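# Security group for the AWS VPN endpoint.
#
# The group itself carries no inline rules; every rule is a separate
# aws_security_group_rule below so that individual ports can be added or
# removed without recreating the group.  Tags from var.tags take precedence
# over var.standard_tags on key collision (merge() keeps the last value).
resource "aws_security_group" "vpn_access" {
  name_prefix = "${var.dns_name}${var.suffix}_vpn_access"
  description = "Security Group for the AWS VPN"
  vpc_id      = var.vpc_id
  tags        = merge(var.standard_tags, var.tags)
}

# Ingress rules.
#
# The VPN listener must be reachable by clients on the public Internet, so
# the 0.0.0.0/0 source is intentional and the tfsec finding is suppressed
# inline.  Each rule carries a description so the reason for the public
# exposure is visible in the AWS console and in security-group audits.

resource "aws_security_group_rule" "vpn-in-443-tcp" {
  type              = "ingress"
  description       = "VPN client access (TCP/443) from the Internet"
  from_port         = 443
  to_port           = 443
  protocol          = "tcp"
  cidr_blocks       = ["0.0.0.0/0"] #tfsec:ignore:aws-vpc-no-public-ingress-sgr
  security_group_id = aws_security_group.vpn_access.id
}

resource "aws_security_group_rule" "vpn-in-443-udp" {
  type              = "ingress"
  description       = "VPN client access (UDP/443) from the Internet"
  from_port         = 443
  to_port           = 443
  protocol          = "udp"
  cidr_blocks       = ["0.0.0.0/0"] #tfsec:ignore:aws-vpc-no-public-ingress-sgr
  security_group_id = aws_security_group.vpn_access.id
}

resource "aws_security_group_rule" "vpn-in-1194-tcp" {
  type              = "ingress"
  description       = "VPN client access (TCP/1194) from the Internet"
  from_port         = 1194
  to_port           = 1194
  protocol          = "tcp"
  cidr_blocks       = ["0.0.0.0/0"] #tfsec:ignore:aws-vpc-no-public-ingress-sgr
  security_group_id = aws_security_group.vpn_access.id
}

resource "aws_security_group_rule" "vpn-in-1194-udp" {
  type              = "ingress"
  description       = "VPN client access (UDP/1194) from the Internet"
  from_port         = 1194
  to_port           = 1194
  protocol          = "udp"
  cidr_blocks       = ["0.0.0.0/0"] #tfsec:ignore:aws-vpc-no-public-ingress-sgr
  security_group_id = aws_security_group.vpn_access.id
}

# Egress rule.
#
# protocol "-1" means "all protocols"; with it the port range is ignored by
# AWS, so the -1 port values are placeholders.  Unrestricted egress is kept
# because the VPN forwards client traffic to arbitrary destinations; the
# tfsec finding is suppressed inline for that reason.
resource "aws_security_group_rule" "vpn-out" {
  type              = "egress"
  description       = "All outbound traffic from the VPN"
  from_port         = -1
  to_port           = -1
  protocol          = "-1"
  cidr_blocks       = ["0.0.0.0/0"] #tfsec:ignore:aws-vpc-no-public-egress-sgr
  security_group_id = aws_security_group.vpn_access.id
}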