sanity-checking some cursed Nix

fix-broken-symlinks.nix

# pinned-release exposes a function that creates CI steps to release Terraform
# changes at a particular git commit.
#
# CI should react to the following events:
# - Changes to the Terraform source code.
#   - PR branch: terraform validate # @branch
# - Changes to the revision at which we're pinning our Terraform releases.
#   - PR branch: terraform plan # @rev
#   - origin/main: terraform apply # @rev
#
# To do this, we need a few derivations:
# - one to trigger CI steps for changes to the Terraform source code
# - another to trigger CI steps for changes to the pinned revisions
{ pkgs, repo, ... }:

# Warning: This was copy/pasted/edited from elsewhere, so it likely doesn't eval.
{ path, releases }:
let
  # A bit of cursed Nix to fix the broken symlinks that `gitignoreSource` copies
  # to our srcDrv.
  fixBrokenSymlinks = pkgs.lib.pipe path [
    builtins.readDir
    (attrs.filter ({k, v}: v == "symlink"))
    attrs.toList
    (list.map ({k, v}: "ln -sf ${./. + "/${k}"} $out/${baseNameOf k}"))
    (list.join "\n")
  ];

  srcDrv = (pkgs.runCommand "pinned-release" { } ''
    mkdir $out
    cp -r ${repo.third_party.gitignoreSource path}/* $out
    ${fixBrokenSymlinks}
  '').overrideAttrs (_: {
    meta.ci.extraSteps.validate = {
      label = "terraform validate";
      command = pkgs.writeShellScript "terraform-validate" ''
        set -euo pipefail
        PATH=PATH:${with pkgs; lib.makeBinPath [ terraform git ]}

        source /run/agenix/terraform.env

        if [ ! -d ${workdir}/.terraform ]; then
          terraform -chdir=${workdir} init -input=false
        fi

        terraform -chdir=${workdir} validate
      '';
    };
  });
in
{
  inherit srcDrv;
}

usage.nix

# Example usage of pinned-release
{ pkgs, repo, ... }:

let
  inherit (repo.ops.iac.aquaappia) terraform;
in
terraform.pinned-release {
  path = ./.;
  releases = {
    production = terraform.versions.production;
    development = terraform.versions.development;
  };
}