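# Terragrunt/OpenTofu driver. Every infrastructure target first logs in to
# Vault and exports short-lived tokens into the recipe shell, then runs
# terragrunt in that same shell so the tokens are inherited via the environment.
#
# Secret handling:
#   * Recipes are prefixed with `@` so the command lines are not echoed to the
#     build log.
#   * Each secret is assigned first and exported second. `export VAR=$(cmd)`
#     returns the exit status of `export`, which hides a failed Vault call and
#     would let terragrunt run with empty tokens.
.PHONY: init plan apply apply-if-changes format pre-commit

# Login method: "kubernetes" uses the pod's service-account JWT; any other
# value falls through to AppRole using $VAULT_ROLEID from the environment.
VAULT_AUTH_METHOD ?= approle
VAULT_K8S_ROLE ?= woodpecker_terraform_git
VAULT_K8S_MOUNT ?= auth/k8s/au/syd1
VAULT_K8S_JWT_PATH ?= /var/run/secrets/kubernetes.io/serviceaccount/token

# vault_env: shell fragment (no trailing terminator) that pins VAULT_ADDR,
# obtains a Vault token and exports CONSUL_HTTP_TOKEN, GITEA_TOKEN and
# WOODPECKER_TOKEN. It stops at the first failing step and returns that status.
# It carries no `@` of its own so it can be expanded in the middle of a shell
# command; callers put `@` at the start of the recipe line instead.
# VAULT_ADDR is set unconditionally, so an ambient VAULT_ADDR is overridden.
# The VAULT_K8S_* values are interpolated into the shell command; they can be
# overridden from the environment or command line, so treat them as trusted
# pipeline configuration only.
# NOTE(review): the JWT is passed as a command-line argument to `vault write`
#   and is visible in the process list while the login runs; the Vault CLI also
#   accepts `jwt=@<file>` to read the value from a file - confirm and switch.
# NOTE(review): the AppRole login sends only role_id, which presumes the role
#   does not require a secret_id; the role ID is then the sole credential -
#   confirm this is intended and that the role is otherwise constrained.
# NOTE(review): the secret paths (consul_root, gitadmin) look broadly scoped;
#   confirm the policies behind them follow least privilege.
# No comments may appear inside the define: its text is pasted into the shell.
define vault_env
export VAULT_ADDR="https://vault.service.consul:8200" && \
if [ "$(VAULT_AUTH_METHOD)" = "kubernetes" ]; then \
    VAULT_TOKEN=$$(vault write -field=token "$(VAULT_K8S_MOUNT)/login" role="$(VAULT_K8S_ROLE)" jwt="$$(cat "$(VAULT_K8S_JWT_PATH)")"); \
else \
    VAULT_TOKEN=$$(vault write -field=token auth/approle/login role_id="$${VAULT_ROLEID:?VAULT_ROLEID is not set}"); \
fi && \
export VAULT_TOKEN && \
CONSUL_HTTP_TOKEN=$$(vault read -field=token consul_root/au/syd1/creds/terraform-git) && \
export CONSUL_HTTP_TOKEN && \
GITEA_TOKEN=$$(vault kv get -field=token kv/service/gitea/gitadmin/tokens/terraform-git) && \
export GITEA_TOKEN && \
WOODPECKER_TOKEN=$$(vault kv get -field=token kv/service/woodpecker/tokens/gitadmin) && \
export WOODPECKER_TOKEN
endef

# Initialise every unit, upgrading providers and modules.
init:
	@$(call vault_env) && \
	terragrunt run --all --non-interactive init -- -upgrade

# Plan every unit.
plan: init
	@$(call vault_env) && \
	terragrunt run --all --parallelism 4 --non-interactive plan

# Plan with -detailed-exitcode and apply the saved plan only when the plan
# reports changes (exit 2). Exit 0 means no changes; anything else is an error.
# A failed Vault login aborts before the plan so that its exit status (the
# vault CLI can also return 2) is never mistaken for "changes present".
# The apply branch expands vault_env a second time, presumably to refresh
# short-lived credentials after a long plan - confirm. Without the leading `@`
# in vault_env this inner expansion is now valid shell; previously it expanded
# to `@export ...`, which the shell rejected, so the apply never ran.
# NOTE(review): saved plan files (tfplan) can contain sensitive values in clear
#   text; keep them out of CI artifacts and caches.
apply-if-changes: init
	@$(call vault_env) || exit $$?; \
	terragrunt run --all --parallelism 4 --non-interactive plan -- -detailed-exitcode -out=tfplan; \
	EXIT_CODE=$$?; \
	if [ "$$EXIT_CODE" -eq 2 ]; then \
		$(call vault_env) && \
		terragrunt run --all --parallelism 2 --non-interactive apply -- tfplan; \
	elif [ "$$EXIT_CODE" -eq 0 ]; then \
		echo "No changes detected, skipping apply."; \
	else \
		exit "$$EXIT_CODE"; \
	fi

# Apply every unit unconditionally.
apply: init
	@$(call vault_env) && \
	terragrunt run --all --parallelism 2 --non-interactive apply

# Format OpenTofu and Terragrunt sources in place; needs no credentials.
format:
	@echo "Formatting OpenTofu files..."
	@tofu fmt -recursive .
	@echo "Formatting Terragrunt files..."
	@terragrunt hcl fmt

# Run all pre-commit hooks against the whole tree.
pre-commit:
	@uvx pre-commit run --all-files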