AWSTemplateFormatVersion: "2010-09-09"

Description: Provides VPC network configuration.

Parameters:
  AvailabilityZones:
    Type: List<AWS::EC2::AvailabilityZone::Name>

  VPCCidr:
    Type: String
    AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$

  PublicSubnet1Cidr:
    Description: CIDR block of Public Subnet 1
    Type: String
    AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$

  PublicSubnet2Cidr:
    Description: CIDR block of Public Subnet 2
    Type: String
    AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$

  PrivateSubnet1Cidr:
    Description: CIDR block of Private Subnet 1
    Type: String
    AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$

  PrivateSubnet2Cidr:
    Description: CIDR block of Private Subnet 2
    Type: String
    AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$

  ResourceTags:
    Type: String

  EnableFlowLogs:
    Type: String

Conditions:
  IsFlowLogs: !Equals [!Ref EnableFlowLogs, true]

Resources:
  VPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: !Ref VPCCidr
      EnableDnsHostnames: true
      EnableDnsSupport: true
      InstanceTenancy: default
      Tags:
        - Key: Name
          Value: !Join [/, [!Ref ResourceTags, VPC]]

  PublicSubnet1Subnet:
    Type: AWS::EC2::Subnet
    Properties:
      CidrBlock: !Ref PublicSubnet1Cidr
      VpcId: !Ref VPC
      AvailabilityZone: !Select [0, !Ref AvailabilityZones]
      MapPublicIpOnLaunch: false
      Tags:
        - Key: Name
          Value: !Join [/, [!Ref ResourceTags, PublicSubnet1]]

  PublicSubnet1RouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VPC
      Tags:
        - Key: Name
          Value: !Join [/, [!Ref ResourceTags, PublicSubnet1RouteTable]]

  PublicSubnet1RouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId: !Ref PublicSubnet1RouteTable
      SubnetId: !Ref PublicSubnet1Subnet

  PublicSubnet1DefaultRoute:
    Type: AWS::EC2::Route
    DependsOn:
      - GW
    Properties:
      RouteTableId: !Ref PublicSubnet1RouteTable
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: !Ref IGW

  PublicSubnet1EIP:
    Type: AWS::EC2::EIP
    Properties:
      Domain: vpc
      Tags:
        - Key: Name
          Value: !Join [/, [!Ref ResourceTags, PublicSubnet1EIP]]

  PublicSubnet1NATGateway:
    Type: AWS::EC2::NatGateway
    Properties:
      AllocationId: !GetAtt PublicSubnet1EIP.AllocationId
      SubnetId: !Ref PublicSubnet1Subnet
      Tags:
        - Key: Name
          Value: !Join [/, [!Ref ResourceTags, PublicSubnet1NatGateway]]

  PublicSubnet2Subnet:
    Type: AWS::EC2::Subnet
    Properties:
      CidrBlock: !Ref PublicSubnet2Cidr
      VpcId: !Ref VPC
      AvailabilityZone: !Select [1, !Ref AvailabilityZones]
      MapPublicIpOnLaunch: false
      Tags:
        - Key: Name
          Value: !Join [/, [!Ref ResourceTags, PublicSubnet2]]

  PublicSubnet2RouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VPC
      Tags:
        - Key: Name
          Value: !Join [/, [!Ref ResourceTags, PublicSubnet2RouteTable]]

  PublicSubnet2RouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId: !Ref PublicSubnet2RouteTable
      SubnetId: !Ref PublicSubnet2Subnet

  PublicSubnet2DefaultRoute:
    Type: AWS::EC2::Route
    DependsOn:
      - GW
    Properties:
      RouteTableId: !Ref PublicSubnet2RouteTable
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: !Ref IGW

  PrivateSubnet1Subnet:
    Type: AWS::EC2::Subnet
    Properties:
      CidrBlock: !Ref PrivateSubnet1Cidr
      VpcId: !Ref VPC
      AvailabilityZone: !Select [0, !Ref AvailabilityZones]
      MapPublicIpOnLaunch: false
      Tags:
        - Key: Name
          Value: !Join [/, [!Ref ResourceTags, PrivateSubnet1]]

  PrivateSubnet1RouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VPC
      Tags:
        - Key: Name
          Value: !Join [/, [!Ref ResourceTags, PrivateSubnet1RouteTable]]

  PrivateSubnet1RouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId: !Ref PrivateSubnet1RouteTable
      SubnetId: !Ref PrivateSubnet1Subnet

  PrivateSubnet1DefaultRoute:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId: !Ref PrivateSubnet1RouteTable
      DestinationCidrBlock: 0.0.0.0/0
      NatGatewayId: !Ref PublicSubnet1NATGateway

  PrivateSubnet2Subnet:
    Type: AWS::EC2::Subnet
    Properties:
      CidrBlock: !Ref PrivateSubnet2Cidr
      VpcId: !Ref VPC
      AvailabilityZone: !Select [1, !Ref AvailabilityZones]
      MapPublicIpOnLaunch: false
      Tags:
        - Key: Name
          Value: !Join [/, [!Ref ResourceTags, PrivateSubnet2]]

  PrivateSubnet2RouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VPC
      Tags:
        - Key: Name
          Value: !Join [/, [!Ref ResourceTags, PrivateSubnet2RouteTable]]

  PrivateSubnet2RouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId: !Ref PrivateSubnet2RouteTable
      SubnetId: !Ref PrivateSubnet2Subnet

  PrivateSubnet2DefaultRoute:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId: !Ref PrivateSubnet2RouteTable
      DestinationCidrBlock: 0.0.0.0/0
      NatGatewayId: !Ref PublicSubnet1NATGateway

  IGW:
    Type: AWS::EC2::InternetGateway
    Properties:
      Tags:
        - Key: Name
          Value: !Join [/, [!Ref ResourceTags, IGW]]

  GW:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      VpcId: !Ref VPC
      InternetGatewayId: !Ref IGW

  FlowLogsGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      RetentionInDays: 7
    Condition: IsFlowLogs

  FlowLogsRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: AllowFlowLogs
            Effect: Allow
            Principal:
              Service: vpc-flow-logs.amazonaws.com
            Action: sts:AssumeRole
      Path: /
    Condition: IsFlowLogs

  FlowLogsPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      Description: !Sub A Policy to create log groups and log streams, put log events, and describe log groups and log streams. Stack ${AWS::StackName}
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Action:
              - logs:CreateLogGroup
              - logs:CreateLogStream
              - logs:PutLogEvents
              - logs:DescribeLogGroups
              - logs:DescribeLogStreams
            Effect: Allow
            Resource: !Sub arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:${FlowLogsGroup}:*
      Roles:
        - !Ref FlowLogsRole
    Condition: IsFlowLogs

  FlowLogs:
    Type: AWS::EC2::FlowLog
    DependsOn:
      - FlowLogsPolicy
    Properties:
      DeliverLogsPermissionArn: !GetAtt FlowLogsRole.Arn
      LogGroupName: !Ref FlowLogsGroup
      ResourceId: !Ref VPC
      ResourceType: VPC
      TrafficType: ALL
    Condition: IsFlowLogs

Outputs:
  VpcID:
    Value: !Ref VPC

  VpcCidrBlock:
    Value: !GetAtt VPC.CidrBlock

  PublicSubnet1:
    Value: !Ref PublicSubnet1Subnet

  PublicSubnet2:
    Value: !Ref PublicSubnet2Subnet

  PrivateSubnet1:
    Value: !Ref PrivateSubnet1Subnet

  PrivateSubnet2:
    Value: !Ref PrivateSubnet2Subnet