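---
# Reusable workflow: apply a Terraform plan that an earlier job produced and
# uploaded as an artifact.  The caller is expected to upload an artifact named
# `artifacts` containing `tfplan.binary` and a file `exitcode` holding the
# result of `terraform plan -detailed-exitcode`:
#   0 = no changes -> this job ends successfully without applying
#   1 = plan error -> this job fails with that code
#   2 = changes    -> every remaining step runs and the saved plan is applied
name: tf-apply

on:
  workflow_call:
    secrets:
      # NOTE(review): `type` is not a documented key for workflow_call secrets
      # (only `required` and `description` are); confirm the parser accepts it.
      gpg-key:
        description: base64-encoded GPG private key able to decrypt the blackbox-managed files
        required: true
        type: string
      tf-api-token:
        description: Terraform API token handed to setup-terraform as cli_config_credentials_token
        required: true
        type: string
      ssh-private-key:
        description: SSH private key installed as id_ed25519 for git/ssh access during terraform
        required: true
        type: string
      ssh-known-hosts:
        description: known_hosts entries for the hosts the SSH key is used against
        required: true
        type: string

jobs:
  tf-apply:
    name: Terraform Apply
    runs-on: ubuntu-latest
    # Least privilege: nothing in this job writes to the repository, so the
    # GITHUB_TOKEN only needs to read it (checkout of this repo and of the
    # public blackbox repo).  NOTE(review): widen only if the caller relied on
    # inherited write permissions.
    permissions:
      contents: read

    steps:
      - name: Retrieve artifacts
        id: download
        uses: actions/download-artifact@v3
        with:
          name: artifacts

      - name: Check if job errored
        id: check
        shell: bash
        env:
          # Passed through the environment instead of being expanded into the
          # script text, so the value is never re-parsed by the shell.
          DOWNLOAD_PATH: ${{ steps.download.outputs.download-path }}
        run: |
          ls -laR .
          # Read the plan exit code once; the original exited with
          # `cat exitcode` from the working directory, which is a different
          # file from the one that was tested.
          exitcode_file="${DOWNLOAD_PATH}/artifacts/exitcode"
          code="$(cat "${exitcode_file}")"
          case "${code}" in
            0|1|2) ;;
            *)
              echo "::error::unexpected plan exit code '${code}' in ${exitcode_file}"
              exit 1
              ;;
          esac
          echo "code=${code}" >> "$GITHUB_OUTPUT"
          # 0 ends the job successfully (nothing to apply); 1 fails it.
          # 2 falls through so the gated steps below run.
          if [ "${code}" -lt 2 ]; then
            exit "${code}"
          fi

      - name: Clone blackbox repo
        if: ${{ steps.check.outputs.code == 2 }}
        uses: actions/checkout@v4
        with:
          repository: xaked/blackbox
          path: blackbox
          # TODO(security): `master` is a mutable branch of a third-party repo
          # whose Makefile is executed in the next step; pin to a full commit
          # SHA so the installed tooling cannot change underneath this job.
          ref: master

      - name: Install blackbox
        if: ${{ steps.check.outputs.code == 2 }}
        shell: bash
        run: |
          cd blackbox || exit 1
          make copy-install
          cd "$GITHUB_WORKSPACE"
          rm -rf blackbox

      - uses: hashicorp/setup-terraform@v2
        if: ${{ steps.check.outputs.code == 2 }}
        with:
          terraform_version: "1.5.7"
          cli_config_credentials_token: ${{ secrets.tf-api-token }}

      - name: Clone repo
        if: ${{ steps.check.outputs.code == 2 }}
        uses: actions/checkout@v4

      - name: Decrypt secrets
        if: ${{ steps.check.outputs.code == 2 }}
        shell: bash
        env:
          # Never interpolate a secret into `run:` text: it would become part of
          # the generated script and of the shell's argument list.  Through the
          # environment it stays opaque and multi-line values survive intact.
          GPG_KEY_B64: ${{ secrets.gpg-key }}
        run: |
          printf '%s\n' "$GPG_KEY_B64" | base64 -d | gpg --import
          blackbox_decrypt_all_files

      - name: Setup SSH key
        if: ${{ steps.check.outputs.code == 2 }}
        # TODO(security): third-party action pinned to a tag rather than a
        # commit SHA; tags can be moved.
        uses: benoitchantre/setup-ssh-authentication-action@1.0.1
        with:
          private-key: ${{ secrets.ssh-private-key }}
          private-key-name: id_ed25519
          known-hosts: ${{ secrets.ssh-known-hosts }}

      - name: Restore terraform cache
        if: ${{ steps.check.outputs.code == 2 }}
        uses: actions/cache@v3
        id: cache-terraform-restore
        with:
          path: .terraform
          key: ${{ github.repository }}-${{ runner.os }}-${{ runner.arch }}-tf

      - name: Run terraform init
        if: ${{ steps.check.outputs.code == 2 }}
        shell: bash
        run: terraform init

      - name: Run terraform validate
        if: ${{ steps.check.outputs.code == 2 }}
        shell: bash
        run: terraform validate

      - name: Run terraform apply
        if: ${{ steps.check.outputs.code == 2 }}
        id: apply
        shell: bash
        # Applies the saved plan from the artifact as-is, without re-planning.
        # NOTE(review): a saved plan file carries resource and variable values
        # in plaintext, so whoever can download the `artifacts` artifact can
        # read them; check the retention and who has access to run artifacts.
        run: |
          terraform apply -input=false -auto-approve tfplan.binary

      - name: Save terraform cache
        if: ${{ steps.check.outputs.code == 2 }}
        uses: actions/cache/save@v3
        id: cache-terraform-save
        with:
          path: .terraform
          key: ${{ steps.cache-terraform-restore.outputs.cache-primary-key }}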