---
AWSTemplateFormatVersion: 2010-09-09
Description: QS(5027) Atlassian Vpc Bastion Oct,19,2016 (qs-bpj6s43e1)
Metadata:
  QSLint:
    Exclusions: [W4002, E3012, E1001, E9101, W9006, W9002, W9003, ERDSDBInstancePubliclyAccessible, EIAMPolicyWildcardResource, ERDSStorageEncryptionEnabled]
  AWS::CloudFormation::Interface:
    ParameterGroups:
      - Label:
          default: Networking
        Parameters: [VPC, Subnet, AccessCIDR, KeyName]
      - Label:
          default: 'Linux Bastion Configuration'
        Parameters: [LatestAmiId]
    ParameterLabels:
      AccessCIDR:
        default: IP range Permitted Access
      KeyName:
        default: Key Name *
      LatestAmiId:
        default: System property with AMI ID
      Subnet:
        default: External subnet *
      VPC:
        default: VPC *
Parameters:
  AccessCIDR:
    Default: '0.0.0.0/0'
    AllowedPattern: '(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2})'
    ConstraintDescription: Must be a valid IP CIDR range of the form x.x.x.x/x.
    Description: The CIDR IP range that is permitted to access Services in this VPC. Use 0.0.0.0/0 if you want public access from the internet.
    Type: String
    MinLength: 9
    MaxLength: 18
  KeyName:
    ConstraintDescription: Must be the name of an existing EC2 Key Pair.
    Description: The EC2 Key Pair to allow SSH access to the instances.
    Type: AWS::EC2::KeyPair::KeyName
  LatestAmiId:
    Default: '/aws/service/ami-amazon-linux-latest/amzn-ami-hvm-x86_64-gp2'
    Description: (leave default) System property containing AMI ID for the Bastion host.
    Type: 'AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>'
  Subnet:
    ConstraintDescription: Must be one of the external Subnet ID's within the selected VPC.
    Description: External Subnet where your bastion will be deployed. MUST be within the selected VPC.
    Type: "AWS::EC2::Subnet::Id"
  VPC:
    ConstraintDescription: Must be the ID of a VPC.
    Description: Virtual Private Cloud
    Type: "AWS::EC2::VPC::Id"

Resources:
  Bastion:
    Type: AWS::EC2::Instance
    DeletionPolicy: Delete
    UpdateReplacePolicy: Retain
    Properties:
      ImageId: !Ref LatestAmiId
      InstanceType: t3.micro
      KeyName: !Ref KeyName
      NetworkInterfaces:
        - AssociatePublicIpAddress: true
          DeviceIndex: "0"
          GroupSet: [ !Ref SecurityGroup ]
          SubnetId: !Ref Subnet
      Tags:
        - Key: Name
          Value: "Bastion for Atlassian Product VPC"
        # NOTE: The leading COMMIT/TIMESTAMP are used to locate the position to update; see scripts/update-tags.py
        - Key: "atl:quickstart:commit-id"
          Value: "COMMIT: ebd2820214350ed6bb34df8cc0f7fadbb3ffa5e2"
        - Key: "atl:quickstart:timestamp"
          Value: "TIMESTAMP: 2021-06-09T01:26:03Z"
  SecurityGroup:
    Type: "AWS::EC2::SecurityGroup"
    Properties:
      GroupDescription: Security group allowing SSH access
      VpcId: !Ref VPC
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: !Ref AccessCIDR
Outputs:
  BastionPubIp:
    Description: The Public IP to ssh to the Bastion
    Value: !GetAtt Bastion.PublicIp
  BastionPrivateIp:
    Description: The Private IP of the Bastion within the VPC
    Value: !GetAtt Bastion.PrivateIp