# Source CIDR ranges for the database security groups, exported by a shared module.
# NOTE(review): the git source has no `?ref=` pin (tag or commit), so every
# `terraform init` tracks the repository's default branch; a change to the module's
# exported CIDR lists silently changes what these groups allow.  Pin to an
# immutable ref (e.g. `?ref=<TAG_OR_COMMIT_PLACEHOLDER>`) and review module updates
# like any other dependency bump.
module "fw-ips" {
  source = "git::https://gitlab.com/qmi/qmi-cloud-tf-modules.git//databases/firewall_ips"
}

# Primary security group for the database port.  Rules are attached through the
# separate *_rule resources below rather than inline, so the group itself carries
# no rules (the AWS provider removes the account's default allow-all egress on
# creation; outbound access is therefore only what the egress rules below grant).
# `local.vpc_id`, `local.port` and `local.tags` are defined outside this file.
resource "aws_security_group" "allow_tls" {
  name        = "${var.provision_id}-SG"
  description = "${var.provision_id}-SG"
  vpc_id      = local.vpc_id
  tags        = local.tags
}

# One ingress rule per CIDR from the module's primary list, TCP on the DB port only.
# `toset()` deduplicates the list and makes `each.key` the CIDR string itself
# (presumably `cidr_blocks` is a list of IPv4 CIDR strings — confirm in the module).
resource "aws_vpc_security_group_ingress_rule" "allow_tls_ipv4" {
  for_each          = toset(module.fw-ips.cidr_blocks)
  security_group_id = aws_security_group.allow_tls.id
  cidr_ipv4         = each.key
  from_port         = local.port
  ip_protocol       = "tcp"
  to_port           = local.port
  description       = "dbport"
}

# Matching egress rule per CIDR.  Security groups are stateful, so replies to
# inbound DB connections do not need this; it only governs connections the
# database side initiates outbound on `local.port` to the same ranges.
resource "aws_vpc_security_group_egress_rule" "allow_tls_ipv4" {
  for_each          = toset(module.fw-ips.cidr_blocks)
  security_group_id = aws_security_group.allow_tls.id
  cidr_ipv4         = each.key
  from_port         = local.port
  ip_protocol       = "tcp"
  to_port           = local.port
  description       = "dbport"
}

# Second security group, fed from the module's "others" CIDR list.  Kept as a
# separate group so the two allow-lists can be attached and audited independently.
resource "aws_security_group" "allow_tls_2" {
  name        = "${var.provision_id}-SG2"
  description = "${var.provision_id}-SG2"
  vpc_id      = local.vpc_id
  tags        = local.tags
}

# Ingress for the "others" ranges; same port/protocol shape as the primary group.
resource "aws_vpc_security_group_ingress_rule" "allow_tls_ipv4_2" {
  for_each          = toset(module.fw-ips.cidr_blocks_others)
  security_group_id = aws_security_group.allow_tls_2.id
  cidr_ipv4         = each.key
  from_port         = local.port
  ip_protocol       = "tcp"
  to_port           = local.port
  description       = "Others - dbport"
}

# Egress for the "others" ranges.  NOTE(review): the resource name reads
# `allow_tls_ipv_2` while its siblings use `allow_tls_ipv4*`; renaming it would
# change the state address, so it is left as-is here (a `moved` block would be
# needed to rename without recreating the rules).
resource "aws_vpc_security_group_egress_rule" "allow_tls_ipv_2" {
  for_each          = toset(module.fw-ips.cidr_blocks_others)
  security_group_id = aws_security_group.allow_tls_2.id
  cidr_ipv4         = each.key
  from_port         = local.port
  ip_protocol       = "tcp"
  to_port           = local.port
  description       = "Others - dbport"
}