---
AWSTemplateFormatVersion: 2010-09-09
Description: This template is used for setting up Security Groups. (qs-1s4ldl6ta)

Metadata:
  LICENSE: Apache License Version 2.0
  AWS::CloudFormation::Interface:
    ParameterGroups:
    - Label:
        default: Network configuration
      Parameters:
      - AccessCIDR
      - VPCID
      - VPCCIDR
      - BastionSecurityGroupID
    ParameterLabels:
      AccessCIDR:
        default: Access CIDR
      VPCID:
        default: VPC ID
      VPCCIDR:
        default: VPC CIDR
      BastionSecurityGroupID:
        default: Bastion security group ID
Parameters:
  AccessCIDR:
    AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$
    ConstraintDescription: Must be a valid IP range in the form x.x.x.x/x.
    Description: 'CIDR IP range permitted for access. A value of
      0.0.0.0/0 allows access from any IP address.'
    Type: String
  VPCID:
    Description: VPC ID of your existing Virtual Private Cloud (VPC) where you want.
      to depoy RDS.
    Type: AWS::EC2::VPC::Id
  VPCCIDR:
    AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$
    ConstraintDescription: Must be a valid IP range in the form x.x.x.x/x.
    Description: The CIDR block for VPC.
    Type: String
  BastionSecurityGroupID:
    Description: The BastionSecurityGroupID range that is permitted to access.
    Type: String
Conditions:
  IsChinaRegion: !Or 
      - !Equals 
        - !Ref 'AWS::Region'
        - cn-north-1
      - !Equals 
        - !Ref 'AWS::Region'
        - cn-northwest-1
  IsNotChinaRegion: !Not
    - !Or
      - !Equals 
        - !Ref 'AWS::Region'
        - cn-north-1
      - !Equals 
        - !Ref 'AWS::Region'
        - cn-northwest-1
Resources:
  ClickHouseServerSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Condition: IsNotChinaRegion
    Properties:
      GroupDescription: Allow access to ClickHouse port.
      VpcId: !Ref VPCID
      SecurityGroupIngress:
      - IpProtocol: tcp
        FromPort: 2181
        ToPort: 2181
        CidrIp: !Ref VPCCIDR
      - IpProtocol: tcp
        FromPort: 2888
        ToPort: 2888
        CidrIp: !Ref VPCCIDR
      - IpProtocol: tcp
        FromPort: 3888
        ToPort: 3888
        CidrIp: !Ref VPCCIDR
      - IpProtocol: tcp
        FromPort: 9000
        ToPort: 9000
        CidrIp: !Ref VPCCIDR
      - IpProtocol: tcp
        FromPort: 9009
        ToPort: 9009
        CidrIp: !Ref VPCCIDR
      - IpProtocol: tcp
        FromPort: 8123
        ToPort: 8123
        CidrIp: !Ref VPCCIDR
      - IpProtocol: tcp
        FromPort: 9116
        ToPort: 9116
        CidrIp: !Ref VPCCIDR
      - IpProtocol: tcp
        FromPort: 9100
        ToPort: 9100
        CidrIp: !Ref VPCCIDR
      - IpProtocol: tcp
        FromPort: 22
        ToPort: 22
        SourceSecurityGroupId: !Ref BastionSecurityGroupID
      SecurityGroupEgress:
      - IpProtocol: tcp
        FromPort: 0
        ToPort: 65535
        CidrIp: 0.0.0.0/0
  AdminServerSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Condition: IsNotChinaRegion
    Properties:
      GroupDescription: App server security group.
      VpcId: !Ref VPCID
      SecurityGroupIngress:
      - IpProtocol: tcp
        FromPort: 22
        ToPort: 22
        SourceSecurityGroupId: !Ref BastionSecurityGroupID
      - IpProtocol: tcp
        FromPort: 9090
        ToPort: 9090
        CidrIp: !Ref AccessCIDR
      - IpProtocol: tcp
        FromPort: 3000
        ToPort: 3000
        CidrIp: !Ref AccessCIDR  
      SecurityGroupEgress:
      - IpProtocol: tcp
        FromPort: 0
        ToPort: 65535
        CidrIp: 0.0.0.0/0
  ClickHouseServerSecurityGroupCN:
    Type: AWS::EC2::SecurityGroup
    Condition: IsChinaRegion
    Properties:
      GroupDescription: Allow access to ClickHouse port.
      VpcId: !Ref VPCID
      SecurityGroupIngress:
      - IpProtocol: tcp
        FromPort: 2181
        ToPort: 2181
        CidrIp: !Ref VPCCIDR
      - IpProtocol: tcp
        FromPort: 2888
        ToPort: 2888
        CidrIp: !Ref VPCCIDR
      - IpProtocol: tcp
        FromPort: 3888
        ToPort: 3888
        CidrIp: !Ref VPCCIDR
      - IpProtocol: tcp
        FromPort: 9000
        ToPort: 9000
        CidrIp: !Ref VPCCIDR
      - IpProtocol: tcp
        FromPort: 9009
        ToPort: 9009
        CidrIp: !Ref VPCCIDR
      - IpProtocol: tcp
        FromPort: 8123
        ToPort: 8123
        CidrIp: !Ref VPCCIDR
      - IpProtocol: tcp
        FromPort: 9116
        ToPort: 9116
        CidrIp: !Ref VPCCIDR
      - IpProtocol: tcp
        FromPort: 9100
        ToPort: 9100
        CidrIp: !Ref VPCCIDR
      - IpProtocol: tcp
        FromPort: 22
        ToPort: 22
      SecurityGroupEgress:
      - IpProtocol: tcp
        FromPort: 0
        ToPort: 65535
        CidrIp: 0.0.0.0/0
  AdminServerSecurityGroupCN:
    Type: AWS::EC2::SecurityGroup
    Condition: IsChinaRegion
    Properties:
      GroupDescription: App server security group.
      VpcId: !Ref VPCID
      SecurityGroupIngress:
      - IpProtocol: tcp
        FromPort: 22
        ToPort: 22
      - IpProtocol: tcp
        FromPort: 9090
        ToPort: 9090
        CidrIp: !Ref AccessCIDR
      - IpProtocol: tcp
        FromPort: 3000
        ToPort: 3000
        CidrIp: !Ref AccessCIDR  
      SecurityGroupEgress:
      - IpProtocol: tcp
        FromPort: 0
        ToPort: 65535
        CidrIp: 0.0.0.0/0
Outputs:
  ClickHouseServerSecurityGroup:
    Description: ClickHouse Security Group
    Value: !If [IsNotChinaRegion, !Ref ClickHouseServerSecurityGroup, !Ref ClickHouseServerSecurityGroupCN]
  AdminServerSecurityGroup:
    Description: Admin Server Security Group
    Value: !If [IsNotChinaRegion, !Ref AdminServerSecurityGroup, !Ref AdminServerSecurityGroupCN]