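#----------------------------------------------------------------------------
# ALB Security Group
#----------------------------------------------------------------------------

# Security group for the external (internet-facing) ALB.
# No inline ingress/egress blocks are declared, so the aws provider drops the
# AWS default allow-all egress rule and every permitted flow is one of the
# explicit aws_security_group_rule resources below.
resource "aws_security_group" "lb_server_external" {
  vpc_id      = var.vpc_id
  name_prefix = "${var.name}-alb-sg-external"
  description = "${var.name} LB SG"
  tags        = var.tags
}

#----------------------------------------------------------------------------
# INGRESS
#----------------------------------------------------------------------------

# Listener port open to the internet (0.0.0.0/0), only when var.allow_from_any
# is true.
resource "aws_security_group_rule" "allow_from_any" {
  count = var.allow_from_any ? 1 : 0

  description       = "${var.name} - Allow from Any"
  type              = "ingress"
  from_port         = var.listener_port
  to_port           = var.listener_port
  protocol          = "tcp"
  cidr_blocks       = ["0.0.0.0/0"] # tfsec:ignore:aws-vpc-no-public-ingress-sgr Intentionally Open
  security_group_id = aws_security_group.lb_server_external.id
}

# Plain HTTP (port 80) open to the internet, only when var.redirect_80 is true.
# Skipped when allow_from_any already opens port 80 (listener_port == 80):
# AWS rejects a second identical rule on the same group, so the two resources
# must never describe the same rule. This mirrors the target_port /
# healthcheck_port guard on alb_to_health below.
# NOTE: the resource label keeps the historical "rediret" spelling on purpose;
# renaming it changes the state address and would destroy/recreate the rule
# unless a `moved` block is added alongside the rename.
resource "aws_security_group_rule" "allow_http_rediret" {
  count = var.redirect_80 && !(var.allow_from_any && tonumber(var.listener_port) == 80) ? 1 : 0

  description       = "${var.name} - Allow HTTP from Any"
  type              = "ingress"
  from_port         = 80
  to_port           = 80
  protocol          = "tcp"
  cidr_blocks       = ["0.0.0.0/0"] # tfsec:ignore:aws-vpc-no-public-ingress-sgr Intentionally Open
  security_group_id = aws_security_group.lb_server_external.id
}

#----------------------------------------------------------------------------
# EGRESS
#----------------------------------------------------------------------------

# ALB -> target group on the application port. On an egress rule the aws
# provider uses source_security_group_id as the *destination* group, so this
# limits outbound traffic to members of var.target_security_group only.
resource "aws_security_group_rule" "alb_to_servers" {
  type                     = "egress"
  from_port                = var.target_port
  to_port                  = var.target_port
  protocol                 = "tcp"
  source_security_group_id = var.target_security_group
  description              = "${var.name} - Allows the ALB to talk to the servers"
  security_group_id        = aws_security_group.lb_server_external.id
}

# ALB -> target group on the health-check port. Created only when the
# health-check port differs from the application port; otherwise it would
# duplicate alb_to_servers and AWS would reject the second rule.
resource "aws_security_group_rule" "alb_to_health" {
  count = var.target_port != var.healthcheck_port ? 1 : 0

  type                     = "egress"
  from_port                = var.healthcheck_port
  to_port                  = var.healthcheck_port
  protocol                 = "tcp"
  source_security_group_id = var.target_security_group
  description              = "${var.name} - Allows the ALB to talk to the Health check"
  security_group_id        = aws_security_group.lb_server_external.id
}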