# Registers an SSH public key with EC2 so it can be referenced by name below.
# NOTE(review): the key comment ("kn@ism") looks like a personal key - confirm the
# holder still needs access, and replace this resource when the key is rotated.
resource "aws_key_pair" "xpk-kp1" {
  public_key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGiM5WTFNTa31Cm5CmOcw493T9vQ3GxeHP1AjfcomhHK kn@ism"
  tags       = local.default-tags
}

# Single EC2 instance built from the local ec2 module. It is placed in a public
# subnet with both a public IP and an EIP requested, so it is directly
# internet-reachable; the security groups below are its network boundary.
module "headdesk-ec2" {
  source          = "../../modules/compute/ec2"
  additional_tags = {}
  # Rocky9 ARM
  # NOTE(review): the image is pinned by AMI ID, so OS patches arrive only through
  # in-guest updates or by bumping this ID - confirm a patching process exists.
  ami-id   = "ami-0f516dde04bd55b1a"
  asso-eip = true
  # setting to false requires replacement during terraform apply
  asso-public-ip = true
  default-tags   = local.default-tags
  # NOTE(review): presumably encrypts the instance volumes; which KMS key is used
  # depends on the module, which is not visible here - verify.
  ebs-encrypted = true
  instance-name = "${local.resource-prefix}-mailwww"
  instance-type = "t4g.small"
  key-name      = aws_key_pair.xpk-kp1.key_name
  # Root volume size; presumably GiB - confirm against the module.
  root-volume-size = 30
  # Attaches every group ID returned by the security-group module below.
  security-groups = module.headdesk-sg.sg-ids
  subnet-id       = module.vpc-subnet.public-subnet-ids[1]
}

# Security groups for the instance above, built by the local security-groups module.
# Each rule is a positional list; from the values it appears to be
# [index, protocol, cidr, from_port, to_port, direction, description] - confirm
# against the module before editing. Only IPv4 CIDRs are listed here.
module "headdesk-sg" {
  source = "../../modules/compute/security-groups"
  security-groups = [
    {
      # NOTE(review): despite its name and description this group also carries the
      # mail rules and an "ssh"-labelled rule, all open to 0.0.0.0/0. The name and
      # description understate what it exposes - keep that in mind when auditing.
      name        = "WebAccess"
      description = "Public web access"
      rules = [
        [1, "tcp", "0.0.0.0/0", "80", "80", "ingress", "web"],
        [2, "tcp", "0.0.0.0/0", "443", "443", "ingress", "web"],
        [3, "tcp", "0.0.0.0/0", "25", "25", "ingress", "mail"],
        [4, "tcp", "0.0.0.0/0", "587", "587", "ingress", "mail"],
        [5, "tcp", "0.0.0.0/0", "11993", "11993", "ingress", "mail"],
        # Protocol "-1" to 0.0.0.0/0: all outbound traffic is allowed.
        # NOTE(review): unrestricted egress gives no containment if the host is
        # compromised - consider limiting it to the ports mail/web actually need.
        [6, "-1", "0.0.0.0/0", "0", "0", "egress", "Allow outbound traffic"],
        # NOTE(review): port 2201 is labelled "ssh" and is reachable from any
        # address, while MgmtAccess below limits port 22 to a single /32. Confirm
        # 2201 must be world-reachable; if it must, ensure key-only authentication
        # and monitor authentication failures on it.
        [7, "tcp", "0.0.0.0/0", "2201", "2201", "ingress", "ssh"]
      ]
    },
    {
      name        = "MgmtAccess"
      description = "Allow management access"
      rules = [
        # Port 22 restricted to one hard-coded source address.
        # NOTE(review): if this address is dynamically assigned, access passes to
        # whoever holds it next - confirm it is static and still owned.
        [1, "tcp", "223.18.148.85/32", "22", "22", "ingress", "xpk"]
      ]
    }
  ]
  tags   = local.default-tags
  vpc-id = module.vpc-subnet.vpc_id
}