-bootstrap.yaml | 29 ++++++++++++-------
 .../aws-cloud/bootstrap-dynamodb/Makefile | 5 ++--
 .../aws-cloud/bootstrap-iam/Makefile | 10 +++++--
 .../aws-cloud/bootstrap-s3/Makefile | 5 ++--
 4 files changed, 33 insertions(+), 16 deletions(-)
diff --git a/.github/workflows/terraform-standard-iac-pipeline-aws-global-bootstrap.yaml b/.github/workflows/terraform-standard-iac-pipeline-aws-global-bootstrap.yaml
index 868597e1..7fb53e10 100644
--- a/.github/workflows/terraform-standard-iac-pipeline-aws-global-bootstrap.yaml
+++ b/.github/workflows/terraform-standard-iac-pipeline-aws-global-bootstrap.yaml
@@ -65,7 +65,7 @@ jobs:
           aws-region: ap-northeast-1
       - name: Load bootstrap config for destroy
-        if: matrix.target == 'bootstrap-s3' && env.DEPLOY_ACTION == 'destroy'
+        if: env.DEPLOY_ACTION == 'destroy'
         run: |
           python -m pip install --quiet pyyaml
           python - <<'PY'
@@ -78,16 +78,16 @@ jobs:
           env_path = Path(os.environ["GITHUB_ENV"])
           current_env = env_path.read_text() if env_path.exists() else ""
-          env_path.write_text(current_env + f"BOOTSTRAP_BUCKET={cfg['state']['bucket_name']}\n")
+          env_path.write_text(
+              current_env
+              + f"BOOTSTRAP_BUCKET={cfg['state']['bucket_name']}\n"
+              + f"BOOTSTRAP_REGION={cfg['region']}\n"
+              + f"BOOTSTRAP_DYNAMODB_TABLE={cfg['state']['dynamodb_table_name']}\n"
+              + f"BOOTSTRAP_ROLE_NAME={cfg['iam']['role_name']}\n"
+              + f"BOOTSTRAP_TERRAFORM_USER={cfg['iam']['terraform_user_name']}\n"
+          )
           PY
-      - name: Empty bootstrap S3 bucket (per config)
-        if: matrix.target == 'bootstrap-s3' && env.DEPLOY_ACTION == 'destroy'
-        env:
-          AWS_REGION: ap-northeast-1
-        run: |
-          aws s3 rb "s3://${BOOTSTRAP_BUCKET}" --force
-
       - name: Init
         working-directory: ${{ env.TF_WORKDIR }}/${{ matrix.target }}
         run: make init
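Review bot: The new `env_path.write_text(...)` call in the Load bootstrap config step copies five config values into GITHUB_ENV as single-line `KEY=value` entries without checking that each value is a non-empty single-line string, and GITHUB_ENV is line-oriented, so a value containing a line break would be parsed as further variable definitions (a classic environment-file injection shape), while a `None` from a missing optional key would silently become the string `None` and later reach `aws ... delete-*` commands. The read-then-rewrite of the whole file via `current_env` is also unnecessary: opening in append mode does the same thing without the extra read and without clobbering entries another process may add in between. The step's `run:` block begins in the previous hunk, and `cfg` is built outside this hunk, so I cannot see whether the loader already validates these keys. A tighter version, which makes the `current_env` context line unused:

```python
env_path = Path(os.environ["GITHUB_ENV"])
exports = {
    "BOOTSTRAP_BUCKET": cfg["state"]["bucket_name"],
    "BOOTSTRAP_REGION": cfg["region"],
    "BOOTSTRAP_DYNAMODB_TABLE": cfg["state"]["dynamodb_table_name"],
    "BOOTSTRAP_ROLE_NAME": cfg["iam"]["role_name"],
    "BOOTSTRAP_TERRAFORM_USER": cfg["iam"]["terraform_user_name"],
}
for key, value in exports.items():
    # GITHUB_ENV is line-oriented: a line break inside a value would be read as further definitions.
    if not isinstance(value, str) or not value.strip() or "\n" in value or "\r" in value:
        raise SystemExit(f"bootstrap config: {key} must be a non-empty single-line string")
with env_path.open("a", encoding="utf-8") as fh:
    fh.writelines(f"{key}={value}\n" for key, value in exports.items())
```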
@@ -105,7 +105,16 @@ jobs:
       - name: Destroy
         if: env.DEPLOY_ACTION == 'destroy'
         working-directory: ${{ env.TF_WORKDIR }}/${{ matrix.target }}
-        run: make destroy
+        env:
+          AWS_REGION: ${{ env.BOOTSTRAP_REGION }}
+        run: |
+          if [ "${{ matrix.target }}" = "bootstrap-s3" ]; then
+            make destroy bucket_name=${BOOTSTRAP_BUCKET} region=${BOOTSTRAP_REGION}
+          elif [ "${{ matrix.target }}" = "bootstrap-dynamodb" ]; then
+            make destroy table_name=${BOOTSTRAP_DYNAMODB_TABLE} region=${BOOTSTRAP_REGION}
+          else
+            make destroy role_name=${BOOTSTRAP_ROLE_NAME} terraform_user_name=${BOOTSTRAP_TERRAFORM_USER}
+          fi
       - name: Save Outputs
         if: env.DEPLOY_ACTION == 'apply'
diff --git a/iac-template/terraform-hcl-standard/aws-cloud/bootstrap-dynamodb/Makefile b/iac-template/terraform-hcl-standard/aws-cloud/bootstrap-dynamodb/Makefile
index a9cfaa1b..e23b36f2 100644
--- a/iac-template/terraform-hcl-standard/aws-cloud/bootstrap-dynamodb/Makefile
+++ b/iac-template/terraform-hcl-standard/aws-cloud/bootstrap-dynamodb/Makefile
@@ -16,5 +16,6 @@ plan: init
 output: init
 	terraform output
-destroy: init
-	terraform destroy $(TF_VARS)
+destroy:
+	@test -n "$(table_name)" || (echo "table_name is required for destroy" && exit 1)
+	aws dynamodb delete-table --table-name "$(table_name)" $(if $(region),--region $(region),)
diff --git a/iac-template/terraform-hcl-standard/aws-cloud/bootstrap-iam/Makefile b/iac-template/terraform-hcl-standard/aws-cloud/bootstrap-iam/Makefile
index b8b6ba68..2d0dc767 100644
--- a/iac-template/terraform-hcl-standard/aws-cloud/bootstrap-iam/Makefile
+++ b/iac-template/terraform-hcl-standard/aws-cloud/bootstrap-iam/Makefile
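Review bot: The `else` branch of the new Destroy run script treats every matrix target that is not bootstrap-s3 or bootstrap-dynamodb as the IAM target, so any target added to the matrix later would be handed `role_name`/`terraform_user_name` and run the IAM deletions instead of failing; the Makefile guards only catch empty values, not a wrong target. Make the IAM case explicit and fail closed: `elif [ "${{ matrix.target }}" = "bootstrap-iam" ]; then`, and in `else` use `echo "unexpected target: ${{ matrix.target }}" >&2; exit 1`. The `${BOOTSTRAP_*}` expansions on the three `make destroy` lines are also unquoted; quoting them (`bucket_name="${BOOTSTRAP_BUCKET}"`) keeps a value with spaces or glob characters from being split into extra make arguments, which matters more now that these values come from a config file rather than from Terraform.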
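Review bot: `aws dynamodb delete-table` returns as soon as the table enters DELETING, so the `destroy` target reports success while the table still exists; a re-apply of the bootstrap in a following run can then fail on a name that is not yet free. Adding `aws dynamodb wait table-not-exists --table-name "$(table_name)" $(if $(region),--region $(region),)` after the delete makes the target's exit status mean what callers assume. Unlike the IAM Makefile in this patch, the delete here is not masked with `|| true`, so a missing or protected table fails the job visibly, which is the better default; if idempotent re-runs are wanted, tolerate only `ResourceNotFoundException` rather than every error.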
@@ -15,5 +15,11 @@ plan: init
 	terraform plan $(TF_VARS)
 output: init
 	terraform output
-destroy: init
-	terraform destroy $(TF_VARS)
+
+destroy:
+	@test -n "$(role_name)" || (echo "role_name is required for destroy" && exit 1)
+	@test -n "$(terraform_user_name)" || (echo "terraform_user_name is required for destroy" && exit 1)
+	aws iam delete-user-policy --user-name "$(terraform_user_name)" --policy-name "$(terraform_user_name)-iac-policy" || true
+	aws iam delete-user --user-name "$(terraform_user_name)" || true
+	aws iam detach-role-policy --role-name "$(role_name)" --policy-arn arn:aws:iam::aws:policy/AdministratorAccess || true
+	aws iam delete-role --role-name "$(role_name)" || true
diff --git a/iac-template/terraform-hcl-standard/aws-cloud/bootstrap-s3/Makefile b/iac-template/terraform-hcl-standard/aws-cloud/bootstrap-s3/Makefile
index e678d15d..93ddf852 100644
--- a/iac-template/terraform-hcl-standard/aws-cloud/bootstrap-s3/Makefile
+++ b/iac-template/terraform-hcl-standard/aws-cloud/bootstrap-s3/Makefile
@@ -17,5 +17,6 @@ plan: init
 output: init
 	terraform output
-destroy: init
-	terraform destroy $(TF_VARS)
+destroy:
+	@test -n "$(bucket_name)" || (echo "bucket_name is required for destroy" && exit 1)
+	aws s3 rb "s3://$(bucket_name)" --force $(if $(region),--region $(region),)
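Review bot: The four `|| true` suffixes on the new IAM `destroy` recipe mask every failure, not just "already deleted", so `make destroy` exits 0 even when nothing was removed; in particular `aws iam delete-user` is refused while the user still has access keys, MFA devices, signing certificates or group memberships, and with the error silenced the workflow would report a clean destroy while leaving behind a user whose inline policy was just deleted but whose credentials (if the Terraform user has access keys, which I cannot see from this hunk) remain valid. The same applies to `delete-role` when the role still has an inline policy or an attached policy other than the hard-coded `AdministratorAccess` ARN, which couples this recipe to whatever the Terraform module attaches. Remove the user's access keys before `delete-user`, and end the recipe with a check that fails if the user still exists rather than trusting the masked exit codes:

```makefile
destroy:
	# … unchanged: role_name / terraform_user_name guards …
	# delete-user is refused while access keys remain; remove them first so a failed
	# destroy cannot leave a user behind with live credentials.
	for key in $$(aws iam list-access-keys --user-name "$(terraform_user_name)" \
	        --query 'AccessKeyMetadata[].AccessKeyId' --output text 2>/dev/null); do \
	    aws iam delete-access-key --user-name "$(terraform_user_name)" --access-key-id "$$key"; \
	done
	# … unchanged: delete-user-policy, delete-user, detach-role-policy, delete-role …
	# Fail loudly if the user survived the masked deletions above.
	@! aws iam get-user --user-name "$(terraform_user_name)" >/dev/null 2>&1 || (echo "user $(terraform_user_name) still exists" && exit 1)
```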
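Review bot: `aws s3 rb --force` in the new S3 `destroy` recipe only deletes current object versions; if this bucket has versioning enabled, as Terraform state buckets commonly do (the bucket's .tf is not in this patch, so I cannot confirm it here), the noncurrent versions and delete markers remain and the `rb` fails with BucketNotEmpty, so the destroy never completes. Either document in the recipe that the bucket must be unversioned, or purge object versions and delete markers first via `aws s3api list-object-versions` fed into `aws s3api delete-objects` before the `rb`. It is good that this recipe does not use `|| true`: a bucket holding Terraform state should not be reported as destroyed on a masked failure, and an `aws s3api wait bucket-not-exists --bucket "$(bucket_name)"` after the `rb` would also stop a later re-apply from racing the deletion.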