AWSTemplateFormatVersion: "2010-09-09"

Parameters:
  ApplicationAccountRoleArn:
    Type: String
    Description: Application account role Arn in logging account
    Default: ""

Conditions:
  HasLoggingAccount: !Not [!Equals [!Ref "ApplicationAccountRoleArn", ""]]

Resources:
  ECSCluster:
    Type: AWS::ECS::Cluster
    Properties:
      ClusterName: !Sub "cluster-${AWS::AccountId}"
      CapacityProviders:
        - FARGATE
      DefaultCapacityProviderStrategy:
        - CapacityProvider: FARGATE
          Weight: 1

  ECRRepository:
    Type: AWS::ECR::Repository
    Properties:
      RepositoryName: !Sub "repository-${AWS::AccountId}"

  TaskExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub "ECSExecutionRole-${AWS::AccountId}"
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ecs-tasks.amazonaws.com
            Action:
              - "sts:AssumeRole"
      ManagedPolicyArns:
        [
          "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy",
          "arn:aws:iam::aws:policy/AmazonKinesisFirehoseFullAccess",
        ]

  AssumeLoggingPolicy:
    Condition: HasLoggingAccount
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: assume-logging-policy
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action: "sts:AssumeRole"
            Resource: !Ref ApplicationAccountRoleArn
      Roles:
        - !Ref TaskExecutionRole

  VPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: "10.10.0.0/16"
      EnableDnsSupport: true
      EnableDnsHostnames: true

  InternetGateway:
    Type: AWS::EC2::InternetGateway

  InternetGatewayAttachment:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      InternetGatewayId: !Ref InternetGateway
      VpcId: !Ref VPC

  PublicSubnet1:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPC
      AvailabilityZone: !Select [0, !GetAZs ""]
      CidrBlock: "10.10.1.0/24"
      MapPublicIpOnLaunch: true

  PublicSubnet2:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPC
      AvailabilityZone: !Select [1, !GetAZs ""]
      CidrBlock: "10.10.2.0/24"
      MapPublicIpOnLaunch: true

  PublicRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VPC

  DefaultPublicRoute:
    Type: AWS::EC2::Route
    DependsOn: InternetGatewayAttachment
    Properties:
      RouteTableId: !Ref PublicRouteTable
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: !Ref InternetGateway

  PublicSubnet1RouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId: !Ref PublicRouteTable
      SubnetId: !Ref PublicSubnet1

  PublicSubnet2RouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId: !Ref PublicRouteTable
      SubnetId: !Ref PublicSubnet2

  ContainerSG:
    Type: AWS::EC2::SecurityGroup
    Properties:
      VpcId: !Ref VPC
      GroupDescription: "Container SG"
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0
      SecurityGroupEgress:
        - IpProtocol: "-1"
          CidrIp: 0.0.0.0/0

Outputs:
  ECRRepository:
    Value: !GetAtt ECRRepository.Arn
  ECSCluster:
    Value: !Ref ECSCluster
  IAMRole:
    Value: !GetAtt TaskExecutionRole.Arn
  VPC:
    Value: !Ref VPC
  PublicSubnets:
    Value: !Join [",", [!Ref PublicSubnet1, !Ref PublicSubnet2]]
  ContainerSG:
    Value: !Ref ContainerSG