114 lines
3.9 KiB
YAML
114 lines
3.9 KiB
YAML
name: Multi Cloud Account Bootstrap
|
|
|
|
concurrency:
|
|
group: terraform-bootstrap-${{ github.ref }}
|
|
cancel-in-progress: false
|
|
|
|
on:
|
|
push:
|
|
pull_request:
|
|
paths:
|
|
- 'terraform-hcl-standard/**'
|
|
- '.github/workflows/iac-pipeline-mutli-cloud-bootstrap.yaml'
|
|
workflow_dispatch:
|
|
inputs:
|
|
deploy_action:
|
|
type: choice
|
|
options: [plan, apply, destroy]
|
|
default: plan
|
|
bootstrap_cloud:
|
|
description: "Path to bootstrap cloud"
|
|
type: string
|
|
default: terraform-hcl-standard/aws-cloud/bootstrap
|
|
gitops_repo_ref:
|
|
description: "GitOps repo ref (branch/tag/sha) to use"
|
|
type: string
|
|
default: main
|
|
gitops_repo_name:
|
|
description: "GitOps repository (URL or owner/repo)"
|
|
type: string
|
|
default: https://github.com/cloud-neutral-workshop/gitops.git
|
|
gitops_bootstrap_config:
|
|
description: "Path to bootstrap config file within the GitOps repo"
|
|
type: string
|
|
default: config/xzerolab/sit/aws-cloud/account/bootstrap.yaml
|
|
|
|
env:
|
|
TG_VERSION: 0.67.14
|
|
TG_ROOT: ${{ github.event.inputs.bootstrap_cloud }}
|
|
GITOPS_REPO: ${{ github.event.inputs.gitops_repo_name }}
|
|
DEPLOY_ACTION: ${{ github.event.inputs.deploy_action || 'plan' }}
|
|
BOOTSTRAP_CONFIG_FILE: ${{ github.event.inputs.gitops_bootstrap_config }}
|
|
BOOTSTRAP_CONFIG_PATH: terraform-hcl-standard/aws-cloud/bootstrap/gitops/${{ github.event.inputs.gitops_bootstrap_config }}
|
|
|
|
jobs:
|
|
bootstrap:
|
|
name: "Bootstrap Modules"
|
|
runs-on: ubuntu-latest
|
|
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
|
|
- name: Checkout GitOps config
|
|
run: |
|
|
git clone --branch "${{ github.event.inputs.gitops_repo_ref || 'main' }}" \
|
|
--depth 1 "${{ env.GITOPS_REPO }}" "${{ env.TG_ROOT }}/gitops"
|
|
|
|
- name: Document Bootstrap Scope
|
|
run: |
|
|
cat <<'SUMMARY' >> "$GITHUB_STEP_SUMMARY"
|
|
## Bootstrap scope
|
|
- IAM: create Terraform deploy role and automation user for DevOps
|
|
- S3: create remote state bucket (versioned + SSE + public access block)
|
|
- DynamoDB: create state lock table with encryption + PITR
|
|
|
|
Terragrunt orchestrates state → lock → identity. Resource names and regions follow terraform-hcl-standard/aws-cloud/config/accounts/bootstrap.yaml.
|
|
SUMMARY
|
|
|
|
- uses: hashicorp/setup-terraform@v3
|
|
with:
|
|
terraform_version: 1.9.5
|
|
|
|
- name: Install Terragrunt
|
|
run: |
|
|
curl -L "https://github.com/gruntwork-io/terragrunt/releases/download/v${TG_VERSION}/terragrunt_linux_amd64" -o terragrunt
|
|
sudo install terragrunt /usr/local/bin/terragrunt
|
|
|
|
- name: AWS Credentials
|
|
uses: aws-actions/configure-aws-credentials@v4
|
|
with:
|
|
aws-access-key-id: ${{ secrets.AWS_BOOTSTRAP_ACCESS_KEY_ID }}
|
|
aws-secret-access-key: ${{ secrets.AWS_BOOTSTRAP_SECRET_ACCESS_KEY }}
|
|
aws-region: ap-northeast-1
|
|
|
|
- name: Force Destroy Bootstrap Resources
|
|
if: env.DEPLOY_ACTION == 'destroy'
|
|
run: |
|
|
./scripts/aws-bootstrap-force-destroy.sh
|
|
|
|
- name: Terragrunt Plan
|
|
if: env.DEPLOY_ACTION == 'plan'
|
|
working-directory: ${{ env.TG_ROOT }}
|
|
run: terragrunt run-all plan --terragrunt-non-interactive
|
|
|
|
- name: Terragrunt Apply
|
|
if: env.DEPLOY_ACTION == 'apply'
|
|
working-directory: ${{ env.TG_ROOT }}
|
|
run: terragrunt run-all apply --terragrunt-non-interactive
|
|
|
|
- name: Save Outputs
|
|
if: env.DEPLOY_ACTION == 'apply'
|
|
working-directory: ${{ env.TG_ROOT }}
|
|
run: |
|
|
mkdir -p outputs
|
|
for dir in state lock identity; do
|
|
terragrunt output -json --terragrunt-working-dir $dir > outputs/${dir}.json
|
|
done
|
|
|
|
- uses: actions/upload-artifact@v4
|
|
if: env.DEPLOY_ACTION == 'apply'
|
|
with:
|
|
name: bootstrap-outputs
|
|
path: ${{ env.TG_ROOT }}/outputs
|
|
retention-days: 30
|