# Target group for hu-agent on the *private* ALB only. The service is internal;
# nothing in this file registers it on the public ALB.
#
# NOTE(review): ALB -> target traffic is plaintext HTTP (both the protocol
# below and the health check use HTTP). That is acceptable only while the
# target security group admits traffic from this ALB alone — the SG is not
# visible here, confirm it against the ECS service / security group definitions.
resource "aws_lb_target_group" "hu_agent_private" {
  name        = "hu-agent-private-tg"
  vpc_id      = var.vpc_id
  target_type = "ip"   # register IP targets, not instance IDs
  protocol    = "HTTP"
  port        = var.container_port

  # The probe goes to the same port the ALB forwards to ("traffic-port").
  # The matcher is a strict 200: a redirect from the health path (e.g. a 301
  # to HTTPS) would mark the target unhealthy.
  health_check {
    enabled             = true
    protocol            = "HTTP"
    port                = "traffic-port"
    path                = var.health_check_path
    matcher             = "200"
    interval            = 30 # seconds between probes
    timeout             = 10 # seconds before a probe counts as failed
    healthy_threshold   = 2  # consecutive successes to become healthy
    unhealthy_threshold = 3  # consecutive failures to become unhealthy
  }
}

# Existing :80 (HTTP) listener on the private ALB, looked up rather than
# managed here; this file only attaches a rule to it.
# NOTE(review): this binds the service to the plaintext listener only. If the
# private ALB also terminates TLS on :443, clients using that listener will not
# reach hu-agent unless a second lookup and rule are added — not visible here.
data "aws_lb_listener" "private_http" {
  port              = 80
  load_balancer_arn = var.private_alb_arn
}

# Route /hu-agent (and everything under it) on the private :80 listener to the
# hu-agent target group. The only match condition is the path — there is no
# host, header or source-IP condition — so the ALB's reachability (internal
# scheme plus its security group, defined elsewhere) is the whole access
# boundary for this service.
resource "aws_lb_listener_rule" "hu_agent_private" {
  listener_arn = data.aws_lb_listener.private_http.arn

  # Priorities must be unique per listener; a duplicate is rejected by the API
  # when the rule is created, not at plan time. If 100 is already taken on the
  # PRD :80 listener, choose a free value (gated PRD-RO capture task). Lower
  # numbers are evaluated first, so keep this below any broader catch-all rule.
  priority = 100

  condition {
    path_pattern {
      # "/hu-agent/*" does not match the bare "/hu-agent", hence both entries.
      values = ["/hu-agent", "/hu-agent/*"]
    }
  }

  action {
    target_group_arn = aws_lb_target_group.hu_agent_private.arn
    type             = "forward"
  }
}
