terraform {
  required_providers {
    proxmox = {
      source = "bpg/proxmox"
    }
  }
}

# Guest VM cloned from a template. Sizing, storage, networking and cloud-init
# settings are all supplied through module variables.
resource "proxmox_virtual_environment_vm" "vm" {
  name      = var.name
  node_name = var.node_name
  vm_id     = var.vmid

  clone {
    vm_id = var.clone_vmid
  }

  cpu {
    cores = var.cores
  }

  memory {
    dedicated = var.memory
    floating  = var.memory_floating
  }

  disk {
    datastore_id = var.datastore_id
    interface    = "scsi0"
    size         = var.disk_size
    iothread     = true
    discard      = "on"
  }

  network_device {
    bridge = var.network_bridge
  }

  # Cloud-init: a static IPv4 address (a /24 prefix is appended to
  # var.bridge_ip) plus the login user. The public key is read from disk with
  # surrounding whitespace stripped.
  initialization {
    datastore_id = var.datastore_id

    ip_config {
      ipv4 {
        address = format("%s/24", var.bridge_ip)
        gateway = var.gateway
      }
    }

    user_account {
      username = var.username
      # NOTE(review): this value is persisted in Terraform state; confirm the
      # variable is declared sensitive in the module's variables.
      password = var.password
      keys     = [trimspace(file(var.ssh_key_path))]
    }
  }
}

# Firewall configuration - always manage options to explicitly enable/disable.
# This resource exists regardless of var.firewall_enabled so that the enabled
# flag and the default policies stay under Terraform control; when the firewall
# is off, both default policies are set to ACCEPT.
resource "proxmox_virtual_environment_firewall_options" "vm" {
  node_name = var.node_name
  vm_id     = proxmox_virtual_environment_vm.vm.vm_id

  enabled       = var.firewall_enabled
  input_policy  = var.firewall_enabled ? var.firewall_input_policy : "ACCEPT"
  output_policy = var.firewall_enabled ? var.firewall_output_policy : "ACCEPT"
}

# Rule set that attaches a security group to the VM. Only present while the
# firewall is enabled, and ordered after the options resource via depends_on.
resource "proxmox_virtual_environment_firewall_rules" "vm" {
  count = var.firewall_enabled ? 1 : 0

  node_name = var.node_name
  vm_id     = proxmox_virtual_environment_vm.vm.vm_id

  rule {
    security_group = var.firewall_security_group
  }

  depends_on = [proxmox_virtual_environment_firewall_options.vm]
}