lunarfront-infra/.gitea/workflows/terraform.yml


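---
# Terraform workflow: runs `terraform plan` on pushes to main that touch
# terraform/**, and plan / apply / destroy on manual dispatch according to the
# `action` input.
name: Terraform

on:
  push:
    branches: [main]
    paths:
      - 'terraform/**'
  workflow_dispatch:
    inputs:
      action:
        description: 'Terraform action to run'
        required: true
        default: 'plan'
        type: choice
        options:
          - plan
          - apply
          - destroy

jobs:
  terraform:
    runs-on: ubuntu-latest
    # NOTE(review): `:latest` is a mutable tag, and every step below hands cloud
    # credentials to whatever image it currently resolves to. Pin the image by
    # digest (`...ci-runner@sha256:<digest>`) so the job runs the image that
    # was reviewed.
    container: registry.lunarfront.tech/ryan/ci-runner:latest
    defaults:
      run:
        working-directory: terraform
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      # Init only receives the two AWS_* credentials (presumably for an
      # S3-compatible state backend; confirm against the backend block).
      # The provider tokens are deliberately not exposed to this step.
      - name: Terraform Init
        env:
          AWS_ACCESS_KEY_ID: ${{ secrets.SPACES_ACCESS_KEY }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.SPACES_SECRET_KEY }}
        # -input=false: fail fast instead of waiting on a prompt in CI.
        run: terraform init -input=false

      # Runs on every push event, and on manual dispatch when action == plan.
      - name: Terraform Plan
        if: github.event_name == 'push' || inputs.action == 'plan'
        env:
          AWS_ACCESS_KEY_ID: ${{ secrets.SPACES_ACCESS_KEY }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.SPACES_SECRET_KEY }}
          TF_VAR_do_token: ${{ secrets.DO_TOKEN }}
          TF_VAR_cloudflare_api_token: ${{ secrets.CF_API_TOKEN }}
          TF_VAR_ssh_key_name: ${{ secrets.DO_SSH_KEY_NAME }}
          TF_VAR_domain: ${{ secrets.DOMAIN }}
          TF_VAR_admin_ip: ${{ secrets.ADMIN_IP }}
        # -input=false: a missing TF_VAR_* becomes an error, not a prompt.
        run: terraform plan -input=false

      # Manual dispatch only. NOTE(review): this applies a plan computed at
      # apply time, not the output of the Plan step, and nothing here checks
      # which ref was dispatched. Consider restricting apply to main and
      # applying a saved plan file.
      - name: Terraform Apply
        if: inputs.action == 'apply'
        env:
          AWS_ACCESS_KEY_ID: ${{ secrets.SPACES_ACCESS_KEY }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.SPACES_SECRET_KEY }}
          TF_VAR_do_token: ${{ secrets.DO_TOKEN }}
          TF_VAR_cloudflare_api_token: ${{ secrets.CF_API_TOKEN }}
          TF_VAR_ssh_key_name: ${{ secrets.DO_SSH_KEY_NAME }}
          TF_VAR_domain: ${{ secrets.DOMAIN }}
          TF_VAR_admin_ip: ${{ secrets.ADMIN_IP }}
        run: terraform apply -input=false -auto-approve

      # Manual dispatch only. NOTE(review): -auto-approve means one selection
      # in the dispatch form tears the infrastructure down with no second
      # confirmation. Consider limiting who may dispatch this workflow, or
      # moving destroy to a separately protected workflow.
      - name: Terraform Destroy
        if: inputs.action == 'destroy'
        env:
          AWS_ACCESS_KEY_ID: ${{ secrets.SPACES_ACCESS_KEY }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.SPACES_SECRET_KEY }}
          TF_VAR_do_token: ${{ secrets.DO_TOKEN }}
          TF_VAR_cloudflare_api_token: ${{ secrets.CF_API_TOKEN }}
          TF_VAR_ssh_key_name: ${{ secrets.DO_SSH_KEY_NAME }}
          TF_VAR_domain: ${{ secrets.DOMAIN }}
          TF_VAR_admin_ip: ${{ secrets.ADMIN_IP }}
        run: terraform destroy -input=false -auto-approve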