AWSTemplateFormatVersion: 2010-09-09

Description: >
  In this template we are demonstrating an EC2 with SSM Session Manager enabled.  We will create an instance in a public subnet for simplicity,
  but you could just as easily connect to a private instance through a route defined in a NAT Gateway.
  The SSM Agent running on the EC2 instances must be able to connect to Session Manager’s public endpoint.
  For more information see: https://aws.amazon.com/blogs/aws/new-session-manager/

Parameters:
  LatestAmiId:
    Type: AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>
    Description: Select Amazon Linux(1) or 2
    Default: /aws/service/ami-amazon-linux-latest/amzn-ami-hvm-x86_64-gp2
    AllowedValues:
      - /aws/service/ami-amazon-linux-latest/amzn-ami-hvm-x86_64-gp2 # Amazon Linux [1]
      - /aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2 # Amazon Linux 2
  InstanceType:
    Type: String
    Default: t2.nano
    Description: Select an instance type
    AllowedValues:
      - t2.nano
      - t2.micro
      - t3.nano
      - t3.micro
  VpcCidr:
    Description: Please enter the IP range (CIDR notation) for this VPC
    Type: String
    Default: 10.0.0.0/16
  PublicSubnetCidr:
    Description: Please enter the IP range (CIDR notation) for the public subnet in the first Availability Zone
    Type: String
    Default: 10.0.10.0/24

Metadata:
  AWS::CloudFormation::Interface:
    ParameterGroups:
      - Label:
          default: "EC2 Settings"
        Parameters:
          - LatestAmiId
          - InstanceType
      - Label:
          default: "We create a boilerplate VPC to place the EC2 instance into"
        Parameters:
          - VpcCidr
          - PublicSubnetCidr

Resources:
  Ec2InPublicSubnet:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: !Ref LatestAmiId
      InstanceType: !Ref InstanceType
      # KeyName: NO SSH Key needed
      IamInstanceProfile: !Ref Ec2InstanceProfile
      NetworkInterfaces:
        - AssociatePublicIpAddress: true
          DeviceIndex: 0
          GroupSet:
            - !Ref Ec2InstanceSecurityGroup
          SubnetId: !Ref PublicSubnet
      Tags:
        - Key: Name
          Value: Session Manager test instance

  # By default, AWS Systems Manager doesn't have permission to perform actions on your instances.
  # You must grant access by using an AWS Identity and Access Management (IAM) instance profile.
  # https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-configuring-access-role.html
  Ec2InstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Path: /
      Roles: [ !Ref Ec2InstanceRole ]
  Ec2InstanceRole:
    Type: AWS::IAM::Role
    Properties:
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforSSM
      AssumeRolePolicyDocument:
        Statement:
          - Effect: Allow
            Principal:
              Service: [ ec2.amazonaws.com ]
            Action:
              - sts:AssumeRole
      Path: /

  Ec2InstanceSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: SG with no ingress ports open
      VpcId: !Ref Vpc
      SecurityGroupEgress:
        - IpProtocol: -1 # all
          FromPort: -1 # all
          ToPort: -1 # all
          CidrIp: 0.0.0.0/0

  Vpc:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: !Ref VpcCidr
  InternetGateway:
    Type: AWS::EC2::InternetGateway
  InternetGatewayAttachment:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      InternetGatewayId: !Ref InternetGateway
      VpcId: !Ref Vpc
  PublicSubnet:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref Vpc
      AvailabilityZone: !Select [ 0, !GetAZs '' ]
      CidrBlock: !Ref PublicSubnetCidr
      MapPublicIpOnLaunch: true
      Tags:
        - Key: Name
          Value: Public Subnet
  PublicRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref Vpc
      Tags:
        - Key: Name
          Value: Public subnet routes
  DefaultPublicRoute:
    Type: AWS::EC2::Route
    DependsOn: InternetGatewayAttachment
    Properties:
      RouteTableId: !Ref PublicRouteTable
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: !Ref InternetGateway
  PublicSubnetRouteTableAssoc:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId: !Ref PublicRouteTable
      SubnetId: !Ref PublicSubnet
  NoIngressSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupName: "no-ingress-sg"
      GroupDescription: "Security group with no ingress rule"
      VpcId: !Ref Vpc

Outputs:

  SessionManagementListUrl:
    Description: The URL to the Session Management Console listing all instances it is aware of
    Value: !Sub https://${AWS::Region}.console.aws.amazon.com/systems-manager/session-manager/start-session?region=${AWS::Region}
  SessionManagementInstanceUrl:
    Description: The URL to the Session Management Console for this instance
    Value: !Sub https://${AWS::Region}.console.aws.amazon.com/systems-manager/session-manager/${Ec2InPublicSubnet}?region=${AWS::Region}