AWSTemplateFormatVersion: 2010-09-09

Parameters:
  Namespace:
    Description: A string of 4-20 lowercase letters and digits, starting with a letter. Included in resource names, allowing multiple deployments.
    Default: filegateway
    Type: String
    AllowedPattern: "^[a-z]{1}[a-z0-9]{3,19}$"
    ConstraintDescription: Between 4-20 letters and digits, starting with a letter
  ParameterVPCId:
    Description: ID of the VPC
    Type: AWS::EC2::VPC::Id
  ParameterSubnetId:
    Description: SubnetId, for Availability Zone 1 in the region in your VPC. 
    Type: AWS::EC2::Subnet::Id
  ParameterAZ:
    Type: String
  LatestAmiId:
    Type: 'AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>'
    Default: '/aws/service/storagegateway/ami/FILE_S3/latest'
  InstanceType:
    Description: EC2 instance type
    Type: String
    Default: m5.xlarge
    AllowedValues: [
      c4.xlarge, c4.2xlarge, c4.4xlarge, c4.8xlarge, 
      c5.large, c5.xlarge, c5.2xlarge, c5.4xlarge, c5.9xlarge, c5.12xlarge, c5.18xlarge, 
      i3.xlarge, i3.2xlarge, i3.4xlarge, i3.8xlarge, i3.16xlarge,
      m4.xlarge, m4.2xlarge, m4.4xlarge, m4.10xlarge, m4.16xlarge,
      m5.xlarge, m5.2xlarge, m5.4xlarge, m5.8xlarge, m5.12xlarge, m5.16xlarge, m5.24xlarge, m5.metal,
      r3.xlarge, r3.2xlarge, r3.4xlarge, r3.8xlarge, r3.16xlarge
    ]
    ConstraintDescription: Please choose a valid instance type.
  EBSVolumeSize:
    Type: Number
    Default: 150
    Description: The Amazon EBS volume size attached to the File Gateway as cache, in GiBs. 
  FileGatewayBucketName:
    Type: String
    Description: The S3 bucket name for s3 file gateway
    
Resources:
  FileGatewayBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: !Join
            - '-'
            - - !Ref FileGatewayBucketName
              - !Ref AWS::AccountId
              - !Ref AWS::Region
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      VersioningConfiguration:
        Status: Enabled
        
  InstanceSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Enable SSH access via port 22
      GroupName: !Sub ${Namespace}-InstanceSecurityGroup-${AWS::AccountId}-${AWS::Region}
      SecurityGroupIngress:
        - CidrIp: '0.0.0.0/0'
          Description: web:80/tcp
          FromPort: 80
          IpProtocol: TCP
          ToPort: 80
        - CidrIp: '0.0.0.0/0'
          Description: efs:2049/tcp
          FromPort: 2049
          IpProtocol: TCP
          ToPort: 2049
      SecurityGroupEgress:
        - CidrIp: 0.0.0.0/0
          IpProtocol: "-1"
      Tags:
        - Key: project
          Value: !Sub "${Namespace}-sg"
      VpcId: !Ref 'ParameterVPCId'
  
  EC2S3FileGateway:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: !Ref LatestAmiId
      AvailabilityZone: !Ref ParameterAZ
      SecurityGroupIds: 
        - !Ref 'InstanceSecurityGroup'
      SubnetId: !Ref ParameterSubnetId
      InstanceType: !Ref 'InstanceType'
      BlockDeviceMappings: 
        - DeviceName: /dev/sdb
          Ebs: 
            VolumeSize: !Ref EBSVolumeSize
            VolumeType: "gp2"
            DeleteOnTermination: true
      IamInstanceProfile: !Ref 'EC2InstanceProfile'
  EC2Role:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ec2.amazonaws.com
            Action:
              - sts:AssumeRole
      Path: /
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore
  EC2InstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Path: /
      Roles: 
        - !Ref 'EC2Role'