# ---------------------------------------------------------------------------------------------------------------------
# LOAD BALANCER FOR PORTAL
# ---------------------------------------------------------------------------------------------------------------------
# Internet-facing ALB in the public subnets, fronting the customer-portal auto-scaling group (attached
# further down). TLS terminates on the 443 listener with an ACM certificate; targets are reached over
# HTTPS/443 only, and plain HTTP is answered with a 301 to HTTPS.
#
# NOTE(review): this file mixes the `aws_alb*` resource types with `aws_lb_listener`. `aws_alb*` are
# provider aliases of `aws_lb*`, so behaviour is identical; renaming them would change Terraform state
# addresses and needs `moved` blocks / state moves, which is why they are left as they are.
resource "aws_alb" "portal" {
  # checkov:skip=CKV_AWS_150: We don't want 'protection enabled'
  # checkov:skip=CKV2_AWS_28: Portal is protected by WAF
  # NOTE(review): CKV_AWS_150 is *deletion protection*. enable_deletion_protection is not set on this
  # resource, so a `terraform destroy` or a forced replacement removes the production portal's entry
  # point with no second confirmation - confirm that trade-off is intended for every environment.
  # NOTE(review): the CKV2_AWS_28 skip asserts a WAF, but no aws_wafv2_web_acl_association for this ALB
  # is visible in this file - verify the association exists elsewhere and is applied per environment.
  name            = "portal-alb-${var.environment}"
  security_groups = [aws_security_group.customer_portal_alb.id, ]
  internal        = false # tfsec:ignore:aws-elb-alb-not-public The ALB requires Internet exposure
  subnets         = var.public_subnets
  load_balancer_type = "application"
  # Header fields that are not RFC-compliant are dropped by the ALB instead of being forwarded to the
  # targets (AWS behaviour for this flag) - reduces the backend's exposure to header-smuggling tricks.
  drop_invalid_header_fields = true
  tags = merge(local.standard_tags, var.tags, { Name = "portal-alb-${var.environment}" })
  # Access logs go to a per-environment bucket that is NOT managed in this file. Presumably it is created
  # elsewhere; it must exist with a bucket policy allowing the regional ELB log-delivery principal to
  # write, otherwise applying this resource fails. These logs are the edge's only request-level record,
  # so keep them retained and immutable for incident response.
  access_logs {
    bucket  = "xdr-elb-${var.environment}"
    prefix  = ""
    enabled = true
  }
}

# Create a new target group
# Instances are registered through the aws_autoscaling_attachment below, not listed here.
# NOTE(review): for an HTTPS target group the ALB does not validate the certificate presented by the
# target (AWS behaviour), so this provides encryption in transit but not authentication of the backend.
resource "aws_alb_target_group" "portal" {
  name     = "portal-alb-targets-${var.environment}"
  port     = 443
  protocol = "HTTPS"
  vpc_id   = var.vpc_id
  health_check {
    protocol = "HTTPS"
    path     = "/api/health/"
    # NOTE(review): the matcher is an inclusive range, so an HTTP 400 from /api/health/ counts as
    # healthy. If only 2xx/3xx are expected, "200-399" is the tighter value. Left unchanged here because
    # it only affects health evaluation and should be agreed with whoever owns the health endpoint.
    matcher             = "200-400"
    timeout             = "4"
    interval            = "15"
    unhealthy_threshold = 2
    healthy_threshold   = 2
  }
  # Session affinity is explicitly disabled: any healthy instance may serve any request.
  stickiness {
    type    = "lb_cookie"
    enabled = false
  }
  tags = merge(local.standard_tags, var.tags, )
}

# Create a new alb listener ( certificate_arn wait for DNS cut over )
# HTTPS :443 -> portal target group. The certificate is aws_acm_certificate.cert, defined elsewhere in
# the module; the "wait for DNS cut over" remark above presumably refers to ACM validation depending on
# the public DNS record (created below) being live - confirm before relying on a first apply succeeding.
resource "aws_alb_listener" "portal_https" {
  load_balancer_arn = aws_alb.portal.arn
  port              = "443"
  protocol          = "HTTPS"
  # FS-1-2-Res-2020-10: TLS 1.2 only, forward-secret ECDHE key exchange, AEAD (GCM) ciphers only.
  # NOTE(review): AWS also publishes ELBSecurityPolicy-TLS13-1-2-Res-2021-06, which keeps this 1.2 set
  # and adds TLS 1.3; worth switching once client compatibility has been checked.
  ssl_policy      = "ELBSecurityPolicy-FS-1-2-Res-2020-10" # PFS, TLS1.2, and GCM; most "restrictive" policy
  certificate_arn = aws_acm_certificate.cert.arn
  default_action {
    target_group_arn = aws_alb_target_group.portal.arn
    type             = "forward"
  }
}

# HTTPs Redirect
# Plain HTTP on :80 is never forwarded to the targets; it is answered with a permanent (301) redirect to
# the same host/path on HTTPS. NOTE(review): the redirect only protects the first hop - a
# Strict-Transport-Security header has to be emitted by the application, nothing here adds one.
resource "aws_lb_listener" "portal_https_redirect" {
  load_balancer_arn = aws_alb.portal.arn
  port              = "80"
  protocol          = "HTTP"
  default_action {
    type = "redirect"
    redirect {
      port        = "443"
      protocol    = "HTTPS"
      status_code = "HTTP_301"
    }
  }
}

# Attach the instances to the ELB
# Registers the customer-portal ASG (aws_autoscaling_group.customer_portal, defined elsewhere in the
# module) with the target group, so instances launched by the ASG are added to the ALB.
resource "aws_autoscaling_attachment" "customer_portal_asg_attachment" {
  lb_target_group_arn    = aws_alb_target_group.portal.arn
  autoscaling_group_name = aws_autoscaling_group.customer_portal.name
}

#----------
# DNS Entry
#----------
# Public ALIAS record "portal" pointing at the ALB. The explicit provider mapping suggests the hosted
# zone is owned by a different account (aws.mdr-common-services-commercial) - verify against the
# submodule; zone selection itself comes from var.dns_info.
module "public_dns_record" {
  source          = "../../submodules/dns/public_ALIAS_record"
  name            = "portal"
  target_dns_name = aws_alb.portal.dns_name
  target_zone_id  = aws_alb.portal.zone_id
  dns_info        = var.dns_info
  providers = {
    aws.mdr-common-services-commercial = aws.mdr-common-services-commercial
  }
}

#----------------------------------------------------------------------------
# ALB Security Group
#----------------------------------------------------------------------------
# No inline rules; every rule is a separate aws_security_group_rule below.
# NOTE(review): the description says "HTTP" but the rules admit 443 (and 80 only for the redirect).
# Left as is because `description` forces replacement of the security group, which would have to be
# coordinated with the running ALB.
resource "aws_security_group" "customer_portal_alb" {
  name        = "customer_portal_alb_inbound_sg"
  description = "Allow Customer Portal ALB HTTP Traffic Inbound"
  vpc_id      = var.vpc_id
}

#----------------------------------------------------------------------------
# INGRESS
#----------------------------------------------------------------------------
# Primary 443 ingress. Only the literal environment value "test" is restricted (to 10.0.0.0/8).
# NOTE(review): every OTHER value of var.environment (dev, staging, ...) gets 0.0.0.0/0, i.e. an
# Internet-open portal. Confirm this is intended for any non-production environment not named exactly
# "test"; an allow-list of production environment names would fail closed instead.
# NOTE(review): the ALB is Internet-facing, so 10.0.0.0/8 presumably only admits clients that reach the
# ALB's addresses without leaving the VPC/routed networks; clients that egress through a NAT are covered
# by the NAT /32s in the allow-list rule below instead.
resource "aws_security_group_rule" "customer_portal_alb_https" {
  protocol          = "tcp"
  description       = "Portal - Allow 443 from any"
  type              = "ingress"
  from_port         = 443
  to_port           = 443
  security_group_id = aws_security_group.customer_portal_alb.id
  cidr_blocks       = [var.environment == "test" ? "10.0.0.0/8" : "0.0.0.0/0", ]
}

#Allow viewing of test portal from home. We don't want world to view test portal.
# Sources: local.portal_test_whitelist and local.admin_ips (defined elsewhere in the module) plus the
# environment's NAT public IPs as /32s, de-duplicated. Only 443 is opened for these sources - the :80
# redirect rule below does not include them, so allow-listed users must type https:// explicitly in test.
# NOTE(review): unlike the Sensu rule below, this rule has no `count` guard, so it is also created in
# every non-test environment. Harmless where 0.0.0.0/0 already applies, but it is misleading in audits;
# adding `count = var.environment == "test" ? 1 : 0` changes the resource address (index [0]) and needs
# a `moved`/state move, so it is only flagged here. ("staticly" in the description string is a runtime
# attribute and is intentionally left unchanged.)
resource "aws_security_group_rule" "customer_portal_alb_https_test" {
  protocol          = "tcp"
  description       = "Portal - Allow 443 from strictly XDR Engineers staticly assigned address"
  type              = "ingress"
  from_port         = 443
  to_port           = 443
  security_group_id = aws_security_group.customer_portal_alb.id
  cidr_blocks       = flatten(distinct(concat(local.portal_test_whitelist, formatlist("%s/32", var.nat_public_ips), local.admin_ips)))
}

## Needed for HTTPs redirect
# Port 80 exists solely so the 301 redirect listener above can answer; same source restriction and the
# same "only test is restricted" caveat as the 443 rule.
resource "aws_security_group_rule" "customer_portal_alb_http" {
  protocol          = "tcp"
  description       = "Portal - 80 redirect to 443"
  type              = "ingress"
  from_port         = 80
  to_port           = 80
  security_group_id = aws_security_group.customer_portal_alb.id
  cidr_blocks       = [var.environment == "test" ? "10.0.0.0/8" : "0.0.0.0/0", ]
}

# Needed for Sensu Check from the proxy in test
# Created only when var.environment == "test"; admits a single /32 (the proxy's public IP) on 443.
resource "aws_security_group_rule" "customer_portal_sensu_check" {
  count             = var.environment == "test" ? 1 : 0
  protocol          = "tcp"
  description       = "Portal - Allow Sensu Check from proxy in test on 443"
  type              = "ingress"
  from_port         = 443
  to_port           = 443
  security_group_id = aws_security_group.customer_portal_alb.id
  cidr_blocks       = ["${var.proxy_public_ip}/32", ]
}

#----------------------------------------------------------------------------
# EGRESS
#----------------------------------------------------------------------------
# Least-privilege egress: the ALB may only open TCP/443 to members of the instance security group
# (aws_security_group.customer_portal, defined elsewhere). On an egress rule Terraform's
# `source_security_group_id` denotes the DESTINATION group. Health checks use the same port, so nothing
# wider is required. The description says "to any", but the rule is SG-scoped, not 0.0.0.0/0 - the AWS
# provider presumably revokes the default allow-all egress on SG creation, making this the only egress.
resource "aws_security_group_rule" "customer_portal_alb" {
  protocol                 = "tcp"
  description              = "Portal - Allow 443 to any"
  type                     = "egress"
  from_port                = 443
  to_port                  = 443
  security_group_id        = aws_security_group.customer_portal_alb.id
  source_security_group_id = aws_security_group.customer_portal.id
}