# Title: Create VPC with a Linux host bastion
# Tags: infra
# Description: This template build this typical Linux bastion [architecture](http://docs.aws.amazon.com/quickstart/latest/linux-bastion/architecture.html) except it only deploys one host bastion on one public subnet
# MinimalVersion: v0.1.3

# Create a new VPC and make it public with an internet gateway
vpc = create vpc cidr=10.0.0.0/16 name=BastionVpc
gateway = create internetgateway
attach internetgateway id=$gateway vpc=$vpc

# Create 2 private subnets each on a different availability zone
# That is where you will deploy resources only accessible through the bastion
create subnet cidr=10.0.0.0/19 name=PrivSubnet1 vpc=$vpc availabilityzone={availabilityzone.1}
create subnet cidr=10.0.32.0/19 name=PrivSubnet2 vpc=$vpc availabilityzone={availabilityzone.2}

# Create the the public subnet hosting the bastion
pubSubnet = create subnet cidr=10.0.128.0/20 name=PubSubnet1 vpc=$vpc availabilityzone={availabilityzone.1}
update subnet id=$pubSubnet public=true

# Create a route table (with routing only allowed within VPC by default)
rtable = create routetable vpc=$vpc

# Make the public subnet use the route table
attach routetable id=$rtable subnet=$pubSubnet

create route cidr=0.0.0.0/0 gateway=$gateway table=$rtable

# Create the firewall with the remote access CIDR applied on each bastion host
bastionSecGroup = create securitygroup vpc=$vpc description=BastionSecGroup name=bastion-secgroup
update securitygroup id=$bastionSecGroup inbound=authorize protocol=tcp cidr={remoteaccess-cidr} portrange=22
update securitygroup id=$bastionSecGroup inbound=authorize protocol=icmp cidr={remoteaccess-cidr} portrange=any

# Allow only a set of permitted actions for the 2 host bastions
create role name=BastionHostRole principal-service=ec2.amazonaws.com sleep-after=30
bastionEc2Policy = create policy name=BastionEc2Permissions action=[ec2:DescribeAddresses,ec2:AssociateAddress] resource="*" effect=Allow
attach policy role=BastionHostRole arn=$bastionEc2Policy

# Create one elastic IPs for that will be dynamically aasigned to the host bastion by the bootstrap script
create elasticip domain=vpc

# Create the autoscaling group
launchConfig = create launchconfiguration image={instance.image} keypair={keypair.name} securitygroups=$bastionSecGroup name=BastionHostsLaunchConfig type=t2.micro role=BastionHostRole userdata=https://raw.githubusercontent.com/wallix/awless-templates/master/userdata/prepare_bastion.yml
create scalinggroup desired-capacity=1 launchconfiguration=$launchConfig max-size=1 min-size=1 name=autoscaling-instances-group subnets=$pubSubnet