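# Security Module for Azure
#
# Configures Microsoft Defender for Cloud (formerly Azure Security Center) for
# the subscription that hosts an AKS cluster:
#   - Defender plans (subscription pricing tiers) per resource type
#   - auto-provisioning and the security contact used for alert e-mails
#   - a dedicated Log Analytics workspace wired to Defender for Cloud
#   - a custom assessment policy plus an assessment record for the AKS cluster
#
# NOTE: despite earlier wording, no Key Vault resources are defined in this
# module; Key Vault must be provisioned and protected elsewhere.

# ---------------------------------------------------------------------------
# Defender for Cloud plans (tier = "Standard" enables the paid Defender plan
# for the given resource type; "Free" would be foundational CSPM only).
# ---------------------------------------------------------------------------

resource "azurerm_security_center_subscription_pricing" "main" {
  tier          = "Standard"
  resource_type = "VirtualMachines"
}

resource "azurerm_security_center_subscription_pricing" "storage" {
  tier          = "Standard"
  resource_type = "StorageAccounts"
}

resource "azurerm_security_center_subscription_pricing" "sql" {
  tier          = "Standard"
  resource_type = "SqlServers"
}

resource "azurerm_security_center_subscription_pricing" "app_services" {
  tier          = "Standard"
  resource_type = "AppServices"
}

# The module targets an AKS cluster (var.aks_cluster_id), yet the original plan
# list did not include the Containers plan, so the cluster's control plane and
# workloads would have had no Defender coverage. Added so the AKS cluster is
# actually protected by the plans this module claims to enable.
resource "azurerm_security_center_subscription_pricing" "containers" {
  tier          = "Standard"
  resource_type = "Containers"
}

# ---------------------------------------------------------------------------
# Subscription-level Defender settings
# ---------------------------------------------------------------------------

# Turns on Defender for Cloud auto-provisioning for the subscription.
resource "azurerm_security_center_auto_provisioning" "main" {
  auto_provision = "On"
}

# Security contact that receives Defender alerts. alert_notifications sends
# alert e-mails to this contact; alerts_to_admins additionally notifies the
# subscription admins/owners.
resource "azurerm_security_center_contact" "main" {
  email               = var.security_contact_email
  phone               = var.security_contact_phone
  alert_notifications = true
  alerts_to_admins    = true
}

# Points Defender for Cloud at the workspace below for the whole subscription.
resource "azurerm_security_center_workspace" "main" {
  scope        = "/subscriptions/${var.subscription_id}"
  workspace_id = azurerm_log_analytics_workspace.security.id
}

# ---------------------------------------------------------------------------
# Log Analytics workspace used by Defender for Cloud
# ---------------------------------------------------------------------------

# retention_in_days = 90 keeps security telemetry for 90 days in the workspace;
# raise this (or export to a long-term store) if your incident-response
# process needs a longer look-back window.
resource "azurerm_log_analytics_workspace" "security" {
  name                = "${var.cluster_name}-security-workspace"
  location            = var.location
  resource_group_name = var.resource_group_name
  sku                 = "PerGB2018"
  retention_in_days   = 90

  tags = merge(var.tags, {
    Purpose = "Security-Monitoring"
  })
}

# ---------------------------------------------------------------------------
# Custom assessment for the AKS cluster
# ---------------------------------------------------------------------------

# CAUTION: this assessment is self-asserted. Terraform writes status.code =
# "Healthy" for the cluster unconditionally; nothing here evaluates the
# cluster, so the resulting "Healthy" finding in Defender for Cloud is not
# evidence that the cluster meets any control. Treat it as a placeholder
# record to be updated by an external check, or remove it so a hard-coded
# green status does not mask real findings.
resource "azurerm_security_center_assessment" "aks" {
  assessment_policy_id = azurerm_security_center_assessment_policy.aks.id
  target_resource_id   = var.aks_cluster_id

  status {
    code = "Healthy"
  }
}

# Definition of the custom assessment referenced above (display text,
# severity and the threat categories it is meant to cover).
resource "azurerm_security_center_assessment_policy" "aks" {
  display_name            = "AKS Security Assessment"
  description             = "Security assessment for AKS cluster"
  severity                = "Medium"
  categories              = ["Security"]
  implementation_effort   = "Low"
  remediation_description = "Follow AKS security best practices"
  threats                 = ["DataExfiltration", "DataSpillage", "MaliciousInsider"]
  user_impact             = "Low"
}

# ---------------------------------------------------------------------------
# Variables
# ---------------------------------------------------------------------------

variable "security_contact_email" {
  description = "Email for security contact"
  type        = string
}

# Optional; an empty string means no phone number is registered.
variable "security_contact_phone" {
  description = "Phone for security contact"
  type        = string
  default     = ""
}

# Used only to build the workspace scope "/subscriptions/<id>".
variable "subscription_id" {
  description = "Azure subscription ID"
  type        = string
}

variable "aks_cluster_id" {
  description = "AKS cluster resource ID"
  type        = string
}

# Prefix for the Log Analytics workspace name.
variable "cluster_name" {
  description = "Cluster name"
  type        = string
}

variable "location" {
  description = "Azure region"
  type        = string
}

variable "resource_group_name" {
  description = "Resource group name"
  type        = string
}

# Merged with a Purpose tag on the workspace; the module's tag wins on conflict.
variable "tags" {
  description = "Tags to apply to resources"
  type        = map(string)
  default     = {}
}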