---
AWSTemplateFormatVersion: 2010-09-09


Parameters:
  LaunchType:
    Type: String
    Default: Fargate
    AllowedValues:
      - Fargate
      - EC2

  CreateHTTPSListener:
    Type: String
    Default: false
    AllowedValues:
      - true
      - false

  CertificateARN:
    Type: String
    Description: >
      Specify the ARN of the SSL certificate to be used on HTTPS listener (if CreateHTTPSListener=true)

  Subnets:
    Type: List<AWS::EC2::Subnet::Id>

  VpcId:
    Type: String


Conditions:
  EC2: !Equals [ !Ref LaunchType, "EC2" ]
  HTTP: !Equals [ !Ref CreateHTTPSListener, "false" ]
  HTTPS: !Equals [ !Ref CreateHTTPSListener, "true" ]

Resources:
  SecurityGroup:
    Type: "AWS::EC2::SecurityGroup"
    Properties:
      GroupDescription: !Sub ${AWS::StackName}-alb
      SecurityGroupIngress:
        - CidrIp: "0.0.0.0/0"
          IpProtocol: "TCP"
          FromPort: 443
          ToPort: 443
      VpcId: !Ref VpcId

  LoadBalancer:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Subnets: !Ref Subnets
      SecurityGroups:
        - !Ref SecurityGroup

  LoadBalancerListenerSSL:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Condition: HTTPS
    Properties:
      LoadBalancerArn: !Ref LoadBalancer
      Port: 443
      Protocol: HTTPS
      Certificates: 
        - CertificateArn: !Ref CertificateARN
      DefaultActions:
        - Type: forward
          TargetGroupArn: !Ref TargetGroup

  TargetGroup:
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    DependsOn: LoadBalancer
    Properties:
      VpcId: !Ref VpcId
      Port: 443
      Protocol: HTTPS
      Matcher:
        HttpCode: 200-299
      HealthCheckIntervalSeconds: 10
      HealthCheckPath: /idp/
      HealthCheckProtocol: HTTPS
      HealthCheckTimeoutSeconds: 5
      HealthyThresholdCount: 2
      TargetType: !If [ EC2, "instance", "ip" ]
      TargetGroupAttributes:
        - Key: deregistration_delay.timeout_seconds
          Value: 30
        - Key: stickiness.enabled
          Value: true
        - Key: stickiness.type
          Value: lb_cookie
        - Key: stickiness.lb_cookie.duration_seconds
          Value: 86400

  ListenerRuleSSL:
    Type: AWS::ElasticLoadBalancingV2::ListenerRule
    Condition: HTTPS
    Properties:
      ListenerArn: !Ref LoadBalancerListenerSSL
      Priority: 1
      Conditions:
        - Field: path-pattern
          Values:
            - /
      Actions:
        - TargetGroupArn: !Ref TargetGroup
          Type: forward


Outputs:
  TargetGroup:
    Value: !Ref TargetGroup

  CanonicalHostedZoneID:
    Value: !GetAtt LoadBalancer.CanonicalHostedZoneID

  DNSName:
    Value: !GetAtt LoadBalancer.DNSName

  ServiceUrl:
    Description: URL of the load balancer for the idp service.
    Value: !Sub https://${LoadBalancer.DNSName}/idp/

  SecurityGroup:
    Value: !Ref SecurityGroup