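# Copyright 2023 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# GitLab CI pipeline rendered through Terraform templating: the `%{ ... }`
# directives and `${ ... }` references are expanded before GitLab parses the
# result as YAML, so the rendered output (not this file) is what must be
# valid YAML. Two stages: `gcp-setup` exchanges the job's GitLab OIDC token
# for short-lived GCP credentials through Workload Identity Federation, then
# `tf-plan-apply` runs Terraform with those credentials.
# NOTE(review): `TF_VAR_FILES` is a multi-line plain scalar whose continuation
# lines come from the join separator; confirm on rendered output that they
# are indented deeper than the key, otherwise the YAML breaks.

variables:
  # Workspace-relative path of the WIF credential config written by gcp-setup.
  # The file holds no secret, only a pointer to token.txt; presumably the
  # Google provider reads this variable to locate it.
  GOOGLE_CREDENTIALS: cicd-sa-credentials.json
  FAST_OUTPUTS_BUCKET: ${outputs_bucket}
  FAST_WIF_PROVIDER: ${identity_provider}
  # Single definition of the ssh-agent socket used by tf-plan-apply; the
  # former job-level override spelled the path differently (ssh_agent vs
  # ssh-agent), which is the kind of drift that silently breaks module fetches.
  SSH_AUTH_SOCK: /tmp/ssh-agent.sock
%{~ if tf_var_files != [] ~}
  TF_VAR_FILES: ${join("\n ", tf_var_files)}
%{~ endif ~}

workflow:
  rules:
    # merge / apply: only a push to the default branch gets the apply
    # service account; this rule is what makes `-auto-approve` below safe.
    - if: $CI_PIPELINE_SOURCE == 'push' && $CI_COMMIT_REF_NAME == $CI_DEFAULT_BRANCH
      variables:
        COMMAND: apply
        FAST_SERVICE_ACCOUNT: ${service_accounts.apply}
        TF_PROVIDERS_FILE: 0-bootstrap-providers.tf
    # pr / plan: merge requests run with the plan service account and its
    # own providers file. Any other pipeline source matches no rule, so no
    # pipeline is created.
    - if: $CI_PIPELINE_SOURCE == 'merge_request_event'
      variables:
        COMMAND: plan
        FAST_SERVICE_ACCOUNT: ${service_accounts.plan}
        TF_PROVIDERS_FILE: 0-bootstrap-r-providers.tf

stages:
  - gcp-setup
  - tf-plan-apply

# TODO: document project-level deploy key used to fetch modules

gcp-setup:
  stage: gcp-setup
  image:
    # NOTE(review): floating tag; pinning a digest keeps the toolchain
    # reproducible and makes upgrades reviewable.
    name: google/cloud-sdk:slim
  # Only the credential config and the providers file are handed to the next
  # stage; token.txt is deliberately not an artifact.
  artifacts:
    paths:
      - cicd-sa-credentials.json
      - providers.tf
  # GitLab-issued OIDC token, exposed to the job as $GITLAB_TOKEN and scoped
  # to the configured audiences.
  id_tokens:
    GITLAB_TOKEN:
      aud:
%{~ for aud in audiences ~}
        - ${aud}
%{~ endfor ~}
  before_script:
    # The credential config reads the token from this file at use time.
    - echo "$GITLAB_TOKEN" > token.txt
  script:
    # Write a credential config that exchanges the OIDC token for a
    # short-lived (900 s) access token of the stage's service account.
    # Expansions are quoted so an unset variable cannot shift arguments.
    - |
      gcloud iam workload-identity-pools create-cred-config \
        "$FAST_WIF_PROVIDER" \
        --service-account="$FAST_SERVICE_ACCOUNT" \
        --service-account-token-lifetime-seconds=900 \
        --output-file="$GOOGLE_CREDENTIALS" \
        --credential-source-file=token.txt
    - gcloud config set auth/credential_file_override "$GOOGLE_CREDENTIALS"
    # Fetch the stage-specific providers file from the FAST outputs bucket.
    - gcloud alpha storage cp -r "gs://$FAST_OUTPUTS_BUCKET/providers/$TF_PROVIDERS_FILE" ./providers.tf

tf-plan-apply:
  stage: tf-plan-apply
  # Pulls cicd-sa-credentials.json and providers.tf from gcp-setup.
  dependencies:
    - gcp-setup
  id_tokens:
    GITLAB_TOKEN:
      aud:
%{~ for aud in audiences ~}
        - ${aud}
%{~ endfor ~}
  image:
    # NOTE(review): untagged image resolves to the latest release; pin a
    # version or digest so plan and apply run the same Terraform build.
    name: hashicorp/terraform
    # Replace the image's terraform entrypoint so the script runs in a shell.
    entrypoint:
      - "/usr/bin/env"
  script:
    # Load the modules deploy key (presumably a masked CI/CD variable) into an
    # agent so `terraform init` can fetch git+ssh module sources.
    # NOTE(review): host keys are fetched at run time, i.e. trust-on-first-use
    # on every job; pinning the known_hosts entry from a CI variable removes
    # the dependence on the network answer. The second keyscan line merges an
    # unhashed copy of the same key into the file.
    - |
      ssh-agent -a "$SSH_AUTH_SOCK"
      echo "$CICD_MODULES_KEY" | ssh-add -
      mkdir -p ~/.ssh
      ssh-keyscan -H 'gitlab.com' >> ~/.ssh/known_hosts
      ssh-keyscan gitlab.com | sort -u - ~/.ssh/known_hosts -o ~/.ssh/known_hosts
    # Artifacts do not carry token.txt, but the credential config points at
    # it, so this job's own OIDC token is written under the same name.
    - echo "$GITLAB_TOKEN" > token.txt
    - terraform init
    - terraform validate
    # $COMMAND comes from workflow:rules. It is quoted so an empty value is a
    # false comparison instead of a shell syntax error, and POSIX `=` is used
    # because the image may run the script under sh rather than bash.
    # plan skips the state lock so MR pipelines never block an apply;
    # apply may auto-approve only because the rules above confine it to
    # pushes on the default branch.
    - 'if [ "$COMMAND" = "plan" ]; then terraform plan -input=false -no-color -lock=false; fi'
    - 'if [ "$COMMAND" = "apply" ]; then terraform apply -input=false -no-color -auto-approve; fi'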