# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
# SPDX-License-Identifier: MIT-0

module "vpc" {
  source     = "terraform-aws-modules/vpc/aws"
  version    = "~> 4.0"
  create_vpc = true

  name = "bastion-host-vpc"

  cidr            = var.vpc_cidr
  azs             = var.vpc_azs
  private_subnets = var.vpc_private_subnets

  enable_nat_gateway   = var.vpc_enable_nat_gateway
  enable_vpn_gateway   = var.vpc_enable_vpn_gateway
  enable_dns_support   = var.vpc_enable_dns_support
  enable_dns_hostnames = var.vpc_enable_dns_hostnames

  flow_log_file_format = "parquet"
  tags = {
    Name = "${var.tag_application}-${var.target_environment}-bastion-host"
  }
}

###################################################################
# SSM Messages VPC endpoint
###################################################################
resource "aws_security_group" "vpc_bastion_host_security_group" {
  #checkov:skip=CKV2_AWS_5:SG is used in VPC Endpoint and will be used by EC2 but not in this module
  name        = "vpc-bastion-host-security-group"
  description = "Security group for bastion host"
  vpc_id      = module.vpc.vpc_id
  egress {
    from_port        = 0
    to_port          = 0
    protocol         = "-1"
    cidr_blocks      = ["0.0.0.0/0"]
    ipv6_cidr_blocks = ["::/0"]
    description      = "Allow traffic on all ports and ip ranges"
  }
}


resource "aws_vpc_endpoint" "vpc_ssmmessages_vpce" {
  vpc_id              = module.vpc.vpc_id
  service_name        = "com.amazonaws.${var.aws_region}.ssmmessages"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = module.vpc.private_subnets
  private_dns_enabled = true
  security_group_ids  = [aws_security_group.vpc_ssmmessages_vpce_security_group.id]

  tags = {
    Name = "${var.tag_application}-${var.target_environment}-vpc-ssmmessages-vpce"
  }
}

resource "aws_security_group" "vpc_ssmmessages_vpce_security_group" {
  name        = "vpc-ssmmessages-security-group"
  description = "Security group for SSM Messages VPC endpoint"
  vpc_id      = module.vpc.vpc_id
}

resource "aws_security_group_rule" "vpc_ssmmessages_vpce_security_group_ingress_rule" {
  security_group_id        = aws_security_group.vpc_ssmmessages_vpce_security_group.id
  type                     = "ingress"
  protocol                 = "tcp"
  from_port                = 443
  to_port                  = 443
  source_security_group_id = aws_security_group.vpc_bastion_host_security_group.id
  description              = "vpc ssm messages vpce security group ingress rule"
}

###################################################################
# EC2 Messages VPC endpoint
###################################################################

resource "aws_vpc_endpoint" "vpc_ec2messages_vpce" {
  vpc_id              = module.vpc.vpc_id
  service_name        = "com.amazonaws.${var.aws_region}.ec2messages"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = module.vpc.private_subnets
  private_dns_enabled = true
  security_group_ids  = [aws_security_group.vpc_ec2messages_vpce_security_group.id]

  tags = {
    Name = "${var.tag_application}-${var.target_environment}-vpc-ec2messages-vpce"
  }
}

resource "aws_security_group" "vpc_ec2messages_vpce_security_group" {
  name        = "vpc-ec2messages-security-group"
  description = "Security group for EC2 Messages VPC endpoint"
  vpc_id      = module.vpc.vpc_id
}

resource "aws_security_group_rule" "vpc_ec2messages_vpce_security_group_ingress_rule" {
  security_group_id        = aws_security_group.vpc_ec2messages_vpce_security_group.id
  type                     = "ingress"
  protocol                 = "tcp"
  from_port                = 443
  to_port                  = 443
  source_security_group_id = aws_security_group.vpc_bastion_host_security_group.id
  description              = "vpc ec2 messages vpce security group ingress rule"
}

###################################################################
# SSM VPC endpoint
###################################################################
#
resource "aws_vpc_endpoint" "vpc_ssm_vpce" {
  vpc_id              = module.vpc.vpc_id
  service_name        = "com.amazonaws.${var.aws_region}.ssm"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = module.vpc.private_subnets
  private_dns_enabled = true
  security_group_ids  = [aws_security_group.vpc_ssm_vpce_security_group.id]

  tags = {
    Name = "${var.tag_application}-${var.target_environment}-vpc-ssm-vpce"
  }
}

resource "aws_security_group" "vpc_ssm_vpce_security_group" {
  name        = "vpc-ssm-security-group"
  description = "Security group for SSM VPC endpoint"
  vpc_id      = module.vpc.vpc_id
}

resource "aws_security_group_rule" "vpc_ssm_vpce_security_group_bastion_host_ingress_rule" {
  security_group_id        = aws_security_group.vpc_ssm_vpce_security_group.id
  type                     = "ingress"
  protocol                 = "tcp"
  from_port                = 443
  to_port                  = 443
  source_security_group_id = aws_security_group.vpc_bastion_host_security_group.id
  description              = "vpc ssm vpce security group ingress rule for bastion host"
}