package main
import (
	"encoding/json"
	"errors"
	"fmt"
	"os"

	// AWS Pulumi SDK packages for the services used:
	// "github.com/pulumi/pulumi-aws/sdk/v6/go/aws/acm" // uncomment once domain ownership is established; the same goes for the ACM certificate and HTTPS listener blocks further down.
	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/ec2" // VPC, subnets, security groups, elastic IP
	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/ecs" // ECS cluster, service, task definition
	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/iam" // IAM roles and policies
	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/lb"  // application load balancer
	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/rds" // Aurora database
	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/s3"  // S3 object storage
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"      // core Pulumi SDK
)
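// main builds the Nextcloud stack on AWS with Pulumi.
//
// Layout (one VPC, two AZs):
//   - public subnets: the ALB nodes and the NAT gateway (internet-facing)
//   - private subnets: the Fargate tasks and the Aurora cluster; their outbound
//     traffic (image pulls, S3, CloudWatch Logs) leaves through the NAT gateway
//   - an S3 bucket with public access blocked as Nextcloud's primary object store
//   - IAM: an execution role (pull images, write logs) and a task role scoped to
//     the bucket; both are assumable only by ecs-tasks.amazonaws.com
//
// Inputs: POSTGRES_PASSWORD must be set in the environment (the GitLab CI/CD
// variable). The run fails early if it is missing, and the value is marked as a
// Pulumi secret so it is encrypted in the stack state.
//
// Known gaps, left as TODOs in the code rather than silently changed: the ALB
// serves plain HTTP until the ACM certificate and HTTPS listener are enabled,
// the database password reaches the container as an ordinary environment
// variable, and the container image tag is not pinned.
func main() {
	const (
		region = "ap-east-1"
		azA    = region + "a"
		azB    = region + "b"

		vpcCIDR      = "10.0.0.0/16"
		publicCIDR1  = "10.0.1.0/24" // ALB node + NAT gateway, AZ a
		publicCIDR2  = "10.0.2.0/24" // ALB node, AZ b
		privateCIDR1 = "10.0.3.0/24" // Fargate tasks + Aurora, AZ a
		privateCIDR2 = "10.0.4.0/24" // Fargate tasks + Aurora, AZ b

		logGroup = "/ecs/nextcloud"
		// The account ID is hard-coded because this file does not import the aws
		// package that exposes GetCallerIdentity; keep it in sync if the stack moves.
		logGroupARN = "arn:aws:logs:" + region + ":861276113880:log-group:" + logGroup + ":*"

		// TODO(security): pin to a specific release, ideally an @sha256 digest.
		// With a floating tag every replacement task may pull a different image
		// that nobody reviewed, and NEXTCLOUD_UPDATE=1 (set below) then runs an
		// upgrade against the shared database from whichever version starts first.
		nextcloudImage = "nextcloud:latest"
	)

	pulumi.Run(func(ctx *pulumi.Context) error {
		// ACM certificate (and the HTTPS listener further down) stay commented
		// out until DNS validation for the domain is possible. Until then every
		// request, including the admin login, travels in clear text on port 80.
		// certificate, err := acm.NewCertificate(ctx, "nextcloud-certificate", &acm.CertificateArgs{
		// 	DomainName:       pulumi.String("jnube.joeb.dpdns.org"), // replace with your domain
		// 	ValidationMethod: pulumi.String("DNS"),
		// 	Tags:             pulumi.StringMap{"Name": pulumi.String("nextcloud-certificate")},
		// })
		// if err != nil {
		// 	return err
		// }

		pgPassword := os.Getenv("POSTGRES_PASSWORD") // supplied by the GitLab CI/CD variable of the same name
		if pgPassword == "" {
			return errors.New("POSTGRES_PASSWORD is not set; refusing to create the database with an empty master password")
		}
		// Marking the value as a secret makes Pulumi encrypt it in state; every
		// output derived from it (the container definition below) inherits that.
		dbPassword := pulumi.ToSecret(pulumi.String(pgPassword)).(pulumi.StringOutput)

		// ---- Network ---------------------------------------------------------

		vpc, err := ec2.NewVpc(ctx, "nextcloud-vpc", &ec2.VpcArgs{
			CidrBlock:          pulumi.String(vpcCIDR),
			EnableDnsHostnames: pulumi.Bool(true), // RDS and ALB hostnames must resolve inside the VPC
			EnableDnsSupport:   pulumi.Bool(true),
			Tags:               pulumi.StringMap{"Name": pulumi.String("nextcloud-vpc")},
		})
		if err != nil {
			return err
		}

		igw, err := ec2.NewInternetGateway(ctx, "nextcloud-igw", &ec2.InternetGatewayArgs{
			VpcId: vpc.ID(),
			Tags:  pulumi.StringMap{"Name": pulumi.String("nextcloud-igw")},
		})
		if err != nil {
			return err
		}

		// newSubnet creates one subnet in the VPC. Public subnets auto-assign
		// public IPs (the NAT gateway and ALB nodes live there); private ones do not.
		newSubnet := func(name, cidr, az string, public bool) (*ec2.Subnet, error) {
			return ec2.NewSubnet(ctx, name, &ec2.SubnetArgs{
				VpcId:               vpc.ID(),
				CidrBlock:           pulumi.String(cidr),
				AvailabilityZone:    pulumi.String(az),
				MapPublicIpOnLaunch: pulumi.Bool(public),
				Tags:                pulumi.StringMap{"Name": pulumi.String(name)},
			})
		}
		publicSubnet1, err := newSubnet("nextcloud-public-subnet-1", publicCIDR1, azA, true)
		if err != nil {
			return err
		}
		publicSubnet2, err := newSubnet("nextcloud-public-subnet-2", publicCIDR2, azB, true)
		if err != nil {
			return err
		}
		privateSubnet1, err := newSubnet("nextcloud-private-subnet-1", privateCIDR1, azA, false)
		if err != nil {
			return err
		}
		privateSubnet2, err := newSubnet("nextcloud-private-subnet-2", privateCIDR2, azB, false)
		if err != nil {
			return err
		}

		// A single NAT gateway in AZ a serves the private subnets of both AZs, so
		// an AZ-a outage also removes egress for AZ-b tasks (cost trade-off).
		natEip, err := ec2.NewEip(ctx, "nextcloud-nat-eip", &ec2.EipArgs{
			Domain: pulumi.String("vpc"),
			Tags:   pulumi.StringMap{"Name": pulumi.String("nextcloud-nat-eip")},
		})
		if err != nil {
			return err
		}
		natGateway, err := ec2.NewNatGateway(ctx, "nextcloud-nat-gw", &ec2.NatGatewayArgs{
			AllocationId: natEip.ID(),
			SubnetId:     publicSubnet1.ID(),
			Tags:         pulumi.StringMap{"Name": pulumi.String("nextcloud-nat-gw")},
		})
		if err != nil {
			return err
		}

		publicRouteTable, err := ec2.NewRouteTable(ctx, "nextcloud-public-rt", &ec2.RouteTableArgs{
			VpcId: vpc.ID(),
			Tags:  pulumi.StringMap{"Name": pulumi.String("nextcloud-public-rt")},
		})
		if err != nil {
			return err
		}
		if _, err = ec2.NewRoute(ctx, "nextcloud-public-route", &ec2.RouteArgs{
			RouteTableId:         publicRouteTable.ID(),
			DestinationCidrBlock: pulumi.String("0.0.0.0/0"),
			GatewayId:            igw.ID(), // public subnets reach the internet directly
		}); err != nil {
			return err
		}

		privateRouteTable, err := ec2.NewRouteTable(ctx, "nextcloud-private-rt", &ec2.RouteTableArgs{
			VpcId: vpc.ID(),
			Tags:  pulumi.StringMap{"Name": pulumi.String("nextcloud-private-rt")},
		})
		if err != nil {
			return err
		}
		privateRoute, err := ec2.NewRoute(ctx, "nextcloud-private-route", &ec2.RouteArgs{
			RouteTableId:         privateRouteTable.ID(),
			DestinationCidrBlock: pulumi.String("0.0.0.0/0"),
			NatGatewayId:         natGateway.ID(), // private subnets only go out through the NAT gateway
		})
		if err != nil {
			return err
		}

		// privateNetReady collects the resources a task in a private subnet needs
		// before it can pull its image; the ECS service depends on them explicitly
		// because nothing in its arguments references the route or associations.
		privateNetReady := []pulumi.Resource{privateRoute}
		for _, a := range []struct {
			name    string
			subnet  *ec2.Subnet
			rt      *ec2.RouteTable
			private bool
		}{
			{"nextcloud-public-rt-assoc-1", publicSubnet1, publicRouteTable, false},
			{"nextcloud-public-rt-assoc-2", publicSubnet2, publicRouteTable, false},
			{"nextcloud-private-rt-assoc-1", privateSubnet1, privateRouteTable, true},
			{"nextcloud-private-rt-assoc-2", privateSubnet2, privateRouteTable, true},
		} {
			assoc, err := ec2.NewRouteTableAssociation(ctx, a.name, &ec2.RouteTableAssociationArgs{
				SubnetId:     a.subnet.ID(),
				RouteTableId: a.rt.ID(),
			})
			if err != nil {
				return err
			}
			if a.private {
				privateNetReady = append(privateNetReady, assoc)
			}
		}

		// ---- Security groups -------------------------------------------------
		// Traffic is layered: internet -> ALB (80/443) -> tasks (80, from the ALB
		// group only) -> Aurora (5432, from the task group only).

		anyEgress := ec2.SecurityGroupEgressArray{
			&ec2.SecurityGroupEgressArgs{
				Protocol:   pulumi.String("-1"),
				FromPort:   pulumi.Int(0),
				ToPort:     pulumi.Int(0),
				CidrBlocks: pulumi.StringArray{pulumi.String("0.0.0.0/0")},
			},
		}

		albSecurityGroup, err := ec2.NewSecurityGroup(ctx, "nextcloud-alb-sg", &ec2.SecurityGroupArgs{
			VpcId:       vpc.ID(),
			Description: pulumi.String("Security group for Nextcloud ALB"),
			Ingress: ec2.SecurityGroupIngressArray{
				&ec2.SecurityGroupIngressArgs{ // HTTP from anywhere
					Protocol:   pulumi.String("tcp"),
					FromPort:   pulumi.Int(80),
					ToPort:     pulumi.Int(80),
					CidrBlocks: pulumi.StringArray{pulumi.String("0.0.0.0/0")},
				},
				&ec2.SecurityGroupIngressArgs{ // HTTPS from anywhere; idle until the HTTPS listener is enabled
					Protocol:   pulumi.String("tcp"),
					FromPort:   pulumi.Int(443),
					ToPort:     pulumi.Int(443),
					CidrBlocks: pulumi.StringArray{pulumi.String("0.0.0.0/0")},
				},
			},
			Egress: anyEgress,
			Tags:   pulumi.StringMap{"Name": pulumi.String("nextcloud-alb-sg")},
		})
		if err != nil {
			return err
		}

		fargateSecurityGroup, err := ec2.NewSecurityGroup(ctx, "nextcloud-fargate-sg", &ec2.SecurityGroupArgs{
			VpcId:       vpc.ID(),
			Description: pulumi.String("Security group for Nextcloud Fargate tasks"),
			// The container only exposes port 80 (see the task definition's
			// portMappings), so that is the only port opened, and only to the ALB.
			// TLS, when enabled, terminates at the ALB.
			Ingress: ec2.SecurityGroupIngressArray{
				&ec2.SecurityGroupIngressArgs{
					Protocol:       pulumi.String("tcp"),
					FromPort:       pulumi.Int(80),
					ToPort:         pulumi.Int(80),
					SecurityGroups: pulumi.StringArray{albSecurityGroup.ID()},
				},
			},
			// Outbound stays open: image pulls, S3, CloudWatch Logs and Aurora all
			// leave through here (via the NAT gateway).
			Egress: anyEgress,
			Tags:   pulumi.StringMap{"Name": pulumi.String("nextcloud-fargate-sg")},
		})
		if err != nil {
			return err
		}

		dbSecurityGroup, err := ec2.NewSecurityGroup(ctx, "nextcloud-db-sg", &ec2.SecurityGroupArgs{
			VpcId:       vpc.ID(),
			Description: pulumi.String("Security group for Nextcloud Aurora Serverless PostgreSQL database"),
			Ingress: ec2.SecurityGroupIngressArray{
				&ec2.SecurityGroupIngressArgs{ // PostgreSQL from the Fargate tasks only
					Protocol:       pulumi.String("tcp"),
					FromPort:       pulumi.Int(5432),
					ToPort:         pulumi.Int(5432),
					SecurityGroups: pulumi.StringArray{fargateSecurityGroup.ID()},
				},
			},
			Egress: ec2.SecurityGroupEgressArray{
				&ec2.SecurityGroupEgressArgs{ // the database never needs to reach anything but the tasks
					Protocol:       pulumi.String("-1"),
					FromPort:       pulumi.Int(0),
					ToPort:         pulumi.Int(0),
					SecurityGroups: pulumi.StringArray{fargateSecurityGroup.ID()},
				},
			},
			Tags: pulumi.StringMap{"Name": pulumi.String("nextcloud-db-sg")},
		})
		if err != nil {
			return err
		}

		// ---- Database --------------------------------------------------------

		dbSubnetGroup, err := rds.NewSubnetGroup(ctx, "nextcloud-db-subnet-group", &rds.SubnetGroupArgs{
			SubnetIds: pulumi.StringArray{privateSubnet1.ID(), privateSubnet2.ID()},
			Tags:      pulumi.StringMap{"Name": pulumi.String("nextcloud-db-subnet-group")},
		})
		if err != nil {
			return err
		}

		// Aurora Serverless v2: provisioned engine mode plus a db.serverless
		// instance. SkipFinalSnapshot is a deliberate dev-environment choice —
		// destroying the stack deletes the data with no backup.
		database, err := rds.NewCluster(ctx, "nextcloud-db", &rds.ClusterArgs{
			ClusterIdentifier: pulumi.String("nextcloud-aurora-cluster"),
			Engine:            pulumi.String(rds.EngineTypeAuroraPostgresql),
			EngineMode:        pulumi.String(rds.EngineModeProvisioned),
			EngineVersion:     pulumi.String("16.6"),
			DatabaseName:      pulumi.String("nextcloud"),
			MasterUsername:    pulumi.String("nextclouduser"),
			MasterPassword:    dbPassword,
			StorageEncrypted:  pulumi.Bool(true),
			Serverlessv2ScalingConfiguration: &rds.ClusterServerlessv2ScalingConfigurationArgs{
				MaxCapacity:           pulumi.Float64(2),
				MinCapacity:           pulumi.Float64(0), // may pause entirely after the idle period below
				SecondsUntilAutoPause: pulumi.Int(3600),
			},
			SkipFinalSnapshot:   pulumi.Bool(true),
			VpcSecurityGroupIds: pulumi.StringArray{dbSecurityGroup.ID()},
			DbSubnetGroupName:   dbSubnetGroup.Name,
		})
		if err != nil {
			return err
		}
		if _, err = rds.NewClusterInstance(ctx, "database", &rds.ClusterInstanceArgs{
			ClusterIdentifier: database.ID(),
			InstanceClass:     pulumi.String("db.serverless"),
			// Same engine as the cluster. The enum constant is used directly rather
			// than re-deriving it from database.Engine through an ApplyT whose
			// parameter type (pulumi.String) did not match the output's element type.
			Engine:        rds.EngineTypeAuroraPostgresql,
			EngineVersion: database.EngineVersion,
		}); err != nil {
			return err
		}

		// ---- Object storage --------------------------------------------------

		// ForceDestroy is intentional for this environment: `pulumi destroy`
		// removes the bucket and all user data in it without a confirmation step.
		s3Bucket, err := s3.NewBucket(ctx, "nextcloud-s3-bucket", &s3.BucketArgs{
			Bucket:       pulumi.String("nextcloud-data-bucket-joe-123"), // must be globally unique
			Acl:          pulumi.String("private"),
			ForceDestroy: pulumi.Bool(true),
			Tags:         pulumi.StringMap{"Name": pulumi.String("nextcloud-data-bucket")},
		})
		if err != nil {
			return err
		}
		if _, err = s3.NewBucketPublicAccessBlock(ctx, "nextcloud-bucket-pab", &s3.BucketPublicAccessBlockArgs{
			Bucket:                s3Bucket.ID(),
			BlockPublicAcls:       pulumi.Bool(true),
			BlockPublicPolicy:     pulumi.Bool(true),
			IgnorePublicAcls:      pulumi.Bool(true),
			RestrictPublicBuckets: pulumi.Bool(true),
		}); err != nil {
			return err
		}

		// ---- IAM -------------------------------------------------------------

		// Trust policy shared by both ECS roles: only the ECS tasks service may assume them.
		const ecsTrustPolicy = `{
  "Version": "2012-10-17",
  "Statement": [
    { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "ecs-tasks.amazonaws.com" } }
  ]
}`

		// Execution role: used by the ECS agent to pull the image and ship logs.
		taskExecutionRole, err := iam.NewRole(ctx, "nextcloud-task-execution-role", &iam.RoleArgs{
			AssumeRolePolicy: pulumi.String(ecsTrustPolicy),
		})
		if err != nil {
			return err
		}
		// Task role: the identity the Nextcloud process itself runs as (S3 access).
		taskRole, err := iam.NewRole(ctx, "nextcloud-task-role", &iam.RoleArgs{
			AssumeRolePolicy: pulumi.String(ecsTrustPolicy),
		})
		if err != nil {
			return err
		}

		if _, err = iam.NewRolePolicyAttachment(ctx, "nextcloud-task-execution-policy", &iam.RolePolicyAttachmentArgs{
			Role:      taskExecutionRole.Name,
			PolicyArn: pulumi.String("arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"),
		}); err != nil {
			return err
		}
		// The AWS-managed SecretsManagerReadWrite policy is no longer attached to
		// the execution role: nothing in this stack reads from Secrets Manager, and
		// read/write on every secret in the account is far broader than an ECS
		// execution role should hold. When the database password moves to Secrets
		// Manager (see the task definition), grant secretsmanager:GetSecretValue on
		// that one secret's ARN instead.

		s3Policy, err := iam.NewPolicy(ctx, "nextcloud-s3-policy", &iam.PolicyArgs{
			Description: pulumi.String("Policy for accessing Nextcloud S3 bucket"),
			// Bucket-level and object-level actions are granted on the resource each
			// applies to. The effective permissions are the same as listing all four
			// actions against both ARNs, but the intent is explicit.
			Policy: s3Bucket.Arn.ApplyT(func(bucketArn string) (string, error) {
				return fmt.Sprintf(`{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:ListBucket"],
      "Resource": %q
    },
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
      "Resource": %q
    }
  ]
}`, bucketArn, bucketArn+"/*"), nil
			}).(pulumi.StringOutput),
		})
		if err != nil {
			return err
		}
		if _, err = iam.NewRolePolicyAttachment(ctx, "nextcloud-s3-policy-attachment", &iam.RolePolicyAttachmentArgs{
			Role:      taskRole.Name,
			PolicyArn: s3Policy.Arn,
		}); err != nil {
			return err
		}

		// CreateLogGroup is needed because the container's log driver is
		// configured with awslogs-create-group=true.
		cloudwatchPolicy, err := iam.NewPolicy(ctx, "nextcloud-cloudwatch-policy", &iam.PolicyArgs{
			Description: pulumi.String("Policy for CloudWatch Logs access for Nextcloud"),
			Policy: pulumi.String(fmt.Sprintf(`{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
      "Resource": %q
    }
  ]
}`, logGroupARN)),
		})
		if err != nil {
			return err
		}
		if _, err = iam.NewRolePolicyAttachment(ctx, "nextcloud-cloudwatch-policy-attachment", &iam.RolePolicyAttachmentArgs{
			Role:      taskExecutionRole.Name,
			PolicyArn: cloudwatchPolicy.Arn,
		}); err != nil {
			return err
		}

		// ---- Load balancer ---------------------------------------------------

		cluster, err := ecs.NewCluster(ctx, "nextcloud-cluster", &ecs.ClusterArgs{
			Tags: pulumi.StringMap{"Name": pulumi.String("nextcloud-cluster")},
		})
		if err != nil {
			return err
		}

		alb, err := lb.NewLoadBalancer(ctx, "nextcloud-alb", &lb.LoadBalancerArgs{
			Subnets:          pulumi.StringArray{publicSubnet1.ID(), publicSubnet2.ID()},
			SecurityGroups:   pulumi.StringArray{albSecurityGroup.ID()},
			LoadBalancerType: pulumi.String("application"),
			Tags:             pulumi.StringMap{"Name": pulumi.String("nextcloud-alb")},
		})
		if err != nil {
			return err
		}

		targetGroup, err := lb.NewTargetGroup(ctx, "nextcloud-tg", &lb.TargetGroupArgs{
			Port:       pulumi.Int(80),
			Protocol:   pulumi.String("HTTP"),
			TargetType: pulumi.String("ip"), // Fargate tasks register by ENI address
			VpcId:      vpc.ID(),
			HealthCheck: &lb.TargetGroupHealthCheckArgs{
				Path:               pulumi.String("/status.php"),
				Protocol:           pulumi.String("HTTP"),
				Port:               pulumi.String("80"),
				HealthyThreshold:   pulumi.Int(2),
				UnhealthyThreshold: pulumi.Int(3),
				Timeout:            pulumi.Int(10), // Nextcloud is slow to answer while starting
				Interval:           pulumi.Int(30),
				Matcher:            pulumi.String("200,302"),
			},
			Tags: pulumi.StringMap{"Name": pulumi.String("nextcloud-tg")},
		})
		if err != nil {
			return err
		}

		// Plain-HTTP listener. When the HTTPS listener below is enabled, turn this
		// one into a redirect to 443 instead of forwarding.
		listener, err := lb.NewListener(ctx, "nextcloud-listener", &lb.ListenerArgs{
			LoadBalancerArn: alb.Arn,
			Port:            pulumi.Int(80),
			Protocol:        pulumi.String("HTTP"),
			DefaultActions: lb.ListenerDefaultActionArray{
				&lb.ListenerDefaultActionArgs{
					Type:           pulumi.String("forward"),
					TargetGroupArn: targetGroup.Arn,
				},
			},
		})
		if err != nil {
			return err
		}
		// HTTPS listener — enable together with the ACM certificate above.
		// _, err = lb.NewListener(ctx, "nextcloud-listener-https", &lb.ListenerArgs{
		// 	LoadBalancerArn: alb.Arn,
		// 	Port:            pulumi.Int(443),
		// 	Protocol:        pulumi.String("HTTPS"),
		// 	CertificateArn:  certificate.Arn,
		// 	DefaultActions: lb.ListenerDefaultActionArray{
		// 		&lb.ListenerDefaultActionArgs{
		// 			Type:           pulumi.String("forward"),
		// 			TargetGroupArn: targetGroup.Arn,
		// 		},
		// 	},
		// })
		// if err != nil {
		// 	return err
		// }

		// ---- ECS task + service ----------------------------------------------

		taskDefinition, err := ecs.NewTaskDefinition(ctx, "nextcloud-task", &ecs.TaskDefinitionArgs{
			Family:                  pulumi.String("nextcloud"),
			NetworkMode:             pulumi.String("awsvpc"), // required for Fargate
			RequiresCompatibilities: pulumi.StringArray{pulumi.String("FARGATE")},
			Cpu:                     pulumi.String("512"),  // 0.5 vCPU
			Memory:                  pulumi.String("1024"), // MiB
			ExecutionRoleArn:        taskExecutionRole.Arn,
			TaskRoleArn:             taskRole.Arn,
			// No volumes: user data lives in S3, not EFS.
			// The definition is rendered with encoding/json rather than a format
			// string so that a password (or host/bucket name) containing quotes or
			// backslashes cannot break or alter the JSON. Because dbPassword is a
			// secret, the whole ContainerDefinitions output is secret in state.
			ContainerDefinitions: pulumi.All(database.Endpoint, alb.DnsName, dbPassword, s3Bucket.Bucket).ApplyT(func(args []any) (string, error) {
				dbEndpoint := args[0].(string) // Aurora writer endpoint
				albDNSName := args[1].(string)
				password := args[2].(string)
				bucket := args[3].(string)

				envVar := func(name, value string) map[string]string {
					return map[string]string{"name": name, "value": value}
				}
				environment := []map[string]string{
					envVar("POSTGRES_HOST", dbEndpoint),
					envVar("POSTGRES_DB", "nextcloud"),
					envVar("POSTGRES_USER", "nextclouduser"),
					envVar("POSTGRES_PORT", "5432"),
					// TODO(security): move this to the task definition's "secrets"
					// block (valueFrom = a Secrets Manager ARN). A plain environment
					// entry is readable by anyone with ecs:DescribeTaskDefinition and
					// is shown in the ECS console; grant secretsmanager:GetSecretValue
					// on that ARN to the execution role when doing so.
					envVar("POSTGRES_PASSWORD", password),
					envVar("NEXTCLOUD_ADMIN_USER", "admin"),
					// 192.168.1.9 is not an address in this VPC; it looks like a
					// leftover from local testing — TODO confirm and drop.
					envVar("NEXTCLOUD_TRUSTED_DOMAINS", albDNSName+" localhost 127.0.0.1 192.168.1.9"),
					envVar("APACHE_DISABLE_REWRITE_IP", "1"),
					// Only the ALB nodes may set X-Forwarded-* headers. They sit in the
					// two public subnets, so trust exactly those ranges, not the VPC.
					envVar("TRUSTED_PROXIES", publicCIDR1+" "+publicCIDR2),
					// Stays "http" until the HTTPS listener exists; flip to "https" then.
					envVar("OVERWRITEPROTOCOL", "http"),
					envVar("OVERWRITEHOST", albDNSName),
					envVar("PHP_MEMORY_LIMIT", "512M"),
					envVar("PHP_UPLOAD_LIMIT", "1024M"),
					envVar("NEXTCLOUD_DATA_DIR", "/var/www/html/data"),
					envVar("AWS_DEFAULT_REGION", region),
					envVar("S3_BUCKET", bucket),
					// No OBJECTSTORE_S3_KEY/SECRET are set, so this relies on the image
					// falling back to the task-role credentials — TODO confirm for the
					// image version actually deployed.
					envVar("OBJECTSTORE_S3_BUCKET", bucket),
					envVar("OBJECTSTORE_S3_REGION", region),
					envVar("OBJECTSTORE_S3_HOST", "s3."+region+".amazonaws.com"),
					envVar("OBJECTSTORE_S3_PORT", "443"),
					envVar("OBJECTSTORE_S3_SSL", "true"),
					envVar("OBJECTSTORE_S3_USEPATH_STYLE", "false"),
					envVar("NEXTCLOUD_UPDATE", "1"),
				}

				defs := []map[string]any{{
					"name":  "nextcloud",
					"image": nextcloudImage,
					"portMappings": []map[string]any{
						{"containerPort": 80, "protocol": "tcp"},
					},
					"environment": environment,
					"logConfiguration": map[string]any{
						"logDriver": "awslogs",
						"options": map[string]string{
							"awslogs-group":         logGroup,
							"awslogs-region":        region,
							"awslogs-stream-prefix": "ecs",
							"awslogs-create-group":  "true", // needs logs:CreateLogGroup on the execution role (granted above)
						},
					},
					"essential": true,
				}}
				encoded, err := json.Marshal(defs)
				if err != nil {
					return "", fmt.Errorf("encoding container definitions: %w", err)
				}
				return string(encoded), nil
			}).(pulumi.StringOutput),
		})
		if err != nil {
			return err
		}

		service, err := ecs.NewService(ctx, "nextcloud-service", &ecs.ServiceArgs{
			Cluster:        cluster.Arn,
			TaskDefinition: taskDefinition.Arn,
			LaunchType:     pulumi.String("FARGATE"),
			DesiredCount:   pulumi.Int(2),
			// Tasks run in the private subnets with no public IP: they are reachable
			// only through the ALB and reach the internet via the NAT gateway, which
			// is what the private subnets and route table were created for.
			NetworkConfiguration: &ecs.ServiceNetworkConfigurationArgs{
				Subnets:        pulumi.StringArray{privateSubnet1.ID(), privateSubnet2.ID()},
				SecurityGroups: pulumi.StringArray{fargateSecurityGroup.ID()},
				AssignPublicIp: pulumi.Bool(false),
			},
			LoadBalancers: ecs.ServiceLoadBalancerArray{
				&ecs.ServiceLoadBalancerArgs{
					TargetGroupArn: targetGroup.Arn,
					ContainerName:  pulumi.String("nextcloud"),
					ContainerPort:  pulumi.Int(80),
				},
			},
			Tags: pulumi.StringMap{"Name": pulumi.String("nextcloud-service")},
		},
			// The service only references the target group, so without this ECS may
			// be asked to register against a target group that has no listener yet
			// (an AWS error), and tasks may start before the NAT route exists.
			pulumi.DependsOn(append(privateNetReady, listener)),
		)
		if err != nil {
			return err
		}

		ctx.Export("serviceArn", service.ID())
		ctx.Export("albDnsName", alb.DnsName)
		return nil
	})
}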