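/* ORIGINAL SOURCE: https://raw.githubusercontent.com/gravitational/teleport/master/examples/aws/terraform/starter-cluster/dynamo.tf
   DynamoDB is used to store cluster state, event metadata, and a simple
   locking mechanism for SSL cert generation and renewal. */

// DynamoDB table for storing cluster state.
//
// Encrypted at rest with the customer-managed KMS key `aws_kms_key.s3`
// (defined elsewhere in this module) and protected by point-in-time
// recovery. Capacity is PROVISIONED and excluded from drift detection so
// out-of-band capacity changes are not reverted on the next apply.
#checkov:skip=CKV2_AWS_16:Auto Scaling not needed at this time
resource "aws_dynamodb_table" "teleport" {
  name           = var.instance_name
  read_capacity  = 10
  write_capacity = 10
  hash_key       = "HashKey"
  range_key      = "FullPath"
  billing_mode   = "PROVISIONED"

  server_side_encryption {
    kms_key_arn = aws_kms_key.s3.arn
    enabled     = true
  }

  // Capacity may be tuned manually; do not let Terraform fight those changes.
  lifecycle {
    ignore_changes = [
      read_capacity,
      write_capacity,
    ]
  }

  attribute {
    name = "HashKey"
    type = "S"
  }

  attribute {
    name = "FullPath"
    type = "S"
  }

  point_in_time_recovery {
    enabled = true
  }

  // Change stream carrying the new item image only.
  // `stream_enabled` is a bool attribute; the original passed the string
  // "true", which only works through provider type coercion.
  stream_enabled   = true
  stream_view_type = "NEW_IMAGE"

  // Items with an "Expires" attribute are purged automatically by DynamoDB.
  ttl {
    attribute_name = "Expires"
    enabled        = true
  }

  // NOTE(review): all three tables carry Name = var.instance_name rather than
  // their own table name; confirm this is intentional for tag-based lookups.
  tags = merge(local.standard_tags, var.tags, { Name = var.instance_name })
}

// DynamoDB table for storing cluster events.
//
// Same encryption (customer-managed KMS key) and PITR posture as the state
// table. The `timesearchV2` GSI supports time-range queries over events.
#checkov:skip=CKV2_AWS_16:Auto Scaling not needed at this time
resource "aws_dynamodb_table" "teleport_events" {
  name           = "${var.instance_name}-events"
  read_capacity  = 10
  write_capacity = 10
  hash_key       = "SessionID"
  range_key      = "EventIndex"
  billing_mode   = "PROVISIONED"

  server_side_encryption {
    kms_key_arn = aws_kms_key.s3.arn
    enabled     = true
  }

  global_secondary_index {
    name            = "timesearchV2"
    hash_key        = "CreatedAtDate"
    range_key       = "CreatedAt"
    write_capacity  = 10
    read_capacity   = 10
    projection_type = "ALL"
  }

  // Capacity may be tuned manually; do not let Terraform fight those changes.
  lifecycle {
    ignore_changes = [
      read_capacity,
      write_capacity,
    ]
  }

  attribute {
    name = "SessionID"
    type = "S"
  }

  attribute {
    name = "EventIndex"
    type = "N"
  }

  attribute {
    name = "CreatedAtDate"
    type = "S"
  }

  attribute {
    name = "CreatedAt"
    type = "N"
  }

  point_in_time_recovery {
    enabled = true
  }

  // Items with an "Expires" attribute are purged automatically by DynamoDB.
  ttl {
    attribute_name = "Expires"
    enabled        = true
  }

  tags = merge(local.standard_tags, var.tags, { Name = var.instance_name })
}

// DynamoDB table for simple locking mechanism.
//
// Deliberately weaker posture than the two tables above: no customer-managed
// KMS key (`enabled = false` leaves the table on the AWS-owned default key,
// not unencrypted) and no PITR, on the basis that lock records hold no
// sensitive data and need no restore. Reviewers wanting a uniform encryption
// baseline across the cluster's tables should align this one with the CMK.
#checkov:skip=CKV2_AWS_16:Auto Scaling not needed at this time
resource "aws_dynamodb_table" "locks" {
  name           = "${var.instance_name}-locks"
  read_capacity  = 5
  write_capacity = 5
  hash_key       = "Lock"
  billing_mode   = "PROVISIONED"

  #checkov:skip=CKV_AWS_119:Encrypted by AWS Owned key config'd via console
  # tfsec:ignore:aws-dynamodb-table-customer-key AWS Owned key config'd via console
  # tfsec:ignore:aws-dynamodb-enable-at-rest-encryption False positive
  server_side_encryption {
    enabled = false
  }

  // Capacity may be tuned manually; do not let Terraform fight those changes.
  lifecycle {
    ignore_changes = [
      read_capacity,
      write_capacity,
    ]
  }

  attribute {
    name = "Lock"
    type = "S"
  }

  #checkov:skip=CKV_AWS_28:No need for PiTR here
  # tfsec:ignore:aws-dynamodb-enable-recovery
  point_in_time_recovery {
    enabled = false
  }

  // Expired locks are reaped by DynamoDB via the "Expires" attribute.
  ttl {
    attribute_name = "Expires"
    enabled        = true
  }

  tags = merge(local.standard_tags, var.tags, { Name = var.instance_name })
}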