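# Atlantis repo-level config
# Defines how Atlantis should plan/apply for this repository.
#
# Security notes:
#   - No Proxmox credential is stored in this file. Each run fetches the API
#     token from OpenBao via AppRole (ROLE_ID/SECRET_ID are read from
#     /secrets/openbao-approle on the Atlantis host) and hands it to tofu as
#     an environment variable only.
#   - Checkov runs as an advisory scan on the rendered plan JSON; findings are
#     shown with the plan output but never fail the plan (--soft-fail).
#   - `atlantis apply` is gated on PR approval and mergeability
#     (see apply_requirements below).
---
version: 3

projects:
  - name: production
    dir: environments/production
    workspace: default
    workflow: proxmox-secure
    autoplan:
      enabled: true
      # Re-plan when the environment itself or any shared module it
      # consumes changes (module paths are relative to `dir`).
      when_modified:
        - "**/*.tf"
        - "**/*.tfvars"
        - "../../modules/**/*.tf"
        - "../../modules/**/*.tftpl"
    # approved:  the PR needs at least one approval before apply.
    # mergeable: the PR must also satisfy branch protection (status checks
    #            green, no conflicts) so an approved-but-failing or
    #            conflicting branch cannot be applied. This check is only
    #            meaningful if branch protection is configured on the repo.
    apply_requirements:
      - approved
      - mergeable

workflows:
  proxmox-secure:
    plan:
      steps:
        # Fetch the Proxmox API token from OpenBao for this run only. The
        # command's stdout becomes the value of PROXMOX_VE_API_TOKEN; any
        # failure in the && chain fails the step instead of exporting an
        # empty token. `.` rather than `source` keeps the snippet POSIX-sh
        # compatible, since Atlantis executes steps with `sh -c`.
        # NOTE(review): the AppRole login token is not revoked after use —
        # this relies on a short token_ttl on the role; confirm in OpenBao.
        - env:
            name: PROXMOX_VE_API_TOKEN
            command: >-
              . /secrets/openbao-approle
              && export BAO_TOKEN=$(bao write -field=token auth/approle/login role_id=$ROLE_ID secret_id=$SECRET_ID)
              && bao kv get -field=PROXMOX_VE_API_TOKEN secret/infrastructure/proxmox
        - init
        - plan
        # Advisory IaC scan of the rendered plan. Plan JSON can contain
        # sensitive values in clear text, so it is written to a private
        # mktemp file (mode 0600) instead of a fixed, predictable path in
        # /tmp (which would also collide between concurrent plans), and is
        # removed on every exit path via trap. The scan never fails the
        # plan: mktemp failure, `tofu show` failure and checkov findings all
        # degrade to a skipped/advisory result.
        - run: |
            echo "=== Checkov IaC Security Scan ==="
            plan_json=$(mktemp) || { echo "mktemp failed, skipping checkov scan"; exit 0; }
            trap 'rm -f "$plan_json"' EXIT
            # Check the command's exit status AND that output is non-empty:
            # the redirect creates the file even when `tofu show` fails, so a
            # bare `[ -f ]` test would scan an empty file instead of skipping.
            if tofu show -json "$PLANFILE" > "$plan_json" 2>/dev/null && [ -s "$plan_json" ]; then
              checkov -f "$plan_json" --framework terraform_plan --soft-fail --compact --quiet 2>&1 || true
            else
              echo "No plan JSON available, skipping checkov scan"
            fi
    apply:
      steps:
        # Same credential fetch as the plan workflow; keep the two in sync.
        - env:
            name: PROXMOX_VE_API_TOKEN
            command: >-
              . /secrets/openbao-approle
              && export BAO_TOKEN=$(bao write -field=token auth/approle/login role_id=$ROLE_ID secret_id=$SECRET_ID)
              && bao kv get -field=PROXMOX_VE_API_TOKEN secret/infrastructure/proxmox
        - init
        - apply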