# Copyright 2023 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#      http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

default:
  image:
    name: hashicorp/terraform
    entrypoint:
      - "/usr/bin/env"
      - "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

variables:
  GOOGLE_CREDENTIALS: cicd-sa-credentials.json
  FAST_OUTPUTS_BUCKET: ${outputs_bucket}
  FAST_SERVICE_ACCOUNT: ${service_account}
  FAST_WIF_PROVIDER: ${identity_provider}
  SSH_AUTH_SOCK: /tmp/ssh_agent.sock
  %{~ if tf_providers_file != "" ~}
  TF_PROVIDERS_FILE: ${tf_providers_file}
  %{~ endif ~}
  TF_VAR_FILES: ${tf_var_files == [] ? "''" : join("\n    ", tf_var_files)}

stages:
  - gcp-auth
  - tf-files
  - tf-plan
  - tf-apply

cache:
  key: gcp-auth
  paths:
    - cicd-sa-credentials.json
    - token.txt
    %{~ if tf_providers_file != "" ~}
    - ${tf_providers_file}
    %{~ endif ~}
    %{~ for f in tf_var_files ~}
    - ${f}
    %{~ endfor ~}

gcp-auth:
  id_tokens:
    GITLAB_TOKEN:
      aud:
      %{~ for aud in audiences ~}
        - ${aud}
      %{~ endfor ~}
  image:
    name: google/cloud-sdk:slim
  stage: gcp-auth
  script:
    - echo "$${GITLAB_TOKEN}" > token.txt
    - |
      gcloud iam workload-identity-pools create-cred-config \
        $${FAST_WIF_PROVIDER} \
        --service-account=$${FAST_SERVICE_ACCOUNT} \
        --service-account-token-lifetime-seconds=3600 \
        --output-file=$${GOOGLE_CREDENTIALS} \
        --credential-source-file=token.txt

tf-files:
  dependencies:
    - gcp-auth
  image:
    name: google/cloud-sdk:slim
  stage: tf-files
  script:
    # - gcloud components install -q alpha
    - gcloud config set auth/credential_file_override $${GOOGLE_CREDENTIALS}
    %{~ if tf_providers_file != "" ~}
    - gcloud alpha storage cp -r "gs://$${FAST_OUTPUTS_BUCKET}/providers/${tf_providers_file}" ./
    %{~ endif ~}
    %{~ for f in tf_var_files ~}
    - gcloud alpha storage cp -r "gs://$${FAST_OUTPUTS_BUCKET}/tfvars/${f}" ./
    %{~ endfor ~}
    - ls -l

tf-plan:
  dependencies:
    - tf-files
  stage: tf-plan
  # uncomment the following lines and set the SSH key secret for private modules repo
  # before_script:
  #   - |
  #     ssh-agent -a $SSH_AUTH_SOCK > /dev/null
  #     echo "$CICD_MODULES_KEY" | base64 -d | tr -d '\r' | ssh-add - > /dev/null
  #     mkdir -p ~/.ssh
  #     ssh-keyscan -H 'gitlab.com' >> ~/.ssh/known_hosts
  #     ssh-keyscan gitlab.com | sort -u - ~/.ssh/known_hosts -o ~/.ssh/known_hosts
  script:
    - terraform init
    - terraform validate
    - terraform plan

tf-apply:
  dependencies:
    - tf-files
  stage: tf-apply
  # uncomment the following lines and set the SSH key secret for private modules repo
  # before_script:
  #   - |
  #     ssh-agent -a $SSH_AUTH_SOCK > /dev/null
  #     echo "$CICD_MODULES_KEY" | base64 -d | tr -d '\r' | ssh-add - > /dev/null
  #     mkdir -p ~/.ssh
  #     ssh-keyscan -H 'gitlab.com' >> ~/.ssh/known_hosts
  #     ssh-keyscan gitlab.com | sort -u - ~/.ssh/known_hosts -o ~/.ssh/known_hosts
  script:
    - terraform init
    - terraform validate
    - terraform apply -input=false -auto-approve
  when: manual
  only:
    variables:
      - $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH