master.yaml

AWSTemplateFormatVersion: '2010-09-09'

Description: Deploys Stellar Core and Horizon on a single EC2 server using ECS. RDS is used for Postgres and EFS for data

Metadata:
  AWS::CloudFormation::Interface:
    ParameterGroups:
      - Label:
          default: "Stellar"
        Parameters: [StellarCoreVersion, HorizonVersion]
      - Label:
          default: "Instance"
        Parameters: [InstanceType, InstanceKeyPair]
      - Label:
          default: "Access"
        Parameters: [SshIpRange, HorizonIpRange, HorizonPort]
      - Label:
          default: "Database"
        Parameters: [PostgresVersion, DbInstanceType, DbStorage]

    ParameterLabels:
      StellarCoreVersion:
        default: "Stellar Core Version"
      HorizonVersion:
        default: "Horizon Version"
      PostgresVersion:
        default: "PostgreSQL Version"
      InstanceType:
        default: "Instance Type"
      InstanceKeyPair:
        default: "Key Pair"
      SshIpRange:
        default: "IP Range for SSH Access"
      HorizonIpRange:
        default: "IP Range for Horizon Access"
      HorizonPort:
        default: "Horizon Port"
      DbInstanceType:
        default: "Instance Type"
      DbStorage:
        default: "Storage"

Parameters:
  StellarCoreVersion:
    Description: Tag/Version of the docker image to be deployed
    Type: String
    Default: '9.2.0-551-7561c1d5'
    AllowedValues: [latest, 9.2.0-551-7561c1d5]

  HorizonVersion:
    Description: Tag/Version of the docker image to be deployed
    Type: String
    Default: '0.12.3'
    AllowedValues: [latest, 0.12.2, 0.12.3]

  PostgresVersion:
    Type: String
    Default: 9.6.8
    AllowedValues:
      - 9.6.8
      - 9.6.6
      - 10.3

  InstanceType:
    Type: String
    Default: t2.micro
    AllowedValues: [t2.nano, t2.micro, t2.small, t2.medium, t2.large, m4.large, m5.large, c4.large, c5.large]
    ConstraintDescription: Please choose a valid instance type.

  InstanceKeyPair:
    Description: EC2 key pair used to SSH into the instance
    Type: AWS::EC2::KeyPair::KeyName
    MinLength: 1 # Force check for value before deployment

  SshIpRange:
    Description: IP range (CIDR notation) that will be allowed to SSH into the instance. Use https://www.google.com/search?q=ip to find you IP and enter it as x.x.x.x/32.
    Type: String
    AllowedPattern: "^([0-9]+\\.){3}[0-9]+/[0-9]{1,2}$"
    ConstraintDescription: "Must be a valid IP CIDR range of the form x.x.x.x/x."
    MinLength: 9
    Default: 123.456.789.0/32

  HorizonIpRange:
    Description: IP range (CIDR notation) that will be allowed to access the Horizon. Leave blank to block all external access
    Type: String
    AllowedPattern: "^(([0-9]+\\.){3}[0-9]+/[0-9]{1,2})*$"
    ConstraintDescription: "Must be a valid IP CIDR range of the form x.x.x.x/x."

  HorizonPort:
    Description: EC2 Instance port for Horizon (access may still be restricted by IP)
    Type: Number
    Default: 8000

  DbInstanceType:
    Default: db.t2.micro
    Type: String
    ConstraintDescription: DB instance type not supported
    AllowedValues:
      - db.t2.micro
      - db.t2.small
      - db.t2.medium
      - db.t2.large
      - db.t2.xlarge
      - db.m4.large
      - db.m4.xlarge
      - db.r4.large
      - db.r4.xlarge

  DbStorage:
    Type: Number
    Description: Database storage size in gigabytes (GB)
    MinValue: 20
    ConstraintDescription: Enter a size of at least 20 GB
    Default: 20


Conditions:
  AllowHorizonAccess: !Not [!Equals [ !Ref HorizonIpRange, '' ]]

Mappings:
  # Latest ECS optimized AMIs as of Apr 02 2018:
  # amzn-ami-2017.09.k-amazon-ecs-optimized. ECS agent: 1.17.2, Docker: 17.12.0-ce, ecs-init: 1.17.2-1
  # You can find the latest available images here: http://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-optimized_AMI.html
  AwsRegionMap:
    ap-northeast-1:
      AMI: ami-5add893c
    ap-northeast-2:
      AMI: ami-ba74d8d4
    ap-south-1:
      AMI: ami-2149114e
    ap-southeast-1:
      AMI: ami-acbcefd0
    ap-southeast-2:
      AMI: ami-4cc5072e
    ca-central-1:
      AMI: ami-a535b2c1
    eu-central-1:
      AMI: ami-ac055447
    eu-west-1:
      AMI: ami-bfb5fec6
    eu-west-2:
      AMI: ami-a48d6bc3
    eu-west-3:
      AMI: ami-914afcec
    sa-east-1:
      AMI: ami-d3bce9bf
    us-east-1:
      AMI: ami-cb17d8b6
    us-east-2:
      AMI: ami-1b90a67e
    us-west-1:
      AMI: ami-9cbbaffc
    us-west-2:
      AMI: ami-05b5277d

  StellarConfigMap:
    All:
      BucketDir: '/data/core/buckets'
      CatchupRecent: '8640'
      LogFilePath: ''
    Test:
      NetworkPassphrase: 'Test SDF Network ; September 2015'
      KnownPeers: 'core-testnet1.stellar.org,core-testnet2.stellar.org,core-testnet3.stellar.org'
      UnsafeQuorum: 'true'
      FailureSafety: '1'
      Commands: 'll?level=error&partition=Overlay' # Reduce chatty logging about connectionsS
      History: |
        {
          "h1": { "get": "curl -sf https://s3-eu-west-1.amazonaws.com/history.stellar.org/prd/core-testnet/core_testnet_001/{0} -o {1}" },
          "h2": { "get": "curl -sf https://s3-eu-west-1.amazonaws.com/history.stellar.org/prd/core-testnet/core_testnet_002/{0} -o {1}" },
          "h3": { "get": "curl -sf https://s3-eu-west-1.amazonaws.com/history.stellar.org/prd/core-testnet/core_testnet_003/{0} -o {1}" }
        }
      QuorumSet: |
        [{
          "threshold_percent": 51,
          "validators": ["GDKXE2OZMJIPOSLNA6N6F2BVCI3O777I2OOC4BV7VOYUEHYX7RTRYA7Y  sdf1",
                         "GCUCJTIYXSOXKBSNFGNFWW5MUQ54HKRPGJUTQFJ5RQXZXNOLNXYDHRAP  sdf2",
                         "GC2V2EFSXN6SQTWVYA5EPJPBWWIMSD2XQNKUOHGEKB535AQE2I6IXV2Z  sdf3"]
        }]

  HorizonConfigMap:
      Test:
        NetworkPassphrase: 'Test SDF Network ; September 2015'
        LogLevel: 'info'
        Ingest: 'true'
        PerHourRateLimit: '72000'

  CustomParamsMap:
    Get:
      DbSuperUser: 'postgres'
      DbAppUser: 'stellar'
      DbPort: 5432
      DbCoreSchemaName: 'core'
      DbHorizonSchemaName: 'horizon'
      StellarHttpPort: 11626
      StellarPeerPort: 11625
      RdsDbEngine: 'postgres'
      EfsPort: 2049
      EfsInstanceMountPoint: '/mnt/efs'
      ContainerDataDirectory: '/data'

  # These are all soft limits so they are not enforced or representative of per container usage
  # These memory limits are effectively just being used to reserve the full capacity of the EC2 instance for the service
  # A specific amount is reserved by each instance type for system usage. The full advertised amount is not available.
  # You have to log into and instance and run "free -m" to determine what is available to that instance type.
  # https://docs.aws.amazon.com/AmazonECS/latest/developerguide/memory-management.html
  MemoryReservationMap:
    t2.nano:
      core: 240
      horizon: 240
    t2.micro:
      core: 495
      horizon: 495
    t2.small:
      core: 998
      horizon: 998
    t2.medium:
      core: 1973
      horizon: 1973
    t2.large:
      core: 3990
      horizon: 3990
    m4.large:
      core: 3990
      horizon: 3990
    m5.large:
      core: 3842
      horizon: 3842
    c4.large:
      core: 1880
      horizon: 1880
    c5.large:
      core: 1854
      horizon: 1854


Resources:
  # Network
  Vpc:
    Type: AWS::EC2::VPC
    Properties:
      EnableDnsSupport: true
      EnableDnsHostnames: true
      CidrBlock: '10.200.0.0/16'
      Tags:
        - Key: Name
          Value: !Ref 'AWS::StackName'

  PrivateSubnet1:
    Type: AWS::EC2::Subnet
    Properties:
      AvailabilityZone: !Select [ 0, !GetAZs '' ]
      VpcId: !Ref 'Vpc'
      CidrBlock: '10.200.0.0/24'
      MapPublicIpOnLaunch: false
      Tags:
        - Key: Name
          Value: !Sub '${AWS::StackName} Private Subnet 1'

  PrivateSubnet2:
    Type: AWS::EC2::Subnet
    Properties:
      AvailabilityZone: !Select [ 1, !GetAZs '' ]
      VpcId: !Ref 'Vpc'
      CidrBlock: '10.200.1.0/24'
      MapPublicIpOnLaunch: false
      Tags:
        - Key: Name
          Value: !Sub '${AWS::StackName} Private Subnet 2'

  PrivateRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref 'Vpc'
      Tags:
        - Key: Name
          Value: !Sub '${AWS::StackName} Private Routes'

  PrivateRouteTableAssociation1:
      Type: AWS::EC2::SubnetRouteTableAssociation
      Properties:
        RouteTableId: !Ref PrivateRouteTable
        SubnetId: !Ref PrivateSubnet1

  PrivateRouteTableAssociation2:
      Type: AWS::EC2::SubnetRouteTableAssociation
      Properties:
        RouteTableId: !Ref PrivateRouteTable
        SubnetId: !Ref PrivateSubnet2

  PublicSubnet:
    Type: AWS::EC2::Subnet
    Properties:
      AvailabilityZone: !Select [ 0, !GetAZs '' ]
      VpcId: !Ref 'Vpc'
      CidrBlock: '10.200.10.0/24'
      MapPublicIpOnLaunch: true
      Tags:
        - Key: Name
          Value: !Sub '${AWS::StackName} Public Subnet'

  InternetGateway:
    Type: AWS::EC2::InternetGateway
    Properties:
      Tags:
        - Key: Name
          Value: !Ref 'AWS::StackName'

  GatewayAttachement:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      VpcId: !Ref 'Vpc'
      InternetGatewayId: !Ref 'InternetGateway'

  PublicRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref 'Vpc'
      Tags:
        - Key: Name
          Value: !Sub '${AWS::StackName} Public Routes'

  PublicRoute:
    Type: AWS::EC2::Route
    DependsOn: GatewayAttachement
    Properties:
      RouteTableId: !Ref 'PublicRouteTable'
      DestinationCidrBlock: '0.0.0.0/0'
      GatewayId: !Ref 'InternetGateway'

  PublicSubnetRouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref PublicSubnet
      RouteTableId: !Ref PublicRouteTable

  # ECS Resources
  EcsCluster:
    Type: AWS::ECS::Cluster

  EcsHostSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupName: !Ref AWS::StackName
      GroupDescription: Access to the ECS hosts that run containers
      VpcId: !Ref 'Vpc'
      SecurityGroupIngress:
        - CidrIp: !Ref SshIpRange
          Description: Allow SSH access via a specific IP Range
          IpProtocol: 'tcp'
          FromPort: 22
          ToPort: 22
      Tags:
        - Key: Name
          Value: !Sub '${AWS::StackName}-instances'

  # Specify this here instead of above so that we can use the "Condition" key
  EcsSecurityGroupIngressHorizon:
    Type: AWS::EC2::SecurityGroupIngress
    Condition: AllowHorizonAccess
    Properties:
      GroupId: !Ref 'EcsHostSecurityGroup'
      Description: Allow Horizon access via a specific IP Range
      CidrIp: !Ref HorizonIpRange
      IpProtocol: 'tcp'
      FromPort: !Ref 'HorizonPort'
      ToPort: !Ref 'HorizonPort'

  EcsSecurityGroupIngressFromSelf:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref 'EcsHostSecurityGroup'
      Description: Ingress from other hosts in the same security group
      IpProtocol: -1
      SourceSecurityGroupId: !Ref 'EcsHostSecurityGroup'

  # This launches the actual EC2 instance that will register as a member of the cluster and run the containers.
  EcsAutoScalingGroup:
    Type: AWS::AutoScaling::AutoScalingGroup
    DependsOn:
      - EfsMountTarget1
      - EfsMountTarget2
    Properties:
      VPCZoneIdentifier:
        - !Ref PublicSubnet
      LaunchConfigurationName: !Ref 'EcsLaunchConfiguration'
      MinSize: 1
      MaxSize: 2 # Allows capacity for AutoScalingReplacingUpdate
      DesiredCapacity: 1
      MetricsCollection:
        - Granularity: '1Minute'
      Tags:
        - Key: Name
          Value: !Ref 'AWS::StackName'
          PropagateAtLaunch: 'true'
    CreationPolicy:
      ResourceSignal:
        Timeout: PT10M
    UpdatePolicy:
      AutoScalingReplacingUpdate:
        WillReplace: 'true'

  EcsInstanceElasticIP:
    Type: AWS::EC2::EIP
    DependsOn: GatewayAttachement # Associating the IP with the vpc requires that we add this dependency explicitly
    Properties:
      Domain: vpc

  EcsLaunchConfiguration:
    Type: AWS::AutoScaling::LaunchConfiguration
    Properties:
      ImageId: !FindInMap [AwsRegionMap, !Ref 'AWS::Region', AMI]
      SecurityGroups: [!Ref 'EcsHostSecurityGroup']
      InstanceType: !Ref 'InstanceType'
      IamInstanceProfile: !Ref 'Ec2InstanceProfile'
      InstanceMonitoring: false # Disable detailed monitoring at the instance level to avoid additional charges. ECS provides detailed CPU data
      KeyName: !Ref 'InstanceKeyPair'
      AssociatePublicIpAddress: 'true' # Will be replaced by elastic IP, but we need a public ip at the start to install packages
      UserData:
        Fn::Base64: !Sub
          - |
            Content-Type: multipart/mixed; boundary="==BOUNDARY=="
            MIME-Version: 1.0

            --==BOUNDARY==
            Content-Type: text/cloud-boothook; charset="us-ascii"

            ##### INSTALL TOOLS
            cloud-init-per once install_packages yum install -y aws-cli amazon-efs-utils aws-cfn-bootstrap awslogs jq
            cloud-init-per once install_postgres yum install -y postgresql96 # separate line to make it obvious when diffing other templates

            ##### MOUNT EFS FILESYSTEM
            # Mount EFS using amazon-efs-utils and save exit code to be used later by cfn-signal
            # Mounting is done in cloud-boothook to make sure it is done before docker/ecs starts
            cloud-init-per once mkdir_efs mkdir -p ${efsInstanceMountPoint}
            mount -t efs ${EfsFileSystem} ${efsInstanceMountPoint}
            echo -n $? > /var/log/efs-mount-exit-code.log

            --==BOUNDARY==
            Content-Type: text/x-shellscript; charset="us-ascii"
            #!/bin/bash

            ##### INSTALL SECURITY UPDATES
            # Do this here rather in cloud-boothook so we can see it easier in the logs on cloudwatch
            yum update -y --security

            ##### ASSIGN ELASTIC IP
            # Get the instance id from instance metadata and assign the elastic ip to this instance
            instance_id=$(curl http://169.254.169.254/latest/meta-data/instance-id)
            aws ec2 associate-address --instance-id $instance_id --allocation-id ${EcsInstanceElasticIP.AllocationId} --region ${AWS::Region}

            ##### SETUP INSTANCE LOGS
            # Set the region to send CloudWatch Logs data to the region where the container instance is located
            sed -i -e "s/region = us-east-1/region = ${AWS::Region}/g" /etc/awslogs/awscli.conf

            # Inject the CloudWatch Logs configuration file contents
            cat > /etc/awslogs/awslogs.conf <<- EOF
            [general]
            state_file = /var/lib/awslogs/agent-state

            [/var/log/messages]
            file = /var/log/messages
            log_group_name = ${instancesLogGroup}
            log_stream_name = {container_instance_id}/var/log/messages
            datetime_format = %b %d %H:%M:%S

            [/var/log/cfn-init.log]
            file = /var/log/cfn-init.log
            log_group_name = ${instancesLogGroup}
            log_stream_name = {container_instance_id}/var/log/cfn-init.log
            datetime_format = %Y-%m-%dT%H:%M:%SZ

            [/var/log/cloud-init-output.log]
            file = /var/log/cloud-init-output.log
            log_group_name = ${instancesLogGroup}
            log_stream_name = {container_instance_id}/var/log/cloud-init-output.log
            datetime_format = %Y-%m-%dT%H:%M:%SZ

            [/var/log/amazon/efs/mount.log]
            file = /var/log/amazon/efs/mount.log
            log_group_name = ${instancesLogGroup}
            log_stream_name = {container_instance_id}/var/log/amazon/efs/mount.log
            datetime_format = %Y-%m-%dT%H:%M:%SZ
            EOF

            # Get the instance id from instance metadata and replace the container instance ID placeholders with the actual values
            container_instance_id=$(curl http://169.254.169.254/latest/meta-data/instance-id)
            sed -i -e "s/{container_instance_id}/$container_instance_id/g" /etc/awslogs/awslogs.conf

            # Start/Enable awslogs service
            service awslogs start
            chkconfig awslogs on

            ##### ECS CLUSTER CONFIG
            # Update the cluster config with the cluster name
            echo ECS_CLUSTER=${EcsCluster} >> /etc/ecs/ecs.config

            ##### DB INIT
            # Wait for postgres. Note pg_isready works without user/pass but including them avoids login errors in the server logs
            export PGPASSWORD=${DbSuperUserPassword.Password}
            while ! pg_isready -h "${Database.Endpoint.Address}"  -U "${dbSuperUser}" -p "${dbPort}" --quiet ; do
              echo "Waiting for postgres to be available..."
              sleep 5
            done

            # Check if stellar user and schemas have already been created. If not, create them.
            export PGPASSWORD=${DbAppPassword.Password}
            if psql -h "${Database.Endpoint.Address}" -U "${dbAppUser}" -p "${dbPort}" -c 'select 1' "${dbCoreSchema}" && \
               psql -h "${Database.Endpoint.Address}" -U "${dbAppUser}" -p "${dbPort}" -c 'select 1' "${dbHorizonSchema}"
            then
              echo "User/Schema already exists"
            else
              echo "User/Schema does not exist. Creating."
              export PGPASSWORD=${DbSuperUserPassword.Password}
              psql -h "${Database.Endpoint.Address}" -U "${dbSuperUser}" -p "${dbPort}" -v ON_ERROR_STOP=1 <<-EOSQL
                CREATE USER ${dbAppUser} WITH PASSWORD '${DbAppPassword.Password}';
                CREATE DATABASE ${dbCoreSchema};
                CREATE DATABASE ${dbHorizonSchema};
                GRANT ALL PRIVILEGES ON DATABASE ${dbCoreSchema} TO ${dbAppUser};
                GRANT ALL PRIVILEGES ON DATABASE ${dbHorizonSchema} TO ${dbAppUser};
            EOSQL
              # Note. The lack of indentation above is required to properly close the heredoc
            fi

            ##### SIGNAL ASG
            # Send a signal to the AutoScalingGroup with the return value of the EFS mount command to let it know creation completed
            efs_exit_code=$(cat /var/log/efs-mount-exit-code.log)
            /opt/aws/bin/cfn-signal -e $efs_exit_code --stack ${AWS::StackName} --resource EcsAutoScalingGroup --region ${AWS::Region}

          # The variables are substituted above in addition to other template resources and attributes like ${EcsCluster}
          - dbSuperUser: !FindInMap [CustomParamsMap, Get, DbSuperUser]
            dbAppUser: !FindInMap [CustomParamsMap, Get, DbAppUser]
            dbPort: !FindInMap [CustomParamsMap, Get, DbPort]
            dbCoreSchema: !FindInMap [CustomParamsMap, Get, DbCoreSchemaName]
            dbHorizonSchema: !FindInMap [CustomParamsMap, Get, DbHorizonSchemaName]
            efsInstanceMountPoint: !FindInMap [CustomParamsMap, Get, EfsInstanceMountPoint]
            instancesLogGroup: !Sub '/stellar/${AWS::StackName}-instances' # hardcoded in outputs also

  Ec2InstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Path: /
      Roles: [!Ref 'Ec2Role']

  # Role for the EC2 hosts. This allows the ECS agent on the EC2 hosts to communicate with the ECS control plane.
  Ec2Role:
    Type: AWS::IAM::Role
    Properties:
      Path: /
      ManagedPolicyArns: ['arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role']
      Policies: # Additional permissions beyond AmazonEC2ContainerServiceforEC2Role used for instance logging
        - PolicyName: 'AllowInstanceLogs'
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action: [ 'logs:CreateLogGroup', 'logs:DescribeLogStreams' ]
                Resource: 'arn:aws:logs:*:*:*'
        - PolicyName: 'AssociateElasticIP'
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action: [ 'ec2:AllocateAddress', 'ec2:AssociateAddress', 'ec2:DescribeAddresses', 'ec2:DisassociateAddress' ]
                Resource: '*'
      AssumeRolePolicyDocument:
        Statement:
        - Effect: Allow
          Principal:
            Service: ['ec2.amazonaws.com']
          Action: ['sts:AssumeRole']

  # EFS
  EfsSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: EFS Security Groups
      VpcId: !Ref 'Vpc'
      SecurityGroupIngress:
        - SourceSecurityGroupId: !Ref EcsHostSecurityGroup
          Description: Allows ECS hosts to access the EFS
          IpProtocol: 'tcp'
          FromPort: !FindInMap [CustomParamsMap, Get, EfsPort]
          ToPort: !FindInMap [CustomParamsMap, Get, EfsPort]
      Tags:
        - Key: Name
          Value: !Sub ${AWS::StackName}-efs

  EfsFileSystem:
    Type: AWS::EFS::FileSystem
    Properties:
      Encrypted: false
      PerformanceMode: generalPurpose
      FileSystemTags:
        - Key: Name
          Value: !Sub ${AWS::StackName}-efs

  EfsMountTarget1:
    Type: AWS::EFS::MountTarget
    Properties:
      FileSystemId: !Ref EfsFileSystem
      SecurityGroups:
        - !Ref EfsSecurityGroup
      SubnetId: !Ref PrivateSubnet1

  EfsMountTarget2:
    Type: AWS::EFS::MountTarget
    Properties:
      FileSystemId: !Ref EfsFileSystem
      SecurityGroups:
        - !Ref EfsSecurityGroup
      SubnetId: !Ref PrivateSubnet2

  # DATABASE
  DatabaseSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Access to the RDS DB
      VpcId: !Ref Vpc
      SecurityGroupIngress:
        - SourceSecurityGroupId: !Ref EcsHostSecurityGroup
          Description: Allow Postgress access from ECS hosts
          IpProtocol: 'tcp'
          FromPort: !FindInMap [CustomParamsMap, Get, DbPort]
          ToPort: !FindInMap [CustomParamsMap, Get, DbPort]
      Tags:
        - Key: Name
          Value: !Sub '${AWS::StackName}-db'

  DatabaseSubnetGroup:
    Type: AWS::RDS::DBSubnetGroup
    Properties:
      DBSubnetGroupDescription: Database subnet group
      SubnetIds:
        - !Ref PrivateSubnet1
        - !Ref PrivateSubnet2
      Tags:
      - Key: Name
        Value: !Ref 'AWS::StackName'

  Database:
    Type: AWS::RDS::DBInstance
    Properties:
      DBSubnetGroupName: !Ref DatabaseSubnetGroup
      VPCSecurityGroups:
        - !Ref DatabaseSecurityGroup
      Engine: !FindInMap [CustomParamsMap, Get, RdsDbEngine]
      EngineVersion: !Ref PostgresVersion
      MasterUsername: !FindInMap [CustomParamsMap, Get, DbSuperUser] # Hardcoded to make sure users never accidentally wipe out their db by changing it
      MasterUserPassword: !GetAtt DbSuperUserPassword.Password
      DBInstanceClass: !Ref DbInstanceType
      AllocatedStorage: !Ref DbStorage
      StorageType: gp2
      MultiAZ: false
      AvailabilityZone: !GetAtt PublicSubnet.AvailabilityZone # Ensure that the DB is in the same AZ as the instance to avoid inter-AZ charges
      CopyTagsToSnapshot: true
      Tags:
      - Key: Name
        Value: !Ref 'AWS::StackName'

  EcsService:
    Type: AWS::ECS::Service
    DependsOn: Database
    Properties:
      Cluster: !Ref EcsCluster
      DesiredCount: 1
      DeploymentConfiguration:
        MaximumPercent: 100 # Shutdown the old task before starting the new one, don't want the writing to efs/db simultaneously
        MinimumHealthyPercent: 0
      TaskDefinition: !Ref EcsTaskDefinition

  EcsTaskDefinition:
    Type: AWS::ECS::TaskDefinition
    Properties:
      Family: !Ref 'AWS::StackName'
      NetworkMode: host
      Volumes:
        - Name: efs-volume
          Host:
            SourcePath: !FindInMap [CustomParamsMap, Get, EfsInstanceMountPoint]
      ContainerDefinitions:
        - Name: 'core'
          Essential: true
          Image: !Sub 'starformlabs/stellar-core:${StellarCoreVersion}'
          MemoryReservation: !FindInMap [MemoryReservationMap, !Ref 'InstanceType', core]
          MountPoints:
            - SourceVolume: efs-volume
              ContainerPath: !FindInMap [CustomParamsMap, Get, ContainerDataDirectory]
          PortMappings:
            - ContainerPort: !FindInMap [CustomParamsMap, Get, StellarPeerPort]
          Environment:
            # Used by entry.sh
            - Name: DB_USER
              Value: !FindInMap [CustomParamsMap, Get, DbAppUser]
            - Name: DB_PASS
              Value: !GetAtt DbAppPassword.Password
            - Name: DB_NAME
              Value: !FindInMap [CustomParamsMap, Get, DbCoreSchemaName]
            - Name: DB_HOST
              Value: !GetAtt Database.Endpoint.Address
            - Name: DB_PORT
              Value: !FindInMap [CustomParamsMap, Get, DbPort]
            - Name: DATA_DIR
              Value: !FindInMap [CustomParamsMap, Get, ContainerDataDirectory]

            # Used by Stellar Core
            - Name: DATABASE
              Value:
                Fn::Sub:
                  - 'postgresql://dbname=${db} host=${host} port=${port} user=${user} password=${pass}'
                  - db: !FindInMap [CustomParamsMap, Get, DbCoreSchemaName]
                    host: !GetAtt Database.Endpoint.Address
                    port: !FindInMap [CustomParamsMap, Get, DbPort]
                    user: !FindInMap [CustomParamsMap, Get, DbAppUser]
                    pass: !GetAtt DbAppPassword.Password
            - Name: NETWORK_PASSPHRASE
              Value: !FindInMap [StellarConfigMap, Test, NetworkPassphrase]
            - Name: KNOWN_PEERS
              Value: !FindInMap [StellarConfigMap, Test, KnownPeers]
            - Name: BUCKET_DIR_PATH
              Value: !FindInMap [StellarConfigMap, All, BucketDir]
            - Name: UNSAFE_QUORUM
              Value: !FindInMap [StellarConfigMap, Test, UnsafeQuorum]
            - Name: FAILURE_SAFETY
              Value: !FindInMap [StellarConfigMap, Test, FailureSafety]
            - Name: CATCHUP_RECENT
              Value: !FindInMap [StellarConfigMap, All, CatchupRecent]
            - Name: LOG_FILE_PATH
              Value: !FindInMap [StellarConfigMap, All, LogFilePath]
            - Name: QUORUM_SET
              Value: !FindInMap [StellarConfigMap, Test, QuorumSet]
            - Name: HISTORY
              Value: !FindInMap [StellarConfigMap, Test, History]
            - Name: COMMANDS
              Value: !FindInMap [StellarConfigMap, Test, Commands]
          LogConfiguration:
            LogDriver: awslogs
            Options:
              awslogs-group: !Ref 'ContainersLogGroup'
              awslogs-region: !Ref 'AWS::Region'
              awslogs-stream-prefix: !Ref 'AWS::StackName'

        - Name: 'horizon'
          Essential: true
          Image: !Sub 'starformlabs/stellar-horizon:${HorizonVersion}'
          MemoryReservation: !FindInMap [MemoryReservationMap, !Ref 'InstanceType', horizon]
          MountPoints:
            - SourceVolume: efs-volume
              ContainerPath: !FindInMap [CustomParamsMap, Get, ContainerDataDirectory]
          PortMappings:
            - ContainerPort: !Ref HorizonPort
          Environment:
            # Used by entry.sh
            - Name: DB_USER
              Value: !FindInMap [CustomParamsMap, Get, DbAppUser]
            - Name: DB_PASS
              Value: !GetAtt DbAppPassword.Password
            - Name: DB_NAME
              Value: !FindInMap [CustomParamsMap, Get, DbHorizonSchemaName]
            - Name: DB_HOST
              Value: !GetAtt Database.Endpoint.Address
            - Name: DB_PORT
              Value: !FindInMap [CustomParamsMap, Get, DbPort]
            - Name: DATA_DIR
              Value: !FindInMap [CustomParamsMap, Get, ContainerDataDirectory]

            # Used by Horizon directly
            - Name: PORT # Horizon Port
              Value: !Ref HorizonPort
            - Name: DATABASE_URL
              Value:
                Fn::Sub:
                  - 'postgres://${user}:${pass}@${host}:${port}/${db}?sslmode=disable'
                  - db: !FindInMap [CustomParamsMap, Get, DbHorizonSchemaName]
                    user: !FindInMap [CustomParamsMap, Get, DbAppUser]
                    pass: !GetAtt DbAppPassword.Password
                    host: !GetAtt Database.Endpoint.Address
                    port: !FindInMap [CustomParamsMap, Get, DbPort]
            - Name: STELLAR_CORE_DATABASE_URL
              Value:
                Fn::Sub:
                  - 'postgres://${user}:${pass}@${host}:${port}/${db}?sslmode=disable'
                  - db: !FindInMap [CustomParamsMap, Get, DbCoreSchemaName]
                    user: !FindInMap [CustomParamsMap, Get, DbAppUser]
                    pass: !GetAtt DbAppPassword.Password
                    host: !GetAtt Database.Endpoint.Address
                    port: !FindInMap [CustomParamsMap, Get, DbPort]
            - Name: STELLAR_CORE_URL
              Value:
                Fn::Sub:
                  - 'http://${host}:${port}'
                  - host: 'localhost' # we are using host based networking so containers can access each other on localhost
                    port: !FindInMap [CustomParamsMap, Get, StellarHttpPort]
            - Name: LOG_LEVEL
              Value: !FindInMap [HorizonConfigMap, Test, LogLevel]
            - Name: INGEST
              Value: !FindInMap [HorizonConfigMap, Test, Ingest]
            - Name: PER_HOUR_RATE_LIMIT
              Value: !FindInMap [HorizonConfigMap, Test, PerHourRateLimit]
            - Name: NETWORK_PASSPHRASE
              Value: !FindInMap [HorizonConfigMap, Test, NetworkPassphrase]
          LogConfiguration:
            LogDriver: awslogs
            Options:
              awslogs-group: !Ref 'ContainersLogGroup'
              awslogs-region: !Ref 'AWS::Region'
              awslogs-stream-prefix: !Ref 'AWS::StackName'

  DbSuperUserPassword:
    Type: 'AWS::CloudFormation::CustomResource'
    Properties:
      ServiceToken: !GetAtt PasswordGeneratorLambda.Arn
      ParameterNamePrefix: !Sub '/${AWS::StackName}/database/master-password'

  DbAppPassword:
    Type: 'AWS::CloudFormation::CustomResource'
    Properties:
      ServiceToken: !GetAtt PasswordGeneratorLambda.Arn
      ParameterNamePrefix: !Sub '/${AWS::StackName}/database/app-password'

  PasswordGeneratorLambda:
    Type: 'AWS::Lambda::Function'
    Properties:
      Description: 'Generates random password'
      Handler: 'index.handler'
      Role: !GetAtt PasswordGeneratorRole.Arn
      Code:
        ZipFile: |
          const response = require('cfn-response');
          const AWS = require('aws-sdk');
          const ssm = new AWS.SSM();

          exports.handler = (event, context) => {
            if (event.RequestType == 'Delete') {
              // Remove param when CloudFormation deletes the resource. The param name is the PhysicalResourceId
              ssm.deleteParameter({ Name: event.PhysicalResourceId }).promise()
                .then((data) => {
                  return response.send(event, context, response.SUCCESS, data);
              }).catch((err)=> {
                  return response.send(event, context, response.FAILED, err);
              });
            }
            else{ // Create or Update. Update (only happens when param name changes) will return a new physical id which will cause CF to delete the old one
              let responseData;

              new BackportedSecretsManager().getRandomPassword({ PasswordLength: 45, ExcludePunctuation: true }).promise()
                .then((data) => {
                  const password = data.RandomPassword.substring(0, 32); // We only really wanted 32 chars for the password
                  const randomString = data.RandomPassword.substring(32); // Last 13 used to add randomness to the SSM param name to avoid deletion on replacement
                  const paramName = event.ResourceProperties.ParameterNamePrefix + '-' + randomString;

                  responseData = {
                    ParameterName: paramName,
                    EncodedParameterName: encodeURIComponent(encodeURIComponent(paramName)), // Double encoded to work with AWS console
                    Password: password
                  }

                  const params = {
                    Name: paramName,
                    Type: 'SecureString',
                    Value: password,
                    Overwrite: true
                  };
                  return ssm.putParameter(params).promise();
              }).then(() => {
                  return response.send(event, context, response.SUCCESS, responseData, responseData.ParameterName); // Use param name as PhysicalResourceId
              }).catch((err)=> {
                  return response.send(event, context, response.FAILED, err);
              });
            }
          };

          // The Nodejs SDK currently available to Lambda doesn't yet support the Secrets Manager API
          // This is the code from latest sdk required to support a minimal version of getRandomPassword() only

          const BackportedSecretsManager = AWS.Service.defineService('secretsmanager', ['2017-10-17']);
          AWS.apiLoader.services['secretsmanager'] = {};
          Object.defineProperty(AWS.apiLoader.services['secretsmanager'], '2017-10-17', {
            get: function get() { return secretsmanagerModel; }, enumerable: true, configurable: true
          });

          const secretsmanagerModel = {
            version: '2.0',
            metadata: {
              apiVersion: '2017-10-17',
              endpointPrefix: 'secretsmanager',
              jsonVersion: '1.1',
              protocol: 'json',
              serviceFullName: 'AWS Secrets Manager',
              serviceId: 'Secrets Manager',
              signatureVersion: 'v4',
              signingName: 'secretsmanager',
              targetPrefix: 'secretsmanager',
              uid: 'secretsmanager-2017-10-17'
            },
            operations: {
              GetRandomPassword: {
                input: { type: 'structure', members: { PasswordLength: { type: 'long' }, ExcludePunctuation: { type: 'boolean' } } },
                output: { type: 'structure', members: { RandomPassword: {} } }
              }
            }
          };
      Runtime: 'nodejs6.10'
      Timeout: '30'

  PasswordGeneratorRole:
    Type: 'AWS::IAM::Role'
    Properties:
      Path: '/'
      ManagedPolicyArns: ['arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole']
      Policies:
        - PolicyName: 'GeneratePassword'
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action: 'secretsmanager:GetRandomPassword'
                Resource: '*'
        - PolicyName: 'CreateSsmParams'
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action: ['ssm:PutParameter', 'ssm:DeleteParameter', 'kms:Encrypt']
                Resource: "*"
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: 'lambda.amazonaws.com'
            Action: 'sts:AssumeRole'

  ContainersLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      LogGroupName: !Sub '/stellar/${AWS::StackName}-containers'
      RetentionInDays: 7

Outputs:
  SshUrl:
    Value: !Sub 'ssh://ec2-user@${EcsInstanceElasticIP}'
  HorizonUrl:
    Condition: AllowHorizonAccess
    Value: !Sub 'http://${EcsInstanceElasticIP}:${HorizonPort}'
  Database:
    Value: !Sub 'https://console.aws.amazon.com/rds/home?region=${AWS::Region}#dbinstance:id=${Database}'
  ContainersLogGroup:
    Value: !Sub 'https://console.aws.amazon.com/cloudwatch/home?region=${AWS::Region}#logStream:group=${ContainersLogGroup}'
  InstancesLogGroup:
    Value: !Sub 'https://console.aws.amazon.com/cloudwatch/home?region=${AWS::Region}#logStream:group=/stellar/${AWS::StackName}-instances'
  AutoScalingGroup:
    Value: !Sub 'https://console.aws.amazon.com/ec2/autoscaling/home?region=${AWS::Region}#AutoScalingGroups:id=${EcsAutoScalingGroup};view=instances'
  ECS:
    Value: !Sub 'https://console.aws.amazon.com/ecs/home?region=${AWS::Region}#/clusters/${EcsCluster}/services/${EcsService.Name}/events'
  DbSuperUser:
    Value: !FindInMap [CustomParamsMap, Get, DbSuperUser]
  DbSuperUserPassword:
    Value: !Sub 'https://console.aws.amazon.com/systems-manager/parameters/${DbSuperUserPassword.EncodedParameterName}/description?region=${AWS::Region}'
  DbAppUser:
    Value: !FindInMap [CustomParamsMap, Get, DbAppUser]
  DbAppPassword:
    Value: !Sub 'https://console.aws.amazon.com/systems-manager/parameters/${DbAppPassword.EncodedParameterName}/description?region=${AWS::Region}'