fix(ci): require tf state region from vault

.github/workflows/deploy-ai-workspace-iac.yaml

@@ -153,6 +153,7 @@ jobs:
           TF_STATE_BUCKET: ${{ steps.vault.outputs.TF_STATE_BUCKET }}
           TF_STATE_ACCESS_KEY: ${{ steps.vault.outputs.TF_STATE_ACCESS_KEY }}
           TF_STATE_SECRET_KEY: ${{ steps.vault.outputs.TF_STATE_SECRET_KEY }}
+          TF_STATE_REGION: ${{ steps.vault.outputs.TF_STATE_REGION }}
         run: |
           set -euo pipefail
           # 校验 REQUIRED 机密非空（不打印任何值，仅判空）。
@@ -162,7 +163,7 @@ jobs:
             echo "::error::缺少必需机密 VULTR_API_KEY (Vault: ${VAULT_KV}/VULTR_API_KEY)"
             missing=1
           fi
-          for k in TF_STATE_ENDPOINT TF_STATE_BUCKET TF_STATE_ACCESS_KEY TF_STATE_SECRET_KEY; do
+          for k in TF_STATE_ENDPOINT TF_STATE_BUCKET TF_STATE_ACCESS_KEY TF_STATE_SECRET_KEY TF_STATE_REGION; do
             if [ -z "$(eval echo \"\${$k:-}\")" ]; then
               echo "::error::缺少必需机密 $k (Vault: ${VAULT_KV}/$k) —— 远端 S3 state 后端为强制要求"
               missing=1
@@ -199,6 +200,7 @@ jobs:
         working-directory: ${{ env.ENV_DIR }}
         env:
           TF_STATE_ENDPOINT: ${{ steps.vault.outputs.TF_STATE_ENDPOINT }}
+          TF_STATE_REGION: ${{ steps.vault.outputs.TF_STATE_REGION }}
         run: python3 $GITHUB_WORKSPACE/${{ env.VPS_ROOT }}/scripts/render_backend_tf.py backend.tf
 
       - name: generate.py render (YAML -> 显式 HCL + tfvars)
@@ -224,7 +226,7 @@ jobs:
           terraform init -input=false \
             -backend-config="bucket=${TF_STATE_BUCKET}" \
             -backend-config="key=ai-workspace/terraform.tfstate" \
-            -backend-config="region=${TF_STATE_REGION:-us-east-1}"
+            -backend-config="region=${TF_STATE_REGION}"
 
       - name: Terraform ${{ github.event.inputs.terraform_action || 'apply' }}
         working-directory: ${{ env.ENV_DIR }}