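#------------------------------------------------------------------------------
# An internal ALB without ACKs for moose only
#
# Every resource in this file is gated on local.is_moose (count = 0 / empty
# for_each otherwise), so the [0] and [count.index] references below are only
# evaluated when the ALB actually exists.
#------------------------------------------------------------------------------

#########################
# DNS Entry
#resource "aws_route53_record" "hec_internal" {
#  count   = local.is_moose ? 1 : 0
#  name    = "iratemoses"
#  type    = "CNAME"
#  zone_id = var.dns_info["legacy_private"]["zone_id"]
#  ttl     = "600"
#  records = [ aws_lb.hec_internal[count.index].dns_name ]
#
#  provider = aws.legacy
#}

# CNAME in the private zone pointing at the internal ALB's DNS name, managed
# through the aws.c2 provider alias (the legacy-zone record above is retired).
resource "aws_route53_record" "hec_internal_accenturefederalcyber" {
  count   = local.is_moose ? 1 : 0
  name    = "iratemoses"
  type    = "CNAME"
  zone_id = var.dns_info["private"]["zone_id"]
  ttl     = "600"
  records = [aws_lb.hec_internal[count.index].dns_name]

  provider = aws.c2
}

#output hec-without-acks-internal-fqdn {
#  value = local.is_moose ? aws_route53_record.hec_internal[0].fqdn : ""
#}

# DNS name of the internal ALB, or "" when the ALB is not created.
output "hec-without-acks-internal-records" {
  value = local.is_moose ? aws_lb.hec_internal[0].dns_name : ""
}

#########################
# Certificate
# We use the public one

#########################
# ELB

# Internal-only ALB (internal = true) placed in the private subnets.
# drop_invalid_header_fields = true has the ALB discard requests whose header
# names are not RFC-compliant instead of forwarding them to the targets.
# NOTE(review): access_logs and enable_deletion_protection are not configured,
# so listener traffic is not audited and an accidental destroy is not blocked;
# consider adding both if an S3 log bucket is available to this module.
resource "aws_lb" "hec_internal" {
  count = local.is_moose ? 1 : 0
  tags  = merge(local.standard_tags, var.tags)

  name                       = "iratemoses"
  load_balancer_type         = "application"
  security_groups            = [data.aws_security_group.hec_internal_elb_security_group[0].id]
  subnets                    = var.private_subnets
  internal                   = true
  drop_invalid_header_fields = true
}

# HTTPS on 443 -> HEC target group on 8088.  Both listeners terminate TLS with
# the same restrictive policy and the same (external) ACM certificate.
# NOTE(review): clients resolving the private "iratemoses" CNAME will only pass
# hostname verification if that name (or a matching wildcard) is among the
# external cert's SANs — confirm before relying on verified TLS internally.
resource "aws_lb_listener" "hec_internal_443" {
  count = local.is_moose ? 1 : 0

  load_balancer_arn = aws_lb.hec_internal[count.index].arn
  port              = 443
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-FS-1-2-Res-2020-10" # PFS, TLS1.2, and GCM; most "restrictive" policy
  certificate_arn   = aws_acm_certificate.hec_cert.arn        # Intentionally using the external cert

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.hec_internal_8088[count.index].arn
  }
}

# HTTPS on the native HEC port 8088 -> the same target group as the 443
# listener, for clients that expect the default HEC port.
resource "aws_lb_listener" "hec_internal_8088" {
  count = local.is_moose ? 1 : 0

  load_balancer_arn = aws_lb.hec_internal[count.index].arn
  port              = 8088
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-FS-1-2-Res-2020-10" # PFS, TLS1.2, and GCM; most "restrictive" policy
  certificate_arn   = aws_acm_certificate.hec_cert.arn        # Intentionally using the external cert

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.hec_internal_8088[count.index].arn
  }
}

# HEC target group (instance targets on 8088 over HTTPS); instances are
# registered through the autoscaling attachment below.  Tagged the same way as
# the ALB so every ELB resource in this file carries the standard tag set.
resource "aws_lb_target_group" "hec_internal_8088" {
  count = local.is_moose ? 1 : 0
  tags  = merge(local.standard_tags, var.tags)

  name        = "${var.prefix}-legacy-hec-int-tgts"
  port        = 8088
  protocol    = "HTTPS"
  target_type = "instance"
  vpc_id      = var.vpc_id

  # Health check uses HTTPS as well, matching the target protocol.
  health_check {
    path     = "/services/collector/health/1.0"
    protocol = "HTTPS"
  }
}

# Attach the instances to the ELB
# One attachment per autoscaling group name in var.elb_attachments; the
# for_each collapses to an empty set when this is not a moose deployment.
resource "aws_autoscaling_attachment" "hec_internal_asg_attachments" {
  for_each = local.is_moose ? toset(var.elb_attachments) : []

  lb_target_group_arn    = aws_lb_target_group.hec_internal_8088[0].arn
  autoscaling_group_name = each.key
}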