aws_single_instance_hosting.yaml

AWSTemplateFormatVersion: '2010-09-09'
Description: 'Callsign registration service for HAM radio Nets'
Parameters:
  InstanceType:
    Description: WebServer EC2 instance type
    Type: String
    Default: t3.small
    AllowedValues: [t2.nano, t2.micro, t2.small, t2.medium, t2.large,
      t3.nano, t3.micro, t3.small, t3.medium, t3.large, t4g.small]
    ConstraintDescription: must be a valid EC2 instance type.
  KeyName:
    Description: Name of an existing EC2 KeyPair to enable SSH access to the instances
    Type: AWS::EC2::KeyPair::KeyName
    ConstraintDescription: must be the name of an existing EC2 KeyPair.
  SSHLocation:
    Description: The IP address range that can be used to SSH to the EC2 instances
    Type: String
    MinLength: '9'
    MaxLength: '18'
    Default: 0.0.0.0/0
    AllowedPattern: (\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2})
    ConstraintDescription: must be a valid IP CIDR range of the form x.x.x.x/x.
  LatestAmiId:
    Type:  'AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>'
    Default: '/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2'
  QRZUsername:
    Type: 'AWS::SSM::Parameter::Value<String>'
    Default: /registrator/qrz_username
  QRZPassword:
    Type: 'AWS::SSM::Parameter::Value<String>'
    Default: /registrator/qrz_password
  AdminPassword:
    Type: 'AWS::SSM::Parameter::Value<String>'
    Default: /registrator/admin_password
  DNSZoneName:
    Type: 'AWS::SSM::Parameter::Value<String>'
    Default: /registrator/DNS_Zone_Name

Resources:

  S3IAMRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action: 'sts:AssumeRole'
            Principal:
              Service: ec2.amazonaws.com
            Effect: Allow
            Sid: ''
      Policies:
        - PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Action:
                  - 's3:GetObject'
                Resource: !Sub 'arn:aws:s3:::registrator-app-files/registrator.zip'
                Effect: Allow
          PolicyName: AuthenticatedS3GetObjects
        - PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Action:
                  - 'ec2:CreateTags'
                  - 'ec2:DescribeInstances'
                Resource: '*'
                Effect: Allow
          PolicyName: TagRootVolume

  S3IAMInstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Path: /
      Roles:
        - !Ref S3IAMRole

  VPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: '10.10.0.0/16'
      EnableDnsSupport: true
      EnableDnsHostnames: true
      Tags:
        - Key: Name
          Value: 'Registrator VPC'
        - Key: Project
          Value: 'CheckIn'

  InternetGateway:
    Type: AWS::EC2::InternetGateway
    Properties:
      Tags:
        - Key: Name
          Value: 'Registrator IG'

  InternetGatewayAttachment:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      InternetGatewayId: !Ref InternetGateway
      VpcId: !Ref VPC

  PublicSubnet1:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPC
      AvailabilityZone: !Select [ 0, !GetAZs '' ]
      CidrBlock: '10.10.1.0/24'
      MapPublicIpOnLaunch: true
      Tags:
        - Key: Name
          Value: 'Registrator Public Subnet (AZ1)'

  PublicRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VPC
      Tags:
        - Key: Name
          Value: 'Registrator Public Routes'

  DefaultPublicRoute:
    Type: AWS::EC2::Route
    DependsOn: InternetGatewayAttachment
    Properties:
      RouteTableId: !Ref PublicRouteTable
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: !Ref InternetGateway

  PublicSubnet1RouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId: !Ref PublicRouteTable
      SubnetId: !Ref PublicSubnet1

  EC2Instance:
    Type: AWS::EC2::Instance
    DependsOn: InternetGatewayAttachment
    Properties:
      IamInstanceProfile: !Ref S3IAMInstanceProfile
      UserData:
        Fn::Base64: !Sub |
          #!/bin/bash -xe
          # Get the latest CloudFormation package
          yum update -y aws-cfn-bootstrap 
          # Tag root volume
          AWS_AVAIL_ZONE=$(curl http://169.254.169.254/latest/meta-data/placement/availability-zone)
          AWS_REGION="`echo \"$AWS_AVAIL_ZONE\" | sed 's/[a-z]$//'`"
          AWS_INSTANCE_ID=$(curl http://169.254.169.254/latest/meta-data/instance-id)
          ROOT_VOLUME_IDS=$(aws ec2 describe-instances --region $AWS_REGION --instance-id $AWS_INSTANCE_ID --output text --query Reservations[0].Instances[0].BlockDeviceMappings[0].Ebs.VolumeId)
          aws ec2 create-tags --resources $ROOT_VOLUME_IDS --region $AWS_REGION --tags Key=Project,Value=CheckIn Key=Name,Value=RegistratorVolume
          # Install Python 3
          yum install python3 -y
          # Download and unpack files
          mkdir -p /usr/src/registrator
          aws s3 cp s3://registrator-app-files/registrator.zip /usr/src/registrator
          cd /usr/src/registrator
          unzip ./registrator.zip
          rm -f ./registrator.zip
          # Install dependencies
          pip3 install --no-cache-dir -r requirements.txt
          # port replacement
          sed -i 's/debug=True/debug=False/g' ./app.py
          sed -i 's/port=8080/port=80/g' ./app.py
          sed -i 's/superpassword123/${AdminPassword}/g' ./app.py
          export QRZ_USER=${QRZUsername}
          export QRZ_PASSWORD=${QRZPassword}
          # Send CFN signal
          /opt/aws/bin/cfn-signal -e $? --stack ${AWS::StackId} --resource SampleWaitCondition --region ${AWS::Region}
          python3 ./app.py
      InstanceType: !Ref 'InstanceType'
      NetworkInterfaces: 
        - DeviceIndex: "0"
          AssociatePublicIpAddress: "true"
          GroupSet: 
            - !Ref InstanceSecurityGroup
          SubnetId: !Ref PublicSubnet1
      KeyName: !Ref 'KeyName'
      ImageId: !Ref 'LatestAmiId'

  SampleWaitCondition:
    CreationPolicy:
      ResourceSignal:
        Timeout: PT5M
        Count: 1
    Type: AWS::CloudFormation::WaitCondition

  DNSRecord:
    Type: AWS::Route53::RecordSet
    Properties:
      HostedZoneName: !Ref 'DNSZoneName'
      Comment: DNS name for registrator instance.
      Name: !Join ['', ['r', ., !Ref 'DNSZoneName']]
      Type: A
      TTL: '120'
      ResourceRecords:
      - !GetAtt EC2Instance.PublicIp

  InstanceSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      VpcId: !Ref VPC
      GroupDescription: Enable SSH and HTTP access
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: '22'
          ToPort: '22'
          CidrIp: !Ref 'SSHLocation'
        - IpProtocol: tcp
          FromPort: '80'
          ToPort: '80'
          CidrIp: '0.0.0.0/0'

Outputs:
  InstanceIPAddress:
    Description: IP address of the newly created EC2 instance
    Value: !GetAtt EC2Instance.PublicIp