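#----------------------------------------------------------------
# SG for the external ELB
#----------------------------------------------------------------
# Security group for the internet-facing load balancer in front of GitHub
# Enterprise Server. Ingress is world-open on the git/ssh and web ports;
# egress is pinned to aws_security_group.ghe_server (defined elsewhere), so
# the ELB cannot initiate connections to anything else. Because every egress
# path is an explicit aws_security_group_rule, no "allow all" egress exists
# on this group - add a rule here before relying on a new backend port.
resource "aws_security_group" "ghe_elb_external" {
  name_prefix = "ghe_elb_external"
  tags = merge(
    var.standard_tags,
    var.tags,
    { Name = "github-external-lb" }
  )
  vpc_id      = var.vpc_id
  description = "External ELB for GitHub Enterprise Server"
}

# Git over SSH from anywhere. The resource name says "https_22" but the rule
# is plain TCP/22; the name is kept as-is because renaming a Terraform
# resource changes its state address and forces a destroy/recreate.
resource "aws_security_group_rule" "ghe_elb_external_inbound_https_22_cidr" {
  security_group_id = aws_security_group.ghe_elb_external.id
  type              = "ingress"
  cidr_blocks       = ["0.0.0.0/0"]
  from_port         = 22
  to_port           = 22
  protocol          = "tcp"
  description       = "Inbound git"
}

# Plain HTTP from anywhere. The matching egress rule on port 80 below names
# LetsEncrypt (HTTP-01 validation on the appliance) as the reason this port
# is open at all; if certificates are obtained another way, both port-80
# rules can go.
resource "aws_security_group_rule" "ghe_elb_external_inbound_http_cidr" {
  security_group_id = aws_security_group.ghe_elb_external.id
  type              = "ingress"
  cidr_blocks       = ["0.0.0.0/0"]
  from_port         = 80
  to_port           = 80
  protocol          = "tcp"
  description       = "Inbound http to ELB"
}

# HTTPS from anywhere.
# NOTE(review): the range is 443-444, but the only HTTPS egress rule below
# forwards 443 to the GHE servers, so TCP/444 is exposed on the ELB with no
# documented consumer. Unless a listener on 444 is intentional, tighten this
# to `to_port = 443`. Left unchanged here pending confirmation.
resource "aws_security_group_rule" "ghe_elb_external_inbound_https_cidr" {
  security_group_id = aws_security_group.ghe_elb_external.id
  type              = "ingress"
  cidr_blocks       = ["0.0.0.0/0"]
  from_port         = 443
  to_port           = 444
  protocol          = "tcp"
  description       = "Inbound https to ELB"
}

# Let the ELB talk to the github server(s)
# On an egress aws_security_group_rule, source_security_group_id is the
# *destination* group: only members of aws_security_group.ghe_server are
# reachable. Inbound 22 is forwarded to 23, which the description identifies
# as the appliance's PROXY-protocol SSH listener (client IPs are preserved
# via the PROXY header rather than lost behind the ELB).
resource "aws_security_group_rule" "ghe_elb_external_outbound_ssh" {
  security_group_id        = aws_security_group.ghe_elb_external.id
  type                     = "egress"
  source_security_group_id = aws_security_group.ghe_server.id
  from_port                = 23
  to_port                  = 23
  protocol                 = "tcp"
  description              = "Outbound ssh (PROXY) from ELB to GH servers"
}

# Counterpart of the inbound port-80 rule; exists for the LetsEncrypt
# HTTP-01 challenge reaching the appliance.
resource "aws_security_group_rule" "ghe_elb_external_outbound_http" {
  security_group_id        = aws_security_group.ghe_elb_external.id
  type                     = "egress"
  source_security_group_id = aws_security_group.ghe_server.id
  from_port                = 80
  to_port                  = 80
  protocol                 = "tcp"
  description              = "Outbound HTTP from ELB to GH servers for LetsEncrypt on GHE"
}

# HTTPS to the GHE servers; the only backend path for the inbound
# 443(-444) rule above.
resource "aws_security_group_rule" "ghe_elb_external_outbound_https" {
  security_group_id        = aws_security_group.ghe_elb_external.id
  type                     = "egress"
  source_security_group_id = aws_security_group.ghe_server.id
  from_port                = 443
  to_port                  = 443
  protocol                 = "tcp"
  description              = "Outbound https from ELB to GH servers"
}

#----------------------------------------------------------------
# SG for the internal ELB
#----------------------------------------------------------------
# Security group for the internal (VPC-facing) load balancer. Ingress is
# limited to 10.0.0.0/8; egress is again pinned to the GHE server group.
# NOTE(review): 10.0.0.0/8 is hard-coded three times below. If the module
# already exposes an allowed-CIDR variable, use it; otherwise consider adding
# one so the internal trust boundary is set by the caller, not this file.
resource "aws_security_group" "ghe_elb_internal" {
  name_prefix = "ghe_elb_internal"
  tags = merge(
    var.standard_tags,
    var.tags,
    { Name = "github-internal-lb" }
  )
  vpc_id      = var.vpc_id
  description = "Internal ELB for GitHub Enterprise Server"
}

# HTTPS for internal clients.
resource "aws_security_group_rule" "ghe_elb_internal_inbound_https_cidr" {
  security_group_id = aws_security_group.ghe_elb_internal.id
  type              = "ingress"
  cidr_blocks       = ["10.0.0.0/8"]
  from_port         = 443
  to_port           = 443
  protocol          = "tcp"
  description       = "Inbound https"
}

# HTTPS on 8443 for internal clients. Exposed only on the internal ELB, not
# the external one; forwarded to the appliance by the 8443-8444 egress rule
# below.
resource "aws_security_group_rule" "ghe_elb_internal_inbound_https_8443_cidr" {
  security_group_id = aws_security_group.ghe_elb_internal.id
  type              = "ingress"
  cidr_blocks       = ["10.0.0.0/8"]
  from_port         = 8443
  to_port           = 8443
  protocol          = "tcp"
  description       = "Inbound https"
}

# Git over SSH for internal clients (same "https_22" naming quirk as the
# external group; kept to avoid a state-address change).
resource "aws_security_group_rule" "ghe_elb_internal_inbound_https_22_cidr" {
  security_group_id = aws_security_group.ghe_elb_internal.id
  type              = "ingress"
  cidr_blocks       = ["10.0.0.0/8"]
  from_port         = 22
  to_port           = 22
  protocol          = "tcp"
  description       = "Inbound git"
}

# Let the ELB talk to the github server(s)
# source_security_group_id is the destination group on an egress rule.
resource "aws_security_group_rule" "ghe_elb_internal_outbound_https" {
  security_group_id        = aws_security_group.ghe_elb_internal.id
  type                     = "egress"
  source_security_group_id = aws_security_group.ghe_server.id
  from_port                = 443
  to_port                  = 443
  protocol                 = "tcp"
  description              = "Outbound https from ELB to GH Servers"
}

# Let the ELB talk to the github server(s)
# NOTE(review): egress spans 8443-8444 while the internal ELB accepts only
# 8443 inbound. 8444 is presumably the PROXY-protocol counterpart of 8443 on
# the appliance (as 23 is for 22) - confirm; if it is not in use, narrow
# this to `to_port = 8443`.
resource "aws_security_group_rule" "ghe_elb_internal_outbound_8444_https" {
  security_group_id        = aws_security_group.ghe_elb_internal.id
  type                     = "egress"
  source_security_group_id = aws_security_group.ghe_server.id
  from_port                = 8443
  to_port                  = 8444
  protocol                 = "tcp"
  description              = "Outbound https from ELB to GH Servers"
}

# PROXY-protocol SSH to the GHE servers, mirroring the external group's
# outbound_ssh rule. The description previously read "Outbound https ...",
# which did not match TCP/23; it now matches the external rule so the
# console and audit tooling show the real purpose. The resource name still
# says "https" - left alone to keep the state address stable.
resource "aws_security_group_rule" "ghe_elb_internal_outbound_23_https" {
  security_group_id        = aws_security_group.ghe_elb_internal.id
  type                     = "egress"
  source_security_group_id = aws_security_group.ghe_server.id
  from_port                = 23
  to_port                  = 23
  protocol                 = "tcp"
  description              = "Outbound ssh (PROXY) from ELB to GH servers"
}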