Description: >
  This template deploys an ECS cluster to the provided VPC and subnets
  using an Auto Scaling Group

Parameters:

  EnvironmentName:
    Description: An environment name that will be prefixed to resource names
    Type: String

  InstanceType:
    Description: Which instance type should we use to build the ECS cluster?
    Type: String
    Default: c4.large

  KeyName:
    Description: The EC2 Key Pair to allow SSH access to the instances
    Type: AWS::EC2::KeyPair::KeyName
  
  ECSServiceLogGroupRetentionInDays:
    Type: Number
    Default: 30

  ECSServicesDomain:
    Type: String
    Description: "Domain name registerd under Route-53 that will be used for Service Discovery"

  EC2Ami:
    Description: EC2 AMI ID
    Type: AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>
    Default: "/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2"

Resources:

  ECSCluster:
    Type: AWS::ECS::Cluster
    Properties:
      ClusterName: !Ref EnvironmentName

  ECSInstancesSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties: 
      GroupDescription: "Security group for the instances"
      VpcId:
        'Fn::ImportValue': !Sub "${EnvironmentName}:VPC"
      SecurityGroupIngress:
        - CidrIp:
            'Fn::ImportValue': !Sub "${EnvironmentName}:VpcCIDR"
          IpProtocol: -1

  ECSServiceSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties: 
      GroupDescription: "Security group for the service"
      VpcId:
        'Fn::ImportValue': !Sub "${EnvironmentName}:VPC"
      SecurityGroupIngress:
        - CidrIp:
            'Fn::ImportValue': !Sub "${EnvironmentName}:VpcCIDR"
          IpProtocol: -1

  TaskIamRole:
    Type: AWS::IAM::Role
    Properties:
      Path: /
      AssumeRolePolicyDocument: |
        {
            "Statement": [{
                "Effect": "Allow",
                "Principal": { "Service": [ "ecs-tasks.amazonaws.com" ]},
                "Action": [ "sts:AssumeRole" ]
            }]
        }
      Policies:
      - PolicyName: ACMExportCertificateAccess
        PolicyDocument: |
          {
            "Statement": [{
              "Effect": "Allow",
              "Action": ["acm:ExportCertificate"],
              "Resource": ["*"]
            }]
          }
      - PolicyName: ACMCertificateAuthorityAccess
        PolicyDocument: |
          {
            "Statement": [{
              "Effect": "Allow",
              "Action": ["acm-pca:GetCertificateAuthorityCertificate"],
              "Resource": ["*"]
            }]
          }
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/CloudWatchFullAccess
        - arn:aws:iam::aws:policy/AWSXRayDaemonWriteAccess
        - arn:aws:iam::aws:policy/AWSAppMeshPreviewEnvoyAccess
        - arn:aws:iam::aws:policy/AWSAppMeshEnvoyAccess

  TaskExecutionIamRole:
    Type: AWS::IAM::Role
    Properties:
      Path: /
      AssumeRolePolicyDocument: |
        {
            "Statement": [{
                "Effect": "Allow",
                "Principal": { "Service": [ "ecs-tasks.amazonaws.com" ]},
                "Action": [ "sts:AssumeRole" ]
            }]
        }
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly
        - arn:aws:iam::aws:policy/CloudWatchLogsFullAccess

  ECSServiceLogGroup:
    Type: 'AWS::Logs::LogGroup'
    Properties:
      RetentionInDays:
        Ref: ECSServiceLogGroupRetentionInDays

  ECSServiceDiscoveryNamespace:
    Type: AWS::ServiceDiscovery::PrivateDnsNamespace
    Properties:
      Vpc:
        'Fn::ImportValue': !Sub "${EnvironmentName}:VPC"
      Name: { Ref: ECSServicesDomain }

  BastionSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Allow http to client host
      VpcId: 
        'Fn::ImportValue': !Sub "${EnvironmentName}:VPC"
      SecurityGroupIngress:
      - IpProtocol: tcp
        FromPort: 22
        ToPort: 22
        CidrIp: 0.0.0.0/0

  BastionHost:
    Type: AWS::EC2::Instance
    Properties: 
      ImageId: !Ref EC2Ami
      KeyName: !Ref KeyName
      InstanceType: t2.micro
      SecurityGroupIds:
      - !Ref BastionSecurityGroup
      SubnetId: 
        'Fn::ImportValue': !Sub "${EnvironmentName}:PublicSubnet1"
      Tags: 
        - Key: Name
          Value: bastion-host

Outputs:

  Cluster:
    Description: A reference to the ECS cluster
    Value: !Ref ECSCluster
    Export:
      Name: !Sub "${EnvironmentName}:ECSCluster"

  ECSServiceDiscoveryNamespace:
    Description: A SDS namespace that will be used by all services in this cluster
    Value: !Ref ECSServiceDiscoveryNamespace
    Export:
      Name: !Sub "${EnvironmentName}:ECSServiceDiscoveryNamespace"

  ECSServiceLogGroup:
    Description: Log group for services to publish logs
    Value: !Ref ECSServiceLogGroup
    Export:
      Name: !Sub "${EnvironmentName}:ECSServiceLogGroup"

  ECSServiceSecurityGroup:
    Description: Security group to be used by all services in the cluster
    Value: !Ref ECSServiceSecurityGroup
    Export:
      Name: !Sub "${EnvironmentName}:ECSServiceSecurityGroup"

  TaskExecutionIamRoleArn:
    Description: Task Executin IAM role used by ECS tasks
    Value: { "Fn::GetAtt": TaskExecutionIamRole.Arn }
    Export:
      Name: !Sub "${EnvironmentName}:TaskExecutionIamRoleArn"

  TaskIamRoleArn:
    Description: IAM role to be used by ECS task
    Value: { "Fn::GetAtt": TaskIamRole.Arn }
    Export:
      Name: !Sub "${EnvironmentName}:TaskIamRoleArn"

  BastionIP:
    Description: Public IP for ssh access to bastion host
    Value:
      'Fn::GetAtt': [ BastionHost, PublicIp ]