# Copyright 2018 Amazon.com, Inc. or its affiliates. All Rights Reserved.
# SPDX-License-Identifier: MIT-0

AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  VPC:
    Type: "AWS::EC2::VPC::Id"
    Description: "VPC ID for creating the application"
  ProjectTag:
    Type: String
    Description: Tag to apply to created resources for visibility
    Default: ProxySQLDemo
  AllowedCidrIngress:
    Type: String
    MinLength: 9
    MaxLength: 18
    AllowedPattern: "(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})/(\\d{1,2})"
    ConstraintDescription: Must be a valid CIDR range in the form x.x.x.x/YY
    Default: 0.0.0.0/0
  AppPublicCIDRA:
    Type: String
  AppPublicCIDRB:
    Type: String
Resources:
  DBFirewall:
    Type: "AWS::EC2::SecurityGroup"
    Properties:
      GroupDescription: !Join ["", ["Stack ", !Ref "AWS::StackId", " RDS"]]
      VpcId: !Ref VPC
      SecurityGroupIngress:
        -
          SourceSecurityGroupId: 
            Fn::GetAtt:
            - ProxySQLFirewall
            - GroupId
          IpProtocol: tcp
          ToPort: "3306"
          FromPort: "3306"
      SecurityGroupEgress:
        -
          CidrIp: 0.0.0.0/0
          ToPort: "-1"
          IpProtocol: "-1"
      Tags:
        - Key: Project
          Value: !Ref ProjectTag
  ProxySQLFirewall:
    Type: "AWS::EC2::SecurityGroup"
    Properties:
      GroupDescription: !Join ["", ["Stack ", !Ref "AWS::StackId", " ProxySQL"]]
      VpcId: !Ref VPC
      SecurityGroupIngress:
        -
          CidrIp: !Ref AllowedCidrIngress
          IpProtocol: tcp
          ToPort: "6033"
          FromPort: "3306"
        -
          CidrIp: !Ref AppPublicCIDRA
          IpProtocol: tcp
          ToPort: "6033"
          FromPort: "3306"
        -
          CidrIp: !Ref AppPublicCIDRB
          IpProtocol: tcp
          ToPort: "6033"
          FromPort: "3306"
        -
          CidrIp: !Ref AppPublicCIDRA
          IpProtocol: tcp
          ToPort: "80"
          FromPort: "80"
        -
          CidrIp: !Ref AppPublicCIDRB
          IpProtocol: tcp
          ToPort: "80"
          FromPort: "80"
      SecurityGroupEgress:
        -
          CidrIp: 0.0.0.0/0
          ToPort: "-1"
          IpProtocol: "-1"
  SshFirewall:
    Type: "AWS::EC2::SecurityGroup"
    Properties:
      GroupDescription: !Join ["", ["Stack ", !Ref "AWS::StackId", " SSH"]]
      VpcId: !Ref VPC
      SecurityGroupIngress:
        -
          CidrIp: !Ref AllowedCidrIngress
          IpProtocol: tcp
          ToPort: "22"
          FromPort: "22"
        -
          CidrIp: !Ref AppPublicCIDRA
          IpProtocol: tcp
          ToPort: "22"
          FromPort: "22"
        -
          CidrIp: !Ref AppPublicCIDRB
          IpProtocol: tcp
          ToPort: "22"
          FromPort: "22"
      SecurityGroupEgress:
        -
          CidrIp: 0.0.0.0/0
          ToPort: "-1"
          IpProtocol: "-1"
Outputs:
  ProxySQLFirewallId:
    Description: ID of proxysql security group
    Value: !Ref ProxySQLFirewall
  SshFirewallId:
    Description: ID of SSH security group
    Value: !Ref SshFirewall
  DBFirewallId:
    Description: ID of database security group
    Value: !Ref DBFirewall