terraform-gcp-production.yml

---
name: Terraform | Apply
on:
  push:
    branches:
      - main
    paths:
      - "armature/prod/gcp/**"
      - "armature/prod/tf-states/**"
      - "armature/prod/b2/**"
      - ".github/workflows/**"

concurrency:
  group: tf
  cancel-in-progress: false

env:
  # renovate: datasource=github-releases depName=hashicorp/terraform
  TERRAFORM_VERSION: 1.5.6
  TF_VAR_org_id: ${{ secrets.TF_VARS_GCP_ORG_ID }}
  TF_VAR_billing_account: ${{ secrets.TF_VARS_GCP_BILLING_ACCOUNT }}
  TF_VAR_group_org_admins: ${{ secrets.TF_VARS_GCP_ORG_ADMINS }}
  TF_VAR_group_billing_admins: ${{ secrets.TF_VARS_GCP_BILLING_ADMINS }}

permissions:
  id-token: write
  contents: read
  pull-requests: write
  actions: write
  checks: write
  statuses: write

jobs:
  terraform-apply:
    strategy:
      fail-fast: false
      matrix:
        include:
          - env: 'armature/prod/gcp/bootstrap'
          - env: 'armature/prod/gcp/kutara'
          - env: 'armature/prod/gcp/top22'
          - env: 'armature/prod/tf-states'
          - env: 'armature/prod/b2'

    runs-on: ubuntu-latest
    environment: production
    steps:
      - name: Checkout
        uses: actions/checkout@v3

      - id: 'auth'
        name: 'Authenticate to Google Cloud'
        uses: google-github-actions/auth@v1.3.0
        with:
          workload_identity_provider: ${{ secrets.GCP_IDENTITY_PROVIDER }}
          service_account: ${{ secrets.GCP_SERVICE_ACCOUNT }}

      - name: Setup Terraform
        uses: hashicorp/setup-terraform@v2.0.3
        with:
          cli_config_credentials_token: ${{ secrets.TF_API_TOKEN }}

      - name: Terraform Init
        run: terraform -chdir=${{ matrix.env }} init

      - name: Terraform Plan
        run: terraform -chdir=${{ matrix.env }} plan -out=infra.tfplan

      - name: Terraform Apply
        run: terraform -chdir=${{ matrix.env }} apply -auto-approve infra.tfplan