# Several of these security groups will have customer IPs listed in them to allow
# POP systems to access our services.
#
# All three groups below come from the same pinned module
# (terraform-aws-modules/security-group/aws = 4.0.0) and use fixed names
# (use_name_prefix = false), so renaming a group replaces it.
# NOTE(review): the three module names mix underscores ("aws_endpoints") and
# hyphens ("allow-all-from-trusted", "allow-all-outbound"); pick one convention
# for new groups.

locals {
  # Source/destination range for the endpoint SG. When var.allow_any_to_endpoints
  # is true this is the entire 10.0.0.0/8 block rather than this VPC's own CIDR,
  # i.e. anything that can route to the VPC from that private range is admitted,
  # not just in-VPC hosts. The variable name says "any" but the actual scope is
  # 10.0.0.0/8 -- worth stating in the variable's description.
  endpoint_cidr_blocks = var.allow_any_to_endpoints ? ["10.0.0.0/8"] : [module.vpc.vpc_cidr_block]
}

# Security group attached to the VPC endpoints.
# Both directions are "all-all" (every protocol and port) to/from
# local.endpoint_cidr_blocks. If the endpoints only terminate TLS, the module's
# named rule `https-443-tcp` is the tighter equivalent for ingress_rules.
module "aws_endpoints_sg" {
  use_name_prefix = false
  source          = "terraform-aws-modules/security-group/aws"
  version         = "= 4.0.0"
  name            = "aws_endpoints"
  tags            = merge(local.standard_tags, var.tags)
  vpc_id          = module.vpc.vpc_id

  ingress_cidr_blocks = local.endpoint_cidr_blocks
  egress_cidr_blocks  = local.endpoint_cidr_blocks
  # Explicitly no IPv6 egress; this is the only group in this file that pins
  # egress_ipv6_cidr_blocks (the other two fall back to the module default --
  # confirm against the pinned version whether that default is ::/0).
  egress_ipv6_cidr_blocks = []
  egress_rules            = ["all-all"]
  ingress_rules           = ["all-all"]
}

# Allow all protocols and ports inbound from the trusted address set
# (local.trusted_ips, defined elsewhere; per the header this is where customer
# POP IPs are expected to land). Egress is unrestricted to 0.0.0.0/0 for IPv4;
# IPv6 egress is left at the module default since egress_ipv6_cidr_blocks is not
# set here.
module "allow_all_from_trusted_sg" {
  use_name_prefix = false
  source          = "terraform-aws-modules/security-group/aws"
  version         = "= 4.0.0"
  name            = "allow-all-from-trusted"
  tags            = merge(local.standard_tags, var.tags)
  vpc_id          = module.vpc.vpc_id

  ingress_cidr_blocks = local.trusted_ips
  egress_cidr_blocks  = ["0.0.0.0/0"]
  ingress_rules       = ["all-all"]
  egress_rules        = ["all-all"]
}

# Egress-only group: no ingress rules are declared, so it admits nothing inbound
# and allows all outbound traffic to the module's default egress CIDRs.
module "allow_all_outbound_sg" {
  use_name_prefix = false
  source          = "terraform-aws-modules/security-group/aws"
  version         = "= 4.0.0"
  name            = "allow-all-outbound"
  tags            = merge(local.standard_tags, var.tags)
  vpc_id          = module.vpc.vpc_id

  egress_rules = ["all-all"]
}