# Several of these security groups will have customer IPs listed in them to allow
# POP systems to access our services.
#

locals {
  # Qualys known CIDRs for scanners to call back to home
  # (in lieu of using the proxy at least for now).
  # Only referenced by qualys_scanner_sg below, where egress to this range is
  # limited to TCP/443.
  qualys_mgmt_cidrs = ["64.39.96.0/24"]
}

# Intra-VPC only: ingress and egress are both scoped to the VPC CIDR.
# IPv6 egress is set to an empty list, presumably to override the module's
# default IPv6 egress CIDRs — confirm against the pinned module version.
module "aws_endpoints_sg" {
  source  = "terraform-aws-modules/security-group/aws"
  version = "~> 3"

  name            = "aws_endpoints"
  use_name_prefix = false
  vpc_id          = module.vpc.vpc_id
  tags            = merge(var.standard_tags, var.tags)

  ingress_cidr_blocks = [module.vpc.vpc_cidr_block]
  ingress_rules       = ["all-all"]

  egress_cidr_blocks      = [module.vpc.vpc_cidr_block]
  egress_ipv6_cidr_blocks = []
  egress_rules            = ["all-all"]
}

# Any source, any protocol, any port, in both directions (0.0.0.0/0 + all-all).
# Attaching this group removes all network filtering for the attached ENI;
# it should only be referenced where that posture is intentional, and any
# instance using it is worth tracking separately in review.
module "allow_all_sg" {
  source  = "terraform-aws-modules/security-group/aws"
  version = "~> 3"

  name            = "allow-all"
  use_name_prefix = false
  vpc_id          = module.vpc.vpc_id
  tags            = merge(var.standard_tags, var.tags)

  ingress_cidr_blocks = ["0.0.0.0/0"]
  ingress_rules       = ["all-all"]

  egress_cidr_blocks = ["0.0.0.0/0"]
  egress_rules       = ["all-all"]
}

# Egress-only group: no ingress rules are declared here. Because no egress
# CIDRs are given, the module's default egress CIDR lists apply to "all-all"
# (0.0.0.0/0 and ::/0 in this module's defaults — verify for the pinned version).
module "allow_all_outbound_sg" {
  source  = "terraform-aws-modules/security-group/aws"
  version = "~> 3"

  name            = "allow-all-outbound"
  use_name_prefix = false
  vpc_id          = module.vpc.vpc_id
  tags            = merge(var.standard_tags, var.tags)

  egress_rules = ["all-all"]
}

# Scanner appliance group. Inbound is ICMP only (from 10.0.0.0/8); outbound is
# the Qualys management plane on TCP/443, all protocols into 10.0.0.0/8 for
# scanning, and a temporary TCP/443 rule to 0.0.0.0/0.
# NOTE: while the temporary 0.0.0.0/0:443 rule is present it already covers the
# management-plane CIDRs, so the first rule only becomes the effective
# restriction once the temporary rule is removed. The third rule's description
# says "all outbound" but the rule itself is TCP/443 only.
module "qualys_scanner_sg" {
  source  = "terraform-aws-modules/security-group/aws"
  version = "~> 3"

  name            = "qualys-scanner"
  use_name_prefix = false
  vpc_id          = module.vpc.vpc_id
  tags            = merge(var.standard_tags, var.tags)

  # The module takes cidr_blocks as a single comma-separated string here,
  # hence the join() over the locals list.
  egress_with_cidr_blocks = [
    {
      from_port   = 443
      to_port     = 443
      protocol    = "TCP"
      description = "Qualys Management Plane"
      cidr_blocks = join(",", local.qualys_mgmt_cidrs)
    },
    {
      # -1/-1 with protocol ALL: every protocol and port into the private range.
      from_port   = -1
      to_port     = -1
      protocol    = "ALL"
      description = "Outbound for scanning things"
      cidr_blocks = "10.0.0.0/8"
    },
    {
      # Interim rule until the egress proxy exists; scoped to TCP/443 only.
      from_port   = 443
      to_port     = 443
      protocol    = "TCP"
      description = "Temp allow all outbound ; remove when proxy in place"
      cidr_blocks = "0.0.0.0/0"
    },
  ]

  ingress_with_cidr_blocks = [
    {
      # For ICMP the port fields carry type/code; -1/-1 means all types and codes.
      from_port   = -1
      to_port     = -1
      protocol    = "ICMP"
      description = "Permit all ICMP"
      cidr_blocks = "10.0.0.0/8"
    },
  ]
}