# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
# SPDX-License-Identifier: MIT-0
AWSTemplateFormatVersion: 2010-09-09

Parameters:
  CustomSubnetId:
    Type: String
    Default: ""
    Description: If you do not have a default VPC, or want to use a different VPC, specify the ID of a subnet in which to place the instance used to customize your EC2 AMI. If not specified, a subnet from your default VPC will be used.
  CustomSecurityGroupId:
    Type: CommaDelimitedList
    Default: ""
    Description: Required if you specified a custom subnet ID. Comma-delimted list of one or more IDs of security groups belonging to the VPC to associate with the instance used to customize your EC2 AMI.
  BuildInstanceType:
    Type: CommaDelimitedList
    Default: "t2.micro"
    Description: Comma-delimited list of one or more instance types to select from when building the image. Image Builder will select a type based on availability. The supplied default is compatible with the AWS Free Tier.

Conditions:
  UseCustomSubnetId: !Not [ !Equals [ !Ref CustomSubnetId, "" ] ]

Resources:
  # Create an S3 Bucket for logs.
  # When deleting the stack, make sure to empty the bucket first.
  # https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket.html
  ImageBuilderLogBucket:
    Type: AWS::S3::Bucket
    # If you want to delete the stack, but keep the bucket, set the DelectionPolicy to Retain.
    # https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-attribute-deletionpolicy.html
    # DeletionPolicy: Retain
    Properties:
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        IgnorePublicAcls: true
        BlockPublicPolicy: true
        RestrictPublicBuckets: true
      VersioningConfiguration:
        Status: Enabled

  # By default, AWS Services do not have permission to perform actions on your instances. This grants
  # AWS Systems Manager (SSM) and EC2 Image Builder the necessary permissions to build an image.
  # https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html
  # https://docs.aws.amazon.com/imagebuilder/latest/userguide/image-builder-setting-up.html
  InstanceRole:
    Type: AWS::IAM::Role
    Metadata:
      Comment: Role to be used by instance during image build.
    Properties:
      ManagedPolicyArns:
        - Fn::Sub: arn:${AWS::Partition}:iam::aws:policy/AmazonSSMManagedInstanceCore
        - Fn::Sub: arn:${AWS::Partition}:iam::aws:policy/EC2InstanceProfileForImageBuilder
      AssumeRolePolicyDocument:
        Statement:
          - Action:
              - sts:AssumeRole
            Effect: Allow
            Principal:
              Service:
                - !Sub 'ec2.${AWS::URLSuffix}'
        Version: "2012-10-17"
      Path: /executionServiceEC2Role/

  # Policy to allow the instance to write to the S3 bucket (via instance role / instance profile).
  # https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-policy.html
  InstanceRoleLoggingPolicy:
    Type: AWS::IAM::Policy
    Metadata:
      Comment: Allows the instance to save log files to an S3 bucket.
    Properties:
      PolicyName: ImageBuilderLogBucketPolicy
      Roles:
        - Ref: InstanceRole
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Action:
              - s3:PutObject
            Effect: Allow
            Resource:
              - Fn::Sub:
                  - arn:${AWS::Partition}:s3:::${BUCKET}/*
                  - BUCKET:
                      Ref: ImageBuilderLogBucket

  # To pass the InstanceRole to an EC2 instance, we need an InstanceProfile.
  # This profile will be used during the image build process.
  # https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2_instance-profiles.html
  InstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Path: /executionServiceEC2Role/
      Roles:
        - Ref: InstanceRole

  # Specifies the infrastructure within which to build and test your image.
  # https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-imagebuilder-infrastructureconfiguration.html
  UbuntuServer20ImageInfrastructureConfiguration:
    Type: AWS::ImageBuilder::InfrastructureConfiguration
    Properties:
      Name: UbuntuServer20-Image-Infrastructure-Configuration
      InstanceProfileName:
        Ref: InstanceProfile
      # Set of one or more instance types to use when building the instance. Image Builder will select a type
      # based on availability.
      InstanceTypes:
        Ref: BuildInstanceType
      # Specify an S3 bucket and EC2 Image Builder will save logs to the bucket.
      Logging:
        S3Logs:
          S3BucketName:
            Ref: ImageBuilderLogBucket
          S3KeyPrefix: !Join [ "-", [ 'imagebuilder', !Ref "AWS::StackName" ] ]
      # If you would like to keep the instance running after a failed build, set TerminateInstanceOnFailure to false.
      # TerminateInstanceOnFailure: false
      # If you do not have a default VPC or want to use a different VPC, you must specify the IDs of a subnet and one or more
      # security groups to be associated with the build instance.
      SubnetId: !If [ UseCustomSubnetId, !Ref CustomSubnetId , !Ref "AWS::NoValue" ]
      SecurityGroupIds:
        - !If [ UseCustomSubnetId, !Ref CustomSecurityGroupId , !Ref "AWS::NoValue" ]

  # Recipe which references the latest (x.x.x) version of Ubuntu Server 20 AMI.
  # https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-imagebuilder-imagerecipe.html
  UbuntuServer20NET6ImageRecipe:
    Type: AWS::ImageBuilder::ImageRecipe
    Properties:
      Name: UbuntuServer20NET6
      Version: 0.0.1
      # ${AWS::Partition} returns the partition where you are running the CloudFormation template. For standard AWS regions, the
      # partition is aws. For resources elsewhere, the partition is aws-partitionname. For example, China (Beijing and Ningxia)
      # regions use aws-cn and AWS GovCloud (US) regions are aws-us-gov.
      # https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/pseudo-parameter-reference.html
      ParentImage:
        Fn::Sub: arn:${AWS::Partition}:imagebuilder:${AWS::Region}:aws:image/ubuntu-server-20-lts-x86/x.x.x
      Components:
        - ComponentArn:
            Fn::Sub: arn:${AWS::Partition}:imagebuilder:${AWS::Region}:aws:component/dotnet-sdk-linux/6.x.x

  # The CloudWatch LogGroup for the image build logs is provided to ensure the LogGroup is cleaned up if the stack is deleted.
  UbuntuServer20Net6LogGroup:
    Type: AWS::Logs::LogGroup
    DeletionPolicy: Delete
    UpdateReplacePolicy: Delete
    Properties:
      LogGroupName: /aws/imagebuilder/UbuntuServer20NET6
      RetentionInDays: 3

  # The Image resource will show complete in CloudFormation once your image is done building. Use this resource later in your
  # stack to reference the image within other resources.
  # https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-imagebuilder-image.html
  UbuntuServer20WithNET6:
    Type: AWS::ImageBuilder::Image
    Properties:
      ImageRecipeArn:
        Ref: UbuntuServer20NET6ImageRecipe
      InfrastructureConfigurationArn:
        Ref: UbuntuServer20ImageInfrastructureConfiguration

  # Create an SSM Parameter Store entry with our resulting ImageId.
  # https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ssm-parameter.html
  UbuntuServer20WithNET6Parameter:
    Type: AWS::SSM::Parameter
    Properties:
      Description: Image Id for Ubuntu Server 20 With latest .NET 6
      Name: /Test/Images/UbuntuServer20WithNET6
      Type: String
      Value:
        Fn::GetAtt: [UbuntuServer20WithNET6, ImageId]