feat(ci): enhance Terraform IAC pipeline with account/resources matrix workflows

2025-11-17 22:28:56 +08:00 · 2025-11-17 22:28:56 +08:00 · e6fccac7e8
commit e6fccac7e8
parent d5b70c7572
2 changed files with 93 additions and 55 deletions
--- a/.github/workflows/terraform-standard-iac-pipeline-account-matrix.yaml
+++ b/.github/workflows/terraform-standard-iac-pipeline-account-matrix.yaml
@ -1,4 +1,4 @@
-name: Terraform Standard - IAC-Pipeline Account Multi Env Matrix
+name: Terraform Standard - IAC Pipeline (Account/VPC Matrix)

 on:
  push:
@ -6,29 +6,21 @@ on:
      - 'iac-template/terraform-standard/envs/dev-vpc/**'
      - 'iac-template/terraform-standard/envs/dev-role/**'
      - '.github/workflows/terraform-standard-iac-pipeline-account-matrix.yaml'
-  pull_request:
-    branches: [main]
-
  workflow_dispatch:
    inputs:
-      deploy_action:
-        type: choice
-        options: [fmt, lint, plan, apply, destroy]
-        default: plan
-      deploy_dry_run:
+      dry_run:
        type: choice
        options: ['true', 'false']
        default: 'true'

 env:
  BASE_DIR: iac-template/terraform-standard/envs
-  DEPLOY_ACTION: ${{ github.event.inputs.deploy_action || 'plan' }}
-  DEPLOY_DRY_RUN: ${{ github.event.inputs.deploy_dry_run || 'true' }}
  AWS_REGION: ${{ secrets.AWS_REGION }}
+  DRY_RUN: ${{ github.event.inputs.dry_run || 'true' }}

 jobs:
  terraform:
-    name: "${{ matrix.env }} :: ${{ env.DEPLOY_ACTION }}"
+    name: "${{ matrix.env }} :: pipeline (dry_run=${{ env.DRY_RUN }})"
    runs-on: ubuntu-latest

    strategy:
@ -57,50 +49,24 @@ jobs:
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: ${{ env.AWS_REGION }}

-      - name: Run Terraform Action Script
+      - name: Init
        working-directory: ${{ env.BASE_DIR }}/${{ matrix.env }}
-        run: |
-          echo "=== 🚀 Terraform Runner ==="
-          echo "ENV: ${{ matrix.env }}"
-          echo "ACTION: $DEPLOY_ACTION"
-          echo "DRY RUN: $DEPLOY_DRY_RUN"
-          echo ""
+        run: make init

-          case "$DEPLOY_ACTION" in
-            fmt)
-              terraform fmt -check -recursive
-              ;;
-            lint)
-              tflint --init
-              tflint
-              tfsec .
-              ;;
-            plan)
-              terraform init -upgrade
-              terraform plan -no-color > plan_output.txt
-              ;;
-            apply)
-              terraform init -upgrade
-              if [ "$DEPLOY_DRY_RUN" = "false" ]; then
-                terraform apply -auto-approve
-              else
-                echo "[DRY RUN] apply skipped"
-              fi
-              ;;
-            destroy)
-              terraform init -upgrade
-              if [ "$DEPLOY_DRY_RUN" = "false" ]; then
-                terraform destroy -auto-approve
-              else
-                echo "[DRY RUN] destroy skipped"
-              fi
-              ;;
-          esac
+      - name: Plan
+        working-directory: ${{ env.BASE_DIR }}/${{ matrix.env }}
+        run: make plan

-      - name: Upload Plan
-        if: ${{ github.event.inputs.deploy_action == 'plan' }}
-        uses: actions/upload-artifact@v4
-        with:
-          name: plan-${{ matrix.env }}
-          path: ${{ env.BASE_DIR }}/${{ matrix.env }}/plan_output.txt
+      - name: Apply
+        working-directory: ${{ env.BASE_DIR }}/${{ matrix.env }}
+        if: ${{ env.DRY_RUN == 'false' }}
+        run: make apply

+      - name: Skip Apply (dry-run)
+        if: ${{ env.DRY_RUN == 'true' }}
+        run: echo "Dry run enabled → skip apply step."
+
+      - name: Output
+        working-directory: ${{ env.BASE_DIR }}/${{ matrix.env }}
+        if: ${{ env.DRY_RUN == 'false' }}
+        run: terraform output -json
--- a/.github/workflows/terraform-standard-iac-pipeline-resources-matrix.yaml
+++ b/.github/workflows/terraform-standard-iac-pipeline-resources-matrix.yaml
@ -0,0 +1,72 @@
+name: Terraform Standard - IAC Pipeline (Resources Matrix)
+
+on:
+  push:
+    paths:
+      - 'iac-template/terraform-standard/envs/dev-object/**'
+      - 'iac-template/terraform-standard/envs/dev-ec2/**'
+      - '.github/workflows/terraform-standard-iac-pipeline-resources-matrix.yaml'
+  workflow_dispatch:
+    inputs:
+      dry_run:
+        type: choice
+        options: ['true', 'false']
+        default: 'true'
+
+env:
+  BASE_DIR: iac-template/terraform-standard/envs
+  AWS_REGION: ${{ secrets.AWS_REGION }}
+  DRY_RUN: ${{ github.event.inputs.dry_run || 'true' }}
+
+jobs:
+  terraform:
+    name: "${{ matrix.env }} :: pipeline (dry_run=${{ env.DRY_RUN }})"
+    runs-on: ubuntu-latest
+
+    strategy:
+      fail-fast: false
+      matrix:
+        env:
+          - dev-object
+          - dev-ec2
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_version: 1.9.5
+
+      - uses: terraform-linters/setup-tflint@v4
+        with:
+          tflint_version: v0.51.0
+
+      - uses: aquasecurity/tfsec-action@v1.0.3
+
+      - uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          aws-region: ${{ env.AWS_REGION }}
+
+      - name: Init
+        working-directory: ${{ env.BASE_DIR }}/${{ matrix.env }}
+        run: make init
+
+      - name: Plan
+        working-directory: ${{ env.BASE_DIR }}/${{ matrix.env }}
+        run: make plan
+
+      - name: Apply
+        working-directory: ${{ env.BASE_DIR }}/${{ matrix.env }}
+        if: ${{ env.DRY_RUN == 'false' }}
+        run: make apply
+
+      - name: Skip Apply (dry-run)
+        if: ${{ env.DRY_RUN == 'true' }}
+        run: echo "Dry run enabled → skip apply step."
+
+      - name: Output
+        working-directory: ${{ env.BASE_DIR }}/${{ matrix.env }}
+        if: ${{ env.DRY_RUN == 'false' }}
+        run: terraform output -json