resource "hcloud_firewall" "trading_system" {
  name = "${var.name}-firewall"

  dynamic "rule" {
    for_each = length(var.admin_cidr_blocks) > 0 ? [22] : []
    content {
      direction  = "in"
      protocol   = "tcp"
      port       = tostring(rule.value)
      source_ips = var.admin_cidr_blocks
    }
  }

  rule {
    direction  = "in"
    protocol   = "tcp"
    port       = "80"
    source_ips = ["0.0.0.0/0", "::/0"]
  }

  rule {
    direction  = "in"
    protocol   = "tcp"
    port       = "443"
    source_ips = ["0.0.0.0/0", "::/0"]
  }

  dynamic "rule" {
    for_each = length(var.admin_cidr_blocks) > 0 ? [6443] : []
    content {
      direction  = "in"
      protocol   = "tcp"
      port       = tostring(rule.value)
      source_ips = var.admin_cidr_blocks
    }
  }

  rule {
    direction       = "in"
    protocol        = "icmp"
    source_ips      = ["0.0.0.0/0", "::/0"]
    destination_ips = []
  }
}