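# Manually dispatched workflow that plans, applies or destroys the osquery-perf
# load-test infrastructure in a caller-chosen Terraform workspace.
#
# Security note: every workflow_dispatch input is handed to shell steps through
# `env:` and referenced as a quoted shell variable. `${{ inputs.* }}` is never
# expanded inside `run:` because the expression is substituted into the script
# text before bash parses it, so a crafted input value would be executed as
# shell code on a runner that holds AWS credentials.
name: Deploy Loadtest - Osquery Perf

on:
  workflow_dispatch:
    inputs:
      terraform_workspace:
        description: 'Terraform workspace that you will be deploying to.'
        type: string
        required: true
      git_tag_branch:
        description: 'git Tag or Branch to use for osquery-perf deployment'
        type: string
        default: 'main'
        required: true
      loadtest_containers:
        description: >-
          Deploys osquery-perf containers all at once. Total number of
          osquery-perf tasks to run (should be a multiple of 8, if setting
          loadtest_containers_starting_index). This is also used as the end
          index in enroll.sh
        type: string
        required: true
      loadtest_containers_starting_index:
        description: 'Starting Index for enroll.sh. (Default: 0).'
        type: string
        # Quoted so the default is a string, matching `type: string`.
        default: '0'
        required: true
      sleep_time:
        description: 'Sleep time (in seconds) between batched osquery container deployments'
        type: string
        default: '60'
        required: true
      extra_flags:
        description: 'Extra flags for osquery-perf. Example: ["--orbit_prob", "0.0"]'
        type: string
        default: '["--orbit_prob", "0.0"]'
        required: false
      terraform_action:
        description: 'Dry run only? No "terraform apply"'
        type: choice
        options:
          - plan
          - apply
          - destroy
        default: plan

# This allows a subsequently queued workflow run to interrupt previous runs
# NOTE(review): the only trigger is workflow_dispatch, where github.head_ref is
# empty, so the group falls back to github.run_id and is unique per run. As
# written no run cancels another; two runs against the same workspace are
# serialized only by whatever locking the Terraform backend provides.
concurrency:
  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id}}
  cancel-in-progress: true

defaults:
  run:
    # fail-fast using bash -eo pipefail.
    # See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#exit-codes-and-error-action-preference
    shell: bash
    working-directory: infrastructure/loadtesting/terraform/osquery_perf

env:
  AWS_REGION: us-east-2
  AWS_IAM_ROLE: arn:aws:iam::917007347864:role/github-actions-role
  TF_ACTIONS_WORKING_DIR: infrastructure/loadtesting/terraform/osquery_perf
  # Values set under `env:` reach Terraform as data, not as script text.
  TF_VAR_extra_flags: "${{ inputs.extra_flags || '[]' }}"
  TF_VAR_loadtest_containers: "${{ inputs.loadtest_containers }}"
  TF_VAR_git_tag_branch: "${{ inputs.git_tag_branch }}"

permissions:
  # Lets the job request an OIDC token, used below to assume AWS_IAM_ROLE.
  id-token: write
  contents: read # This is required for actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b

jobs:
  deploy:
    name: Deploy Fleet Loadtest Environment
    runs-on: ubuntu-latest
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
        with:
          # audit records outbound traffic but does not block it.
          egress-policy: audit

      - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b

      # NOTE(review): github.ref is fully qualified (e.g. refs/heads/main), so
      # this comparison never matches and the guard never fires. If runs
      # dispatched from main are meant to be rejected before AWS credentials
      # are issued, compare against 'refs/heads/main' (or use github.ref_name).
      - id: fail-on-main
        run: "false"
        if: ${{ github.ref == 'main' }}

      - uses: aws-actions/configure-aws-credentials@67fbcbb121271f7775d2e7715933280b06314838 # v1.7.0
        with:
          role-to-assume: ${{ env.AWS_IAM_ROLE }}
          aws-region: ${{ env.AWS_REGION }}
          role-duration-seconds: 10800

      - name: Set up Go
        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
        with:
          go-version-file: 'go.mod'

      - uses: hashicorp/setup-terraform@633666f66e0061ca3b725c73b2ec20cd13a8fdd1 # v2.0.3
        with:
          terraform_version: '1.10.2'
          terraform_wrapper: false

      - name: Terraform Init
        id: init
        run: terraform init

      # Selects the requested workspace, creating it first for plan/apply.
      # Failure here is tolerated; later steps re-check the active workspace.
      - name: Terraform workspace
        id: workspace
        env:
          # Not named TF_WORKSPACE: Terraform itself reads that variable.
          TARGET_WORKSPACE: ${{ inputs.terraform_workspace }}
          TERRAFORM_ACTION: ${{ inputs.terraform_action }}
        run: |
          # Strip the "* " / "  " list markers, then match the whole line as a
          # fixed string so "foo" does not match an existing "foobar".
          workspaces="$(terraform workspace list | sed 's/^[* ]*//')"
          if grep -Fxq -- "$TARGET_WORKSPACE" <<<"$workspaces"; then
            echo "MATCH - TF_WORKSPACE: ${TARGET_WORKSPACE}\n"
            if [[ "$TERRAFORM_ACTION" = "apply" || "$TERRAFORM_ACTION" = "plan" || "$TERRAFORM_ACTION" = "destroy" ]]; then
              # bash -e aborts the step if the select fails.
              terraform workspace select "$TARGET_WORKSPACE"
              echo "WORKSPACE CHANGED TO ${TARGET_WORKSPACE}\n"
            fi
          else
            echo "NO MATCH - TF_WORKSPACE: ${TARGET_WORKSPACE}\n"
            if [[ "$TERRAFORM_ACTION" = "apply" || "$TERRAFORM_ACTION" = "plan" ]]; then
              echo "CREATING NEW TERRAFORM WORKSPACE: ${TARGET_WORKSPACE}"
              # Tested directly in the `if` so the error branch is reachable;
              # a separate `$?` check never runs after a failure under bash -e.
              if terraform workspace new "$TARGET_WORKSPACE"; then
                echo "TERRAFORM WORKSPACE: SUCCESSFULLY CREATED"
              else
                echo "TERRAFORM WORKSPACE: ERROR CREATING"
                exit 1
              fi
            fi
          fi
        continue-on-error: true

      - name: Terraform fmt
        id: fmt
        run: terraform fmt -check
        continue-on-error: true

      - name: Terraform Validate
        id: validate
        run: terraform validate -no-color

      - name: Terraform Plan
        id: plan
        env:
          TARGET_WORKSPACE: ${{ inputs.terraform_workspace }}
        run: |
          if [[ "$(terraform workspace show)" = "$TARGET_WORKSPACE" ]]; then
            echo "TERRAFORM WORKSPACE: MATCHES - ${TARGET_WORKSPACE}"
            terraform plan -no-color
          else
            echo "TERRAFORM WORKSPACE: DOES NOT MATCH INPUT - ${TARGET_WORKSPACE}"
          fi
        continue-on-error: true

      - name: Terraform Apply
        if: inputs.terraform_action == 'apply'
        id: apply
        env:
          TARGET_WORKSPACE: ${{ inputs.terraform_workspace }}
          GIT_TAG_BRANCH: ${{ inputs.git_tag_branch }}
          STARTING_INDEX: ${{ inputs.loadtest_containers_starting_index }}
          LOADTEST_CONTAINERS: ${{ inputs.loadtest_containers }}
          SLEEP_TIME: ${{ inputs.sleep_time }}
        run: |
          if [[ "$(terraform workspace show)" != "$TARGET_WORKSPACE" ]]; then
            echo "TERRAFORM WORKSPACE: DOES NOT MATCH INPUT - ${TARGET_WORKSPACE}"
            # Fail instead of reporting success for an apply that did nothing.
            exit 1
          fi
          echo "TERRAFORM WORKSPACE: MATCHES - ${TARGET_WORKSPACE}"
          ./enroll.sh "$GIT_TAG_BRANCH" "$STARTING_INDEX" "$LOADTEST_CONTAINERS" "$SLEEP_TIME"

      - name: Terraform Destroy
        if: inputs.terraform_action == 'destroy'
        id: destroy
        env:
          TARGET_WORKSPACE: ${{ inputs.terraform_workspace }}
        run: |
          if [[ "$(terraform workspace show)" != "$TARGET_WORKSPACE" ]]; then
            echo "TERRAFORM WORKSPACE: DOES NOT MATCH INPUT - ${TARGET_WORKSPACE}"
            # Fail so a destroy that removed nothing is not shown as green.
            exit 1
          fi
          echo "TERRAFORM WORKSPACE: MATCHES - ${TARGET_WORKSPACE}"

          if [[ $(terraform state list | wc -l) -gt 0 ]]; then
            echo "RESOURCES DETECTED IN TERRAFORM STATE FILE"
            echo "TERRAFORM DESTROY: STARTED"
            if terraform destroy -auto-approve; then
              echo "TERRAFORM DESTROY: SUCCESSFUL\n"
            else
              echo "TERRAFORM DESTROY: ERROR\n"
              exit 1
            fi
          else
            echo "NO RESOURCES DETECTED IN TERRAFORM STATE FILE"
          fi

          # Reached only when the state is empty or the destroy succeeded.
          echo "SETTING WORKSPACE TO DEFAULT"
          if terraform workspace select default; then
            echo "TERRAFORM WORKSPACE: SUCCESSFULLY SELECTING DEFAULT\n"
          else
            echo "TERRAFORM WORKSPACE: ERROR SELECTING DEFAULT\n"
            exit 1
          fi

          echo "REMOVING TERRAFORM WORKSPACE: ${TARGET_WORKSPACE}"
          if terraform workspace delete "$TARGET_WORKSPACE"; then
            echo "TERRAFORM WORKSPACE: SUCCESSFULLY DELETED\n"
          else
            echo "TERRAFORM WORKSPACE: ERROR DELETING\n"
            exit 1
          fi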