default:
  before_script:
    - set -e
    #- env
  interruptible: true
  tags:
    - holi-small # build on smaller machine

stages:
  - build
  - build_staging
  - deploy_staging
  - deploy_review
  - build_production
  - deploy_production
  - test

variables:
  # This variable needs to be named differently than in triggering projects
  # because if not, it gets set to '/api_domain', which breaks the e2e stage
  # due to the file not being in the artifacts.
  API_DOMAIN_FILE: "$CI_PROJECT_DIR/api_domain"

# job templates

.deploy:
  image: 
    name: 'hashicorp/terraform:1.6.1'
    # default entrypoint is terraform command, but we want to run shell scripts
    entrypoint: ["/bin/sh", "-c"]
  variables:
    ENVIRONMENT_ID: $CI_ENVIRONMENT_SLUG
  artifacts:
    paths:
      - "terraform/environments/scripts/crash.log" # optional, only available in case of a crash/panic
      - "terraform/environments/scripts/terraform-*.log" # separate log for every step/command
      - $API_DOMAIN_FILE
    name: "${CI_JOB_NAME}_${CI_JOB_ID}"
    #when: on_failure
    expire_in: 1 month
  script:
    - export GOOGLE_APPLICATION_CREDENTIALS=${GOOGLE_CLOUD_SERVICE_ACCOUNT}
    - terraform/environments/scripts/create-or-update-env.sh $ENVIRONMENT_ID ${CI_COMMIT_SHA}_${CI_PIPELINE_IID}
    - echo "$(terraform/environments/scripts/get-api-domain.sh)" > $API_DOMAIN_FILE
  resource_group: $ENVIRONMENT_ID # never execute terraform in parallel on the same environment
  interruptible: false

.e2e:
  image: 'archlinux:latest'
  script:
    - API_DOMAIN=`cat $API_DOMAIN_FILE`
    - echo "e2e tests against $CI_ENVIRONMENT_SLUG environment go here and against $API_DOMAIN"
    - terraform/environments/scripts/wait-for-ssl.sh "https://${API_DOMAIN}"

# end job templates

# pipeline in chronological order

## common steps
install_lint_test:
  stage: build
  image: 'node:18-alpine'
  script:
    - yarn install
    - yarn lint
    - yarn test
  tags:
    - holi-big

# You can override the included template(s) by including variable overrides
# SAST customization: https://docs.gitlab.com/ee/user/application_security/sast/#customizing-the-sast-settings
# Secret Detection customization: https://docs.gitlab.com/ee/user/application_security/secret_detection/#customizing-settings
# Dependency Scanning customization: https://docs.gitlab.com/ee/user/application_security/dependency_scanning/#customizing-the-dependency-scanning-settings
# Container Scanning customization: https://docs.gitlab.com/ee/user/application_security/container_scanning/#customizing-the-container-scanning-settings
# Note that environment variables can be set in several places
# See https://docs.gitlab.com/ee/ci/variables/#cicd-variable-precedence
sast:
  needs: ['install_lint_test']
include:
- template: Security/SAST.gitlab-ci.yml

.build_mesh:
  needs: ['install_lint_test']
  image: 'node:18-alpine'
  script:
    - yarn install
    - yarn run mesh build
    - yarn run mesh validate
  tags:
    - holi-big
  artifacts:
    paths:
      - ".mesh/"

.build_docker:
  needs: ['install_lint_test']
  image: docker:20.10
  services:
    - docker:20.10-dind
  variables:
    # this could be fetched via terraform output ("gcr_location" in infra project), but then we would need an extra job for terraform
    GCR_IMAGE: europe-north1-docker.pkg.dev/holi-shared/docker/holi-unified-api
  before_script:
    - cat $GOOGLE_CLOUD_SERVICE_ACCOUNT | docker login -u _json_key --password-stdin https://europe-north1-docker.pkg.dev
  script:
    - docker pull $GCR_IMAGE || true # Allows us to use --cache-from, we need to tag with latest in the next command for this to work
    - docker build --cache-from $GCR_IMAGE -t $GCR_IMAGE:latest -t $GCR_IMAGE:${CI_COMMIT_SHA}_${CI_PIPELINE_IID} -t $GCR_IMAGE:$CI_COMMIT_REF_SLUG .
    - docker push $GCR_IMAGE:${CI_COMMIT_SHA}_${CI_PIPELINE_IID} # this is the tag that is used for deployment
    - docker push $GCR_IMAGE:$CI_COMMIT_REF_SLUG # just for easyly knowing which is the last image for a branch

build_mesh_staging:
  stage: build_staging
  extends: .build_mesh
  variables:
    # these could be fetched via terraform output ("gcr_location" in infra project), but then we would need an extra job for terraform
    DONATIONS_API_URL: https://staging.donations.apis.holi.social/graphql
    GEO_API_URL: https://staging.geo.apis.holi.social/graphql
    GOODNEWS_API_URL: https://staging.goodnews.apis.holi.social/graphql
    OKUNA_URL: https://staging.social.apis.holi.social/graphql
    VOLUNTEERING_API_URL: https://staging.volunteering.apis.holi.social/graphql
    REDIS_HOST: 10.104.0.3
    REDIS_PORT: 6379
    REDIS_DB: 5

build_docker_staging:
  stage: build_staging
  extends: .build_docker
  needs: ['build_mesh_staging']
  variables:
    ENVIRONMENT_ID: staging

## review environments 
deploy_review:
  stage: deploy_review
  extends: .deploy
  needs: ['build_docker_staging']
  environment:
    name: review/$CI_COMMIT_REF_SLUG
    url: https://$CI_ENVIRONMENT_SLUG.unified.apis.holi.social
    on_stop: destroy_review
    auto_stop_in: 1 week
  except:
    - main
    - production
    - /^noenv\/.*/

e2e_review:
  stage: test
  extends: .e2e
  needs: ['deploy_review']
  except:
    - main
    - production
    - /^noenv\/.*/

destroy_review:
  needs: ['deploy_review']
  image:
    name: 'hashicorp/terraform:1.6.1'
    # default entrypoint is terraform command, but we want to run shell scripts
    entrypoint: ["/bin/sh", "-c"]
  variables:
    # has to be set to none for auto stop
    GIT_STRATEGY: none
    ENVIRONMENT_ID: $CI_ENVIRONMENT_SLUG
  environment:
    name: review/$CI_COMMIT_REF_SLUG
    action: stop
  dependencies: [] # explicitly disable artifact usage
  script:
    - export GOOGLE_APPLICATION_CREDENTIALS=${GOOGLE_CLOUD_SERVICE_ACCOUNT}
    # branch may have been deleted, so we clone and checkout main
    - git clone $CI_REPOSITORY_URL main-clone
    - cd main-clone
    - terraform/environments/scripts/destroy-env.sh $CI_ENVIRONMENT_SLUG
  # can't use rules here: https://gitlab.com/gitlab-org/gitlab/-/issues/34077
  when: manual
  allow_failure: false
  except:
    - main
    - production
    - /^noenv\/.*/
  resource_group: $ENVIRONMENT_ID # never execute terraform in parallel on the same environment
  interruptible: false

## staging environment

deploy_staging:
  stage: deploy_staging
  extends: .deploy
  needs: ['build_docker_staging']
  environment:
    name: staging
    deployment_tier: staging
    url: https://staging.unified.apis.holi.social
  variables:
    ENVIRONMENT_ID: staging
  only:
    - main

e2e_staging:
  extends: .e2e
  needs: ['deploy_staging']
  only:
    - main

## production environment

build_mesh_production:
  stage: build_production
  extends: .build_mesh
  variables:
    # these could be fetched via terraform output ("gcr_location" in infra project), but then we would need an extra job for terraform
    DONATIONS_API_URL: https://production.donations.apis.holi.social/graphql
    GEO_API_URL: https://production.geo.apis.holi.social/graphql
    GOODNEWS_API_URL: https://production.goodnews.apis.holi.social/graphql
    OKUNA_URL: https://production.social.apis.holi.social/graphql
    VOLUNTEERING_API_URL: https://production.volunteering.apis.holi.social/graphql
    REDIS_HOST: 10.104.0.3
    REDIS_PORT: 6379
    REDIS_DB: 13
  only:
    - production

build_docker_production:
  stage: build_production
  extends: .build_docker
  needs: ['build_mesh_production']
  variables:
    ENVIRONMENT_ID: production
  only:
    - production

deploy_production:
  stage: deploy_production
  extends: .deploy
  needs: ['build_docker_production']
  allow_failure: false
  environment:
    name: production
    deployment_tier: production
    url: https://production.unified.apis.holi.social
  variables:
    ENVIRONMENT_ID: production
  only:
    - production

trigger_docs_generation:
  needs: ['deploy_production']
  trigger:
    project: app/app.gitlab-pages.holi.team
    branch: main
    strategy: depend
  only:
    - production