name: Terraform CI/CD

on:
  push:
    branches:
      - main
  pull_request:
    branches:
      - main

env:
  NOMAD_ADDR: "${{ vars.NOMAD_ADDR }}"
  NOMAD_TOKEN: "${{ secrets.NOMAD_TOKEN }}"
  PG_CONN_STR: "${{ secrets.PG_CONN_STR }}"
  TF_CLI_ARGS: "-no-color"
  TF_IN_AUTOMATION: true
  TF_PLUGIN_CACHE_DIR: ${{ gitea.workspace }}/.terraform.d/plugin-cache

jobs:
  terraform-ci:
    name: Terraform Format, Validate, Lint, Scan
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Setup Terraform
        uses: hashicorp/setup-terraform@v3

      - name: Setup Nomad
        uses: hashicorp/setup-nomad@main

      - name: Create Terraform Plugin Cache Dir
        run: mkdir -v -p $TF_PLUGIN_CACHE_DIR

      - name: Terraform Format Check
        run: terraform fmt -check -recursive

      - name: Nomad fmt
        run: nomad fmt -recursive -check

      - name: Cache Terraform Plugin Dir
        uses: actions/cache@v4
        with:
          path: ${{ env.TF_PLUGIN_CACHE_DIR }}
          key: ${{ runner.os }}-terraform-plugins-${{ hashFiles('**/.terraform.lock.hcl') }}
          restore-keys: |
            ${{ runner.os }}-terraform-plugins-

      - name: Cache TFLint Dir
        uses: actions/cache@v4
        with:
          path: ~/.tflint.d/plugins
          key: ${{ runner.os }}-tflint-${{ hashFiles('.tflint.hcl') }}
          restore-keys: |
            ${{ runner.os }}-tflint-

      - name: Terraform Init
        run: terraform init

      - name: Terraform Validate
        run: terraform validate

      - name: TFLint
        uses: terraform-linters/setup-tflint@v4
      - run: |
          tflint --init
          tflint

  terraform-plan:
    name: Terraform Plan
    runs-on: ubuntu-latest
    needs: terraform-ci
    if: github.event_name == 'pull_request'
    steps:
      - uses: actions/checkout@v4
      - uses: hashicorp/setup-terraform@v3
      - uses: hashicorp/setup-nomad@main

      - name: Create Terraform Plugin Cache Dir
        run: mkdir -v -p $TF_PLUGIN_CACHE_DIR

      - name: Cache Terraform Plugin Dir
        uses: actions/cache@v4
        with:
          path: ${{ env.TF_PLUGIN_CACHE_DIR }}
          key: ${{ runner.os }}-terraform-plugins-${{ hashFiles('**/.terraform.lock.hcl') }}
          restore-keys: |
            ${{ runner.os }}-terraform-plugins-

      - name: Terraform Init
        run: terraform init

      - name: Terraform Plan
        run: terraform plan -out=tfplan

#      - name: Upload Terraform Plan
#        uses: actions/upload-artifact@v4
#        with:
#          name: tfplan
#          path: tfplan

  terraform-apply:
    name: Terraform Apply
    runs-on: ubuntu-latest
    needs: terraform-ci
    if: github.ref == 'refs/heads/main' && github.event_name == 'push'
    steps:
      - uses: actions/checkout@v4
      - uses: hashicorp/setup-terraform@v3
      - uses: hashicorp/setup-nomad@main

      - name: Create Terraform Plugin Cache Dir
        run: mkdir -v -p $TF_PLUGIN_CACHE_DIR

      - name: Cache Terraform Plugin Dir
        uses: actions/cache@v4
        with:
          path: ${{ env.TF_PLUGIN_CACHE_DIR }}
          key: ${{ runner.os }}-terraform-plugins-${{ hashFiles('**/.terraform.lock.hcl') }}
          restore-keys: |
            ${{ runner.os }}-terraform-plugins-

      - name: Terraform Init
        run: terraform init

      - name: Terraform Apply
        run: terraform apply -auto-approve