{

"Resources": {


"AdminAPISecurityGroup": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
  "GroupDescription": "Admin API security group",
  "VpcId": {"Ref": "VPC"},

  "SecurityGroupIngress": [
    {"IpProtocol": "tcp", "FromPort": "443", "ToPort": "443", "CidrIp": "10.0.0.0/16"},
    {"IpProtocol": "tcp", "FromPort": "51607", "ToPort": "51607", "CidrIp": "10.0.0.0/16"}
  ],
  "SecurityGroupEgress": [
    {"IpProtocol": "tcp", "FromPort": "80", "ToPort": "80", "CidrIp": "0.0.0.0/0"},
    {"IpProtocol": "tcp", "FromPort": "51607", "ToPort": "51607", "CidrIp": "0.0.0.0/0"}
  ]
}},

"BackendSecurityGroup" : {
  "Type" : "AWS::EC2::SecurityGroup",
  "Properties" : {
    "GroupDescription" : "Allow the application instances to access the NAT device",
    "VpcId" : { "Ref" : "VPC" },
    "SecurityGroupIngress": [
      {"IpProtocol": "tcp", "FromPort": "22", "ToPort": "22", "CidrIp": "0.0.0.0/0"},
      {"IpProtocol": "tcp", "FromPort": "51607", "ToPort": "51607", "SourceSecurityGroupId": {"Ref": "AdminAPISecurityGroup"}},
      {"IpProtocol": "tcp", "FromPort": "80", "ToPort": "80", "SourceSecurityGroupId": {"Ref": "AdminAPISecurityGroup"}}
    ],
    "SecurityGroupEgress": [
      {"IpProtocol": "-1", "CidrIp": "0.0.0.0/0"}
    ]
  }
},

"BackendDBIngress": {
  "Type": "AWS::EC2::SecurityGroupIngress",
  "Properties": {
    "GroupId": {"Fn::GetAtt": ["DBSecurityGroup", "GroupId"]},
    "IpProtocol": "-1",
    "SourceSecurityGroupId": {"Fn::GetAtt": ["BackendSecurityGroup", "GroupId"]}
  }
},

"AdminAPILoadBalancer": {"Type": "AWS::ElasticLoadBalancing::LoadBalancer", "Properties": {
  "Subnets": [{"Ref": "PublicSubnet"}],
  "Scheme": "internal",
  "SecurityGroups": [{"Ref": "AdminAPISecurityGroup"}],

  "HealthCheck": {
    "HealthyThreshold": "3",
    "Interval": "60",
    "Target": "HTTP:80/health",
    "Timeout": "5",
    "UnhealthyThreshold": "10"
  },

  "Listeners": [
    {
      "LoadBalancerPort": "443",
      "InstancePort": "80",
      "Protocol": "SSL",
      "InstanceProtocol": "TCP",

      "SSLCertificateId": {"Fn::FindInMap": ["StackZoneRecords", "AdminAPI", "ServerCertificateARN" ]}
    },

    {
      "LoadBalancerPort": "51607",
      "InstancePort": "51607",
      "Protocol": "TCP",
      "InstanceProtocol": "TCP"
    }
  ]
}},

"AdminAPIDNSRecord": {"Type": "AWS::Route53::RecordSet", "Properties": {
  "HostedZoneId": {"Fn::FindInMap": ["StackZoneRecords", "AdminAPI", "HostedZoneId" ]},
  "Name": {"Fn::FindInMap": ["StackZoneRecords", "AdminAPI", "DNSName" ]},
  "Type": "CNAME", "TTL": "300",
  "ResourceRecords": [{"Fn::GetAtt": ["AdminAPILoadBalancer", "DNSName"]}]
}},

"BitcoinDaemonRole": {
  "Type": "AWS::IAM::Role",
  "Properties": {

    "AssumeRolePolicyDocument": {
      "Statement": [ {
        "Effect": "Allow",
          "Principal": {
            "Service": [ "ec2.amazonaws.com" ]
          },
          "Action": [ "sts:AssumeRole" ]
      } ]
    },

    "Path": "/",

    "Policies": [{
      "PolicyName": "BlockchainAccess",

      "PolicyDocument": {
        "Statement": [{
          "Effect": "Allow",
          "Action": "s3:*",
          "Resource": [
            "arn:aws:s3:::bex-blockchain-main",
            "arn:aws:s3:::bex-blockchain-main/*",
            "arn:aws:s3:::bex-blockchain-testnet3",
            "arn:aws:s3:::bex-blockchain-testnet3/*"
          ]
        }]
      }
    }]

  }
},

"BackendProfile": {
  "Type": "AWS::IAM::InstanceProfile",
  "Properties": {
    "Path": "/",
    "Roles": [{"Ref": "BitcoinDaemonRole"}]
  }
}

}

}