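# Reusable workflow (`workflow_call`): plan, and optionally apply, one terraform
# root module under ./terraform/<terraform_path>. Callers invoke it with `uses:`
# and pass the inputs/secrets declared here.
on:
  workflow_call:
    inputs:
      terraform_path:
        description: 'Sub-directory under ./terraform holding the root module to run (also used as working-directory)'
        required: true
        type: string
      workspace:
        description: 'Terraform workspace, exported as TF_WORKSPACE for plan/apply'
        required: true
        type: string
      container_version:
        description: 'Image tag to use'
        required: false
        type: string
        default: ''
      apply:
        description: "Whether to apply terraform ('true' runs terraform apply after the plan)"
        required: false
        type: string
        default: 'false'
      specific_path:
        description: "Build on a specific path ('terraform' and 'admin' change which image tag is passed to terraform)"
        required: false
        default: 'all'
        type: string
      add_ttl:
        # Fixed: the description had been copy-pasted from specific_path.
        description: "Whether to write a TTL record for the workspace to DynamoDB (only honoured when apply is 'true')"
        required: false
        default: 'false'
        type: string
      extra_vars:
        description: "Extra vars to pass to terraform (-var foo=bar); word-split into separate arguments, shell quoting is not interpreted"
        required: false
        default: ''
        type: string
    # Declared explicitly so a caller only has to hand over the three secrets this
    # workflow actually reads (or `secrets: inherit`), rather than everything.
    secrets:
      AWS_ACCESS_KEY_ID_ACTIONS:
        required: true
      AWS_SECRET_ACCESS_KEY_ACTIONS:
        required: true
      USE_AN_LPA_DEPLOY_KEY_PRIVATE_KEY:
        required: true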
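jobs:
  terraform_workflow:
    runs-on: ubuntu-latest
    # Least privilege for GITHUB_TOKEN: checkout only needs read access and no
    # step below is seen to use the token for anything else. Widen here (e.g.
    # `id-token: write`) if the AWS steps are moved to OIDC.
    permissions:
      contents: read
    steps:
      - name: export versions to use
        id: version-output
        env:
          TAG: ${{ inputs.container_version }}
          SPECIFIC_PATH: ${{ inputs.specific_path }}
        run: |
          # Decide which image tag each service is given, based on the path built:
          #   terraform -> both services keep 'latest'
          #   admin     -> only the admin image gets the new tag
          #   anything else (including the default 'all') -> both get the new tag
          case "${SPECIFIC_PATH}" in
            terraform)
              echo "tag=latest" >> "$GITHUB_OUTPUT"
              echo "admin-tag=latest" >> "$GITHUB_OUTPUT"
              ;;
            admin)
              echo "tag=latest" >> "$GITHUB_OUTPUT"
              echo "admin-tag=${TAG}" >> "$GITHUB_OUTPUT"
              ;;
            *)
              echo "tag=${TAG}" >> "$GITHUB_OUTPUT"
              echo "admin-tag=${TAG}" >> "$GITHUB_OUTPUT"
              ;;
          esac
      - uses: actions/checkout@85e6279cec87321a52edac9c87bce653a07cf6c2 # pin@v3
        with:
          fetch-depth: '0'
      - name: Set Terraform version
        # NOTE(review): terraform_path is interpolated into a path; it comes from the
        # calling workflow in this repo, so it is trusted as far as this file can tell.
        working-directory: ./terraform/${{ inputs.terraform_path }}
        id: set-terraform-version
        run: |
          # Version is pinned per root module in its .terraform-version file.
          TF_VERSION=$(cat .terraform-version)
          echo "TF_VERSION=$TF_VERSION" >> "$GITHUB_OUTPUT"
      - uses: unfor19/install-aws-cli-action@27d6061dae5d39e89be4d2246824f15e111a7e06 # [email protected]
      - uses: hashicorp/setup-terraform@344fef46b6edc7c46ce8b3b8b0a3ece7e77e05f0 # [email protected]
        with:
          terraform_version: ${{ steps.set-terraform-version.outputs.TF_VERSION }}
      - name: configure AWS credentials for getting pagerduty token
        # NOTE(review): static access keys stored as repo secrets. Prefer OIDC
        # (`id-token: write` + role-to-assume only) so no long-lived key exists.
        uses: aws-actions/configure-aws-credentials@f171d5c895855a39c1ef93ab625499424407e172 # [email protected]
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID_ACTIONS }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY_ACTIONS }}
          role-to-assume: arn:aws:iam::367815980639:role/opg-use-an-lpa-ci
          aws-region: eu-west-1
          role-duration-seconds: 1800
          role-session-name: OPGUseAnLPADevAssumeGithubAction
      - name: set pagerduty token
        # `shell: bash` enables -o pipefail so a failed `aws` call is not masked by jq.
        shell: bash
        run: |
          # Fetch the PagerDuty API key with the role assumed in the previous step.
          # Previously this was `export VAR=$(...)`: export's own exit status is what
          # `-e` sees, so a failed fetch silently produced an empty token that then
          # flowed into plan/apply. Assign first, then fail loudly on an empty value.
          TF_VAR_pagerduty_token=$(aws secretsmanager get-secret-value \
            --secret-id pagerduty_api_key --region eu-west-1 \
            | jq -r '.SecretString')
          if [[ -z "${TF_VAR_pagerduty_token}" || "${TF_VAR_pagerduty_token}" == "null" ]]; then
            echo "::error::could not read pagerduty_api_key from Secrets Manager"
            exit 1
          fi
          # Mask before the value is written anywhere so it never appears in logs.
          echo "::add-mask::${TF_VAR_pagerduty_token}"
          # GITHUB_ENV exposes the token to every later step in this job, including
          # the third-party actions below; masking hides it from logs only.
          echo "TF_VAR_pagerduty_token=${TF_VAR_pagerduty_token}" >> "$GITHUB_ENV"
      - name: configure AWS credentials for terraform
        # NOTE(review): no role-to-assume here, so terraform itself runs on the
        # static-key principal; role-duration-seconds and role-session-name only
        # apply when a role is assumed. Fine if the providers assume their own
        # roles — confirm against the terraform provider config.
        uses: aws-actions/configure-aws-credentials@f171d5c895855a39c1ef93ab625499424407e172 # [email protected]
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID_ACTIONS }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY_ACTIONS }}
          aws-region: eu-west-1
          role-duration-seconds: 1800
          role-session-name: OPGUseAnLPATerraformGithubAction
      # Deploy key for git-over-SSH access (presumably private module sources);
      # it stays loaded in the agent for the rest of the job.
      - uses: webfactory/ssh-agent@72c0bfd31ab22a2e11716951e3f107a9647dc97e # [email protected]
        with:
          ssh-private-key: ${{ secrets.USE_AN_LPA_DEPLOY_KEY_PRIVATE_KEY }}
      - name: output terraform variables
        env:
          TF_PATH: ${{ inputs.terraform_path }}
          TF_WORKSPACE: ${{ inputs.workspace }}
          TAG: ${{ steps.version-output.outputs.tag }}
          ADMIN_TAG: ${{ steps.version-output.outputs.admin-tag }}
        # Informational only; never blocks the run.
        run: |
          echo "Path: ${TF_PATH}"
          echo "Workspace: ${TF_WORKSPACE}"
          echo "Image tag: ${TAG}"
          echo "Admin image tag: ${ADMIN_TAG}"
        working-directory: terraform/${{ inputs.terraform_path }}
        continue-on-error: true
      - name: terraform init
        run: terraform init -input=false
        working-directory: terraform/${{ inputs.terraform_path }}
      - name: terraform plan ${{ inputs.terraform_path }}
        env:
          TF_WORKSPACE: ${{ inputs.workspace }}
          TF_VAR_container_version: ${{ steps.version-output.outputs.tag }}
          TF_VAR_admin_container_version: ${{ steps.version-output.outputs.admin-tag }}
          # Passed through the environment instead of being expanded into the script
          # with `${{ }}`: an expanded value is parsed as shell, so anything the
          # caller derives from a PR/branch/issue field could run commands here.
          # Left unquoted below so several `-var foo=bar` flags still word-split.
          EXTRA_VARS: ${{ inputs.extra_vars }}
        run: |
          terraform workspace show
          # shellcheck disable=SC2086  # word splitting of EXTRA_VARS is intentional
          terraform plan -input=false -parallelism=30 -lock-timeout=5m ${EXTRA_VARS}
        working-directory: terraform/${{ inputs.terraform_path }}
      - name: add TTL to dynamodb for environment
        if: inputs.apply == 'true' && inputs.add_ttl == 'true'
        env:
          TF_WORKSPACE: ${{ inputs.workspace }}
        # Runs from the repository root (no working-directory). The binary is
        # checked into the repo, so treat it as a dependency to review like a pinned action.
        run: scripts/pipeline/workspace_cleanup/put_workspace_linux -workspace="${TF_WORKSPACE}"
      - name: terraform apply ${{ inputs.terraform_path }}
        if: inputs.apply == 'true'
        env:
          TF_WORKSPACE: ${{ inputs.workspace }}
          TF_VAR_container_version: ${{ steps.version-output.outputs.tag }}
          TF_VAR_admin_container_version: ${{ steps.version-output.outputs.admin-tag }}
          CI: true
          # Same handling as in the plan step; see the comment there.
          EXTRA_VARS: ${{ inputs.extra_vars }}
        run: |
          # shellcheck disable=SC2086  # word splitting of EXTRA_VARS is intentional
          terraform apply -lock-timeout=300s -input=false -auto-approve -parallelism=30 ${EXTRA_VARS}
        working-directory: terraform/${{ inputs.terraform_path }}
      - name: upload environment cluster config file
        if: inputs.terraform_path == 'environment'
        # NOTE(review): artifacts are downloadable by anyone who can read the run,
        # so cluster_config.json must not contain secrets — confirm what the
        # environment module writes into it.
        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # [email protected]
        with:
          name: environment_config_file_${{ inputs.workspace }}
          path: terraform/environment/cluster_config.json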