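# AZs of the current region. The data source was unfiltered despite being
# named "available"; state = "available" keeps impaired or not-yet-usable
# zones out of the subnet/AZ mapping below.
data "aws_availability_zones" "available" {
  state = "available"
}

locals {
  # Two equal sub-ranges of var.vpc-cidr (each 4 bits narrower than the VPC):
  # [0] is carved into private subnets, [1] into public subnets. The rest of
  # the VPC CIDR stays unallocated.
  subnet_start = cidrsubnets(var.vpc-cidr, 4, 4)
}

# Local module; only module.random.number is consumed here (VPC name suffix).
module "random" {
  source = "./m.random"
}

module "vpc" {
  source = "terraform-aws-modules/vpc/aws"
  # Exact pin (no "~>"): a new upstream release cannot change the VPC layout
  # or security posture without an explicit, reviewed bump.
  version = "2.47.0"

  name = "demo-vpc-${module.random.number}"
  cidr = var.vpc-cidr
  azs  = data.aws_availability_zones.available.names

  # Two subnets of each kind, mapped onto the first two AZs in the list.
  private_subnets = cidrsubnets(local.subnet_start[0], 4, 4)
  public_subnets  = cidrsubnets(local.subnet_start[1], 4, 4)

  # No NAT: private subnets get no path to the internet or to regional AWS
  # APIs unless an interface endpoint is enabled. single_nat_gateway is
  # inert while enable_nat_gateway is false.
  enable_nat_gateway = false
  single_nat_gateway = true

  # Needed for private DNS names of interface endpoints to resolve in the VPC.
  enable_dns_hostnames = true

  # SSM interface endpoint, disabled because it is slow to create. Notes for
  # re-enabling it:
  #  - ssm_endpoint_subnet_ids was set to module.vpc.public_subnets, which
  #    references this module's own output from inside its arguments (cycle).
  #    Leave it unset and let the module pick its default subnets (its
  #    private subnets in the 2.x series — verify for this version), which is
  #    where instances without internet egress actually need it.
  #  - Session Manager without internet access also needs the ssmmessages and
  #    ec2messages endpoints, not just ssm.
  # enable_ssm_endpoint              = true
  # ssm_endpoint_private_dns_enabled = true
  # ssm_endpoint_security_group_ids  = [aws_security_group.endpoint-sg.id]

  tags = local.default-tags
}

# Security group for VPC interface endpoints (the only reference to it in
# view is the ssm endpoint above). Interface endpoints serve HTTPS only, so
# ingress is restricted to TCP/443 from inside the VPC instead of every
# port and protocol. Endpoint ENIs do not initiate connections, so the open
# egress rule is effectively unused; if this SG is ever attached to anything
# else, scope the egress as well.
resource "aws_security_group" "endpoint-sg" {
  name   = "endpoint-sg"
  vpc_id = module.vpc.vpc_id

  ingress {
    description = "Allow HTTPS from within VPC"
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = [module.vpc.vpc_cidr_block]
  }

  egress {
    description = "Allow all outbound"
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  tags = local.default-tags
}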