# Manually dispatched teardown of cloud environments selected by name prefix.
name: 'Destroy Environment'
# The run title embeds the dispatch input and the triggering user. It is
# display text only and is never handed to a shell.
run-name: 'Destroying ${{ github.event.inputs.prefix }}* by @${{ github.actor }}'

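on:
  # Manual trigger only: this file defines no push, pull_request or schedule
  # event, so a run starts only when someone dispatches it.
  workflow_dispatch:
    inputs:
      # Selects what gets deleted. Per the description, every environment whose
      # name starts with this value is in scope, so short prefixes are broad.
      prefix:
        type: string
        description: "Delete all environments starting with `prefix`"
        required: true
      # Exclusion filter; stated explicitly as optional to match `ec-api-key`.
      ignore-prefix:
        type: string
        description: "Ignore all environments starting with `ignore-prefix`"
        required: false
      # NOTE(review): a credential passed as a dispatch input travels in the
      # event payload (the "Mask API Key" step reads it back from
      # $GITHUB_EVENT_PATH) and is masked in logs only from that step onward.
      # Prefer a stored secret where the caller's organization allows it.
      ec-api-key:
        type: string
        description: "**Optional** To delete env environments on your own organization, enter your Elastic Cloud API key."
        required: false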

# Workflow-level environment: every step of every job inherits these values,
# including steps that run third-party actions.
env:
  # Static AWS credentials read from Actions secrets.
  AWS_ACCESS_KEY_ID: '${{ secrets.AWS_ACCESS_KEY_ID }}'
  AWS_SECRET_ACCESS_KEY: '${{ secrets.AWS_SECRET_ACCESS_KEY }}'
  AWS_REGION: 'eu-west-1'
  # Dispatch inputs, copied verbatim from the triggering event (untrusted text).
  ENV_PREFIX: '${{ github.event.inputs.prefix }}'
  ENV_IGNORE_PREFIX: '${{ github.event.inputs.ignore-prefix }}'
  # Default Elastic Cloud API key, exported under a TF_VAR_ name. The
  # "Mask API Key" step overwrites it when the dispatcher supplies a key.
  TF_VAR_ec_api_key: '${{ secrets.EC_API_KEY }}'

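jobs:
  Destroy:
    # NOTE(review): GitHub has retired the hosted ubuntu-20.04 image; confirm
    # this label still resolves to a runner or move to a supported image.
    runs-on: ubuntu-20.04
    timeout-minutes: 120
    # NOTE(review): this job deletes cloud environments with AWS, GCP and
    # Elastic Cloud credentials, and nothing in this file gates a dispatch.
    # An `environment:` with required reviewers would add an approval step.
    #
    # Token scope: read-only repository contents, plus `id-token: write` so the
    # Google auth step can request an OIDC token for workload identity.
    permissions:
      contents: 'read'
      id-token: 'write'
    steps:
      # NOTE(review): `@v4`, `@v2` and `@v1` in this job are mutable tags.
      # Pinning each action to a full commit SHA (for example
      # `actions/checkout@<full-commit-sha>  # v4`) keeps a moved tag from
      # changing the code that runs next to these credentials.
      - name: Check out the repo
        uses: actions/checkout@v4

      # Appends the output of the repository's Hermit launcher to GITHUB_ENV so
      # later steps inherit the variables it prints.
      - name: Init Hermit
        run: ./bin/hermit env -r >> "$GITHUB_ENV"
        working-directory: ./

      # The key is read from the event payload file rather than through an
      # expression, so the raw value is never written into the step script.
      # The mask is registered before the value is exported; it hides the key
      # in log output from this point on, not in the payload itself.
      - name: Mask API Key
        if: ${{ github.event.inputs.ec-api-key != '' }}
        run: |
          ec_api_key="$(jq -r '.inputs["ec-api-key"]' "$GITHUB_EVENT_PATH")"
          echo "::add-mask::$ec_api_key"
          echo "TF_VAR_ec_api_key=$ec_api_key" >> "$GITHUB_ENV"

      # NOTE(review): these are long-lived static keys. The job already grants
      # `id-token: write`, so `role-to-assume` (OIDC) could replace them once
      # an IAM role trusts this repository.
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v2
        with:
          aws-access-key-id: ${{ env.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ env.AWS_SECRET_ACCESS_KEY }}
          aws-region: ${{ env.AWS_REGION }}

      # Keyless authentication through workload identity federation; this is
      # the consumer of the `id-token: write` permission above.
      - id: google-auth
        name: Authenticate to Google Cloud
        uses: google-github-actions/auth@v1
        with:
          workload_identity_provider: ${{ secrets.GCP_WORKLOAD_IDENTITY_PROVIDER }}
          service_account: ${{ secrets.GCP_SERVICE_ACCOUNT }}

      # The dispatch inputs are taken from the workflow-level environment
      # (ENV_PREFIX / ENV_IGNORE_PREFIX) instead of being spliced in with
      # ${{ }}. Expression text is pasted into the script before the shell
      # parses it, so quotes or metacharacters in an input would otherwise be
      # interpreted as shell syntax. Quoted variables are passed as plain data.
      # The first line aborts the step if the prefix is empty, so the delete
      # recipe is never called without a prefix.
      - name: Destroy Environment
        run: |
          : "${ENV_PREFIX:?prefix input must not be empty}"
          just delete-cloud-env "$ENV_PREFIX" "$ENV_IGNORE_PREFIX" "false"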