fix(ci): source tf state region from vault

Haitao Pan 2026-06-26 18:10:28 +08:00
parent 3b270f4959
commit 002257ce5b


@ -153,6 +153,7 @@ jobs:
TF_STATE_BUCKET: ${{ steps.vault.outputs.TF_STATE_BUCKET }}
TF_STATE_ACCESS_KEY: ${{ steps.vault.outputs.TF_STATE_ACCESS_KEY }}
TF_STATE_SECRET_KEY: ${{ steps.vault.outputs.TF_STATE_SECRET_KEY }}
TF_STATE_REGION: ${{ steps.vault.outputs.TF_STATE_REGION }}
run: |
set -euo pipefail
# 校验 REQUIRED 机密非空(不打印任何值,仅判空)。
@ -162,7 +163,7 @@ jobs:
echo "::error::缺少必需机密 VULTR_API_KEY (Vault: ${VAULT_KV}/VULTR_API_KEY)"
missing=1
fi
for k in TF_STATE_ENDPOINT TF_STATE_BUCKET TF_STATE_ACCESS_KEY TF_STATE_SECRET_KEY; do
for k in TF_STATE_ENDPOINT TF_STATE_BUCKET TF_STATE_ACCESS_KEY TF_STATE_SECRET_KEY TF_STATE_REGION; do
if [ -z "$(eval echo \"\${$k:-}\")" ]; then
echo "::error::缺少必需机密 $k (Vault: ${VAULT_KV}/$k) —— 远端 S3 state 后端为强制要求"
missing=1
@ -199,6 +200,7 @@ jobs:
working-directory: ${{ env.ENV_DIR }}
env:
TF_STATE_ENDPOINT: ${{ steps.vault.outputs.TF_STATE_ENDPOINT }}
TF_STATE_REGION: ${{ steps.vault.outputs.TF_STATE_REGION }}
run: python3 $GITHUB_WORKSPACE/${{ env.VPS_ROOT }}/scripts/render_backend_tf.py backend.tf
- name: generate.py render (YAML -> 显式 HCL + tfvars)
@ -212,6 +214,7 @@ jobs:
AWS_SECRET_ACCESS_KEY: ${{ steps.vault.outputs.TF_STATE_SECRET_KEY }}
TF_STATE_ENDPOINT: ${{ steps.vault.outputs.TF_STATE_ENDPOINT }}
TF_STATE_BUCKET: ${{ steps.vault.outputs.TF_STATE_BUCKET }}
TF_STATE_REGION: ${{ steps.vault.outputs.TF_STATE_REGION }}
run: |
set -euo pipefail
# 远端 S3 兼容 state 后端强制启用backend.tf 已由上一步渲染);
@ -223,7 +226,7 @@ jobs:
terraform init -input=false \
-backend-config="bucket=${TF_STATE_BUCKET}" \
-backend-config="key=ai-workspace/terraform.tfstate" \
-backend-config="region=us-east-1"
-backend-config="region=${TF_STATE_REGION}"
- name: Terraform ${{ github.event.inputs.terraform_action || 'apply' }}
working-directory: ${{ env.ENV_DIR }}
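Review bot: The new TF_STATE_REGION value is only checked for non-emptiness in the extended `for k in …` loop before it is interpolated into `-backend-config="region=${TF_STATE_REGION}"` and exported to render_backend_tf.py, so a malformed or wrongly-stored Vault entry is not rejected until terraform init, where the failure is harder to attribute. A shape check after the loop, e.g. `case "${TF_STATE_REGION:-}" in *[!a-z0-9-]*) echo "::error::TF_STATE_REGION has an unexpected format (expected [a-z0-9-]+)"; missing=1;; esac`, would fail fast in the same step and with the same error convention the loop already uses. Assuming the step runs under the default bash shell, the `eval echo \"\${$k:-}\"` indirection the loop relies on could also be written as `"${!k:-}"`, which avoids re-parsing a command string built from the variable name. The validation step's body, including where `missing` is finally acted on, continues outside the hunk.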