AWSTemplateFormatVersion: '2010-09-09'

Metadata: 
  AWS::CloudFormation::Interface: 
    ParameterGroups: 
      - 
        Label: 
          default: "Network Configuration"
        Parameters: 
          - VPCID
          - VPCCidr
          - SubnetID
      - 
        Label: 
          default: "Amazon MSK Cluster Detail"
        Parameters: 
          - MSKClusterName
      -
        Label: 
          default: "Prometheus and Cloud9 Configuration"
        Parameters: 
          - KeyName
          - LatestAmiId
          - Cloud9InstanceType
    ParameterLabels: 
      VPCID: 
        default: "Specify the VPC ID where your existing Amazon MSK Cluster is deployed"

Parameters:
  KeyName:
    Description: Name of an existing EC2 KeyPair to enable SSH access to the instance
    Type: AWS::EC2::KeyPair::KeyName
    Default: DemoMSKKeyPair
    ConstraintDescription: Can contain only ASCII characters.
  LatestAmiId:
    Type: 'AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>'
    Default: '/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2'
  VPCID:
    Description: VPC ID for Prometheus and Kafka Client. (Provide VPC ID of your current Amazon MSK Cluster)
    Type: String
  SubnetID:
    Description: Subnet ID for Prometheus and Kafka Client. (Provide any one of the subnet ID of your current Amazon MSK Cluster)
    Type: String
  VPCCidr:
    Description: VPC CIDR for the Prometheus Sec Group Ingress rule of SSH. (Provide VPC CIDR of your current Amazon MSK Cluster)
    Type: String
  Cloud9InstanceType:
    Description: Instance Type for cloud9 Env
    Type: String
    Default:     t2.micro
    AllowedValues:
      - t2.nano
      - t2.micro
      - t2.small
      - t2.medium
      - t2.large
      - t2.xlarge
      - t2.2xlarge
      - m3.medium
      - m3.large
      - m3.xlarge
      - m3.2xlarge
      - m4.large
      - m4.xlarge
      - m4.2xlarge
      - m4.4xlarge
      - m4.10xlarge
      - m4.16xlarge
      - c3.large
      - c3.xlarge
      - c3.2xlarge
      - c3.4xlarge
      - c3.8xlarge
      - c4.large
      - c4.xlarge
      - c4.2xlarge
      - c4.4xlarge
      - c4.8xlarge
      - m5.large
  MSKClusterName:
    Description: Name of the Amazon MSK Cluster
    Type: String
    Default: "DemoMSK"  



Resources:

  PrometheusServerSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Enable SSH access via port 22 from BastionHostSecurityGroup
      VpcId: !Ref VPCID
      SecurityGroupIngress:
      - IpProtocol: tcp
        FromPort: 22
        ToPort: 22
        CidrIp: !Ref VPCCidr
      - IpProtocol: tcp
        FromPort: 9090
        ToPort: 9090
        CidrIp: 0.0.0.0/0



  PrometheusEC2Instance:
    Type: AWS::EC2::Instance
    Properties:
      InstanceType: t3.medium
      KeyName: !Ref 'KeyName'
      IamInstanceProfile: !Ref PrometheusProfile
      SubnetId: !Ref SubnetID
      SecurityGroupIds: [!GetAtt PrometheusServerSecurityGroup.GroupId]
      ImageId: !Ref LatestAmiId
      Tags:
        - Key: 'Name'
          Value: 'Prometheus_Server'
      UserData: 
        Fn::Base64: 
          !Sub |
            #!/bin/bash
            yum update -y
            yum install python3.7 -y
            yum install java-1.8.0-openjdk-devel -y
            yum install nmap-ncat -y
            yum install git -y
            yum erase awscli -y
            yum install jq -y
            amazon-linux-extras install docker -y
            service docker start
            usermod -a -G docker ec2-user


  PrometheusRole: 
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument: 
        Version: 2012-10-17
        Statement:
          - Sid: ''
            Effect: Allow
            Principal:
              Service: ec2.amazonaws.com
            Action: 'sts:AssumeRole'
      RoleName: PrometheusAMPRole
      Description: Role to access AMP Workspace

  PrometheusProfile:
    Type: AWS::IAM::InstanceProfile
    Properties: 
      InstanceProfileName: !Join
                            - '-'
                            - - 'PrometheusProfile'
                              - !Ref 'AWS::StackName'
      Roles:
        - !Ref PrometheusRole

#====
# Managed Policy for Prometheus Server
#====
  PrometheusManagedPolicy:
    Type: AWS::IAM::ManagedPolicy
    DependsOn:  PrometheusRole
    Properties: 
      Description: Managed Policy to access prometheus Workspace
      ManagedPolicyName: PrometheusAccessToAMP
      Path: /
      PolicyDocument: 
        Version: '2012-10-17'
        Statement:
        - Effect: Allow
          Action:
          - aps:GetLabels
          - aps:GetMetricMetadata
          - aps:GetSeries
          - aps:QueryMetrics
          - aps:RemoteWrite
          Resource: "*" 
      Roles: 
        - "PrometheusAMPRole"
#====

  Cloud9EC2Bastion:
    Type: AWS::Cloud9::EnvironmentEC2
    Properties: 
      AutomaticStopTimeMinutes: 600
      Description: "Cloud9 EC2 environment"
      InstanceType: !Ref Cloud9InstanceType # t3.medium
      Name: !Sub "${AWS::StackName}-Cloud9EC2Bastion"
      SubnetId: !Ref SubnetID
      Tags: 
        - Key: 'Purpose'
          Value: 'Cloud9EC2BastionHostInstance'


#========
Outputs:
#========
  SSHPrometheusInstance:
    Description: SSH command for Prometheus instance
    Value: !Join ["" , [ "ssh -i /home/ec2-user/environment/EC2KeyMSKDemo ec2-user@", !GetAtt PrometheusEC2Instance.PrivateIp ]]
    Export:
      Name: !Sub "${AWS::StackName}-PrometheusEC2Instance"
  PrometheusSecurityGroupId:
    Description: The security group id for the Prometheus Server
    Value: !GetAtt PrometheusServerSecurityGroup.GroupId
    Export:
      Name: !Sub "${AWS::StackName}-PrometheusServerSecurityGroup"
  PrometheusInstanceId:
    Description: InstanceId of the newly created Prometheus instance
    Value: !Ref 'PrometheusEC2Instance'
  PrometheusInstancePrivateIP:
    Description: The Private IP of the Prometheus server
    Value: !GetAtt PrometheusEC2Instance.PrivateIp