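#********************************************************************************************
# Variables
#********************************************************************************************

# Region every resource below is created in; also drives the AZ names in local.availability_zones.
variable "aws_region" {
  type    = string
  default = "eu-north-1"
}

# Environment label stamped into the Name/Environment tags of every resource.
variable "environment" {
  type    = string
  default = "Production"
}

# Address plan
variable "vpc_cidr" {
  type        = string
  default     = "10.0.0.0/16"
  description = "CIDR block of the VPC"
}

# Public network: one CIDR per availability zone, index-aligned with local.availability_zones.
variable "public_subnets_cidr" {
  type        = list(string)
  default     = ["10.0.0.0/20", "10.0.32.0/20", "10.0.64.0/20"]
  description = "CIDR blocks for the public subnets"
}

# Private network: one CIDR per availability zone, index-aligned with local.availability_zones.
variable "private_subnets_cidr" {
  type        = list(string)
  default     = ["10.0.16.0/20", "10.0.48.0/20", "10.0.80.0/20"]
  description = "CIDR blocks for the private subnets"
}

#********************************************************************************************
# Data
#********************************************************************************************

locals {
  # Three AZs derived from the region. element() wraps around, so a fourth subnet CIDR
  # would land in the first AZ again.
  availability_zones = ["${var.aws_region}a", "${var.aws_region}b", "${var.aws_region}c"]
}

#********************************************************************************************
# Resources
#********************************************************************************************

# VPC
resource "aws_vpc" "default" {
  # Taken from the variable instead of a duplicated literal so the address plan has one source of truth.
  cidr_block           = var.vpc_cidr
  enable_dns_hostnames = true
  enable_dns_support   = true
  instance_tenancy     = "default"

  tags = {
    Name        = "${var.environment}-vpc"
    Environment = var.environment
  }
}

# Public subnets
resource "aws_subnet" "public_subnet" {
  count = length(var.public_subnets_cidr)

  vpc_id            = aws_vpc.default.id
  cidr_block        = element(var.public_subnets_cidr, count.index)
  availability_zone = element(local.availability_zones, count.index)
  # Instances launched here receive a public IPv4 address by default.
  map_public_ip_on_launch = true

  tags = {
    Name        = "${var.environment}-${element(local.availability_zones, count.index)}-public-subnet"
    Environment = var.environment
  }
}

# Private subnets
resource "aws_subnet" "private_subnet" {
  count = length(var.private_subnets_cidr)

  vpc_id                  = aws_vpc.default.id
  cidr_block              = element(var.private_subnets_cidr, count.index)
  availability_zone       = element(local.availability_zones, count.index)
  map_public_ip_on_launch = false

  tags = {
    Name        = "${var.environment}-${element(local.availability_zones, count.index)}-private-subnet"
    Environment = var.environment
  }
}

# Internet Gateway
resource "aws_internet_gateway" "default-internet-gw" {
  vpc_id = aws_vpc.default.id

  tags = {
    Name        = "${var.environment}-default-internet-gw"
    Environment = var.environment
  }
}

# Elastic IP (EIP) for the NAT gateway
resource "aws_eip" "nat_eip" {
  domain = "vpc"
  # The EIP can only be attached once the VPC has an Internet gateway.
  depends_on = [aws_internet_gateway.default-internet-gw]
}

# NAT Gateway
# NOTE(review): a single NAT gateway in the first public subnet serves every private subnet
# through aws_route_table.private; losing that AZ removes outbound access for all of them.
resource "aws_nat_gateway" "nat-gw" {
  allocation_id = aws_eip.nat_eip.id
  subnet_id     = aws_subnet.public_subnet[0].id

  tags = {
    Name        = "nat-gateway-${var.environment}"
    Environment = var.environment
  }
}

# Route table for the public subnets
resource "aws_route_table" "public" {
  vpc_id = aws_vpc.default.id

  tags = {
    Name        = "${var.environment}-public-route-table"
    Environment = var.environment
  }
}

# Route table for the private subnets
resource "aws_route_table" "private" {
  vpc_id = aws_vpc.default.id

  tags = {
    Name        = "${var.environment}-private-route-table"
    Environment = var.environment
  }
}

# Default route via the Internet gateway
resource "aws_route" "public_internet_gateway" {
  route_table_id         = aws_route_table.public.id
  destination_cidr_block = "0.0.0.0/0"
  gateway_id             = aws_internet_gateway.default-internet-gw.id
}

# Default route via the NAT gateway
resource "aws_route" "private_internet_gateway" {
  route_table_id         = aws_route_table.private.id
  destination_cidr_block = "0.0.0.0/0"
  # A NAT gateway is referenced through nat_gateway_id; gateway_id is for Internet/virtual private gateways.
  nat_gateway_id = aws_nat_gateway.nat-gw.id
}

# Route table associations for the public subnets
resource "aws_route_table_association" "public" {
  count = length(var.public_subnets_cidr)

  subnet_id      = aws_subnet.public_subnet[count.index].id
  route_table_id = aws_route_table.public.id
}

# Route table associations for the private subnets
resource "aws_route_table_association" "private" {
  count = length(var.private_subnets_cidr)

  subnet_id      = aws_subnet.private_subnet[count.index].id
  route_table_id = aws_route_table.private.id
}

#********************************************************************************************
# Security resources
#********************************************************************************************

# VPC flow logs: accepted and rejected traffic for the whole VPC, delivered to CloudWatch Logs.
resource "aws_flow_log" "vpc_flow_logs" {
  vpc_id               = aws_vpc.default.id
  iam_role_arn         = aws_iam_role.flow_logs_role.arn
  log_destination      = aws_cloudwatch_log_group.vpc_log_group.arn
  log_destination_type = "cloud-watch-logs"
  traffic_type         = "ALL"
}

# Destination log group for the flow logs.
resource "aws_cloudwatch_log_group" "vpc_log_group" {
  # name = var.log_group_name   (left from the original; that variable is not declared in this file)
  name = "vpc_flow_logs"
  # NOTE(review): no retention_in_days is set, so events are kept indefinitely; choose a retention
  # that matches the log-retention requirement for this environment.

  tags = {
    Environment = var.environment
  }
}

# Role assumed by the VPC Flow Logs service to write into the log group.
# NOTE(review): AWS recommends aws:SourceAccount / aws:SourceArn conditions on this trust policy to
# guard against confused-deputy use of the role; that needs the account id (e.g. aws_caller_identity),
# which this file does not declare.
resource "aws_iam_role" "flow_logs_role" {
  name = "flow-logs-role"

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect    = "Allow"
        Action    = "sts:AssumeRole"
        Principal = { Service = "vpc-flow-logs.amazonaws.com" }
      },
    ]
  })
}

# Permissions for the flow-logs role, scoped to the log group created above rather than to "*".
resource "aws_iam_role_policy" "create_log_group_policy" {
  name = "allow-log-group-policy"
  role = aws_iam_role.flow_logs_role.name

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        # Write access only to this VPC's log group and its streams (":*" covers the streams).
        Sid    = "VPCFlowLogsAccess"
        Effect = "Allow"
        Action = [
          "logs:CreateLogGroup",
          "logs:CreateLogStream",
          "logs:DescribeLogStreams",
          "logs:PutLogEvents",
        ]
        Resource = [
          aws_cloudwatch_log_group.vpc_log_group.arn,
          "${aws_cloudwatch_log_group.vpc_log_group.arn}:*",
        ]
      },
      {
        # DescribeLogGroups is a list call over the account and is kept unscoped.
        Sid      = "VPCFlowLogsDescribe"
        Effect   = "Allow"
        Action   = ["logs:DescribeLogGroups"]
        Resource = ["*"]
      },
    ]
  })
}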