name: e2e test Terraform module

on:
  workflow_dispatch:
    inputs:
      ref:
        type: string
        description: "Git ref to checkout"
        required: false
      cloudProvider:
        description: "Which cloud provider to use."
        type: choice
        options:
          - "aws"
          - "gcp"
        required: true
      regionZone:
        description: "Region or zone to create the cluster in. Leave empty for default region/zone."
        type: string
      image:
        description: "Node image version of the cluster."
        type: string
        required: true
      cliVersion:
        description: "Constellation CLI version to use. Empty value means build from source."
        type: string
        default: ""
        required: false
  workflow_call:
    inputs:
      ref:
        type: string
        description: "Git ref to checkout"
        required: false
      cloudProvider:
        description: "Which cloud provider to use."
        type: string
        required: true
      regionZone:
        description: "Which zone to use."
        type: string
      image:
        description: "Node image reference which is compatible with the current dev release version."
        type: string
        required: true
      cliVersion:
        description: "Constellation CLI version to use. Empty value means build from source."
        type: string
        default: ""
        required: false
jobs:
  build:
    runs-on: ubuntu-22.04
    permissions:
      id-token: write
      contents: read
      packages: write
    steps:
      - name: Checkout
        id: checkout
        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
        with:
          ref: ${{ inputs.ref || github.head_ref }}

      - name: Upload module
        uses: ./.github/actions/upload_terraform_module

      - name: Download Terraform module
        uses: actions/download-artifact@v3
        with:
          name: terraform-module

      - name: Unzip Terraform module
        run: unzip terraform-module.zip

      - name: Create resource prefix
        id: create-prefix
        shell: bash
        run: |
          run_id=${{ github.run_id }}
          last_three="${run_id: -3}"
          echo "prefix=e2e-${last_three}-${{ github.run_attempt }}" | tee -a "$GITHUB_OUTPUT"

      - name: Create AWS Terraform variable input file
        if: inputs.cloudProvider == 'aws'
        working-directory: ./terraform-module/aws-constellation
        run: |
          cat > terraform.tfvars <<EOF
          name = "${{ steps.create-prefix.outputs.prefix }}"
          image = "${{ inputs.image }}"
          zone = "${{ inputs.regionZone || 'us-east-2c' }}"
          name_prefix = "${{ steps.create-prefix.outputs.prefix }}"
          node_groups = {
            control_plane_default = {
              role          = "control-plane"
              zone          = "${{ inputs.regionZone || 'us-east-2c' }}"
              instance_type = "m6a.xlarge"
              disk_size     = 30
              disk_type     = "gp3"
              initial_count = 2
            },
            worker_default = {
              role          = "worker"
              zone          = "${{ inputs.regionZone || 'us-east-2c' }}"
              instance_type = "m6a.xlarge"
              disk_size     = 30
              disk_type     = "gp3"
              initial_count = 2
            }
          }
          EOF
          cat terraform.tfvars

      - name: Create GCP Terraform variable input file
        if: inputs.cloudProvider == 'gcp'
        working-directory: ./terraform-module/gcp-constellation
        run: |
          cat > terraform.tfvars <<EOF
          name = "${{ steps.create-prefix.outputs.prefix }}"
          project = "${{ secrets.GCP_E2E_PROJECT }}"
          service_account_id = "${{ steps.create-prefix.outputs.prefix }}-sa"
          image = "${{ inputs.image }}"
          zone = "${{ inputs.regionZone || 'europe-west3-b' }}"
          node_groups = {
            control_plane_default = {
              role          = "control-plane"
              zone          = "${{ inputs.regionZone || 'europe-west3-b' }}"
              instance_type = "n2d-standard-4"
              disk_size     = 30
              disk_type     = "pd-ssd"
              initial_count = 2
            },
            worker_default = {
              role          = "worker"
              zone          = "${{ inputs.regionZone || 'europe-west3-b' }}"
              instance_type = "n2d-standard-4"
              disk_size     = 30
              disk_type     = "pd-ssd"
              initial_count = 2
            }
          }
          EOF
          cat terraform.tfvars

      - name: Install dependencies (Terraform)
        run: |
          sudo apt update && sudo apt install gpg
          wget -O- https://apt.releases.hashicorp.com/gpg | sudo gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg
          gpg --no-default-keyring --keyring /usr/share/keyrings/hashicorp-archive-keyring.gpg --fingerprint
          echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/hashicorp.list
          sudo apt update
          sudo apt install terraform=1.4.4-*

      - name: Log in to the Container registry
        uses: ./.github/actions/container_registry_login
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Setup bazel
        if: inputs.cliVersion == ''
        uses: ./.github/actions/setup_bazel_nix
        with:
          useCache: "true"
          buildBuddyApiKey: ${{ secrets.BUILDBUDDY_ORG_API_KEY }}

      - name: Build CLI
        if: inputs.cliVersion == ''
        uses: ./.github/actions/build_cli
        with:
          outputPath: "constellation"
          enterpriseCLI: true
          push: true

      - name: Download CLI
        if: inputs.cliVersion != ''
        shell: bash
        run: |
          curl -fsSL -o constellation https://github.com/edgelesssys/constellation/releases/download/${{ inputs.cliVersion }}/constellation-linux-amd64
          chmod u+x ./constellation
          ./constellation version
          sudo sh -c 'echo "127.0.0.1 license.confidential.cloud" >> /etc/hosts'

      - name: Login to AWS (IAM + Cluster role)
        if: inputs.cloudProvider == 'aws'
        uses: aws-actions/configure-aws-credentials@5fd3084fc36e372ff1fff382a39b10d03659f355 # v2.2.0
        with:
          role-to-assume: arn:aws:iam::795746500882:role/GithubActionsE2ETerraform
          aws-region: eu-central-1
          # extend token expiry to 6 hours to ensure constellation can terminate
          role-duration-seconds: 21600

      - name: Login to GCP (IAM + Cluster service account)
        if: inputs.cloudProvider == 'gcp'
        uses: ./.github/actions/login_gcp
        with:
          service_account: "constellation-e2e-tf@constellation-331613.iam.gserviceaccount.com"

      - name: Apply Terraform Cluster
        id: apply_terraform
        working-directory: ./terraform-module/${{ inputs.cloudProvider }}-constellation
        run: |
          cp ../../constellation .
          terraform init
          terraform apply -var-file=terraform.tfvars  -auto-approve

      - name: Destroy Terraform Cluster
        # outcome is part of the steps context (https://docs.github.com/en/actions/learn-github-actions/contexts#steps-context)
        if: always() && steps.apply_terraform.outcome != 'skipped'
        working-directory: ./terraform-module/${{ inputs.cloudProvider }}-constellation
        run: |
          terraform init
          terraform destroy -var-file=terraform.tfvars -auto-approve

      - name: Verify cleanup
        working-directory: ./terraform-module/${{ inputs.cloudProvider }}-constellation
        run: |
          if [ -f constellation-mastersecret.json ] || [ -f constellation-conf.yaml ]; then
            echo "Files  constellation-mastersecret.json or constellation-conf.yaml still exist"
            exit 1
          fi