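---
# Terraform (OpenTofu) pipeline: plan on every push to main that touches
# terraform/ (or this workflow), then apply the saved plan from that same run,
# gated behind the `production` environment.
#
# Requires these repository secrets:
#   AGE_SECRET_KEY — age private key for SOPS decryption
#
# Decrypted secrets (notably terraform/secrets.yaml) live only on the
# ephemeral runner. The Backblaze B2 key pair read from that file is exported
# as the AWS_* variables that the S3-compatible state backend expects.
#
# The plan and apply jobs repeat the same bootstrap steps on purpose: each job
# runs on a fresh runner, so nothing decrypted in `plan` is visible to `apply`.
name: Terraform

on:  # yamllint disable-line rule:truthy
  push:
    branches: [main]
    paths:
      - 'terraform/**'
      - '.github/workflows/terraform.yml'

# GITHUB_TOKEN only needs to read the repository; the cloud credentials come
# from SOPS, not from the token. Turns off the repo-wide default grant.
permissions:
  contents: read

# Never run two plan/apply pipelines for the same ref at once: a second push
# could otherwise apply a plan computed against state the first run has already
# changed. Queue instead of cancelling so an in-flight apply is not killed.
concurrency:
  group: terraform-${{ github.ref }}
  cancel-in-progress: false

env:
  # Single place to bump the SOPS release used by both jobs.
  SOPS_VERSION: '3.9.4'

jobs:
  plan:
    name: Plan
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # Nothing here pushes back to git; don't leave the token in .git/config
          # for later steps to read.
          persist-credentials: false

      - name: Install OpenTofu
        uses: opentofu/setup-opentofu@v1
        with:
          # TODO(review): pin to a specific release. `latest` makes plan and
          # apply non-reproducible and may resolve to different binaries in
          # the two jobs.
          tofu_version: latest

      - name: Install SOPS
        # TODO(review): verify the .deb against its published SHA-256
        # (sha256sum -c) before `dpkg -i`; a plain download trusts the
        # release asset as served.
        run: |
          set -euo pipefail
          wget -qO /tmp/sops.deb \
            "https://github.com/getsops/sops/releases/download/v${SOPS_VERSION}/sops_${SOPS_VERSION}_amd64.deb"
          sudo dpkg -i /tmp/sops.deb

      - name: Decrypt secrets
        env:
          SOPS_AGE_KEY: ${{ secrets.AGE_SECRET_KEY }}
        run: |
          set -euo pipefail
          # Every foo.enc.yml / foo.enc.yaml becomes foo.yml / foo.yaml beside
          # it. NUL-delimited so odd file names can't split the loop, and the
          # job fails on the first file sops cannot decrypt instead of leaving
          # an empty plaintext for later steps to misread.
          find . \( -name '*.enc.yml' -o -name '*.enc.yaml' \) -type f -print0 |
            while IFS= read -r -d '' f; do
              out="${f/.enc/}"
              sops -d "$f" > "$out"
              echo "Decrypted: $f -> $out"
            done

      - name: Set backend credentials
        working-directory: terraform/
        run: |
          set -euo pipefail
          key_id="$(yq -r '.backblaze_keyID' secrets.yaml)"
          app_key="$(yq -r '.backblaze_applicationKey' secrets.yaml)"
          # Fail loudly on a missing key rather than exporting "" / "null" and
          # letting tofu init report a confusing backend auth error.
          for v in "$key_id" "$app_key"; do
            if [ -z "$v" ] || [ "$v" = "null" ]; then
              echo "backblaze credentials missing from secrets.yaml" >&2
              exit 1
            fi
            # Register as a mask before exporting, so the value is redacted if
            # any later step prints its environment.
            echo "::add-mask::$v"
          done
          {
            echo "AWS_ACCESS_KEY_ID=$key_id"
            echo "AWS_SECRET_ACCESS_KEY=$app_key"
          } >> "$GITHUB_ENV"

      - name: tofu init
        working-directory: terraform/
        run: tofu init -input=false

      - name: tofu plan
        working-directory: terraform/
        run: tofu plan -input=false -out=tfplan

      - name: Upload plan
        if: github.event_name == 'push' && github.ref == 'refs/heads/main'
        uses: actions/upload-artifact@v4
        with:
          name: tfplan
          path: terraform/tfplan
          # A saved plan can carry resolved variable values and resource
          # attributes in the clear, and artifacts are downloadable by anyone
          # who can read this repo's workflow runs. Keep retention minimal.
          retention-days: 1

  apply:
    name: Apply
    needs: plan
    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
    runs-on: ubuntu-latest
    # The `production` environment is where required reviewers / wait timers
    # are configured; this line alone grants no approval gate.
    environment: production
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false

      - name: Install OpenTofu
        uses: opentofu/setup-opentofu@v1
        with:
          # TODO(review): pin; see the plan job.
          tofu_version: latest

      - name: Install SOPS
        # TODO(review): verify the .deb's SHA-256 before installing; see the
        # plan job.
        run: |
          set -euo pipefail
          wget -qO /tmp/sops.deb \
            "https://github.com/getsops/sops/releases/download/v${SOPS_VERSION}/sops_${SOPS_VERSION}_amd64.deb"
          sudo dpkg -i /tmp/sops.deb

      - name: Decrypt secrets
        env:
          SOPS_AGE_KEY: ${{ secrets.AGE_SECRET_KEY }}
        run: |
          set -euo pipefail
          # Same decryption as the plan job; this runner starts empty.
          find . \( -name '*.enc.yml' -o -name '*.enc.yaml' \) -type f -print0 |
            while IFS= read -r -d '' f; do
              out="${f/.enc/}"
              sops -d "$f" > "$out"
              echo "Decrypted: $f -> $out"
            done

      - name: Set backend credentials
        working-directory: terraform/
        run: |
          set -euo pipefail
          key_id="$(yq -r '.backblaze_keyID' secrets.yaml)"
          app_key="$(yq -r '.backblaze_applicationKey' secrets.yaml)"
          for v in "$key_id" "$app_key"; do
            if [ -z "$v" ] || [ "$v" = "null" ]; then
              echo "backblaze credentials missing from secrets.yaml" >&2
              exit 1
            fi
            echo "::add-mask::$v"
          done
          {
            echo "AWS_ACCESS_KEY_ID=$key_id"
            echo "AWS_SECRET_ACCESS_KEY=$app_key"
          } >> "$GITHUB_ENV"

      - name: tofu init
        working-directory: terraform/
        run: tofu init -input=false

      - name: Download plan
        uses: actions/download-artifact@v4
        with:
          name: tfplan
          path: terraform/

      - name: tofu apply
        working-directory: terraform/
        # Applying the saved plan (not a fresh one) guarantees that exactly the
        # changes computed in the plan job are executed; tofu refuses a plan
        # whose backing state has moved on in the meantime.
        run: tofu apply -input=false -auto-approve tfplan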