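# Networking for one account: a three-AZ VPC with private and public subnets,
# NAT egress, REJECT-only flow logs, and private interface endpoints so that
# SSM, ECR, CloudWatch and CloudWatch Logs traffic stays inside the VPC.
#
# The file already relies on Terraform 0.12-only functions (slice, merge) and
# bare references (var.inside_domain, module.vpc.vpc_id), so the remaining
# 0.11-style interpolation-only "${...}" wrappers (deprecated in 0.12 and a
# warning on every plan) are dropped; the resulting values are identical.

data "aws_availability_zones" "available" {
  state = "available"
}

module "vpc" {
  source  = "terraform-aws-modules/vpc/aws"
  version = "~> v2.0"

  name = var.name
  cidr = var.cidr

  # First three available AZs; the subnet lists below must stay in step (3 each).
  azs = slice(data.aws_availability_zones.available.names, 0, 3)

  # newbits=3 carves the VPC CIDR into eight equal subnets: indexes 0-2 are
  # private, 4-6 public, 3 and 7 are left unused.
  private_subnets = [
    cidrsubnet(var.cidr, 3, 0),
    cidrsubnet(var.cidr, 3, 1),
    cidrsubnet(var.cidr, 3, 2),
  ]

  # Potentially, we could route all accounts through the transit gateway to
  # save costs and provide one point of exit to the Internet. But at this time,
  # I'm keeping it consistent with our legacy accounts.
  #
  # If we decide to do that, we should consider either dropping to a /23 per customer,
  # or a /24 for each subnet (seems wasteful).
  #public_subnets = [ ]
  public_subnets = [
    cidrsubnet(var.cidr, 3, 4),
    cidrsubnet(var.cidr, 3, 5),
    cidrsubnet(var.cidr, 3, 6),
  ]

  enable_nat_gateway   = true
  enable_vpn_gateway   = false
  enable_dns_hostnames = true

  # Gateway endpoints: route-table based, no security group involved.
  enable_s3_endpoint       = true
  enable_dynamodb_endpoint = true

  # Interface endpoints created by the module. Private DNS makes the regional
  # service hostnames resolve to the endpoint ENIs from inside the VPC; reachability
  # of those ENIs is governed solely by aws_endpoints_sg (defined outside this file).
  enable_sts_endpoint              = true
  enable_kms_endpoint              = true
  enable_ec2_endpoint              = true
  ec2_endpoint_private_dns_enabled = true
  kms_endpoint_private_dns_enabled = true
  sts_endpoint_private_dns_enabled = true
  ec2_endpoint_security_group_ids  = [module.aws_endpoints_sg.this_security_group_id]
  kms_endpoint_security_group_ids  = [module.aws_endpoints_sg.this_security_group_id]
  sts_endpoint_security_group_ids  = [module.aws_endpoints_sg.this_security_group_id]

  enable_dhcp_options      = true
  dhcp_options_domain_name = var.inside_domain

  tags = merge(var.standard_tags, var.tags)
  nat_eip_tags = {
    eip_type = "natgw"
    Name     = var.name
  }
}

# VPC flow logs delivered to CloudWatch Logs (the default log_destination_type).
# The delivery role and the log group are referenced by ARN rather than by
# resource, so they must be provisioned outside this file.
resource "aws_flow_log" "flowlogs" {
  iam_role_arn    = "arn:${var.aws_partition}:iam::${var.aws_account_id}:role/aws_services/flowlogs"
  log_destination = "arn:${var.aws_partition}:logs:${var.aws_region}:${var.aws_account_id}:log-group:vpc_flow_logs"
  traffic_type    = "REJECT" # ALL is very noisy, and CIS only requires rejects.
  vpc_id          = module.vpc.vpc_id
  tags            = merge(var.standard_tags, var.tags)
}

# Interface endpoints not covered by the VPC module. All of them share
# aws_endpoints_sg and private DNS, so the only per-endpoint variable is
# subnet placement.
#
# The two SSM endpoints below sit in the public subnets while every other
# endpoint uses the private subnets. Interface-endpoint ENIs carry private IPs
# only and are reached through the security group, so this is not an Internet
# exposure, but the split looks unintentional.
# NOTE(review): confirm the intent, then align on private_subnets if possible.
resource "aws_vpc_endpoint" "ec2messages" {
  vpc_id              = module.vpc.vpc_id
  service_name        = "com.amazonaws.${var.aws_region}.ec2messages"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = slice(module.vpc.public_subnets, 0, 3)
  security_group_ids  = [module.aws_endpoints_sg.this_security_group_id]
  private_dns_enabled = true
}

resource "aws_vpc_endpoint" "ssm" {
  vpc_id              = module.vpc.vpc_id
  service_name        = "com.amazonaws.${var.aws_region}.ssm"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = slice(module.vpc.public_subnets, 0, 3)
  security_group_ids  = [module.aws_endpoints_sg.this_security_group_id]
  private_dns_enabled = true
}

# ECR: the API endpoint serves authentication/metadata calls, the DKR endpoint
# serves image layer push/pull. Service names are resolved for the current
# region by the data sources instead of being spelled out.
data "aws_vpc_endpoint_service" "ecr_api_endpoint" {
  service = "ecr.api"
}

data "aws_vpc_endpoint_service" "ecr_dkr_endpoint" {
  service = "ecr.dkr"
}

resource "aws_vpc_endpoint" "ecr_api" {
  vpc_id              = module.vpc.vpc_id
  service_name        = data.aws_vpc_endpoint_service.ecr_api_endpoint.service_name
  vpc_endpoint_type   = "Interface"
  subnet_ids          = module.vpc.private_subnets
  security_group_ids  = [module.aws_endpoints_sg.this_security_group_id]
  private_dns_enabled = true
}

resource "aws_vpc_endpoint" "ecr_dkr" {
  vpc_id              = module.vpc.vpc_id
  service_name        = data.aws_vpc_endpoint_service.ecr_dkr_endpoint.service_name
  vpc_endpoint_type   = "Interface"
  subnet_ids          = module.vpc.private_subnets
  security_group_ids  = [module.aws_endpoints_sg.this_security_group_id]
  private_dns_enabled = true
}

# CloudWatch Logs: lets agents in the private subnets ship logs (including the
# flow logs consumer path) without traversing the NAT gateway.
data "aws_vpc_endpoint_service" "logs_endpoint" {
  service = "logs"
}

resource "aws_vpc_endpoint" "logs" {
  vpc_id              = module.vpc.vpc_id
  service_name        = data.aws_vpc_endpoint_service.logs_endpoint.service_name
  vpc_endpoint_type   = "Interface"
  subnet_ids          = module.vpc.private_subnets
  security_group_ids  = [module.aws_endpoints_sg.this_security_group_id]
  private_dns_enabled = true
}

# CloudWatch metrics.
data "aws_vpc_endpoint_service" "monitoring_endpoint" {
  service = "monitoring"
}

resource "aws_vpc_endpoint" "monitoring" {
  vpc_id              = module.vpc.vpc_id
  service_name        = data.aws_vpc_endpoint_service.monitoring_endpoint.service_name
  vpc_endpoint_type   = "Interface"
  subnet_ids          = module.vpc.private_subnets
  security_group_ids  = [module.aws_endpoints_sg.this_security_group_id]
  private_dns_enabled = true
}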