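# Existing network and IAM objects, looked up by tag or name rather than
# managed here. Each lookup must match exactly one object or the plan fails.
data "aws_vpc" "main" {
  tags = {
    Name = "Main"
  }
}

data "aws_subnet" "public" {
  tags = {
    SubnetOf   = "Main"
    SubnetType = "Public"
  }
}

# An instance profile for access via AWS SSM.
# NOTE(review): the permissions attached to this profile are not visible in
# this file. Confirm they are limited to what SSM needs, because the role's
# credentials are reachable from the internet-facing proxy instance.
data "aws_iam_instance_profile" "ssm" {
  name = "SSMInstanceProfile"
}

data "aws_security_group" "public" {
  tags = {
    GroupOf   = "Main"
    GroupType = "Public"
  }
}

data "aws_route_table" "public" {
  tags = {
    TableOf   = "Main"
    TableType = "Public"
  }
}

# Give the private subnet full access to the internet, too.
# NOTE(review): no `version` constraint is set, so `terraform init` resolves
# whatever release the registry currently serves. Pin the module to a reviewed
# release so a new or tampered publish cannot change the NAT instance silently.
# NOTE(review): the route table passed below is the one tagged
# TableType = "Public", while the comment above refers to the private subnet.
# With update_route_table = true the module manages a route in that table.
# Confirm this is the table the private subnet is associated with.
module "fck-nat" {
  source = "RaJiska/fck-nat/aws"

  name          = "NatInstance"
  vpc_id        = data.aws_vpc.main.id
  subnet_id     = data.aws_subnet.public.id
  instance_type = "t4g.nano"

  update_route_table = true
  route_table_id     = data.aws_route_table.public.id

  tags = {
    Name = "Codebase: Nat"
  }
}

# An Elastic IP associated with the reverse proxy, so the public address stays
# the same when the proxy instance is modified or replaced.
resource "aws_eip" "public" {
  instance = aws_instance.proxy.id
  domain   = "vpc"
}

# The reverse proxy.
resource "aws_instance" "proxy" {
  # NOTE(review): hard-coded AMI ID. It is region-specific and never picks up
  # patched images. Confirm its owner and provenance, and consider resolving
  # it through a data source filtered on a trusted owner.
  ami           = "ami-0adec96dc0cdc7bca"
  instance_type = "t4g.nano"

  subnet_id              = data.aws_subnet.public.id
  vpc_security_group_ids = [data.aws_security_group.public.id]

  # user_data can be read back from the instance metadata service and the EC2
  # API, so install.sh must not contain secrets.
  user_data                   = file("install.sh")
  user_data_replace_on_change = true

  iam_instance_profile = data.aws_iam_instance_profile.ssm.name

  # Require session tokens (IMDSv2) for the metadata service. The instance is
  # internet-facing and carries an instance profile, so a request-forwarding
  # flaw in the proxy must not be able to read role credentials with a plain
  # GET. If install.sh queries instance metadata, it has to use the
  # token-based flow.
  metadata_options {
    http_tokens = "required"
  }

  root_block_device {
    volume_type = "gp3"
    volume_size = 8
    # Encrypt the root volume at rest. Changing this setting on an existing
    # instance forces replacement.
    encrypted = true
  }

  tags = {
    Name = "Codebase: Reverse Proxy"
  }
}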