module "BastionRole" {
  source                  = "../modules/security_identity_compliance/iam-role-v2"
  description             = "EKS bastion instance profile"
  role-name               = "BastionInstanceProfile"
  trusted-entity          = "ec2.amazonaws.com"
  create-instance-profile = true
  policies = {
    EksAdmin = {
      description = "Eks read permissions required for kubectl"
      policy = jsonencode(
        {
          "Statement" : [
            {
              "Sid" : "EksRead",
              "Action" : [
                "eks:Describe*",
                "eks:List*"
              ],
              "Effect" : "Allow",
              "Resource" : "*"
            }
          ],
          "Version" : "2012-10-17"
        }
      )
    }
  }
}

resource "aws_iam_role_policy_attachment" "BastionProfilePermissions" {
  role       = module.BastionRole.name
  policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
}

module "eks-bastion" {
  depends_on = [module.eks] # essential for initializing kubectl in userdata
  source     = "../modules/compute/ec2"

  additional-tags  = {}
  ami-id           = data.aws_ami.this.id
  asso-eip         = false
  asso-public-ip   = true
  use-ipv6         = true
  data-volumes     = {}
  ebs-encrypted    = true
  instance-name    = "${var.environment}-eks-bastion-${random_pet.pet.id}"
  instance-type    = "t4g.micro"
  key-name         = aws_key_pair.kp.key_name
  kms-key-id       = module.KmsKeys.cmks.storage.arn
  root-volume-size = "8"
  # security-groups  = [module.bastion-sg.id, module.eks.cluster_primary_security_group_id]
  security-groups  = [module.bastion-sg.id]
  subnet-id        = module.vpc.public_subnets[0]
  instance-profile = module.BastionRole.profile-name[0]
  spot-max-price   = 0.0116 # t4g.micro
  user-data        = <<EOF
#!/bin/bash
# eks bastion setup
## Install git
dnf -y install git

## Install kubectl
curl -LO https://storage.googleapis.com/kubernetes-release/release/`curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt`/bin/linux/arm64/kubectl
chmod +x kubectl
mv kubectl /usr/local/bin/

## Install helm
cd /tmp
wget -O/tmp/helm.tgz https://get.helm.sh/helm-v4.1.1-linux-arm64.tar.gz
tar zxf /tmp/helm.tgz
mv /tmp/linux-arm64/helm /usr/local/bin/helm
chmod +x /usr/local/bin/helm

## Install eksctl
cd /tmp
ARCH=arm64
PLATFORM=$(uname -s)_$ARCH
curl -sLO "https://github.com/eksctl-io/eksctl/releases/latest/download/eksctl_$PLATFORM.tar.gz"
tar zxf eksctl_Linux_arm64.tar.gz
mv eksctl /usr/local/bin
chmod +x /usr/local/bin/eksctl

## Create kube config
echo Create kube config...
/usr/bin/aws eks update-kubeconfig --name ${var.eks_cluster_name}-${random_pet.pet.id}
# echo Sleep for 5 minutes and wait for fargate profile to come up
# /usr/bin/sleep 300
#
# ## Grant EKS console access to IAM role: must be executed with cluster creator's identity. cluster role as instance profile won't do it
# echo Patching configmap/aws-auth...
# ROLE="    - rolearn: arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/rackLE\n      username: build\n      groups:\n        - system:masters"
# /usr/local/bin/kubectl --kubeconfig=/root/.kube/config get -n kube-system configmap/aws-auth -o yaml | awk "/mapRoles: \|/{print;print \"$ROLE\";next}1" > /tmp/aws-auth-patch.yml
# /usr/local/bin/kubectl --kubeconfig=/root/.kube/config patch configmap/aws-auth -n kube-system --patch "$(cat /tmp/aws-auth-patch.yml)"
# /usr/local/bin/kubectl --kubeconfig=/root/.kube/config get -n kube-system configmap/aws-auth -o yaml
EOF
}

data "aws_ami" "this" {
  most_recent = true
  name_regex  = "^al2023-ami-2023.*-kernel-6.1-arm64"
  owners      = ["amazon"]

  filter {
    name   = "virtualization-type"
    values = ["hvm"]
  }

  filter {
    name   = "architecture"
    values = ["arm64"]
  }
}

resource "tls_private_key" "sshkey" {
  algorithm = "ED25519"
}

resource "aws_key_pair" "kp" {
  key_name   = "${var.environment}-eks-bastion-${random_pet.pet.id}-key"
  public_key = tls_private_key.sshkey.public_key_openssh
}

module "bastion-sg" {
  source = "../modules/compute/security_group"

  description = "${var.environment}-eks-bastion-${random_pet.pet.id}-sg"
  egress = {
    r1 = "-1,-1,-1,0.0.0.0/0,Allow egress ipv4"
    r2 = "-1,-1,-1,::/0,Allow egress ipv6"
  }
  ingress = {
    r1 = "tcp,22,22,0.0.0.0/0,ssh"
  }
  name   = "eks-bastion-${random_pet.pet.id}-sg"
  vpc-id = module.vpc.vpc_id
}