{ "Resources": { "AdminAPISecurityGroup": {"Type": "AWS::EC2::SecurityGroup", "Properties": { "GroupDescription": "Admin API security group", "VpcId": {"Ref": "VPC"}, "SecurityGroupIngress": [ {"IpProtocol": "tcp", "FromPort": "443", "ToPort": "443", "CidrIp": "10.0.0.0/16"}, {"IpProtocol": "tcp", "FromPort": "51607", "ToPort": "51607", "CidrIp": "10.0.0.0/16"} ], "SecurityGroupEgress": [ {"IpProtocol": "tcp", "FromPort": "80", "ToPort": "80", "CidrIp": "0.0.0.0/0"}, {"IpProtocol": "tcp", "FromPort": "51607", "ToPort": "51607", "CidrIp": "0.0.0.0/0"} ] }}, "BackendSecurityGroup" : { "Type" : "AWS::EC2::SecurityGroup", "Properties" : { "GroupDescription" : "Backend instances: TCP 80 and 51607 from AdminAPISecurityGroup; SSH (22) currently open to 0.0.0.0/0 - restrict to the bastion", "VpcId" : { "Ref" : "VPC" }, "SecurityGroupIngress": [ {"IpProtocol": "tcp", "FromPort": "22", "ToPort": "22", "CidrIp": "0.0.0.0/0"}, {"IpProtocol": "tcp", "FromPort": "51607", "ToPort": "51607", "SourceSecurityGroupId": {"Ref": "AdminAPISecurityGroup"}}, {"IpProtocol": "tcp", "FromPort": "80", "ToPort": "80", "SourceSecurityGroupId": {"Ref": "AdminAPISecurityGroup"}} ], "SecurityGroupEgress": [ {"IpProtocol": "-1", "CidrIp": "0.0.0.0/0"} ] } }, "BackendDBIngress": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { "GroupId": {"Fn::GetAtt": ["DBSecurityGroup", "GroupId"]}, "IpProtocol": "-1", "SourceSecurityGroupId": {"Fn::GetAtt": ["BackendSecurityGroup", "GroupId"]} } }, "AdminAPILoadBalancer": {"Type": "AWS::ElasticLoadBalancing::LoadBalancer", "Properties": { "Subnets": [{"Ref": "PublicSubnet"}], "Scheme": "internal", "SecurityGroups": [{"Ref": "AdminAPISecurityGroup"}], "HealthCheck": { "HealthyThreshold": "3", "Interval": "30", "Target": "HTTP:80/health", "Timeout": "5", "UnhealthyThreshold": "3" }, "Listeners": [ { "LoadBalancerPort": "443", "InstancePort": "80", "Protocol": "SSL", "InstanceProtocol": "TCP", "SSLCertificateId": {"Fn::FindInMap": ["StackZoneRecords", "AdminAPI", "ServerCertificateARN" ]} }, { "LoadBalancerPort": "51607", 
"InstancePort": "51607", "Protocol": "TCP", "InstanceProtocol": "TCP" } ] }}, "AdminAPIDNSRecord": {"Type": "AWS::Route53::RecordSet", "Properties": { "HostedZoneId": {"Fn::FindInMap": ["StackZoneRecords", "AdminAPI", "HostedZoneId" ]}, "Name": {"Fn::FindInMap": ["StackZoneRecords", "AdminAPI", "DNSName" ]}, "Type": "CNAME", "TTL": "300", "ResourceRecords": [{"Fn::GetAtt": ["AdminAPILoadBalancer", "DNSName"]}] }}, "AdminAPIScalingGroup": { "Type": "AWS::AutoScaling::AutoScalingGroup", "DependsOn": "BastionBoxReady", "UpdatePolicy": { "AutoScalingRollingUpdate": { "MinInstancesInService": "1", "MaxBatchSize": "1", "PauseTime": "PT0S" } }, "Properties": { "AvailabilityZones": [{"Fn::GetAtt": ["PrivateSubnet", "AvailabilityZone"]}], "VPCZoneIdentifier": [{"Ref": "PrivateSubnet"}], "LaunchConfigurationName": {"Ref": "BackendLaunchConfiguration"}, "MinSize": "1", "MaxSize": "2", "HealthCheckType": "ELB", "HealthCheckGracePeriod": "1600", "LoadBalancerNames": [ {"Ref": "AdminAPILoadBalancer"} ], "TerminationPolicies": ["OldestLaunchConfiguration", "OldestInstance"], "MetricsCollection": [{ "Granularity": "1Minute", "Metrics": ["GroupMinSize", "GroupMaxSize"] }] } }, "AdminAPIScalingGroupReadyWaitHandle": {"Type": "AWS::CloudFormation::WaitConditionHandle", "Properties": {}}, "AdminAPIScalingGroupReady": {"Type": "AWS::CloudFormation::WaitCondition", "Properties": { "Handle": {"Ref": "AdminAPIScalingGroupReadyWaitHandle"}, "Count": "1", "Timeout": "1200" }}, "BackendLaunchConfiguration" : { "Type" : "AWS::AutoScaling::LaunchConfiguration", "Metadata": { "AWS::CloudFormation::Init": {} }, "Properties" : { "InstanceType": "m3.medium", "ImageId": {"Ref": "InstanceAMIVar"}, "KeyName": {"Ref": "IAMKeypairNameVar"}, "SecurityGroups": [{"Ref": "BackendSecurityGroup"}], "BlockDeviceMappings": [ {"DeviceName": "/dev/xvdc", "Ebs": { "SnapshotId": {"Ref": "DockerLibrarySnapshotVar"}, "VolumeSize": "50" }}, {"DeviceName": "/dev/xvdd", "Ebs": { "VolumeSize": "300" }} ], "UserData": 
{"Fn::Base64": {"Fn::Join": ["", [ "#!/bin/bash\n", "export AWS_REGION='", {"Ref": "AWS::Region"}, "'\n", "export AWS_STACK_NAME='", {"Ref": "AWS::StackName"}, "'\n", "export AWS_INSTANCE_LOGICAL_NAME='BackendLaunchConfiguration'\n", "export AWS_INSTANCE_WAIT_HANDLE='", {"Ref": "AdminAPIScalingGroupReadyWaitHandle"}, "'\n", {"Ref": "UserDataEnvironmentVar"}, "\n", {"Ref": "CommonRoleScriptVar"}, "\n", {"Ref": "BackendRoleScriptVar"}, "\n" ]]}} } } } }