# Manually dispatched workflow: hands the chosen Fleet docker image to
# Terraform (as the fleet_image variable) and runs init/fmt/validate/plan/apply
# in infrastructure/dogfood/terraform/aws-tf-module.
name: Deploy Dogfood Environment

on:
  workflow_dispatch:
    inputs:
      # Operator-supplied value. In the steps shown it is only exposed through
      # the TF_VAR_fleet_image environment variable and is never interpolated
      # into a `run:` script, so it is not evaluated by the shell.
      DOCKER_IMAGE:
        description: 'The full name of the docker image to be deployed. (e.g. fleetdm/fleet:v4.30.0). Note: do not use fleetdm/fleet:main directly. Use the short hash instead. If pull-rate limited, try using the quay.io/fleetdm/fleet mirror.'
        required: true

# Intended to let a subsequently queued workflow run interrupt previous runs.
# NOTE(review): github.head_ref is only populated for pull_request events and
# the only trigger here is workflow_dispatch, so the group falls back to
# github.run_id, which is unique per run. As written, no two runs share a
# group: nothing is cancelled, and overlapping deploys are not serialized by
# this setting. A fixed group name would be needed for that; confirm whether
# cancelling a run in the middle of `terraform apply` is acceptable before
# relying on cancel-in-progress.
concurrency:
  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id}}
  cancel-in-progress: true

defaults:
  run:
    # Naming bash explicitly makes the runner start it with -eo pipefail
    # (fail-fast). See
    # https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#exit-codes-and-error-action-preference
    shell: bash
    working-directory: infrastructure/dogfood/terraform/aws-tf-module

# NOTE(review): workflow-level env is exported to every step of every job,
# including the third-party actions below (all pinned by commit SHA). The
# TF_VAR_* secrets are only needed by the Terraform steps; consider scoping
# them to those steps to narrow exposure.
env:
  AWS_REGION: us-east-2
  ECR_REPOSITORY: fleet-test
  # Role assumed by configure-aws-credentials below. The role's trust policy
  # (not shown here) is what limits which repositories/refs may assume it;
  # verify it restricts the OIDC `sub` claim accordingly.
  AWS_IAM_ROLE: arn:aws:iam::160035666661:role/github-actions-role
  TF_ACTIONS_WORKING_DIR: infrastructure/dogfood/terraform/aws-tf-module
  TF_WORKSPACE: fleet
  # NOTE(review): the 'fleetdm/fleet:main' fallback contradicts the input
  # description above ("do not use fleetdm/fleet:main directly"). The input is
  # marked required, so the fallback is presumably unreachable; confirm.
  TF_VAR_fleet_image: ${{ github.event.inputs.DOCKER_IMAGE || 'fleetdm/fleet:main' }}
  # Secrets handed to Terraform as input variables. Whether they are masked in
  # plan/apply output depends on the variables being declared `sensitive` in
  # the module (not visible here); verify.
  TF_VAR_fleet_license: ${{ secrets.DOGFOOD_LICENSE_KEY }}
  TF_VAR_slack_webhook: ${{ secrets.SLACK_G_HELP_P1_WEBHOOK_URL }}
  TF_VAR_fleet_sentry_dsn: ${{ secrets.DOGFOOD_SENTRY_DSN }}
  TF_VAR_elastic_url: ${{ secrets.ELASTIC_APM_SERVER_URL }}
  TF_VAR_elastic_token: ${{ secrets.ELASTIC_APM_SECRET_TOKEN }}
  TF_VAR_geolite2_license: ${{ secrets.MAXMIND_LICENSE }}

permissions:
  # Allows the job to request a GitHub OIDC token; presumably consumed by
  # configure-aws-credentials to assume AWS_IAM_ROLE (no static AWS keys are
  # passed to that action).
  id-token: write
  contents: read  # This is required for actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b

jobs:
  deploy:
    name: Deploy Fleet Dogfood Environment
    runs-on: ubuntu-latest
    steps:
      # Pinned to a full commit SHA. NOTE(review): unlike the other pins, no
      # version tag is recorded next to this one.
      - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
      # Runs `false` (non-zero exit, failing the job) when the condition holds.
      # NOTE(review): github.ref is a fully qualified ref (e.g.
      # refs/heads/main), so comparing it with 'main' does not match a run
      # dispatched from the main branch and this guard appears to be a no-op.
      # Confirm the intent, then either compare against 'refs/heads/main'
      # (or use github.ref_name) or remove the step; correcting the
      # comparison would start failing deploys dispatched from main.
      - id: fail-on-main
        run: "false"
        if: ${{ github.ref == 'main' }}
      # Obtains AWS credentials for the role above; later steps in this job
      # run with them.
      - uses: aws-actions/configure-aws-credentials@67fbcbb121271f7775d2e7715933280b06314838  # v1.7.0
        with:
          role-to-assume: ${{env.AWS_IAM_ROLE}}
          aws-region: ${{ env.AWS_REGION }}
      # Go version comes from the GO_VERSION configuration variable.
      - name: Set up Go
        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe  # v4.1.0
        with:
          go-version: ${{ vars.GO_VERSION }}
      # terraform_wrapper: false installs the plain terraform binary instead
      # of the wrapper script that captures stdout/stderr as step outputs.
      - uses: hashicorp/setup-terraform@633666f66e0061ca3b725c73b2ec20cd13a8fdd1  # v2.0.3
        with:
          terraform_version: 1.6.3
          terraform_wrapper: false
      - name: Terraform Init
        id: init
        run: terraform init
      # Advisory only: continue-on-error keeps the job going when formatting
      # differs.
      - name: Terraform fmt
        id: fmt
        run: terraform fmt -check
        continue-on-error: true
      - name: Terraform Validate
        id: validate
        run: terraform validate -no-color
      # NOTE(review): the plan is not saved with -out and a failing plan does
      # not stop the job (continue-on-error). The apply below computes its own
      # plan and applies it with -auto-approve, so this step is informational
      # and is not a review gate for what gets applied.
      - name: Terraform Plan
        id: plan
        run: terraform plan -no-color
        continue-on-error: true
      # first we'll scale everything down and create the new task definitions
      - name: Terraform Apply
        id: apply
        run: terraform apply -auto-approve