ai-workspace-lab/xworkspace-console
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(ci): pin aws tfstate region for s3 backend

Browse Source
This commit is contained in:
Haitao Pan 2026-06-26 18:07:52 +08:00
parent 8f8e925706
commit 3b270f4959
1 changed files with 2 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
.github/workflows/deploy-ai-workspace-iac.yaml vendored
View File

@ -153,7 +153,6 @@ jobs:
TF_STATE_BUCKET: ${{ steps.vault.outputs.TF_STATE_BUCKET }} TF_STATE_BUCKET: ${{ steps.vault.outputs.TF_STATE_BUCKET }}
TF_STATE_ACCESS_KEY: ${{ steps.vault.outputs.TF_STATE_ACCESS_KEY }} TF_STATE_ACCESS_KEY: ${{ steps.vault.outputs.TF_STATE_ACCESS_KEY }}
TF_STATE_SECRET_KEY: ${{ steps.vault.outputs.TF_STATE_SECRET_KEY }} TF_STATE_SECRET_KEY: ${{ steps.vault.outputs.TF_STATE_SECRET_KEY }}
TF_STATE_REGION: ${{ steps.vault.outputs.TF_STATE_REGION }}
run: | run: |
set -euo pipefail set -euo pipefail
# 校验 REQUIRED 机密非空(不打印任何值,仅判空)。 # 校验 REQUIRED 机密非空(不打印任何值,仅判空)。
@ -163,7 +162,7 @@ jobs:
echo "::error::缺少必需机密 VULTR_API_KEY (Vault: ${VAULT_KV}/VULTR_API_KEY)" echo "::error::缺少必需机密 VULTR_API_KEY (Vault: ${VAULT_KV}/VULTR_API_KEY)"
missing=1 missing=1
fi fi
for k in TF_STATE_ENDPOINT TF_STATE_BUCKET TF_STATE_ACCESS_KEY TF_STATE_SECRET_KEY TF_STATE_REGION; do for k in TF_STATE_ENDPOINT TF_STATE_BUCKET TF_STATE_ACCESS_KEY TF_STATE_SECRET_KEY; do
if [ -z "$(eval echo \"\${$k:-}\")" ]; then if [ -z "$(eval echo \"\${$k:-}\")" ]; then
echo "::error::缺少必需机密 $k (Vault: ${VAULT_KV}/$k) —— 远端 S3 state 后端为强制要求" echo "::error::缺少必需机密 $k (Vault: ${VAULT_KV}/$k) —— 远端 S3 state 后端为强制要求"
missing=1 missing=1
@ -200,7 +199,6 @@ jobs:
working-directory: ${{ env.ENV_DIR }} working-directory: ${{ env.ENV_DIR }}
env: env:
TF_STATE_ENDPOINT: ${{ steps.vault.outputs.TF_STATE_ENDPOINT }} TF_STATE_ENDPOINT: ${{ steps.vault.outputs.TF_STATE_ENDPOINT }}
TF_STATE_REGION: ${{ steps.vault.outputs.TF_STATE_REGION }}
run: python3 $GITHUB_WORKSPACE/${{ env.VPS_ROOT }}/scripts/render_backend_tf.py backend.tf run: python3 $GITHUB_WORKSPACE/${{ env.VPS_ROOT }}/scripts/render_backend_tf.py backend.tf
- name: generate.py render (YAML -> 显式 HCL + tfvars) - name: generate.py render (YAML -> 显式 HCL + tfvars)
@ -214,7 +212,6 @@ jobs:
AWS_SECRET_ACCESS_KEY: ${{ steps.vault.outputs.TF_STATE_SECRET_KEY }} AWS_SECRET_ACCESS_KEY: ${{ steps.vault.outputs.TF_STATE_SECRET_KEY }}
TF_STATE_ENDPOINT: ${{ steps.vault.outputs.TF_STATE_ENDPOINT }} TF_STATE_ENDPOINT: ${{ steps.vault.outputs.TF_STATE_ENDPOINT }}
TF_STATE_BUCKET: ${{ steps.vault.outputs.TF_STATE_BUCKET }} TF_STATE_BUCKET: ${{ steps.vault.outputs.TF_STATE_BUCKET }}
TF_STATE_REGION: ${{ steps.vault.outputs.TF_STATE_REGION }}
run: | run: |
set -euo pipefail set -euo pipefail
# 远端 S3 兼容 state 后端强制启用backend.tf 已由上一步渲染); # 远端 S3 兼容 state 后端强制启用backend.tf 已由上一步渲染);
@ -226,7 +223,7 @@ jobs:
terraform init -input=false \ terraform init -input=false \
-backend-config="bucket=${TF_STATE_BUCKET}" \ -backend-config="bucket=${TF_STATE_BUCKET}" \
-backend-config="key=ai-workspace/terraform.tfstate" \ -backend-config="key=ai-workspace/terraform.tfstate" \
-backend-config="region=${TF_STATE_REGION}" -backend-config="region=us-east-1"
- name: Terraform ${{ github.event.inputs.terraform_action || 'apply' }} - name: Terraform ${{ github.event.inputs.terraform_action || 'apply' }}
working-directory: ${{ env.ENV_DIR }} working-directory: ${{ env.ENV_DIR }}