name: tfvalidate

on:
  push:
    branches:
      - main
    paths:
      - '**.tf'
  pull_request:
    paths:
      - '**.tf'
  workflow_dispatch: # Manual dispatch

# This allows a subsequently queued workflow run to interrupt previous runs
concurrency:
  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id}}
  cancel-in-progress: true

defaults:
  run:
    # fail-fast using bash -eo pipefail. See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#exit-codes-and-error-action-preference
    shell: bash

permissions:
  contents: read

jobs:
  tfvalidate:
    name: terraform validate
    runs-on: ubuntu-latest

    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
        with:
          egress-policy: audit

      - name: Clone repo
        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3

      - name: Install terraform
        uses: hashicorp/setup-terraform@633666f66e0061ca3b725c73b2ec20cd13a8fdd1 # v2.0.3
        with:
          terraform_version: 1.10.4
      # If we want to test more of these, consider using a matrix.  With a matrix of directories, all terraform modules could be fully tested and potentially in parallel.
      - name: Validate loadtesting
        working-directory: ./infrastructure/loadtesting/terraform
        run: |
          terraform init -backend=false
          terraform validate

      - name: Validate infrastructure
        working-directory: ./infrastructure/infrastructure/terraform
        run: |
          terraform init -backend=false
          terraform validate

      - name: Validate dogfood
        working-directory: ./infrastructure/dogfood/terraform/aws-tf-module
        run: |
          terraform init -backend=false
          terraform validate

      - name: Validate root terraform module
        working-directory: ./terraform
        run: |
          terraform init -backend=false
          terraform validate