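# Palo Alto VM-Series ("XDR Interconnect") firewalls: var.palo_alto_count
# instances spread over two AZs (count.index % 2 picks the AZ and subnet).
# Each instance gets four ENIs: untrusted (eth0, public EIP), management
# (eth1, public EIP), private (eth2) and TGW (eth3).
#
# Host addressing: each ENI is pinned to host (10 + count.index) of its
# subnet. Because the subnet is selected with count.index % 2, an offset that
# also used count.index % 2 would give instances 0 and 2 (1 and 3, ...) the
# same address in the same subnet and fail at apply time. Using the full
# index keeps instances 0 and 1 on .10/.11 as before and is collision-free
# for any count.

resource "aws_network_interface" "FWManagementNetworkInterface" {
  count           = var.palo_alto_count
  subnet_id       = var.subnet_id_map["management"][count.index % 2]
  # Management-plane reachability is governed entirely by this SG, since the
  # interface also receives a public EIP below.
  security_groups = var.management_security_group_ids
  # Disabled so the appliance may receive/forward traffic not addressed to it.
  source_dest_check = false
  private_ips_count = 0
  private_ips = [
    cidrhost(var.subnet_cidr_map["management"][count.index % 2], 10 + count.index)
  ]
  description = "Palo Alto XDR Interconnect ${count.index} management interface"

  tags = {
    Name = "xdr-interconnect-${count.index}_management_interface"
  }
}

resource "aws_network_interface" "FWPublicNetworkInterface" {
  count             = var.palo_alto_count
  subnet_id         = var.subnet_id_map["untrusted"][count.index % 2]
  security_groups   = var.untrusted_security_group_ids
  source_dest_check = false
  private_ips_count = 0
  private_ips = [
    cidrhost(var.subnet_cidr_map["untrusted"][count.index % 2], 10 + count.index)
  ]
  description = "Palo Alto XDR Interconnect ${count.index} untrusted interface"

  tags = {
    Name = "xdr-interconnect-${count.index}_untrusted_interface"
  }
}

resource "aws_network_interface" "FWPrivateNetworkInterface" {
  count     = var.palo_alto_count
  subnet_id = var.subnet_id_map["private"][count.index % 2]
  # NOTE(review): the private interface reuses the *untrusted* security group.
  # Confirm this is intended; a dedicated inside-facing SG would normally be
  # expected so the trusted side is not governed by the internet-facing rules.
  security_groups   = var.untrusted_security_group_ids
  source_dest_check = false
  private_ips_count = 0
  private_ips = [
    cidrhost(var.subnet_cidr_map["private"][count.index % 2], 10 + count.index)
  ]
  description = "Palo Alto XDR Interconnect ${count.index} private interface"

  tags = {
    Name = "xdr-interconnect-${count.index}_private_interface"
  }
}

resource "aws_network_interface" "FWTGWNetworkInterface" {
  count     = var.palo_alto_count
  subnet_id = var.subnet_id_map["tgw_standalone"][count.index % 2]
  # NOTE(review): same as the private interface — the TGW-facing ENI uses the
  # untrusted security group; confirm this is deliberate.
  security_groups   = var.untrusted_security_group_ids
  source_dest_check = false
  private_ips_count = 0
  private_ips = [
    cidrhost(var.subnet_cidr_map["tgw_standalone"][count.index % 2], 10 + count.index)
  ]
  description = "Palo Alto XDR Interconnect ${count.index} tgw interface"

  tags = {
    Name = "xdr-interconnect-${count.index}_tgw_interface"
  }
}

# Elastic IPs: one per firewall for the untrusted (data) side and one for the
# management side. The management EIP makes the management plane internet
# reachable; restrict it via var.management_security_group_ids.
# NOTE(review): `vpc = true` is the legacy form; later AWS provider releases
# deprecate it in favour of `domain = "vpc"`. Left unchanged to stay
# compatible with the provider version this module currently pins.
resource "aws_eip" "untrusted_eip" {
  count = var.palo_alto_count
  vpc   = true
}

resource "aws_eip" "management_eip" {
  count = var.palo_alto_count
  vpc   = true
}

resource "aws_eip_association" "FWEIPManagementAssociation" {
  count                = var.palo_alto_count
  network_interface_id = aws_network_interface.FWManagementNetworkInterface[count.index].id
  allocation_id        = aws_eip.management_eip[count.index].id
}

resource "aws_eip_association" "FWEIPPublicAssociation" {
  count                = var.palo_alto_count
  network_interface_id = aws_network_interface.FWPublicNetworkInterface[count.index].id
  allocation_id        = aws_eip.untrusted_eip[count.index].id
}

# "spread" keeps each firewall on distinct underlying hardware.
resource "aws_placement_group" "palo_group" {
  name     = "Palo Alto Placement Group"
  strategy = "spread"
}

# The firewall instances themselves. Networking is supplied exclusively through
# the pre-created ENIs above (device_index 0-3); the commented-out attributes
# below are kept as a record of why subnet/public-IP are not set directly.
resource "aws_instance" "palo" {
  count                                = var.palo_alto_count
  ami                                  = lookup(var.pavm_byol_ami_id, var.aws_region)
  availability_zone                    = var.azs[count.index % 2]
  placement_group                      = aws_placement_group.palo_group.id
  tenancy                              = "default"
  ebs_optimized                        = true
  disable_api_termination              = var.instance_termination_protection
  instance_initiated_shutdown_behavior = "stop"
  instance_type                        = var.palo_alto_instance_type
  key_name                             = var.palo_alto_key_name
  # Detailed CloudWatch monitoring is off; basic (5-minute) metrics only.
  monitoring = false

  #subnet_id = var.subnet_id_map["untrusted"][count.index % 2]
  #associate_public_ip_address = true # causes a recreate on apply if you set this!
  #private_ip = cidrhost(var.subnet_cidr_map["untrusted"][count.index % 2], 10 + (count.index % 2))
  #source_dest_check = false

  # NOTE(review): no metadata_options block is set, so the instance metadata
  # service accepts IMDSv1 requests. Consider `metadata_options { http_tokens =
  # "required" }` once confirmed compatible with the appliance bootstrap.

  tags = merge(
    var.standard_tags,
    var.tags,
    {
      Name = "xdr-interconnect-${count.index}"
    }
  )

  # NOTE(review): `encrypted` is not set on the root volume; confirm whether
  # account-level EBS default encryption applies, otherwise add `encrypted = true`
  # (changing it on an existing instance forces replacement).
  root_block_device {
    volume_type           = "gp2"
    volume_size           = "60"
    delete_on_termination = true
  }

  # eth0: untrusted / public-facing (primary interface)
  network_interface {
    device_index         = 0
    network_interface_id = aws_network_interface.FWPublicNetworkInterface[count.index].id
  }

  # eth1: management
  network_interface {
    device_index         = 1
    network_interface_id = aws_network_interface.FWManagementNetworkInterface[count.index].id
  }

  # eth2: private / trusted side
  network_interface {
    device_index         = 2
    network_interface_id = aws_network_interface.FWPrivateNetworkInterface[count.index].id
  }

  # eth3: Transit Gateway attachment side
  network_interface {
    device_index         = 3
    network_interface_id = aws_network_interface.FWTGWNetworkInterface[count.index].id
  }

  # Bootstrap pointer consumed by the VM-Series on first boot: the per-instance
  # S3 bucket holding its bootstrap package. The provider does not re-encode a
  # value that is already base64; `user_data_base64` is the explicit alternative.
  user_data            = base64encode("vmseries-bootstrap-aws-s3bucket=${var.bucket_ids[count.index]}")
  # Per-instance profile: each firewall only gets the role scoped to its own bucket.
  iam_instance_profile = var.instance_profile_names[count.index]
}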