erp/.gitea/workflows/vault.yaml

---
# template source: https://github.com/bretfisher/docker-build-workflow/blob/main/templates/call-docker-build.yaml
name: Hashicorp Vault

on: #[push,pull_request]
  workflow_dispatch: {}
  push: &vaultPaths
    paths:
      - 'iac/*.tf'
  pull_request: *vaultPaths

# cancel any previously-started, yet still active runs of this workflow on the same branch
concurrency:
  group: ${{ github.ref }}-${{ github.workflow }}
  cancel-in-progress: true

.vault_step: &vault_step
  name: read vault secret
  uses: https://gitea.arcodange.lab/arcodange-org/vault-action.git@main
  id: vault-secrets
  with:
    url: https://vault.arcodange.lab
    caCertificate: ${{ secrets.HOMELAB_CA_CERT }}
    jwtGiteaOIDC: ${{ needs.gitea_vault_auth.outputs.gitea_vault_jwt }}
    role: gitea_cicd_erp
    method: jwt
    path: gitea_jwt
    secrets: |
        kvv1/google/credentials credentials | GOOGLE_BACKEND_CREDENTIALS ;
        kvv1/gitea/tofu_module_reader ssh_private_key | TERRAFORM_SSH_KEY ;

jobs:
  gitea_vault_auth:
    name: Auth with gitea for vault
    runs-on: ubuntu-latest
    outputs:
      gitea_vault_jwt: ${{steps.gitea_vault_jwt.outputs.id_token}}
    steps:

      - name: Auth with gitea for vault
        id: gitea_vault_jwt
        run: |
          echo -n "${{ secrets.vault_oauth__sh_b64 }}" | base64 -d | bash

  tofu:
    name: Tofu - Vault
    needs:
      - gitea_vault_auth
    runs-on: ubuntu-latest
    env:
      OPENTOFU_VERSION: 1.8.2
      TERRAFORM_VAULT_AUTH_JWT: ${{ needs.gitea_vault_auth.outputs.gitea_vault_jwt }}
      VAULT_CACERT: "${{ github.workspace }}/homelab.pem"
    steps:
      - *vault_step
      - uses: actions/checkout@v4
      - name: prepare vault self signed cert
        run: echo -n "${{ secrets.HOMELAB_CA_CERT }}" | base64 -d > $VAULT_CACERT
      - name: terraform apply
        uses: dflook/terraform-apply@v1
        with:
          path: iac
          auto_approve: true