.github/workflows/terraform_plan.yml

name: terraform plan
on:
  pull_request:
    branches:
      - main
    paths:
      - terraform/**
  pull_request_target:
    branches:
      - main
    paths:
      - terraform/**

jobs:
  validate:
    env:
      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      LOGIN: ${{ github.actor }}
      PR_REPO_FULL_NAME: ${{ github.event.pull_request.head.repo.full_name }}
    runs-on: ubuntu-latest
    defaults:
      run:
        working-directory: ./terraform
    outputs:
      valid_workflow: ${{ steps.validate_workflow.outputs.valid_workflow }}
    steps:
      - uses: actions/checkout@v2
      - name: Install and configure Poetry
        uses: snok/install-poetry@2bf112a0f6979928eb6b011f39700db589c5961e #v1
        with:
          virtualenvs-create: true
          virtualenvs-in-project: true
          version: 1.1.13
      - name: Install library
        run: |
          cd scripts
          poetry install
      - name: Run tests
        run: |
          cd scripts
          poetry run pytest --cov validate .
      - name: validate_workflow
        id: validate_workflow
        run: |
          cd scripts
          output=$(poetry run python validate.py)
          echo "valid_workflow=$output" >> "$GITHUB_OUTPUT"

  plan:
    env:
      AWS_ACCESS_KEY_ID: ${{ secrets.TERRAFORM_AWS_ACCESS_KEY_ID }}
      AWS_SECRET_ACCESS_KEY: ${{ secrets.TERRAFORM_AWS_SECRET_ACCESS_KEY }}
      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      TF_VAR_tvm_bot_webhook_secret: ${{ secrets.TVM_BOT_WEBHOOK_SECRET }}
      TF_VAR_tvm_bot_github_token: ${{ secrets.TVM_BOT_GITHUB_TOKEN }}
      TF_VAR_tvm_bot_repo: tvm
      TF_VAR_tvm_bot_owner: apache
    runs-on: ubuntu-latest
    defaults:
      run:
        working-directory: ./terraform
    needs: validate
    if: needs.validate.outputs.valid_workflow == 'True'
    # These steps run if either the PR is within the same repo or if the PR is
    # on a fork and the committer has deployer access
    steps:
      - uses: actions/checkout@v2
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - name: Terraform fmt
        id: fmt
        uses: dflook/terraform-fmt@f0d4aaacfe91d9319a40cbb2bfeb5bd0ee2f2739 #v1.25.1
        continue-on-error: true
        with:
          path: ./terraform
      - name: Terraform Validate
        id: validate
        uses: dflook/terraform-validate@85bc5b5cab93240dc66bf7b9e744570f12ace9d6 #v1.25.1
        with:
          path: ./terraform
      - name: Terraform Plan
        uses: dflook/terraform-plan@7196a67f47a16ef4f7e12ff0b55205e5eb2cee55 #v1.25.1
        id: plan
        with:
          var_file: |
            terraform/vars/tvm-ci-prod.auto.tfvars
          path: ./terraform
          workspace: tvm-ci-prod