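locals {
  # Redundancy count determines how many redundant paths we have in different AZ's.
  # It sizes both the subnet associations and the routes declared below, so the
  # two always stay in step.
  # 1 is good for testing
  # 2 is probably good enough for all other cases
  # length(var.public_subnets) is the max
  redundancy_count = 1
  #redundancy_count = length(var.public_subnets)
}

# Client VPN endpoint for employee access. Users authenticate through the Okta
# SAML provider (federated authentication) and every connection is written to
# CloudWatch so sessions can be audited after the fact.
resource "aws_ec2_client_vpn_endpoint" "vpn" {
  description = "VPN for Employee Access"

  # Address pool handed out to connecting clients.
  # NOTE(review): AWS requires this range not to overlap the VPC CIDR or any
  # destination routed through the endpoint (10.0.0.0/8 below) — confirm against
  # the VPC this is attached to.
  client_cidr_block = "172.16.0.0/22"

  # Whether only routed destinations (true) or all client traffic (false) is sent
  # through the tunnel; the choice is left to the caller.
  split_tunnel = var.split_tunnel

  server_certificate_arn = aws_acm_certificate.cert.arn

  self_service_portal = "enabled" # requires a self_service_saml_provider in authentication_options

  # TODO: Specify DNS Servers
  dns_servers = var.dns_servers

  # Certificate based authentication requires the certificate be in the same account
  #authentication_options {
  #  type                       = "certificate-authentication"
  #  root_certificate_chain_arn = "arn:aws-us-gov:acm-pca:us-gov-east-1:701290387780:certificate-authority/cb0ea325-a347-4297-9cb8-2134410c3889"
  #}

  # Federated (SAML) authentication; the second provider backs the self-service
  # portal enabled above.
  authentication_options {
    type                           = "federated-authentication"
    saml_provider_arn              = aws_iam_saml_provider.okta.arn
    self_service_saml_provider_arn = aws_iam_saml_provider.okta-self-service.arn
  }

  # Connection logging is the only record of who connected, from where and when;
  # keep it enabled and retain the log group accordingly.
  connection_log_options {
    enabled               = true
    cloudwatch_log_group  = aws_cloudwatch_log_group.vpn.name
    cloudwatch_log_stream = aws_cloudwatch_log_stream.vpn.name
  }

  # Possible required with zscalar?
  transport_protocol = "udp"
}

# One subnet association per redundant path. Each association is placed in the
# corresponding entry of var.public_subnets and guarded by the vpn_access
# security group.
resource "aws_ec2_client_vpn_network_association" "vpn_subnets" {
  count = local.redundancy_count

  client_vpn_endpoint_id = aws_ec2_client_vpn_endpoint.vpn.id
  subnet_id              = var.public_subnets[count.index]
  # NOTE(review): newer AWS provider releases move security-group selection onto
  # the endpoint resource; check the pinned provider version before upgrading.
  security_groups = [aws_security_group.vpn_access.id]

  lifecycle {
    // The issue why we are ignoring changes is that on every change
    // terraform screws up most of the vpn associations
    // see: https://github.com/hashicorp/terraform-provider-aws/issues/14717
    // Consequence: once created, a changed var.public_subnets entry is NOT
    // applied to an existing association; it must be replaced by hand.
    ignore_changes = [subnet_id]
  }
}

# Route 10.0.0.0/8 through each associated subnet so every redundant path can
# reach the private network. count matches the associations above.
# NOTE(review): a route alone does not grant access — an
# aws_ec2_client_vpn_authorization_rule for this CIDR is also required and is
# not in this file section; confirm it exists elsewhere.
resource "aws_ec2_client_vpn_route" "default" {
  count = local.redundancy_count

  client_vpn_endpoint_id = aws_ec2_client_vpn_endpoint.vpn.id
  destination_cidr_block = "10.0.0.0/8"
  target_vpc_subnet_id   = aws_ec2_client_vpn_network_association.vpn_subnets[count.index].subnet_id
}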