---
AWSTemplateFormatVersion: 2010-09-09
Description: Sgs and Roles
Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
    Description: VpcId of your existing Virtual Private Cloud (VPC)
  VpcSgId:
    Type: String
    Description: Default VPC Sg the deploy creates
  # CVpnSgId:
  #   Type: AWS::EC2::SecurityGroup::Id
  Environment:
    Type: String
  # OnPremPlId:
  #   Type: String
  #   Description: Id of On-Prem prefix list
Resources:
  ToolsSg:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: For video instances registered with BackendLb
      SecurityGroupIngress:
        # - IpProtocol: -1
        #   SourcePrefixListId: !Ref OnPremPlId
        #   Description: OnPremPlId
        # - IpProtocol: -1
        #   SourceSecurityGroupId: !Ref CVpnSgId
        #   Description: CVpnSgId
        # All protocols and ports from members of the default VPC security group
        - IpProtocol: -1
          SourceSecurityGroupId: !Ref VpcSgId
          Description: VpcSgId
        # Ports 80 and 443 are reachable from any IPv4 address;
        # narrow CidrIp if the tools instances are not meant to be public
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0
          Description: HTTP
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp: 0.0.0.0/0
          Description: HTTPS
      VpcId: !Ref VpcId
  # Tools Role
  ToolsRole:
    Type: AWS::IAM::Role
    Properties:
      # Trust policy: only the EC2 service may assume this role
      AssumeRolePolicyDocument:
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ec2.amazonaws.com
            Action:
              - sts:AssumeRole
      Path: "/"
      ManagedPolicyArns:
        # PowerUserAccess allows nearly every non-IAM action in the account;
        # any process on the instance inherits it through the instance profile
        - arn:aws:iam::aws:policy/PowerUserAccess
        # AmazonEC2RoleforSSM is deprecated by AWS in favor of
        # AmazonSSMManagedInstanceCore
        - arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforSSM
  ToolsInstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Path: "/"
      Roles:
        - !Ref ToolsRole
Outputs:
  #
  ToolsSgId:
    Description: Sg Id - Tools
    Value: !Ref ToolsSg
    Export:
      Name: !Sub "${AWS::StackName}-ToolsSgId"
  #
  ToolsRoleName:
    Description: Tools Role Name
    Value: !Ref ToolsRole
    Export:
      Name: !Sub "${AWS::StackName}-ToolsRoleName"
  ToolsRoleArn:
    Description: Tools Role Arn
    Value: !GetAtt ToolsRole.Arn
    Export:
      Name: !Sub "${AWS::StackName}-ToolsRoleArn"
  ToolsInstanceProfileName:
    Description: Instance Role Name for Tools Role
    Value: !Ref ToolsInstanceProfile
    Export:
      Name: !Sub "${AWS::StackName}-ToolsInstanceProfileName"
  ToolsInstanceProfileArn:
    Description: Instance Role Arn for Tools Role
    Value: !GetAtt ToolsInstanceProfile.Arn
    Export:
      Name: !Sub "${AWS::StackName}-ToolsInstanceProfileArn"
...