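variable "project_id" {
  description = "STACKIT project ID"
  type        = string
}

variable "name" {
  description = "Security group name"
  type        = string
}

variable "description" {
  description = "Security group description"
  type        = string
  default     = ""
}

# Rule schema.
# Every attribute except `direction` is optional and is passed through as null
# when unset.
# NOTE(review): a rule that sets neither `ip_range` nor
# `remote_security_group_id` carries no remote restriction in this schema;
# confirm with the provider whether that is treated as "any address" before
# relying on such a rule.
variable "rules" {
  description = "List of security group rules"
  type = list(object({
    direction   = string           # ingress | egress
    description = optional(string)
    ether_type  = optional(string) # IPv4 | IPv6
    icmp_parameters = optional(object({
      type = optional(number)
      code = optional(number)
    }))
    ip_range = optional(string) # CIDR
    port_range = optional(object({
      min = number
      max = number
    }))
    protocol = optional(object({
      name   = optional(string) # tcp | udp | icmp
      number = optional(number) # OR protocol number
    }))
    remote_security_group_id = optional(string)
  }))

  # direction is compared case-insensitively, so "Ingress" passes this check;
  # the value is still forwarded as written.
  validation {
    condition = alltrue([
      for r in var.rules : contains(["ingress", "egress"], lower(r.direction))
    ])
    error_message = "Each rule.direction must be 'ingress' or 'egress'."
  }

  validation {
    condition = alltrue([
      for r in var.rules : r.ether_type == null ? true : contains(["IPv4", "IPv6"], r.ether_type)
    ])
    error_message = "Each rule.ether_type must be 'IPv4' or 'IPv6' when set."
  }

  # port_range min <= max when provided
  validation {
    condition = alltrue([
      for r in var.rules : (
        r.port_range == null ? true : (r.port_range.min <= r.port_range.max)
      )
    ])
    error_message = "Each rule.port_range.min must be <= rule.port_range.max."
  }

  # Port numbers are 16-bit; anything outside 0..65535 is not a valid TCP/UDP
  # port and would otherwise only fail at apply time.
  validation {
    condition = alltrue([
      for r in var.rules : (
        r.port_range == null ? true : (r.port_range.min >= 0 && r.port_range.max <= 65535)
      )
    ])
    error_message = "Each rule.port_range.min and rule.port_range.max must be within 0..65535."
  }

  # ip_range must parse as a CIDR prefix. cidrhost accepts both IPv4 and IPv6
  # prefixes and rejects bare addresses (no "/len") and malformed strings.
  validation {
    condition = alltrue([
      for r in var.rules : r.ip_range == null ? true : can(cidrhost(r.ip_range, 0))
    ])
    error_message = "Each rule.ip_range must be a valid CIDR prefix (e.g. 10.0.0.0/8 or 2001:db8::/32) when set."
  }

  # When both are set, the address family of ip_range must match ether_type.
  # cidrnetmask only succeeds for IPv4 prefixes, so can(cidrnetmask(...)) is
  # true exactly for IPv4 ranges.
  validation {
    condition = alltrue([
      for r in var.rules : (
        r.ip_range == null ? true : (
          r.ether_type == null ? true : (
            (r.ether_type == "IPv4") == can(cidrnetmask(r.ip_range))
          )
        )
      )
    ])
    error_message = "Each rule.ip_range address family must match rule.ether_type (IPv4 range with 'IPv4', IPv6 range with 'IPv6')."
  }

  # IP protocol numbers are a single octet.
  validation {
    condition = alltrue([
      for r in var.rules : (
        r.protocol == null ? true : (
          r.protocol.number == null ? true : (
            r.protocol.number >= 0 && r.protocol.number <= 255
          )
        )
      )
    ])
    error_message = "Each rule.protocol.number must be within 0..255 when set."
  }
}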