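#----------------------------------------------------------------------------
# EXTERNAL LB
#----------------------------------------------------------------------------
# Internet-facing application load balancer, HTTPS-only, placed in the public
# subnets and fronting the targets listed in var.target_ids.
resource "aws_lb" "external" {
  # ALB name_prefix is capped at 6 characters; AWS appends a random suffix.
  name_prefix        = substr("${var.name}-ext-lb", 0, 6)
  security_groups    = [aws_security_group.lb_server_external.id]
  internal           = false
  subnets            = var.public_subnets
  load_balancer_type = "application"

  # This LB terminates requests straight from the internet. Dropping HTTP
  # headers whose names are not valid RFC 7230 tokens removes one class of
  # header-confusion input before it reaches the targets (AWS Foundational
  # Security Best Practices control ELB.4). Request desync mitigation is left
  # at the provider default ("defensive").
  drop_invalid_header_fields = true

  # NOTE(review): enable_deletion_protection is not set, so a `terraform
  # destroy` or a careless apply can remove the public entry point — confirm
  # that is intended for this environment before relying on it.

  # Access logs go to a per-environment bucket that is not managed in this
  # file; it is assumed to exist with a bucket policy that lets the regional
  # ELB log-delivery principal write to it (verify, or log delivery fails
  # silently from the LB's point of view).
  access_logs {
    bucket  = "xdr-elb-${var.environment}"
    enabled = true
  }

  tags = merge(var.tags, { Name = "${var.name}-lb-external-${var.environment}" })
}

# Target group the HTTPS listener forwards to. var.target_protocol governs
# LB -> target traffic: if it is "HTTP", TLS is terminated at the LB and the
# hop to the targets inside the VPC is in the clear.
resource "aws_lb_target_group" "external" {
  name_prefix = substr("${var.name}-ext-lb", 0, 6)
  port        = var.target_port
  protocol    = var.target_protocol
  #deregistration_delay = "${local.lb_deregistration_delay}"
  vpc_id      = var.vpc_id

  # AWS requires timeout to be strictly less than interval; 4s/5s is an
  # aggressive setting that fails targets quickly. healthy_threshold and
  # unhealthy_threshold are left at provider defaults.
  health_check {
    protocol = local.healthcheck_protocol
    port     = local.healthcheck_port
    path     = var.healthcheck_path
    matcher  = var.healthcheck_matcher
    timeout  = "4"
    interval = "5"
  }

  # Session affinity via the LB-managed cookie, toggled per deployment.
  stickiness {
    type    = "lb_cookie"
    enabled = var.stickiness
  }

  tags = merge(var.tags, { Name = "${var.name}-lb-external-${var.environment}" })
}

# One attachment per entry in var.target_ids (which must be a set or map
# for for_each); every target is registered on the same var.target_port.
resource "aws_lb_target_group_attachment" "external" {
  for_each         = var.target_ids
  target_group_arn = aws_lb_target_group.external.arn
  target_id        = each.value
  port             = var.target_port
}

# HTTPS-only listener. No plaintext HTTP listener (and hence no HTTP -> HTTPS
# redirect) is defined here; whether port 80 is reachable at all is decided by
# the security group, which is not visible in this file.
resource "aws_lb_listener" "https_external" {
  load_balancer_arn = aws_lb.external.arn
  port              = var.listener_port
  protocol          = "HTTPS"

  # Forward-secrecy-only, TLS 1.2-only, restricted cipher list. If TLS 1.3 is
  # wanted, the TLS13-1-2-Res policy family is the equivalent restrictive choice.
  ssl_policy = "ELBSecurityPolicy-FS-1-2-Res-2019-08"

  # NOTE(review): this points at the certificate resource directly. If the
  # certificate is DNS/email-validated through aws_acm_certificate_validation,
  # reference that resource's certificate_arn instead so the listener is not
  # created before issuance completes (the validation resource is not visible here).
  certificate_arn = aws_acm_certificate.cert_public.arn

  default_action {
    target_group_arn = aws_lb_target_group.external.arn
    type             = "forward"
  }
}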