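# Rather than pass in the aws security group, we just look it up. This will
# probably be useful other places, as well.
# NOTE: nothing in this file references this data source; presumably it is
# consumed by another file of the module — verify before removing.
data "aws_security_group" "typical-host" {
  name   = "typical-host"
  vpc_id = var.vpc_id
}

# Security group attached to instances of this type. Every rule lives in its
# own aws_security_group_rule resource below, so individual rules can be added
# or dropped without touching (or replacing) the group itself.
# `var.tags` is merged last and therefore wins on key collisions with
# `var.standard_tags`.
resource "aws_security_group" "instance" {
  # use name_prefix instead of name and create-before-destroy on security groups and alb target groups to make future changes easier,
  # otherwise, you get stuck in `destroying` during routine changes.
  name_prefix = "instance-${var.instance_name}"
  description = "Instances of type ${var.instance_name}"
  vpc_id      = var.vpc_id
  tags        = merge(var.standard_tags, var.tags)

  lifecycle {
    create_before_destroy = true
  }
}

# ---------------------------------------------------------------------------
# Ingress
# ---------------------------------------------------------------------------
# Port attributes are numbers in the provider schema; the previous quoted
# strings ("3080") were coerced at plan time, the bare integers below are the
# declared type and produce no state diff.

# Web interface (3080) is admitted only from the external ALB's security group,
# never from a CIDR. `aws_security_group.alb_server_external` is defined
# elsewhere in the module.
resource "aws_security_group_rule" "instance-http-in-external" {
  description              = "Web Interface from External ALB"
  type                     = "ingress"
  from_port                = 3080
  to_port                  = 3080
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.alb_server_external.id
  security_group_id        = aws_security_group.instance.id
}

# Same web interface, reachable from the internal ALB's security group.
# `aws_security_group.alb_server_internal` is defined elsewhere in the module.
resource "aws_security_group_rule" "instance-http-in-internal" {
  description              = "Web Interface from Internal ALB"
  type                     = "ingress"
  from_port                = 3080
  to_port                  = 3080
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.alb_server_internal.id
  security_group_id        = aws_security_group.instance.id
}

# Teleport listener ports 3023-3026 are open to the whole Internet
# (0.0.0.0/0). A source security group is presumably not usable here because
# the NLB hands the client's own source address to the instance — confirm.
# Where the set of client networks is known, narrow cidr_blocks to those
# ranges instead of 0.0.0.0/0.
# NOTE(review): Teleport's default auth-service port (3025) falls inside this
# range; confirm the NLB really forwards every port in 3023-3026, otherwise
# shrink the range to the ports it serves.
resource "aws_security_group_rule" "instance-teleport-in-3023-3026" {
  description       = "Teleport Proprietary Ports via NLB"
  type              = "ingress"
  from_port         = 3023
  to_port           = 3026
  protocol          = "tcp"
  cidr_blocks       = ["0.0.0.0/0"]
  security_group_id = aws_security_group.instance.id
}

# Retained for history: this single-port rule is covered by the 3023-3026
# range rule above.
#resource "aws_security_group_rule" "instance-teleport-in-3026" {
#  description       = "Teleport Proprietary Ports via NLB"
#  type              = "ingress"
#  from_port         = "3026"
#  to_port           = "3026"
#  protocol          = "tcp"
#  cidr_blocks       = [ "0.0.0.0/0" ]
#  security_group_id = aws_security_group.instance.id
#}

# Retained for history: 3080 from 0.0.0.0/0 appears to have been replaced by
# the two ALB-sourced 3080 rules above, which is the tighter shape.
#resource "aws_security_group_rule" "instance-teleport-proxy-in" {
#  description       = "Teleport - Proxy web server"
#  type              = "ingress"
#  from_port         = "3080"
#  to_port           = "3080"
#  protocol          = "tcp"
#  cidr_blocks       = [ "0.0.0.0/0" ]
#  security_group_id = aws_security_group.instance.id
#}

# ---------------------------------------------------------------------------
# Egress
# ---------------------------------------------------------------------------
# Egress is enumerated per port rather than "allow all". Anything not listed
# here (DNS, NTP, package mirrors, ...) is blocked, so add an explicit rule
# when a new outbound dependency appears.

# Outbound SSH to any address.
resource "aws_security_group_rule" "instance-teleport-out-ssh" {
  description       = "Outbound SSH"
  type              = "egress"
  from_port         = 22
  to_port           = 22
  protocol          = "tcp"
  cidr_blocks       = ["0.0.0.0/0"]
  security_group_id = aws_security_group.instance.id
}

# Outbound Teleport ports 3022-3026 to any address.
resource "aws_security_group_rule" "instance-teleport-out-teleport" {
  description       = "Outbound teleport"
  type              = "egress"
  from_port         = 3022
  to_port           = 3026
  protocol          = "tcp"
  cidr_blocks       = ["0.0.0.0/0"]
  security_group_id = aws_security_group.instance.id
}

# Outbound HTTPS to any address. The description records why this cannot be
# restricted to a VPC endpoint; revisit if an endpoint for DynamoDB Streams
# becomes available.
resource "aws_security_group_rule" "instance-teleport-out-https" {
  description       = "Outbound HTTPS, required for dynamodb Streams (no vpc endpoint available)"
  type              = "egress"
  from_port         = 443
  to_port           = 443
  protocol          = "tcp"
  cidr_blocks       = ["0.0.0.0/0"]
  security_group_id = aws_security_group.instance.id
}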