Model/.github/workflows/deploy_terraform.yml

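name: Deploy infrastructure

# Triggered by a push to any branch. The branch name selects the Terraform
# workspace (see determine_stage): only `prod` maps to prod, everything
# else is planned against dev.
on:
  push:
    branches:
      - "**"

jobs:
  determine_stage:
    runs-on: ubuntu-latest
    # No checkout and no GitHub API calls: the job needs no GITHUB_TOKEN
    # permissions at all.
    permissions: {}
    outputs:
      stage: ${{ steps.set-stage.outputs.stage }}
    steps:
      - name: Determine stage from branch
        id: set-stage
        shell: bash
        run: |
          BRANCH="${GITHUB_REF_NAME}"
          # Only the `prod` branch selects the prod workspace; `dev` and every
          # other branch (feature branches, etc.) are treated as dev.
          if [[ "$BRANCH" == "prod" ]]; then
            STAGE="prod"
          else
            STAGE="dev"
          fi
          echo "stage=${STAGE}" >> "$GITHUB_OUTPUT"
          # Log the resolved value itself rather than dumping the whole
          # GITHUB_OUTPUT file.
          echo "Resolved branch '${BRANCH}' to stage '${STAGE}'"

  # ============================================================
  # 1. Shared Terraform (plan only for now)
  # ============================================================
  shared_terraform:
    needs: determine_stage
    runs-on: ubuntu-latest
    # Plan only: reading the repository is all this job needs from
    # GITHUB_TOKEN.
    permissions:
      contents: read
    env:
      STAGE: ${{ needs.determine_stage.outputs.stage }}
    steps:
      # Actions are referenced by major tag; pinning to a full commit SHA
      # gives a reproducible, tamper-evident reference.
      - name: Checkout
        uses: actions/checkout@v4
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          # This will need to be changed to env imports when we have different env to dynamically allocate prod, staging etc
          # NOTE(review): the same long-lived DEV_* keys are used for every
          # stage, including the prod workspace plan. An OIDC role per stage
          # (`role-to-assume`) would remove the static keys from secrets.
          aws-access-key-id: ${{ secrets.DEV_AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.DEV_AWS_SECRET_ACCESS_KEY }}
          aws-region: ${{ secrets.DEV_AWS_REGION }}
      - name: Setup Terraform
        uses: hashicorp/setup-terraform@v3
      - name: Terraform Init (shared)
        working-directory: infrastructure/terraform/shared
        run: terraform init -reconfigure
      - name: Terraform Workspace (shared)
        working-directory: infrastructure/terraform/shared
        # Select the workspace for this stage, creating it on first use.
        run: terraform workspace select "${STAGE}" || terraform workspace new "${STAGE}"
      - name: Terraform Plan (shared)
        working-directory: infrastructure/terraform/shared
        run: terraform plan -var-file="${STAGE}.tfvars" -out=tfplan
      # - name: Terraform Apply (shared)
      #   working-directory: infrastructure/terraform/shared
      #   run: terraform apply -auto-approve -var-file=${STAGE}.tfvars tfplan

  # ============================================================
  # 2. Build Docker image (tag = GitHub SHA, digest resolved)
  # ============================================================
  image:
    needs: determine_stage
    uses: ./.github/workflows/_build_image.yml
    with:
      ecr_repo: address2uprn-${{ needs.determine_stage.outputs.stage }}
      dockerfile_path: backend/address2UPRN/Dockerfile
      build_context: backend/address2UPRN
    secrets:
      AWS_ACCESS_KEY_ID: ${{ secrets.DEV_AWS_ACCESS_KEY_ID }}
      AWS_SECRET_ACCESS_KEY: ${{ secrets.DEV_AWS_SECRET_ACCESS_KEY }}
      AWS_REGION: ${{ secrets.DEV_AWS_REGION }}

  # ============================================================
  # 3. Deploy Lambda (Terraform, immutable digest)
  # ============================================================
  # deploy_lambda:
  #   needs: [image, determine_stage]
  #   uses: ./.github/workflows/_deploy_lambda.yml
  #   with:
  #     lambda_name: address2uprn
  #     lambda_path: infrastructure/terraform/lambda/address2uprn
  #     stage: ${{ needs.determine_stage.outputs.stage }}
  #     aws_region: ${{ secrets.DEV_AWS_REGION }}
  #     image_digest: ${{ needs.image.outputs.image_digest }}
  #   secrets:
  #     AWS_ACCESS_KEY_ID: ${{ secrets.DEV_AWS_ACCESS_KEY_ID }}
  #     AWS_SECRET_ACCESS_KEY: ${{ secrets.DEV_AWS_SECRET_ACCESS_KEY }}
  #     AWS_ACCOUNT_ID: ${{ secrets.AWS_ACCOUNT_ID }}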