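locals {
  # Only the first two AZs are used; every subnet pair below is spread across them.
  azs = slice(data.aws_availability_zones.available.names, 0, 2)

  # Carve the VPC CIDR into 8 equal blocks (3 extra prefix bits). Index assignment:
  #   0-1 private (module), 2-3 standalone_tgw, 4-5 public (module), 6-7 mgmt.
  subnets = [for i in range(8) : cidrsubnet(var.vpc_info["cidr"], 3, i)]

  vpc_name = "${var.vpc_info["name"]}-${var.account_name}"

  # One tag set shared by the VPC, every subnet and the flow log, so a later tag
  # change cannot drift between resources.
  common_tags = merge(var.standard_tags, var.tags, { "Purpose" = var.vpc_info["purpose"] })
}

data "aws_availability_zones" "available" {
  state = "available"
}

module "vpc" {
  source  = "terraform-aws-modules/vpc/aws"
  version = "~> v2.70"

  name = local.vpc_name
  cidr = var.vpc_info["cidr"]
  azs  = local.azs

  # 2 private and 2 public here, but 2 more of each will be created after in the same azs
  private_subnets     = [local.subnets[0], local.subnets[1]]
  private_subnet_tags = local.common_tags
  public_subnets      = [local.subnets[4], local.subnets[5]]
  public_subnet_tags  = local.common_tags

  enable_nat_gateway       = false
  enable_vpn_gateway       = false
  enable_dns_hostnames     = true
  enable_dhcp_options      = true
  dhcp_options_domain_name = var.dns_info["private"]["zone"]

  # With no NAT gateway, the private subnets can reach S3 and the EC2 API only
  # through these endpoints; the other endpoints stay off unless something needs them.
  enable_s3_endpoint       = true
  enable_dynamodb_endpoint = false
  enable_sts_endpoint      = false
  enable_kms_endpoint      = false
  enable_ec2_endpoint      = true # PA likes a local ec2 endpoint
  # The EC2 interface endpoint gets its own security group (defined outside this
  # block); that group's ingress rules are what bounds who can reach the endpoint.
  ec2_endpoint_security_group_ids = [module.aws_endpoints_sg.security_group_id]

  tags = local.common_tags
}

resource "aws_flow_log" "flowlogs" {
  # Role and log group are referenced by constructed ARN and are not managed in
  # this file; they must exist before apply.
  iam_role_arn    = "arn:${var.aws_partition}:iam::${var.aws_account_id}:role/aws_services/flowlogs"
  log_destination = "arn:${var.aws_partition}:logs:${var.aws_region}:${var.aws_account_id}:log-group:vpc_flow_logs"
  traffic_type    = "REJECT" # ALL is very noisy, and CIS only requires rejects.
  # REJECT-only records no accepted flows: an investigation that has to trace
  # successful connections (lateral movement, egress) would need ALL or ACCEPT.
  vpc_id = module.vpc.vpc_id
  tags   = local.common_tags
}

resource "aws_subnet" "mgmt" {
  count      = 2
  depends_on = [module.vpc]

  vpc_id            = module.vpc.vpc_id
  cidr_block        = local.subnets[6 + count.index]
  availability_zone = local.azs[count.index]
  # map_public_ip_on_launch is left at its default (false): although these subnets
  # are attached to the public route table below, instances get no public IP
  # unless one is requested at launch.
  tags = local.common_tags
}

resource "aws_route_table_association" "mgmt-to-internet" {
  count      = 2
  depends_on = [aws_subnet.mgmt, module.vpc]

  subnet_id      = aws_subnet.mgmt[count.index].id
  route_table_id = module.vpc.public_route_table_ids[0] # only 1 public route table
  # Sharing the module's public route table (which presumably carries the IGW
  # default route) makes the mgmt subnets internet-routable; reachability of hosts
  # in them is then governed by security groups and NACLs, not by subnet placement.
}

resource "aws_subnet" "standalone_tgw" {
  # A standalone private subnet that could be connected to the tgw
  count      = 2
  depends_on = [module.vpc]

  vpc_id            = module.vpc.vpc_id
  cidr_block        = local.subnets[2 + count.index]
  availability_zone = local.azs[count.index]
  # No route table association is declared here, so these subnets fall back to
  # the VPC's main route table until one is attached — confirm that routing is
  # intended before a TGW attachment is added.
  tags = local.common_tags
}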