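# Security groups for the SACC4 EC2 instance and its RDS MariaDB backend.
#
# Inputs:
#   vpc_id      - id of the VPC the security groups are created in
#   environment - suffix used in resource names and Name tags
#   my_ip       - CIDR (e.g. "203.0.113.10/32") allowed to reach SSH
#
# Outputs: the ids of the EC2 and RDS security groups.

variable "vpc_id" {
  description = "ID of the VPC the security groups are attached to"
  type        = string
}

variable "environment" {
  description = "Environment name used as a suffix in names and Name tags"
  type        = string
}

variable "my_ip" {
  description = "Source CIDR allowed to reach SSH (port 22), e.g. 203.0.113.10/32"
  type        = string

  # AWS rejects a bare address in cidr_blocks; fail at plan time with a clear
  # message instead of at apply time.
  validation {
    condition     = can(cidrhost(var.my_ip, 0))
    error_message = "my_ip must be given in CIDR notation, e.g. 203.0.113.10/32."
  }
}

# The security groups are attached to var.vpc_id, so the CIDR allowed for the
# internal API ports must be that VPC's CIDR. aws_vpc.main below is a separate
# VPC created by this file, and its 10.3.0.0/16 is not necessarily the CIDR of
# var.vpc_id; referencing it here would open the ports to the wrong network.
data "aws_vpc" "selected" {
  id = var.vpc_id
}

resource "aws_security_group" "ec2" {
  name        = "sacc4-ec2-sg-${var.environment}"
  description = "Security group para instancia EC2 SACC4"
  vpc_id      = var.vpc_id

  # Administrative access only from the operator's CIDR (var.my_ip).
  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = [var.my_ip]
    description = "SSH desde IP autorizada"
  }

  # Public web traffic.
  ingress {
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
    description = "HTTP"
  }

  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
    description = "HTTPS"
  }

  # Internal API ports, reachable only from inside the VPC this group lives in.
  ingress {
    from_port   = 8080
    to_port     = 8085
    protocol    = "tcp"
    cidr_blocks = [data.aws_vpc.selected.cidr_block]
    description = "APIs internas"
  }

  # NOTE(review): unrestricted outbound. If the instance only needs to reach
  # RDS and package/update endpoints, narrowing this limits what a compromised
  # instance can reach.
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
    description = "All outbound"
  }

  tags = {
    Name = "sacc4-ec2-sg-${var.environment}"
  }
}

resource "aws_security_group" "rds" {
  name        = "sacc4-rds-sg-${var.environment}"
  description = "Security group para RDS MariaDB"
  vpc_id      = var.vpc_id

  # Database access is allowed only from members of the EC2 security group,
  # never from a CIDR.
  ingress {
    from_port       = 3306
    to_port         = 3306
    protocol        = "tcp"
    security_groups = [aws_security_group.ec2.id]
    description     = "MariaDB desde EC2"
  }

  # NOTE(review): a database instance normally initiates no outbound
  # connections; this rule can likely be dropped or restricted.
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
    description = "All outbound"
  }

  tags = {
    Name = "sacc4-rds-sg-${var.environment}"
  }
}

# NOTE(review): this VPC is no longer referenced by the security groups above
# and appears unused within this file; retained so existing state is not
# destroyed. Remove it (or attach the groups to it) once confirmed unused.
resource "aws_vpc" "main" {
  cidr_block = "10.3.0.0/16"
}

output "ec2_sg_id" {
  description = "ID of the EC2 security group"
  value       = aws_security_group.ec2.id
}

output "rds_sg_id" {
  description = "ID of the RDS security group"
  value       = aws_security_group.rds.id
}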