Github Actions revert/destroy terraform AWS infrastructure created by Terraform Plan
I have set up terraform for AWS infrastructure, but I cannot set up a workflow in which I can trigger destruction of the infrastructure created with Terraform plan/apply.
Is it possible to trigger a GitHub Action manually, without pushing code or creating a pull request?
I do not want to register a workspace on HashiCorp; I want to run the pipeline on GitHub Actions itself.
There is a resource for destroying the infrastructure, but it only works on pull request close.
Use workflow_dispatch
https://docs.github.com/en/actions/reference/events-that-trigger-workflows#workflow_dispatch
Then you can run it manually from the web GUI.
Here is how to create a workflow that can be triggered manually, where Terraform apply and destroy are selected through workflow inputs. The backend is responsible for storing the state, so we store the state file in an S3 bucket.
For this, the first step is to create an S3 bucket.
Create a new file backend.tf and add the following code to it.

```hcl
terraform {
  backend "s3" {
    bucket = "mybucket"
    key    = "path/to/my/key"
    region = "us-east-1"
  }
}
```

This assumes we created a bucket named mybucket. The Terraform state is written to the key path/to/my/key.
Now create a workflow file.
```yaml
name: "Terraform"
on:
  workflow_dispatch:
    inputs:
      # Working directory input from user.
      resource:
        type: choice
        description: Choose the resource
        options:
          - name_of_dir1
          - name_of_dir2
      # Terraform action you want to perform
      action:
        description: 'Terraform Action to Perform'
        type: choice
        options:
          - Terraform_apply
          - Terraform_destroy
jobs:
  terraform_apply:
    name: "Terraform_apply"
    if: ${{ github.event.inputs.action == 'Terraform_apply' }}
    runs-on: ubuntu-latest
    defaults:
      run:
        working-directory: ${{ github.event.inputs.resource }}
    steps:
      - name: Checkout
        uses: actions/checkout@v2
      - name: Setup Terraform
        uses: hashicorp/setup-terraform@v1
      - name: Terraform Init
        id: init
        run: terraform init
        env:
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          AWS_DEFAULT_REGION: ${{ secrets.REGION }}
      - name: Terraform Validate
        id: validate
        run: terraform validate -no-color
      - name: Terraform Apply
        id: apply
        run: terraform apply -auto-approve -var-file=variables.tfvars
        env:
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          AWS_DEFAULT_REGION: ${{ secrets.REGION }}
  terraform_destroy:
    name: "Terraform_destroy"
    if: ${{ github.event.inputs.action == 'Terraform_destroy' }}
    runs-on: ubuntu-latest
    defaults:
      run:
        working-directory: ${{ github.event.inputs.resource }}
    steps:
      - name: Checkout
        uses: actions/checkout@v2
      - name: Setup Terraform
        uses: hashicorp/setup-terraform@v1
      - name: Terraform Init
        id: init
        run: terraform init
        env:
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          AWS_DEFAULT_REGION: ${{ secrets.REGION }}
      - name: Terraform Destroy
        id: destroy
        working-directory: ${{ github.event.inputs.resource }}
        run: terraform destroy -auto-approve -var-file=variables.tfvars
        env:
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          AWS_DEFAULT_REGION: ${{ secrets.REGION }}
```
I created another workflow that can be triggered manually and uses the state file to destroy the existing infrastructure.
For this I need to store the state file. I store the file on AWS S3.
Note: you can use the terraform backend to maintain versions of the state file.
I did not do that because I could not configure it for different environments, and variables are not allowed.
Here are the changes in the Terraform create Infrastructure job:
```yaml
- name: AWS Plan Copy
  id: copyfrom
  # Download the previous state as terraform.tfstate, the local state file name
  # Terraform reads by default (the upload step below also uses that name).
  run: aws s3 cp s3://your-bucket/yourapp-${{ env.ENVIRONMENT }}.tfstate terraform.tfstate
  env:
    AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
    AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
    AWS_DEFAULT_REGION: ${{ secrets.REGION }}
  continue-on-error: true  # in case infra does not exist
- name: Terraform Plan
  id: plan
  # Plan creation is required both on pull_request and push
  if: ${{ github.event_name == 'pull_request' || github.event_name == 'push' }}
  run: terraform plan
  continue-on-error: true
- name: Terraform Apply
  id: apply
  if: github.event_name == 'push'
  run: terraform apply -auto-approve
- name: AWS Plan Copy
  if: github.event_name == 'push' && steps.apply.outcome == 'success'
  run: aws s3 cp terraform.tfstate s3://your-bucket/yourapp-${{ env.ENVIRONMENT }}.tfstate
  id: copy
  env:
    AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
    AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
    AWS_DEFAULT_REGION: ${{ secrets.REGION }}
```
The destroy workflow:

```yaml
name: Manually triggered workflow
on:
  workflow_dispatch:
    inputs:
      env:
        description: 'Environment'
        required: true
        default: 'dev'
jobs:
  destroy:
    name: "Destroy AWS"
    runs-on: ubuntu-latest
    # Job-level credentials: used by the aws CLI steps and by the Terraform AWS provider
    # during plan and destroy.
    env:
      AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
      AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
      AWS_DEFAULT_REGION: ${{ secrets.REGION }}
    steps:
      # Terraform needs the configuration checked out and the providers initialised
      # before it can read the downloaded state.
      - name: Checkout
        uses: actions/checkout@v2
      - name: Setup Terraform
        uses: hashicorp/setup-terraform@v1
      - name: Terraform Init
        run: terraform init
      - name: AWS Plan Copy
        run: aws s3 cp s3://your-bucket/yourapp-${{ github.event.inputs.env }}.tfstate terraform.tfstate
        id: copy
      - name: Show Destroy plan
        run: terraform plan -destroy
        continue-on-error: true
      - name: Destroy resources jobs
        id: destroy
        run: terraform destroy -auto-approve
      - name: Delete plan file
        if: steps.destroy.outcome == 'success'
        run: aws s3 rm s3://your-bucket/yourapp-${{ github.event.inputs.env }}.tfstate
```
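A hardened variant of the manual destroy workflow, added here as an example and not taken from either answer: it gates the job behind a GitHub environment with required reviewers, uses short-lived OIDC credentials instead of static keys in secrets, serialises runs per environment, supplies the per-environment state key at `terraform init` time (which sidesteps the "variables are not allowed in the backend block" problem), and applies a saved destroy plan so that what was reviewed is exactly what runs. It assumes `backend.tf` declares only `backend "s3" {}`, that GitHub environments named `dev` and `staging` exist with required reviewers configured, and that an IAM role ARN is stored in a secret named `TERRAFORM_DESTROY_ROLE_ARN` (all constructed names).

```yaml
name: Terraform destroy (gated)
on:
  workflow_dispatch:
    inputs:
      env:
        description: 'Environment to destroy'
        type: choice
        options: [dev, staging]   # constructed list; production is deliberately not self-service
permissions:
  id-token: write   # lets the job request an OIDC token to assume the AWS role
  contents: read
# one Terraform run per environment at a time; give the apply workflow the same group name
# so apply and destroy never race on the same state file
concurrency:
  group: terraform-${{ github.event.inputs.env }}
  cancel-in-progress: false
jobs:
  destroy:
    runs-on: ubuntu-latest
    # a GitHub environment configured with required reviewers pauses the job until approved
    environment: ${{ github.event.inputs.env }}
    steps:
      - uses: actions/checkout@v4
      - uses: hashicorp/setup-terraform@v3
      # short-lived credentials from a role whose trust policy names this repository; no static keys
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ secrets.TERRAFORM_DESTROY_ROLE_ARN }}   # assumed secret name
          aws-region: us-east-1
      # backend.tf declares only `backend "s3" {}`; the per-environment key is supplied here,
      # which is how one state file per environment is done without variables in the backend block
      - run: >
          terraform init -input=false
          -backend-config="bucket=mybucket"
          -backend-config="key=yourapp-${{ github.event.inputs.env }}.tfstate"
          -backend-config="region=us-east-1"
      # save the destroy plan to a file, then apply exactly that file
      - run: terraform plan -destroy -input=false -out=destroy.tfplan -var-file=variables.tfvars
      - run: terraform apply -input=false destroy.tfplan
```

Applying a saved plan file needs no `-auto-approve`, and Terraform refuses the apply if the real infrastructure has drifted from what the plan recorded.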