# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
#
# Permission is hereby granted, free of charge, to any person obtaining a copy of this
# software and associated documentation files (the "Software"), to deal in the Software
# without restriction, including without limitation the rights to use, copy, modify,
# merge, publish, distribute, sublicense, and/or sell copies of the Software, and to
# permit persons to whom the Software is furnished to do so.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,
# INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
# PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
# HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
# SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

AWSTemplateFormatVersion: 2010-09-09
Description: Sample CloudFormation Template to create webserver instance from Jenkins Job.

Parameters:
  LatestAmiId:
    Type: "AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>"
    Default: /aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2
    AllowedValues:
      - /aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2
  InstanceType:
    Description: Please select an EC2 Instance Type
    Type: String
    Default: t2.micro
    AllowedValues:
      - t2.micro
  DefaultVPCId:
    Description: Default VPC ID
    Type: AWS::EC2::VPC::Id

Resources:
  WebServerSecurityGroup:
    Type: 'AWS::EC2::SecurityGroup'
    Properties:
      GroupDescription: Enable HTTP access via port 80
      VpcId: !Ref DefaultVPCId
      SecurityGroupEgress:
        - CidrIp: 0.0.0.0/0
          Description: Allow all outbound traffic on port 80 from Instance
          FromPort: 80
          IpProtocol: tcp
          ToPort: 80
        - CidrIp: 0.0.0.0/0
          Description: Allow all outbound traffic on port 443 from Instance
          FromPort: 443
          IpProtocol: tcp
          ToPort: 443
    Metadata:
      cfn_nag:
        rules_to_suppress:
          - id: W2
            reason: "Egress on port 80 and 443 to install packages on the instance."
          - id: W5
            reason: "Egress on port 80 and 443 to install packages on the instance."
          - id: W9
            reason: "Ingress on port 80 from /0."

  SecurityGroupIngressPort80:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      Description: Allow all inbound traffic on port 80
      IpProtocol: tcp
      FromPort: 80
      ToPort: 80
      GroupId: !Ref WebServerSecurityGroup
      CidrIp: 0.0.0.0/0

  WebServerInstanceRole:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ec2.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      Path: /
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore
  
  WebServerInstanceProfile: 
    Type: "AWS::IAM::InstanceProfile"
    Properties: 
      Path: "/"
      Roles: 
        - !Ref WebServerInstanceRole

  WebServer:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: !Ref LatestAmiId
      InstanceType: !Ref InstanceType
      IamInstanceProfile: !Ref WebServerInstanceProfile
      SecurityGroupIds:
        - !Ref WebServerSecurityGroup
      UserData:
        Fn::Base64: |-
          #!/bin/bash
          sudo su
          yum update -y
          yum install httpd -y
          service httpd start
          chkconfig httpd on
          echo "<html><body><h1>Deployed from Jenkins in DevOps Account. </h1> <br> <h4> Web server is running at: $(curl http://169.254.169.254/latest/meta-data/public-hostname)</h4></body></html>" > /var/www/html/index.html

Outputs:
  WebServerIP:
    Description: The IP of the Web Server Instance
    Value: !GetAtt WebServer.PublicIp