# -----------------------------------------------------------------------------
# Network
# -----------------------------------------------------------------------------
# Four project networks for the Sophos deployment: LAN, WAN, management and
# sync. Prefixes and nameservers are supplied by variables declared outside
# this file.
# NOTE(review): all four networks take the same var.sophos_nets_routed value,
# so the management and sync segments get the same routed setting as LAN/WAN.
# Confirm that mgmt/sync are meant to be routed rather than isolated.
resource "stackit_network" "sophos_lan_net" {
  project_id       = var.project_id
  name             = "sophos_lan_net"
  ipv4_nameservers = var.sophos_default_nameservers
  ipv4_prefix      = var.sophos_lan_net_range
  routed           = var.sophos_nets_routed
}

# WAN network; the only network here with its own nameserver variable.
resource "stackit_network" "sophos_wan_net" {
  project_id       = var.project_id
  name             = "sophos_wan_net"
  ipv4_prefix      = var.sophos_wan_net_range
  ipv4_nameservers = var.sophos_wan_nameservers
  routed           = var.sophos_nets_routed
}

# Management network.
resource "stackit_network" "sophos_mgmt_net" {
  project_id       = var.project_id
  name             = "sophos_mgmt_net"
  ipv4_prefix      = var.sophos_mgmt_net_range
  ipv4_nameservers = var.sophos_default_nameservers
  routed           = var.sophos_nets_routed
}

# Sync network (presumably the HA/state-sync link between appliances - confirm).
resource "stackit_network" "sophos_sync_net" {
  project_id       = var.project_id
  name             = "sophos_sync_net"
  ipv4_prefix      = var.sophos_sync_net_range
  ipv4_nameservers = var.sophos_default_nameservers
  routed           = var.sophos_nets_routed
}

# -----------------------------------------------------------------------------
# VIP Interface - others are located directly at the appliances
# -----------------------------------------------------------------------------
# Interface on the WAN network with the fixed address var.sophos_wan_vip and
# the "Sophos" security group attached.
# NOTE(review): security = true presumably keeps port security on, so that
# the attached security group is enforced on this interface - confirm against
# the provider documentation before changing it.
resource "stackit_network_interface" "vip" {
  project_id         = var.project_id
  network_id         = stackit_network.sophos_wan_net.network_id
  security           = true
  name               = "VIP"
  ipv4               = var.sophos_wan_vip
  security_group_ids = [
    stackit_security_group.sophos.security_group_id
  ]
}

# Public IP bound to the VIP interface. This makes the VIP internet-reachable,
# so the "Sophos" security group below is the only cloud-layer filter in front
# of it that is visible in this file.
resource "stackit_public_ip" "public-vip" {
  project_id           = var.project_id
  network_interface_id = stackit_network_interface.vip.network_interface_id
}

# Exposes the allocated public address under the key "public_ip_sophos".
output "public-vip" {
  value = {
    "public_ip_sophos" = stackit_public_ip.public-vip.ip
  }
}

# -----------------------------------------------------------------------------
# Security Groups / Rules
# -----------------------------------------------------------------------------
# Single security group; the four rules below all attach to it.
resource "stackit_security_group" "sophos" {
  project_id = var.project_id
  name       = "Sophos"
}

# Ingress TCP rule with no port_range, ip_range or remote_security_group_id.
# NOTE(review): with nothing narrowing it, this presumably admits TCP on every
# port from any source to every interface in the group, including the
# public VIP. If the appliance is meant to do all filtering itself, say so
# here; otherwise restrict ports/sources, and make sure the appliance's admin
# services are not listening on the WAN VIP.
resource "stackit_security_group_rule" "tcp-ingress" {
  project_id        = var.project_id
  security_group_id = stackit_security_group.sophos.security_group_id
  direction         = "ingress"
  protocol = {
    name = "tcp"
  }
}

# Ingress ICMP limited to type 8 / code 0 (echo request), i.e. inbound ping.
# No source restriction is set on this rule either.
resource "stackit_security_group_rule" "icmp-ingress" {
  project_id        = var.project_id
  security_group_id = stackit_security_group.sophos.security_group_id
  direction         = "ingress"
  protocol = {
    name = "icmp"
  }
  icmp_parameters = {
    code = 0
    type = 8
  }
}

# Egress TCP rule, likewise without port or destination constraints.
# NOTE(review): no UDP rule is defined in this file for either direction.
# Whether UDP traffic (e.g. DNS, NTP, IPsec) can pass depends on any default
# rules the platform adds to a new security group - verify, then document it.
resource "stackit_security_group_rule" "tcp-egress" {
  project_id        = var.project_id
  security_group_id = stackit_security_group.sophos.security_group_id
  direction         = "egress"
  protocol = {
    name = "tcp"
  }
}

# Egress ICMP limited to type 8 / code 0 (echo request), i.e. outbound ping.
resource "stackit_security_group_rule" "icmp-egress" {
  project_id        = var.project_id
  security_group_id = stackit_security_group.sophos.security_group_id
  direction         = "egress"
  protocol = {
    name = "icmp"
  }
  icmp_parameters = {
    code = 0
    type = 8
  }
}