Github Actions revert/destroy terraform AWS infrastructure created by Terraform Plan

I have set up terraform for AWS infrastructure, but I am unable to set up a workflow in which I can trigger the destruction of the infrastructure created with Terraform plan/apply.

Is it possible to trigger a github action manually, without pushing code or creating a pull request?

I don't want to register a workspace on hashicorp; I want to run the pipeline on Github Actions itself.

There are resources for destroying the infrastructure, but they only work on pull request close.

Here is how to create a workflow that can be triggered manually, where Terraform apply and destroy are driven by the inputs of the workflow. The backend is responsible for storing the state, so we store the state file in an S3 bucket.

For this, the first step is to create an S3 bucket.

Create a new file backend.tf and add the following code to it.

terraform {
  backend "s3" {
    bucket = "mybucket"
    key    = "path/to/my/key"
    region = "us-east-1"
  }
}

This assumes we created a bucket named mybucket. The Terraform state is written to the key path/to/my/key.

Now create a workflow file.

name: "Terraform"

on:
  workflow_dispatch:
    inputs:
      # Working directory input from user.
      resource:
        type: choice
        description: Choose the resource
        options:
        - name_of_dir1
        - name_of_dir2
      # Terraform action you want to perform
      action:
        description: 'Terraform Action to Perform'
        type: choice
        options:
        - Terraform_apply
        - Terraform_destroy

jobs:
  terraform_apply:
    name: "Terraform_apply"
    if: ${{ github.event.inputs.action == 'Terraform_apply' }}
    runs-on: ubuntu-latest
    defaults:
      run:
        working-directory: ${{ github.event.inputs.resource }}
    steps:
      - name: Checkout
        uses: actions/checkout@v2

      - name: Setup Terraform
        uses: hashicorp/setup-terraform@v1

      - name: Terraform Init
        id: init
        run: terraform init
        env:
            AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
            AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
            AWS_DEFAULT_REGION: ${{ secrets.REGION }}
      
      - name: Terraform Validate
        id: validate
        run: terraform validate -no-color

      - name: Terraform Apply
        id: apply
        run: terraform apply -auto-approve -var-file=variables.tfvars
        env:
            AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
            AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
            AWS_DEFAULT_REGION: ${{ secrets.REGION }}
  
  terraform_destroy:
    name: "Terraform_destroy"
    if: ${{ github.event.inputs.action == 'Terraform_destroy' }}
    runs-on: ubuntu-latest
    defaults:
      run:
        working-directory: ${{ github.event.inputs.resource }}
    steps:
      - name: Checkout
        uses: actions/checkout@v2

      - name: Setup Terraform
        uses: hashicorp/setup-terraform@v1

      - name: Terraform Init
        id: init
        run: terraform init
        env:
            AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
            AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
            AWS_DEFAULT_REGION: ${{ secrets.REGION }}
      
      - name: Terraform Destroy
        id: destroy
        working-directory: ${{ github.event.inputs.resource }}
        run: terraform destroy -auto-approve -var-file=variables.tfvars
        env:
            AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
            AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
            AWS_DEFAULT_REGION: ${{ secrets.REGION }}

I created another workflow that can be triggered manually and uses the state file to destroy the existing infrastructure.

For this I needed to store the state file. I store the file on AWS S3.

Note: you can use a terraform backend to maintain versions of the state file.

I did not do that, because I could not configure it for different environments and variables are not allowed.

Below are the changes in the Terraform create Infrastructure job:

      # Pull the previously saved state for this environment, if any.
      - name: AWS Plan Copy
        id: copyfrom
        run: aws s3 cp s3://your-bucket/yourapp-${{ env.ENVIRONMENT }}.tfstate yourapp-${{ env.ENVIRONMENT }}.tfstate
        env:
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          AWS_DEFAULT_REGION: ${{ secrets.REGION }}
        continue-on-error: true  # in case the infra does not exist yet

      - name: Terraform Plan
        id: plan
        # Plan creation is required on both pull_request and push
        if: ${{ github.event_name == 'pull_request' || github.event_name == 'push' }}
        run: terraform plan
        continue-on-error: true

      - name: Terraform Apply
        id: apply
        if: github.event_name == 'push'
        run: terraform apply -auto-approve

      # Save the new state back to S3 only if the apply succeeded.
      - name: AWS Plan Copy
        if: github.event_name == 'push' && steps.apply.outcome == 'success'
        run: aws s3 cp terraform.tfstate s3://your-bucket/yourapp-${{ env.ENVIRONMENT }}.tfstate
        id: copy
        env:
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          AWS_DEFAULT_REGION: ${{ secrets.REGION }}

Destroy workflow:

name: Manually triggered workflow
on:
  workflow_dispatch:
    inputs:
      env:
        description: 'Environment'
        required: true
        default: 'dev'

jobs:
  destroy:
    name: "Destroy AWS"
    runs-on: ubuntu-latest
    steps:
        # Assumed: the same checkout, Terraform setup and init steps as the
        # create job, which the destroy job needs before it can run terraform.
        - name: Checkout
          uses: actions/checkout@v2

        - name: Setup Terraform
          uses: hashicorp/setup-terraform@v1

        # Fetch the saved state for the chosen environment as the local state file.
        - name: AWS Plan Copy
          run: aws s3 cp s3://your-bucket/yourapp-${{ github.event.inputs.env }}.tfstate terraform.tfstate
          id: copy
          env:
            AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
            AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
            AWS_DEFAULT_REGION: ${{ secrets.REGION }}

        - name: Terraform Init
          run: terraform init
          env:
            AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
            AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
            AWS_DEFAULT_REGION: ${{ secrets.REGION }}

        - name: Show Destroy plan
          run: terraform plan -destroy
          continue-on-error: true
          env:
            AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
            AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
            AWS_DEFAULT_REGION: ${{ secrets.REGION }}

        - name: Destroy resources jobs
          id: destroy
          run: terraform destroy -auto-approve
          env:
            AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
            AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
            AWS_DEFAULT_REGION: ${{ secrets.REGION }}

        # Remove the saved state only once the destroy succeeded.
        - name: Delete plan file
          if: steps.destroy.outcome == 'success'
          run: aws s3 rm s3://your-bucket/yourapp-${{ github.event.inputs.env }}.tfstate
          env:
            AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
            AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
            AWS_DEFAULT_REGION: ${{ secrets.REGION }}
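Both answers above hand a manually triggered job the power to destroy an environment on the strength of long-lived access keys stored as repository secrets, and the second one copies raw state files around with `aws s3 cp`, which gives no locking and lets an apply and a destroy race. The workflow below is an added example, not code from either answer or from any project, that keeps the same manual apply/destroy idea but adds the guardrails a reviewer would ask for: a per-environment `concurrency` lock, a GitHub `environment` so required reviewers can gate a production destroy, short-lived AWS credentials obtained through OIDC, and a partial S3 backend configuration passed to `terraform init` so each environment gets its own state key (the approach the second answer says it could not get working with variables). The `infra` directory, the bucket and lock-table names, the region and the IAM role ARN are placeholders; `backend.tf` is assumed to contain only `terraform { backend "s3" {} }`.

```yaml
name: "Terraform (manual apply/destroy with guardrails)"

on:
  workflow_dispatch:
    inputs:
      environment:
        description: "Target environment (selects the state key and the GitHub environment)"
        type: choice
        options: [dev, staging, prod]
      action:
        description: "Terraform action to perform"
        type: choice
        options: [apply, destroy]

# Least privilege for the job token: read the repo, mint an OIDC token, nothing else.
permissions:
  contents: read
  id-token: write

# One run per environment at a time, so an apply and a destroy cannot race on the same state.
concurrency:
  group: terraform-${{ inputs.environment }}
  cancel-in-progress: false

jobs:
  terraform:
    runs-on: ubuntu-latest
    # Protection rules configured on this GitHub environment (required reviewers,
    # branch restrictions) gate the run before any AWS call is made.
    environment: ${{ inputs.environment }}
    defaults:
      run:
        working-directory: infra   # assumed directory holding the Terraform code
    steps:
      - uses: actions/checkout@v2

      - uses: hashicorp/setup-terraform@v1

      # Short-lived credentials via OIDC instead of long-lived keys in secrets.
      # Placeholder ARN: the role's trust policy must pin the token's "sub" claim
      # to this repository (and ideally to this environment).
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::123456789012:role/github-terraform-${{ inputs.environment }}
          aws-region: us-east-1

      # Partial backend configuration: the values the backend block cannot take
      # from variables are supplied at init time, one state key per environment,
      # with server-side encryption and a DynamoDB lock table (placeholder names).
      - name: Terraform Init
        run: |
          terraform init -input=false \
            -backend-config="bucket=my-tfstate-bucket" \
            -backend-config="key=yourapp/${{ inputs.environment }}/terraform.tfstate" \
            -backend-config="region=us-east-1" \
            -backend-config="encrypt=true" \
            -backend-config="dynamodb_table=my-tfstate-locks"

      - name: Terraform Validate
        run: terraform validate -no-color

      # Always produce a saved plan first; a destroy is just a plan made with -destroy.
      # The input is passed through an environment variable rather than interpolated
      # into the shell line, so the script never executes text taken from the event.
      - name: Terraform Plan
        env:
          TF_ACTION: ${{ inputs.action }}
        run: |
          if [ "$TF_ACTION" = "destroy" ]; then
            terraform plan -destroy -input=false -no-color -out=tfplan
          else
            terraform plan -input=false -no-color -out=tfplan
          fi

      # Keep the plan as a run artifact so there is a record of what was about to
      # change. Path is relative to the workspace, not to working-directory.
      - uses: actions/upload-artifact@v4
        with:
          name: tfplan-${{ inputs.environment }}-${{ github.run_id }}
          path: infra/tfplan
          retention-days: 7

      # Apply exactly the saved plan, so what was reviewed is what runs.
      - name: Terraform Apply saved plan
        run: terraform apply -input=false tfplan
```

Two points worth checking before adopting this: a saved plan file can contain sensitive attribute values, so artifact visibility and retention should match how you treat state; and the DynamoDB-based locking shown here is the long-standing S3 backend option, so confirm it against the Terraform version you run, as newer releases offer S3-native locking as well.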
