Description: >
  This template deploys an ECS cluster to the provided VPC and subnets
  using an Auto Scaling Group

Parameters:

  EnvironmentName:
    Description: An environment name that will be prefixed to resource names
    Type: String

  LogGroupName:
    Type: String
    Default: "AppMeshExamples/mtls-acm-appmesh"

  ECSServiceLogGroupRetentionInDays:
    Type: Number
    Default: 30

  ECSServicesDomain:
    Type: String
    Description: "Domain name registered under Route-53 that will be used for Service Discovery"
    
  EC2Ami:
    Description: EC2 AMI ID
    Type: AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>
    Default: "/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2"

Metadata:
  cfn-lint:
    config:
      ignore_checks:
        - E3012

Resources:

  ECSCluster:
    Type: AWS::ECS::Cluster
    Properties:
      ClusterName: !Ref EnvironmentName

  ECSServiceSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties: 
      GroupDescription: "Security group for the service"
      VpcId:
        'Fn::ImportValue': !Sub "${EnvironmentName}:VPC"
      SecurityGroupIngress:
        - CidrIp:
            'Fn::ImportValue': !Sub "${EnvironmentName}:VpcCIDR"
          IpProtocol: -1

  TaskIamRole:
    Type: AWS::IAM::Role
    Properties:
      Path: /
      AssumeRolePolicyDocument: |
        {
            "Statement": [{
                "Effect": "Allow",
                "Principal": { "Service": [ "ecs-tasks.amazonaws.com" ]},
                "Action": [ "sts:AssumeRole" ]
            }]
        }
      ManagedPolicyArns:
        - !Sub 'arn:${AWS::Partition}:iam::aws:policy/CloudWatchFullAccess'
        - !Sub 'arn:${AWS::Partition}:iam::aws:policy/AWSAppMeshEnvoyAccess'
      Policies:
        - PolicyName: access-to-acm
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action: acm:ExportCertificate
                Resource: 
                  - 
                    'Fn::ImportValue': !Sub "${EnvironmentName}:AcmPcaColorTellerEndpointCertArn"
                  - 
                    'Fn::ImportValue': !Sub "${EnvironmentName}:AcmPcaColorGatewayEndpointCertArn"
              - Effect: Allow
                Action: acm-pca:GetCertificateAuthorityCertificate
                Resource:
                  - 'Fn::ImportValue': !Sub "${EnvironmentName}:AcmPcaColorTellerRootCAArn"
                  - 
                    'Fn::ImportValue': !Sub "${EnvironmentName}:AcmPcaColorGatewayRootCAArn"

  TaskExecutionIamRole:
    Type: AWS::IAM::Role
    Properties:
      Path: /
      AssumeRolePolicyDocument: |
        {
            "Statement": [{
                "Effect": "Allow",
                "Principal": { "Service": [ "ecs-tasks.amazonaws.com" ]},
                "Action": [ "sts:AssumeRole" ]
            }]
        }
      ManagedPolicyArns:
        - !Sub 'arn:${AWS::Partition}:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly'
        - !Sub 'arn:${AWS::Partition}:iam::aws:policy/CloudWatchLogsFullAccess'
      Policies:
      - PolicyName: secretsmanager-access
        PolicyDocument:
          Version: "2012-10-17"
          Statement:
              - Effect: Allow
                Action: 'secretsmanager:GetSecretValue'
                Resource: {'Fn::ImportValue': !Sub "${EnvironmentName}:SecretCertArn"}

  ECSServiceLogGroup:
    Type: 'AWS::Logs::LogGroup'
    Properties:
      LogGroupName: !Ref LogGroupName
      RetentionInDays: !Ref ECSServiceLogGroupRetentionInDays

  ECSServiceDiscoveryNamespace:
    Type: AWS::ServiceDiscovery::PrivateDnsNamespace
    Properties:
      Vpc:
        'Fn::ImportValue': !Sub "${EnvironmentName}:VPC"
      Name: { Ref: ECSServicesDomain }

  BastionHost:
    Type: AWS::EC2::Instance
    Properties: 
      ImageId: !Ref EC2Ami
      InstanceType: t3.micro
      SecurityGroupIds:
      - !Ref ECSServiceSecurityGroup
      SubnetId: 
        'Fn::ImportValue': !Sub "${EnvironmentName}:PrivateSubnet1"
      IamInstanceProfile: !Ref BastionInstanceProfile
      Tags: 
        - Key: Name
          Value: bastion-host
  
  BastionInstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Roles:
        - !Ref BastionInstanceRole
  
  BastionInstanceRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: [ec2.amazonaws.com]
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - !Sub 'arn:${AWS::Partition}:iam::aws:policy/AmazonSSMManagedInstanceCore'

Outputs:

  Cluster:
    Description: A reference to the ECS cluster
    Value: !Ref ECSCluster
    Export:
      Name: !Sub "${EnvironmentName}:ECSCluster"

  ECSServiceDiscoveryNamespace:
    Description: A SDS namespace that will be used by all services in this cluster
    Value: !Ref ECSServiceDiscoveryNamespace
    Export:
      Name: !Sub "${EnvironmentName}:ECSServiceDiscoveryNamespace"

  ECSServiceLogGroup:
    Description: Log group for services to publish logs
    Value: !Ref ECSServiceLogGroup
    Export:
      Name: !Sub "${EnvironmentName}:ECSServiceLogGroup"

  ECSServiceSecurityGroup:
    Description: Security group to be used by all services in the cluster
    Value: !Ref ECSServiceSecurityGroup
    Export:
      Name: !Sub "${EnvironmentName}:ECSServiceSecurityGroup"

  TaskExecutionIamRoleArn:
    Description: Task Executin IAM role used by ECS tasks
    Value: { "Fn::GetAtt": TaskExecutionIamRole.Arn }
    Export:
      Name: !Sub "${EnvironmentName}:TaskExecutionIamRoleArn"

  TaskIamRoleArn:
    Description: IAM role to be used by ECS task
    Value: { "Fn::GetAtt": TaskIamRole.Arn }
    Export:
      Name: !Sub "${EnvironmentName}:TaskIamRoleArn"