AWSTemplateFormatVersion: 2010-09-09
Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
    Description: VpcId of your existing Virtual Private Cloud (VPC)
    ConstraintDescription: must be the VPC Id of an existing Virtual Private Cloud.

  SubnetId:
    Type: AWS::EC2::Subnet::Id
    Description: SubnetId of an existing public subnet (for the primary network) in selected Virtual Private Cloud (VPC)
    ConstraintDescription: must be an existing public subnet in the selected Virtual Private Cloud.

  EC2InstanceType :
    Description : Rapticore Server EC2 instance type
    Type : String
    Default : t3.large
    ConstraintDescription : must be a valid EC2 instance type.
    AllowedValues: [t3.medium, t3.large, t3.2xlarge, c3.large, c3.xlarge, c3.2xlarge, c3.4xlarge, c4.large, c4.xlarge, c4.2xlarge, c4.4xlarge, c5.large, c5.xlarge, c5.2xlarge, c5.4xlarge, c5a.large, c5a.xlarge, c5a.2xlarge, c5a.4xlarge]

  Domain:
    Description: 'The domain name of your Rapticore instance.'
    Type: String
    ConstraintDescription: must be a valid domain name i.e., domain.ore.rapticore.cloud

  HostedZoneID:
      Description: 'The ID of your Route 53 hosted zone. Domain name record will be created in this zone.'
      Type: 'AWS::Route53::HostedZone::Id'

Resources:
  #####
  # Network resources
  #####
  RapticoreSecurityGroup:
    Type: 'AWS::EC2::SecurityGroup'
    Properties:
      GroupDescription: Enable HTTP access
      VpcId: !Ref VpcId
      Tags:
        - Key: Name
          Value: Rapticore-Standard-Security-Group
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp: 0.0.0.0/0
        - IpProtocol: tcp
          FromPort: 6100
          ToPort: 6100
          CidrIp: 0.0.0.0/0

  NetworkLoadBalancer:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Name: !Join [ "", [ !Select [0, !Split [., !Ref Domain ]],'-elb' ] ]
      IpAddressType: ipv4
      Scheme: internet-facing
      Subnets: [!Ref SubnetId]
      Type: network
      Tags:
          - Key: 'Name'
            Value: !Join [ "", [!Ref Domain,'-loadbalancer' ] ]
  NetworkLoadBalancerTargetGroup:
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    Properties:
      Name: !Join [ "", [ !Select [0, !Split [., !Ref Domain ]],'-target-group' ] ]
      Port: 443
      Protocol: TLS
      VpcId: !Ref VpcId
      TargetType: instance
      Targets:
        - Id:  !Ref EC2Instance
  # Set up TLS Cert
  Cert:
    Type: 'AWS::CertificateManager::Certificate'
    Properties:
      DomainName: !Ref Domain
      ValidationMethod: DNS

  NetworkLoadBalancerListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      DefaultActions:
        - Type: forward
          TargetGroupArn: !Ref NetworkLoadBalancerTargetGroup
      LoadBalancerArn: !Ref NetworkLoadBalancer
      Port: 443
      Protocol: TLS
      Certificates:
        - CertificateArn: !Ref Cert

  #####
  # EC2 resources
  #####
  EC2InstanceProfileRoleForRapticore:
    Type: "AWS::IAM::Role"
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Principal:
              Service:
                - "ec2.amazonaws.com"
            Action:
              - "sts:AssumeRole"
      Description: !Sub 'Rapticore Standard EC2 IAM Role Deployment'
      Policies:
        - PolicyDocument:
            Statement:
              - Action:
                  - iam:ListRole*
                  - ec2:DescribeRegions
                  - iam:GetRole*
                Effect: Allow
                Resource: '*'
                Sid: AllowIamEc2ReadyOnly
              - Action: sts:AssumeRole
                Effect: Allow
                Resource: 'arn:aws:iam::*:role/rapticore*'
                Sid: EC2AssumeRole
          PolicyName: RapticoreEc2Policy
        - PolicyDocument:
            Statement:
              - Action:
                  - sqs:ChangeMessageVisibility
                  - sqs:DeleteMessage
                  - sqs:GetQueueAttributes
                  - sqs:GetQueueUrl
                  - sqs:ListDeadLetterSourceQueues
                  - sqs:ListQueueTags
                  - sqs:ListQueues
                  - sqs:ReceiveMessage
                  - sqs:SendMessage
                Effect: Allow
                Resource: arn:aws:sqs:us-west-2:343027753149:real-time-threat-alert-trigger
                Sid: AllowRapticoreRealtimeAlert
          PolicyName: RapticoreRealTimeAlertPolicy
      RoleName: !Join [ "", [ 'RapticoreStandardEc2IAMRole', !Select [0, !Split [., !Ref Domain ]] ] ]


  EC2InstanceProfileForRapticore:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Roles:
        - !Ref EC2InstanceProfileRoleForRapticore

  EC2Instance:
    Type: AWS::EC2::Instance
    Properties:
      IamInstanceProfile: !Ref EC2InstanceProfileForRapticore
      ImageId: ami-09ca9451840476dc8
      InstanceType: !Ref EC2InstanceType
      SecurityGroupIds:
        - !Ref RapticoreSecurityGroup
      SubnetId: !Ref SubnetId
      Tags:
        - Key: Name
          Value: !Join [ "", [!Ref Domain,'Rapticore-standard' ] ]

  # Set up A Record via Route 53
  Route53Record:
    Type: AWS::Route53::RecordSetGroup
    Properties:
      HostedZoneId: !Ref HostedZoneID
      Comment: Route 53 record for Rapticore Standard
      RecordSets:
        - Name: !Ref Domain
          Type: A
          AliasTarget:
            HostedZoneId: !GetAtt 'NetworkLoadBalancer.CanonicalHostedZoneID'
            DNSName: !GetAtt NetworkLoadBalancer.DNSName


Outputs:
  RapticoreStandardURL:
    Value: !Join [ "", [ "https://", !Ref Domain ] ]
    Description: Rapticore Standard URL
  RapticoreStandardInstanceId:
    Description: Instance ID of the launched EC2 instance
    Value:  !Ref EC2Instance
    Export:
      Name: !Join [ "", [ "RapticoreStandardInstanceId-", !Select [0, !Split [., !Ref Domain ]] ] ]