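# Network baseline for one VPC: subnets spread over a fixed number of AZs,
# an IGW for public subnets, an optional single NAT gateway for private
# subnets, a locked-down default security group and (optionally) the free
# gateway endpoints. Every resource is created through the aws.NetworkDeployer
# provider alias.

# Account/caller of the deployer provider. Not referenced in this file; kept
# for callers or outputs that may consume it.
data "aws_caller_identity" "this" {
  provider = aws.NetworkDeployer
}

data "aws_availability_zones" "available-az" {
  provider = aws.NetworkDeployer
  state    = "available"
}

# Read back the provider-level default_tags so they can be merged into subnet
# tags. Read from the same provider alias the resources are created with,
# otherwise the postcondition would validate a different provider config.
data "aws_default_tags" "this" {
  provider = aws.NetworkDeployer

  lifecycle {
    postcondition {
      condition     = length(self.tags) >= 1
      error_message = "Validation failed: Provider default_tags not set."
    }
  }
}

locals {
  no-az    = 2 # hard-coding to 2AZ
  vpc-cidr = var.vpc-cidr

  # AZ for the subnet at each count index: subnets are placed round-robin
  # over the first `no-az` available zones (index 0 -> first AZ, 1 -> second,
  # 2 -> first again, ...). Computed once here so the subnet's
  # availability_zone and its Name tag always refer to the same AZ.
  private-subnet-az = [
    for i in range(length(var.private-subnet-cidrs)) :
    element(data.aws_availability_zones.available-az.names, i % local.no-az)
  ]
  public-subnet-az = [
    for i in range(length(var.public-subnet-cidrs)) :
    element(data.aws_availability_zones.available-az.names, i % local.no-az)
  ]
}

# Private subnets: no route to the IGW; egress only via the NAT gateway when
# var.create-nat-gateway is set. map_public_ip_on_launch is left at its
# default (false).
resource "aws_subnet" "private-subnets" {
  provider          = aws.NetworkDeployer
  count             = length(var.private-subnet-cidrs)
  vpc_id            = aws_vpc.vpc.id
  availability_zone = local.private-subnet-az[count.index]
  cidr_block        = var.private-subnet-cidrs[count.index]

  # Name = <prefix>-private-<AZ suffix, e.g. "1a">-<1-based ordinal>. The AZ
  # suffix is the last dash-separated segment of the AZ the subnet is actually
  # placed in.
  tags = merge(data.aws_default_tags.this.tags, {
    Name = "${var.resource-prefix}-private-${reverse(split("-", local.private-subnet-az[count.index]))[0]}-${count.index + 1}"
  })
}

# Public subnets: routed to the IGW via the public route table. Instances do
# not get a public IP automatically (map_public_ip_on_launch left at default
# false); they need an explicit public IP or EIP.
resource "aws_subnet" "public-subnets" {
  provider          = aws.NetworkDeployer
  count             = length(var.public-subnet-cidrs)
  vpc_id            = aws_vpc.vpc.id
  availability_zone = local.public-subnet-az[count.index]
  cidr_block        = var.public-subnet-cidrs[count.index]

  # Same naming scheme as the private subnets, using the AZ the subnet is
  # really created in.
  tags = merge(data.aws_default_tags.this.tags, {
    Name = "${var.resource-prefix}-public-${reverse(split("-", local.public-subnet-az[count.index]))[0]}-${count.index + 1}"
  })
}

# The VPC itself. DNS support/hostnames are required for interface endpoints
# and private DNS. NOTE(review): this file creates no aws_flow_log for the
# VPC; traffic logging has to be enabled elsewhere if required.
resource "aws_vpc" "vpc" {
  provider             = aws.NetworkDeployer
  cidr_block           = local.vpc-cidr
  enable_dns_hostnames = true
  enable_dns_support   = true

  tags = {
    Name = "${var.resource-prefix}-vpc"
  }

  # A CIDR change forces replacement; build the new VPC before tearing down
  # the old one.
  lifecycle {
    create_before_destroy = true
  }
}

# Extra IPv4 CIDR blocks attached to the VPC, one association per entry.
resource "aws_vpc_ipv4_cidr_block_association" "additional_cidr" {
  provider   = aws.NetworkDeployer
  for_each   = toset(var.secondary_cidr_blocks)
  vpc_id     = aws_vpc.vpc.id
  cidr_block = each.value
}

# Internet gateway only exists when there is at least one public subnet.
resource "aws_internet_gateway" "igw" {
  provider = aws.NetworkDeployer
  count    = length(var.public-subnet-cidrs) > 0 ? 1 : 0
  vpc_id   = aws_vpc.vpc.id

  tags = {
    Name = "${var.resource-prefix}-igw"
  }
}

# Elastic IP for the NAT gateway. `domain = "vpc"` replaces the deprecated
# `vpc = true` argument.
resource "aws_eip" "ngw-eip" {
  provider = aws.NetworkDeployer
  count    = var.create-nat-gateway ? 1 : 0
  domain   = "vpc"

  depends_on = [aws_internet_gateway.igw]
}

# Single NAT gateway in the first public subnet. This is a single-AZ egress
# path for all private subnets; losing that AZ takes private egress down.
# Requires at least one public subnet: with create-nat-gateway set and no
# public subnets, aws_subnet.public-subnets[0] does not exist and the plan
# fails (loudly, which is the intended behaviour here).
resource "aws_nat_gateway" "ngw" {
  provider      = aws.NetworkDeployer
  count         = var.create-nat-gateway ? 1 : 0
  allocation_id = aws_eip.ngw-eip[0].id
  subnet_id     = aws_subnet.public-subnets[0].id

  tags = {
    Name = "${var.resource-prefix}-ngw"
  }

  depends_on = [aws_internet_gateway.igw]
}

resource "aws_route_table" "public-route-table" {
  provider = aws.NetworkDeployer
  count    = length(var.public-subnet-cidrs) > 0 ? 1 : 0
  vpc_id   = aws_vpc.vpc.id

  tags = {
    Name = "${var.resource-prefix}-publicroutetable"
  }
}

resource "aws_route_table" "private-route-table" {
  provider = aws.NetworkDeployer
  count    = length(var.private-subnet-cidrs) > 0 ? 1 : 0
  vpc_id   = aws_vpc.vpc.id

  tags = {
    Name = "${var.resource-prefix}-privateroutetable"
  }
}

# Default route for public subnets -> internet gateway.
resource "aws_route" "public-routes" {
  provider               = aws.NetworkDeployer
  count                  = length(var.public-subnet-cidrs) > 0 ? 1 : 0
  destination_cidr_block = "0.0.0.0/0"
  gateway_id             = aws_internet_gateway.igw[0].id
  route_table_id         = aws_route_table.public-route-table[0].id
}

# Default route for private subnets -> NAT gateway. Only created when the NAT
# gateway is; without it private subnets have no route out of the VPC.
# (`&&` binds tighter than `? :`, so the whole conjunction is the condition.)
resource "aws_route" "private-routes" {
  provider               = aws.NetworkDeployer
  count                  = length(var.private-subnet-cidrs) > 0 && var.create-nat-gateway ? 1 : 0
  destination_cidr_block = "0.0.0.0/0"
  nat_gateway_id         = aws_nat_gateway.ngw[0].id
  route_table_id         = aws_route_table.private-route-table[0].id
}

resource "aws_route_table_association" "public_route_association" {
  provider       = aws.NetworkDeployer
  count          = length(aws_subnet.public-subnets)
  route_table_id = aws_route_table.public-route-table[0].id
  subnet_id      = aws_subnet.public-subnets[count.index].id
}

resource "aws_route_table_association" "private_route_association" {
  provider       = aws.NetworkDeployer
  count          = length(aws_subnet.private-subnets)
  route_table_id = aws_route_table.private-route-table[0].id
  subnet_id      = aws_subnet.private-subnets[count.index].id
}

/*
  harden default security group.
  the default sg created by aws allows all egress. this resource limits
  ingress and egress from and to itself (self-referencing rules only).
  NOTE(review): instances are still able to talk to each other if they are
  launched with this SG; the strictest baseline (e.g. CIS) is a default SG
  with no rules at all - drop both blocks if nothing is meant to use it.
*/
resource "aws_default_security_group" "default-sg" {
  provider = aws.NetworkDeployer
  vpc_id   = aws_vpc.vpc.id

  ingress {
    protocol    = -1
    self        = true
    from_port   = 0
    to_port     = 0
    description = "Allow traffic coming from this SG"
  }

  egress {
    from_port   = 0
    protocol    = -1
    to_port     = 0
    self        = true
    description = "Allow traffic going to this SG"
  }

  tags = {
    Name = "${var.resource-prefix}-defaultsg"
  }
}

# Enable gateway endpoints which are free (S3 and DynamoDB). Keeps that
# traffic on the AWS network instead of going out through the NAT/IGW.
module "vpc-ep" {
  providers = {
    aws = aws.NetworkDeployer
  }
  count  = var.create-free-vpc-endpoints ? 1 : 0
  source = "../vpc-endpoints"

  gateway-ep-services   = ["s3", "dynamodb"]
  interface-ep-services = []
  resource-prefix       = var.resource-prefix
  vpc-id                = aws_vpc.vpc.id
}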