#----------------------------------------------------------------------------
# Internet-facing ALB in front of the "hec" endpoint on the Cribl workers
# (hec is presumably the HTTP Event Collector input - confirm against the
# worker configuration). Everything below is created only when
# local.alsi_hec_alb is true; resources keyed by count.index are indexed [0]
# or [count.index] accordingly.
#----------------------------------------------------------------------------
resource "aws_lb" "alsi-alb-hec" {
  # checkov:skip=CKV2_AWS_28: TO DO - WAF
  # checkov:skip=CKV_AWS_150: Skip deletion protection - Test env
  # NOTE(review): CKV2_AWS_28 is the "public ALB protected by WAF" check; the
  # skip above records it as a TODO, so this ALB currently has no WAF in front
  # of it. Until one is attached, the only admission control is the security
  # group CIDR rules further down in this file.
  count = local.alsi_hec_alb ? 1 : 0
  name = "${var.prefix}-alsi-alb-hec"
  internal = false # tfsec:ignore:aws-elb-alb-not-public The ALB requires Internet exposure
  load_balancer_type = "application"
  # Requests whose header names are not RFC-compliant are dropped by the ALB
  # instead of being passed through to the targets.
  drop_invalid_header_fields = true # Not supported for NLB
  security_groups = [aws_security_group.alsi-alb-hec-sg.id]
  # Note, changing subnets results in recreation of the resource
  subnets = var.subnets
  enable_cross_zone_load_balancing = true
  # Access logs go to a per-environment bucket that is not managed in this
  # file; it is assumed to exist with a policy allowing ELB log delivery.
  access_logs {
    bucket = "xdr-elb-${var.environment}"
    enabled = true
  }
  tags = merge(local.standard_tags, var.tags)
}
#########################
# Listeners
# HTTPS listener: terminates TLS with the cert_hec ACM certificate and
# forwards to the 8088 target group.
resource "aws_lb_listener" "alsi-alb-hec-listener-https" {
  count = local.alsi_hec_alb ? 1 : 0
  load_balancer_arn = aws_lb.alsi-alb-hec[count.index].arn
  port = "443"
  protocol = "HTTPS"
  # NOTE(review): this policy is TLS 1.2 only with forward-secret GCM suites.
  # A TLS 1.3-capable restrictive policy could be considered if all HEC
  # clients support it - verify client compatibility before changing.
  ssl_policy = "ELBSecurityPolicy-FS-1-2-Res-2020-10" # PFS, TLS1.2, and GCM; most "restrictive" policy
  # aws_acm_certificate.cert_hec is declared elsewhere. NOTE(review): if that
  # certificate is DNS/email validated, the listener may be created before the
  # certificate is issued unless something depends on its validation resource
  # - confirm against the certificate definition.
  certificate_arn = aws_acm_certificate.cert_hec[count.index].arn
  default_action {
    type = "forward"
    target_group_arn = aws_lb_target_group.alsi-alb-hec-target-8088[count.index].arn
  }
}
# Only alb's can redirect
# Plain-HTTP listener whose only action is a permanent (301) redirect to the
# HTTPS listener on 443; no traffic is forwarded to targets over HTTP.
resource "aws_lb_listener" "alsi-alb-hec-listener-http" {
  count = local.alsi_hec_alb ? 1 : 0
  load_balancer_arn = aws_lb.alsi-alb-hec[count.index].arn
  port = "80"
  protocol = "HTTP"
  default_action {
    type = "redirect"
    redirect {
      port = "443"
      protocol = "HTTPS"
      status_code = "HTTP_301"
    }
  }
}
#########################
# Targets
# Target group for the worker instances on 8088. Traffic from the ALB to the
# targets is HTTPS, so the hop is encrypted end to end; note that an ALB does
# not by default validate the target's certificate, so this provides
# transport encryption rather than backend authentication.
resource "aws_lb_target_group" "alsi-alb-hec-target-8088" {
  count = local.alsi_hec_alb ? 1 : 0
  name = "${var.prefix}-alsi-hec-8088"
  port = 8088
  protocol = "HTTPS"
  target_type = "instance"
  vpc_id = var.vpc_id
  tags = merge(local.standard_tags, var.tags)
  # Health check hits the service on the same port as live traffic. The
  # matcher also treats 405 as healthy - presumably because the health path
  # rejects the GET method the ALB uses; confirm with the worker's API.
  health_check {
    enabled = true
    path = "/api/v1/health"
    port = 8088
    protocol = "HTTPS"
    matcher = "200,405"
  }
  # sure would be nice to check the actual port
  #health_check {
  #  enabled = true
  #  path = "/"
  #  port = 9000
  #  protocol = "HTTPS"
  #}
}
# One attachment per worker instance. The count is zero when the ALB is
# disabled, which is why the target group can be indexed with a fixed [0].
# aws_instance.worker and local.alsi_workers are declared elsewhere.
resource "aws_lb_target_group_attachment" "alsi-alb-hec-target-8088-instance" {
  count = local.alsi_workers * (local.alsi_hec_alb ? 1 : 0)
  target_group_arn = aws_lb_target_group.alsi-alb-hec-target-8088[0].arn
  target_id = aws_instance.worker[count.index].id
  port = 8088
}
#----------------------------------------------------------------------------
# Security Group for ALB
#----------------------------------------------------------------------------
# The group itself carries no inline rules; ingress and egress are the
# separate aws_security_group_rule resources below. name_prefix plus
# create_before_destroy lets a replacement group be created under a fresh
# name before the old one is removed.
resource "aws_security_group" "alsi-alb-hec-sg" {
  name_prefix = "${var.prefix}-alsi-alb-hec-sg"
  lifecycle { create_before_destroy = true } # handle updates gracefully
  description = "Security Group for the Cribl ALB for hec"
  vpc_id = var.vpc_id
  tags = merge(local.standard_tags, var.tags)
}
#----------------------------------------------------------------------------
# INGRESS
#----------------------------------------------------------------------------
# Inbound 443 from the VPC access ranges, the trusted IP list and the
# configured Splunk data sources. toset() de-duplicates the concatenated
# CIDR lists; Terraform converts the set back to the list cidr_blocks expects.
resource "aws_security_group_rule" "alsi-alb-hec-https-in" {
  type = "ingress"
  description = "HTTPS - Inbound"
  from_port = 443
  to_port = 443
  protocol = "tcp"
  cidr_blocks = toset(concat(local.cidr_map["vpc-access"], local.trusted_ips, local.splunk_data_sources))
  security_group_id = aws_security_group.alsi-alb-hec-sg.id
}
# NOTE(review): the resource label says "elastic" but this rule belongs to the
# hec ALB security group - looks like a copy/paste leftover. Renaming it
# changes the Terraform address and would recreate the rule unless a moved
# block is used, so it is left as-is here.
resource "aws_security_group_rule" "alsi-elastic-http-in" {
  # Port 80 is open as a redirect to 443
  # Same source ranges as the HTTPS rule; the HTTP listener only ever answers
  # with a 301 to HTTPS.
  type = "ingress"
  description = "HTTP redirect HTTPS - Inbound"
  from_port = 80
  to_port = 80
  protocol = "tcp"
  cidr_blocks = toset(concat(local.cidr_map["vpc-access"], local.trusted_ips, local.splunk_data_sources))
  security_group_id = aws_security_group.alsi-alb-hec-sg.id
}
#----------------------------------------------------------------------------
# EGRESS
#----------------------------------------------------------------------------
# The only outbound rule: 8088/tcp to the worker security group, matching the
# target group port above. For an egress rule the provider's
# source_security_group_id is the destination group. Because the group is
# managed by Terraform, the AWS default allow-all egress rule is not kept, so
# the ALB can reach nothing else outbound.
resource "aws_security_group_rule" "alsi-alb-hec-8088-out" {
  type = "egress"
  description = "8088 - Outbound"
  from_port = 8088
  to_port = 8088
  protocol = "tcp"
  source_security_group_id = aws_security_group.alsi_worker_security_group.id
  security_group_id = aws_security_group.alsi-alb-hec-sg.id
}
#----------------------------------------------------------------------------
# DNS Entry
#----------------------------------------------------------------------------
# Public CNAME for the ALB, created through the aws.mdr-common-services-commercial
# provider alias (the public zone is presumably in another account). The short
# TTL keeps cut-overs quick if the ALB is recreated.
resource "aws_route53_record" "alsi-alb-hec" {
  count = local.alsi_hec_alb ? 1 : 0
  zone_id = var.dns_info["public"]["zone_id"]
  name = "${var.prefix}-alsi-hec"
  type = "CNAME"
  records = [aws_lb.alsi-alb-hec[count.index].dns_name]
  ttl = "60"
  provider = aws.mdr-common-services-commercial
}