AWSTemplateFormatVersion: '2010-09-09'
Description: 'DemoGo-ECS200 Prerequisite - Network CloudFormation Template'
Mappings:
  CidrMappings:
    private-subnet-1: {CIDR: 10.0.3.0/24}
    private-subnet-2: {CIDR: 10.0.4.0/24}
    public-subnet-1: {CIDR: 10.0.1.0/24}
    public-subnet-2: {CIDR: 10.0.2.0/24}
    vpc: {CIDR: 10.0.0.0/16}
  DomainNameMappings:
    eu-west-1: {Domain: eu-west-1.compute.internal}
    us-east-1: {Domain: ec2.internal}
    us-east-2: {Domain: us-east-2.compute.internal}
    us-west-2: {Domain: us-west-2.compute.internal}
    ap-northeast-2: {Domain: ap-northeast-2.compute.internal}
Outputs:
  PrivateSubnet1:
    Description: The first private subnet.
    Value: {Ref: PrivateSubnet1}
  PrivateSubnet2:
    Description: The second private subnet.
    Value: {Ref: PrivateSubnet2}
  PublicSubnet1:
    Description: The first public subnet.
    Value: {Ref: PublicSubnet1}
  PublicSubnet2:
    Description: The second public subnet.
    Value: {Ref: PublicSubnet2}
  VPC:
    Description: The VPC Id.
    Value: {Ref: VPC}
  VpcCidr:
    Description: The CIDR block of the VPC.
    Value:
      Fn::FindInMap: [CidrMappings, vpc, CIDR]
Parameters: 
  myKeyPair: 
    Description: Name of an existing EC2 KeyPair to enable SSH access to the instance
    Type: "AWS::EC2::KeyPair::KeyName"
Resources:
  AttachGateway:
    DependsOn: [VPC, InternetGateway]
    Properties:
      InternetGatewayId: {Ref: InternetGateway}
      VpcId: {Ref: VPC}
    Type: AWS::EC2::VPCGatewayAttachment
  DHCPOptions:
    Properties:
      DomainName:
        Fn::FindInMap:
        - DomainNameMappings
        - {Ref: 'AWS::Region'}
        - Domain
      DomainNameServers: [AmazonProvidedDNS]
    Type: AWS::EC2::DHCPOptions
  EIP:
    Properties: {Domain: vpc}
    Type: AWS::EC2::EIP
  InternetGateway: {DependsOn: VPC, Type: 'AWS::EC2::InternetGateway'}
  NAT:
    DependsOn: AttachGateway
    Properties:
      AllocationId:
        Fn::GetAtt: [EIP, AllocationId]
      SubnetId: {Ref: PublicSubnet1}
    Type: AWS::EC2::NatGateway
  PrivateRoute:
    DependsOn: [PrivateRouteTable, NAT]
    Properties:
      DestinationCidrBlock: 0.0.0.0/0
      NatGatewayId: {Ref: NAT}
      RouteTableId: {Ref: PrivateRouteTable}
    Type: AWS::EC2::Route
  PrivateRouteTable:
    DependsOn: [VPC, AttachGateway]
    Properties:
      Tags:
      - {Key: Name, Value: PrivateRouteTable}
      VpcId: {Ref: VPC}
    Type: AWS::EC2::RouteTable
  PrivateSubnet1:
    DependsOn: AttachGateway
    Properties:
      AvailabilityZone:
        Fn::Select:
        - '0'
        - {'Fn::GetAZs': ''}
      CidrBlock:
        Fn::FindInMap: [CidrMappings, private-subnet-1, CIDR]
      Tags:
      - {Key: Name, Value: PrivateSubnet1}
      VpcId: {Ref: VPC}
    Type: AWS::EC2::Subnet
  PrivateSubnet1RouteTableAssociation:
    DependsOn: [PrivateRouteTable, PrivateSubnet1]
    Properties:
      RouteTableId: {Ref: PrivateRouteTable}
      SubnetId: {Ref: PrivateSubnet1}
    Type: AWS::EC2::SubnetRouteTableAssociation
  PrivateSubnet2:
    DependsOn: AttachGateway
    Properties:
      AvailabilityZone:
        Fn::Select:
        - '1'
        - {'Fn::GetAZs': ''}
      CidrBlock:
        Fn::FindInMap: [CidrMappings, private-subnet-2, CIDR]
      Tags:
      - {Key: Name, Value: PrivateSubnet2}
      VpcId: {Ref: VPC}
    Type: AWS::EC2::Subnet
  PrivateSubnet2RouteTableAssociation:
    DependsOn: [PrivateRouteTable, PrivateSubnet2]
    Properties:
      RouteTableId: {Ref: PrivateRouteTable}
      SubnetId: {Ref: PrivateSubnet2}
    Type: AWS::EC2::SubnetRouteTableAssociation
  PublicRoute:
    DependsOn: [PublicRouteTable, AttachGateway]
    Properties:
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: {Ref: InternetGateway}
      RouteTableId: {Ref: PublicRouteTable}
    Type: AWS::EC2::Route
  PublicRouteTable:
    DependsOn: [VPC, AttachGateway]
    Properties:
      Tags:
      - {Key: Name, Value: PublicRouteTable}
      VpcId: {Ref: VPC}
    Type: AWS::EC2::RouteTable
  PublicSubnet1:
    DependsOn: AttachGateway
    Properties:
      AvailabilityZone:
        Fn::Select:
        - '0'
        - {'Fn::GetAZs': ''}
      CidrBlock:
        Fn::FindInMap: [CidrMappings, public-subnet-1, CIDR]
      Tags:
      - {Key: Name, Value: PublicSubnet1}
      VpcId: {Ref: VPC}
    Type: AWS::EC2::Subnet
  PublicSubnet1RouteTableAssociation:
    DependsOn: [PublicRouteTable, PublicSubnet1, AttachGateway]
    Properties:
      RouteTableId: {Ref: PublicRouteTable}
      SubnetId: {Ref: PublicSubnet1}
    Type: AWS::EC2::SubnetRouteTableAssociation
  PublicSubnet2:
    DependsOn: AttachGateway
    Properties:
      AvailabilityZone:
        Fn::Select:
        - '1'
        - {'Fn::GetAZs': ''}
      CidrBlock:
        Fn::FindInMap: [CidrMappings, public-subnet-2, CIDR]
      Tags:
      - {Key: Name, Value: PublicSubnet2}
      VpcId: {Ref: VPC}
    Type: AWS::EC2::Subnet
  PublicSubnet2RouteTableAssociation:
    DependsOn: [PublicRouteTable, PublicSubnet2, AttachGateway]
    Properties:
      RouteTableId: {Ref: PublicRouteTable}
      SubnetId: {Ref: PublicSubnet2}
    Type: AWS::EC2::SubnetRouteTableAssociation
  VPC:
    Properties:
      CidrBlock:
        Fn::FindInMap: [CidrMappings, vpc, CIDR]
      EnableDnsHostnames: 'true'
      EnableDnsSupport: 'true'
      Tags:
      - {Key: Name, Value: DemoGoECSVPC}
    Type: AWS::EC2::VPC
  VPCDHCPOptionsAssociation:
    Properties:
      DhcpOptionsId: {Ref: DHCPOptions}
      VpcId: {Ref: VPC}
    Type: AWS::EC2::VPCDHCPOptionsAssociation
  
  WorkstationSG:  
    Type: "AWS::EC2::SecurityGroup"
    Properties:
        GroupName: Workstation to Push images
        GroupDescription: EC2 SecurityGroup
        VpcId: {Ref: VPC}
        SecurityGroupIngress:
          - IpProtocol: tcp
            FromPort: '22'
            ToPort: '22'
            CidrIp: '0.0.0.0/0'
  ALBSG:
    Type: "AWS::EC2::SecurityGroup"
    Properties:
      GroupDescription: Enable HTTP to the load balancer
      VpcId: {Ref: VPC}
      SecurityGroupIngress:
      - IpProtocol: tcp
        FromPort: '80'
        ToPort: '80'
        CidrIp: '0.0.0.0/0'

  ECSInstanceSG:
    Type: "AWS::EC2::SecurityGroup"
    Properties:
      GroupDescription: Enable access to container instances, from the load balancer only
      VpcId: {Ref: VPC}
      SecurityGroupIngress:
      - SourceSecurityGroupId: {Ref: ALBSG} 
        IpProtocol: tcp
        FromPort: '0'
        ToPort: '65535'

  WorkstationRole:
    Type: AWS::IAM::Role
    Properties:
      Path: "/"
      ManagedPolicyArns:
        - "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryFullAccess"
        - "arn:aws:iam::aws:policy/AmazonS3FullAccess"
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
        - Effect: Allow
          Principal:
            Service:
            - ec2.amazonaws.com
          Action:
            - sts:AssumeRole

  WorkstationProfile: 
         Type: AWS::IAM::InstanceProfile
         Properties: 
            Path: "/"
            Roles: 
            - Ref: "WorkstationRole"
            
  Workstation:
    Type: AWS::EC2::Instance
    Properties:
      DisableApiTermination: 'false'
      InstanceInitiatedShutdownBehavior: stop
      ImageId: ami-0bfec29e923df9531
      InstanceType: t2.micro
      Monitoring: 'false'
      KeyName: {Ref: myKeyPair}
      IamInstanceProfile: {Ref: "WorkstationProfile"}
      Tags:
        - Key: Name
          Value: Workstation
      NetworkInterfaces:
        - AssociatePublicIpAddress: 'true'
          DeleteOnTermination: 'true'
          Description: 'Primary network interface'
          DeviceIndex: 0
          SubnetId: {Ref: PublicSubnet1}  
          GroupSet: 
            - Ref: "WorkstationSG"