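---
AWSTemplateFormatVersion: '2010-09-09'
Description: >-
  SSM VPC Interface Endpoints - allows SSM Run Command to reach instances in
  private subnets that have no internet or NAT path to the SSM service

Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
    Description: VPC where compromised instances run
  VpcCidr:
    Type: String
    Description: >-
      VPC CIDR block (e.g., 10.0.0.0/16); this is the only source range allowed
      to reach the endpoint ENIs on 443
    Default: '10.0.0.0/16'
    # Reject anything that is not a dotted-quad/prefix so a typo cannot
    # surface later as a failed or over-broad ingress rule.
    AllowedPattern: '^(\d{1,3}\.){3}\d{1,3}/\d{1,2}$'
    ConstraintDescription: must be a valid IPv4 CIDR block, e.g. 10.0.0.0/16
  SubnetIds:
    # A bare "List" is not a valid CloudFormation parameter type; the typed
    # list makes the console/CLI validate that real subnet IDs are supplied.
    # Callers still pass a comma-separated list, so this is backward-compatible.
    Type: List<AWS::EC2::Subnet::Id>
    Description: Private subnet IDs for interface endpoints (one per AZ is enough)
  CreateKmsEndpoint:
    Type: String
    Description: >-
      Set to 'false' to skip the KMS endpoint; it is only needed when SSM
      sessions or parameters are encrypted with a customer-managed KMS key
    Default: 'true'
    AllowedValues: ['true', 'false']

Conditions:
  CreateKmsEndpoint: !Equals [!Ref CreateKmsEndpoint, 'true']

Resources:
  # Shared security group for the endpoint ENIs. Only inbound HTTPS from the
  # VPC range is opened; egress is left at the AWS default for the group.
  # NOTE: GroupName is fixed, so deploying this stack twice into the same VPC
  # fails with a name conflict - deploy it once per VPC.
  EndpointSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupName: vpc-endpoints-sg
      GroupDescription: Allow HTTPS from VPC for SSM endpoints
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp: !Ref VpcCidr
          Description: HTTPS from VPC to SSM interface endpoints
      Tags:
        - Key: Name
          Value: vpc-endpoints-sg

  # The SSM agent needs all three of ssm, ssmmessages and ec2messages for
  # Run Command and Session Manager. PrivateDnsEnabled makes the public
  # service hostnames resolve to the endpoint ENIs, so the agent needs no
  # configuration change.
  # NOTE(review): no PolicyDocument is set, so each endpoint keeps the default
  # full-access endpoint policy and access control rests on the instance role.
  # Add a PolicyDocument with an aws:PrincipalAccount condition if the endpoint
  # must not be usable by principals from other accounts.
  # NOTE(review): if command output is written to S3 or CloudWatch Logs, an S3
  # gateway endpoint / logs interface endpoint is also needed - not created here.
  SSMEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcId: !Ref VpcId
      ServiceName: !Sub 'com.amazonaws.${AWS::Region}.ssm'
      VpcEndpointType: Interface
      PrivateDnsEnabled: true
      SubnetIds: !Ref SubnetIds
      SecurityGroupIds:
        - !Ref EndpointSecurityGroup

  SSMMessagesEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcId: !Ref VpcId
      ServiceName: !Sub 'com.amazonaws.${AWS::Region}.ssmmessages'
      VpcEndpointType: Interface
      PrivateDnsEnabled: true
      SubnetIds: !Ref SubnetIds
      SecurityGroupIds:
        - !Ref EndpointSecurityGroup

  EC2MessagesEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcId: !Ref VpcId
      ServiceName: !Sub 'com.amazonaws.${AWS::Region}.ec2messages'
      VpcEndpointType: Interface
      PrivateDnsEnabled: true
      SubnetIds: !Ref SubnetIds
      SecurityGroupIds:
        - !Ref EndpointSecurityGroup

  # Required only if SSM sessions are encrypted with a customer-managed KMS key;
  # created by default, skipped when CreateKmsEndpoint is 'false'.
  KMSEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Condition: CreateKmsEndpoint
    Properties:
      VpcId: !Ref VpcId
      ServiceName: !Sub 'com.amazonaws.${AWS::Region}.kms'
      VpcEndpointType: Interface
      PrivateDnsEnabled: true
      SubnetIds: !Ref SubnetIds
      SecurityGroupIds:
        - !Ref EndpointSecurityGroup

Outputs:
  SSMEndpointId:
    Value: !Ref SSMEndpoint
    Description: SSM Interface Endpoint ID
  SSMMessagesEndpointId:
    Value: !Ref SSMMessagesEndpoint
    Description: SSM Messages Interface Endpoint ID
  EC2MessagesEndpointId:
    Value: !Ref EC2MessagesEndpoint
    Description: EC2 Messages Interface Endpoint ID
  KMSEndpointId:
    Condition: CreateKmsEndpoint
    Value: !Ref KMSEndpoint
    Description: KMS Interface Endpoint ID (only when CreateKmsEndpoint is 'true')
  EndpointSecurityGroupId:
    Value: !Ref EndpointSecurityGroup
    Description: Security Group for VPC Endpoints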