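# GitLab CI pipeline: lint/test, SAST, docker image build, then terraform-driven
# review, staging and production environments.

# Defaults inherited by every job that does not override the key itself.
default:
  before_script:
    # `set -x` echoes every command into the job log with variables expanded,
    # so any unmasked value passed on a command line becomes visible there.
    - set -ex
    # The former `env` step was dropped: it wrote every environment variable of
    # the job, unmasked CI/CD variables included, into the job log.
  interruptible: true
  tags:
    - holi-small # build on smaller machine

variables:
  API_DOMAIN_PATH: "$CI_PROJECT_DIR/api_domain"

# job templates

# Runs the terraform wrapper scripts for the environment named by
# ENVIRONMENT_ID and stores the resulting API domain as an artifact.
.deploy:
  image:
    name: 'hashicorp/terraform:1.1.9'
    # default entrypoint is terraform command, but we want to run shell scripts
    entrypoint: ["/bin/sh", "-c"]
  variables:
    ENVIRONMENT_ID: $CI_ENVIRONMENT_SLUG
  artifacts:
    # NOTE(review): terraform logs can include resource attributes and, at
    # verbose log levels, sensitive values. They are kept for a month and can
    # be downloaded by anyone allowed to read job artifacts - confirm that
    # audience is acceptable.
    paths:
      - "terraform/environments/scripts/crash.log" # optional, only available in case of a crash/panic
      - "terraform/environments/scripts/terraform-*.log" # separate log for every step/command
      - $API_DOMAIN_PATH
    name: "${CI_JOB_NAME}_${CI_JOB_ID}"
    #when: on_failure
    expire_in: 1 month
  script:
    # GOOGLE_CLOUD_SERVICE_ACCOUNT is used as a path here, so it is presumably
    # a file-type CI/CD variable - confirm in the project settings.
    - export GOOGLE_APPLICATION_CREDENTIALS="${GOOGLE_CLOUD_SERVICE_ACCOUNT}"
    - terraform/environments/scripts/create-or-update-env.sh "$ENVIRONMENT_ID" "$CI_COMMIT_SHA"
    - echo "$(terraform/environments/scripts/get-api-domain.sh)" > "$API_DOMAIN_PATH"
  resource_group: $ENVIRONMENT_ID # never execute terraform in parallel on the same environment
  interruptible: false

# Reads the API domain written by the deploy job and waits for its TLS endpoint.
.e2e:
  # NOTE(review): `latest` is a mutable tag, so the image contents can change
  # between runs without any change in this repository; pin a dated tag or a
  # digest to make the job reproducible.
  image: 'archlinux:latest'
  script:
    - API_DOMAIN=$(cat "$API_DOMAIN_PATH")
    - echo "e2e tests against $CI_ENVIRONMENT_SLUG environment go here and against $API_DOMAIN"
    - terraform/environments/scripts/wait-for-ssl.sh "https://${API_DOMAIN}"

# end job templates

# pipeline in chronological order

## common steps

install_lint_test:
  stage: build
  image: 'node:18-alpine'
  script:
    # NOTE(review): a plain `yarn install` may rewrite the lockfile when it
    # disagrees with package.json; CI usually enforces the committed lockfile
    # (`--frozen-lockfile` on Yarn 1, `--immutable` on Yarn 2+) - confirm which
    # Yarn version the project uses before changing this.
    - yarn install
    - yarn lint
    - yarn test
  tags:
    - holi-big

# You can override the included template(s) by including variable overrides
# SAST customization: https://docs.gitlab.com/ee/user/application_security/sast/#customizing-the-sast-settings
# Secret Detection customization: https://docs.gitlab.com/ee/user/application_security/secret_detection/#customizing-settings
# Dependency Scanning customization: https://docs.gitlab.com/ee/user/application_security/dependency_scanning/#customizing-the-dependency-scanning-settings
# Container Scanning customization: https://docs.gitlab.com/ee/user/application_security/container_scanning/#customizing-the-container-scanning-settings
# Note that environment variables can be set in several places
# See https://docs.gitlab.com/ee/ci/variables/#cicd-variable-precedence
sast:
  needs: ['install_lint_test']
  stage: test

# Only the SAST template is included; the secret detection, dependency scanning
# and container scanning templates mentioned above are not enabled by this file.
include:
  - template: Security/SAST.gitlab-ci.yml

# Builds the API image and pushes it under the commit SHA and the branch slug.
build_docker:
  needs: ['install_lint_test']
  image: docker:20.10
  services:
    - docker:20.10-dind
  variables:
    # this could be fetched via terraform output ("gcr_location" in infra project), but then we would need an extra job for terraform
    GCR_IMAGE: eu.gcr.io/holi-shared/holi-unified-api
  # This job-level before_script replaces the default one, so `set -ex` does
  # not apply to this job.
  # NOTE(review): the job has no branch restriction, so the registry key must
  # be readable by every branch pipeline; keep that service account limited to
  # the registry permissions this job needs.
  before_script:
    - cat "$GOOGLE_CLOUD_SERVICE_ACCOUNT" | docker login -u _json_key --password-stdin https://eu.gcr.io
  script:
    - docker pull "$GCR_IMAGE" || true # Allows us to use --cache-from
    - docker build --cache-from "$GCR_IMAGE" -t "$GCR_IMAGE:$CI_COMMIT_SHA" -t "$GCR_IMAGE:$CI_COMMIT_REF_SLUG" .
    - docker push "$GCR_IMAGE:$CI_COMMIT_SHA" # this is the tag that is used for deployment
    - docker push "$GCR_IMAGE:$CI_COMMIT_REF_SLUG" # just for easily knowing which is the last image for a branch

## review environments

review_deploy:
  extends: .deploy
  needs: ['build_docker']
  environment:
    name: review/$CI_COMMIT_REF_SLUG
    url: https://$CI_ENVIRONMENT_SLUG.unified.apis.project-holi.org
    on_stop: review_destroy
    auto_stop_in: 1 week
  except:
    - main
    - /^noenv\/.*/

review_e2e:
  extends: .e2e
  needs: ['review_deploy']
  except:
    - main
    - /^noenv\/.*/

# Stop action for review environments; runs the destroy script from a fresh
# clone because the branch may no longer exist.
review_destroy:
  needs: ['review_deploy']
  image:
    name: 'hashicorp/terraform:1.1.9'
    # default entrypoint is terraform command, but we want to run shell scripts
    entrypoint: ["/bin/sh", "-c"]
  variables:
    # has to be set to none for auto stop
    GIT_STRATEGY: none
    ENVIRONMENT_ID: $CI_ENVIRONMENT_SLUG
  environment:
    name: review/$CI_COMMIT_REF_SLUG
    action: stop
  dependencies: [] # explicitly disable artifact usage
  # NOTE(review): an empty value is YAML null, not an empty list. If the aim is
  # to skip the default before_script, `before_script: []` says so explicitly;
  # confirm how GitLab treats null here.
  before_script:
  script:
    - export GOOGLE_APPLICATION_CREDENTIALS="${GOOGLE_CLOUD_SERVICE_ACCOUNT}"
    # branch may have been deleted, so we clone and checkout main
    - git clone "$CI_REPOSITORY_URL" main-clone
    - cd main-clone
    - terraform/environments/scripts/destroy-env.sh "$CI_ENVIRONMENT_SLUG"
  # can't use rules here: https://gitlab.com/gitlab-org/gitlab/-/issues/34077
  when: manual
  allow_failure: false
  except:
    - main
    - /^noenv\/.*/
  resource_group: $ENVIRONMENT_ID # never execute terraform in parallel on the same environment
  interruptible: false

## staging environment

staging_deploy:
  extends: .deploy
  needs: ['build_docker']
  environment:
    name: staging
    deployment_tier: staging
    url: https://staging.unified.apis.project-holi.org
  variables:
    ENVIRONMENT_ID: staging
  only:
    - main

staging_e2e:
  extends: .e2e
  needs: ['staging_deploy']
  only:
    - main

## production environment

# Manual gate after the staging e2e job.
# NOTE(review): review, staging and production all read the same
# GOOGLE_CLOUD_SERVICE_ACCOUNT variable name. Confirm the variable is
# environment-scoped (or the production environment is protected) so that a
# review-branch pipeline cannot obtain the production credential.
production_deploy:
  extends: .deploy
  needs: ['staging_e2e']
  when: manual
  allow_failure: false
  environment:
    name: production
    deployment_tier: production
    url: https://production.unified.apis.project-holi.org
  variables:
    ENVIRONMENT_ID: production
  only:
    - main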