# Security groups for dco
# Group holding the microk8s hosts in dco; its rules are defined further
# down in this file (they reference this group's id).
resource "openstack_networking_secgroup_v2" "microk8s-dco" {
  provider = openstack.dco

  name        = "microk8s"
  description = "Traffic to allow between microk8s hosts"
}

# Group whose only rules (see below) admit ssh from the jumphost addresses
# listed in var.jumphostv4-ips / var.jumphostv6-ips.
resource "openstack_networking_secgroup_v2" "ssh-from-jump-hosts-dco" {
  provider = openstack.dco

  name        = "ssh-from-jumphosts"
  description = "Allow ssh traffic from sunet jumphosts."
}

#
# Security group rules for microk8s
#
# One IPv4 ingress rule per entry of var.k8sports. Each entry is read as a
# map whose (lexically first) key is the port and whose value is the
# protocol; keys() and values() are both ordered by key, so index 0 of each
# refers to the same pair. Source and destination are the same group, so
# only traffic between members of "microk8s" is admitted.
# NOTE(review): assumes every var.k8sports entry holds exactly one
# port => protocol pair — confirm against the variable definition.
resource "openstack_networking_secgroup_rule_v2" "microk8s_rule_v4_dco" {
  count = length(var.k8sports)

  provider = openstack.dco

  direction      = "ingress"
  ethertype      = "IPv4"
  protocol       = values(var.k8sports[count.index])[0]
  port_range_min = keys(var.k8sports[count.index])[0]
  port_range_max = keys(var.k8sports[count.index])[0]

  security_group_id = openstack_networking_secgroup_v2.microk8s-dco.id
  remote_group_id   = openstack_networking_secgroup_v2.microk8s-dco.id
}

# IPv6 counterpart of microk8s_rule_v4_dco: one rule per var.k8sports entry
# (key = port, value = protocol), restricted to members of the same group.
# NOTE(review): assumes every var.k8sports entry holds exactly one
# port => protocol pair — confirm against the variable definition.
resource "openstack_networking_secgroup_rule_v2" "microk8s_rule_v6_dco" {
  count = length(var.k8sports)

  provider = openstack.dco

  direction      = "ingress"
  ethertype      = "IPv6"
  protocol       = values(var.k8sports[count.index])[0]
  port_range_min = keys(var.k8sports[count.index])[0]
  port_range_max = keys(var.k8sports[count.index])[0]

  security_group_id = openstack_networking_secgroup_v2.microk8s-dco.id
  remote_group_id   = openstack_networking_secgroup_v2.microk8s-dco.id
}

#
# From STO3 to DCO
#

# Control nodes
resource "openstack_networking_secgroup_rule_v2" "microk8s_controller_rule_v4_sto3_to_dco" {
  # Cartesian product of k8s ports and STO3 controller nodes: one rule per
  # (port, node) pair. The port entry is count.index / node_count (floored);
  # the node is count.index modulo node_count.
  count = length(var.k8sports) * length(resource.openstack_compute_instance_v2.controller-nodes-sto3)

  provider = openstack.dco

  direction      = "ingress"
  ethertype      = "IPv4"
  protocol       = values(var.k8sports[floor(count.index / length(resource.openstack_compute_instance_v2.controller-nodes-sto3))])[0]
  port_range_min = keys(var.k8sports[floor(count.index / length(resource.openstack_compute_instance_v2.controller-nodes-sto3))])[0]
  port_range_max = keys(var.k8sports[floor(count.index / length(resource.openstack_compute_instance_v2.controller-nodes-sto3))])[0]

  # Host-scoped (/32) source: the IPv4 access address of a single STO3
  # controller, so no wider range than the named host is opened.
  # NOTE(review): whether access_ip_v4 is the fixed or the floating address
  # depends on the instance's network setup — confirm it is the address the
  # dco side actually sees traffic from.
  remote_ip_prefix  = format("%s/32", resource.openstack_compute_instance_v2.controller-nodes-sto3[count.index % length(resource.openstack_compute_instance_v2.controller-nodes-sto3)].access_ip_v4)
  security_group_id = openstack_networking_secgroup_v2.microk8s-dco.id
}

resource "openstack_networking_secgroup_rule_v2" "microk8s_controller_rule_v6_sto3_to_dco" {
  # One rule per (port, STO3 controller node) pair; port entry is
  # count.index / node_count (floored), node is count.index modulo node_count.
  count = length(var.k8sports) * length(resource.openstack_compute_instance_v2.controller-nodes-sto3)

  provider = openstack.dco

  direction      = "ingress"
  ethertype      = "IPv6"
  protocol       = values(var.k8sports[floor(count.index / length(resource.openstack_compute_instance_v2.controller-nodes-sto3))])[0]
  port_range_min = keys(var.k8sports[floor(count.index / length(resource.openstack_compute_instance_v2.controller-nodes-sto3))])[0]
  port_range_max = keys(var.k8sports[floor(count.index / length(resource.openstack_compute_instance_v2.controller-nodes-sto3))])[0]

  # Host-scoped (/128) source. The regex strips any '[', ']' or "'" characters
  # from the reported IPv6 access address before the prefix length is appended.
  # NOTE(review): if a node has no IPv6 access address this collapses to
  # "/128", which is not a valid prefix — confirm all STO3 controllers have one.
  remote_ip_prefix  = format("%s/128", replace(resource.openstack_compute_instance_v2.controller-nodes-sto3[count.index % length(resource.openstack_compute_instance_v2.controller-nodes-sto3)].access_ip_v6, "/[\\[\\]']/", ""))
  security_group_id = openstack_networking_secgroup_v2.microk8s-dco.id
}

# Worker nodes
resource "openstack_networking_secgroup_rule_v2" "microk8s_worker_rule_v4_sto3_to_dco" {
  # One rule per (port, STO3 worker node) pair; port entry is
  # count.index / node_count (floored), node is count.index modulo node_count.
  count = length(var.k8sports) * length(resource.openstack_compute_instance_v2.worker-nodes-sto3)

  provider = openstack.dco

  direction      = "ingress"
  ethertype      = "IPv4"
  protocol       = values(var.k8sports[floor(count.index / length(resource.openstack_compute_instance_v2.worker-nodes-sto3))])[0]
  port_range_min = keys(var.k8sports[floor(count.index / length(resource.openstack_compute_instance_v2.worker-nodes-sto3))])[0]
  port_range_max = keys(var.k8sports[floor(count.index / length(resource.openstack_compute_instance_v2.worker-nodes-sto3))])[0]

  # Host-scoped (/32) source: the IPv4 access address of a single STO3 worker.
  # NOTE(review): confirm access_ip_v4 is the address the dco side sees
  # traffic from (fixed vs. floating depends on the instance's network setup).
  remote_ip_prefix  = format("%s/32", resource.openstack_compute_instance_v2.worker-nodes-sto3[count.index % length(resource.openstack_compute_instance_v2.worker-nodes-sto3)].access_ip_v4)
  security_group_id = openstack_networking_secgroup_v2.microk8s-dco.id
}

resource "openstack_networking_secgroup_rule_v2" "microk8s_worker_rule_v6_sto3_to_dco" {
  # One rule per (port, STO3 worker node) pair; port entry is
  # count.index / node_count (floored), node is count.index modulo node_count.
  count = length(var.k8sports) * length(resource.openstack_compute_instance_v2.worker-nodes-sto3)

  provider = openstack.dco

  direction      = "ingress"
  ethertype      = "IPv6"
  protocol       = values(var.k8sports[floor(count.index / length(resource.openstack_compute_instance_v2.worker-nodes-sto3))])[0]
  port_range_min = keys(var.k8sports[floor(count.index / length(resource.openstack_compute_instance_v2.worker-nodes-sto3))])[0]
  port_range_max = keys(var.k8sports[floor(count.index / length(resource.openstack_compute_instance_v2.worker-nodes-sto3))])[0]

  # Host-scoped (/128) source; '[', ']' and "'" are stripped from the reported
  # IPv6 access address first.
  # NOTE(review): a node without an IPv6 access address yields "/128" — confirm
  # all STO3 workers have one.
  remote_ip_prefix  = format("%s/128", replace(resource.openstack_compute_instance_v2.worker-nodes-sto3[count.index % length(resource.openstack_compute_instance_v2.worker-nodes-sto3)].access_ip_v6, "/[\\[\\]']/", ""))
  security_group_id = openstack_networking_secgroup_v2.microk8s-dco.id
}

#
# From STO4 to DCO
#

# Controller nodes
resource "openstack_networking_secgroup_rule_v2" "microk8s_controller_rule_v4_sto4_to_dco" {
  # One rule per (port, STO4 controller node) pair; port entry is
  # count.index / node_count (floored), node is count.index modulo node_count.
  count = length(var.k8sports) * length(resource.openstack_compute_instance_v2.controller-nodes-sto4)

  provider = openstack.dco

  direction      = "ingress"
  ethertype      = "IPv4"
  protocol       = values(var.k8sports[floor(count.index / length(resource.openstack_compute_instance_v2.controller-nodes-sto4))])[0]
  port_range_min = keys(var.k8sports[floor(count.index / length(resource.openstack_compute_instance_v2.controller-nodes-sto4))])[0]
  port_range_max = keys(var.k8sports[floor(count.index / length(resource.openstack_compute_instance_v2.controller-nodes-sto4))])[0]

  # Host-scoped (/32) source: the IPv4 access address of a single STO4
  # controller.
  # NOTE(review): confirm access_ip_v4 is the address the dco side sees
  # traffic from (fixed vs. floating depends on the instance's network setup).
  remote_ip_prefix  = format("%s/32", resource.openstack_compute_instance_v2.controller-nodes-sto4[count.index % length(resource.openstack_compute_instance_v2.controller-nodes-sto4)].access_ip_v4)
  security_group_id = openstack_networking_secgroup_v2.microk8s-dco.id
}

resource "openstack_networking_secgroup_rule_v2" "microk8s_controller_rule_v6_sto4_to_dco" {
  # One rule per (port, STO4 controller node) pair; port entry is
  # count.index / node_count (floored), node is count.index modulo node_count.
  count = length(var.k8sports) * length(resource.openstack_compute_instance_v2.controller-nodes-sto4)

  provider = openstack.dco

  direction      = "ingress"
  ethertype      = "IPv6"
  protocol       = values(var.k8sports[floor(count.index / length(resource.openstack_compute_instance_v2.controller-nodes-sto4))])[0]
  port_range_min = keys(var.k8sports[floor(count.index / length(resource.openstack_compute_instance_v2.controller-nodes-sto4))])[0]
  port_range_max = keys(var.k8sports[floor(count.index / length(resource.openstack_compute_instance_v2.controller-nodes-sto4))])[0]

  # Host-scoped (/128) source; '[', ']' and "'" are stripped from the reported
  # IPv6 access address first.
  # NOTE(review): a node without an IPv6 access address yields "/128" — confirm
  # all STO4 controllers have one.
  remote_ip_prefix  = format("%s/128", replace(resource.openstack_compute_instance_v2.controller-nodes-sto4[count.index % length(resource.openstack_compute_instance_v2.controller-nodes-sto4)].access_ip_v6, "/[\\[\\]']/", ""))
  security_group_id = openstack_networking_secgroup_v2.microk8s-dco.id
}

# Workers
resource "openstack_networking_secgroup_rule_v2" "microk8s_worker_rule_v4_sto4_to_dco" {
  # One rule per (port, STO4 worker node) pair; port entry is
  # count.index / node_count (floored), node is count.index modulo node_count.
  count = length(var.k8sports) * length(resource.openstack_compute_instance_v2.worker-nodes-sto4)

  provider = openstack.dco

  direction      = "ingress"
  ethertype      = "IPv4"
  protocol       = values(var.k8sports[floor(count.index / length(resource.openstack_compute_instance_v2.worker-nodes-sto4))])[0]
  port_range_min = keys(var.k8sports[floor(count.index / length(resource.openstack_compute_instance_v2.worker-nodes-sto4))])[0]
  port_range_max = keys(var.k8sports[floor(count.index / length(resource.openstack_compute_instance_v2.worker-nodes-sto4))])[0]

  # Host-scoped (/32) source: the IPv4 access address of a single STO4 worker.
  # NOTE(review): confirm access_ip_v4 is the address the dco side sees
  # traffic from (fixed vs. floating depends on the instance's network setup).
  remote_ip_prefix  = format("%s/32", resource.openstack_compute_instance_v2.worker-nodes-sto4[count.index % length(resource.openstack_compute_instance_v2.worker-nodes-sto4)].access_ip_v4)
  security_group_id = openstack_networking_secgroup_v2.microk8s-dco.id
}

resource "openstack_networking_secgroup_rule_v2" "microk8s_worker_rule_v6_sto4_to_dco" {
  # One rule per (port, STO4 worker node) pair; port entry is
  # count.index / node_count (floored), node is count.index modulo node_count.
  count = length(var.k8sports) * length(resource.openstack_compute_instance_v2.worker-nodes-sto4)

  provider = openstack.dco

  direction      = "ingress"
  ethertype      = "IPv6"
  protocol       = values(var.k8sports[floor(count.index / length(resource.openstack_compute_instance_v2.worker-nodes-sto4))])[0]
  port_range_min = keys(var.k8sports[floor(count.index / length(resource.openstack_compute_instance_v2.worker-nodes-sto4))])[0]
  port_range_max = keys(var.k8sports[floor(count.index / length(resource.openstack_compute_instance_v2.worker-nodes-sto4))])[0]

  # Host-scoped (/128) source; '[', ']' and "'" are stripped from the reported
  # IPv6 access address first.
  # NOTE(review): a node without an IPv6 access address yields "/128" — confirm
  # all STO4 workers have one.
  remote_ip_prefix  = format("%s/128", replace(resource.openstack_compute_instance_v2.worker-nodes-sto4[count.index % length(resource.openstack_compute_instance_v2.worker-nodes-sto4)].access_ip_v6, "/[\\[\\]']/", ""))
  security_group_id = openstack_networking_secgroup_v2.microk8s-dco.id
}

#
# Security group rules for ssh-from-jump-hosts
#


# One host-scoped (/32) rule per IPv4 jumphost address in var.jumphostv4-ips;
# only TCP port 22 is opened, and only on the ssh-from-jumphosts group.
resource "openstack_networking_secgroup_rule_v2" "ssh-from-jumphosts-v4rules-dco" {
  count = length(var.jumphostv4-ips)

  provider = openstack.dco

  direction      = "ingress"
  ethertype      = "IPv4"
  protocol       = "tcp"
  port_range_min = "22"
  port_range_max = "22"

  remote_ip_prefix  = format("%s/32", var.jumphostv4-ips[count.index])
  security_group_id = openstack_networking_secgroup_v2.ssh-from-jump-hosts-dco.id
}

# One host-scoped (/128) rule per IPv6 jumphost address in var.jumphostv6-ips;
# only TCP port 22 is opened, and only on the ssh-from-jumphosts group.
resource "openstack_networking_secgroup_rule_v2" "ssh-from-jumphosts-v6rules-dco" {
  count = length(var.jumphostv6-ips)

  provider = openstack.dco

  direction      = "ingress"
  ethertype      = "IPv6"
  protocol       = "tcp"
  port_range_min = "22"
  port_range_max = "22"

  remote_ip_prefix  = format("%s/128", var.jumphostv6-ips[count.index])
  security_group_id = openstack_networking_secgroup_v2.ssh-from-jump-hosts-dco.id
}