Parameters:
  ProjectName:
    Type: String
    Description: Project name to link stacks

  EnvoyImage:
    Type: String
    Description: Envoy container image

  ColorServerImage:
    Type: String
    Description: Color server app container image

  ContainerPort:
    Type: Number
    Description: Port number to use for applications
    Default: 8080

Resources:
  PublicLoadBalancer:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Type: network
      Scheme: internet-facing
      Subnets:
      - Fn::ImportValue: !Sub '${ProjectName}:PublicSubnet1'
      - Fn::ImportValue: !Sub '${ProjectName}:PublicSubnet2'

  WebTargetGroup:
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    Properties:
      HealthCheckIntervalSeconds: 30
      HealthCheckPort: 8080
      HealthCheckProtocol: TCP
      HealthCheckTimeoutSeconds: 10
      HealthyThresholdCount: 3
      TargetType: ip
      Name: !Sub '${ProjectName}-wtg'
      Port: 80
      Protocol: TCP
      UnhealthyThresholdCount: 3
      TargetGroupAttributes:
      - Key: deregistration_delay.timeout_seconds
        Value: 120
      VpcId:
        Fn::ImportValue: !Sub '${ProjectName}:VPC'

  PublicLoadBalancerListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    DependsOn:
      - PublicLoadBalancer
    Properties:
      DefaultActions:
      - TargetGroupArn: !Ref WebTargetGroup
        Type: 'forward'
      LoadBalancerArn: !Ref PublicLoadBalancer
      Port: 80
      Protocol: TCP

  TaskSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: "Security group for the tasks"
      VpcId:
        Fn::ImportValue: !Sub '${ProjectName}:VPC'
      SecurityGroupIngress:
      - CidrIp:
          Fn::ImportValue: !Sub '${ProjectName}:VpcCIDR'
        IpProtocol: -1

  LogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      LogGroupName: !Sub '${ProjectName}-log-group'
      RetentionInDays: 30

  TaskIamRole:
    Type: AWS::IAM::Role
    Properties:
      Path: /
      AssumeRolePolicyDocument: |
        {
            "Statement": [{
                "Effect": "Allow",
                "Principal": { "Service": [ "ecs-tasks.amazonaws.com" ]},
                "Action": [ "sts:AssumeRole" ]
            }]
        }
      ManagedPolicyArns:
      - arn:aws:iam::aws:policy/CloudWatchFullAccess
      - arn:aws:iam::aws:policy/AWSXRayDaemonWriteAccess
      - arn:aws:iam::aws:policy/AWSAppMeshEnvoyAccess

  TaskExecutionIamRole:
    Type: AWS::IAM::Role
    Properties:
      Path: /
      AssumeRolePolicyDocument: |
        {
            "Statement": [{
                "Effect": "Allow",
                "Principal": { "Service": [ "ecs-tasks.amazonaws.com" ]},
                "Action": [ "sts:AssumeRole" ]
            }]
        }
      ManagedPolicyArns:
      - arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly
      - arn:aws:iam::aws:policy/CloudWatchLogsFullAccess

  SecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: "Security group for the instances"
      VpcId:
        Fn::ImportValue: !Sub '${ProjectName}:VPC'
      SecurityGroupIngress:
      - CidrIp:
          Fn::ImportValue: !Sub '${ProjectName}:VpcCIDR'
        IpProtocol: -1

  ColorGatewayRegistry:
    Type: AWS::ServiceDiscovery::Service
    Properties:
      Name: 'color_gateway'
      DnsConfig:
        NamespaceId:
          Fn::ImportValue: !Sub '${ProjectName}:CloudMapNamespaceId'
        DnsRecords:
        - Type: A
          TTL: 300
      HealthCheckCustomConfig:
        FailureThreshold: 1

  ColorGatewayService:
    Type: AWS::ECS::Service
    DependsOn:
    - ColorServerService
    - PublicLoadBalancerListener
    Properties:
      Cluster:
        Fn::ImportValue: !Sub '${ProjectName}:ECSCluster'
      DeploymentConfiguration:
        MaximumPercent: 200
        MinimumHealthyPercent: 100
      DesiredCount: 1
      LaunchType: 'FARGATE'
      ServiceRegistries:
      - RegistryArn: !GetAtt 'ColorGatewayRegistry.Arn'
      NetworkConfiguration:
        AwsvpcConfiguration:
          AssignPublicIp: DISABLED
          SecurityGroups:
          - !Ref SecurityGroup
          Subnets:
          - Fn::ImportValue: !Sub '${ProjectName}:PrivateSubnet1'
          - Fn::ImportValue: !Sub '${ProjectName}:PrivateSubnet2'
      TaskDefinition: !Ref ColorGatewayTaskDef
      LoadBalancers:
      - ContainerName: app
        ContainerPort: !Ref ContainerPort
        TargetGroupArn: !Ref WebTargetGroup

  ColorGatewayTaskDef:
    Type: AWS::ECS::TaskDefinition
    Properties:
      RequiresCompatibilities:
      - 'FARGATE'
      Family: 'color_gateway'
      NetworkMode: 'awsvpc'
      Cpu: 256
      Memory: 512
      TaskRoleArn: !Ref TaskIamRole
      ExecutionRoleArn: !Ref TaskExecutionIamRole
      ContainerDefinitions:
      - Name: app
        Image: !Ref EnvoyImage
        Essential: true
        User: '1337'
        Ulimits:
        - Name: "nofile"
          HardLimit: 15000
          SoftLimit: 15000
        PortMappings:
        - ContainerPort: 9901
          Protocol: 'tcp'
        - ContainerPort: !Ref ContainerPort
          Protocol: 'tcp'   
        HealthCheck:
          Command:
          - 'CMD-SHELL'
          - 'curl -s http://localhost:9901/server_info | grep state | grep -q LIVE'
          Interval: 5
          Timeout: 2
          Retries: 3
        LogConfiguration:
          LogDriver: 'awslogs'
          Options:
            awslogs-group: !Sub '${ProjectName}-log-group'
            awslogs-region: !Ref AWS::Region
            awslogs-stream-prefix: 'color_gateway-envoy'
        Environment:
        - Name: 'APPMESH_RESOURCE_ARN'
          Value: !Sub 'mesh/${ProjectName}-mesh/virtualGateway/color_gateway'
        - Name: 'ENVOY_LOG_LEVEL'
          Value: 'debug'

  ColorServerRegistry:
    Type: AWS::ServiceDiscovery::Service
    Properties:
      Name: 'color_server'
      DnsConfig:
        NamespaceId:
          Fn::ImportValue: !Sub '${ProjectName}:CloudMapNamespaceId'
        DnsRecords:
        - Type: A
          TTL: 300
      HealthCheckCustomConfig:
        FailureThreshold: 1

  ColorServerService:
    Type: AWS::ECS::Service
    Properties:
      Cluster:
        Fn::ImportValue: !Sub '${ProjectName}:ECSCluster'
      DeploymentConfiguration:
        MaximumPercent: 200
        MinimumHealthyPercent: 100
      DesiredCount: 1
      LaunchType: 'FARGATE'
      ServiceRegistries:
      - RegistryArn: !GetAtt 'ColorServerRegistry.Arn'
      NetworkConfiguration:
        AwsvpcConfiguration:
          AssignPublicIp: DISABLED
          SecurityGroups:
          - !Ref SecurityGroup
          Subnets:
          - Fn::ImportValue: !Sub '${ProjectName}:PrivateSubnet1'
          - Fn::ImportValue: !Sub '${ProjectName}:PrivateSubnet2'
      TaskDefinition: !Ref ColorServerTaskDef

  ColorServerTaskDef:
    Type: AWS::ECS::TaskDefinition
    Properties:
      RequiresCompatibilities:
      - 'FARGATE'
      Family: 'color_server'
      NetworkMode: 'awsvpc'
      Cpu: 256
      Memory: 512
      TaskRoleArn: !Ref TaskIamRole
      ExecutionRoleArn: !Ref TaskExecutionIamRole
      ProxyConfiguration:
        Type: 'APPMESH'
        ContainerName: 'envoy'
        ProxyConfigurationProperties:
        - Name: 'IgnoredUID'
          Value: '1337'
        - Name: 'ProxyIngressPort'
          Value: '15000'
        - Name: 'ProxyEgressPort'
          Value: '15001'
        - Name: 'AppPorts'
          Value: !Sub '${ContainerPort}'
        - Name: 'EgressIgnoredIPs'
          Value: '169.254.170.2,169.254.169.254'
      ContainerDefinitions:
      - Name: 'app'
        Image: !Ref ColorServerImage
        Essential: true
        LogConfiguration:
          LogDriver: 'awslogs'
          Options:
            awslogs-group: !Sub '${ProjectName}-log-group'
            awslogs-region: !Ref AWS::Region
            awslogs-stream-prefix: 'color_server'
        PortMappings:
        - ContainerPort: !Ref ContainerPort
          Protocol: 'tcp'
        Environment:
        - Name: 'PORT'
          Value: !Sub '${ContainerPort}'
        - Name: 'COLOR'
          Value: !Sub 'no color!'
      - Name: envoy
        Image: !Ref EnvoyImage
        Essential: true
        User: '1337'
        Ulimits:
        - Name: "nofile"
          HardLimit: 15000
          SoftLimit: 15000
        PortMappings:
        - ContainerPort: 9901
          Protocol: 'tcp'
        - ContainerPort: 15000
          Protocol: 'tcp'
        - ContainerPort: 15001
          Protocol: 'tcp'
        HealthCheck:
          Command:
          - 'CMD-SHELL'
          - 'curl -s http://localhost:9901/server_info | grep state | grep -q LIVE'
          Interval: 5
          Timeout: 2
          Retries: 3
        LogConfiguration:
          LogDriver: 'awslogs'
          Options:
            awslogs-group: !Sub '${ProjectName}-log-group'
            awslogs-region: !Ref AWS::Region
            awslogs-stream-prefix: 'color_server-envoy'
        Environment:
        - Name: 'APPMESH_RESOURCE_ARN'
          Value: !Sub 'mesh/${ProjectName}-mesh/virtualNode/color_server'
        - Name: 'ENVOY_LOG_LEVEL'
          Value: 'debug'

Outputs:
  PublicEndpoint:
    Description: 'Public endpoint for the color client service'
    Value: !Join ['', ['http://', !GetAtt 'PublicLoadBalancer.DNSName']]
    Export:
      Name: !Sub '${ProjectName}:PublicEndpoint'