AWSTemplateFormatVersion: 2010-09-09
Description: CoreOS stack

# Mappings
# =================================================

Mappings:
  RegionMap:
    eu-west-1:
      ami: ami-8368adf4
    us-east-1:
      ami: ami-3becf652
    us-west-1:
      ami: ami-e4dde5a1
    us-west-2:
      ami: ami-388bfe08
    ap-southeast-1:
      ami: ami-28bdee7a
    ap-southeast-2:
      ami: ami-7d2fb747
    ap-northeast-1:
      ami: ami-fb5822fa
    sa-east-1:
      ami: ami-83c76a9e


# Parameters
# =================================================

Parameters:
  InstanceType:
    Description: "EC2 instance type (e.g. m1.small, c1.medium, ...)"
    Type: String
    Default: c3.large
    AllowedValues: [ t1.micro, m1.small, m1.medium, m1.large, m1.xlarge, m3.xlarge, m3.2xlarge, m2.xlarge, m2.2xlarge, m2.4xlarge, c1.medium, c1.xlarge, cc1.4xlarge, cc2.8xlarge, cg1.4xlarge, hi1.4xlarge, hs1.8xlarge, c3.large, c3.xlarge ]
    ConstraintDescription: Must be a valid EC2 instance type

  ClusterSize:
    Description: Number of nodes in your cluster (3-12)
    Type: Number
    Default: 2
    MinValue: 2
    MaxValue: 12

  DiscoveryURL:
    Description: An unique etcd cluster discovery URL. Grab a new token from https://discovery.etcd.io/new
    Type: String

  AdvertisedIPAddress:
    Type: String
    Description: "Use 'private' if your etcd cluster is within one region or 'public' if it spans regions or cloud providers."
    Default: private
    AllowedValues: [ private, public ]

  AllowSSHFrom:
    Description: The net block (CIDR) that SSH is available to.
    Default: "0.0.0.0/0"
    Type: String

  KeyPair:
    Description: The name of an existing EC2 Key Pair to allow SSH access to the instance.
    Type: String


# Resources
# =================================================

Resources:

  CoreOSELB:
    Type: AWS::ElasticLoadBalancing::LoadBalancer
    Properties:
      CrossZone: true
      Listeners:
        - InstancePort: 80
          Protocol: HTTP
          LoadBalancerPort: 80
      HealthCheck:
        HealthyThreshold: 2
        Timeout: 9
        Interval: 10
        UnhealthyThreshold: 5
        Target: "HTTP:80/"
      AvailabilityZones:
        "Fn::GetAZs":
          Ref: "AWS::Region"

  CoreOSAccessKey:
    Type: AWS::IAM::AccessKey
    Properties:
      UserName:
        Ref: CoreOSUser

  CoreOSUser:
    DependsOn: CoreOSELB
    Type: AWS::IAM::User
    Properties:
      Policies:
        - PolicyName: ebs
          PolicyDocument:
            Statement:
              - Effect: Allow
                Action: "elb:*"
                Resource: "*"

  CoreOSSecurityGroup:
    DependsOn: CoreOSELB
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: CoreOS SecurityGroup
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp:
            Ref: AllowSSHFrom

        - FromPort: 80
          ToPort: 80
          IpProtocol: tcp
          SourceSecurityGroupOwnerId:
            "Fn::GetAtt":
              - CoreOSELB
              - "SourceSecurityGroup.OwnerAlias"
          SourceSecurityGroupName:
            "Fn::GetAtt":
              - CoreOSELB
              - "SourceSecurityGroup.GroupName"

  Ingress4001:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupName:
        Ref: CoreOSSecurityGroup
      IpProtocol: tcp
      FromPort: 4001
      ToPort: 4001
      SourceSecurityGroupId:
        "Fn::GetAtt":
          - CoreOSSecurityGroup
          - GroupId

  Ingress7001:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupName:
        Ref: CoreOSSecurityGroup
      IpProtocol: tcp
      FromPort: 7001
      ToPort: 7001
      SourceSecurityGroupId:
        "Fn::GetAtt":
          - CoreOSSecurityGroup
          - GroupId

  IngressApps:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupName:
        Ref: CoreOSSecurityGroup
      IpProtocol: tcp
      FromPort: 5000
      ToPort: 6000
      SourceSecurityGroupId:
        "Fn::GetAtt":
          - CoreOSSecurityGroup
          - GroupId

  CoreOSServerAutoScale:
    Type: AWS::AutoScaling::AutoScalingGroup
    Properties:
      AvailabilityZones:
        "Fn::GetAZs":
          Ref: "AWS::Region"
      LaunchConfigurationName:
        Ref: CoreOSServerLaunchConfig
      MinSize: 2
      MaxSize: 12
      DesiredCapacity:
        Ref: ClusterSize
      LoadBalancerNames:
        - Ref: CoreOSELB
      Tags:
        - Key: Name
          Value:
            Ref: "AWS::StackName"
          PropagateAtLaunch: true

  CoreOSServerLaunchConfig:
    Type: AWS::AutoScaling::LaunchConfiguration
    Properties:
      ImageId:
        "Fn::FindInMap":
          - RegionMap
          - Ref: AWS::Region
          - ami
      InstanceType:
        Ref: InstanceType
      KeyName:
        Ref: KeyPair
      SecurityGroups:
        - Ref: CoreOSSecurityGroup
      UserData:
        "Fn::Base64":
          "Fn::Join":
            - ""
            -
              - "#cloud-config\n\n"
              - "coreos:\n"
              - "  etcd:\n"
              - "    discovery: "
              - Ref: DiscoveryURL
              - "\n"
              - "    addr: $"
              - Ref: AdvertisedIPAddress
              - "_ipv4:4001\n"
              - "    peer-addr: $"
              - Ref: AdvertisedIPAddress
              - "_ipv4:7001\n"
              - "  units:\n"
              - "    - name: etcd.service\n"
              - "      command: start\n"
              - "    - name: fleet.service\n"
              - "      command: start\n"


# Outputs
# =================================================

Outputs:
  AccessKeyId:
    Description: AWS AccessKeyId for the coreos IAM user
    Value:
      Ref: CoreOSAccessKey

  SecretAccessKey:
    Description: AWS SecretAccessKey for the coreos IAM user
    Value:
      "Fn::GetAtt":
        - CoreOSAccessKey
        - SecretAccessKey