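# Composite action: installs Terraform, restores the provider plugin cache,
# optionally creates placeholder files, then runs `terraform init` (without a
# backend), `terraform fmt -check -recursive` and `terraform validate`.
name: Terraform Validate
description: >
  Validate Terraform configuration files using the official Terraform CLI.

inputs:
  terraform-dir:
    description: Directory containing .tf files
    required: false
    default: terraform
  terraform-version:
    description: Terraform version to use
    required: false
    default: "~1.15"
  workspace:
    description: Terraform workspace to use
    required: false
    default: ""
  # Callers should supply this from a secret, never as a literal in a workflow.
  jfrog-token:
    description: JFrog Artifactory token used for Terraform provider registry (sets TF_TOKEN_schmalz_jfrog_io)
    required: false
    default: ""
  mock-files:
    description: |-
      Newline-separated list of file paths to create as empty files before validation.
      Useful when Terraform configurations reference external files via file() that
      do not exist in CI. Paths are relative to the repository root.
    required: false
    default: ""

runs:
  using: composite
  steps:
    # Pinned to commit SHA instead of a tag to prevent supply chain attacks.
    # hashicorp/setup-terraform v4.0.0 — https://github.com/hashicorp/setup-terraform/commits/v4.0.0/
    - name: Setup Terraform
      uses: hashicorp/setup-terraform@5e8dbf3c6d9deaf4193ca7a8fb23f2ac83bb6c85
      with:
        terraform_version: ${{ inputs.terraform-version }}

    - name: Set Terraform plugin cache directory
      shell: bash
      run: |
        mkdir -p ~/.terraform.d/plugin-cache
        echo "TF_PLUGIN_CACHE_DIR=$HOME/.terraform.d/plugin-cache" >> "$GITHUB_ENV"

    # NOTE(review): unlike setup-terraform above, this action is referenced by
    # the ref `cache-v1` rather than a commit SHA, so the code that runs here
    # can change without this file changing. Pin it the same way, e.g.
    # `.../shared-actions/cache@<COMMIT_SHA>`, with the tag kept in a comment.
    - name: Cache Terraform providers
      uses: https://schmalz-git.git.onstackit.cloud/schmalz/shared-actions/cache@cache-v1
      with:
        path: ~/.terraform.d/plugin-cache
        key: ${{ runner.os }}-terraform-providers-${{ inputs.terraform-version }}-${{ hashFiles(format('{0}/.terraform.lock.hcl', inputs.terraform-dir)) }}
        restore-keys: ${{ runner.os }}-terraform-providers-${{ inputs.terraform-version }}-

    # The input reaches the script through an environment variable, so its
    # content is never parsed as shell code. The paths themselves are not
    # checked: an absolute path or one containing `..` is created as given, so
    # callers should pass only trusted, repository-relative paths.
    - name: Create mock files
      if: ${{ inputs.mock-files != '' }}
      shell: bash
      env:
        MOCK_FILES: ${{ inputs.mock-files }}
      run: |
        while IFS= read -r mock_file; do
          [ -z "$mock_file" ] && continue
          # `--` stops option parsing so a path starting with `-` is a path.
          mkdir -p -- "$(dirname -- "$mock_file")"
          touch -- "$mock_file"
        done <<< "$MOCK_FILES"

    # In the three steps below the directory is read from the TF_DIR
    # environment variable and quoted. A `${{ ... }}` expression inside `run`
    # is substituted into the script text before bash starts, so a directory
    # value containing spaces or shell metacharacters would be interpreted by
    # the shell instead of being passed to terraform as one argument.
    - name: Terraform Init
      shell: bash
      env:
        TF_DIR: ${{ inputs.terraform-dir }}
        TF_TOKEN_schmalz_jfrog_io: ${{ inputs.jfrog-token }}
      run: terraform -chdir="$TF_DIR" init -backend=false -no-color

    - name: Terraform Format Check
      shell: bash
      env:
        TF_DIR: ${{ inputs.terraform-dir }}
      run: terraform -chdir="$TF_DIR" fmt -check -recursive

    # NOTE(review): the registry token is exported here as well as in the init
    # step; presumably validate works from what init already installed —
    # confirm, and drop the token from this step if it is not needed.
    - name: Terraform Validate
      shell: bash
      env:
        TF_DIR: ${{ inputs.terraform-dir }}
        TF_WORKSPACE: ${{ inputs.workspace }}
        TF_TOKEN_schmalz_jfrog_io: ${{ inputs.jfrog-token }}
      run: terraform -chdir="$TF_DIR" validate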