name: test-ci-bootstrap

# cancel existing runs of the same workflow on the same ref
concurrency:
  group: ${{ github.workflow }}-${{ github.head_ref || github.ref }}
  cancel-in-progress: true

on:
  workflow_dispatch:
  pull_request:
    branches:
      - main
    paths:
      - enos/ci/**
      - .github/workflows/test-ci-bootstrap.yml
  push:
    branches:
      - main
    paths:
      - enos/ci/**
      - .github/workflows/test-ci-bootstrap.yml

jobs:
  bootstrap-ci:
    runs-on: ubuntu-latest
    env:
      TF_WORKSPACE: "${{ github.event.repository.name }}-ci-enos-bootstrap"
      TF_VAR_repository: ${{ github.event.repository.name }}
      TF_VAR_aws_ssh_public_key: ${{ secrets.SSH_KEY_PUBLIC_CI }}
      TF_TOKEN_app_terraform_io: ${{ secrets.TF_API_TOKEN }}
    steps:
      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
      - name: Set up Terraform
        uses: hashicorp/setup-terraform@v3
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID_CI }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY_CI }}
          aws-region: us-east-1
          role-to-assume: ${{ secrets.AWS_ROLE_ARN_CI }}
          role-skip-session-tagging: true
          role-duration-seconds: 3600
      - name: Init Terraform
        id: tf_init
        run: |
          terraform -chdir=enos/ci/bootstrap init
      - name: Plan Terraform
        id: tf_plan
        run: |
          terraform -chdir=enos/ci/bootstrap plan
      - name: Apply Terraform
        if: ${{ github.ref == 'refs/heads/main' }}
        id: tf_apply
        run: |
          terraform -chdir=enos/ci/bootstrap apply -auto-approve