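# Proxmox VM module: clones a template into a new VM, applies Linux-only
# hardware and cloud-init settings, and manages the VM's firewall options/rules.

terraform {
  required_providers {
    proxmox = {
      source = "bpg/proxmox"
      # NOTE(review): no version constraint is visible here. Pin one (and commit
      # the dependency lock file) so provider upgrades are a deliberate change.
    }
  }
}

resource "proxmox_virtual_environment_vm" "vm" {
  name      = var.name
  node_name = var.node_name
  vm_id     = var.vmid

  # Windows VMs get the q35 machine type and OVMF (UEFI) firmware; for any other
  # os_type both are left null so the provider/template value applies.
  machine = var.os_type == "windows" ? "q35" : null
  bios    = var.os_type == "windows" ? "ovmf" : null

  clone {
    vm_id = var.clone_vmid
  }

  # Hardware configuration — Linux only.
  # Windows clones inherit CPU, memory, and disk from the template unchanged.
  # These dynamic blocks use for_each as a conditional: [1] = include, [] = skip.
  dynamic "cpu" {
    for_each = var.os_type == "linux" ? [1] : []
    content {
      cores = var.cores
    }
  }

  dynamic "memory" {
    for_each = var.os_type == "linux" ? [1] : []
    content {
      dedicated = var.memory
      floating  = var.memory_floating
    }
  }

  dynamic "disk" {
    for_each = var.os_type == "linux" ? [1] : []
    content {
      datastore_id = var.datastore_id
      interface    = "scsi0"
      iothread     = true
      discard      = "on"
      size         = var.disk_size
    }
  }

  network_device {
    bridge = var.network_bridge

    # Proxmox only filters traffic on a NIC whose own firewall flag is set; this
    # is required in addition to the VM-level "enabled" option managed below.
    # The provider defaults the flag to false, which would leave the firewall
    # policies and security group without effect on this interface.
    # NOTE(review): the datacenter-level firewall must be enabled as well for
    # VM rules to apply — confirm that is managed elsewhere.
    firewall = var.firewall_enabled
  }

  # Windows template (10000) includes EFI disk + TPM that clones inherit.
  # disk, cpu and memory are ignored too, so later edits to var.cores,
  # var.memory or var.disk_size do not modify a VM that already exists.
  lifecycle {
    ignore_changes = [efi_disk, tpm_state, disk, cpu, memory]
  }

  # Cloud-init settings — Linux only (same for_each conditional as above).
  dynamic "initialization" {
    for_each = var.os_type == "linux" ? [1] : []
    content {
      datastore_id = var.datastore_id

      ip_config {
        ipv4 {
          # The prefix length is fixed at /24 regardless of the bridge's subnet.
          address = "${var.bridge_ip}/24"
          gateway = var.gateway
        }
      }

      user_account {
        username = var.username
        # NOTE(review): confirm var.password is declared with sensitive = true.
        # Even then the value is stored in Terraform state, so the state
        # backend needs encryption and restricted access.
        password = var.password
        # Reads the key file at plan time and strips surrounding whitespace.
        # NOTE(review): presumably a public key — verify ssh_key_path never
        # points at a private key, since the content is sent to the VM config.
        keys = [trimspace(file(var.ssh_key_path))]
      }
    }
  }
}

# Firewall configuration - always manage options to explicitly enable/disable.
# When the firewall is disabled both policies are forced to "ACCEPT" instead of
# using the configured policy variables.
resource "proxmox_virtual_environment_firewall_options" "vm" {
  node_name = var.node_name
  vm_id     = proxmox_virtual_environment_vm.vm.vm_id

  enabled       = var.firewall_enabled
  input_policy  = var.firewall_enabled ? var.firewall_input_policy : "ACCEPT"
  output_policy = var.firewall_enabled ? var.firewall_output_policy : "ACCEPT"
}

# Rules are created only when the firewall is enabled (count is 1 or 0). The
# single rule attaches the named security group to this VM.
resource "proxmox_virtual_environment_firewall_rules" "vm" {
  count = var.firewall_enabled ? 1 : 0

  node_name = var.node_name
  vm_id     = proxmox_virtual_environment_vm.vm.vm_id

  rule {
    security_group = var.firewall_security_group
  }

  # Apply the options (enable flag and default policies) before the rules.
  depends_on = [proxmox_virtual_environment_firewall_options.vm]
}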