.github/workflows/infra.yml

name: Infrastructure

on:
  pull_request:
    branches:
      - main
  push:
    branches:
      - main
  workflow_dispatch:

jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4

      - name: Install Dependencies
        uses: ./.github/actions/setup-terragrunt

      - name: Check Formatting
        working-directory: ${{ steps.extract-information.outputs.account }}
        run: |
          terragrunt hclfmt
          git diff --exit-code

  prepare:
    runs-on: ubuntu-latest
    outputs:
      accounts: ${{ steps.generate-matrixes.outputs.accounts }}
      management_accounts: ${{ steps.generate-matrixes.outputs.management_accounts }}
      governance_accounts: ${{ steps.generate-matrixes.outputs.governance_accounts }}
      workload_accounts: ${{ steps.generate-matrixes.outputs.workload_accounts }}
      sandbox_accounts: ${{ steps.generate-matrixes.outputs.sandbox_accounts }}
    steps:
      - name: Checkout
        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
        with:
          token: ${{ secrets.INFRASTRUCTURE_PRIVATE_PAT }}
          submodules: 'true'

      - name: Extract Info
        id: extract-information
        uses: ./.github/actions/extract-account-info
        with:
          accounts-file: ./_private/accounts.json

      - name: Generate Matrixes
        id: generate-matrixes
        env:
          ACCOUNTS: ${{ steps.extract-information.outputs.accounts }}
          MANAGEMENT_ACCOUNTS: ${{ steps.extract-information.outputs.management-accounts }}
          GOVERNANCE_ACCOUNTS: ${{ steps.extract-information.outputs.governance-accounts }}
          WORKLOAD_ACCOUNTS: ${{ steps.extract-information.outputs.workload-accounts }}
          SANDBOX_ACCOUNTS: ${{ steps.extract-information.outputs.sandbox-accounts }}
        run: |
          # Create a string that looks like this: management_accounts=["account1", "account2"]
          ACCOUNTS_STRING=$(echo $ACCOUNTS | jq -Rc 'split(" ")')
          MANAGEMENT_ACCOUNTS_STRING=$(echo $MANAGEMENT_ACCOUNTS | jq -Rc 'split(" ")')
          GOVERNANCE_ACCOUNTS_STRING=$(echo $GOVERNANCE_ACCOUNTS | jq -Rc 'split(" ")')
          WORKLOAD_ACCOUNTS_STRING=$(echo $WORKLOAD_ACCOUNTS | jq -Rc 'split(" ")')
          SANDBOX_ACCOUNTS_STRING=$(echo $SANDBOX_ACCOUNTS | jq -Rc 'split(" ")')
          echo "accounts=$ACCOUNTS_STRING" >> $GITHUB_OUTPUT
          echo "management_accounts=$MANAGEMENT_ACCOUNTS_STRING" >> $GITHUB_OUTPUT
          echo "governance_accounts=$GOVERNANCE_ACCOUNTS_STRING" >> $GITHUB_OUTPUT
          echo "workload_accounts=$WORKLOAD_ACCOUNTS_STRING" >> $GITHUB_OUTPUT
          echo "sandbox_accounts=$SANDBOX_ACCOUNTS_STRING" >> $GITHUB_OUTPUT

  plan:
    uses: ./.github/workflows/_plan.yml
    secrets: inherit
    needs: prepare
    permissions:
      id-token: write
      contents: read
    strategy:
      fail-fast: false
      matrix:
        account: ${{ fromJson(needs.prepare.outputs.accounts) }}
    with:
      accounts-file: ./_private/accounts.json
      account: ${{ matrix.account }}

  deploy-management:
    uses: ./.github/workflows/_deploy.yml
    if: github.event_name != 'pull_request' && github.ref == 'refs/heads/main'
    secrets: inherit
    needs: [prepare, plan]
    permissions:
      id-token: write
      contents: read
    strategy:
      matrix:
        account: ${{ fromJson(needs.prepare.outputs.management_accounts) }}
    with:
      accounts-file: ./_private/accounts.json
      account: ${{ matrix.account }}

  deploy-governance:
    uses: ./.github/workflows/_deploy.yml
    if: github.event_name != 'pull_request'
    secrets: inherit
    needs: [prepare, plan, deploy-management]
    permissions:
      id-token: write
      contents: read
    strategy:
      matrix:
        account: ${{ fromJson(needs.prepare.outputs.governance_accounts) }}
    with:
      accounts-file: ./_private/accounts.json
      account: ${{ matrix.account }}

  deploy-workload:
    uses: ./.github/workflows/_deploy.yml
    if: github.event_name != 'pull_request'
    secrets: inherit
    needs: [prepare, plan, deploy-management, deploy-governance]
    permissions:
      id-token: write
      contents: read
    strategy:
      matrix:
        account: ${{ fromJson(needs.prepare.outputs.workload_accounts) }}
    with:
      accounts-file: ./_private/accounts.json
      account: ${{ matrix.account }}

  deploy-sandbox:
    uses: ./.github/workflows/_deploy.yml
    if: github.event_name != 'pull_request'
    secrets: inherit
    needs: [prepare, plan, deploy-management, deploy-governance]
    permissions:
      id-token: write
      contents: read
    strategy:
      matrix:
        account: ${{ fromJson(needs.prepare.outputs.sandbox_accounts) }}
    with:
      accounts-file: ./_private/accounts.json
      account: ${{ matrix.account }}