# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License").
# You may not use this file except in compliance with the License.
# A copy of the License is located at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# or in the "license" file accompanying this file. This file is distributed
# on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
# express or implied. See the License for the specific language governing
# permissions and limitations under the License.
# The child templates we added an X to the end of the solutionID for so only the root template is counted in reporting. 
Description: (SO0153X) - __SOLUTION_NAME__ __VERSION__ Create a security group to allow for accessing the remote hosts.
Parameters:
  HostAccessCIDR:
    Default: 1.1.1.1/32
    Description: CIDR Block for the edit Host to control authorized access.
    Type: String
    AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$'
  VPCID:
    Description: ID of the VPC (e.g., vpc-0343606e)
    Type: AWS::EC2::VPC::Id
  RemoteDisplayProtocol:
    Description: Remote Display Protocol configured on the instance (Teradici PCoIP | NICE DCV)
    Type: String
    Default: teradici
    AllowedValues:
      - teradici
      - nicedcv

Conditions:
  DeployTeradici: !Equals [!Ref RemoteDisplayProtocol, teradici]
  DeployNICEDCV: !Equals [!Ref RemoteDisplayProtocol, nicedcv]

Resources:
  HostSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Metadata:
      cfn_nag:
        rules_to_suppress:
          - id: W5
            reason: "Using open egress so that EC2 has full internet access"
          - id: W29
            reason: "Using open egress so that EC2 has full internet access"
    Properties:
      GroupDescription: ssh and rdp
      SecurityGroupEgress:
        - IpProtocol: udp
          Description: "All UDP Traffic"
          FromPort: 0
          ToPort: 65535
          CidrIp: 0.0.0.0/0
        - IpProtocol: tcp
          Description: "All TCP Traffic"
          FromPort: 0
          ToPort: 65535
          CidrIp: 0.0.0.0/0
      SecurityGroupIngress:
        - IpProtocol: tcp
          Description: "Microsoft Remote Desktop"
          FromPort: 3389
          ToPort: 3389
          CidrIp: !Ref 'HostAccessCIDR'
        - !If 
          - DeployTeradici
          - IpProtocol: tcp
            Description: "HTTPS"
            FromPort: 443
            ToPort: 443
            CidrIp: !Ref 'HostAccessCIDR'
          - !Ref AWS::NoValue
        - !If 
          - DeployTeradici
          - IpProtocol: udp
            Description: "Teradici PCoIP"
            FromPort: 4172
            ToPort: 4172
            CidrIp: !Ref 'HostAccessCIDR'
          - !Ref AWS::NoValue
        - !If 
          - DeployTeradici
          - IpProtocol: tcp
            Description: "Teradici PCoIP"
            FromPort: 4172
            ToPort: 4172
            CidrIp: !Ref 'HostAccessCIDR'
          - !Ref AWS::NoValue
        - !If 
          - DeployNICEDCV
          - IpProtocol: tcp
            Description: "NICE DCV"
            FromPort: 8443
            ToPort: 8443
            CidrIp: !Ref 'HostAccessCIDR'
          - !Ref AWS::NoValue
        - !If 
          - DeployNICEDCV
          - IpProtocol: udp
            Description: "NICE DCV"
            FromPort: 8443
            ToPort: 8443
            CidrIp: !Ref 'HostAccessCIDR'
          - !Ref AWS::NoValue
      VpcId: !Ref 'VPCID'
Outputs:
  EditInstanceSG:
    Value: !Ref 'HostSecurityGroup'
    Description: The SG for the Edit Instance