---
AWSTemplateFormatVersion: 2010-09-09

Description: Reference Architecture to host Moodle on AWS - Creates bastion (desired:0; min:0; max:1) Auto Scaling group

Metadata:

  AWS::CloudFormation::Interface:
    ParameterGroups:
    - Label:
        default: AWS Parameters
      Parameters:
        - EC2KeyName
        - BastionInstanceType
        - BastionSecurityGroup
        - NumberOfSubnets
        - Subnet
    ParameterLabels:
      BastionSecurityGroup:
        default: Bastion Security Group
      BastionInstanceType:
        default: Instance Type
      EC2KeyName:
        default: Existing Key Pair
      NumberOfSubnets:
        default: Number of subnets
      Subnet:
        default: Subnets

Parameters:

  BastionSecurityGroup:
    Description: Select the bastion security group.
    Type: AWS::EC2::SecurityGroup::Id
  BastionInstanceType:
    AllowedValues:
      - t3.nano 
      - t3.micro 
      - t3.small 
      - t3.medium 
      - t3.large 
      - t3.xlarge 
      - t3.2xlarge
      - m5.large 
      - m5.xlarge 
      - m5.2xlarge 
      - m5.4xlarge 
      - m5.8xlarge 
      - m5.12xlarge
      - m5.16xlarge
      - m5.24xlarge      
      - c5.large 
      - c5.xlarge 
      - c5.2xlarge 
      - c5.4xlarge 
      - c5.9xlarge 
      - c5.12xlarge
      - c5.18xlarge  
      - c5.24xlarge      
      - r5.large 
      - r5.xlarge 
      - r5.2xlarge 
      - r5.4xlarge 
      - r5.8xlarge 
      - r5.12xlarge
      - r5.16xlarge
      - r5.24xlarge
      - t3a.nano 
      - t3a.micro 
      - t3a.small 
      - t3a.medium 
      - t3a.large 
      - t3a.xlarge 
      - t3a.2xlarge
      - m5a.large 
      - m5a.xlarge 
      - m5a.2xlarge 
      - m5a.4xlarge 
      - m5a.8xlarge 
      - m5a.12xlarge
      - m5a.16xlarge
      - m5a.24xlarge      
      - c5a.large 
      - c5a.xlarge 
      - c5a.2xlarge 
      - c5a.4xlarge 
      - c5a.9xlarge 
      - c5a.12xlarge
      - c5a.18xlarge  
      - c5a.24xlarge      
      - r5a.large 
      - r5a.xlarge 
      - r5a.2xlarge 
      - r5a.4xlarge 
      - r5a.8xlarge 
      - r5a.12xlarge
      - r5a.16xlarge
      - r5a.24xlarge
      - t4g.nano 
      - t4g.micro 
      - t4g.small 
      - t4g.medium 
      - t4g.large 
      - t4g.xlarge 
      - t4g.2xlarge
      - m6g.large 
      - m6g.xlarge 
      - m6g.2xlarge 
      - m6g.4xlarge 
      - m6g.8xlarge 
      - m6g.12xlarge
      - m6g.16xlarge
      - m6g.24xlarge      
      - c6g.large 
      - c6g.xlarge 
      - c6g.2xlarge 
      - c6g.4xlarge 
      - c6g.9xlarge 
      - c6g.12xlarge
      - c6g.18xlarge  
      - c6g.24xlarge      
      - r6g.large 
      - r6g.xlarge 
      - r6g.2xlarge 
      - r6g.4xlarge 
      - r6g.8xlarge 
      - r6g.12xlarge
      - r6g.16xlarge
      - r6g.24xlarge
    ConstraintDescription: Must be a valid Amazon EC2 instance type.
    Default: t4g.nano
    Description: Bastion EC2 instance type.
    Type: String
  EC2KeyName:
    Description: Name of an EC2 KeyPair. Your bastion instances will launch with this KeyPair.
    Type: AWS::EC2::KeyPair::KeyName
  NumberOfSubnets:
    AllowedValues:
    - 1
    - 2
    - 3
    Default: 2
    Description: Number of subnets. This must match your selections in the list of subnets below.
    Type: String 
  Subnet:
    Description: Select existing subnets. The number selected must match the number of subnets above. Subnets selected must be in separate AZs.
    Type: List<AWS::EC2::Subnet::Id>
  LatestAmiId :
    Type : AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>
    Default: /aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2
  LatestArmAmiId :
    Type : AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>
    Default: /aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-arm64-gp2
    
    
Conditions:

  NumberOfSubnets1:
      !Equals [ 1, !Ref NumberOfSubnets ]
  NumberOfSubnets2:
      !Equals [ 2, !Ref NumberOfSubnets ]
  NumberOfSubnets3:
      !Equals [ 3, !Ref NumberOfSubnets ]
  Subnet0: !Or
    - !Condition NumberOfSubnets1
    - !Condition NumberOfSubnets2
    - !Condition NumberOfSubnets3
  Subnet1: !Or
    - !Condition NumberOfSubnets2
    - !Condition NumberOfSubnets3
  Subnet2: !Condition NumberOfSubnets3
  UsingGraviton2Ami:  !Or
    - !Equals ["t4",!Select [0, !Split [ "g.", !Ref BastionInstanceType]]]
    - !Equals ["c6",!Select [0, !Split [ "g.", !Ref BastionInstanceType]]]
    - !Equals ["m6",!Select [0, !Split [ "g.", !Ref BastionInstanceType]]]
    - !Equals ["r6",!Select [0, !Split [ "g.", !Ref BastionInstanceType]]]


Resources:

  BastionAutoScalingGroup:
    Type: AWS::AutoScaling::AutoScalingGroup
    Properties:
      Cooldown: 60
      HealthCheckGracePeriod: 120
      HealthCheckType: EC2
      LaunchTemplate:
        LaunchTemplateId: !Ref BastionLaunchTemplate
        Version: !GetAtt BastionLaunchTemplate.LatestVersionNumber
      MaxSize: 1
      MinSize: 0
      Tags:
        - Key: Name
          Value: !Join [ '', [ 'Bastion / ', !Ref 'AWS::StackName' ] ]
          PropagateAtLaunch: true
      VPCZoneIdentifier:
        !If
          [ NumberOfSubnets1,
          [ !Select [ 0, !Ref Subnet ] ],
          !If
            [ NumberOfSubnets2,
            [ !Select [ 0, !Ref Subnet ], !Select [ 1, !Ref Subnet ] ],
            [ !Select [ 0, !Ref Subnet ], !Select [ 1, !Ref Subnet ], !Select [ 2, !Ref Subnet ] ]
            ]
          ]
  BastionLaunchTemplate:
    Type: AWS::EC2::LaunchTemplate
    Properties:
      LaunchTemplateData:
        IamInstanceProfile: 
          Arn: !GetAtt BastionInstanceProfile.Arn
        ImageId: !If [UsingGraviton2Ami, !Ref LatestArmAmiId, !Ref LatestAmiId]
        Monitoring: 
          Enabled: true
        InstanceType: !Ref BastionInstanceType
        KeyName: !Ref EC2KeyName
        SecurityGroupIds:
          - !Ref BastionSecurityGroup
        UserData:
            Fn::Base64:
              !Sub |
                #!/bin/bash -xe
                sudo systemctl enable amazon-ssm-agent
                sudo systemctl start amazon-ssm-agent
                sudo systemctl status amazon-ssm-agent
              
  BastionInstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Path: '/'
      Roles:
      - !Ref BastionInstanceRole
  BastionInstanceRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
        - Effect: Allow
          Principal:
            Service:
            - ec2.amazonaws.com
          Action:
          - sts:AssumeRole
      ManagedPolicyArns:
        - 'arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore'
      Path: '/'
      Policies:
      - PolicyName: logs
        PolicyDocument:
          Version: 2012-10-17
          Statement:
          - Effect: Allow
            Action:
            - logs:CreateLogGroup
            - logs:CreateLogStream
            - logs:PutLogEvents
            - logs:DescribeLogStreams
            Resource:
            - arn:aws:logs:*:*:*