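# Terraform CI: validates on every run, plans on pull requests to main, and
# applies on pushes to main, then commits the resulting state file back to
# the repository.
name: Terraform

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

jobs:
  terraform:
    runs-on: ubuntu-latest

    # Declare the token scope explicitly instead of inheriting the repository
    # default. `contents: write` is required by the final `git push`; every
    # scope not listed here is set to none.
    permissions:
      contents: write

    # Serialize runs per ref. State lives in the repository, so there is no
    # backend locking; two overlapping applies would race on terraform.tfstate.
    concurrency:
      group: terraform-${{ github.ref }}
      cancel-in-progress: false

    steps:
      # NOTE(review): both actions are referenced by mutable tags. Pinning to
      # a full commit SHA keeps a retagged release from changing what runs
      # here with a write-scoped token.
      - name: Checkout
        uses: actions/checkout@v4

      - name: Setup Terraform
        uses: hashicorp/setup-terraform@v3
        with:
          # Quoted so the version is always read as a string.
          terraform_version: "1.7.0"

      - name: Terraform Init
        run: terraform init

      # Advisory only: continue-on-error means a formatting failure never
      # fails the job.
      - name: Terraform Format Check
        run: terraform fmt -check
        continue-on-error: true

      - name: Terraform Validate
        run: terraform validate

      # The NetBird token is exposed only to the steps that evaluate Terraform
      # variables (plan and apply), not to the whole workflow, so the
      # third-party actions and the git step never see it in their environment.
      - name: Terraform Plan
        if: github.event_name == 'pull_request'
        env:
          TF_VAR_netbird_token: ${{ secrets.NETBIRD_TOKEN }}
        run: terraform plan -no-color

      - name: Terraform Apply
        if: github.ref == 'refs/heads/main' && github.event_name == 'push'
        env:
          TF_VAR_netbird_token: ${{ secrets.NETBIRD_TOKEN }}
        run: terraform apply -auto-approve

      # NOTE(review): Terraform state records resource attributes in
      # plaintext, including values marked sensitive. Committing it makes
      # those values readable by anyone with repository read access and keeps
      # them in git history. A remote backend with encryption at rest and
      # state locking avoids both problems; if the push below fails, the
      # applied state is also lost with the runner.
      - name: Commit state changes
        if: github.ref == 'refs/heads/main' && github.event_name == 'push'
        run: |
          git config user.name "Terraform CI"
          git config user.email "ci@localhost"
          # Missing state files are tolerated; nothing is staged in that case.
          git add terraform.tfstate terraform.tfstate.backup 2>/dev/null || true
          if ! git diff --staged --quiet; then
            git commit -m "chore: update terraform state [skip ci]"
            git push
          fi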