# Access policies for Achilles network
#
# Three NetBird policies are declared below. Every rule uses
# action = "accept", protocol = "all" and bidirectional = true, so each policy
# admits any protocol in both directions between the groups it names.
# NOTE(review): nothing in this file narrows traffic to particular services.
# If each pairing only needs a known set of services, restrict the protocol
# (and ports, where the provider supports them) per rule. Confirm the required
# flows with the service owners first.

# Pilots <-> ground stations.
resource "netbird_policy" "pilot_to_gs" {
  name        = "pilot-to-ground-station"
  description = "Allow pilots to connect to ground stations"
  enabled     = true

  rule {
    name    = "pilot-gs-access"
    enabled = true
    action  = "accept"
    # NOTE(review): "all" is broader than the stated purpose (pilots connecting
    # to ground stations) strictly requires. Confirm which protocols are needed.
    protocol = "all"
    # NOTE(review): bidirectional also lets ground-station peers open
    # connections to pilot peers. The description only mentions the
    # pilot -> ground-station direction, so verify the reverse is intended.
    bidirectional = true
    sources       = [netbird_group.pilots.id]
    destinations  = [netbird_group.ground_stations.id]
  }
}

# Operators <-> ground stations, pilots and fusion servers.
resource "netbird_policy" "operator_full_access" {
  name        = "operator-full-access"
  description = "Operators can access all network resources"
  enabled     = true

  rule {
    name     = "operator-all"
    enabled  = true
    action   = "accept"
    protocol = "all"
    # NOTE(review): with bidirectional = true, peers in all three destination
    # groups may also initiate connections to operator peers. A compromised
    # ground station, pilot or fusion server would then have a network path
    # to operator machines. Presumably only operator-initiated access is
    # wanted; confirm, and make the rule one-way if so.
    bidirectional = true
    sources       = [netbird_group.operators.id]
    destinations = [
      netbird_group.ground_stations.id,
      netbird_group.pilots.id,
      netbird_group.fusion_servers.id,
    ]
  }
}

# Fusion servers <-> ground stations.
resource "netbird_policy" "fusion_to_gs" {
  name        = "fusion-to-ground-station"
  description = "Fusion servers coordinate with ground stations"
  enabled     = true

  rule {
    name    = "fusion-gs"
    enabled = true
    action  = "accept"
    # NOTE(review): server-to-server coordination usually runs over a small,
    # known set of services. Verify whether "all" is actually required.
    protocol      = "all"
    bidirectional = true
    sources       = [netbird_group.fusion_servers.id]
    destinations  = [netbird_group.ground_stations.id]
  }
}