API Gateway HTTP API calling Keycloak ECS

If I understood your question well, in order to create a route for ECS you must create a listener with a rule that should include the conditions for the path-based routing (i.e., /idp).

Make sure your ECS is registered with a Target Group through the above listener and get your ECS Task to have the necessary mappings in order to work.

Currently, we have like this:

Creating ALB

const applicationLoadBalancer = new elbv2.ApplicationLoadBalancer(
      this,
      'alb',
      {
        vpc,
        vpcSubnets: vpc.selectSubnets({ subnetType: ec2.SubnetType.PUBLIC }),
        internetFacing: true,
      }
    );

Adding listener, with certificate:

const listener = applicationLoadBalancer.addListener(
      'http-listener',
      {
        protocol: elbv2.ApplicationProtocol.HTTPS,
        certificates: [
          {
            certificateArn: platformCertificate.certificateArn,
          },
        ],
      }
    );

And addTargets

    listener.addTargets('ecs-targets', {
      targets: [fargateService],
      healthCheck: {
        path: "/health",
        enabled: true,
        protocol: elbv2.Protocol.HTTP,
        timeout: cdk.Duration.seconds(30),
        interval: cdk.Duration.seconds(45),
        healthyThresholdCount: 3,
        unhealthyThresholdCount: 3,
      },
      slowStart: cdk.Duration.seconds(60),
      stickinessCookieDuration: cdk.Duration.days(1),
      port: 8080,
      protocol: elbv2.ApplicationProtocol.HTTP,
    });

In the end we create CNAME

new route53.CnameRecord(this, 'cname', {
      domainName: applicationLoadBalancer.loadBalancerDnsName,
      recordName: `idp.${platformUrl}`,
      zone: hostedZone,
    });

And this is working in idp.example.com as expected.

Now I tried to add conditions conditions: [elbv2.ListenerCondition.pathPatterns(["/idp"])] and create new route like we are doing in the AppRunner

    new apigateway.HttpRoute(this, 'add-route-idp', {
      httpApi,
      routeKey: apigateway.HttpRouteKey.with("/idp", apigateway.HttpMethod.ANY),
      integration: new integrations.HttpUrlIntegration(
        'idp-integration',
        `http://idp.${platformUrl}`
      ),
    });

I know I am missing some knowledge here about ALB especially. In perfect scenario I would also like to avoid creating CNAME record and just map loadbalancerDNS to my route with /idp.

You're on the right track, Anyway these are the 3 steps that I would suggest:

1. Add a new listener rule to your ALB that forwards requests from dev.example.com/idp to the appropriate target group associated with your Keycloak ECS service.
2. Create a new route in API Gateway with the path /idp. The integration URL should point to your ALB’s DNS name.
3. Instead of creating a CNAME record for idp.${platformUrl}, create an A record for dev.example.com that aliases to your ALB.