AWSTemplateFormatVersion: 2010-09-09
Description: >-
  AWS CloudFormation Sample Template: Create an LB connected to an EC2 machine with a nginx server on it.
  This template assumes that you have a correctly setup VPC with 1 or more private subnets and 2 or more public subnets.
  If you plan to SSH directly into the EC2 machine, you might also need to manually create a Bastion host.
  Depending on your VPC setup.

  NOTE: This Template will Create Resources on AWS that will incurr cost!

Parameters:
  VpcId:
    Type: 'AWS::EC2::VPC::Id'
    Description: VpcId of your existing Virtual Private Cloud (VPC)
    ConstraintDescription: must be the VPC Id of an existing Virtual Private Cloud.
  LoadBalancerSubnets:
    Type: 'List<AWS::EC2::Subnet::Id>'
    Description: The list of public SubnetIds to be used by the Load Balancer
    ConstraintDescription: >-
      must be a list of at least two existing public subnets associated with at least
      two different availability zones. They should be residing in the selected
      Virtual Private Cloud.
  WebAppSubnets:
    Type: AWS::EC2::Subnet::Id
    Description: The subnet ID for the webapp server
    ConstraintDescription: >-
      Must be the ID of a Private subnet in your VPC
  InstanceType:
    Description: WebServer EC2 instance type
    Type: String
    Default: t2.small
  KeyName:
    Description: The EC2 Key Pair to allow SSH access to the instances
    Type: 'AWS::EC2::KeyPair::KeyName'
    ConstraintDescription: must be the name of an existing EC2 KeyPair.
  IngressLocation:
    Description: The IP address range that can be used to access EC2 instances
    Type: String
    MinLength: '9'
    MaxLength: '18'
    Default: 0.0.0.0/0
    AllowedPattern: '(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2})'
    ConstraintDescription: must be a valid IP CIDR range of the form x.x.x.x/x.
Mappings:
  Region2Examples:
    us-east-1:
      Examples: 'https://s3.amazonaws.com/cloudformation-examples-us-east-1'
    us-west-2:
      Examples: 'https://s3-us-west-2.amazonaws.com/cloudformation-examples-us-west-2'
  AWSInstanceType2Arch:
    t2.nano:
      Arch: HVM64
    t2.micro:
      Arch: HVM64
    t2.small:
      Arch: HVM64
    t2.medium:
      Arch: HVM64
    t2.large:
      Arch: HVM64
  AWSInstanceType2NATArch:
    t2.nano:
      Arch: NATHVM64
    t2.micro:
      Arch: NATHVM64
    t2.small:
      Arch: NATHVM64
    t2.medium:
      Arch: NATHVM64
    t2.large:
      Arch: NATHVM64
  AWSRegionArch2AMI:
    us-east-1:
      HVM64: ami-0c2b8ca1dad447f8a
    us-west-2:
      HVM64: ami-083ac7c7ecf9bb9b0
Resources:
  MyEC2Instance: 
    Type: AWS::EC2::Instance
    Properties: 
      ImageId: !FindInMap 
        - AWSRegionArch2AMI
        - !Ref 'AWS::Region'
        - !FindInMap 
          - AWSInstanceType2Arch
          - !Ref InstanceType
          - Arch
      KeyName: !Ref KeyName
      UserData:
        Fn::Base64: !Sub |
          #!/bin/bash
          yum update -y
          amazon-linux-extras install epel -y
          yum install nginx git gcc build-essential python3-pip python3-devel python3-setuptools -y
          mkdir /var/www
          git clone https://github.com/PagerDuty/sample-app-workshop.git /var/www
          cd /var/www
          python3 -m venv svcstopappenv
          source svcstopappenv/bin/activate
          pip3 install -r requirements.txt && deactivate
          cp /var/www/config/svcstopapp.service /etc/systemd/system
          usermod -a -G nginx ec2-user
          chmod -R 755 /var/www
          chown -R ec2-user:nginx /var/www
          systemctl start svcstopapp.service
          systemctl enable svcstopapp.service
          cp config/nginx.conf /etc/nginx/nginx.conf
          cp config/svcstopapp.conf /etc/nginx/conf.d/svcstopapp.conf
          systemctl start nginx
          systemctl enable nginx
      SecurityGroupIds:
            - !GetAtt "InstanceSecurityGroup.GroupId"
      InstanceType: !Ref InstanceType
      SubnetId: !Ref WebAppSubnets
  ApplicationLoadBalancer:
    Type: 'AWS::ElasticLoadBalancingV2::LoadBalancer'
    Properties:
      SecurityGroups: 
        - !Ref LoadBalancerSecurityGroup
      Subnets: !Ref LoadBalancerSubnets
  ALBListener:
    Type: 'AWS::ElasticLoadBalancingV2::Listener'
    Properties:
      DefaultActions:
        - Type: forward
          TargetGroupArn: !Ref ALBTargetGroup
      LoadBalancerArn: !Ref ApplicationLoadBalancer
      Port: '80'
      Protocol: HTTP
  ALBTargetGroup:
    Type: 'AWS::ElasticLoadBalancingV2::TargetGroup'
    Properties:
      HealthCheckIntervalSeconds: 10
      HealthCheckTimeoutSeconds: 5
      HealthyThresholdCount: 2
      Port: 80
      Protocol: HTTP
      UnhealthyThresholdCount: 2
      VpcId: !Ref VpcId
      Targets:
      - Id:
          Ref: MyEC2Instance
  InstanceSecurityGroup:
    Type: 'AWS::EC2::SecurityGroup'
    Properties:
      GroupDescription: Enable SSH access and HTTP from the load balancer only
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: '22'
          ToPort: '22'
          CidrIp: !Ref IngressLocation
        - IpProtocol: tcp
          FromPort: '80'
          ToPort: '80'
          SourceSecurityGroupId: !Select 
            - 0
            - !GetAtt 
              - ApplicationLoadBalancer
              - SecurityGroups
      VpcId: !Ref VpcId
  LoadBalancerSecurityGroup:
    Type: 'AWS::EC2::SecurityGroup'
    Properties:
      GroupDescription: Enable Access to Loadbalancer from selected IP Range
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: '80'
          ToPort: '80'
          CidrIp: !Ref IngressLocation
      VpcId: !Ref VpcId
Outputs:
  URL:
    Description: The URL of the website
    Value: !Join 
      - ''
      - - 'http://'
        - !GetAtt 
          - ApplicationLoadBalancer
          - DNSName