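---
# template source: https://github.com/bretfisher/docker-build-workflow/blob/main/templates/call-docker-build.yaml
#
# Gitea Actions workflow: obtains an OIDC token from Gitea, exchanges it at Vault
# for the Google backend credentials, then runs OpenTofu/terraform apply on `iac/`.
name: Hashicorp Vault

on:
  #[push,pull_request]
  workflow_dispatch: {}
  push: &vaultPaths
    paths:
      - 'iac/*.tf'
  # SECURITY: this trigger runs the same jobs as `push`, i.e. the Vault secret
  # fetch and (below, now guarded) the apply. If this Gitea instance executes
  # workflows for pull requests from forks, the credentials pulled from Vault
  # are exposed to unreviewed code — confirm the instance's fork-PR policy.
  pull_request: *vaultPaths

# cancel any previously-started, yet still active runs of this workflow on the same branch
# NOTE(review): cancelling a run that is in the middle of `terraform apply` can
# leave the state lock held or the infrastructure half-applied; consider
# `cancel-in-progress: false` for a workflow whose last step is an apply.
concurrency:
  group: ${{ github.ref }}-${{ github.workflow }}
  cancel-in-progress: true

# `.vault_step` is not a workflow key; it only carries the anchor reused in the
# `tofu` job below. GitHub's loader would reject an unknown top-level key —
# this relies on the Gitea runner tolerating it, so re-check on runner upgrades.
.vault_step: &vault_step
  name: read vault secret
  # SECURITY: `@main` is a mutable ref. Anyone who can push to that branch can
  # change the code that handles the OIDC token and the secrets it returns.
  # Pin to a commit SHA (or an immutable tag) once one is chosen.
  uses: https://gitea.arcodange.lab/arcodange-org/vault-action.git@main
  id: vault-secrets
  with:
    url: https://vault.arcodange.lab
    jwtGiteaOIDC: ${{ needs.gitea_vault_auth.outputs.gitea_vault_jwt }}
    role: gitea_cicd_webapp
    method: jwt
    path: gitea_jwt
    # one line per secret: <kv path> <key> | <env var name> ;
    secrets: |
      kvv1/google/credentials credentials | GOOGLE_BACKEND_CREDENTIALS ;

jobs:
  gitea_vault_auth:
    name: Auth with gitea for vault
    runs-on: ubuntu-latest
    # NOTE(review): job outputs are generally not masked the way `secrets.*`
    # are, so the OIDC token may show up in run logs or the API. It is
    # short-lived, but keep the Vault role bound to a narrow audience/subject.
    outputs:
      gitea_vault_jwt: ${{ steps.gitea_vault_jwt.outputs.id_token }}
    steps:
      - name: Auth with gitea for vault
        id: gitea_vault_jwt
        run: |
          set -euo pipefail
          # SECURITY: this bootstraps trust for every later TLS connection
          # (Vault, Gitea) by fetching the private root CA over a connection
          # that is itself unverified (-k) — a trust-on-first-use step an
          # on-path attacker could use to install their own root. Prefer
          # baking the root cert into the runner image, or compare the
          # downloaded file against a known SHA-256 before installing it.
          # `-f`/`-S` make curl fail loudly on an HTTP error instead of
          # writing an error page into the trust store, and the installer's
          # output is no longer discarded so a failure is visible in the log.
          curl -fsSk https://ssl-ca.arcodange.lab:8443/roots.pem \
            -o /usr/local/share/ca-certificates/arcodange-root.crt
          update-ca-certificates
          # The whole auth flow is a base64-encoded script kept in a repository
          # secret, so it cannot be reviewed here; presumably it writes
          # `id_token` to $GITHUB_OUTPUT for the job output above — confirm.
          # Consider committing the script and storing only the credentials it
          # needs as secrets, so the code path that mints the token is
          # reviewable. `pipefail` above makes a failing `base64 -d` or script
          # fail the step instead of silently yielding an empty token.
          echo -n "${{ secrets.vault_oauth__sh_b64 }}" | base64 -d | bash

  tofu:
    name: Tofu - Vault
    needs:
      - gitea_vault_auth
    runs-on: ubuntu-latest
    env:
      OPENTOFU_VERSION: '1.8.2'
      # Job-level env is visible to every step, including the third-party
      # checkout/apply actions below. Presumably consumed by the Vault
      # provider's JWT auth during apply.
      TERRAFORM_VAULT_AUTH_JWT: ${{ needs.gitea_vault_auth.outputs.gitea_vault_jwt }}
    steps:
      - run: |
          set -euo pipefail
          # Same trust-on-first-use CA bootstrap as in gitea_vault_auth; see
          # the SECURITY note there.
          curl -fsSk https://ssl-ca.arcodange.lab:8443/roots.pem \
            -o /usr/local/share/ca-certificates/arcodange-root.crt
          update-ca-certificates
      - *vault_step
      # SECURITY: `v4` and `v1` are mutable tags. For a workflow that holds
      # cloud credentials and applies infrastructure, pin both actions to
      # commit SHAs.
      - uses: actions/checkout@v4
      - name: terraform apply
        # SECURITY: this workflow also fires on `pull_request`; with
        # `auto_approve: true` that would apply any PR touching iac/*.tf before
        # it is reviewed or merged. Apply only on push / manual runs.
        if: github.event_name != 'pull_request'
        uses: dflook/terraform-apply@v1
        with:
          path: iac
          auto_approve: true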