AWSTemplateFormatVersion: 2010-09-09
Description: >
  This AWS CloudFormation Network Resources template to create Network Resources like PrivateSubnet,NatGateway,Security Groups,Target Group,Loadbalancer,Listner,EIP in the Existing VPC to work with Fargate in Create Cluster Wizard (production version) (qs-1shsu3b6j)
Metadata:
  cfn-lint:
    config:
      ignore_checks:
        - W9006 # temporary to get rid of warnings
        - W9002 # temporary to get rid of warnings
        - W9003 # temporary to get rid of warnings
        - W1001 # temporary to get rid of warnings
        - W9901 # Not passing all the default parameters to reduce verbosity
  AWS::CloudFormation::Interface:
    ParameterGroups:
    - Label:
        default: Existing VPC Network configuration
      Parameters:
      - VPCID
      - VPCCIDR
      - NumberOfAvalZones
      - AvailabilityZones
      - CreatePublicSubnets
      - PublicSubnet1
      - PublicSubnet2
      - PublicSubnet3
      - RCHATPRODEIP1
      - RCHATPRODEIP2
      - JVBPRODEIP1
      - JVBPRODEIP2
      - ElasticFileSystemResource
      - CertificateID
    - Label:
        default: Create Private Subnet and NATGateways
      Parameters:
      - CreatePrivateSubnets
      - CreateNATGateways
      - PrivateSubnet1ACIDR
      - PrivateSubnet2ACIDR
      - PrivateSubnet3ACIDR
      - SecurityIngressCidrIp
    ParameterLabels:
      AvailabilityZones:
        default: Availability Zones
      NumberOfAvalZones:
        default: Number Of Availability Zones
      CreatePublicSubnets:
        default: Create public subnets
      PublicSubnet1:
        default: Public subnet 1 ID
      PublicSubnet2:
        default: Public subnet 2 ID
      PublicSubnet3:
        default: Public subnet 3 ID
      CreateNATGateways:
        default: Create NAT Gateways
      CreatePrivateSubnets:
        default: Create private subnets
      PrivateSubnet1ACIDR:
        default: Private subnet 1A CIDR
      PrivateSubnet2ACIDR:
        default: Private subnet 2A CIDR
      PrivateSubnet3ACIDR:
        default: Private subnet 3A CIDR
      VPCID:
        default: VPC ID
      VPCCIDR:
        default: VPC CIDR Block
      SecurityIngressCidrIp:
        default: Allowed SecurityIngressCidrIp Block
      ElasticFileSystemResource:
        default: ElasticFileSystemResource
      CertificateID:
        default: CertificateID for Secure Network Loadbalancer
      RCHATPRODEIP1:
        default: EIP1 for Rocket Chat LoadBalancer
      RCHATPRODEIP2:
        default: EIP2 for Rocket Chat LoadBalancer
      JVBPRODEIP1:
        default: EIP1 for JVB LoadBalancer
      JVBPRODEIP2:
        default: EIP2 for JVB LoadBalancer
Parameters:
  AvailabilityZones:
    Description: 'List of Availability Zones to use for the subnets in the VPC. Note: The logical order is preserved.'
    Type: List<AWS::EC2::AvailabilityZone::Name>
    Default: ''
  PublicSubnet1:
    Description: VPC Public Subnet 1
    Type: String
    Default: ''
  PublicSubnet2:
    Description: VPC Public Subnet 2
    Type: String
    Default: ''
  PublicSubnet3:
    Description: VPC Public Subnet 3
    Type: String
    Default: ''
  NumberOfAvalZones:
    Description: Number of Availability Zone parameter must be integer 
    Default: ''
    Type: String    
  CreateNATGateways:
    AllowedValues:
      - 'true'
      - 'false'
    Default: 'true'
    Description: Set to false when creating only private subnets. If True, both CreatePublicSubnets and CreatePrivateSubnets must also be true.
    Type: String
  CreatePublicSubnets:
    AllowedValues:
      - 'true'
      - 'false'
    Default: 'true'
    Description: Set to false to create only public subnets. If false, the CIDR parameters for ALL private subnets will be ignored.
    Type: String
  CreatePrivateSubnets:
    AllowedValues:
      - 'true'
      - 'false'
    Default: 'true'
    Description: Set to false to create only public subnets. If false, the CIDR parameters for ALL private subnets will be ignored.
    Type: String
  PrivateSubnet1ACIDR:
    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28
    Default: ''
    Description: CIDR block for private subnet 1A located in Availability Zone 1
    Type: String
  PrivateSubnet2ACIDR:
    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28
    Default: ''
    Description: CIDR block for private subnet 2A located in Availability Zone 2
    Type: String
  PrivateSubnet3ACIDR:
    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28
    Default: ''
    Description: CIDR block for private subnet 3A located in Availability Zone 3
    Type: String
  VPCID:
    Description: VPC ID
    Type: String
    Default: ''
  VPCCIDR:
    Description: VPC CIDR
    Default: ''
    Type: String
  SecurityIngressCidrIp:    
    Description: VPC SecurityIngressCidrIp
    Type: String
    Default: 0.0.0.0/0
  ElasticFileSystemResource:
    Description: EFS Name required for MountTarget
    Type: String
    Default: ''
  CertificateID:
    Description: SSL CertificateID Required for SSL enabled NLB
    Type: String
    Default: '' 
  RCHATPRODEIP1:
    Description: EIP1 for Rocket Chat LoadBalancer
    Type: String
    Default: ''
  RCHATPRODEIP2:
    Description: EIP2 for Rocket Chat LoadBalancer
    Type: String
    Default: ''
  JVBPRODEIP1:
    Description: EIP1 for JVB LoadBalancer
    Type: String
    Default: ''
  JVBPRODEIP2:
    Description: EIP2 for JVB LoadBalancer
    Type: String
    Default: ''	  
Conditions:
  3AZCondition: !Equals [!Ref 'NumberOfAvalZones', '3']
  PublicSubnetsCondition: !Equals [!Ref 'CreatePublicSubnets', 'true']
  PrivateSubnetsCondition: !Equals [!Ref 'CreatePrivateSubnets', 'true']
  PrivateSubnets&3AZCondition: !And
    - !Condition 'PrivateSubnetsCondition'
    - !Condition '3AZCondition'
  PublicSubnets&3AZCondition: !And
    - !Condition 'PublicSubnetsCondition'
    - !Condition '3AZCondition'  
  NATGatewaysCondition: !Equals [!Ref 'CreateNATGateways', 'true']
  NATGateways&PublicSubnets&PrivateSubnetsCondition: !And
    - !Condition 'NATGatewaysCondition'
    - !Condition 'PublicSubnetsCondition'
    - !Condition 'PrivateSubnetsCondition'
  NATGateways&PublicSubnets&PrivateSubnets&3AZCondition: !And
    - !Condition 'NATGatewaysCondition'
    - !Condition 'PublicSubnetsCondition'
    - !Condition 'PrivateSubnetsCondition'
    - !Condition '3AZCondition'
Rules:
  NAT:
    RuleCondition: !Equals [!Ref CreateNATGateways, 'true']
    Assertions:
      - Assert: !And
          - !Equals [!Ref CreatePrivateSubnets, 'true']
          - !Equals [!Ref CreatePublicSubnets, 'true']
        AssertDescription: To enable NAT gateways you must have both CreatePrivateSubnets and CreatePublicSubnets set to 'true'
  Subnets:
    Assertions:
      - Assert: !Or
          - !Equals [!Ref CreatePrivateSubnets, 'true']
          - !Equals [!Ref CreatePublicSubnets, 'true']
        AssertDescription: At least one of CreatePublicSubnets or CreatePrivateSubnets must be set to 'true'    
Resources:
  PrivateSubnet1A:
    Condition: PrivateSubnetsCondition
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPCID
      CidrBlock: !Ref 'PrivateSubnet1ACIDR'
      AvailabilityZone: !Select ['0', !Ref 'AvailabilityZones']
      Tags:
        - Key: Name
          Value: Private subnet 1A
  PrivateSubnet2A:
    Condition: PrivateSubnetsCondition
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPCID
      CidrBlock: !Ref 'PrivateSubnet2ACIDR'
      AvailabilityZone: !Select ['1', !Ref 'AvailabilityZones']
      Tags:
        - Key: Name
          Value: Private subnet 2A
  PrivateSubnet3A:
    Condition: PrivateSubnets&3AZCondition
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPCID
      CidrBlock: !Ref 'PrivateSubnet3ACIDR'
      AvailabilityZone: !Select ['2', !Ref 'AvailabilityZones']
      Tags:
        - Key: Name
          Value: Private subnet 3A
  PrivateSubnet1ARouteTable:
    Condition: PrivateSubnetsCondition
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref 'VPCID'
      Tags:
        - Key: Name
          Value: Private subnet 1A
        - Key: Network
          Value: Private
  PrivateSubnet1ARoute:
    Condition: NATGateways&PublicSubnets&PrivateSubnetsCondition
    Type: AWS::EC2::Route
    Properties:
      RouteTableId: !Ref 'PrivateSubnet1ARouteTable'
      DestinationCidrBlock: '0.0.0.0/0'
      NatGatewayId: !Ref 'NATGateway1'
  PrivateSubnet1ARouteTableAssociation:
    Condition: PrivateSubnetsCondition
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref 'PrivateSubnet1A'
      RouteTableId: !Ref 'PrivateSubnet1ARouteTable'
  PrivateSubnet2ARouteTable:
    Condition: PrivateSubnetsCondition
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref 'VPCID'
      Tags:
        - Key: Name
          Value: Private subnet 2A
        - Key: Network
          Value: Private
  PrivateSubnet2ARoute:
    Condition: NATGateways&PublicSubnets&PrivateSubnetsCondition
    Type: AWS::EC2::Route
    Properties:
      RouteTableId: !Ref 'PrivateSubnet2ARouteTable'
      DestinationCidrBlock: '0.0.0.0/0'
      NatGatewayId: !Ref 'NATGateway2'
  PrivateSubnet2ARouteTableAssociation:
    Condition: PrivateSubnetsCondition
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref 'PrivateSubnet2A'
      RouteTableId: !Ref 'PrivateSubnet2ARouteTable'
  PrivateSubnet3ARouteTable:
    Condition: PrivateSubnets&3AZCondition
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref 'VPCID'
      Tags:
        - Key: Name
          Value: Private subnet 3A
        - Key: Network
          Value: Private
  PrivateSubnet3ARoute:
    Condition: NATGateways&PublicSubnets&PrivateSubnets&3AZCondition
    Type: AWS::EC2::Route
    Properties:
      RouteTableId: !Ref 'PrivateSubnet3ARouteTable'
      DestinationCidrBlock: '0.0.0.0/0'
      NatGatewayId: !Ref 'NATGateway3'
  PrivateSubnet3ARouteTableAssociation:
    Condition: PrivateSubnets&3AZCondition
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref 'PrivateSubnet3A'
      RouteTableId: !Ref 'PrivateSubnet3ARouteTable'
  NAT1EIP:
    Condition: NATGateways&PublicSubnets&PrivateSubnetsCondition
    Type: AWS::EC2::EIP
    Properties:
      Domain: vpc
      Tags:
        - Key: Name
          Value: NAT1EIP
  NAT2EIP:
    Condition: NATGateways&PublicSubnets&PrivateSubnetsCondition
    Type: AWS::EC2::EIP
    Properties:
      Domain: vpc
      Tags:
        - Key: Name
          Value: NAT2EIP
  NAT3EIP:
    Condition: NATGateways&PublicSubnets&PrivateSubnets&3AZCondition
    Type: AWS::EC2::EIP
    Properties:
      Domain: vpc
      Tags:
        - Key: Name
          Value: NAT3EIP
  NATGateway1:
    Condition: NATGateways&PublicSubnets&PrivateSubnetsCondition
    Type: AWS::EC2::NatGateway
    Properties:
      AllocationId: !GetAtt 'NAT1EIP.AllocationId'
      SubnetId: !Ref 'PublicSubnet1'
      Tags:
        - Key: Name
          Value: NATGateway1
  NATGateway2:
    Condition: NATGateways&PublicSubnets&PrivateSubnetsCondition
    Type: AWS::EC2::NatGateway
    Properties:
      AllocationId: !GetAtt 'NAT2EIP.AllocationId'
      SubnetId: !Ref 'PublicSubnet2'
      Tags:
        - Key: Name
          Value: NATGateway2
  NATGateway3:
    Condition: PrivateSubnets&3AZCondition
    Type: AWS::EC2::NatGateway
    Properties:
      AllocationId: !GetAtt 'NAT3EIP.AllocationId'
      SubnetId: !Ref 'PublicSubnet3'
      Tags:
        - Key: Name
          Value: NATGateway3
  S3VPCEndpoint:
    Condition: PrivateSubnetsCondition
    Type: AWS::EC2::VPCEndpoint
    Properties:
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Action: '*'
            Effect: Allow
            Resource: '*'
            Principal: '*'
      RouteTableIds:
        - !Ref 'PrivateSubnet1ARouteTable'
        - !Ref 'PrivateSubnet2ARouteTable'
        - !If [PrivateSubnets&3AZCondition, !Ref 'PrivateSubnet3ARouteTable', !Ref 'AWS::NoValue']
      ServiceName: !Sub 'com.amazonaws.${AWS::Region}.s3'
      VpcId: !Ref 'VPCID'
  ContainerSecurityGroup:
    Type: 'AWS::EC2::SecurityGroup'
    Properties:
      GroupDescription: ECS Allowed Ports
      VpcId: !Ref VPCID 
      SecurityGroupIngress:
        - IpProtocol: ALL
          CidrIp: !Ref VPCCIDR
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: !Ref VPCCIDR
        - IpProtocol: tcp
          FromPort: 2049
          ToPort: 2049
          CidrIp: !Ref VPCCIDR
        - IpProtocol: tcp
          FromPort: 3306
          ToPort: 3306
          CidrIp: !Ref VPCCIDR
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: !Ref VPCCIDR
        - IpProtocol: tcp
          FromPort: 8080
          ToPort: 8080
          CidrIp: !Ref VPCCIDR
        - IpProtocol: udp
          FromPort: 10000
          ToPort: 10000
          CidrIp: !Ref SecurityIngressCidrIp
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp: !Ref SecurityIngressCidrIp
      Tags:
        - Key: Name
          Value: !Join
            - '-'
            - - 'prod'
              - 'cloudmeet'
              - 'ctr-sg'          
  MountTargetAz1a:
    Type: 'AWS::EFS::MountTarget'
    Properties:
      FileSystemId: !Ref ElasticFileSystemResource
      SubnetId:
        Ref: "PrivateSubnet1A"
      SecurityGroups:
        - !Ref ContainerSecurityGroup

  MountTargetAz1b:
    Type: 'AWS::EFS::MountTarget'
    Properties:
      FileSystemId: !Ref ElasticFileSystemResource
      SubnetId:
        Ref: "PrivateSubnet2A"
      SecurityGroups:
        - !Ref ContainerSecurityGroup

  MountTargetAz1c:
    Condition: PrivateSubnets&3AZCondition    
    Type: 'AWS::EFS::MountTarget'
    Properties:
      FileSystemId: !Ref ElasticFileSystemResource
      SubnetId:
        Ref: "PrivateSubnet3A"
      SecurityGroups:
        - !Ref ContainerSecurityGroup

  RCHATPRODNLB:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Name: Prod-Rchat-NLB
      Scheme: internet-facing
      Type: network
      SubnetMappings:
        - AllocationId: !Ref RCHATPRODEIP1
          SubnetId: !Ref PublicSubnet1
        - AllocationId: !Ref RCHATPRODEIP2
          SubnetId: !Ref PublicSubnet2
      Tags:
        - Key: Name
          Value: Prod-Rchat-NLB
 
  RchatPRODNlbListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn: !Ref RCHATPRODNLB
      Protocol: TLS
      Port: 443
      Certificates:
        - CertificateArn: !Ref CertificateID
      DefaultActions:
        - Type: forward
          TargetGroupArn: !Ref RCHATPRODTLSTG
  
  RCHATPRODTLSTG:
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    Properties:
      Name: Prod-Rchat-NLB-TG
      VpcId: !Ref VPCID
      HealthCheckEnabled: true
      HealthCheckPort: '80'
      HealthCheckIntervalSeconds: 30
      HealthyThresholdCount: 10
      UnhealthyThresholdCount: 10      
      Port: 80
      Protocol: TCP
      TargetGroupAttributes:
        - Key: deregistration_delay.timeout_seconds
          Value: '60'
      Tags:
        - Key: Name
          Value: Prod-Rchat-NLB-TG
      TargetType: ip

  JVBPRODNLB:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Name: Prod-JVB-NLB
      Scheme: internet-facing
      Type: network
      SubnetMappings:
        - AllocationId: !Ref JVBPRODEIP1
          SubnetId: !Ref PublicSubnet1
        - AllocationId: !Ref JVBPRODEIP2
          SubnetId: !Ref PublicSubnet2
      Tags:
        - Key: Name
          Value: Prod-JVB-NLB
 
  JVBPRODNlbListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn: !Ref JVBPRODNLB
      Protocol: TLS
      Port: 443
      Certificates:
        - CertificateArn: !Ref CertificateID
      DefaultActions:
        - Type: forward
          TargetGroupArn: !Ref JVBPRODTLSTG
  
  JVBPRODTLSTG:
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    Properties:
      Name: Prod-JVB-TLS-TG
      VpcId: !Ref VPCID
      HealthCheckEnabled: true
      HealthCheckPort: '80'
      HealthCheckIntervalSeconds: 30
      HealthyThresholdCount: 10
      UnhealthyThresholdCount: 10
      Port: 80
      Protocol: TCP
      TargetGroupAttributes:
        - Key: deregistration_delay.timeout_seconds
          Value: '60'
      Tags:
        - Key: Name
          Value: Prod-JVB-TLS-TG
      TargetType: ip
      
  JVBPRODUDPListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn: !Ref JVBPRODNLB
      Protocol: UDP
      Port: 10000
      DefaultActions:
        - Type: forward
          TargetGroupArn: !Ref JVBPRODUDPTG

  JVBPRODUDPTG:
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    Properties:
      Name: Prod-JVB-UDP-TG
      VpcId: !Ref VPCID
      HealthCheckEnabled: true
      HealthCheckPort: '80'
      HealthCheckIntervalSeconds: 30
      HealthyThresholdCount: 10
      UnhealthyThresholdCount: 10
      Port: 10000
      Protocol: UDP
      TargetGroupAttributes:
        - Key: deregistration_delay.timeout_seconds
          Value: '60'
      Tags:
        - Key: Name
          Value: Prod-JVB-UDP-TG
      TargetType: ip

  JVBPrivateNamespace:
    Type: AWS::ServiceDiscovery::PrivateDnsNamespace
    Properties:
      Name: temp
      Vpc: !Ref VPCID

  JVBDiscoveryService:
    Type: AWS::ServiceDiscovery::Service
    Properties:
      Description: Discovery Service for the Jitsi Application
      DnsConfig:
        RoutingPolicy: MULTIVALUE
        DnsRecords:
          - TTL: 60
            Type: A
      HealthCheckCustomConfig:
        FailureThreshold: 1
      Name: jitsixmppservice
      NamespaceId: !Ref JVBPrivateNamespace

Outputs:
  PrivateSubnet1AID:
    Condition: PrivateSubnetsCondition
    Description: Private subnet 1A ID in Availability Zone 1
    Value: !Ref 'PrivateSubnet1A'
    Export:
      Name: !Join [ ':', [ !Ref 'AWS::StackName', 'PrivateSubnet1AID' ] ]
  PrivateSubnet2AID:
    Condition: PrivateSubnetsCondition
    Description: Private subnet 2A ID in Availability Zone 2
    Value: !Ref 'PrivateSubnet2A'
    Export:
      Name: !Join [ ':', [ !Ref 'AWS::StackName', 'PrivateSubnet2AID' ] ]
  PrivateSubnet3AID:
    Condition: PrivateSubnets&3AZCondition
    Description: Private subnet 3A ID in Availability Zone 3
    Value: !Ref 'PrivateSubnet3A'
    Export:
      Name: !Join [ ':', [ !Ref 'AWS::StackName', 'PrivateSubnet3AID' ] ]
  ContainerSecurityGroup:
    Description: Container Security Group Name 
    Value: !Ref 'ContainerSecurityGroup'
    Export:
      Name: !Join [ ':', [ !Ref 'AWS::StackName', 'ContainerSecurityGroup' ] ]
  RCHATPRODTLSTG:
    Description: Rchat TLS Target Group Name 
    Value: !Ref 'RCHATPRODTLSTG'
    Export:
      Name: !Join [ ':', [ !Ref 'AWS::StackName', 'RCHATPRODTLSTG' ] ]
  JVBPRODTLSTG:
    Description: Jitsi TLS Target Group Name 
    Value: !Ref 'JVBPRODTLSTG'
    Export:
      Name: !Join [ ':', [ !Ref 'AWS::StackName', 'JVBPRODTLSTG' ] ]
  JVBPRODUDPTG:
    Description: Jitsi UDP Target Group Name 
    Value: !Ref 'JVBPRODUDPTG'
    Export:
      Name: !Join [ ':', [ !Ref 'AWS::StackName', 'JVBPRODUDPTG' ] ]
  JVBDiscoveryService:
    Description: Jitsi Local Discovery Service 
    Value: !GetAtt 'JVBDiscoveryService.Arn'
    Export:
      Name: !Join [ ':', [ !Ref 'AWS::StackName', 'JVBDiscoveryService' ] ]
  RCHATPRODNLBUrl:
    Description: The URL of the Rocket Chat Network Load Balancer 
    Value: !GetAtt 'RCHATPRODNLB.DNSName'
    Export:
      Name: !Join [ ':', [ !Ref 'AWS::StackName', 'RCHATPRODNLBUrl' ] ]
  JVBPRODNLBUrl:
    Description: The URL of the Jitsi Call Network Load Balancer 
    Value: !GetAtt 'JVBPRODNLB.DNSName'
    Export:
      Name: !Join [ ':', [ !Ref 'AWS::StackName', 'JVBPRODNLBUrl' ] ]