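# Interface endpoints (one per service in var.interface-ep-services), placed in
# every subnet of the target VPC and reachable only on 443/tcp from the VPC CIDR.
# NOTE(review): an interface endpoint accepts at most one subnet per AZ, so this
# fails to apply if data.aws_subnets.this-subnets returns several subnets in the
# same AZ — confirm the subnet layout or filter the lookup.
resource "aws_vpc_endpoint" "vpc-interface-ep" {
  for_each = toset(var.interface-ep-services)

  vpc_id            = data.aws_vpc.this-vpc.id
  service_name      = "com.amazonaws.${var.aws-region}.${each.value}"
  vpc_endpoint_type = "Interface"

  security_group_ids = [
    aws_security_group.generic-ep-sg.id,
  ]

  # deploy to all subnets
  subnet_ids = data.aws_subnets.this-subnets.ids

  # Private DNS needs both enable_dns_support and enable_dns_hostnames on the VPC;
  # both are checked by the postconditions on data.aws_vpc.this-vpc.
  private_dns_enabled = true

  tags = merge({ "Name" : "${var.resource-prefix}-vpcep-${each.value}" }, var.default-tags)
}

# Shared security group for the interface endpoint ENIs. Only HTTPS from inside
# the VPC's primary CIDR is allowed in (secondary CIDRs are not covered).
# The name now carries var.resource-prefix so two deployments in one VPC do not
# collide on the per-VPC-unique group name; this renames (replaces) the group.
resource "aws_security_group" "generic-ep-sg" {
  name        = "${var.resource-prefix}-HttpsAccessToVpcEndpoints"
  description = "HttpsAccessToVpcEndpoints"
  vpc_id      = data.aws_vpc.this-vpc.id

  ingress {
    description = "TLS from VPC"
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = [data.aws_vpc.this-vpc.cidr_block]
  }

  # Egress kept as in the original; endpoint ENIs only answer inbound
  # connections, so this rule is not expected to carry traffic — TODO confirm
  # and tighten if the account's SG baseline requires it.
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  tags = merge({ "Name" : "${var.resource-prefix}-VpcEpAccess" }, var.default-tags)
}

# Gateway endpoints (S3/DynamoDB-style services listed in var.gateway-ep-services).
# A gateway endpoint only takes effect once it is associated with route tables;
# without route_table_ids the endpoint exists but traffic keeps using the
# NAT/IGW path, so every route table of the VPC is attached here.
resource "aws_vpc_endpoint" "vpc-gateway-ep" {
  for_each = toset(var.gateway-ep-services)

  vpc_id            = data.aws_vpc.this-vpc.id
  service_name      = "com.amazonaws.${var.aws-region}.${each.value}"
  vpc_endpoint_type = "Gateway"
  route_table_ids   = data.aws_route_tables.this-route-tables.ids

  tags = merge({ "Name" : "${var.resource-prefix}-vpcep-${each.value}" }, var.default-tags)
}

# Target VPC. Both DNS flags are required for private_dns_enabled on the
# interface endpoints, so each is checked up front with a clear error.
data "aws_vpc" "this-vpc" {
  id = var.vpc-id

  lifecycle {
    postcondition {
      condition     = self.enable_dns_support == true
      error_message = "The selected VPC must have DNS support enabled."
    }
    postcondition {
      condition     = self.enable_dns_hostnames == true
      error_message = "The selected VPC must have DNS hostnames enabled for private DNS on interface endpoints."
    }
  }
}

# All subnets of the VPC (no AZ or public/private filtering is applied).
data "aws_subnets" "this-subnets" {
  filter {
    name   = "vpc-id"
    values = [var.vpc-id]
  }
}

# All route tables of the VPC, used to associate the gateway endpoints.
data "aws_route_tables" "this-route-tables" {
  vpc_id = var.vpc-id
}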