module "bastion" {
  source                      = "terraform-aws-modules/ec2-instance/aws"
  version                     = "5.5.0"
  name                        = "lab-ken2026-eks-bastion"
  instance_type               = "t3.micro"
  ami                         = data.aws_ami.this.id
  ignore_ami_changes          = true
  subnet_id                   = var.subnet_ids[0]
  vpc_security_group_ids      = [module.sg.id, module.eks.cluster_primary_security_group_id]
  create_iam_instance_profile = true
  iam_role_description        = "IAM role for EC2 instance"
  iam_role_policies = {
    SSMManagedInstanceCore = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
    CloudwatchAgent        = "arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy"
    Admin                  = "arn:aws:iam::aws:policy/AdministratorAccess"
  }
  key_name      = "kf-key"
  ebs_optimized = true
  root_block_device = [
    {
      encrypted   = true
      volume_type = "gp3"
      volume_size = 10
    },
  ]
  volume_tags = data.aws_default_tags.this.tags
  # IMDSv2 requirement
  metadata_options = {
    http_endpoint               = "enabled"
    http_tokens                 = "required"
    http_put_response_hop_limit = 2
  }
  user_data = <<EOF
#!/bin/bash
curl -LO https://storage.googleapis.com/kubernetes-release/release/`curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt`/bin/linux/amd64/kubectl
chmod 755 kubectl
mv kubectl /usr/local/bin/
EOF
}

module "sg" {
  source      = "../../modules/compute/security_group"
  description = "Security group for web server"
  egress = {
    r1 = "tcp,0,65535,0.0.0.0/0,Allow outbound tcp traffic"
    r2 = "udp,0,65535,0.0.0.0/0,Allow outbound udp traffic"
    r3 = "icmp,0,-1,0.0.0.0/0,Allow icmp echo reply"
  }
  ingress = {
    r1 = "icmp,8,-1,0.0.0.0/0,Allow ICMP traffic"
  }
  name   = "lab-ken2026-eks-bastion-sg"
  vpc-id = var.vpc_id
}

data "aws_default_tags" "this" {}

data "aws_ami" "this" {
  most_recent = true
  name_regex  = "al2023-ami-202.*"

  filter {
    name   = "virtualization-type"
    values = ["hvm"]
  }

  filter {
    name   = "root-device-type"
    values = ["ebs"]
  }

  filter {
    name   = "architecture"
    values = ["x86_64"]
  }

  owners = ["910595266909"] # AWS
}