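/**
 * # nacl module
 *
 * Code reviewed and improved with Qoder
 *
 * Creates one network ACL in var.vpc_id, associates it with var.subnet_ids and
 * adds one ingress rule per entry of var.ingress_rules and one egress rule per
 * entry of var.egress_rules. Every entry is a comma-separated string with
 * exactly five fields:
 *
 *   "protocol,from_port,to_port,cidr,action"
 *
 * A cidr containing "::" is treated as IPv6, anything else as IPv4. The rule
 * number is 100 + the entry's key, so keys must be numeric (list indices) and
 * the position of an entry decides its precedence: a network ACL evaluates
 * rules from the lowest number upwards and the first match wins, so an early
 * broad "allow" shadows every later "deny". Entries that do not have five
 * fields, or whose action is not allow/deny, are rejected at plan time.
 */

locals {
  # Split each rule string once; the resources below index these lists
  # instead of calling split() separately for every attribute.
  ingress_fields = { for k, v in var.ingress_rules : k => split(",", v) }
  egress_fields  = { for k, v in var.egress_rules : k => split(",", v) }
}

resource "aws_network_acl" "this" {
  vpc_id     = var.vpc_id
  subnet_ids = var.subnet_ids

  tags = {
    Name = var.acl_name
  }
}

# Inbound rules. Field layout: [0] protocol, [1] from_port, [2] to_port,
# [3] cidr (IPv4 or IPv6), [4] action (allow | deny).
resource "aws_network_acl_rule" "ingress" {
  for_each = local.ingress_fields

  network_acl_id = aws_network_acl.this.id
  rule_number    = 100 + tonumber(each.key)
  egress         = false
  protocol       = each.value[0]
  rule_action    = each.value[4]

  # Exactly one of cidr_block / ipv6_cidr_block may be set; "::" only ever
  # appears in IPv6 notation.
  cidr_block      = strcontains(each.value[3], "::") ? null : each.value[3]
  ipv6_cidr_block = strcontains(each.value[3], "::") ? each.value[3] : null

  from_port = tonumber(each.value[1])
  to_port   = tonumber(each.value[2])

  lifecycle {
    # Preconditions run before the attributes above are evaluated, so a
    # malformed entry yields a readable message instead of an "invalid index"
    # error from each.value[4].
    precondition {
      condition     = length(each.value) == 5
      error_message = "ingress_rules[${each.key}] must have exactly 5 comma-separated fields: protocol,from_port,to_port,cidr,action."
    }

    # try() keeps this check from raising its own index error when the
    # field-count check has already failed.
    precondition {
      condition     = contains(["allow", "deny"], try(each.value[4], ""))
      error_message = "ingress_rules[${each.key}]: action (field 5) must be \"allow\" or \"deny\"."
    }
  }
}

# Outbound rules. Same field layout and checks as the ingress rules.
resource "aws_network_acl_rule" "egress" {
  for_each = local.egress_fields

  network_acl_id = aws_network_acl.this.id
  rule_number    = 100 + tonumber(each.key)
  egress         = true
  protocol       = each.value[0]
  rule_action    = each.value[4]

  # Exactly one of cidr_block / ipv6_cidr_block may be set; "::" only ever
  # appears in IPv6 notation.
  cidr_block      = strcontains(each.value[3], "::") ? null : each.value[3]
  ipv6_cidr_block = strcontains(each.value[3], "::") ? each.value[3] : null

  from_port = tonumber(each.value[1])
  to_port   = tonumber(each.value[2])

  lifecycle {
    # Preconditions run before the attributes above are evaluated, so a
    # malformed entry yields a readable message instead of an "invalid index"
    # error from each.value[4].
    precondition {
      condition     = length(each.value) == 5
      error_message = "egress_rules[${each.key}] must have exactly 5 comma-separated fields: protocol,from_port,to_port,cidr,action."
    }

    # try() keeps this check from raising its own index error when the
    # field-count check has already failed.
    precondition {
      condition     = contains(["allow", "deny"], try(each.value[4], ""))
      error_message = "egress_rules[${each.key}]: action (field 5) must be \"allow\" or \"deny\"."
    }
  }
}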