terraform_on_pr.yml
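# Decrypts the committed Terraform state, runs init/validate/plan/apply against
# the `prod` environment, then re-encrypts the state and commits it back.
name: 'PR - Deploy to Prod'

on:
  workflow_dispatch:
  merge_group:
  # NOTE(review): on pull_request the job, including
  # `terraform apply -auto-approve`, runs from the PR head branch before merge.
  # Whether that is gated depends on the protection rules (e.g. required
  # reviewers) configured on the `prod` environment, which are not visible in
  # this file - confirm they are in place.
  pull_request:
    # paths-ignore only skips PRs whose changes fall entirely under these
    # paths; a PR that edits a workflow together with other files still runs.
    paths-ignore:
      - '*.tfstate'
      - '.github/workflows/*'

# Write access to repository contents is needed by the final `git push`.
permissions:
  contents: write

env:
  # NOTE(review): tf_version and tf_working_dir are not referenced by any step
  # below, so setup-terraform installs its default version rather than this
  # one. Wire tf_version into the action's `terraform_version` input only after
  # checking it matches the version that last wrote the state file.
  tf_version: '1.4.6'
  tf_working_dir: '.'
  # SHA-256 of the extracted `terrahelp` binary (not of the release tarball).
  terrahelp_shasum: 'b086a87b7d98c4c84767836e897663ec7fa1ae678230a55041abdc817579a04f'

jobs:
  terraform:
    name: 'Terraform Plan and Apply'
    environment: prod
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): both actions are referenced by a mutable major-version
      # tag; pinning each to a full commit SHA prevents a retagged release from
      # running with the prod secrets used later in this job.
      - uses: hashicorp/setup-terraform@v2
      - uses: actions/checkout@v3
        with:
          # Empty for workflow_dispatch and merge_group events, in which case
          # checkout falls back to its default ref for the event.
          ref: ${{ github.event.pull_request.head.ref }}

      # The archive is unpacked before anything is verified; the next step
      # checks only the extracted binary.
      - name: 'Get Terrahelp Binary'
        run: wget -c https://github.com/opencredo/terrahelp/releases/download/v0.7.5/terrahelp_0.7.5_linux_amd64.tar.gz -O - | tar -xz

      # Checksum-file format: two spaces between the digest and the file name.
      - name: 'Check Integrity'
        run: echo "${{ env.terrahelp_shasum }}  ./terrahelp" | shasum -a256 -c-

      # The key is handed to the shell through an environment variable and
      # quoted, instead of being expanded into the script text by `${{ }}`,
      # so shell metacharacters in the secret cannot alter the command.
      - name: 'Decrypt State'
        env:
          TERRAHELP_KEY: ${{ secrets.TERRAHELP_KEY }}
        run: >-
          ./terrahelp decrypt --mode=full --simple-key="$TERRAHELP_KEY"
          --nobackup --file terraform.tfstate -file=terraform.tfstate.backup

      - id: init
        run: terraform init

      - id: validate
        run: terraform validate -no-color

      - id: plan
        run: terraform plan -no-color --input=false
        continue-on-error: false
        env:
          TF_VAR_cloudflare_zone_id: ${{ secrets.CF_ZONE_ID }}
          TF_VAR_cloudflare_api_token: ${{ secrets.CF_API_TOKEN }}

      # NOTE(review): if apply fails part-way, the steps below are skipped and
      # the state changes already made on the runner are neither encrypted nor
      # committed; decide whether that is the intended failure mode.
      - id: apply
        run: terraform apply -no-color --input=false -auto-approve
        continue-on-error: false
        env:
          TF_VAR_cloudflare_zone_id: ${{ secrets.CF_ZONE_ID }}
          TF_VAR_cloudflare_api_token: ${{ secrets.CF_API_TOKEN }}

      # Same env-variable hand-off for the key as in 'Decrypt State'.
      - name: 'Encrypt State'
        env:
          TERRAHELP_KEY: ${{ secrets.TERRAHELP_KEY }}
        run: >-
          ./terrahelp encrypt --mode=full --simple-key="$TERRAHELP_KEY"
          --nobackup --file terraform.tfstate -file=terraform.tfstate.backup

      # Runs only after 'Encrypt State' succeeds, so the pushed files are the
      # encrypted ones. The e-mail value below appears as a redaction
      # placeholder on this page; confirm the real committer address.
      - name: 'Commit New State'
        run: |
          git config --global user.name 'GitHub Actions'
          git config --global user.email '[email protected]'
          git add terraform.tfstate terraform.tfstate.backup
          git commit -m "Add updated state"
          git push origin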