---
# Terraform plan/apply pipeline driven by terragrunt.
#
# Trigger model (security-relevant):
#   - `pull_request`, not `pull_request_target`: the run executes in the PR's
#     context, so workflows started from fork PRs do not receive repository
#     secrets or a write-capable token.
#   - the `terraform` job is additionally gated on the `terraform-deps` label,
#     so plan/apply only happens for PRs a maintainer has opted in.
#   - `apply` runs only once the PR reports `merged == true` (the `closed`
#     event type is what makes that step reachable).
name: "Terraform plan and apply"

on: # yamllint disable-line rule:truthy
  pull_request:
    branches:
      - main
    types:
      - opened
      - synchronize
      - reopened
      - labeled
      - closed

# One run per workflow+ref; a newer push queues behind a running job rather
# than cancelling it, so an in-flight terragrunt invocation is never aborted.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: false

# Default token has no permissions; each job grants only what it needs.
permissions: {}

jobs:
  terraform:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      # NOTE(review): no step in this file posts to the PR — confirm the
      # wrapper script or provider actually needs `pull-requests: write`,
      # otherwise drop it to keep the job token read-only.
      pull-requests: write
    timeout-minutes: 10
    # Opt-in gate: only PRs carrying the `terraform-deps` label are processed.
    if: contains(github.event.pull_request.labels.*.name, 'terraform-deps')
    env:
      TF_CLOUD_WORKSPACE: ${{ vars.TF_CLOUD_WORKSPACE }}
      # NOTE(review): points terragrunt at a wrapper script in the repo;
      # confirm this is the variable terragrunt reads (the documented binary
      # override is TERRAGRUNT_TFPATH).
      TERRAGRUNT_PATH: ${{ github.workspace }}/.github/scripts/tfwrapper.sh
    steps:
      # Third-party actions are pinned to full commit SHAs; the trailing
      # comment records the tag the SHA corresponds to.
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
      # Only used to configure Terraform Cloud credentials for the CLI.
      - uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2
        with:
          cli_config_credentials_token: ${{ secrets.TF_API_TOKEN }}
      - uses: aquaproj/aqua-installer@f13c5d2f0357708d85477aabe50fd3f725528745 # v3.1.0
        with:
          aqua_version: v2.40.0
          aqua_opts: ""
      # Secrets are handed to terragrunt through `env:` rather than being
      # interpolated into `run:` scripts, so no `${{ }}` expression is ever
      # expanded into shell text.
      - name: init
        run: |
          terragrunt run-all init --terragrunt-non-interactive
        env:
          TF_CLOUD_ORGANIZATION: ${{ secrets.TF_CLOUD_ORGANIZATION }}
      - name: validate
        run: |
          terragrunt run-all validate --terragrunt-non-interactive
        env:
          TF_CLOUD_ORGANIZATION: ${{ secrets.TF_CLOUD_ORGANIZATION }}
          GITHUB_APP_ID: ${{ secrets.GH_APP_ID }}
          GITHUB_APP_INSTALLATION_ID: ${{ secrets.GH_APP_INSTALLATION_ID }}
          GITHUB_APP_PEM_FILE: ${{ secrets.GH_APP_PEM_FILE }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: plan
        run: |
          terragrunt run-all plan --terragrunt-non-interactive
        env:
          TF_CLOUD_ORGANIZATION: ${{ secrets.TF_CLOUD_ORGANIZATION }}
          GITHUB_APP_ID: ${{ secrets.GH_APP_ID }}
          GITHUB_APP_INSTALLATION_ID: ${{ secrets.GH_APP_INSTALLATION_ID }}
          GITHUB_APP_PEM_FILE: ${{ secrets.GH_APP_PEM_FILE }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      # Apply is reachable only from the `closed` event, and only when the PR
      # was actually merged (a PR closed without merging skips this step).
      - name: apply
        if: github.event.pull_request.merged == true
        run: |
          terragrunt run-all apply --terragrunt-non-interactive
        env:
          TF_CLOUD_ORGANIZATION: ${{ secrets.TF_CLOUD_ORGANIZATION }}
          GITHUB_APP_ID: ${{ secrets.GH_APP_ID }}
          GITHUB_APP_INSTALLATION_ID: ${{ secrets.GH_APP_INSTALLATION_ID }}
          GITHUB_APP_PEM_FILE: ${{ secrets.GH_APP_PEM_FILE }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

  # Aggregating status job: runs even when `terraform` was skipped or failed,
  # so it can serve as a single required check on the branch.
  check-tf-result:
    needs: terraform
    runs-on: ubuntu-latest
    timeout-minutes: 5
    if: always()
    steps:
      # Fails only when an upstream job reports `failure`; `skipped` (label
      # absent) and `cancelled` results pass. NOTE(review): confirm that
      # letting `cancelled` pass is intended for a required check.
      - name: check results
        run: |
          FAILURE_JOBS=$(echo "${NEEDS_JSON}" | jq -r 'to_entries | map(select(.value.result == "failure")) | map(.key + " " + .value.result) | join("\n")')
          if [ -n "${FAILURE_JOBS}" ]; then
            echo "The following jobs failed: ${FAILURE_JOBS}"
            exit 1
          fi
        env:
          # `needs` is serialised into an env var so the script never expands
          # a `${{ }}` expression inline.
          NEEDS_JSON: ${{ toJSON(needs) }}