AWSTemplateFormatVersion: 2010-09-09
Description: This template deploys InterSystems IRIS 
  into an existing VPC, including 3 Availability Zones. **WARNING** This template creates Amazon EC2 
  instance and related resources. You will be billed for the AWS resources used if
  you create a stack from this template. (qs-1r9onjih3)
Metadata:
  cfn-lint:
    config:
      ignore_checks:
        - W9002
        - W9003
        - W9006
        - W9901
        - E9902
  QuickStartDocumentation:
    EntrypointName: "Parameters for deploying into an existing VPC"
    Order: "2"
  Author: Anton Umnikov
  Last Updated: November 20, 2020
  AWS::CloudFormation::Interface: 
    ParameterGroups: 
      - Label: 
          default: "IRIS configuration"
        Parameters: 
          - IRISPasswordParameter
          - S3BucketNameParameter
      - Label: 
          default: "Network configuration"
        Parameters: 
          - VpcIdParameter
          - InstanceSubnetIdParameter
          - RemoteAccessCIDRParameter
      - Label: 
          default: "EC2 instance configuration"
        Parameters: 
          - InstanceTypeParameter
          - SshKeyParameter
      - Label: 
          default: "AWS Quick Start configuration"
        Parameters: 
          - QSS3BucketName
          - QSS3BucketRegion
          - QSS3KeyPrefix
    ParameterLabels: 
      VpcIdParameter: 
        default: "VPC ID for workload"
      InstanceSubnetIdParameter: 
        default: "Subnets to deploy IRIS"
      RemoteAccessCIDRParameter:
        default: "CIDR block for remote access"
      InstanceTypeParameter:
        default: "EC2 instance type for IRIS nodes"
      SshKeyParameter:
        default: "SSH key-pair name to connect to EC2 instances"
      IRISPasswordParameter:
        default: "IRIS password"
      S3BucketNameParameter:
        default: "IRIS S3 bucket name"
      QSS3BucketName:
        default: Quick Start S3 bucket name
      QSS3BucketRegion:
        default: Quick Start S3 bucket Region
      QSS3KeyPrefix:
        default: Quick Start S3 key prefix
Parameters:
  VpcIdParameter:
    Description: ID of the VPC to launch EC2 instances into.
    Type: AWS::EC2::VPC::Id
  InstanceSubnetIdParameter:
    Description: 3 subnets in separate Availability Zones.
    Type: 'List<AWS::EC2::Subnet::Id>'
  BastionSubnetIdParameter:
    Description: Public subnets
    Type: 'List<AWS::EC2::Subnet::Id>'
  SshKeyParameter:
    Description: SSH key pair to log in to the instances.
    #Default: anton-isc
    Type: AWS::EC2::KeyPair::KeyName
  RemoteAccessCIDRParameter:
    AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$
    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/x
    Description: Allowed CIDR block for external access to the instances. Restrict this to <your-own-ip>/32 for better security.
    Default: 0.0.0.0/0
    Type: String
  IRISPasswordParameter:
    Description: Password for the IRIS administrator (SuperUser/_SYSTEM user). Use at least 4 alphanumeric characters.
    Type: String
    NoEcho: true
    MinLength: 4
    MaxLength: 32
    AllowedPattern: '[a-zA-Z][a-zA-Z0-9]*'
  S3BucketNameParameter:
    Description: S3 bucket with IRIS binaries.
    Type: String
    Default: ''
  InstanceTypeParameter:
    Description: Cluster node instance type.
    Type: String
    Default: m5.large
    AllowedValues: 
      - m5.large
      - r5.xlarge
      - r5.2xlarge
      - r5.4xlarge
      - r5.8xlarge
      - r5.16xlarge
  QSS3BucketName:
    AllowedPattern: ^[0-9a-zA-Z]+([0-9a-zA-Z-]*[0-9a-zA-Z])*$
    ConstraintDescription: The Quick Start bucket name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-).
    Default: aws-quickstart
    Description: Name of the S3 bucket for your copy of the Quick Start assets. Keep the default name unless you are customizing the template. Changing the name updates code references to point to a new Quick Start location. This name can include numbers, lowercase letters, uppercase letters, and hyphens, but do not start or end with a hyphen (-). See https://aws-quickstart.github.io/option1.html.
    Type: String
  QSS3BucketRegion:
    Default: 'us-east-1'
    Description: 'AWS Region where the Quick Start S3 bucket (QSS3BucketName) is hosted. Keep the default Region unless you are customizing the template. Changing this Region updates code references to point to a new Quick Start location. When using your own bucket, specify the Region. See https://aws-quickstart.github.io/option1.html.'
    Type: String
  QSS3KeyPrefix:
    AllowedPattern: ^[0-9a-zA-Z-/]*$
    ConstraintDescription: Quick Start key prefix can include numbers, lowercase letters, uppercase letters, hyphens (-), and forward slashes (/).
    Default: quickstart-intersystems-iris/
    Description: S3 key prefix that is used to simulate a directory for your copy of the Quick Start assets. Keep the default prefix unless you are customizing the template. Changing this prefix updates code references to point to a new Quick Start location. This prefix can include numbers, lowercase letters, uppercase letters, hyphens (-), and forward slashes (/). See https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingMetadata.html and https://aws-quickstart.github.io/option1.html.
    Type: String
Conditions:
  UsingDefaultBucket: !Equals [!Ref QSS3BucketName, 'aws-quickstart']
Resources:
  InstanceSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Metadata:
      cfn_nag:
        rules_to_suppress:
          - id: F1000
            reason: "Standard Amazon practice"
    Properties:
      GroupDescription: Allow all hosts in this group to access each other.
      GroupName: !Sub "${AWS::StackName}-IRIS-SG"
      VpcId: !Ref VpcIdParameter
  SecurityGroupIngressSSH:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref InstanceSecurityGroup
      IpProtocol: TCP
      FromPort: 22
      ToPort: 22
      CidrIp: !Ref RemoteAccessCIDRParameter
  SecurityGroupIngressIRISSuperServer:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref InstanceSecurityGroup
      IpProtocol: TCP
      FromPort: 51773
      ToPort: 51773
      CidrIp: !Ref RemoteAccessCIDRParameter
  SecurityGroupIngressIRISWeb:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref InstanceSecurityGroup
      IpProtocol: TCP
      FromPort: 52773
      ToPort: 52773
      CidrIp: !Ref RemoteAccessCIDRParameter
  SecurityGroupIngressIRISAgent:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref InstanceSecurityGroup
      IpProtocol: TCP
      FromPort: 2188
      ToPort: 2188
      SourceSecurityGroupId: !Ref InstanceSecurityGroup
  SecurityGroupIngressIRISECP:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref InstanceSecurityGroup
      IpProtocol: TCP
      FromPort: 51773
      ToPort: 51773
      SourceSecurityGroupId: !Ref InstanceSecurityGroup
  SecurityGroupIngressIRISVPC:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref InstanceSecurityGroup
      IpProtocol: TCP
      FromPort: 52773
      ToPort: 52773
      CidrIp: 0.0.0.0/0
      #CidrIp: !GetAtt VpcIdParameter.CidrBlock
  Node01:
    Type: AWS::CloudFormation::Stack
    Properties:
      Parameters:
        #VpcIdParameter: !Ref VpcIdParameter
        InstanceSubnetIdParameter: !Select [0,!Ref InstanceSubnetIdParameter]
        InstanceSecurityGroupParameter: !Ref InstanceSecurityGroup
        SshKeyParameter: !Ref SshKeyParameter
        IRISPasswordParameter: !Ref IRISPasswordParameter
        S3BucketNameParameter: !Ref S3BucketNameParameter
        InstanceTypeParameter: !Ref InstanceTypeParameter
        MirrorInstanceRole: PRIMARY
        MirrorArbiterIP: !GetAtt 'Arbiter.Outputs.NodePrivateIP'
        QSS3KeyPrefix: !Ref QSS3KeyPrefix
        QSS3BucketName: !Ref QSS3BucketName
      TemplateURL:
        !Sub
          - 'https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}templates/iris-cluster-iris-node.template.yaml'
          - S3Region: !If [UsingDefaultBucket, !Ref 'AWS::Region', !Ref QSS3BucketRegion]
            S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName]
      #https://isc-tech-validation.s3.amazonaws.com/MirrorNode.yaml
  Node02:
    Type: AWS::CloudFormation::Stack
    Properties:
      Parameters:
        #VpcIdParameter: !Ref VpcIdParameter
        InstanceSubnetIdParameter: !Select [1,!Ref InstanceSubnetIdParameter]
        InstanceSecurityGroupParameter: !Ref InstanceSecurityGroup
        SshKeyParameter: !Ref SshKeyParameter
        IRISPasswordParameter: !Ref IRISPasswordParameter
        S3BucketNameParameter: !Ref S3BucketNameParameter
        InstanceTypeParameter: !Ref InstanceTypeParameter
        MirrorInstanceRole: FAILOVER
        MirrorPrimaryIP: !GetAtt 'Node01.Outputs.NodePrivateIP'
        QSS3KeyPrefix: !Ref QSS3KeyPrefix
        QSS3BucketName: !Ref QSS3BucketName
      TemplateURL:
        !Sub
          - 'https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}templates/iris-cluster-iris-node.template.yaml'
          - S3Region: !If [UsingDefaultBucket, !Ref 'AWS::Region', !Ref QSS3BucketRegion]
            S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName]
      #https://isc-tech-validation.s3.amazonaws.com/MirrorNode.yaml
  Arbiter:
    Type: AWS::CloudFormation::Stack
    Properties:
      Parameters:
        #VpcIdParameter: !Ref VpcIdParameter
        InstanceSubnetIdParameter: !Select [2,!Ref InstanceSubnetIdParameter]
        InstanceSecurityGroupParameter: !Ref InstanceSecurityGroup
        SshKeyParameter: !Ref SshKeyParameter
        S3BucketNameParameter: !Ref S3BucketNameParameter
        InstanceTypeParameter: t3.small
        MirrorInstanceRole: ARBITER
        QSS3BucketName: !Ref QSS3BucketName
        QSS3KeyPrefix: !Ref QSS3KeyPrefix
      TemplateURL:
        !Sub
          - 'https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}templates/iris-cluster-arbiter-node.template.yaml'
          - S3Region: !If [UsingDefaultBucket, !Ref 'AWS::Region', !Ref QSS3BucketRegion]
            S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName]
      #https://isc-tech-validation.s3.amazonaws.com/ArbiterNode.yaml
  LoadBalancer:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties: 
      IpAddressType: ipv4
      Type: network
      # Name: !Sub "${AWS::StackName}-NLB" # throws an error "name too long"
      Scheme: internet-facing
      Subnets:
        - !Select [0,!Ref BastionSubnetIdParameter]
        - !Select [1,!Ref BastionSubnetIdParameter]
  NLBListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties: 
      DefaultActions: 
        - Type: forward
          TargetGroupArn: !Ref LBTargetGroup
      LoadBalancerArn: !Ref LoadBalancer
      Port: 51773
      Protocol: TCP
  LBTargetGroup:
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    Properties:
      HealthCheckPath: /csp/mirror_status.cxw
      HealthCheckPort: '52773'
      HealthCheckProtocol: HTTP
      #HealthCheckTimeoutSeconds: 10
      #HealthCheckIntervalSeconds: 10
      #UnhealthyThresholdCount: 3
      VpcId: !Ref VpcIdParameter
      # Name: !Sub "${AWS::StackName}-TargetGroup" # throws an error "name too long"
      Port: 51773
      Protocol: TCP
      TargetType: ip
      Targets:
        - Id: !GetAtt 'Node01.Outputs.NodePrivateIP'
        - Id: !GetAtt 'Node02.Outputs.NodePrivateIP'
Outputs:
  JDBCEndpoint:
    Description: JDBC Connection String
    Value: !Join
      - ''
      - ['jdbc:IRIS://', !GetAtt 'LoadBalancer.DNSName', ':51773/DATA']
  Node01PrivateIP:
    Description: Node 01 Private IP
    Value: !Join
      - ''
      - ['',!GetAtt 'Node01.Outputs.NodePrivateIP', '']
  Node02PrivateIP:
    Description: Node 02 Private IP
    Value: !Join
      - ''
      - ['',!GetAtt 'Node02.Outputs.NodePrivateIP', '']