.github/workflows/_add-aws-credentials-to-workspace.terraform.reusable.yml

name: zReusable - Add AWS credentials to workspace

on:
  workflow_call:
    inputs:
      workspace-name:
        required: true
        type: string
      organisation-name:
        required: true
        type: string
      terraform-api-organizations-endpoint:
        required: false
        type: string
        default: 'https://app.terraform.io/api/v2/organizations/'
      terraform-workspace-api-endpoint:
        required: false
        type: string
        default: 'https://app.terraform.io/api/v2/workspaces/'

    secrets:
      TF_API_TOKEN:
        required: true
      AWS_ACCESS_KEY_ID:
        required: true
      AWS_SECRET_ACCESS_KEY:
        required: true
      GPG_SECRET_SIGNING_PASSPHRASE:
        required: true

jobs:
  # Copy of _get-workspace-id.terraform.reusable.yml, using raw for call depth issues
  get-workspace-id:
    runs-on: ubuntu-latest
    outputs:
      workspace-id: ${{ steps.get-workspace-id.outputs.workspace-id }}
    steps:
      - name: Execute api request
        id: get-workspace-id
        run: >-
          WORKSPACE_ID=$(curl
          --header "Authorization: Bearer ${{ secrets.TF_API_TOKEN }}"
          --header "Content-Type: application/vnd.api+json"
          --request GET
          ${{ inputs.terraform-api-organizations-endpoint }}${{ inputs.organisation-name }}/workspaces/${{ inputs.workspace-name }}
          | jq '.data.id')
          
          echo $WORKSPACE_ID
        
          echo "::set-output name=workspace-id::$WORKSPACE_ID"

  json-payloads:
    runs-on: ubuntu-latest
    outputs:
      aws-access-key-id-payload: ${{ steps.aws-access-key-id-payload.outputs.payload }}
      aws-secret-access-key-payload: ${{ steps.aws-secret-access-key-payload.outputs.payload }}

    steps:
      - name: Generate aws access key id payload
        id: aws-access-key-id-payload
        run: >-
          AWS_ACCESS_KEY_ID_JSON_PAYLOAD=$(
          jq -r '.' <<< '
          {
            "data": 
              { 
                "type": "vars", 
                "attributes": {
                  "key": "AWS_ACCESS_KEY_ID",
                  "value": "${{ secrets.AWS_ACCESS_KEY_ID }}",
                  "description":"Aws access key id",
                  "category":"env",
                  "hcl":false,
                  "sensitive": true
                } 
              }
          }')
          
          AWS_ACCESS_KEY_ID_JSON_PAYLOAD_WITHOUT_WHITESPACES=$(echo $AWS_ACCESS_KEY_ID_JSON_PAYLOAD | sed 's/ //g')
          
          ENCRYPTED_PAYLOAD=$(
          gpg --symmetric --batch 
          --passphrase "${{ secrets.GPG_SECRET_SIGNING_PASSPHRASE }}"
          --output - <(echo "$AWS_ACCESS_KEY_ID_JSON_PAYLOAD_WITHOUT_WHITESPACES") 
          | base64 -w0
          )

          echo "::set-output name=payload::$ENCRYPTED_PAYLOAD"
        

      - name: Generate aws secret access key payload
        id: aws-secret-access-key-payload
        run: >-
          AWS_SECRET_ACCESS_KEY_JSON_PAYLOAD=$(
          jq -r '.' <<< '
          {
            "data": 
              { 
                "type": "vars", 
                "attributes": {
                  "key": "AWS_SECRET_ACCESS_KEY",
                  "value": "${{ secrets.AWS_SECRET_ACCESS_KEY }}",
                  "description":"Aws access key secret",
                  "category":"env",
                  "hcl":false,
                  "sensitive": true
                } 
              }
          }')
          
          AWS_SECRET_ACCESS_KEY_JSON_PAYLOAD_WITHOUT_WHITESPACES=$(echo $AWS_SECRET_ACCESS_KEY_JSON_PAYLOAD | sed 's/ //g')

          ENCRYPTED_PAYLOAD=$(
          gpg --symmetric --batch 
          --passphrase "${{ secrets.GPG_SECRET_SIGNING_PASSPHRASE }}"
          --output - <(echo "$AWS_SECRET_ACCESS_KEY_JSON_PAYLOAD_WITHOUT_WHITESPACES") 
          | base64 -w0
          )

          echo "::set-output name=payload::$ENCRYPTED_PAYLOAD"
          

  # Copy of _set-workspace-variable.terraform.reusable.yml, using raw for call depth issues
  set-workspace-variable:
    runs-on: ubuntu-latest
    needs:
      - get-workspace-id
      - json-payloads
    strategy:
      matrix:
        include: 
          - var: "aws-access-key-id"
            data: ${{ needs.json-payloads.outputs.aws-access-key-id-payload }}
          - var: "aws-secret-access-key"
            data: ${{ needs.json-payloads.outputs.aws-secret-access-key-payload }}

    steps:
      - name: Set ${{ matrix.var }} variable on workspace
        run: >-
          gpg --decrypt --quiet --batch 
          --passphrase "${{ secrets.GPG_SECRET_SIGNING_PASSPHRASE }}"
          --output - <(echo "${{ matrix.data }}" 
          | base64 --decode) > payload
          
          curl -s
          --header "Authorization: Bearer ${{ secrets.TF_API_TOKEN }}"
          --header "Content-Type: application/vnd.api+json"
          --request POST
          --data @payload
          ${{ inputs.terraform-workspace-api-endpoint }}${{ needs.get-workspace-id.outputs.workspace-id }}/vars
          > /dev/null