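---
# Plan-only Terraform workflow for the stage/test branches.
#
# Secrets reach the shell steps through `env:`, not by `${{ }}` interpolation
# into the script text: an interpolated secret containing a quote, `$` or
# newline would otherwise be spliced into the shell source itself and could
# break the heredocs (the original `echo -n '${{ ... }}'` also broke on a
# secret containing a single quote).
name: Terraform Plan

on:  # yamllint disable-line rule:truthy
  push:
    branches:
      - stage
      - test

# Least privilege for GITHUB_TOKEN: checkout needs only read access and
# upload-artifact does not authenticate with GITHUB_TOKEN at all.
permissions:
  contents: read

jobs:
  terraform:
    name: "Terraform Plan"
    runs-on: ubuntu-latest
    defaults:
      run:
        # `shell: bash` enables `-o pipefail`; with the plain default shell a
        # failing command on the left of a pipe (e.g. `terraform show`) would
        # be masked by the right-hand side succeeding.
        shell: bash
        # Every run step in this job operates inside the terraform/ directory.
        working-directory: terraform

    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          # Nothing here pushes back to the repository, so do not leave the
          # GITHUB_TOKEN in .git/config for later steps to pick up.
          persist-credentials: false

      - name: Create secrets.tfvars
        env:
          PM_API_TOKEN_SECRET: ${{ secrets.PM_API_TOKEN_SECRET }}
          B2_TF_BUCKET: ${{ secrets.B2_TF_BUCKET }}
          B2_TF_ENDPOINT: ${{ secrets.B2_TF_ENDPOINT }}
          B2_KEY_ID: ${{ secrets.B2_KEY_ID }}
          B2_APPLICATION_KEY: ${{ secrets.B2_APPLICATION_KEY }}
        run: |
          # Print only the length as a sanity check that the secret is set;
          # the value itself never appears in the log.
          echo "PM_API_TOKEN_SECRET length: $(printf '%s' "$PM_API_TOKEN_SECRET" | wc -c)"

          # NOTE(review): values are dropped into HCL string literals as-is; a
          # secret containing `"` or `${` would still need HCL escaping — TODO
          # confirm none of these secrets can contain such characters.
          cat > secrets.auto.tfvars << EOF
          pm_api_token_secret = "${PM_API_TOKEN_SECRET}"
          EOF

          # Strip stray CR/LF (e.g. from a pasted secret) from the B2 key pair
          # before it is written into the backend config.
          B2_KEY_ID="$(printf '%s' "$B2_KEY_ID" | tr -d '\r\n')"
          B2_APPLICATION_KEY="$(printf '%s' "$B2_APPLICATION_KEY" | tr -d '\r\n')"

          # S3-compatible backend config for Backblaze B2; the skip_* flags
          # disable AWS-specific validation that a non-AWS endpoint cannot pass.
          cat > backend.hcl << EOF
          bucket = "${B2_TF_BUCKET}"
          key = "terraform.tfstate"
          region = "us-east-005"
          endpoints = { s3 = "${B2_TF_ENDPOINT}" }
          access_key = "${B2_KEY_ID}"
          secret_key = "${B2_APPLICATION_KEY}"
          skip_credentials_validation = true
          skip_metadata_api_check = true
          skip_region_validation = true
          skip_requesting_account_id = true
          use_path_style = true
          EOF

          # Show the generated file with every value redacted.
          echo "Created secrets.auto.tfvars:"
          sed 's/=.*/=***/' secrets.auto.tfvars
          # Fails the step (set -e) if the committed token id is missing.
          echo "Using token ID from terraform.tfvars:"
          grep '^pm_api_token_id' terraform.tfvars

      - name: Set up Terraform
        uses: hashicorp/setup-terraform@v2
        with:
          # Quoted so no YAML loader can reinterpret the version as a number.
          terraform_version: "1.6.6"

      - name: Terraform Init
        run: terraform init -reconfigure -backend-config=backend.hcl

      - name: Terraform Format Check
        run: terraform fmt -check -recursive

      - name: Terraform Validate
        run: terraform validate

      - name: Terraform Plan
        run: terraform plan -out=tfplan

      - name: Block accidental destroy
        env:
          # Opt-in escape hatch; anything other than the string "true" blocks.
          ALLOW_TF_DESTROY: ${{ secrets.ALLOW_TF_DESTROY }}
        run: |
          # The JSON rendering of the plan may contain sensitive values in
          # plaintext, so it is inspected locally and removed afterwards; it is
          # never uploaded.
          terraform show -json tfplan > tfplan.json
          # Counts every resource change whose action list includes "delete";
          # this also covers replacements (delete+create), which is intended.
          DESTROY_COUNT=$(python3 -c 'import json; p=json.load(open("tfplan.json")); print(sum(1 for rc in p.get("resource_changes", []) if "delete" in rc.get("change", {}).get("actions", [])))')
          rm -f tfplan.json
          echo "Planned deletes: $DESTROY_COUNT"
          if [ "$DESTROY_COUNT" -gt 0 ] && [ "${ALLOW_TF_DESTROY}" != "true" ]; then
            echo "Destroy actions detected. Set ALLOW_TF_DESTROY=true to allow."
            exit 1
          fi

      - name: Upload Terraform Plan
        # v3 of upload-artifact is deprecated; v4 is the supported release.
        uses: actions/upload-artifact@v4
        with:
          name: terraform-plan
          # NOTE(review): a saved plan embeds the input variable values
          # (including pm_api_token_secret) unencrypted, so anyone who can read
          # this run's artifacts can read them — TODO confirm the artifact's
          # audience and retention are acceptable for that.
          path: terraform/tfplan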