AWSTemplateFormatVersion: "2010-09-09"

Description: Provides cross-reference for Security Groups in the ingress and egress rules.

Parameters:
  VpcID:
    Type: String

  WorkstationAccessCIDR:
    Type: String
    AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$

  WorkstationConnectionManager:
    Type: String

  Environment:
    Type: String

Conditions:
  IsTeradici: !Equals [!Ref WorkstationConnectionManager, teradici]

Resources:
  LicenseServerSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Security group for DL License Server instance
      VpcId: !Ref VpcID
      Tags:
        - Key: Name
          Value: license-server-sg
        - Key: Environment
          Value: !Ref Environment

  RepositorySecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Security group for DL Repository instance
      VpcId: !Ref VpcID
      Tags:
        - Key: Name
          Value: deadline-repository-sg
        - Key: Environment
          Value: !Ref Environment

  RenderNodeSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Security group for DL Render Node instance
      VpcId: !Ref VpcID
      Tags:
        - Key: Name
          Value: deadline-rendernode-sg
        - Key: Environment
          Value: !Ref Environment

  WorkstationSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Security group for Workstation instance
      VpcId: !Ref VpcID
      SecurityGroupIngress: !If
        - IsTeradici
        - - IpProtocol: tcp
            FromPort: 443
            ToPort: 443
            CidrIp: !Ref WorkstationAccessCIDR
          - IpProtocol: tcp
            FromPort: 4172
            ToPort: 4172
            CidrIp: !Ref WorkstationAccessCIDR
          - IpProtocol: udp
            FromPort: 4172
            ToPort: 4172
            CidrIp: !Ref WorkstationAccessCIDR
        - - IpProtocol: tcp
            FromPort: 8443
            ToPort: 8443
            CidrIp: !Ref WorkstationAccessCIDR
      Tags:
        - Key: Name
          Value: deadline-workstation-sg
        - Key: Environment
          Value: !Ref Environment

  # <-- Grant access for Deadline Repository -->

  RepositoryToLicenseServerIngress:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref LicenseServerSecurityGroup
      Description: deadline-repository-sg
      IpProtocol: "-1"
      SourceSecurityGroupId: !Ref RepositorySecurityGroup

  RepositoryToRenderNodeIngress:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref RenderNodeSecurityGroup
      Description: deadline-repository-sg
      IpProtocol: "-1"
      SourceSecurityGroupId: !Ref RepositorySecurityGroup

  RepositoryToWorkstationIngress:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref WorkstationSecurityGroup
      Description: deadline-repository-sg
      IpProtocol: "-1"
      SourceSecurityGroupId: !Ref RepositorySecurityGroup

  # <-- Grant access for Deadline Render Node -->

  RenderNodeToRepositoryIngress:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref RepositorySecurityGroup
      Description: deadline-rendernode-sg
      IpProtocol: "-1"
      SourceSecurityGroupId: !Ref RenderNodeSecurityGroup

  RenderNodeToWorkstationIngress:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref WorkstationSecurityGroup
      Description: deadline-rendernode-sg
      IpProtocol: "-1"
      SourceSecurityGroupId: !Ref RenderNodeSecurityGroup

  RenderNodeToLicenseServerIngress:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref LicenseServerSecurityGroup
      Description: deadline-rendernode-sg
      IpProtocol: "-1"
      SourceSecurityGroupId: !Ref RenderNodeSecurityGroup

  # <-- Grant access for Deadline Workstation -->

  WorkstationToRenderNodeIngress:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref RenderNodeSecurityGroup
      Description: deadline-workstation-sg
      IpProtocol: "-1"
      SourceSecurityGroupId: !Ref WorkstationSecurityGroup

  WorkstationToRepositoryIngress:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref RepositorySecurityGroup
      Description: deadline-workstation-sg
      IpProtocol: "-1"
      SourceSecurityGroupId: !Ref WorkstationSecurityGroup

  WorkstationToLicenseServerIngress:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref LicenseServerSecurityGroup
      Description: deadline-workstation-sg
      IpProtocol: "-1"
      SourceSecurityGroupId: !Ref WorkstationSecurityGroup

Outputs:
  LicenseServerSecurityGroup:
    Value: !Ref LicenseServerSecurityGroup

  RepositorySecurityGroup:
    Value: !Ref RepositorySecurityGroup

  RenderNodeSecurityGroup:
    Value: !Ref RenderNodeSecurityGroup

  WorkstationSecurityGroup:
    Value: !Ref WorkstationSecurityGroup