## security group for http from internet to ALB resource :SgAlb, 'AWS::EC2::SecurityGroup' do

group_description 'HTTP access to ALB from internet'
vpc_id Fn::import_value(Fn::sub('${<%= vpc %>}-<%= vpcid %>'))
security_group_ingress [
  { CidrIp: '0.0.0.0/0', IpProtocol: :tcp, FromPort: 80,  ToPort: 80 },
  { CidrIp: '0.0.0.0/0', IpProtocol: :tcp, FromPort: 443, ToPort: 443 },
]
security_group_egress [
  { CidrIp: '0.0.0.0/0', IpProtocol: '-1', FromPort: 0, ToPort: 0 }
]
tag :Name, Fn::ref('AWS::StackName')

end

## security group for http from ALB to containers resource :SgWeb, 'AWS::EC2::SecurityGroup' do

group_description 'HTTP access from ALB to containers'
vpc_id Fn::import_value(Fn::sub('${<%= vpc %>}-<%= vpcid %>'))
security_group_egress [
  { CidrIp: '0.0.0.0/0', IpProtocol: '-1', FromPort: 0, ToPort: 0 }
]
tag :Name, Fn::ref('AWS::StackName')

end

## separate resource so we can point sg to itself resource :SgWebIngress, 'AWS::EC2::SecurityGroupIngress', DependsOn: :SgWeb do

group_id Fn::ref(:SgWeb)
ip_protocol :tcp
from_port 0
to_port 65535
source_security_group_id Fn::ref(:SgWeb)

end