---
AWSTemplateFormatVersion: '2010-09-09'
Description: 'Managed node group for EKS cluster'

Parameters:
  VPCStackName:
    Description: The name of the CloudFormation stack with which the private EKS cluster was created
    Type: String
    Default: ""

  ClusterStackName:
    Description: The name of the CloudFormation stack with which the private EKS cluster was created
    Type: String
    Default: ""

  WorkerNodeGroupName:
    Description: Name of the worker nodegroup
    Type: String
    Default: "managed-workers"

  WorkerNodeInstanceType:
    Description: EC2 instance type for the node instances; must be a type that can be registered with an NLB by instance ID
    Type: String
    Default: m5.xlarge
    AllowedValues:
    - m5.large
    - m5.xlarge
    - c5.large
    - c5.xlarge
    ConstraintDescription: Must be a valid EC2 instance type

  WorkerNodeGroupMinSize:
    Type: Number
    Description: Minimum size of Node ASG.
    Default: 1

  WorkerNodeGroupMaxSize:
    Type: Number
    Description: Maximum size of Node ASG.
    Default: 4

  WorkerNodeGroupDesiredSize:
    Type: Number
    Description: Desired size of Node ASG.
    Default: 2

  WorkerNodeImageId:
    Type: String
    Default: ""
    Description: (Optional) Specify your own custom image ID. This value overrides any AWS Systems Manager Parameter Store value specified above.

  WorkerNodeImageIdSSMParam:
    Type: "AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>"
    Default: /aws/service/eks/optimized-ami/1.22/amazon-linux-2/recommended/image_id
    Description: AWS Systems Manager Parameter Store parameter of the AMI ID for the worker node instances. 

  LaunchTemplateName:
    Description: Name of the LaunchTemplate used for worker nodes
    Type: String
    Default: "EKS-ManagedWorker-LaunchTemplate"  

  ClusterName:
    Description: Name of the EKS cluster
    Type: String
    Default: ""

  ClusterEndpoint:
    Description: API server URL for the EKS cluster
    Type: String
    Default: ""

  ClusterCertificateAuthority:
    Description: Certificate Authority certificate for the EKS Cluster
    AllowedPattern: "^LS0tLS1(.*)"
    Type: String      
    Default: "LS0tLS1=="

Metadata:
  AWS::CloudFormation::Interface:
    ParameterGroups:
      -
        Label:
          default: "Base Stack"
        Parameters:
          - ClusterStackName
      -
        Label:
          default: "Worker Nodegroup Configuration"
        Parameters:
          - WorkerNodeGroupName
          - WorkerNodeGroupMinSize
          - WorkerNodeGroupMaxSize
          - WorkerNodeGroupDesiredSize
      -
        Label:
          default: "Launch Template Configuration"
        Parameters:
          - LaunchTemplateName
          - WorkerNodeImageIdSSMParam
          - WorkerNodeImageId
          - WorkerNodeInstanceType
      -
        Label:
          default: "EKS Cluster Parameters"
        Parameters:
          - ClusterName
          - ClusterEndpoint
          - ClusterCertificateAuthority

Conditions:
  HasWorkerNodeImageId: !Not
    - "Fn::Equals":
        - Ref: WorkerNodeImageId
        - ""

Resources:
  WorkerNodeLaunchRemplate:
    Type: AWS::EC2::LaunchTemplate
    Properties:
      LaunchTemplateName: !Join [ '-', [!Sub "${AWS::StackName}", !Ref LaunchTemplateName] ]
      LaunchTemplateData:
        DisableApiTermination: 'false'
        InstanceType: !Ref WorkerNodeInstanceType
        ImageId: !If
          - HasWorkerNodeImageId
          - Ref: WorkerNodeImageId
          - Ref: WorkerNodeImageIdSSMParam           
        SecurityGroupIds:
          - Fn::ImportValue: !Sub ${ClusterStackName}-CLUSTER-SECURITY-GROUP
          - Fn::ImportValue: !Sub ${VPCStackName}-NLB-INGRESS-SECURITY-GROUP
        MetadataOptions:
          HttpEndpoint: "enabled"
          HttpTokens: "optional"
          HttpPutResponseHopLimit: 2
        UserData:
          Fn::Base64:
            !Sub |
              MIME-Version: 1.0
              Content-Type: multipart/mixed; boundary="//"

              --//
              Content-Type: text/x-shellscript; charset="us-ascii"
              #!/bin/bash
              set -ex
              /etc/eks/bootstrap.sh ${ClusterName} \
              --b64-cluster-ca ${ClusterCertificateAuthority} \
              --apiserver-endpoint ${ClusterEndpoint} 
              --//--

  WorkerNodeInstanceRole:
    Type: "AWS::IAM::Role"
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
        - Effect: Allow
          Principal:
            Service:
            - ec2.amazonaws.com
          Action:
          - sts:AssumeRole
      Path: "/"
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy
        - arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy
        - arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly

  WorkerNodeGroup:
    Type: AWS::EKS::Nodegroup
    Properties:
      NodegroupName: !Ref WorkerNodeGroupName
      ClusterName: !Ref ClusterName
      NodeRole: !GetAtt WorkerNodeInstanceRole.Arn
      ScalingConfig:
        MinSize: !Ref WorkerNodeGroupMinSize
        MaxSize: !Ref WorkerNodeGroupMaxSize
        DesiredSize: !Ref WorkerNodeGroupDesiredSize      
      Subnets:
        - Fn::ImportValue: !Sub ${VPCStackName}-WORKER-SUBNET01
        - Fn::ImportValue: !Sub ${VPCStackName}-WORKER-SUBNET02
      LaunchTemplate:
        Id: !Ref WorkerNodeLaunchRemplate
        Version: !GetAtt WorkerNodeLaunchRemplate.DefaultVersionNumber
      Labels:
        role: managed-worker
        cluster: !Ref ClusterName

Outputs:
  WorkerNodeInstanceRole:
    Description: Worker Node Instance Role
    Value: !GetAtt WorkerNodeInstanceRole.Arn
    Export:
      Name: !Sub ${AWS::StackName}-MANAGED-WORKERNODE-ROLE

  LaunchTemplate:
    Description: Launch Template ID and Version
    Value: !Join [ '', ['ID=', !Ref WorkerNodeLaunchRemplate,  ' Version=', !GetAtt WorkerNodeLaunchRemplate.DefaultVersionNumber] ]