.github/workflows/deploy_terraform.yml

name: Deploy Terraform

on:
  push:
    branches:
      - master
      - production
    paths:
      - '**.tf'

jobs:
  pre_job:
    name: Set Build Environment
    concurrency: 
      group: ${{ github.workflow }}-${{ needs.pre_job.outputs.env_name }}
      cancel-in-progress: true
    runs-on: ubuntu-latest
    outputs:
      env_name: ${{ steps.build_vars.outputs.env_name }}
      tf_change: ${{ steps.build_vars.outputs.has_terraform_change }}
    steps:
      - name: Check out changes
        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938
      - name: Build vars
        id: build_vars
        uses: ./.github/actions/build-vars

  confirm_changes:
    name: Check Terraform Stats - ${{ needs.pre_job.outputs.env_name }}
    if: ${{ needs.pre_job.outputs.tf_change == 'true' }}
    concurrency: 
      group: ${{ github.workflow }}-${{ needs.pre_job.outputs.env_name }}
      cancel-in-progress: true
    needs:
      - pre_job
    environment: ${{ needs.pre_job.outputs.env_name }}
    runs-on: ubuntu-latest
    outputs:
      change_count: ${{ steps.stats1.outputs.change-count }}
    steps:
      - name: Check Out Changes
        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938
      - name: Connect to VPN and login to Azure
        uses: ./.github/actions/vpn-azure
        with:
          env-name: ${{ needs.pre_job.outputs.env_name }}
          tls-key: ${{ secrets.TLS_KEY }}
          ca-cert: ${{ secrets.CA_CRT}}
          user-crt: ${{ secrets.USER_CRT }}
          user-key: ${{ secrets.USER_KEY }}
          sp-creds: ${{ secrets.SERVICE_PRINCIPAL_CREDS }}
          tf-auth: true
      - name: Collect Terraform stats
        uses: josiahsiegel/terraform-stats@68b8cbe42c494333fbf6f8d90ac86da1fb69dcc2
        id: stats1
        with:
          terraform-directory: operations/app/terraform/vars/${{ needs.pre_job.outputs.env_name }}
          terraform-version: 1.7.4
          add-args: "-refresh=false"

  approve_deploy:
    name: Approve Deploy - ${{ needs.pre_job.outputs.env_name }}
    concurrency: 
      group: ${{ github.workflow }}-${{ needs.pre_job.outputs.env_name }}
      cancel-in-progress: true
    needs:
      - pre_job
      - confirm_changes
    if: needs.confirm_changes.outputs.change_count > '0'
    runs-on: ubuntu-latest
    environment: ${{ needs.pre_job.outputs.env_name }}_terraform
    steps:
      - name: Echo change count
        run: echo ${{ needs.confirm_changes.outputs.change_count }}

  run_deploy:
    name: Run Deploy - ${{ needs.pre_job.outputs.env_name }}
    concurrency: 
      group: ${{ github.workflow }}-${{ needs.pre_job.outputs.env_name }}
      cancel-in-progress: true
    needs:
      - pre_job
      - approve_deploy
    if: needs.confirm_changes.outputs.change_count > '0'
    runs-on: ubuntu-latest
    environment: ${{ needs.pre_job.outputs.env_name }}
    defaults:
      run:
        working-directory: operations/app/terraform/vars/${{ needs.pre_job.outputs.env_name }}
    steps:
      - name: Check Out Changes
        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938
      - name: Connect to VPN and login to Azure
        uses: ./.github/actions/vpn-azure
        with:
          env-name: ${{ needs.pre_job.outputs.env_name }}
          tls-key: ${{ secrets.TLS_KEY }}
          ca-cert: ${{ secrets.CA_CRT}}
          user-crt: ${{ secrets.USER_CRT }}
          user-key: ${{ secrets.USER_KEY }}
          sp-creds: ${{ secrets.SERVICE_PRINCIPAL_CREDS }}
          tf-auth: true
      - name: Use specific version of Terraform
        uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd
        with:
          terraform_version: 1.7.4
          terraform_wrapper: false
      - name: Run Terraform
        run: |
          terraform init -input=false
          terraform apply -input=false -no-color -lock-timeout=600s -auto-approve