iac_modules/.github/workflows/iac-pipeline-aws-global-landingzone-baseline.yaml
Haitao Pan d30672446a Rename AWS workflow pipelines
Rename terraform-standard AWS workflow files to iac-pipeline naming.
2025-12-24 11:28:00 +08:00


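# GitHub Actions pipeline for the AWS global landing-zone baseline
# (Terraform code under iac-template/terraform-hcl-standard/aws-cloud).
name: AWS Cloud Global LandingZone Baseline

# NOTE(review): the original trigger block listed `pull_request` and `paths`
# twice. Duplicate mapping keys are either rejected or silently last-wins
# depending on the parser, so the intended trigger was ambiguous. Rebuilt so
# both push and pull_request runs are path-filtered and PRs target `main`;
# confirm this matches the intended behaviour.
# Fork pull requests receive a read-only token and no secrets, so the AWS
# credential step can only succeed for same-repository branches.
on:
  push:
    paths:
      - 'iac-template/terraform-hcl-standard/aws-cloud/**'
      - '.github/workflows/iac-pipeline-aws-global-landingzone-baseline.yaml'
  pull_request:
    branches: [main]
    paths:
      - 'iac-template/terraform-hcl-standard/aws-cloud/**'
      - '.github/workflows/iac-pipeline-aws-global-landingzone-baseline.yaml'
  workflow_dispatch:
    inputs:
      # `plan` and `apply` have matching steps below; `destroy` is offered
      # here but no step in this workflow acts on it.
      deploy_action:
        description: "Deployment action"
        type: choice
        options: [plan, apply, destroy]
        default: plan
      # Not referenced by any step in this workflow.
      deploy_dry_run:
        description: "Dry-run mode"
        type: choice
        options: ['true', 'false']
        default: 'true'

# Least-privilege GITHUB_TOKEN: `id-token: write` is required for the OIDC
# role assumption performed by configure-aws-credentials, and `contents: read`
# is all that checkout needs. Without this block the role assumption fails.
permissions:
  id-token: write
  contents: read

# Serialise runs on the same ref so two apply/destroy runs cannot race on the
# Terraform state; in-flight runs are never cancelled mid-apply.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: false

env:
  TF_WORKDIR: iac-template/terraform-hcl-standard/aws-cloud
  # On push/pull_request the dispatch inputs are empty, so this falls back to
  # a read-only plan.
  DEPLOY_ACTION: ${{ github.event.inputs.deploy_action || 'plan' }}
  # Single source of truth for the region; the credential step reads this.
  AWS_REGION: ap-northeast-1
  # Deploy role assumed via OIDC. The account id is not a secret, but keeping
  # the ARN in a repository variable rather than the workflow eases rotation.
  AWS_ROLE_ARN: arn:aws:iam::950604983695:role/GithubAction_IAC_Deploy_Role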
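jobs:
  # -------------------------------------------------------
  # 1. Landing Zone Baseline Stage
  # -------------------------------------------------------
  # Plans on every trigger; apply runs only when a workflow_dispatch run
  # selects `apply`. Plan and apply therefore never run in the same job run.
  landingzone:
    name: "Deploy LandingZone Baseline"
    runs-on: ubuntu-latest
    steps:
      # Actions are pinned by major tag; for a pipeline holding a deploy
      # role, pinning each action to a full commit SHA is the stronger
      # supply-chain control.
      - uses: actions/checkout@v4
      - uses: hashicorp/setup-terraform@v3
        with:
          terraform_version: "1.9.5"
      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          # Read the region from the workflow env. The original used
          # `secrets.AWS_REGION`, which is a second, independently managed
          # value that could diverge from (or be missing versus) `env.AWS_REGION`.
          aws-region: ${{ env.AWS_REGION }}
          role-to-assume: ${{ env.AWS_ROLE_ARN }}
      - name: Terraform Init (LandingZone)
        working-directory: ${{ env.TF_WORKDIR }}/envs/dev-landingzone
        # NOTE(review): `-upgrade` re-resolves providers to the newest
        # versions allowed by the constraints instead of honouring the
        # dependency lock file; drop it once the lock file is committed.
        run: terraform init -upgrade
      - name: Terraform Plan (LandingZone)
        id: tfplan
        if: env.DEPLOY_ACTION == 'plan'
        working-directory: ${{ env.TF_WORKDIR }}/envs/dev-landingzone
        run: terraform plan -no-color > plan_output.txt
      - name: Upload LandingZone Plan Artifact
        # plan_output.txt only exists when the plan step ran.
        if: env.DEPLOY_ACTION == 'plan'
        uses: actions/upload-artifact@v4
        with:
          name: landingzone-plan
          path: ${{ env.TF_WORKDIR }}/envs/dev-landingzone/plan_output.txt
      - name: Terraform Apply (LandingZone)
        # Applies the live diff, not the uploaded plan artifact: the artifact
        # from a `plan` run is review-only and is not fed into this step.
        if: env.DEPLOY_ACTION == 'apply'
        working-directory: ${{ env.TF_WORKDIR }}/envs/dev-landingzone
        run: terraform apply -auto-approve

  # -------------------------------------------------------
  # 2. Validation Stage
  # -------------------------------------------------------
  # Runs the repository's validation script against the landing-zone env
  # directory. No AWS credentials are configured in this job.
  validation:
    name: "Validate LandingZone Baseline"
    needs: landingzone
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run Validation Checks
        run: |
          echo "⚙️ Running LandingZone baseline validation..."
          chmod +x scripts/validation/validate-landingzone.sh
          scripts/validation/validate-landingzone.sh \
            ${{ env.TF_WORKDIR }}/envs/dev-landingzone

  # -------------------------------------------------------
  # 3. Delivery / Notification Stage
  # -------------------------------------------------------
  delivery:
    name: "Delivery: Notify Rollout"
    needs: validation
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Notify
        env:
          SMTP_PASSWORD: ${{ secrets.SMTP_PASSWORD }}  # only the password comes from a secret
          # NOTE(review): a personal mailbox is hard-coded here; prefer a
          # repository variable or secret so it is not committed to VCS.
          SMTP_USERNAME: "manbuzhe2009@qq.com"
        run: |
          echo "📣 Sending LandingZone rollout notification..."
          chmod +x scripts/notifications/notify-landingzone.sh
          ./scripts/notifications/notify-landingzone.sh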