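# Security groups for a VMRay deployment: one group for the server, one for
# the worker nodes. Port requirements come from the VMRay admin installation
# guide, page 24:
#   - Clients to server on 443 (here: only via the internal ALB, see below)
#   - Server to workers on 5900-5999 (VNC)
#   - Workers to server on 80 and 443
#
# Every rule is a standalone aws_security_group_rule; the groups themselves
# carry no inline ingress/egress blocks. Per the AWS provider docs, a group
# created without an inline egress block has AWS's default allow-all egress
# rule removed, so outbound traffic is limited to exactly the rules declared
# here. Do not add inline rules to these groups later: the provider documents
# that inline and standalone rules on the same group overwrite each other.
#
# On egress rules, source_security_group_id names the *destination* group
# (the provider reuses the same attribute name for both directions).
#
# Each rule carries a description so the purpose of a rule is visible in the
# AWS console / `describe-security-group-rules` output without this file.

# Server ---------------------------------------------------------------------

resource "aws_security_group" "vmray_server_sg" {
  name        = "vmray_server_sg"
  description = "Security Rules Specific to VMRay"
  vpc_id      = var.vpc_id
  tags        = merge(var.standard_tags, var.tags)
}

# Workers -> server on 80 (install guide).
resource "aws_security_group_rule" "vmray_server_http_in_from_workers" {
  type                     = "ingress"
  description              = "HTTP from VMRay workers"
  from_port                = 80
  to_port                  = 80
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.vmray_worker_sg.id
  security_group_id        = aws_security_group.vmray_server_sg.id
}

# Workers -> server on 443 (install guide).
resource "aws_security_group_rule" "vmray_server_https_in_from_workers" {
  type                     = "ingress"
  description              = "HTTPS from VMRay workers"
  from_port                = 443
  to_port                  = 443
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.vmray_worker_sg.id
  security_group_id        = aws_security_group.vmray_server_sg.id
}

# Client access on 443 is only accepted from the internal ALB's security group,
# not from a CIDR range, so the server is never directly addressable by
# clients. The earlier cidr_blocks form is kept commented out for reference;
# it cannot simply be re-enabled next to source_security_group_id, because the
# two attributes are mutually exclusive on this resource.
# aws_security_group.vmray_alb_internal is defined outside this file.
resource "aws_security_group_rule" "vmray_server_https_in" {
  type        = "ingress"
  description = "HTTPS from internal ALB"
  from_port   = 443
  to_port     = 443
  protocol    = "tcp"
  # cidr_blocks              = var.cidr_map["vpc-access"]
  source_security_group_id = aws_security_group.vmray_alb_internal.id
  security_group_id        = aws_security_group.vmray_server_sg.id
}

## VMRay Requires Direct Internet Access
#
# Outbound 80/443 to anywhere. Note that 0.0.0.0/0 is not "the internet only":
# a security group matches on destination IP, so this also covers the VPC
# CIDR and any peered / transit-gateway prefixes in the route table. If the
# server must not reach internal web services, enforce that with NACLs or
# routing, not here.
#
# No DNS (53) egress is declared. Per AWS docs the VPC-provided resolver is not
# filtered by security groups, so that still works; any other resolver would
# be unreachable -- TODO confirm that is intended.
resource "aws_security_group_rule" "vmray_server_http_out" {
  type              = "egress"
  description       = "HTTP to internet (VMRay requires direct internet access)"
  from_port         = 80
  to_port           = 80
  protocol          = "tcp"
  cidr_blocks       = ["0.0.0.0/0"]
  security_group_id = aws_security_group.vmray_server_sg.id
}

resource "aws_security_group_rule" "vmray_server_https_out" {
  type              = "egress"
  description       = "HTTPS to internet (VMRay requires direct internet access)"
  from_port         = 443
  to_port           = 443
  protocol          = "tcp"
  cidr_blocks       = ["0.0.0.0/0"]
  security_group_id = aws_security_group.vmray_server_sg.id
}

# Server -> workers on the VNC port range (install guide). Destination is the
# worker group, so only worker ENIs in this VPC are reachable on these ports.
resource "aws_security_group_rule" "vmray_server_vnc_to_workers" {
  type                     = "egress"
  description              = "VNC to VMRay workers"
  from_port                = 5900
  to_port                  = 5999
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.vmray_worker_sg.id
  security_group_id        = aws_security_group.vmray_server_sg.id
}

# Workers --------------------------------------------------------------------

resource "aws_security_group" "vmray_worker_sg" {
  name        = "vmray_worker_sg"
  description = "Security Rules for the VMRay Worker Nodes"
  vpc_id      = var.vpc_id
  tags        = merge(var.standard_tags, var.tags)
}

# The only inbound path to a worker: VNC from the server group. Nothing else
# (not even the ALB) can initiate a connection to a worker.
#
# NOTE(review): the resource label is misspelled ("vmwary"). It is deliberately
# left unchanged: renaming a Terraform resource changes its state address and
# would destroy and recreate the rule on the next apply. Rename it with a
# `moved` block (Terraform >= 1.1) rather than by editing the label directly.
resource "aws_security_group_rule" "vmwary_worker_vnc_from_server" {
  type                     = "ingress"
  description              = "VNC from VMRay server"
  from_port                = 5900
  to_port                  = 5999
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.vmray_server_sg.id
  security_group_id        = aws_security_group.vmray_worker_sg.id
}

# Worker egress to the internet on 80/443, required by VMRay (see the server
# egress comment for the 0.0.0.0/0 caveat). It applies with more force here:
# the workers are presumably the hosts that run submitted samples, so this is
# effectively untrusted outbound traffic and can reach anything in the VPC or
# peered networks on 80/443. Consider isolating the worker subnet with NACLs
# or a dedicated route table / egress filter if that is a concern.
resource "aws_security_group_rule" "vmray_worker_http_out" {
  type              = "egress"
  description       = "HTTP to internet (VMRay requires direct internet access)"
  from_port         = 80
  to_port           = 80
  protocol          = "tcp"
  cidr_blocks       = ["0.0.0.0/0"]
  security_group_id = aws_security_group.vmray_worker_sg.id
}

resource "aws_security_group_rule" "vmray_worker_https_out" {
  type              = "egress"
  description       = "HTTPS to internet (VMRay requires direct internet access)"
  from_port         = 443
  to_port           = 443
  protocol          = "tcp"
  cidr_blocks       = ["0.0.0.0/0"]
  security_group_id = aws_security_group.vmray_worker_sg.id
}

# Workers -> server on 80/443. Strictly speaking these two rules are already
# covered by the 0.0.0.0/0 egress rules above (the server's private IP falls
# inside that range), but they are worth keeping: the server stays reachable
# if the catch-all egress is ever narrowed, and they document the dependency.
resource "aws_security_group_rule" "vmray_worker_http_to_server" {
  type                     = "egress"
  description              = "HTTP to VMRay server"
  from_port                = 80
  to_port                  = 80
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.vmray_server_sg.id
  security_group_id        = aws_security_group.vmray_worker_sg.id
}

resource "aws_security_group_rule" "vmray_worker_https_to_server" {
  type                     = "egress"
  description              = "HTTPS to VMRay server"
  from_port                = 443
  to_port                  = 443
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.vmray_server_sg.id
  security_group_id        = aws_security_group.vmray_worker_sg.id
}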