# The Magic Machine is dependent on this Security Group

# VPC the Magic Machine and Codebuild security groups are created in.
data "aws_vpc" "this" {
  id = var.vpc_id
}

# NOTE(review): not referenced anywhere in this file; presumably consumed by
# another file in the module — confirm before treating it as unused.
data "aws_subnet" "this" {
  id = var.public_subnets[0]
}

#----------------------------------------------------------------------------
# LCP Magic Machine Security Group
#----------------------------------------------------------------------------
# Group itself carries no inline rules; every rule is a separate
# aws_security_group_rule below, keyed on aws_security_group.this.id.
resource "aws_security_group" "this" {
  # checkov:skip=CKV2_AWS_5: this SG is attached to Magic Machine
  vpc_id      = data.aws_vpc.this.id
  name        = "${var.name}_magic_machine_security_group"
  description = "Security Group for magic machine ${var.name}"
  tags        = merge(local.standard_tags, var.tags)
}

#----------------------------------------------------------------------------
# INGRESS
#----------------------------------------------------------------------------
# TCP/22 into the Magic Machine from the whole 10.0.0.0/8 private range.
# NOTE(review): the description names Codebuild as the client, yet the source
# is a /8 CIDR rather than the Codebuild group defined further down. If the
# "troubleshooting" path can be served by a narrower CIDR or by SSM Session
# Manager, `source_security_group_id = aws_security_group.codebuild.id` would
# confine SSH reachability to the build environment — confirm with the owner.
resource "aws_security_group_rule" "this" {
  security_group_id = aws_security_group.this.id
  type              = "ingress"
  protocol          = "tcp"
  from_port         = 22
  to_port           = 22
  cidr_blocks       = ["10.0.0.0/8"]
  description       = "Allows Codebuild to access Magic Machine and for troubleshooting"
}

#----------------------------------------------------------------------------
# EGRESS
#----------------------------------------------------------------------------
# TCP/443 out to any destination; the public-egress finding is explicitly
# accepted via the tfsec ignore on the cidr_blocks line.
resource "aws_security_group_rule" "allow_outbound_mm" {
  security_group_id = aws_security_group.this.id
  type              = "egress"
  protocol          = "tcp"
  from_port         = 443
  to_port           = 443
  cidr_blocks       = ["0.0.0.0/0"] # tfsec:ignore:aws-vpc-no-public-egress-sgr
  description       = "HTTPS - Outbound - Allow Magic Machine"
}

#----------------------------------------------------------------------------
# Codebuild Security Group
#----------------------------------------------------------------------------
# Same shape as the Magic Machine group: no inline rules, all egress is
# attached as separate aws_security_group_rule resources.
resource "aws_security_group" "codebuild" {
  # checkov:skip=CKV2_AWS_5: this SG is attached to Codebuild
  vpc_id      = data.aws_vpc.this.id
  name        = "${var.name}_codebuild_security_group"
  description = "Security Group for codebuild ${var.name}"
  tags        = merge(local.standard_tags, var.tags)
}
#----------------------------------------------------------------------------
# EGRESS
#----------------------------------------------------------------------------
# TCP/443 out to any destination for Codebuild; the public-egress finding is
# explicitly accepted via the tfsec ignore on the cidr_blocks line.
resource "aws_security_group_rule" "allow_outbound" {
  security_group_id = aws_security_group.codebuild.id
  type              = "egress"
  protocol          = "tcp"
  from_port         = 443
  to_port           = 443
  cidr_blocks       = ["0.0.0.0/0"] # tfsec:ignore:aws-vpc-no-public-egress-sgr
  description       = "HTTPS - Outbound - Allow Codebuild"
}

# TCP/22 out from Codebuild to the whole 10.0.0.0/8 private range.
# NOTE(review): if Codebuild only needs SSH to the Magic Machine and reaches it
# by private IP inside this VPC, `source_security_group_id =
# aws_security_group.this.id` (for an egress rule this is the destination
# group) would replace the /8 and pair with the matching ingress rule —
# confirm the connection path before tightening.
resource "aws_security_group_rule" "allow_ssh_outbound" {
  security_group_id = aws_security_group.codebuild.id
  type              = "egress"
  protocol          = "tcp"
  from_port         = 22
  to_port           = 22
  cidr_blocks       = ["10.0.0.0/8"]
  description       = "SSH - Outbound - Allow Codebuild"
}