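# SG Summary - Server
#
# Ingress (rules declared below):
#   icmp           - pings from 10.0.0.0/8
#   tcp/22         - SSH from the access and private-services CIDRs
#   tcp/3022       - Teleport from the access CIDRs
#   tcp/443        - user access from the access and private-services CIDRs
#   tcp/8834       - Nessus agents / scanners reporting in (currently 0.0.0.0/0, see note on the rule)
#   all            - this group scanning its own members
#
# Egress (documented requirement, NOT declared in this file):
#   tcp/25         - smtp
#   tcp/443        - updates
#   tcp/1243       - "Communicating with Log Correlation Engine" (unneeded in xdr)
#   tcp/8834-8835  - Communicating With Nessus - to vpc-receivers
#
# NOTE(review): Terraform removes AWS's default allow-all egress rule from a
# managed security group, and the only egress rule in this file is commented
# out at the bottom. Unless egress rules for this group are declared elsewhere
# in the module, the ports listed under "Egress" above are not actually open.

resource "aws_security_group" "nessus_receiver" {
  name_prefix = "nessus_receiver"
  description = "Nessus Security Scanner"
  vpc_id      = var.vpc_id

  tags = merge(
    var.standard_tags,
    var.tags,
    { Name = "nessus_receiver" }
  )

  # name_prefix generates a fresh name on replacement; creating the new group
  # before destroying the old one avoids a window where attached ENIs lose
  # their group (recommended in the aws_security_group provider docs).
  lifecycle {
    create_before_destroy = true
  }
}

#-----------------------------------------------------------------
# Inbound access
#-----------------------------------------------------------------

# ICMP from the internal 10/8 range. -1/-1 means all ICMP types and codes.
resource "aws_security_group_rule" "nessus_receiver_inbound_icmp" {
  security_group_id = aws_security_group.nessus_receiver.id
  type              = "ingress"
  cidr_blocks       = ["10.0.0.0/8"]
  from_port         = -1
  to_port           = -1
  protocol          = "icmp"
  description       = "Inbound pings"
}

# SSH from the access and private-services CIDRs. toset() deduplicates
# overlapping entries before they reach cidr_blocks.
resource "aws_security_group_rule" "nessus_receiver_inbound_22" {
  security_group_id = aws_security_group.nessus_receiver.id
  type              = "ingress"
  cidr_blocks       = toset(concat(var.cidr_map["vpc-access"], var.cidr_map["vpc-private-services"]))
  from_port         = 22
  to_port           = 22
  protocol          = "tcp"
  description       = "Inbound SSH (from access)"
}

# Teleport node port, reachable only from the access CIDRs.
resource "aws_security_group_rule" "nessus_receiver_inbound_3022" {
  security_group_id = aws_security_group.nessus_receiver.id
  type              = "ingress"
  cidr_blocks       = var.cidr_map["vpc-access"]
  from_port         = 3022
  to_port           = 3022
  protocol          = "tcp"
  description       = "Inbound Teleport (from access)"
}

# HTTPS user access from the access and private-services CIDRs.
resource "aws_security_group_rule" "nessus_receiver_inbound_443" {
  security_group_id = aws_security_group.nessus_receiver.id
  type              = "ingress"
  cidr_blocks       = toset(concat(var.cidr_map["vpc-access"], var.cidr_map["vpc-private-services"]))
  from_port         = 443
  to_port           = 443
  protocol          = "tcp"
  description       = "Inbound 443 (from access)"
}

# Nessus agent/scanner check-in port.
# NOTE(review): this rule exposes tcp/8834 to the entire Internet. 8834 is
# also the Nessus web UI/API port, so if agents and scanners only connect
# from known ranges, restrict cidr_blocks to those ranges (for example the
# relevant var.cidr_map entries) rather than 0.0.0.0/0; keep 0.0.0.0/0 only if
# agents genuinely report in from arbitrary addresses, and document why here.
resource "aws_security_group_rule" "nessus_receiver_inbound_nessus" {
  security_group_id = aws_security_group.nessus_receiver.id
  type              = "ingress"
  cidr_blocks       = ["0.0.0.0/0"]
  from_port         = 8834
  to_port           = 8834 # no 8835 according to https://docs.tenable.com/nessusagent/Content/RequirementsDataflow.htm
  protocol          = "tcp"
  description       = "Inbound Nessus"
}

# Lets members of this group scan each other on every port/protocol.
# Ports are not meaningful for protocol "all"; -1/-1 is the conventional spelling.
resource "aws_security_group_rule" "nessus_receiver_inbound_scan_ourselves" {
  security_group_id        = aws_security_group.nessus_receiver.id
  source_security_group_id = aws_security_group.nessus_receiver.id
  type                     = "ingress"
  from_port                = -1
  to_port                  = -1
  protocol                 = "all"
  description              = "Inbound Scanning of Ourselves"
}

#-----------------------------------------------------------------
# Outbound access
#-----------------------------------------------------------------
# Left disabled by the author. With it commented out, no egress is declared
# for this group in this file (see the header note).

#resource "aws_security_group_rule" "nessus_receiver_outbound_all_ports" {
#  security_group_id = aws_security_group.nessus_receiver.id
#  type              = "egress"
#  cidr_blocks       = [ "10.0.0.0/8" ]
#  from_port         = -1
#  to_port           = -1
#  protocol          = "all"
#  description       = "Outbound to All Ports"
#}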