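# Region lookup used to build the "com.amazonaws.<region>.<service>" endpoint names.
data "aws_region" "this" {}

# Provider default_tags lookup; only used to enforce that they are configured.
data "aws_default_tags" "this" {
  lifecycle {
    postcondition {
      # Fail at plan time if the provider has no default_tags, so every
      # resource created here inherits a consistent tag set.
      condition     = length(self.tags) >= 1
      error_message = "Validation failed: Provider default_tags not set."
    }
  }
}

# One Interface endpoint per service name in var.interface-ep-services.
# No `policy` attribute is set, so AWS attaches its default full-access
# endpoint policy; add an endpoint policy if access through the endpoint
# should be limited to specific principals or resources.
resource "aws_vpc_endpoint" "vpc-interface-ep" {
  for_each = toset(var.interface-ep-services)

  vpc_id            = data.aws_vpc.this-vpc.id
  service_name      = "com.amazonaws.${data.aws_region.this.name}.${each.value}"
  vpc_endpoint_type = "Interface"

  # Only HTTPS from the VPC's own CIDRs may reach the endpoint ENIs.
  security_group_ids = [
    aws_security_group.vpc-ep-sg.id,
  ]

  # One subnet per availability zone (an Interface endpoint takes at most
  # one subnet per AZ); see local.one_subnet_in_each_az.
  subnet_ids          = local.one_subnet_in_each_az
  private_dns_enabled = true

  tags = {
    "Name" : "${var.resource-prefix}-vpcep-${each.value}"
  }

  lifecycle {
    precondition {
      condition     = data.aws_vpc.this-vpc.enable_dns_support
      error_message = "enableDnsSupport needs to be turned on."
    }
    # private_dns_enabled requires BOTH VPC DNS attributes; checking only
    # enableDnsSupport lets a plan through that AWS then rejects at apply.
    precondition {
      condition     = data.aws_vpc.this-vpc.enable_dns_hostnames
      error_message = "enableDnsHostnames needs to be turned on for private DNS."
    }
  }
}

# One Gateway endpoint per service name in var.gateway-ep-services,
# associated with every route table of the VPC. As above, no `policy`
# is set, so the default full-access endpoint policy applies.
resource "aws_vpc_endpoint" "vpc-gateway-ep" {
  for_each = toset(var.gateway-ep-services)

  vpc_id            = data.aws_vpc.this-vpc.id
  service_name      = "com.amazonaws.${data.aws_region.this.name}.${each.value}"
  vpc_endpoint_type = "Gateway"
  route_table_ids   = data.aws_route_tables.this.ids

  tags = {
    "Name" : "${var.resource-prefix}-vpcep-${each.value}"
  }
}

# Short random suffix so the security group name is unique per deployment.
resource "random_id" "rid" {
  byte_length = 2
}

# Security group attached to the Interface endpoint ENIs.
resource "aws_security_group" "vpc-ep-sg" {
  name        = "HttpsAccessToVpcEndpoints-${random_id.rid.dec}"
  description = "HttpsAccessToVpcEndpoints-${random_id.rid.dec}"
  vpc_id      = data.aws_vpc.this-vpc.id

  ingress {
    description = "TLS from VPC"
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    # All CIDR associations (primary and any secondary blocks) are allowed,
    # not just data.aws_vpc.this-vpc.cidr_block, so hosts in secondary
    # ranges can also reach the endpoints.
    # cidr_blocks = [data.aws_vpc.this-vpc.cidr_block]
    cidr_blocks = data.aws_vpc.this-vpc.cidr_block_associations.*.cidr_block
  }

  # Unrestricted egress. Endpoint ENIs only answer requests, so this is
  # rarely used, but scanners flag it; restrict if policy requires.
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  tags = {
    "Name" : "VpcEpAccess"
  }
}

# Target VPC, looked up by id.
data "aws_vpc" "this-vpc" {
  id = var.vpc-id
}

# All AZs currently available in the region.
data "aws_availability_zones" "this" {
  state = "available"
}

# Find all subnets for this VPC, grouped by availability zone id.
data "aws_subnets" "subnets_and_az" {
  for_each = toset(data.aws_availability_zones.this.zone_ids)

  filter {
    name   = "vpc-id"
    values = [var.vpc-id]
  }

  filter {
    name   = "availability-zone-id"
    values = [each.value]
  }
}

# Every route table of the VPC, used for the Gateway endpoints.
data "aws_route_tables" "this" {
  vpc_id = var.vpc-id
}

locals {
  # Pick one subnet per AZ: the LAST id in each AZ's list (index
  # length-1). AZs with no subnet yield "" via try(), which compact()
  # then drops, so such AZs are simply skipped.
  one_subnet_in_each_az = compact([for k, v in data.aws_subnets.subnets_and_az : try(element(v.ids, length(v.ids) - 1), "")])
}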