name: Destroy

on:
  workflow_dispatch:
    inputs:
      confirm:
        description: 'Type "destroy" to confirm'
        required: true
        default: ''
      require_rancher_backup:
        description: 'Require an existing Rancher B2 backup before destroy'
        required: true
        default: 'true'
        type: choice
        options:
          - 'true'
          - 'false'

concurrency:
  group: prod-cluster
  cancel-in-progress: false

env:
  TF_VERSION: "1.7.0"
  TF_VAR_s3_access_key: ${{ secrets.S3_ACCESS_KEY }}
  TF_VAR_s3_secret_key: ${{ secrets.S3_SECRET_KEY }}
  TF_VAR_s3_endpoint: ${{ secrets.S3_ENDPOINT }}
  TF_VAR_s3_bucket: ${{ secrets.S3_BUCKET }}
  TF_VAR_tailscale_tailnet: ${{ secrets.TAILSCALE_TAILNET }}
  TF_VAR_proxmox_endpoint: ${{ secrets.PROXMOX_ENDPOINT }}
  TF_VAR_proxmox_api_token_id: ${{ secrets.PROXMOX_API_TOKEN_ID }}
  TF_VAR_proxmox_api_token_secret: ${{ secrets.PROXMOX_API_TOKEN_SECRET }}
  TF_VAR_proxmox_insecure: "true"
  B2_ACCOUNT_ID: ${{ secrets.B2_ACCOUNT_ID }}
  B2_APPLICATION_KEY: ${{ secrets.B2_APPLICATION_KEY }}

jobs:
  destroy:
    name: Destroy Cluster
    runs-on: ubuntu-latest
    if: github.event.inputs.confirm == 'destroy'
    environment: destroy
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Setup Terraform
        uses: hashicorp/setup-terraform@v3
        with:
          terraform_version: ${{ env.TF_VERSION }}

      - name: Setup SSH Keys
        run: |
          mkdir -p ~/.ssh
          echo "${{ secrets.SSH_PRIVATE_KEY }}" > ~/.ssh/id_ed25519
          chmod 600 ~/.ssh/id_ed25519
          echo "${{ secrets.SSH_PUBLIC_KEY }}" > ~/.ssh/id_ed25519.pub
          chmod 644 ~/.ssh/id_ed25519.pub

      - name: Terraform Init
        working-directory: terraform
        run: |
          terraform init \
            -backend-config="endpoint=${{ secrets.S3_ENDPOINT }}" \
            -backend-config="bucket=${{ secrets.S3_BUCKET }}" \
            -backend-config="region=auto" \
            -backend-config="access_key=${{ secrets.S3_ACCESS_KEY }}" \
            -backend-config="secret_key=${{ secrets.S3_SECRET_KEY }}" \
            -backend-config="skip_requesting_account_id=true"

      - name: Verify Rancher backup exists
        if: github.event.inputs.require_rancher_backup == 'true'
        run: |
          set -euo pipefail
          if [ -z "${B2_ACCOUNT_ID}" ] || [ -z "${B2_APPLICATION_KEY}" ]; then
            echo "B2 credentials are not available in this workflow/environment; cannot verify Rancher backups." >&2
            exit 1
          fi

          CREDS=$(printf '%s:%s' "${B2_ACCOUNT_ID}" "${B2_APPLICATION_KEY}" | base64 -w0)
          AUTH_RESP=$(curl -fsS -H "Authorization: Basic ${CREDS}" https://api.backblazeb2.com/b2api/v2/b2_authorize_account) || {
            echo "Failed to authorize with B2; check B2_ACCOUNT_ID/B2_APPLICATION_KEY in the destroy environment." >&2
            exit 1
          }
          API_URL=$(printf '%s' "${AUTH_RESP}" | python3 -c "import json,sys; print(json.load(sys.stdin)['apiUrl'])")
          AUTH_TOKEN=$(printf '%s' "${AUTH_RESP}" | python3 -c "import json,sys; print(json.load(sys.stdin)['authorizationToken'])")
          BUCKET_ID=$(printf '%s' "${AUTH_RESP}" | python3 -c "import json,sys; print(json.load(sys.stdin).get('allowed', {}).get('bucketId') or '')")

          if [ -z "${BUCKET_ID}" ]; then
            BUCKET_ID=$(curl -fsS -H "Authorization: Bearer ${AUTH_TOKEN}" \
              "${API_URL}/b2api/v2/b2_list_buckets?accountId=${B2_ACCOUNT_ID}&bucketName=HetznerTerra" \
              | python3 -c "import json,sys; buckets=json.load(sys.stdin).get('buckets',[]); print(buckets[0]['bucketId'] if buckets else '')")
          fi

          LATEST=$(curl -fsS -H "Authorization: Bearer ${AUTH_TOKEN}" \
            -H "Content-Type: application/json" \
            -d "{\"bucketId\":\"${BUCKET_ID}\",\"prefix\":\"rancher-backups/\",\"maxFileCount\":100}" \
            "${API_URL}/b2api/v2/b2_list_file_names" \
            | python3 -c "import json,sys; files=json.load(sys.stdin).get('files', []); tars=sorted(f['fileName'] for f in files if f['fileName'].endswith('.tar.gz')); print(tars[-1] if tars else '')")

          if [ -z "${LATEST}" ]; then
            echo "No Rancher backup found in B2; refusing to destroy cluster." >&2
            exit 1
          fi

          echo "Verified Rancher backup exists: ${LATEST}"

      - name: Skip Rancher backup verification
        if: github.event.inputs.require_rancher_backup == 'false'
        run: |
          echo "Rancher backup verification explicitly skipped for this destroy run."

      - name: Terraform Destroy
        id: destroy
        working-directory: terraform
        run: |
          set +e
          for attempt in 1 2 3; do
            echo "Terraform destroy attempt ${attempt}/3"
            terraform destroy \
              -var="ssh_public_key=$HOME/.ssh/id_ed25519.pub" \
              -var="ssh_private_key=$HOME/.ssh/id_ed25519" \
              -auto-approve
            rc=$?
            if [ "$rc" -eq 0 ]; then
              exit 0
            fi
            if [ "$attempt" -lt 3 ]; then
              echo "Terraform destroy failed with exit code ${rc}; retrying in 30s"
              sleep 30
              terraform refresh \
                -var="ssh_public_key=$HOME/.ssh/id_ed25519.pub" \
                -var="ssh_private_key=$HOME/.ssh/id_ed25519" || true
            fi
          done
          exit "$rc"

      - name: Terraform state diagnostics
        if: failure() && steps.destroy.outcome == 'failure'
        run: |
          terraform -chdir=terraform state list || true