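locals {
  # Redundancy count determines how many redundant paths we have in different AZs.
  # 1 is good for testing.
  # 2 is probably good enough for all other cases.
  # It is used as `count` on the subnet associations and routes below, which index
  # var.private_subnets, so length(var.private_subnets) is the effective maximum
  # (a larger value fails at plan time with an index error).
  redundancy_count = 1
  #redundancy_count = length(var.private_subnets)
}

# Client VPN endpoint: SAML (Okta) federated auth, CloudWatch connection logging,
# a login banner and a per-connection Lambda authorization hook.
resource "aws_ec2_client_vpn_endpoint" "vpn" {
  description = "VPN for XDR Employee Access"
  # Address pool assigned to connected clients; AWS requires it not to overlap the
  # VPC CIDR or any route added to the endpoint route table.
  client_cidr_block      = "172.16.0.0/22"
  # When enabled, only the routes in the endpoint route table are pushed to clients.
  split_tunnel           = var.split_tunnel
  server_certificate_arn = aws_acm_certificate.cert.arn
  self_service_portal    = "enabled" # requires a self_service_saml_provider in authentication_options
  security_group_ids     = [aws_security_group.vpn_access.id]
  dns_servers            = local.dns_servers

  # Certificate based authentication requires the certificate be in the same account
  #authentication_options {
  #  type                       = "certificate-authentication"
  #  root_certificate_chain_arn = "arn:aws-us-gov:acm-pca:us-gov-east-1:701290387780:certificate-authority/cb0ea325-a347-4297-9cb8-2134410c3889"
  #}

  # Federated (SAML) authentication; the second provider backs the self-service portal.
  authentication_options {
    type                           = "federated-authentication"
    saml_provider_arn              = aws_iam_saml_provider.okta.arn
    self_service_saml_provider_arn = aws_iam_saml_provider.okta-self-service.arn
  }

  # Connection logging (connect/disconnect events) to CloudWatch.
  connection_log_options {
    enabled               = true
    cloudwatch_log_group  = aws_cloudwatch_log_group.vpn.name
    cloudwatch_log_stream = aws_cloudwatch_log_stream.vpn.name
  }

  # Could not get UDP working on OSX
  transport_protocol = var.protocol
  #transport_protocol = "tcp"
  vpn_port = 443
  # Clients must re-authenticate after this many hours.
  session_timeout_hours = 12

  client_login_banner_options {
    # NOTE(review): the banner literal was wrapped across two lines in the source this was
    # taken from; it is rejoined here on one line — verify the text matches the approved banner.
    banner_text = "--- NOTICE TO USERS ---\n\nAccenture Federal Services AUTHORIZED USE ONLY\n\nThis system is the property of Accenture Federal Services. You are accessing a U.S. Government certified information system. By using this system you consent to monitoring for unauthorized access or activity where legally permitted and agree to use the system in accordance to Accenture Federal Services policies, local laws and regulations.\n\nUnauthorized use of this system is prohibited and subject to reprimand, dismissal, financial penalties, criminal penalties, and civil penalties. By signing in, you are agreeing to these terms."
    enabled     = true
  }

  # Every new connection is additionally checked by the authorization Lambda before it is allowed.
  client_connect_options {
    enabled             = true
    lambda_function_arn = aws_lambda_function.lambda_connection_authorization.arn
  }
}

# One target-network association per redundant path; each association lands in a
# different private subnet (and therefore, presumably, a different AZ — confirm the
# ordering of var.private_subnets guarantees that).
resource "aws_ec2_client_vpn_network_association" "vpn_subnets" {
  count                  = local.redundancy_count
  client_vpn_endpoint_id = aws_ec2_client_vpn_endpoint.vpn.id
  subnet_id              = var.private_subnets[count.index]

  # lifecycle {
  #   // The issue why we are ignoring changes is that on every change
  #   // terraform screws up most of the vpn associations
  #   // see: https://github.com/hashicorp/terraform-provider-aws/issues/14717
  #   ignore_changes = [subnet_id]
  # }
}

# Default route through each associated subnet. Because it is 0.0.0.0/0 it is pushed to
# clients even when split_tunnel is enabled, which makes the endpoint effectively
# full-tunnel — confirm that is the intent. A route alone does not grant access: the
# matching aws_ec2_client_vpn_authorization_rule must exist (not defined in this file).
resource "aws_ec2_client_vpn_route" "default" {
  count                  = local.redundancy_count
  client_vpn_endpoint_id = aws_ec2_client_vpn_endpoint.vpn.id
  #destination_cidr_block = "10.0.0.0/8"
  destination_cidr_block = "0.0.0.0/0"
  target_vpc_subnet_id   = aws_ec2_client_vpn_network_association.vpn_subnets[count.index].subnet_id
}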