# CI/CD Plan for GCP Terraform with Gitea

This document outlines a CI/CD plan for the GCP Terraform infrastructure using Gitea Actions.

## 1. Overview

The goal is to automate the process of validating, planning, and applying Terraform changes. This ensures that all infrastructure changes are peer-reviewed, tested, and applied in a consistent and predictable manner. We will use Gitea Actions, the built-in CI/CD solution in Gitea, to orchestrate the workflows.

## 2. Branching Strategy

We will use a simple GitFlow-like model:

- **`main` branch:** Represents the production infrastructure. Direct pushes will be disallowed; changes are merged via pull requests.
- **Feature branches:** All changes are developed on feature branches (e.g., `feat/add-monitoring`, `fix/firewall-rules`).

## 3. Secrets Management

GCP credentials must be handled securely. We will use Gitea's encrypted secrets to store the GCP service account key.

1. **Create a GCP Service Account:** Create a dedicated service account in GCP with only the IAM roles it needs to manage the infrastructure.
2. **Generate a JSON Key:** Generate a JSON key for this service account.
3. **Store the Key in Gitea:** Store the contents of the JSON key file as a repository secret in Gitea with the name `GCP_SA_KEY`. The key file itself must never be committed to the repository.

## 4. Gitea Actions Workflow

We will create a single workflow file at `.gitea/workflows/terraform.yml`. This workflow will have two main jobs, triggered by different events.

### Workflow Triggers

- **On `pull_request` to `main`:** The workflow will run `terraform init`, `terraform validate`, and `terraform plan`. The output of the plan will be added as a comment to the pull request for review.
- **On `push` to `main`:** After a pull request is merged, the workflow will run `terraform init` and `terraform apply` to deploy the changes to production. This step will require manual approval within Gitea Actions.
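The plan comment posted to the pull request is raw plan text, which makes destructive changes easy to miss in a long diff. As an added example, not part of this plan and not Gitea or Terraform tooling, the following script reads the JSON form of the saved plan (`terraform show -json tfplan > plan.json`), counts actions, and calls out every resource that would be destroyed or replaced so that a reviewer sees them at the top of the comment; the sample plan document, the resource addresses and the exit-code behaviour are constructed assumptions.

```python
import json


def summarize_plan(plan: dict) -> dict:
    """Count actions in a `terraform show -json` document; list resources that would be destroyed."""
    counts = {"create": 0, "update": 0, "delete": 0, "replace": 0, "no-op": 0}
    destroyed = []
    for rc in plan.get("resource_changes", []):
        actions = rc.get("change", {}).get("actions", [])
        if "delete" in actions and "create" in actions:   # replace is delete+create
            counts["replace"] += 1
            destroyed.append(rc["address"])
        elif "delete" in actions:
            counts["delete"] += 1
            destroyed.append(rc["address"])
        elif "create" in actions:
            counts["create"] += 1
        elif "update" in actions:
            counts["update"] += 1
        else:                                             # ["no-op"] or ["read"]
            counts["no-op"] += 1
    return {"counts": counts, "destroyed": destroyed}


def render_comment(summary: dict) -> str:
    """Markdown header for the PR comment, with destructive changes called out first."""
    c = summary["counts"]
    lines = [f"**Plan:** {c['create']} to add, {c['update']} to change, "
             f"{c['delete']} to destroy, {c['replace']} to replace"]
    if summary["destroyed"]:
        lines.append("> :warning: Destructive changes, review before merging:")
        lines += [f"> - `{addr}`" for addr in summary["destroyed"]]
    return "\n".join(lines)


# Constructed sample in the shape `terraform show -json tfplan` emits; not a real plan.
SAMPLE_PLAN = {
    "resource_changes": [
        {"address": "google_compute_firewall.allow_ssh", "change": {"actions": ["delete"]}},
        {"address": "google_compute_instance.web", "change": {"actions": ["delete", "create"]}},
        {"address": "google_storage_bucket.logs", "change": {"actions": ["update"]}},
        {"address": "google_compute_network.vpc", "change": {"actions": ["no-op"]}},
    ],
}

if __name__ == "__main__":
    summary = summarize_plan(SAMPLE_PLAN)   # in CI: json.load(open("plan.json"))
    print(render_comment(summary))
    raise SystemExit(1 if summary["destroyed"] else 0)  # non-zero fails the workflow step
```

Run it as a step between `Terraform Plan` and `Add Plan to PR`; a non-zero exit stops the job so a plan that destroys resources cannot be merged without someone deliberately re-running after review.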
### Workflow Definition (`.gitea/workflows/terraform.yml`)

```yaml
name: Terraform CI/CD

on:
  push:
    branches:
      - main
  pull_request:
    branches:
      - main

jobs:
  terraform-plan:
    if: github.event_name == 'pull_request'
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v3

      - name: Setup Terraform
        uses: hashicorp/setup-terraform@v2
        with:
          terraform_version: 1.8.0

      - name: Authenticate to GCP
        uses: google-github-actions/auth@v1
        with:
          credentials_json: ${{ secrets.GCP_SA_KEY }}

      - name: Terraform Init
        run: terraform init

      - name: Terraform Validate
        run: terraform validate

      - name: Terraform Plan
        id: plan
        run: terraform plan -no-color -out=tfplan

      - name: Add Plan to PR
        uses: actions/github-script@v6
        env:
          # Pass the plan through the environment instead of interpolating it into
          # the script: backticks or ${ in resource names would otherwise break,
          # or be executed as, the JavaScript below.
          PLAN: ${{ steps.plan.outputs.stdout }}
        with:
          script: |
            const output = "#### Terraform Plan 📖\n\n" + process.env.PLAN + "\n"
            github.rest.issues.createComment({
              issue_number: context.issue.number,
              owner: context.repo.owner,
              repo: context.repo.repo,
              body: output
            })

  terraform-apply:
    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
    runs-on: ubuntu-latest
    environment: production # This can be used to require manual approval
    steps:
      - name: Checkout
        uses: actions/checkout@v3

      - name: Setup Terraform
        uses: hashicorp/setup-terraform@v2
        with:
          terraform_version: 1.8.0

      - name: Authenticate to GCP
        uses: google-github-actions/auth@v1
        with:
          credentials_json: ${{ secrets.GCP_SA_KEY }}

      - name: Terraform Init
        run: terraform init

      # The tfplan file written by the pull-request job does not exist on this
      # runner, so a fresh plan is saved here and that exact plan is applied.
      - name: Terraform Plan
        run: terraform plan -no-color -out=tfplan

      - name: Terraform Apply
        run: terraform apply -auto-approve tfplan
```

## 5. Manual Approval for Production

To protect the production environment, the `terraform-apply` job will be configured to require manual approval. In Gitea, you can protect the `main` branch and require reviews before merging. For the deployment, Gitea Actions can be configured with an `environment` that requires a manual approval from a specific team or user before the job runs.

## 6. Implementation Steps

1. **Create the `.gitea/workflows` directory.**
2. **Create the `terraform.yml` file** with the content above.
3. **Create a dedicated GCP service account** with appropriate IAM roles.
4. **Generate a JSON key** for the service account.
5. **Add the JSON key as a secret** named `GCP_SA_KEY` in the Gitea repository settings.
6. **Protect the `main` branch** in Gitea to require pull requests and reviews.
7. **(Optional) Configure an environment** in Gitea that requires manual approval for deployments.

This plan provides a solid foundation for automating the Terraform workflow in a safe and controlled manner.