# Rather than pass in the aws security group, we just look it up. This will
# probably be useful other places, as well.
data "aws_security_group" "typical-host" {
  name   = "typical-host"
  vpc_id = var.vpc_id
}

# Use the default EBS key
data "aws_kms_key" "ebs-key" {
  key_id = "alias/ebs_root_encrypt_decrypt"
}

resource "aws_instance" "instance" {
  count = var.enabled ? 1 : 0

  # availability_zone = var.azs[count.index % 2]
  tenancy                              = "default"
  ebs_optimized                        = true
  disable_api_termination              = var.instance_termination_protection
  instance_initiated_shutdown_behavior = "stop"
  instance_type                        = "t3a.medium"
  key_name                             = "msoc-build"
  monitoring                           = false # checkov:skip=CKV_AWS_126:Detailed monitoring not needed at this time
  iam_instance_profile                 = "msoc-default-instance-profile"
  subnet_id                            = var.subnets[0]
  associate_public_ip_address          = true

  vpc_security_group_ids = [data.aws_security_group.typical-host.id, aws_security_group.test_instance_security_group[count.index].id]

  metadata_options {
    http_endpoint = "enabled"
    # checkov:skip=CKV_AWS_79:see tfsec explanation
    # tfsec:ignore:aws-ec2-enforce-http-token-imds Saltstack doesn't use s3 sources appropriately; see https://github.com/saltstack/salt/issues/60668
    http_tokens = "optional"
  }

  ami = local.ami
  # We need to ignore ebs_block_device changes, because if the AMI changes, so does the snapshot_id.
  # If they add a feature to block more specific changes (eg `ebs_block_devices[*].snapshot_id`), then
  # that could be removed.
  lifecycle { ignore_changes = [ami, key_name, user_data, ebs_block_device] }

  user_data   = data.template_cloudinit_config.cloud-init.rendered
  tags        = merge(local.standard_tags, var.tags, var.instance_tags, { Name = var.instance_name })
  volume_tags = merge(local.standard_tags, var.tags, { Name = var.instance_name })
}

module "private_dns_record" {
  count = var.enabled ? 1 : 0

  source = "../../submodules/dns/private_A_record"

  name            = var.instance_name
  ip_addresses    = [aws_instance.instance[count.index].private_ip]
  dns_info        = var.dns_info
  reverse_enabled = var.reverse_enabled

  providers = {
    aws.c2 = aws.c2
  }
}

module "public_dns_record" {
  count = var.enabled ? 1 : 0

  source = "../../submodules/dns/public_A_record"

  name         = var.instance_name
  ip_addresses = [aws_instance.instance[count.index].public_ip]
  dns_info     = var.dns_info

  providers = {
    aws.mdr-common-services-commercial = aws.mdr-common-services-commercial
  }
}

# Render a multi-part cloud-init config making use of the part
# above, and other source files
data "template_cloudinit_config" "cloud-init" {
  gzip          = true
  base64_encode = true

  # Main cloud-config configuration file.
  part {
    filename     = "init.cfg"
    content_type = "text/cloud-config"
    content = templatefile("${path.module}/cloud-init/cloud-init.tpl",
      {
        hostname            = var.instance_name
        fqdn                = "${var.instance_name}.${var.dns_info["private"]["zone"]}"
        environment         = var.environment
        salt_master         = local.salt_master
        proxy               = local.proxy
        aws_partition       = var.aws_partition
        aws_partition_alias = var.aws_partition_alias
        aws_region          = var.aws_region
      }
    )
  }

  # Additional parts as needed
  #part {
  #  content_type = "text/x-shellscript"
  #  content      = "ffbaz"
  #}
}

#----------------------------------------------------------------------------
# Test Instance Security Group
#----------------------------------------------------------------------------
resource "aws_security_group" "test_instance_security_group" {
  count = var.enabled ? 1 : 0

  name        = "test_instance_security_group"
  description = "Security Group for Test Instance Server(s)"
  vpc_id      = var.vpc_id
  tags        = merge(local.standard_tags, var.tags)
}

#----------------------------------------------------------------------------
# INGRESS
#----------------------------------------------------------------------------
resource "aws_security_group_rule" "all-in" {
  count = var.enabled ? 1 : 0

  type              = "ingress"
  description       = "Allow all inbound to test instance"
  from_port         = -1
  to_port           = -1
  protocol          = -1
  cidr_blocks       = ["0.0.0.0/0"]
  security_group_id = aws_security_group.test_instance_security_group[count.index].id
}

#----------------------------------------------------------------------------
# EGRESS
#----------------------------------------------------------------------------
# Test Instance can access any port
resource "aws_security_group_rule" "test_instance-out-all-ports" {
  count = var.enabled ? 1 : 0

  type              = "egress"
  description       = "Test Instance can access any port internally - Outbound"
  protocol          = "all"
  from_port         = -1
  to_port           = -1
  cidr_blocks       = ["0.0.0.0/0"]
  security_group_id = aws_security_group.test_instance_security_group[count.index].id
}