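# Reusable workflow: plans, and optionally applies or destroys, the Terraform
# configuration found in `lambda_path` for one Lambda function and one stage.
#
# Hardening notes for maintainers:
#   * Caller-supplied inputs and step outputs reach shell steps only through
#     `env:` and are referenced as quoted shell variables. Expanding
#     `${{ inputs.* }}` directly inside `run:` pastes the value into the
#     script text before the shell parses it, so a value containing quotes or
#     shell metacharacters would change the commands that run.
#   * Actions are referenced by mutable tag (`@v4`, `@v3`, `@v2`). Pinning
#     each `uses:` to a full commit SHA removes the dependency on a tag that
#     its owner can move.
#   * AWS access is via long-lived access keys passed as secrets.
#     NOTE(review): `aws-actions/configure-aws-credentials` also supports
#     short-lived credentials through OIDC (`role-to-assume`); adopting that
#     changes the `secrets:` interface and needs `id-token: write`.
name: Deploy Lambda (Terraform)

on:
  workflow_call:
    inputs:
      lambda_name:
        required: true
        type: string
      lambda_path:
        required: true
        type: string
      stage:
        required: true
        type: string
      ecr_repo:
        required: false
        type: string
        default: ''
      image_digest:
        required: false
        type: string
        default: ''
      # The two switches below are strings, not booleans. Apply runs only when
      # terraform_apply is exactly 'true' and terraform_destroy is not;
      # destroy runs only in the mirrored case. If both are 'true', or either
      # holds any other value, the job stops after `terraform plan`.
      terraform_apply:
        required: false
        type: string
        default: 'false'  # can only be 'true' or 'false'
      terraform_destroy:
        required: false
        type: string
        default: 'false'  # can only be 'true' or 'false'
    secrets:
      AWS_ACCESS_KEY_ID:
        required: true
      AWS_SECRET_ACCESS_KEY:
        required: true
      AWS_REGION:
        required: true
      TF_VAR_db_host:
        required: false
      TF_VAR_db_name:
        required: false
      TF_VAR_db_port:
        required: false
      TF_VAR_api_key:
        required: false
      TF_VAR_secret_key:
        required: false
      TF_VAR_domain_name:
        required: false
      TF_VAR_epc_auth_token:
        required: false
      TF_VAR_google_solar_api_key:
        required: false
      TF_VAR_ordnance_survey_api_key:
        required: false

jobs:
  deploy:
    runs-on: ubuntu-latest
    # Least privilege for GITHUB_TOKEN: the job only reads the repository.
    # AWS access comes from the access-key secrets, not from this token.
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
        with:
          # No later step uses git, so do not leave the token in .git/config
          # where Terraform providers and modules run.
          persist-credentials: false

      - name: Debug inputs
        env:
          LAMBDA_NAME: ${{ inputs.lambda_name }}
          LAMBDA_PATH: ${{ inputs.lambda_path }}
          STAGE: ${{ inputs.stage }}
          ECR_REPO: ${{ inputs.ecr_repo }}
          IMAGE_DIGEST: ${{ inputs.image_digest }}
        # Only non-secret inputs are printed. The original echoed
        # `inputs.ecr_repo_url`, which is not a declared input and therefore
        # always printed empty; the declared input is `ecr_repo`.
        run: |
          echo "lambda_name=${LAMBDA_NAME}"
          echo "lambda_path=${LAMBDA_PATH}"
          echo "stage=${STAGE}"
          echo "ecr_repo=${ECR_REPO}"
          echo "image_digest=${IMAGE_DIGEST}"

      - uses: aws-actions/configure-aws-credentials@v4
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: ${{ secrets.AWS_REGION }}

      - uses: hashicorp/setup-terraform@v3

      - uses: aws-actions/amazon-ecr-login@v2

      # Builds <account>.dkr.ecr.<region>.amazonaws.com/<ecr_repo> from the
      # identity of the configured credentials. The step also runs when
      # `ecr_repo` is empty; its output is consumed only when it is set.
      - name: Resolve ECR repo URL
        id: repo
        env:
          AWS_REGION: ${{ secrets.AWS_REGION }}
          ECR_REPO: ${{ inputs.ecr_repo }}
        run: |
          AWS_ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
          ECR_REPO_URL="${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com/${ECR_REPO}"
          echo "ecr_repo_url=$ECR_REPO_URL" >> "$GITHUB_OUTPUT"

      - name: Terraform Init
        working-directory: ${{ inputs.lambda_path }}
        run: terraform init -reconfigure

      # One Terraform workspace per stage; create it on first use.
      - name: Terraform Workspace
        working-directory: ${{ inputs.lambda_path }}
        env:
          STAGE: ${{ inputs.stage }}
        run: |
          terraform workspace select "${STAGE}" \
            || terraform workspace new "${STAGE}"

      # The plan always runs, including on destroy requests. The saved plan
      # file may hold the TF_VAR_* values in clear text: keep it on the
      # runner and do not upload it as an artifact.
      - name: Terraform Plan
        working-directory: ${{ inputs.lambda_path }}
        env:
          TF_VAR_db_host: ${{ secrets.TF_VAR_db_host }}
          TF_VAR_db_name: ${{ secrets.TF_VAR_db_name }}
          TF_VAR_db_port: ${{ secrets.TF_VAR_db_port }}
          TF_VAR_api_key: ${{ secrets.TF_VAR_api_key }}
          TF_VAR_secret_key: ${{ secrets.TF_VAR_secret_key }}
          TF_VAR_domain_name: ${{ secrets.TF_VAR_domain_name }}
          TF_VAR_epc_auth_token: ${{ secrets.TF_VAR_epc_auth_token }}
          TF_VAR_google_solar_api_key: ${{ secrets.TF_VAR_google_solar_api_key }}
          TF_VAR_ordnance_survey_api_key: ${{ secrets.TF_VAR_ordnance_survey_api_key }}
          STAGE: ${{ inputs.stage }}
          LAMBDA_NAME: ${{ inputs.lambda_name }}
          ECR_REPO: ${{ inputs.ecr_repo }}
          ECR_REPO_URL: ${{ steps.repo.outputs.ecr_repo_url }}
          IMAGE_DIGEST: ${{ inputs.image_digest }}
        run: |
          # An array keeps each -var argument intact even if a value contains
          # whitespace; the image variables are passed only for image-based
          # deployments (ecr_repo set).
          extra_vars=()
          if [[ -n "${ECR_REPO}" ]]; then
            extra_vars+=(
              "-var=ecr_repo_url=${ECR_REPO_URL}"
              "-var=image_digest=${IMAGE_DIGEST}"
            )
          fi

          terraform plan \
            -var="stage=${STAGE}" \
            -var="lambda_name=${LAMBDA_NAME}" \
            "${extra_vars[@]}" \
            -out=lambdaplan

      # Applies exactly the plan produced above, without a manual approval.
      - name: Terraform Apply
        if: inputs.terraform_apply == 'true' && inputs.terraform_destroy != 'true'
        working-directory: ${{ inputs.lambda_path }}
        run: terraform apply -auto-approve lambdaplan

      # Destroy does not use the saved plan, so it needs the same variables
      # again. It runs without a manual approval.
      - name: Terraform Destroy
        if: inputs.terraform_destroy == 'true' && inputs.terraform_apply != 'true'
        working-directory: ${{ inputs.lambda_path }}
        env:
          TF_VAR_db_host: ${{ secrets.TF_VAR_db_host }}
          TF_VAR_db_name: ${{ secrets.TF_VAR_db_name }}
          TF_VAR_db_port: ${{ secrets.TF_VAR_db_port }}
          TF_VAR_api_key: ${{ secrets.TF_VAR_api_key }}
          TF_VAR_secret_key: ${{ secrets.TF_VAR_secret_key }}
          TF_VAR_domain_name: ${{ secrets.TF_VAR_domain_name }}
          TF_VAR_epc_auth_token: ${{ secrets.TF_VAR_epc_auth_token }}
          TF_VAR_google_solar_api_key: ${{ secrets.TF_VAR_google_solar_api_key }}
          TF_VAR_ordnance_survey_api_key: ${{ secrets.TF_VAR_ordnance_survey_api_key }}
          STAGE: ${{ inputs.stage }}
          LAMBDA_NAME: ${{ inputs.lambda_name }}
          ECR_REPO: ${{ inputs.ecr_repo }}
          ECR_REPO_URL: ${{ steps.repo.outputs.ecr_repo_url }}
          IMAGE_DIGEST: ${{ inputs.image_digest }}
        run: |
          extra_vars=()
          if [[ -n "${ECR_REPO}" ]]; then
            extra_vars+=(
              "-var=ecr_repo_url=${ECR_REPO_URL}"
              "-var=image_digest=${IMAGE_DIGEST}"
            )
          fi

          terraform destroy -auto-approve \
            -var="stage=${STAGE}" \
            -var="lambda_name=${LAMBDA_NAME}" \
            "${extra_vars[@]}"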