AWSTemplateFormatVersion: '2010-09-09'
Description: |-
  Sample LDAPS NLB Stack

  **WARNING**

  This template creates a NLB. You will be billed for the AWS resources used if you create a stack from this template.

  **LICENSE**

  Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.

  SPDX-License-Identifier: MIT-0
Parameters:
  LDAPSCertificateARN:
    Description: ARN of SSL Certificate
    AllowedPattern: "arn:aws:acm:.*"
    Type: String
  VPCId:
    Description: Please provide a VPC to deploy the solution into.
    Type: AWS::EC2::VPC::Id
  SubnetId1:
    Description: Please provide the first Simple AD private subnet id with outbound connectivity within the VPC you selected above.
    Type: AWS::EC2::Subnet::Id
  SubnetId2:
    Description: Please provide the second Simple AD private subnet id with outbound connectivity within the VPC you selected above.
    Type: AWS::EC2::Subnet::Id
  SimpleADPriIP:
    Description: IP Address of primary Simple AD instance
    AllowedPattern: "(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})"
    Type: String
  SimpleADSecIP:
    Description: IP Address of secondary Simple AD instance
    AllowedPattern: "(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})"
    Type: String
Metadata:
  AWS::CloudFormation::Interface:
    ParameterGroups:
    - Label:
        default: Network Configuration
      Parameters:
      - VPCId
      - SubnetId1
      - SubnetId2
      - SimpleADPriIP
      - SimpleADSecIP
      - LDAPSCertificateARN
    ParameterLabels:
      VPCId:
        default: Target VPC for solution
      SubnetId1:
        default: Simple AD Primary Subnet
      SubnetId2:
        default: Simple AD Secondary Subnet
      SimpleADPriIP:
        default: Primary Simple AD Server IP
      SimpleADSecIP:
        default: Secondary Simple AD Server IP
      LDAPSCertificateARN:
        default: ARN for SSL Certificate
Resources:
  NetworkLoadBalancer:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Name: !Join ["-" , [!Ref 'AWS::StackName', NLB]]
      Scheme: internal
      Subnets:
        - !Ref SubnetId1
        - !Ref SubnetId2
      Type: network
  NetworkLoadBalancerTargetGroup:
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    Properties:
      Name: !Join ["-" , [!Ref 'AWS::StackName', Target]]
      Port: 389
      Protocol: TCP
      VpcId: !Ref VPCId
      HealthCheckEnabled: True
      HealthCheckIntervalSeconds: 10
      HealthCheckPort: 389
      HealthCheckProtocol: TCP
      HealthCheckTimeoutSeconds: 10
      HealthyThresholdCount: 3
      TargetGroupAttributes:
        - Key: deregistration_delay.timeout_seconds
          Value: 60
      Targets:
        - Id: !Ref SimpleADPriIP
          Port: 389
        - Id: !Ref SimpleADSecIP
          Port: 389
      TargetType: ip
  NetworkLoadBalancerListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      DefaultActions:
        - Type: forward
          TargetGroupArn: !Ref NetworkLoadBalancerTargetGroup
      LoadBalancerArn: !Ref NetworkLoadBalancer
      Port: '636'
      Protocol: TLS
      SslPolicy: ELBSecurityPolicy-TLS-1-2-2017-01
      Certificates:
        - CertificateArn: !Ref LDAPSCertificateARN
Outputs:
  LDAPSURL:
    Description: LDAPS Route53 Alias Target
    Value: !GetAtt NetworkLoadBalancer.DNSName