resource "aws_s3_bucket" "bucket" {
  count = var.palo_alto_count

  bucket = "xdr-palo-alto-bootstrap-${count.index}"
  acl    = "private"
}

locals {
  # Bootstrap process requires that folders exist, so we must create them in each bucket. This looks complicated,
  # but it's just doing a foreach bucket: foreach directory: ...
  bucket_folder_map = { for p in setproduct(range(var.palo_alto_count), local.bootstrap_dirs): "${p[0]}/${p[1]}" => {
        num = p[0]
        folder = p[1]
    }
  }
}

resource "aws_s3_bucket_object" "bootstrap_dirs" {
  for_each = local.bucket_folder_map

  bucket  = aws_s3_bucket.bucket[each.value["num"]].id
  key     = each.value["folder"]
  content = "/dev/null"
}

resource "aws_s3_bucket_object" "init_cfg" {
  count = var.palo_alto_count
  bucket = aws_s3_bucket.bucket[count.index].id
  key    = "config/init-cfg.txt"
  content = templatefile("${path.module}/init-cfg.txt.tmpl",
    {
      "hostname"         = "xdr_palo_${var.aws_partition_alias}_${var.environment}_${count.index}" 
      "authkey"          = var.palo_alto_auth_keys[count.index]
      "tplname"          = "XDR-Interconnect-Stack-${count.index}"
      "dgname"           = "XDR-Interconnects"
      "op-command-modes" = "jumbo-frame, mgmt-interface-swap"
      "panorama_primary"   = var.panorama_servers[0]
      "panorama_secondary" = var.panorama_servers[1]
    }
  )
}

# No bootstrap configuration, as we're registered to panorama
#resource "aws_s3_bucket_object" "bootstrap_xml" {
#  count = var.palo_alto_count
#  bucket = aws_s3_bucket.bucket[count.index].id
#  key    = "config/bootstrap.xml"
#  content = templatefile("${path.module}/bootstrap.xml.tmpl",
#    {
#      index = count.index
#    }
#  )
#}

resource "aws_s3_bucket_object" "authcodes" {
  count = var.palo_alto_count
  bucket = aws_s3_bucket.bucket[count.index].id
  key    = "license/authcodes"
  content = <<EOF
${var.palo_alto_license_keys[count.index]}
EOF
}

resource "aws_iam_role" "bootstrap_role" {
  count = var.palo_alto_count
  name = "palo_alto_bootstrap_${count.index}"
  path = "/instance/"

  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
      "Service": "ec2.amazonaws.com"
    },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}

resource "aws_iam_role_policy" "bootstrap_policy" {
  count = var.palo_alto_count
  name = "palo_alto_bootstrap_${count.index}"
  role = aws_iam_role.bootstrap_role[count.index].id

  policy = <<EOF
{
  "Version" : "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:${var.aws_partition}:s3:::${aws_s3_bucket.bucket[count.index].bucket}"
    },
    {
    "Effect": "Allow",
    "Action": "s3:GetObject",
    "Resource": "arn:${var.aws_partition}:s3:::${aws_s3_bucket.bucket[count.index].bucket}/*"
    }
  ]
}
EOF
}

resource "aws_iam_instance_profile" "bootstrap" {
  count = var.palo_alto_count
  name = "palo_alto_bootstrap_${count.index}"
  role = aws_iam_role.bootstrap_role[count.index].name
  path = "/instance/"
}