# Read-only lookup of an SSH public key that already exists in the
# DigitalOcean account, selected by its name. Its id is injected into the
# droplet below so that key-based SSH login works on first boot.
data "digitalocean_ssh_key" "test" {
  name = "nptest.pub"
}

# The droplet itself. Name, region, size and image come from input variables;
# first-boot configuration comes from cloud-init.yaml next to this module.
resource "digitalocean_droplet" "test" {
  name     = var.droplet_name
  region   = var.region
  size     = var.size
  image    = var.image
  ssh_keys = [data.digitalocean_ssh_key.test.id]
  # NOTE(review): cloud-init.yaml is not visible here. User data is generally
  # readable from inside the instance via the metadata service, so confirm
  # the file carries no secrets.
  user_data = file("${path.module}/cloud-init.yaml")

  # SSH connection used by the provisioner below: logs in as root on port 22
  # at the droplet's public IPv4 address, authenticating with the private key
  # read from var.ssh_private_key_path on the machine running Terraform.
  # NOTE(review): no host_key is set, so this provisioning session does not
  # pin the droplet's SSH host key.
  # NOTE(review): this depends on root login over SSH staying enabled;
  # confirm cloud-init.yaml does not disable it or move the SSH port.
  connection {
    type        = "ssh"
    host        = self.ipv4_address
    user        = "root"
    private_key = file(var.ssh_private_key_path)
    port        = 22
  }

  # Wait for cloud-init to finish before considering the droplet ready.
  # remote-exec fails the apply if the command exits non-zero.
  provisioner "remote-exec" {
    inline = ["cloud-init status --wait"]
  }
}

# --- Reserved IP (created outside Terraform, passed in as variable) ---
# Only the assignment is managed here: var.reserved_ip is attached to the
# droplet, giving it a stable public address.
resource "digitalocean_reserved_ip_assignment" "test" {
  ip_address = var.reserved_ip
  droplet_id = digitalocean_droplet.test.id
}

# --- Firewall ---
# Cloud firewall attached to the droplet above.
# NOTE(review): the inbound rules below admit every TCP and UDP port
# (1-65535) and ICMP from any IPv4 or IPv6 source, so this firewall filters
# nothing for those protocols. Anything listening on the droplet, including
# the root SSH login on port 22 used by the connection block, is reachable
# from the internet on both the droplet address and the reserved IP. If this
# is intentional for a test host, state the reason here; otherwise narrow
# port_range and source_addresses to the services and networks that need
# access.
resource "digitalocean_firewall" "test" {
  name        = "${var.droplet_name}-fw"
  droplet_ids = [digitalocean_droplet.test.id]

  # Allow all inbound
  inbound_rule {
    protocol         = "tcp"
    port_range       = "1-65535"
    source_addresses = ["0.0.0.0/0", "::/0"]
  }

  inbound_rule {
    protocol         = "udp"
    port_range       = "1-65535"
    source_addresses = ["0.0.0.0/0", "::/0"]
  }

  inbound_rule {
    protocol         = "icmp"
    source_addresses = ["0.0.0.0/0", "::/0"]
  }

  # Allow all outbound
  # Egress is unrestricted for TCP, UDP and ICMP to any IPv4/IPv6 destination.
  outbound_rule {
    protocol              = "tcp"
    port_range            = "1-65535"
    destination_addresses = ["0.0.0.0/0", "::/0"]
  }

  outbound_rule {
    protocol              = "udp"
    port_range            = "1-65535"
    destination_addresses = ["0.0.0.0/0", "::/0"]
  }

  outbound_rule {
    protocol              = "icmp"
    destination_addresses = ["0.0.0.0/0", "::/0"]
  }
}