# Several of these security groups will have customer IPs listed in them to allow
# POP systems to access our services.
#
# Every group below is built from the same upstream module, pinned to one exact
# version so that a module upgrade cannot silently change what a rule name
# ("all-all", "ssh-tcp", ...) expands to. Block layout is uniform: module
# source/version, then identity (name, tags, vpc_id), then egress, then ingress.
# Where an egress CIDR list is *not* set, the module's own default applies;
# in the 4.x module that default is open (0.0.0.0/0 and ::/0) — confirm against
# the pinned 4.0.0 variables before relying on it.

# locals { }

# Reached only from inside the VPC, and only able to talk back into the VPC.
# egress_ipv6_cidr_blocks is emptied on purpose so the module default for IPv6
# egress does not widen the otherwise VPC-only egress.
module "aws_endpoints_sg" {
  source  = "terraform-aws-modules/security-group/aws"
  version = "= 4.0.0"

  name            = "aws_endpoints"
  use_name_prefix = false
  tags            = merge(var.standard_tags, var.tags)
  vpc_id          = module.vpc.vpc_id

  egress_rules            = ["all-all"]
  egress_cidr_blocks      = [module.vpc.vpc_cidr_block]
  egress_ipv6_cidr_blocks = []

  ingress_rules       = ["all-all"]
  ingress_cidr_blocks = [module.vpc.vpc_cidr_block]
}

# Every port and protocol, inbound from 0.0.0.0/0 and outbound to 0.0.0.0/0.
# Anything attached to this group is reachable from the whole IPv4 internet
# (CIS 4.1/4.2 flag even the SSH/RDP subset of this). Treat attachments to
# this group as exceptions to be justified, and prefer allow_trusted_sg or
# allow_all_intravpc wherever they are enough. Only IPv4 ingress is opened
# here; IPv6 ingress is whatever the module default is (presumably none —
# verify), so the name overstates the IPv6 side.
module "allow_all_sg" {
  source  = "terraform-aws-modules/security-group/aws"
  version = "= 4.0.0"

  name            = "allow-all"
  use_name_prefix = false
  tags            = merge(var.standard_tags, var.tags)
  vpc_id          = module.vpc.vpc_id

  egress_rules       = ["all-all"]
  egress_cidr_blocks = ["0.0.0.0/0"]

  ingress_rules       = ["all-all"]
  ingress_cidr_blocks = ["0.0.0.0/0"]
}

# No ingress at all; egress on every port/protocol. The egress destination is
# not set here, so it is the module default (open in 4.x — see header note).
module "allow_all_outbound_sg" {
  source  = "terraform-aws-modules/security-group/aws"
  version = "= 4.0.0"

  name            = "allow-all-outbound"
  use_name_prefix = false
  tags            = merge(var.standard_tags, var.tags)
  vpc_id          = module.vpc.vpc_id

  egress_rules = ["all-all"]
}

# HTTP, HTTPS, SSH and ICMP from the trusted list plus the VPC itself.
# var.trusted_ips is where the customer/POP addresses from the header end up:
# every CIDR added there gains port 22 access to members of this group, so
# review additions with that in mind and keep the list as narrow as the POP
# systems actually need. Egress destination is the module default.
module "allow_trusted_sg" {
  source  = "terraform-aws-modules/security-group/aws"
  version = "= 4.0.0"

  name            = "allow_trusted"
  use_name_prefix = false
  tags            = merge(var.standard_tags, var.tags)
  vpc_id          = module.vpc.vpc_id

  egress_rules = ["all-all"]

  ingress_rules = [
    "http-80-tcp",
    "https-443-tcp",
    "ssh-tcp",
    "all-icmp",
  ]
  ingress_cidr_blocks = concat(var.trusted_ips, [module.vpc.vpc_cidr_block])
}

# Unrestricted east-west traffic between members and anything else in the VPC
# CIDR; nothing from outside the VPC. Egress destination is the module default.
module "allow_all_intravpc" {
  source  = "terraform-aws-modules/security-group/aws"
  version = "= 4.0.0"

  name            = "allow_all_intravpc"
  use_name_prefix = false
  tags            = merge(var.standard_tags, var.tags)
  vpc_id          = module.vpc.vpc_id

  egress_rules = ["all-all"]

  ingress_rules       = ["all-all"]
  ingress_cidr_blocks = [module.vpc.vpc_cidr_block]
}

# CIS 4.3 - Default security group should restrict all traffic
#
# This resource is special: adopting the VPC's default group with no ingress or
# egress blocks declared removes every rule AWS pre-populates on it, so an
# instance launched without an explicit group gets no connectivity by default.
# See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/default_security_group
resource "aws_default_security_group" "default" {
  vpc_id = module.vpc.vpc_id
  tags   = merge(var.standard_tags, var.tags)
}