# Several of these security groups will have customer IPs listed in them to allow
# POP systems to access our services.
# NOTE(review): none of the active groups in this file carries a customer CIDR yet;
# the only ranges outside the VPC are the 0.0.0.0/0 entries on allow_all_sg.

# locals {
# }

# Intra-VPC only: ingress and egress are both limited to the VPC CIDR.
# egress_ipv6_cidr_blocks is set to an empty list on purpose, presumably to
# override the module's own default for IPv6 egress — confirm against the
# pinned module version.
module "aws_endpoints_sg" {
  source  = "terraform-aws-modules/security-group/aws"
  version = "~> 3"

  name            = "aws_endpoints"
  use_name_prefix = false
  tags            = merge(var.standard_tags, var.tags)
  vpc_id          = module.vpc.vpc_id

  ingress_cidr_blocks = [module.vpc.vpc_cidr_block]
  ingress_rules       = ["all-all"]

  egress_cidr_blocks      = [module.vpc.vpc_cidr_block]
  egress_ipv6_cidr_blocks = []
  egress_rules            = ["all-all"]
}

#TODO: Probably want this one available everywhere
# NOTE(review): this block is written in the older "${...}" interpolation style
# and references several *_sg modules that are not defined in this file; it will
# need those modules and a syntax pass before it can be uncommented. A `version`
# constraint is only honoured for registry sources, not for a local path like
# "../modules/...".
#module "vpc_default_security_groups" {
#  source = "../modules/vpc_security_groups"
#  version = "~> 2.17"
#  name = "toolsvpc"
#  tags = merge(var.standard_tags, var.tags)
#  this_vpc = "${module.vpc.vpc_id}"
#
#  ec2_prefix_list_count = 1
#  ec2_prefix_lists = [ "${module.vpc.vpc_endpoint_s3_pl_id}" ]
#  salt_masters_sg = "${module.salt_masters_sg.this_security_group_id}"
#  bastion_ssh_sg = "${module.bastion_servers_sg.this_security_group_id}"
#  proxy_servers_sg = "${module.proxy_servers_sg.this_security_group_id}"
#  sensu_servers_sg = "${module.sensu_servers_sg.this_security_group_id}"
#  repo_servers_sg = "${module.repo_servers_sg.this_security_group_id}"
#  idm_inbound_sg = "${module.idm_inbound_sg.this_security_group_id}"
#  openvpn_servers_sg = "${module.openvpn_servers_sg.this_security_group_id}"
#  phantom_servers_sg = "${module.phantom_servers_sg.this_security_group_id}"
#  mailrelay_sg = "${module.mailrelay_sg.this_security_group_id}"
#  moose_sg = "${module.moose_inbound_sg.this_security_group_id}"
#  vuln_scanner_sg_count = 1
#  vuln_scanner_sgs = [ "${module.vuln_scanners_sg.this_security_group_id}" ]
#}

# Every port and protocol, in and out, from and to any IPv4 address. Anything
# that attaches this group and is reachable from outside the VPC is fully
# exposed, so attachments should be reviewed and kept to a minimum; prefer a
# purpose-specific group wherever one can be written.
module "allow_all_sg" {
  source  = "terraform-aws-modules/security-group/aws"
  version = "~> 3"

  name            = "allow-all"
  use_name_prefix = false
  tags            = merge(var.standard_tags, var.tags)
  vpc_id          = module.vpc.vpc_id

  ingress_cidr_blocks = ["0.0.0.0/0"]
  ingress_rules       = ["all-all"]

  egress_cidr_blocks = ["0.0.0.0/0"]
  egress_rules       = ["all-all"]
}

# No ingress rules at all; only an "all-all" egress rule. No egress CIDRs are
# given here, so the destinations come from the module's defaults — check what
# those are for the pinned version before relying on this as "outbound-only".
module "allow_all_outbound_sg" {
  source  = "terraform-aws-modules/security-group/aws"
  version = "~> 3"

  name            = "allow-all-outbound"
  use_name_prefix = false
  tags            = merge(var.standard_tags, var.tags)
  vpc_id          = module.vpc.vpc_id

  egress_rules = ["all-all"]
}

# TODO: Do we still want direct ssh as a standard SG? I think we want
# to avoid this, so I'd say create it only with resources that need it.
# NOTE(review): if this is ever revived it needs local.ssh_jump_whitelist, which
# the commented-out (and empty) locals block at the top of this file does not
# define, and the "${...}" syntax will need updating to match the live blocks.
#module "ssh_all_sg" {
#  use_name_prefix = false
#  source = "terraform-aws-modules/security-group/aws"
#  version = "~> 2.17"
#  name = "ssh-any"
#  tags = merge(var.standard_tags, var.tags)
#  vpc_id = "${module.vpc.vpc_id}"
#
#  ingress_cidr_blocks = "${local.ssh_jump_whitelist}"
#
#  egress_cidr_blocks = [ "0.0.0.0/0" ]
#  ingress_rules = [ "ssh-tcp", "all-icmp" ]
#}