# Internal Certificate Authority VM

# Port in the main private network
resource "openstack_networking_port_v2" "internal_ca_port" {
  name               = "${local.internal_ca_data.name}-port"
  admin_state_up     = true
  network_id         = local.main_private_network_id
  security_group_ids = [openstack_networking_secgroup_v2.default.id]
  fixed_ip {
    subnet_id  = local.main_private_subnet_id
    ip_address = local.basic_services_ip.ca
  }
}

resource "openstack_compute_instance_v2" "internal_ca" {
  name                    = local.internal_ca_data.name
  availability_zone_hints = local.availability_zones_names.availability_zone_no_gpu
  flavor_name             = local.internal_ca_data.flavor
  key_pair                = module.ssh_settings.ssh_key_name

  block_device {
    uuid                  = local.ubuntu_2404.uuid
    source_type           = "image"
    volume_size           = 10
    boot_index            = 0
    destination_type      = "volume"
    delete_on_termination = false
  }

  network {
    port = openstack_networking_port_v2.internal_ca_port.id
  }

  user_data = file("${local.ubuntu2404_data_file}")
  # Do not replace the instance when the ssh key changes
  lifecycle {
    ignore_changes = [
      key_pair, user_data, network
    ]
  }
}