.github/workflows/deployment.yml

name: deployment

on:
  push:
    branches:
      - "main"
  pull_request:
    branches:
      - "main"

jobs:
  provision:
    runs-on: ubuntu-20.04
    environment: staging

    defaults:
      run:
        working-directory: deployment

    container:
      image: hashicorp/terraform:1.4.0
      env:
        TF_IN_AUTOMATION: true

        AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
        AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}

        # `TF_VAR_*` are case sensitive and must match the case of variables
        TF_VAR_datawarehouse_admin_password: ${{ secrets.TF_VAR_DATAWAREHOUSE_ADMIN_PASSWORD }}
        TF_VAR_datawarehouse_admin_username: ${{ vars.TF_VAR_DATAWAREHOUSE_ADMIN_USERNAME }}
        TF_VAR_datawarehouse_di_database: ${{ vars.TF_VAR_DATAWAREHOUSE_DI_DATABASE }}
        TF_VAR_datawarehouse_di_password: ${{ secrets.TF_VAR_DATAWAREHOUSE_DI_PASSWORD }}
        TF_VAR_datawarehouse_di_username: ${{ vars.TF_VAR_DATAWAREHOUSE_DI_USERNAME }}
        TF_VAR_scaleway_access_key: ${{ secrets.TF_VAR_SCALEWAY_ACCESS_KEY }}
        TF_VAR_scaleway_project_id: ${{ vars.TF_VAR_SCALEWAY_PROJECT_ID }}
        TF_VAR_scaleway_secret_key: ${{ secrets.TF_VAR_SCALEWAY_SECRET_KEY }}
      volumes:
        - .:/deployment
      options: --workdir /deployment

    steps:
      - uses: actions/checkout@v3

      - name: tf init
        run: |
          terraform -chdir=environments/staging init \
            -backend-config "bucket=data-inclusion-terraform" \
            -backend-config "key=stack_data/staging" \
            -backend-config "region=fr-par" \
            -backend-config "endpoint=https://s3.fr-par.scw.cloud"

      - name: tf validate
        run: |
          terraform -chdir=environments/staging validate

      - name: tf plan
        run: |
          terraform -chdir=environments/staging plan

      - name: wip
        env:
          TMP_ENCRYPTION_PASSWORD: ${{ secrets.TMP_ENCRYPTION_PASSWORD }}
        run: |
          apk --no-cache add gpg
          ENCRYPTED_OUTPUTS=$(echo "foo" | gpg --symmetric --cipher-algo AES256 --batch --passphrase "${TMP_ENCRYPTION_PASSWORD}" --no-symkey-cache | base64 -w0)
          echo "encrypted_outputs=${ENCRYPTED_OUTPUTS}" >> "${GITHUB_OUTPUT}"

      # - name: tf apply
      #   run: |
      #     terraform -chdir=environments/staging apply -auto-approve

      # - name: tf output
      #   run: |
      #     terraform -chdir=environments/staging output -json

  deploy:
    runs-on: ubuntu-20.04
    environment: staging
    needs: provision

    defaults:
      run:
        working-directory: deployment/docker

    steps:
      - uses: actions/checkout@v3

      - name: wip
        env:
          ENCRYPTED_OUTPUTS: ${{ needs.provision.outputs.encrypted_outputs }}
          TMP_ENCRYPTION_PASSWORD: ${{ secrets.TMP_ENCRYPTION_PASSWORD }}
        run: |
          TF_OUTPUTS=$(echo ${ENCRYPTED_OUTPUTS} | base64 -d | gpg --batch --decrypt --passphrase "${TMP_ENCRYPTION_PASSWORD}")
          echo "${TF_OUTPUTS}"

      # - name: start services
      #   env:
      #     AIRFLOW_CONN_S3:  # TODO
      #     AIRFLOW_CONN_PG:  # TODO
      #     BAN_API_URL: ${{ vars.BAN_API_URL }}
      #     DORA_API_URL: ${{ vars.DORA_API_URL }}
      #     INSEE_FIRSTNAME_FILE_URL: ${{ vars.INSEE_FIRSTNAME_FILE_URL }}
      #     INSEE_COG_DATASET_URL: ${{ vars.INSEE_COG_DATASET_URL }}
      #     SIRENE_STOCK_ETAB_GEOCODE_FILE_URL: ${{ vars.SIRENE_STOCK_ETAB_GEOCODE_FILE_URL }}
      #     SIRENE_STOCK_ETAB_HIST_FILE_URL: ${{ vars.SIRENE_STOCK_ETAB_HIST_FILE_URL }}
      #     SIRENE_STOCK_ETAB_LIENS_SUCCESSION_URL: ${{ vars.SIRENE_STOCK_ETAB_LIENS_SUCCESSION_URL }}
      #     SIRENE_STOCK_UNITE_LEGALE_FILE_URL: ${{ vars.SIRENE_STOCK_UNITE_LEGALE_FILE_URL }}
      #   run: |
      #     docker compose up -d