.github/workflows/dsf_single_account_cli.yml

name: 'DSF Single Account CLI - AWS'

concurrency:
  group: dsf_single_account

on:
  workflow_call:
    inputs:
      branch:
        required: true
        type: string
    secrets:
      AWS_ACCESS_KEY_ID:
        required: true
      AWS_SECRET_ACCESS_KEY:
        required: true
      AWS_ACCESS_KEY_ID_STAGE:
        required: true
      AWS_SECRET_ACCESS_KEY_STAGE:
        required: true
      SLACK_WEBHOOK_URL:
        required: true
      JUMP_SERVER_KEY:
        required: true
      DAM_LICENSE:
        required: true

  workflow_dispatch:
    inputs:
      branch:
        required: true
        type: string
      delay_destroy:
        description: 'Delay the destroy step and subsequent steps to allow investigation'
        type: boolean
        default: false
        required: false

  push:
    branches:
      - 'dev'
    paths:
      - 'modules/aws/**'
      - '!modules/aws/db-with-agent/*'
      - '!modules/aws/poc-db-onboarder/*'
      - '!modules/aws/rds-mssql-db/*'
      - '!modules/aws/rds-mysql-db/*'
      - '!modules/aws/rds-postgres-db/*'
      - '!modules/aws/sonar-upgrader/**'
      - 'modules/null/**'
      - 'examples/aws/installation/dsf_single_account_deployment/*'

  pull_request:
    types:
      - 'opened'
      - 'reopened'
    branches:
      - 'dev'
    paths:
      - 'modules/aws/**'
      - '!modules/aws/db-with-agent/*'
      - '!modules/aws/poc-db-onboarder/*'
      - '!modules/aws/rds-mssql-db/*'
      - '!modules/aws/rds-mysql-db/*'
      - '!modules/aws/rds-postgres-db/*'
      - '!modules/aws/sonar-upgrader/*'
      - 'modules/null/**'
      - 'examples/aws/installation/dsf_single_account_deployment/*'

env:
  TF_CLI_ARGS: "-no-color"
  TF_INPUT: 0
  TF_VAR_gw_count: 1
  EXAMPLE_DIR: ./examples/aws/installation/dsf_single_account_deployment
  AWS_REGION: ap-southeast-1
  AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
  AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
  AWS_ACCESS_KEY_ID_STAGE: ${{ secrets.AWS_ACCESS_KEY_ID_STAGE }}
  AWS_SECRET_ACCESS_KEY_STAGE: ${{ secrets.AWS_SECRET_ACCESS_KEY_STAGE }}
  JUMP_SERVER_KEY: ${{ secrets.JUMP_SERVER_KEY }}
  AWS_KEY_PATH: "jump_server_key.cer"
  DESTROY_DELAY_SECONDS: 1800

permissions:
  contents: read

jobs:
  terraform:
    name: 'DSF Single Account ${{ inputs.branch }}'
    runs-on: ubuntu-latest
    environment: test
  
    # Use the Bash shell regardless whether the GitHub Actions runner is ubuntu-latest, macos-latest, or windows-latest
    defaults:
      run:
        shell: bash
    steps:
    - name: Checkout
      uses: actions/checkout@v3
      with:
        ref: ${{ inputs.branch }}

    - name: Change the modules source to local
      run: |
        find ./examples/ -type f -exec sed -i -f sed.expr {} \;

    - name: Set Workspace
      run: |
        if [ ${{ inputs.branch }} == 'master' ] ||  [ ${{ inputs.branch }} == 'dev' ]; then
          echo "TF_WORKSPACE=dsf_single_account_${{ inputs.branch }}" >> $GITHUB_ENV
        else
          echo "TF_WORKSPACE=dsf_single_account" >> $GITHUB_ENV
        fi

    - name: Create terraform backend file
      run: |
        cat << EOF > $EXAMPLE_DIR/backend.tf
        terraform {
          backend "s3" {
            bucket         = "terraform-state-bucket-dsfkit-github-tests"
            key            = "states/terraform.tfstate"
            dynamodb_table = "terraform-state-lock"
            region         = "us-east-1"
          }
        }
        EOF

    - name: Create tfvars File
      run: |
        cat << EOF > $EXAMPLE_DIR/terraform.tfvars
        ${{ vars.TFVAR_PARAMETERS_DSF_SINGLE_ACCOUNT_AUTOMATION_PRIVATE_SUBNETS_V1 }}
        EOF

    - name: Cat tfvars File
      run: cat $EXAMPLE_DIR/terraform.tfvars

    - name: Create License File
      env:
        MY_SECRET: ${{ secrets.DAM_LICENSE }}
      run: |
        echo "${{ secrets.DAM_LICENSE }}" | base64 -d > $EXAMPLE_DIR/license.mprv
        cat $EXAMPLE_DIR/license.mprv

    - name: Add Profile Credentials to ~/.aws/credentials
      run: |
        aws configure set aws_access_key_id ${{ secrets.AWS_ACCESS_KEY_ID_STAGE }} --profile ${{ vars.STAGE_PROFILE_NAME }}
        aws configure set aws_secret_access_key ${{ secrets.AWS_SECRET_ACCESS_KEY_STAGE }} --profile ${{ vars.STAGE_PROFILE_NAME }}

    - name: Get The Public IP
      run: echo curr_ip=$(curl -s https://ipinfo.io/ip) >> $GITHUB_ENV

    - name: Set IP in AWS Security Group
      env:
        AWS_REGION: ap-southeast-1
        AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID_STAGE }}
        AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY_STAGE }}
      run: |
        aws_sg=$(aws ec2 authorize-security-group-ingress --group-id ${{ vars.JUMP_SERVER_SG_ID }} --protocol tcp --port 22 --cidr $curr_ip/32)
        echo sg_id=$(echo $aws_sg | jq '.SecurityGroupRules[0].SecurityGroupRuleId') >> $GITHUB_ENV
        aws_sg_for_singapore=$(aws ec2 authorize-security-group-ingress --group-id ${{ vars.SINGAPORE_SG_ID }} --protocol tcp --port 0-65535 --cidr $curr_ip/32)
        echo sg_id_for_singapore=$(echo $aws_sg_for_singapore | jq '.SecurityGroupRules[0].SecurityGroupRuleId') >> $GITHUB_ENV

    - name: Set IP in AWS Security Group - Sydney
      env:
        AWS_REGION: ap-southeast-2
        AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID_STAGE }}
        AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY_STAGE }}
      run: |
        aws_sg_for_sydney=$(aws ec2 authorize-security-group-ingress --group-id ${{ vars.SYDNEY_SG_ID }} --protocol tcp --port 0-65535 --cidr $curr_ip/32)
        echo sg_id_for_sydney=$(echo $aws_sg_for_sydney | jq '.SecurityGroupRules[0].SecurityGroupRuleId') >> $GITHUB_ENV

    - name: Create Key File
      run: |
        echo "${{ secrets.JUMP_SERVER_KEY }}" > $EXAMPLE_DIR/$AWS_KEY_PATH
        sudo chmod 400 $EXAMPLE_DIR/$AWS_KEY_PATH

    # Install the latest version of Terraform CLI and configure the Terraform CLI configuration file with a Terraform Cloud user API token
    - name: Setup Terraform
      uses: hashicorp/setup-terraform@v2
      with:
        terraform_wrapper: false
        terraform_version: ~1.7.0

    - name: Setup jq
      uses: sergeysova/jq-action@v2

    # Initialize a new or existing Terraform working directory by creating initial files, loading any remote state, downloading modules, etc.
    - name: Terraform Init
      run: terraform -chdir=$EXAMPLE_DIR init

    - name: Cleaning environment
      run: |
        mv $EXAMPLE_DIR/main.tf{,_}
        mv $EXAMPLE_DIR/outputs.tf{,_}
        mv $EXAMPLE_DIR/dam.tf{,_}
        mv $EXAMPLE_DIR/dra.tf{,_}
        mv $EXAMPLE_DIR/sonar.tf{,_}
        mv $EXAMPLE_DIR/networking.tf{,_}
        terraform -chdir=$EXAMPLE_DIR destroy -auto-approve
        mv $EXAMPLE_DIR/main.tf{_,}
        mv $EXAMPLE_DIR/outputs.tf{_,}
        mv $EXAMPLE_DIR/dam.tf{_,}
        mv $EXAMPLE_DIR/dra.tf{_,}
        mv $EXAMPLE_DIR/sonar.tf{_,}
        mv $EXAMPLE_DIR/networking.tf{_,}

    - name: Terraform Validate
      run: terraform -chdir=$EXAMPLE_DIR validate

    # Generates an execution plan for Terraform
    - name: Terraform Plan
      run: terraform -chdir=$EXAMPLE_DIR plan

    - name: Terraform Apply
      run: terraform -chdir=$EXAMPLE_DIR apply -auto-approve

    - name: Terraform Output
      if: always()
      run: terraform -chdir=$EXAMPLE_DIR output -json

    - name: Collect Artifacts
      id: collect-artifacts
      if: always()
      uses: actions/upload-artifact@v4
      with:
        name: collected-keys-${{ env.TF_WORKSPACE }}
        path: |
          ${{ env.EXAMPLE_DIR }}/ssh_keys

    - name: Check how was the workflow run
      id: check-trigger
      if: ${{ failure() }}
      run: |
        if [ "${{ github.event_name }}" == "schedule" ]; then
          echo "run-by=Automation" >> $GITHUB_OUTPUT
        else
          echo "run-by=${{ github.actor }}" >> $GITHUB_OUTPUT
        fi

    # This step allows time for investigation of the failed resources before destroying them
    - name: Conditional Delay
      if: ${{ failure() }}
      run: |
        echo "delay_destroy: ${{ inputs.delay_destroy }}"
        if [ "${{ inputs.delay_destroy }}" == "true" ]; then
          echo "Terraform workspace: $TF_WORKSPACE"
          curl -X POST -H 'Content-type: application/json' --data '{"text":":exclamation: :exclamation: :exclamation:\n*${{ github.workflow }} ${{ env.TF_WORKSPACE }} automation Failed*\n You have ${{ env.DESTROY_DELAY_SECONDS }} seconds to investigate the environment before it is destroyed :alarm_clock:\n<https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}|Please check the job!>\nRun by: ${{ steps.check-trigger.outputs.run-by }}", "channel": "#edsf_automation"}' ${{ secrets.SLACK_WEBHOOK_URL }}
          echo ""
          echo "Sleeping for $((DESTROY_DELAY_SECONDS / 60)) minutes before destroying the environment"
          sleep $DESTROY_DELAY_SECONDS
        fi

    - name: Terraform Destroy
      if: always()
      run: terraform -chdir=$EXAMPLE_DIR destroy -auto-approve

    - name: Delete Security Group
      env:
        AWS_REGION: ap-southeast-1
        AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID_STAGE }}
        AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY_STAGE }}
      if: always()
      run: |
        aws ec2 revoke-security-group-ingress --group-id ${{ vars.JUMP_SERVER_SG_ID }} --security-group-rule-ids ${{ env.sg_id }}
        aws ec2 revoke-security-group-ingress --group-id ${{ vars.SINGAPORE_SG_ID }} --security-group-rule-ids ${{ env.sg_id_for_singapore }}

    - name: Delete Security Group - Sydney
      env:
        AWS_REGION: ap-southeast-2
        AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID_STAGE }}
        AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY_STAGE }}
      if: always()
      run: |
        aws ec2 revoke-security-group-ingress --group-id ${{ vars.SYDNEY_SG_ID }} --security-group-rule-ids ${{ env.sg_id_for_sydney }}

    # Send job failure to Slack
    - name: Send Slack When Failure
      run: |
        if [ ${{ inputs.branch }} == 'master' ]; then
          curl -X POST -H 'Content-type: application/json' --data '{"text":":exclamation: :exclamation: :exclamation:\n*DSF Single Account Prod ${{ inputs.workspace }} automation Failed*\n<https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}|Please check the job!>\nRun by: ${{ steps.check-trigger.outputs.run-by }}", "channel": "#dsfkit-prod"}' ${{ secrets.SLACK_WEBHOOK_URL }}
        else
          curl -X POST -H 'Content-type: application/json' --data '{"text":":exclamation: :exclamation: :exclamation:\n*DSF Single Account Dev nightly ${{ inputs.workspace }} automation Failed*\n<https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}|Please check the job!>\nRun by: ${{ steps.check-trigger.outputs.run-by }}", "channel": "#edsf_automation"}' ${{ secrets.SLACK_WEBHOOK_URL }}
        fi
      if: ${{ failure() }}