AWSTemplateFormatVersion: 2010-09-09

Description: 'Creates the security groups for RDS, ALB, Container and EFS.'

Metadata:
  LICENSE: Apache License Version 2.0
  cfn-lint:
    config:
      ignore_checks:
        # Check for QSID
        - E9008

Parameters:
  VPCID:
    Description: 'ID of the VPC (e.g: vpc-0343606e).'
    Type: 'AWS::EC2::VPC::Id'
  ALBAccessCIDR:
    AllowedPattern: >-
      ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$
    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/x
    Description: Allowed CIDR block for external web access to the Application Load Balancer (x.x.x.x/x)
    Type: String

Resources:
  DBSecurityGroup:
    Type: 'AWS::EC2::SecurityGroup'
    Properties:
      GroupDescription: RDS Security Group
      VpcId: !Ref VPCID
      SecurityGroupIngress:
        - IpProtocol: tcp
          Description: Allow access from container security group
          FromPort: '3306'
          ToPort: '3306'
          SourceSecurityGroupId: !GetAtt 
            - ContainerSecurityGroup
            - GroupId
      Tags:
        - Key: Name
          Value: !Join 
            - '-'
            - - !Ref 'AWS::StackName'
              - DBSecurityGroup
  ALBSecurityGroup:
    Type: 'AWS::EC2::SecurityGroup'
    Properties:
      GroupDescription: ELB Security Group
      VpcId: !Ref VPCID
      SecurityGroupIngress:
        - IpProtocol: tcp
          Description: Allow HTTP access
          FromPort: '80'
          ToPort: '80'
          CidrIp: !Ref ALBAccessCIDR
        - IpProtocol: tcp
          Description: Allow HTTPS access
          FromPort: '443'
          ToPort: '443'
          CidrIp: !Ref ALBAccessCIDR
      SecurityGroupEgress:
        - IpProtocol: tcp
          FromPort: '80'
          ToPort: '80'
          CidrIp: 0.0.0.0/0
        - IpProtocol: tcp
          FromPort: '443'
          ToPort: '443'
          CidrIp: 0.0.0.0/0
      Tags:
        - Key: Name
          Value: !Join 
            - '-'
            - - !Ref 'AWS::StackName'
              - ALBSecurityGroup
  ContainerSecurityGroup:
    Type: 'AWS::EC2::SecurityGroup'
    Properties:
      GroupDescription: ECS Security Group
      VpcId: !Ref VPCID
      SecurityGroupIngress:
        - IpProtocol: tcp
          Description: Allow access from EFS security group
          FromPort: '2049'
          ToPort: '2049'
          SourceSecurityGroupId: !Ref EFSSecurityGroup
        - IpProtocol: tcp
          Description: Allow HTTPS access from ALB security group
          FromPort: '443'
          ToPort: '443'
          SourceSecurityGroupId: !GetAtt 
            - ALBSecurityGroup
            - GroupId
        - IpProtocol: tcp
          Description: Allow HTTP access from ALB security group
          FromPort: '80'
          ToPort: '80'
          SourceSecurityGroupId: !GetAtt 
            - ALBSecurityGroup
            - GroupId
      SecurityGroupEgress:
        - IpProtocol: tcp
          FromPort: '80'
          ToPort: '80'
          CidrIp: 0.0.0.0/0
        - IpProtocol: tcp
          FromPort: '443'
          ToPort: '443'
          CidrIp: 0.0.0.0/0
      Tags:
        - Key: Name
          Value: !Join 
            - '-'
            - - !Ref 'AWS::StackName'
              - ContainerSecurityGroup
  SecurityGroupRuleAppDBEgress:
    Type: 'AWS::EC2::SecurityGroupEgress'
    Properties:
      IpProtocol: tcp
      FromPort: '3306'
      ToPort: '3306'
      DestinationSecurityGroupId: !GetAtt 
        - DBSecurityGroup
        - GroupId
      GroupId: !GetAtt 
        - ContainerSecurityGroup
        - GroupId
  EFSSecurityGroup:
    Type: 'AWS::EC2::SecurityGroup'
    Properties:
      GroupDescription: EFS Security Group
      VpcId: !Ref VPCID
      Tags:
        - Key: Name
          Value: !Join 
            - '-'
            - - !Ref 'AWS::StackName'
              - EFSSecurityGroup
  SecurityGroupRuleAppEFS:
    Type: 'AWS::EC2::SecurityGroupIngress'
    Properties:
      IpProtocol: tcp
      Description: Allow access from container security group
      FromPort: '2049'
      ToPort: '2049'
      SourceSecurityGroupId: !GetAtt 
        - ContainerSecurityGroup
        - GroupId
      GroupId: !GetAtt 
        - EFSSecurityGroup
        - GroupId
  SecurityGroupRuleEFSContainerEgress:
    Type: 'AWS::EC2::SecurityGroupEgress'
    Properties:
      IpProtocol: tcp
      FromPort: '2049'
      ToPort: '2049'
      DestinationSecurityGroupId: !GetAtt 
        - ContainerSecurityGroup
        - GroupId
      GroupId: !GetAtt 
        - EFSSecurityGroup
        - GroupId
  SecurityGroupRuleContainerEFSEgress:
    Type: 'AWS::EC2::SecurityGroupEgress'
    Properties:
      IpProtocol: tcp
      FromPort: '2049'
      ToPort: '2049'
      DestinationSecurityGroupId: !GetAtt 
        - EFSSecurityGroup
        - GroupId
      GroupId: !GetAtt 
        - ContainerSecurityGroup
        - GroupId

Outputs:
  DBSecurityGroupId:
    Description: The group ID of the database security group.
    Value: !GetAtt 
      - DBSecurityGroup
      - GroupId
  LoadBalancerSecurityGroupId:
    Description: The group ID of the load balancer security group.
    Value: !GetAtt 
      - ALBSecurityGroup
      - GroupId
  ContainerSecurityGroupId:
    Description: The group ID of the container security group.
    Value: !GetAtt 
      - ContainerSecurityGroup
      - GroupId
  FileSystemSecurityGroupId:
    Description: The group ID of the filesystem security group.
    Value: !GetAtt 
      - EFSSecurityGroup
      - GroupId