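---
# Reusable workflow: apply an OpenTofu plan produced by an earlier job.
# The caller is expected to have uploaded an artifact named "artifacts"
# holding `exitcode` (the plan step's exit status — presumably from
# `tofu plan -detailed-exitcode`, where 2 means "changes to apply";
# confirm against the calling workflow) and `tfplan.binary`.
# download-artifact unpacks it into the workspace, which is where
# `tofu apply tfplan.binary` later looks for it.
name: tf-apply

on:  # yamllint disable-line rule:truthy
  workflow_call:
    inputs:
      tofu-version:
        required: false
        default: "1.7.1"  # quoted so a YAML parser never retypes the version
        type: string
    secrets:
      # workflow_call secrets take only `description` and `required`;
      # `type` is not a valid key here (a secret is always a string).
      gpg-key:
        description: base64-encoded GPG private key, imported for blackbox decryption
        required: true
      tf-api-token:
        description: token handed to setup-opentofu as cli_config_credentials_token
        required: true
      ssh-private-key:
        description: SSH private key installed as id_ed25519
        required: true
      ssh-known-hosts:
        description: known_hosts entries trusted for the SSH key above
        required: true

jobs:
  otf-apply:
    name: Tofu Apply
    runs-on: ubuntu-latest
    # Least privilege for GITHUB_TOKEN: of the visible steps only checkout
    # uses it, and it needs read access only. Widen here if a step turns
    # out to need more.
    permissions:
      contents: read
    steps:
      - name: Clone repo
        uses: actions/checkout@v4

      - name: Retrieve artifacts
        id: download
        uses: actions/download-artifact@v6
        with:
          name: artifacts

      # Gate: only a plan exit code of 2 (changes present) proceeds to apply.
      # 0 ends this step cleanly and every later step is skipped by its
      # `if:`; 1 fails the job.
      - name: Check if job errored
        id: check
        shell: bash
        env:
          DOWNLOAD_PATH: ${{ steps.download.outputs.download-path }}
        run: |
          # Read the file once, from the download path, so the recorded
          # output and the exit status can never disagree (the original
          # `exit "$(cat exitcode)"` read from the working directory).
          code="$(cat "${DOWNLOAD_PATH}/exitcode")"
          echo "code=${code}" >> "$GITHUB_OUTPUT"
          if [ "${code}" -lt 2 ]; then
            exit "${code}"
          fi

      # Third-party tool fetched from a mutable branch; pinning `ref` to a
      # commit SHA would make the install reproducible and tamper-evident.
      - name: Clone blackbox repo
        if: ${{ steps.check.outputs.code == 2 }}
        uses: actions/checkout@v4
        with:
          repository: xaked/blackbox
          path: blackbox
          ref: master

      - name: Install blackbox
        if: ${{ steps.check.outputs.code == 2 }}
        shell: bash
        run: |
          # `shell: bash` runs with -e/-o pipefail, so a failing `make`
          # aborts the step instead of being silently cleaned up.
          cd blackbox
          make copy-install
          cd "$GITHUB_WORKSPACE"
          rm -rf blackbox

      - name: Setup OpenTofu
        if: ${{ steps.check.outputs.code == 2 }}
        uses: opentofu/setup-opentofu@v1
        with:
          tofu_version: ${{ inputs.tofu-version }}
          cli_config_credentials_token: ${{ secrets.tf-api-token }}

      - name: Decrypt secrets
        if: ${{ steps.check.outputs.code == 2 }}
        shell: bash
        env:
          # Passed through the environment rather than expanded into the
          # script text, so the secret is never part of the command line.
          GPG_KEY_B64: ${{ secrets.gpg-key }}
        run: |
          printf '%s' "$GPG_KEY_B64" | base64 -d | gpg --import
          blackbox_decrypt_all_files

      # Third-party action pinned to a tag rather than a commit SHA — same
      # caveat as the blackbox checkout above.
      - name: Setup SSH key
        if: ${{ steps.check.outputs.code == 2 }}
        uses: benoitchantre/setup-ssh-authentication-action@1.0.1
        with:
          private-key: ${{ secrets.ssh-private-key }}
          private-key-name: id_ed25519
          known-hosts: ${{ secrets.ssh-known-hosts }}

      # Restore-only variant: plain `actions/cache` exposes no
      # `cache-primary-key` output, so the explicit save step at the end
      # would have been given an empty key. `actions/cache/restore` does.
      - name: Restore tofu cache
        if: ${{ steps.check.outputs.code == 2 }}
        id: cache-tofu-restore
        uses: actions/cache/restore@v4
        with:
          path: .terraform
          key: ${{ github.repository }}-${{ runner.os }}-${{ runner.arch }}-otf

      - name: Run tofu init
        if: ${{ steps.check.outputs.code == 2 }}
        shell: bash
        run: tofu init -input=false  # never wait for a prompt on a runner

      - name: Run tofu validate
        if: ${{ steps.check.outputs.code == 2 }}
        shell: bash
        run: tofu validate

      # Applies the saved plan, not a fresh one, so only what was reviewed
      # at plan time is executed.
      - name: Run tofu apply
        if: ${{ steps.check.outputs.code == 2 }}
        id: tfplan
        shell: bash
        run: tofu apply -input=false -auto-approve tfplan.binary

      - name: Save tofu cache
        if: ${{ steps.check.outputs.code == 2 }}
        id: cache-tofu-save
        uses: actions/cache/save@v4
        with:
          path: .terraform
          key: ${{ steps.cache-tofu-restore.outputs.cache-primary-key }}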