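# VPN host stack: one Elastic IP, the security group for the VPN host, an
# optional internal ELB that forwards tcp/22 to the host, and the ASG that
# runs it. Terraform 0.11-era syntax ("${...}" interpolation, `tags { }`).

# CIDR ranges allowed to reach SSH (tcp/22) on the VPN host. The default keeps
# the pre-existing behaviour (open to the world); because the ASG below gives
# the host a public IP, callers should narrow this to their admin/VPC ranges.
variable "ssh_cidr_blocks" {
  type        = "list"
  description = "CIDR blocks allowed to reach tcp/22 on the VPN host."
  default     = ["0.0.0.0/0"]
}

resource "aws_eip" "vpn" {
  count = 1
  vpc   = true
}

resource "aws_security_group" "vpn" {
  vpc_id      = "${var.vpc_id}"
  name        = "${var.name}-vpn"
  description = "Allow VPN traffic."
}

# Unrestricted egress from the VPN host (all protocols, all destinations).
resource "aws_security_group_rule" "vpn-out-all" {
  security_group_id = "${aws_security_group.vpn.id}"
  type              = "egress"
  from_port         = 0
  to_port           = 0
  protocol          = "all"
  cidr_blocks       = ["0.0.0.0/0"]
}

# User-facing VPN endpoint (tcp/1195). World-reachable: VPN clients connect
# from arbitrary networks, and this is also the port the ELB health check probes.
resource "aws_security_group_rule" "vpn-in-user" {
  security_group_id = "${aws_security_group.vpn.id}"
  type              = "ingress"
  from_port         = 1195
  to_port           = 1195
  protocol          = "tcp"
  cidr_blocks       = ["0.0.0.0/0"]
}

# Bridge VPN endpoint (udp/1194), also world-reachable.
resource "aws_security_group_rule" "vpn-in-bridge" {
  security_group_id = "${aws_security_group.vpn.id}"
  type              = "ingress"
  from_port         = 1194
  to_port           = 1194
  protocol          = "udp"
  cidr_blocks       = ["0.0.0.0/0"]
}

# SSH into the VPN host. Previously hard-coded to 0.0.0.0/0; now driven by
# var.ssh_cidr_blocks so operators can restrict it without editing the module.
# Whatever range is chosen must still include the internal ELB's subnets when
# var.vpcaccess_elb is enabled, since the ELB forwards tcp/22 to this host.
resource "aws_security_group_rule" "vpn-in-bastion" {
  security_group_id = "${aws_security_group.vpn.id}"
  type              = "ingress"
  from_port         = 22
  to_port           = 22
  protocol          = "tcp"
  cidr_blocks       = ["${var.ssh_cidr_blocks}"]
}

# Optional internal ELB, created only when var.vpcaccess_elb is truthy, that
# forwards tcp/22 to the VPN host. The health check deliberately probes
# tcp/1195 (the VPN user port) rather than the forwarded SSH port.
resource "aws_elb" "default" {
  count    = "${var.vpcaccess_elb}"
  name     = "${var.name}-int-elb"
  subnets  = ["${var.subnet_ids}"]
  internal = true

  listener {
    lb_port           = 22
    lb_protocol       = "tcp"
    instance_port     = 22
    instance_protocol = "tcp"
  }

  health_check {
    healthy_threshold   = 3
    unhealthy_threshold = 2
    interval            = 30
    timeout             = 5
    target              = "TCP:1195"
  }

  idle_timeout = 600

  tags {
    module = "${var.name}"
    phase  = "${var.environment}"
  }
}

# Auto-scaling stack that runs the VPN host. The instance receives a public IP
# and is placed in the caller's security groups plus the VPN group above.
module "asg-stack" {
  source = "../modules/tf_aws_asg_stack"

  vpc_id            = "${var.vpc_id}"
  acct_name         = "${var.acct_name}"
  notification_arns = ["${var.notification_arns}"]
  module            = "${var.name}"
  phase             = "${var.environment}"
  instance_type     = "${var.instance_type}"
  key_name          = "${var.key_name}"
  public_ips        = true
  subnet_ids        = ["${var.subnet_ids}"]
  iam_policy_arns   = ["${var.role_policy_arns}"]

  security_group_ids = ["${concat(var.security_group_ids, list(aws_security_group.vpn.id))}"]

  max_size = 1
  min_size = 0

  # Least-privilege grant for the host to attach the EIP to itself and adjust
  # its own interface (e.g. source/dest checks) at boot.
  iam_allow_actions = [
    "ec2:AssociateAddress",
    "ec2:ModifyInstanceAttribute",
    "ec2:ModifyNetworkInterfaceAttribute",
  ]

  # Splat form yields an empty list when the ELB is not created (count = 0).
  # The previous `var.vpcaccess_elb ? aws_elb.default.id : ""` form evaluated
  # both branches under Terraform 0.11, so disabling the ELB made
  # aws_elb.default.id unresolvable, and the fallback passed "" as an ELB name.
  elbs = ["${aws_elb.default.*.id}"]
}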