AWSTemplateFormatVersion: 2010-09-09
# Added a comment for the first time.

Parameters:

  LinuxImageId:
    Type: String
    Default: ''
    Description: Enter the AMI ID for the Snort Sensor.

Mappings: {}

Conditions: {}

Outputs: {}

Resources:

  VPC:
    Type: 'AWS::EC2::VPC'
    Properties: 
      CidrBlock: '10.2.0.0/16'
      EnableDnsSupport: 'true'
      EnableDnsHostnames: 'true'
      Tags:
        - Key: Name
          Value: on-prem-vpc

  PubSubnet:
    Type: 'AWS::EC2::Subnet'
    Properties:
      VpcId: !Ref VPC
      CidrBlock: '10.2.1.0/24'
      Tags:
        - Key: Name
          Value: on-prem-pub-sn

  PrvSubnet:
    Type: 'AWS::EC2::Subnet'
    Properties:
      VpcId: !Ref VPC
      CidrBlock: '10.2.2.0/24'
      Tags:
        - Key: Name
          Value: on-prem-prv-sn
  
  InternetGateway:
    Type: AWS::EC2::InternetGateway
    Properties:
      Tags:
        - Key: Name
          Value: on-prem-igw

  InternetGatewayAttachment:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      InternetGatewayId: !Ref InternetGateway
      VpcId: !Ref VPC
   
  EIP:
    DependsOn: InternetGatewayAttachment
    Type: AWS::EC2::EIP
    Properties:
      Domain: vpc
      Tags:
        - Key: Name
          Value: on-prem-igw-eip
  
  NatGateway:
    Type: AWS::EC2::NatGateway
    Properties:
      AllocationId: !GetAtt EIP.AllocationId
      SubnetId: !Ref PubSubnet
      Tags:
        - Key: Name
          Value: on-prem-ngw
  
  PublicRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VPC
      Tags:
        - Key: Name
          Value: on-prem-pub-rt
  
  DefaultPublicRoute:
    Type: AWS::EC2::Route
    DependsOn: InternetGatewayAttachment
    Properties:
      RouteTableId: !Ref PublicRouteTable
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: !Ref InternetGateway
  
  PublicSubnetRouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId: !Ref PublicRouteTable
      SubnetId: !Ref PubSubnet
  
  PrivateRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VPC
      Tags:
        - Key: Name
          Value: on-prem-prv-rt
  
  DefaultPrivateRoute:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId: !Ref PrivateRouteTable
      DestinationCidrBlock: 0.0.0.0/0
      NatGatewayId: !Ref NatGateway
  
  PrivateSubnetRouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId: !Ref PrivateRouteTable
      SubnetId: !Ref PrvSubnet

  SnortSensor:
    Type: 'AWS::EC2::Instance'
    Properties:
      NetworkInterfaces:
        - SubnetId: !Ref PrvSubnet
          DeviceIndex: 0
          GroupSet: 
            - !Ref PrvSG
      InstanceType: t2.medium
      ImageId: !Ref LinuxImageId
      UserData:
        Fn::Base64: !Sub |
          #!/bin/bash -xe
          yum update -y
      Tags: 
        - 
          Key: "Name"
          Value: "SnortSensor"
        - 
          Key: "SSMType"
          Value: "SnortSensor"
        - 
          Key: "SSMManaged"
          Value: "True"
      IamInstanceProfile: !Ref SSMInstanceProfile

  SSMInstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties: 
      InstanceProfileName: OnPremInstanceProfile
      Roles: 
        - !Ref SSMInstanceRole
  
  SSMInstanceRole:
    Type: AWS::IAM::Role
    Properties: 
      RoleName: OnPremInstanceRole
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement: 
          - 
            Effect: Allow
            Principal:
              Service: ec2.amazonaws.com
            Action: 'sts:AssumeRole'
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore
        - arn:aws:iam::aws:policy/AmazonS3FullAccess
        - arn:aws:iam::aws:policy/AmazonKinesisFirehoseFullAccess
        - arn:aws:iam::aws:policy/CloudWatchFullAccess

  SSMEndPoint:
    Type: AWS::EC2::VPCEndpoint
    Properties: 
      PrivateDnsEnabled: 'true'
      SecurityGroupIds: 
        - !Ref PrvSG
      ServiceName: 
        !Join
        - ''
        - - 'com.amazonaws.'
          - !Ref 'AWS::Region'
          - '.ssm'
      SubnetIds: 
        - !Ref PrvSubnet
      VpcId: !Ref VPC
      VpcEndpointType: Interface
  
  SSMMessagesEndPoint:
    Type: AWS::EC2::VPCEndpoint
    Properties: 
      PrivateDnsEnabled: 'true'
      SecurityGroupIds: 
        - !Ref PrvSG
      ServiceName: 
        !Join
          - ''
          - - 'com.amazonaws.'
            - !Ref 'AWS::Region'
            - '.ssmmessages'
      SubnetIds: 
        - !Ref PrvSubnet
      VpcId: !Ref VPC
      VpcEndpointType: Interface

  EC2MessagesEndPoint:
    Type: AWS::EC2::VPCEndpoint
    Properties: 
      PrivateDnsEnabled: 'true'
      SecurityGroupIds: 
        - !Ref PrvSG
      ServiceName: 
        !Join
          - ''
          - - 'com.amazonaws.'
            - !Ref 'AWS::Region'
            - '.ec2messages'
      SubnetIds: 
        - !Ref PrvSubnet
      VpcId: !Ref VPC
      VpcEndpointType: Interface

  EC2EndPoint:
    Type: AWS::EC2::VPCEndpoint
    Properties: 
      PrivateDnsEnabled: 'true'
      SecurityGroupIds: 
        - !Ref PrvSG
      ServiceName: 
        !Join
          - ''
          - - 'com.amazonaws.'
            - !Ref 'AWS::Region'
            - '.ec2'
      SubnetIds: 
        - !Ref PrvSubnet
      VpcId: !Ref VPC
      VpcEndpointType: Interface

  PubSG:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Allow all
      VpcId: !Ref VPC
      SecurityGroupIngress:
      - IpProtocol: -1
        FromPort: -1
        ToPort: -1
        CidrIp: 0.0.0.0/0
      Tags:
        - Key: Name
          Value: on-prem-pub-sg

  PrvSG:
    Type: AWS::EC2::SecurityGroup
    DependsOn: PubSG
    Properties:
      GroupDescription: Allow public SG
      VpcId: !Ref VPC
      SecurityGroupIngress:
      - IpProtocol: -1
        SourceSecurityGroupName: on-prem-pub-sg
      Tags:
        - Key: Name
          Value: on-prem-prv-sg