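#----------------------------------------------------------------------------
# GHE Backup Server Security Group
#
# Group attached to the host that pulls GitHub Enterprise backups over the
# appliance's administrative SSH port (122). Every rule is a separate
# aws_security_group_rule resource so each allowance can be reviewed on its
# own. This file defines no catch-all egress rule, so any other outbound
# traffic the host needs must be granted by a rule elsewhere (if at all).
#----------------------------------------------------------------------------
resource "aws_security_group" "ghe_backup_server" {
  name        = "ghe-backup"
  description = "github backup server"
  vpc_id      = var.vpc_id

  tags = {
    "Name" = "ghe-backup"
  }
}

#----------------------------------------------------------------------------
# GHE Backup Security Group to GH
#----------------------------------------------------------------------------
# On an egress rule the AWS provider uses source_security_group_id as the
# *destination* group, so port 122 is reachable only on ghe_server members,
# not on the whole VPC.
resource "aws_security_group_rule" "ghe_backup_server_122_to_github" {
  security_group_id        = aws_security_group.ghe_backup_server.id
  type                     = "egress"
  source_security_group_id = aws_security_group.ghe_server.id
  from_port                = 122
  to_port                  = 122
  protocol                 = "tcp"
  description              = "Outbound ssh to GH mgmt"
}

#----------------------------------------------------------------------------
# GHE Backup Security Group to Legacy
#----------------------------------------------------------------------------
# Unlike the rule above this one targets a CIDR range rather than a specific
# group, so it permits SSH/122 to every address in local.cidr_map["vpc-public"].
# Narrow it to the legacy appliance's group or host address when that becomes
# possible. cidr_blocks expects a list of CIDR strings -- assumes the
# cidr_map values are already lists; confirm against locals.
resource "aws_security_group_rule" "ghe_backup_server_122_to_legacy" {
  security_group_id = aws_security_group.ghe_backup_server.id
  type              = "egress"
  cidr_blocks       = local.cidr_map["vpc-public"]
  from_port         = 122
  to_port           = 122
  protocol          = "tcp"
  # Was a copy of the ghe_server rule's text; this rule reaches the legacy
  # network, so say so to keep the console description accurate.
  description = "Outbound ssh to legacy GH mgmt"
}

#----------------------------------------------------------------------------
# GHE Backup Security Group to NFS - EGRESS
#----------------------------------------------------------------------------
# Both NFS rules reference ghe_backup_server itself, so they only allow
# NFS/2049 between members of this group. If the backup target is a mount
# target or NFS host in a different group, that group needs its own ingress
# rule -- this pair does not cover it.
resource "aws_security_group_rule" "ghe_backup_server_egress_nfs" {
  security_group_id        = aws_security_group.ghe_backup_server.id
  type                     = "egress"
  source_security_group_id = aws_security_group.ghe_backup_server.id
  from_port                = 2049
  to_port                  = 2049
  protocol                 = "tcp"
  description              = "Outbound NFS"
}

#----------------------------------------------------------------------------
# GHE Backup Security Group to NFS - INGRESS
#----------------------------------------------------------------------------
# Self-referential counterpart of the egress rule above (see its note).
resource "aws_security_group_rule" "ghe_backup_server_ingress_nfs" {
  security_group_id        = aws_security_group.ghe_backup_server.id
  type                     = "ingress"
  source_security_group_id = aws_security_group.ghe_backup_server.id
  from_port                = 2049
  to_port                  = 2049
  protocol                 = "tcp"
  description              = "Inbound NFS"
}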