RMCampos
diff --git a/‎.github/workflows/deploy.yml‎
Lines changed: 160 additions & 0 deletions b/‎.github/workflows/deploy.yml‎
Lines changed: 160 additions & 0 deletions
@@ -0,0 +1,160 @@
+name: Deploy to K3s
+
+on:
+  workflow_dispatch:
+    inputs:
+      backend_image:
+        description: "Backend image tag (full image reference)"
+        required: false
+      frontend_image:
+        description: "Frontend image tag (full image reference)"
+        required: false
+      apply:
+        description: "Apply changes after plan"
+        required: false
+        default: "true"
+  push:
+    branches: [ main ]
+  workflow_run:
+    workflows: [ "Backend Build & Push", "Frontend Build & Push" ]
+    types: [ completed ]
+
+jobs:
+  terraform-plan:
+    if: ${{ github.event_name != 'workflow_run' || github.event.workflow_run.conclusion == 'success' }}
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@v4
+
+      - name: Setup kubectl
+        uses: azure/setup-kubectl@v5
+
+      - name: Setup Kubeconfig
+        run: |
+          mkdir -p ~/.kube
+          echo "${{ secrets.KUBECONFIG_DATA }}" | base64 -d > ~/.kube/config
+          chmod 600 ~/.kube/config
+
+      - name: Validate cluster access
+        run: |
+          kubectl cluster-info
+          kubectl get namespace gif-mood
+
+      - name: Determine deployment values
+        id: deploy-vars
+        run: |
+          backend_image='${{ github.event.inputs.backend_image }}'
+          frontend_image='${{ github.event.inputs.frontend_image }}'
+
+          latest_backend_tag="$(git tag --list 'api-v*' --sort=-v:refname | tail -n1)"
+          latest_frontend_tag="$(git tag --list 'app-v*' --sort=-v:refname | tail -n1)"
+
+          if [ -z "$latest_backend_tag" ]; then
+            echo "No backend tag found matching api-v*" >&2
+            exit 1
+          fi
+
+          if [ -z "$latest_frontend_tag" ]; then
+            echo "No frontend tag found matching app-v*" >&2
+            exit 1
+          fi
+
+          if [ -z "$backend_image" ]; then
+            backend_image="ghcr.io/${{ github.repository }}/backend:$latest_backend_tag"
+          fi
+          if [ -z "$frontend_image" ]; then
+            frontend_image="ghcr.io/${{ github.repository }}/frontend:$latest_frontend_tag"
+          fi
+
+          echo "Resolved backend_image=$backend_image"
+          echo "Resolved migrations_image=$migrations_image"
+          echo "Resolved frontend_image=$frontend_image"
+
+          echo "backend_image=$backend_image" >> "$GITHUB_OUTPUT"
+          echo "migrations_image=$migrations_image" >> "$GITHUB_OUTPUT"
+          echo "frontend_image=$frontend_image" >> "$GITHUB_OUTPUT"
+
+      - name: Terraform Fmt -check -diff
+        working-directory: terraform
+        run: terraform fmt -check -diff
+
+      - name: Terraform Init
+        working-directory: terraform
+        env:
+          AWS_ACCESS_KEY_ID: ${{ secrets.R2_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.R2_SECRET_ACCESS_KEY }}
+        run: terraform init
+
+      - name: Terraform Validate
+        working-directory: terraform
+        run: terraform validate
+
+      - name: Terraform Plan
+        working-directory: terraform
+        env:
+          AWS_ACCESS_KEY_ID: ${{ secrets.R2_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.R2_SECRET_ACCESS_KEY }}
+        run: |
+          terraform plan -out=tfplan \
+            -var="db_user=${{ secrets.DB_USER }}" \
+            -var="db_password=${{ secrets.DB_PASSWORD }}" \
+            -var="db_name=${{ secrets.DB_NAME }}" \
+            -var="security_key=${{ secrets.JWT_SECURITY_KEY }}" \
+            -var="mailgun_api_key=${{ secrets.MAILGUN_API_KEY }}" \
+            -var="backend_image=${{ steps.deploy-vars.outputs.backend_image }}" \
+            -var="frontend_image=${{ steps.deploy-vars.outputs.frontend_image }}"
+
+      - name: Upload plan artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: tfplan
+          path: terraform/tfplan
+
+  terraform-apply:
+    runs-on: ubuntu-latest
+    needs: terraform-plan
+    if: ${{ github.event_name == 'push' || github.event_name == 'workflow_run' || github.event.inputs.apply == 'true' }}
+    environment:
+      name: production
+    permissions:
+      contents: read
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v6
+
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@v3
+
+      - name: Download plan artifact
+        uses: actions/download-artifact@v4
+        with:
+          name: tfplan
+          path: terraform
+
+      - name: Setup Kubeconfig
+        run: |
+          mkdir -p ~/.kube
+          echo "${{ secrets.KUBECONFIG_DATA }}" | base64 -d > ~/.kube/config
+          chmod 600 ~/.kube/config
+
+      - name: Terraform Init
+        working-directory: terraform
+        env:
+          AWS_ACCESS_KEY_ID: ${{ secrets.R2_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.R2_SECRET_ACCESS_KEY }}
+        run: terraform init
+
+      - name: Terraform Apply
+        working-directory: terraform
+        env:
+          AWS_ACCESS_KEY_ID: ${{ secrets.R2_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.R2_SECRET_ACCESS_KEY }}
+        run: timeout 1m terraform apply tfplan