# Per-account VPC: three private + three public subnets carved out of
# var.vpc_info["cidr"], a set of interface/gateway endpoints, DHCP options
# and a REJECT-only flow log. Everything referenced as var.*, local.dns_servers,
# local.standard_tags and module.aws_endpoints_sg is declared elsewhere in
# this module.
locals {
  vpc_name = "${var.vpc_info["name"]}-${var.account_name}"
  vpc_cidr = var.vpc_info["cidr"]

  # Tags applied to every resource here; the VPC itself adds "Purpose".
  common_tags = merge(local.standard_tags, var.tags)

  # Every interface endpoint is attached to the same security group, so its
  # ingress rules are the single control over who may reach AWS APIs privately.
  endpoint_sg_ids = [module.aws_endpoints_sg.security_group_id]
}

data "aws_availability_zones" "available" {
  state = "available"
}

module "vpc" {
  source  = "terraform-aws-modules/vpc/aws"
  version = "~> v2.70"

  name = local.vpc_name
  cidr = local.vpc_cidr

  # First three AZs of the region; the subnet lists below are sized to match.
  azs = slice(data.aws_availability_zones.available.names, 0, 3)

  # Subnets are /N+3 slices of the VPC CIDR: private uses offsets 0-2,
  # public uses 4-6 (offset 3 is left unused).
  private_subnets = [for idx in range(3) : cidrsubnet(local.vpc_cidr, 3, idx)]

  # Routing every account through the transit gateway would give a single
  # Internet egress point and save some cost, but for now this stays
  # consistent with the legacy accounts. If that changes, consider a /23 per
  # customer, or a /24 per subnet (which seems wasteful).
  #public_subnets = [ ]
  public_subnets = [for idx in range(4, 7) : cidrsubnet(local.vpc_cidr, 3, idx)]

  enable_nat_gateway   = var.enable_nat_gateway
  enable_vpn_gateway   = false
  enable_dns_hostnames = true
  enable_dhcp_options  = true

  # Gateway endpoints (no private DNS / security group settings)
  enable_dynamodb_endpoint = true
  enable_s3_endpoint       = true

  # Interface endpoints: private DNS on, all guarded by local.endpoint_sg_ids
  enable_ec2_endpoint              = true
  ec2_endpoint_private_dns_enabled = true
  ec2_endpoint_security_group_ids  = local.endpoint_sg_ids

  enable_ec2messages_endpoint              = true
  ec2messages_endpoint_private_dns_enabled = true
  ec2messages_endpoint_security_group_ids  = local.endpoint_sg_ids

  enable_ecr_api_endpoint              = true
  ecr_api_endpoint_private_dns_enabled = true
  ecr_api_endpoint_security_group_ids  = local.endpoint_sg_ids

  enable_ecr_dkr_endpoint              = true
  ecr_dkr_endpoint_private_dns_enabled = true
  ecr_dkr_endpoint_security_group_ids  = local.endpoint_sg_ids

  enable_kms_endpoint              = true
  kms_endpoint_private_dns_enabled = true
  kms_endpoint_security_group_ids  = local.endpoint_sg_ids

  enable_logs_endpoint              = true
  logs_endpoint_private_dns_enabled = true
  logs_endpoint_security_group_ids  = local.endpoint_sg_ids

  enable_ssm_endpoint              = true
  ssm_endpoint_private_dns_enabled = true
  ssm_endpoint_security_group_ids  = local.endpoint_sg_ids

  enable_ssmmessages_endpoint              = true
  ssmmessages_endpoint_private_dns_enabled = true
  ssmmessages_endpoint_security_group_ids  = local.endpoint_sg_ids

  enable_sts_endpoint              = true
  sts_endpoint_private_dns_enabled = true
  sts_endpoint_security_group_ids  = local.endpoint_sg_ids

  enable_monitoring_endpoint              = true
  monitoring_endpoint_private_dns_enabled = true
  monitoring_endpoint_security_group_ids  = local.endpoint_sg_ids

  # DHCP options. Domain name comes from the private zone; the name servers
  # are a local because VMRay runs its own DNS server (special case).
  dhcp_options_domain_name         = var.dns_info["private"]["zone"]
  dhcp_options_domain_name_servers = local.dns_servers
  dhcp_options_ntp_servers         = ["169.254.169.123"]
  dhcp_options_tags                = local.common_tags

  tags = merge(local.common_tags, { "Purpose" = var.vpc_info["purpose"] })

  nat_eip_tags = {
    "eip_type" = "natgw"
    Name       = local.vpc_name
  }
}

# VPC flow log shipped to CloudWatch Logs. The IAM role and the log group are
# addressed by ARN only, so both are presumably created elsewhere — verify they
# exist before this applies.
resource "aws_flow_log" "flowlogs" {
  iam_role_arn    = "arn:${var.aws_partition}:iam::${var.aws_account_id}:role/aws_services/flowlogs"
  log_destination = "arn:${var.aws_partition}:logs:${var.aws_region}:${var.aws_account_id}:log-group:vpc_flow_logs"
  # ALL is very noisy and CIS only requires rejects. Note that REJECT alone
  # gives no record of accepted flows, so investigations of traffic that was
  # allowed (e.g. through the NAT gateway) have to rely on other sources.
  traffic_type = "REJECT"
  vpc_id       = module.vpc.vpc_id
  tags         = local.common_tags
}