ServiceSecurityGroup:
  Type: AWS::EC2::SecurityGroup
  Metadata:
    'aws:copilot:description': 'A security group for your addons/ resources to allow ingress from your service'
  Properties:
    GroupDescription: !Join [ '', [ !Ref AppName, '-', !Ref EnvName, !Ref WorkloadName ] ]
    VpcId:
      Fn::ImportValue:
        !Sub '${AppName}-${EnvName}-VpcId'
    Tags:
      - Key: Name
        Value: !Sub 'copilot-${AppName}-${EnvName}-${WorkloadName}'

EnvironmentSecurityGroupIngressFromServiceSecurityGroup:
  Type: AWS::EC2::SecurityGroupIngress
  Metadata:
    'aws:copilot:description': 'Allow ingress from the app runner service to services in your environment'
  Properties:
    GroupId:
      Fn::ImportValue:
        !Sub '${AppName}-${EnvName}-EnvironmentSecurityGroup'
    IpProtocol: -1
    SourceSecurityGroupId: !Ref ServiceSecurityGroup

VpcConnector:
  Type: AWS::AppRunner::VpcConnector
{{- if gt (len (envControllerParams .)) 0}}
  DependsOn: EnvControllerAction # Ensure NAT gateways are created before connecting to a VPC.
{{- end}}
  Metadata:
    'aws:copilot:description': 'A VPC connector to link your service to subnets in your environment'
  Properties:
    Subnets:
    {{- if .Network.SubnetIDs}}
      {{- range $id := .Network.SubnetIDs}}
      - {{$id}}
      {{- end}}
    {{- else}}
      Fn::Split:
        - ","
        - Fn::ImportValue:
            !Sub '${AppName}-${EnvName}-{{.Network.SubnetsType}}'
    {{- end}}
    SecurityGroups:
      - !Ref ServiceSecurityGroup
      - Fn::ImportValue: !Sub '${AppName}-${EnvName}-EnvironmentSecurityGroup'
    Tags:
      - Key: copilot-application
        Value: !Ref AppName
      - Key: copilot-environment
        Value: !Ref EnvName
      - Key: copilot-service
        Value: !Ref WorkloadName
      {{- if .Tags }}
      {{- range $name, $value := .Tags }}
      - Key: {{$name}}
        Value: {{$value}}
      {{- end }}
      {{- end }}