mcCFNGamingServerSolution.YAML

# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
# SPDX-License-Identifier: MIT-0

AWSTemplateFormatVersion: 2010-09-09
Description: AWS CloudFormation Template to setup a cloud optimised Personal Gaming server.  

Metadata:
  'AWS::CloudFormation::Interface':
    ParameterGroups:
      - Label:
          default: Personal Gaming Server Configuration
        Parameters:
          - GameServer
          - InstanceType
          - DiskSize
          - DiskType
          - GamingTCPTrafficPortStart
          - GamingTCPTrafficPortEnd
          - GamingUDPTrafficPortStart
          - GamingUDPTrafficPortEnd
      - Label:
          default: AWS Configuration
        Parameters:
          - KeyName
          - HostedZoneId
          - Domain
          - ShutdownTimeHours
          - ShutdownTimeMins
          - IdTagValue
      - Label:
          default: You should not need to change anything in this section.
        Parameters:
          - IdTagName
          - LatestAMIIDx86
    ParameterLabels:
      GameServer:
        default: Choose what game server you wish to install
      InstanceType:
        default: Select the server size (we recommend selecting a larger instance for initial install and then changing this to a smaller size later).
      DiskSize:
        default: How many Gibibytes would you like?
      DiskType:
        default: What do you want your hard-drive made from (GP3 is recommended)?
      KeyName:
        default: Select the key pair you will use to access server OS
      Domain:
        default: Enter the domain name you will use.  Note this should be controlled by the Hosted Zone above (see setup instructions earlier)
      HostedZoneId:
        default: Enter the ARN for the Hosted Zone that contains your DNS records (see earlier step)
      IdTagName:
        default: Tag name that will be used to identify your gaming server(s)
      IdTagValue:
        default: Tag value that will be used to identify your gaming server(s)
      ShutdownTimeHours:
        default: The time of day to shutdown the server automatically in hours (NOTE GMT/UTC TIME!! - not local time zone)
      ShutdownTimeMins:
        default: The minutes past the hours specfied above to automatically shut down your server
      LatestAMIIDx86:
        default: The AMI to use. This is the machine image and includes at a minimum the OS for the server
      GamingTCPTrafficPortStart:
        default: Start of the port range that should be accessible from the internet for TCP traffic.  Leave blank if you only want to allow UDP traffic to your server.
      GamingTCPTrafficPortEnd:
        default: End of the port range that should be accessible from the internet for TCP traffic. 
      GamingUDPTrafficPortStart:
        default: Start of the port range that should be accessible from the internet for UDP traffic.  Leave blank if you only want to allow TCP traffic to your server.
      GamingUDPTrafficPortEnd:
        default: End of the port range that should be accessible from the internet for UDP traffic. 
              
Parameters:
  GameServer:
    Description: Please enter the URL for the shell script to install the game server of your choice - we call this the game cartridge URL.  Please note this must be an uncompressed shell script to run on selected AMI (Ubuntu by default).
    Type: String
    AllowedPattern: https?:\/\/(www\.)?[-a-zA-Z0-9@:%._\+~#=]{1,256}\.[a-zA-Z0-9()]{1,6}\b([-a-zA-Z0-9()@:%_\+.~#?&//=]*)
    ConstraintDescription: 'Must be a valid URL.'
    Default: https://raw.githubusercontent.com/Wondro/personal-game-server-manager/main/Bash/palworld.sh
  KeyName:
    Description: >-
      This is required so you can access the server.  If there is no option to
      select one, please go back and create one before trying to run this
      template again
    AllowedPattern: .+
    ConstraintDescription: >-
      You must choose a keypair otherwise you won't be able to login to your
      server's OS
    Type: 'AWS::EC2::KeyPair::KeyName'
  DiskSize:
    Description: >-
      Size of disk - you must choose a disk size of at least 8GiB (because this
      is the size of the Linux AMI)
    AllowedPattern: '^([8-9]|([1-9]\d{1,}))$'
    ConstraintDescription: You must choose a disk size of at least 8 GiB
    Default: '8'
    Type: String
  DiskType:
    Description: Choose disk type.  GP3 is recommended
    AllowedPattern: .+
    AllowedValues:
      - gp3
      - gp2
      - standard
      - IO2
    Default: gp3
    ConstraintDescription: You must choose a disk type
    Type: String
  InstanceType:
    Description: 'Select the AWS EC2 instance type you want.  You can change avaialble options later via the AWS Console - see blog entry for more details'
    AllowedPattern: .+
    ConstraintDescription: You must choose a server size
    Type: String
    AllowedValues:
      - t3.medium
      - t3.large
      - t3.xlarge
  LatestAMIIDx86:
    Description: Defaults to the latest Ubuntu AMI ID.  You can replace this if you would like to use a different AMI / Operating System.
    Type: 'AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>'
    Default: /aws/service/canonical/ubuntu/server/20.04/stable/current/amd64/hvm/ebs-gp2/ami-id
  GamingTCPTrafficPortStart:
    Description: Enter port number for your server ingress security group.  This will open your gaming server to TCP traffic to a range of ports with this as the lower boundary.
    Type: String
    AllowedPattern: ^(^$|[0-9]{1,4}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5])$
    ConstraintDescription: Must be a valid port number.
  GamingTCPTrafficPortEnd:
    Description: Enter port number for your server ingress security group.  This will open your gaming server to TCP traffic to a range of ports with this as the upper boundary.
    Type: String
    AllowedPattern: ^(^$|[0-9]{1,4}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5])$
    ConstraintDescription: Must be a valid port number.
  GamingUDPTrafficPortStart:
    Description: Enter port number for your server ingress security group.  This will open your gaming server to UDP traffic to a range of ports with this as the lower boundary.
    Type: String
    AllowedPattern: ^(^$|[0-9]{1,4}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5])$
    ConstraintDescription: Must be a valid port number.
    Default: '8211'
  GamingUDPTrafficPortEnd:
    Description: Enter port number for your server ingress security group.  This will open your gaming server to UDP traffic to a range of ports with this as the upper boundary.
    Type: String
    AllowedPattern: ^(^$|[0-9]{1,4}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5])$
    ConstraintDescription: Must be a valid port number.
    Default: '8211'
  Domain:
    Description: Domain name you will use to access your server (e.g. mygameserver.link).  This is optional however without it you will need to configure a new IP address each stop/start
    Type: String
  HostedZoneId:
    Description: Select the ID of your hosted zone - if there isn't one please go back to the section that describes setting up a domain name and hosted zone
    Type: 'AWS::Route53::HostedZone::Id'
    ConstraintDescription: >-
      Although optional, it's required if you are using a custom domain
      (recommended) so the DNS record for your domain can be updated
  IdTagName:
    Description: The name of the tag that will be used to identify your gaming server(s).  DO NOT CHANGE THIS VALUE
    AllowedPattern: mcServerFinder
    Default: mcServerFinder
    Type: String
    ConstraintDescription: Please set this to "mcserverfinder" this is required so we can find your server(s) to control them
  IdTagValue:
    Description: The value of the tag that will be used to identify your gaming server(s).  This can be useful if you want to control different servers independently - such as if you wanted to spin up a server to test out some features or mods without risking your main server - in this case you may want to change the tag value to something like mcDev or mcTest for example.
    AllowedPattern: .+
    Type: String
    Default: mcServer
    ConstraintDescription: This is a mandatory field - you must pust something in.  We recommend not changing the default value.
  ShutdownTimeHours:
    Description: Setting a time here will automatically stop your server at the same time every day.  You adjust the rule, add rules, changes days etc. later directly in the AWS EventBridge Console.  IMPORTANT NOTE - the time must be set in GMT not your local time zone (also note therefore this time will appear to change when going from summer time to winter for relevant time zones).  Leaving blank will not set an auto server shut down rule.
    Type: String
    AllowedValues:
      - 'None - do not auto shut-down'
      - '23'
      - '22'
      - '21'
      - '20'
      - '19'
      - '18'
      - '17'
      - '16'
      - '15'
      - '14'
      - '13'
      - '12'
      - '11'
      - '10'
      - '9'
      - '8'
      - '7'
      - '6'
      - '5'
      - '4'
      - '3'
      - '2'
      - '1'
      - '0'
  ShutdownTimeMins:
    Description: Minutes past the hours to auto shut down your server each day
    Type: String
    AllowedValues:
      - 'Not Applicable'
      - '0'
      - '5'
      - '10'
      - '15'
      - '20'
      - '25'
      - '30'
      - '35'
      - '40'
      - '45'
      - '50'
      - '55'

Conditions:
  ShutdownTimeHoursIsNull: !Equals
    - !Ref ShutdownTimeHours
    - 'None - do not auto shut-down'
  ShutdownTimeMinsIsNull: !Equals
    - !Ref ShutdownTimeMins
    - 'None'
  noSecIngress: !And
    - !Condition hasTCP
    - !Condition hasUDP
  hasTCP: !Not 
    - !Equals 
      - !Ref GamingTCPTrafficPortStart
      - ''
  hasUDP: !Not 
    - !Equals
      - !Ref GamingUDPTrafficPortStart
      - ''

Resources:
  mcEC2Instance:
    Type: 'AWS::EC2::Instance'
    DependsOn: mcIgAttachment
    Properties:
      SecurityGroupIds:
        - !Ref mcSecurityGroup
      InstanceType: !Ref InstanceType
      CreditSpecification:
        CPUCredits: Standard
      SubnetId: !Ref mcSubnet
      IamInstanceProfile: !Ref mcInstanceProfile
      KeyName: !Ref KeyName
      Tags:
        - Key: Name
          Value: Cloudformation MC server
        - Key: !Ref IdTagName
          Value: !Ref IdTagValue
        - Key: domain
          Value: !Ref Domain
        - Key: hostedZoneId
          Value: !Ref HostedZoneId
      BlockDeviceMappings:
        - DeviceName: /dev/sda1
          Ebs:
            DeleteOnTermination: 'true'
            Encrypted: 'false'
            VolumeSize: !Ref DiskSize
            VolumeType: !Ref DiskType
      ImageId: !Ref LatestAMIIDx86
      UserData: 
        Fn::Base64: !Sub 
          - |
            #!/bin/bash -xe
            apt update
            apt upgrade -y
            apt install -y python-setuptools
            mkdir -p /opt/aws/bin
            wget https://s3.amazonaws.com/cloudformation-examples/aws-cfn-bootstrap-py3-latest.tar.gz
            python3 -m easy_install --script-dir /opt/aws/bin aws-cfn-bootstrap-py3-latest.tar.gz
            ln -s /root/aws-cfn-bootstrap-latest/init/ubuntu/cfn-hup /etc/init.d/cfn-hup
            echo ${AWS::StackName} > /tmp/mcParamName.txt
            mkdir -p /usr/games/install
            cd /usr/games/install
            wget -O gameserverinstall.sh ${GameServer}
            chmod +x gameserverinstall.sh
            ./gameserverinstall.sh
            /opt/aws/bin/cfn-signal -e $? --stack ${AWS::StackName} --resource mcC2Instance --region ${AWS::Region}
          - GameServer: !Ref GameServer

  mcPwordParameter:
    Type: AWS::SSM::Parameter
    Properties: 
      DataType: text
      Description: Parameter to store temp password randomly generated on initial stack creation
      Name: !Sub mcPalworldPW-${AWS::StackName}
      Tier: Standard
      Type: String
      Value: tempValue

  mcInstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties: 
      Path: /service-role/
      Roles: 
        - !Ref mcGamingServerIamRole

  mcGamingServerIamRole:
    Type: AWS::IAM::Role
    Properties: 
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service: ec2.amazonaws.com
            Action: 'sts:AssumeRole'
      Description: IAM role to allow gaming EC2 server to update parameter with generated app password
      Path: /service-role/
      Policies: 
        - PolicyName: mcPersonalGamingServerIamRole
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action: "ssm:PutParameter"
                Resource: !Sub 
                  - arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter/${paramName}
                  - paramName: !Ref mcPwordParameter

  mcControlApi:
    Type: 'AWS::ApiGateway::RestApi'
    Properties: 
      Description: "Primary API to control gaming server"
      Name: !Sub mcControlApi-${mcVPC}
      EndpointConfiguration: 
        Types:
          - REGIONAL
      FailOnWarnings: true

  mcCognitoAuthoriser:
    Type: 'AWS::ApiGateway::Authorizer'
    Properties: 
      IdentitySource: method.request.header.Authorization
      Name: mcCognitoAuthoriser
      ProviderARNs: 
        - !GetAtt mcCognitoUserPool.Arn
      RestApiId: !Ref mcControlApi
      Type: COGNITO_USER_POOLS

  mcControlApiDeployment:
    DependsOn: mcApiGetInfoGetMethod
    Type: 'AWS::ApiGateway::Deployment'
    Properties: 
      RestApiId: !Ref mcControlApi
      Description: Deployment of gaming control REST API
      StageName: prod

  mcControlApiResGetInfo:
    Type: 'AWS::ApiGateway::Resource'
    Properties: 
      ParentId: !GetAtt 
        - mcControlApi
        - RootResourceId
      PathPart: getinfo
      RestApiId: !Ref mcControlApi

  mcControlApiResResize:
    Type: 'AWS::ApiGateway::Resource'
    Properties: 
      ParentId: !GetAtt 
        - mcControlApi
        - RootResourceId
      PathPart: resize
      RestApiId: !Ref mcControlApi

  mcControlApiResStart:
    Type: 'AWS::ApiGateway::Resource'
    Properties: 
      ParentId: !GetAtt 
        - mcControlApi
        - RootResourceId
      PathPart: start
      RestApiId: !Ref mcControlApi

  mcControlApiResStop:
    Type: 'AWS::ApiGateway::Resource'
    Properties: 
      ParentId: !GetAtt 
        - mcControlApi
        - RootResourceId
      PathPart: stop
      RestApiId: !Ref mcControlApi

  mcApiGetInfoGetMethod:
    Type: 'AWS::ApiGateway::Method'
    Properties: 
      ApiKeyRequired: false
      AuthorizationType: COGNITO_USER_POOLS
      AuthorizerId: !Ref mcCognitoAuthoriser
      HttpMethod: GET
      Integration: 
          IntegrationHttpMethod: POST
          IntegrationResponses:
            - StatusCode: 200
              ResponseParameters: 
                method.response.header.Access-Control-Allow-Origin : "'*'"
              ResponseTemplates: 
                application/json : ''
          PassthroughBehavior: WHEN_NO_TEMPLATES
          RequestTemplates: 
            application/json : "{\r\n \"command\": \"getInfo\",\r\n \"mcTagName\": \"$input.params('mctagname')\",\r\n \"mcTagValue\": \"$input.params('mctagvalue')\"\r\n}"
          TimeoutInMillis: 15000
          Type: AWS
          Uri: !Sub
            - arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${lambdaArn}/invocations
            - lambdaArn: !GetAtt mcStartStopLambda.Arn
      MethodResponses: 
        - StatusCode: 200
          ResponseModels: 
            application/json : 'Empty'
          ResponseParameters: 
            method.response.header.Access-Control-Allow-Origin : false
      OperationName: GetInfo
      RequestParameters: 
        method.request.querystring.mctagname : false
        method.request.querystring.mctagvalue : false
      ResourceId: !Ref mcControlApiResGetInfo
      RestApiId: !Ref mcControlApi

  mcApiGetInfoOptionsMethod:
    Type: 'AWS::ApiGateway::Method'
    Properties: 
      ApiKeyRequired: false
      AuthorizationType: NONE
      HttpMethod: OPTIONS
      Integration: 
          IntegrationResponses:
            - StatusCode: 200
              ResponseParameters: 
                method.response.header.Access-Control-Allow-Headers : "'Content-Type,X-Amz-Date,Authorization,X-Api-Key,X-Amz-Security-Token'"
                method.response.header.Access-Control-Allow-Origin : "'*'"
                method.response.header.Access-Control-Allow-Credentials : "'true'"
                method.response.header.Access-Control-Allow-Methods : "'GET,OPTIONS'"
              ResponseTemplates: 
                application/json : ''
          PassthroughBehavior: WHEN_NO_MATCH
          RequestTemplates: 
            application/json : '{"statusCode": 200}'
          TimeoutInMillis: 15000
          Type: MOCK
      MethodResponses: 
        - StatusCode: 200
          ResponseModels: 
            application/json : 'Empty'
          ResponseParameters: 
            method.response.header.Access-Control-Allow-Headers : false
            method.response.header.Access-Control-Allow-Origin : false
            method.response.header.Access-Control-Allow-Credentials : false
            method.response.header.Access-Control-Allow-Methods : false
      OperationName: GetInfoOPTIONS
      ResourceId: !Ref mcControlApiResGetInfo
      RestApiId: !Ref mcControlApi

  mcApiStartGetMethod:
    Type: 'AWS::ApiGateway::Method'
    Properties: 
      ApiKeyRequired: false
      AuthorizationType: COGNITO_USER_POOLS
      AuthorizerId: !Ref mcCognitoAuthoriser
      HttpMethod: GET
      Integration: 
          IntegrationHttpMethod: POST
          IntegrationResponses:
            - StatusCode: 200
              ResponseParameters: 
                method.response.header.Access-Control-Allow-Origin : "'*'"
              ResponseTemplates: 
                application/json : ''
          PassthroughBehavior: WHEN_NO_TEMPLATES
          RequestTemplates: 
            application/json : "{\r\n \"command\": \"start\",\r\n \"mcTagName\": \"$input.params('mctagname')\",\r\n \"mcTagValue\": \"$input.params('mctagvalue')\"\r\n}"
          TimeoutInMillis: 15000
          Type: AWS
          Uri: !Sub
            - arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${lambdaArn}/invocations
            - lambdaArn: !GetAtt mcStartStopLambda.Arn
      MethodResponses: 
        - StatusCode: 200
          ResponseModels: 
            application/json : 'Empty'
          ResponseParameters: 
            method.response.header.Access-Control-Allow-Origin : false
      OperationName: Start
      RequestParameters: 
        method.request.querystring.mctagname : false
        method.request.querystring.mctagvalue : false
      ResourceId: !Ref mcControlApiResStart
      RestApiId: !Ref mcControlApi

  mcApiStartOptionsMethod:
    Type: 'AWS::ApiGateway::Method'
    Properties: 
      ApiKeyRequired: false
      AuthorizationType: NONE
      HttpMethod: OPTIONS
      Integration: 
          IntegrationResponses:
            - StatusCode: 200
              ResponseParameters: 
                method.response.header.Access-Control-Allow-Headers : "'Content-Type,X-Amz-Date,Authorization,X-Api-Key,X-Amz-Security-Token'"
                method.response.header.Access-Control-Allow-Origin : "'*'"
                method.response.header.Access-Control-Allow-Credentials : "'true'"
                method.response.header.Access-Control-Allow-Methods : "'GET,OPTIONS'"
              ResponseTemplates: 
                application/json : ''
          PassthroughBehavior: WHEN_NO_MATCH
          RequestTemplates: 
            application/json : '{"statusCode": 200}'
          TimeoutInMillis: 15000
          Type: MOCK
      MethodResponses: 
        - StatusCode: 200
          ResponseModels: 
            application/json : 'Empty'
          ResponseParameters: 
            method.response.header.Access-Control-Allow-Headers : false
            method.response.header.Access-Control-Allow-Origin : false
            method.response.header.Access-Control-Allow-Credentials : false
            method.response.header.Access-Control-Allow-Methods : false
      OperationName: StartOPTIONS
      ResourceId: !Ref mcControlApiResStart
      RestApiId: !Ref mcControlApi

  mcApiStopGetMethod:
    Type: 'AWS::ApiGateway::Method'
    Properties: 
      ApiKeyRequired: false
      AuthorizationType: COGNITO_USER_POOLS
      AuthorizerId: !Ref mcCognitoAuthoriser
      HttpMethod: GET
      Integration: 
          IntegrationHttpMethod: POST
          IntegrationResponses:
            - StatusCode: 200
              ResponseParameters: 
                method.response.header.Access-Control-Allow-Origin : "'*'"
              ResponseTemplates: 
                application/json : ''
          PassthroughBehavior: WHEN_NO_TEMPLATES
          RequestTemplates: 
            application/json : "{\r\n \"command\": \"stop\",\r\n \"mcTagName\": \"$input.params('mctagname')\",\r\n \"mcTagValue\": \"$input.params('mctagvalue')\"\r\n}"
          TimeoutInMillis: 15000
          Type: AWS
          Uri: !Sub
            - arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${lambdaArn}/invocations
            - lambdaArn: !GetAtt mcStartStopLambda.Arn
      MethodResponses: 
        - StatusCode: 200
          ResponseModels: 
            application/json : 'Empty'
          ResponseParameters: 
            method.response.header.Access-Control-Allow-Origin : false
      OperationName: Stop
      RequestParameters: 
        method.request.querystring.mctagname : false
        method.request.querystring.mctagvalue : false
      ResourceId: !Ref mcControlApiResStop
      RestApiId: !Ref mcControlApi

  mcApiStopOptionsMethod:
    Type: 'AWS::ApiGateway::Method'
    Properties: 
      ApiKeyRequired: false
      AuthorizationType: NONE
      HttpMethod: OPTIONS
      Integration: 
          IntegrationResponses:
            - StatusCode: 200
              ResponseParameters: 
                method.response.header.Access-Control-Allow-Headers : "'Content-Type,X-Amz-Date,Authorization,X-Api-Key,X-Amz-Security-Token'"
                method.response.header.Access-Control-Allow-Origin : "'*'"
                method.response.header.Access-Control-Allow-Credentials : "'true'"
                method.response.header.Access-Control-Allow-Methods : "'GET,OPTIONS'"
              ResponseTemplates: 
                application/json : ''
          PassthroughBehavior: WHEN_NO_MATCH
          RequestTemplates: 
            application/json : '{"statusCode": 200}'
          TimeoutInMillis: 15000
          Type: MOCK
      MethodResponses: 
        - StatusCode: 200
          ResponseModels: 
            application/json : 'Empty'
          ResponseParameters: 
            method.response.header.Access-Control-Allow-Headers : false
            method.response.header.Access-Control-Allow-Origin : false
            method.response.header.Access-Control-Allow-Credentials : false
            method.response.header.Access-Control-Allow-Methods : false
      OperationName: StopOPTIONS
      ResourceId: !Ref mcControlApiResStop
      RestApiId: !Ref mcControlApi

  mcApiResizeGetMethod:
    Type: 'AWS::ApiGateway::Method'
    Properties: 
      ApiKeyRequired: false
      AuthorizationType: COGNITO_USER_POOLS
      AuthorizerId: !Ref mcCognitoAuthoriser
      HttpMethod: GET
      Integration: 
          IntegrationHttpMethod: POST
          IntegrationResponses:
            - StatusCode: 200
              ResponseParameters: 
                method.response.header.Access-Control-Allow-Origin : "'*'"
              ResponseTemplates: 
                application/json : ''
          PassthroughBehavior: WHEN_NO_TEMPLATES
          RequestTemplates: 
            application/json : "{\r\n \"command\": \"reSize\",\r\n \"mcTagName\": \"$input.params('mctagname')\",\r\n \"mcTagValue\": \"$input.params('mctagvalue')\",\r\n \"reSizeType\": \"$input.params('resize')\"\r\n}"
          TimeoutInMillis: 15000
          Type: AWS
          Uri: !Sub
            - arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${lambdaArn}/invocations
            - lambdaArn: !GetAtt mcStartStopLambda.Arn
      MethodResponses: 
        - StatusCode: 200
          ResponseModels: 
            application/json : 'Empty'
          ResponseParameters: 
            method.response.header.Access-Control-Allow-Origin : false
      OperationName: Resize
      RequestParameters: 
        method.request.querystring.mctagname : false
        method.request.querystring.mctagvalue : false
        method.request.querystring.resize : false
      ResourceId: !Ref mcControlApiResResize
      RestApiId: !Ref mcControlApi

  mcApiResizeOptionsMethod:
    Type: 'AWS::ApiGateway::Method'
    Properties: 
      ApiKeyRequired: false
      AuthorizationType: NONE
      HttpMethod: OPTIONS
      Integration: 
          IntegrationResponses:
            - StatusCode: 200
              ResponseParameters: 
                method.response.header.Access-Control-Allow-Headers : "'Content-Type,X-Amz-Date,Authorization,X-Api-Key,X-Amz-Security-Token'"
                method.response.header.Access-Control-Allow-Origin : "'*'"
                method.response.header.Access-Control-Allow-Credentials : "'true'"
                method.response.header.Access-Control-Allow-Methods : "'GET,OPTIONS'"
              ResponseTemplates: 
                application/json : ''
          PassthroughBehavior: WHEN_NO_MATCH
          RequestTemplates: 
            application/json : '{"statusCode": 200}'
          TimeoutInMillis: 15000
          Type: MOCK
      MethodResponses: 
        - StatusCode: 200
          ResponseModels: 
            application/json : 'Empty'
          ResponseParameters: 
            method.response.header.Access-Control-Allow-Headers : false
            method.response.header.Access-Control-Allow-Origin : false
            method.response.header.Access-Control-Allow-Credentials : false
            method.response.header.Access-Control-Allow-Methods : false
      OperationName: ResizeOPTIONS
      ResourceId: !Ref mcControlApiResResize
      RestApiId: !Ref mcControlApi

  mcStateMachineDNS:
    Type: 'AWS::StepFunctions::StateMachine'
    Properties:
      Definition:
        Comment: Step machine to update DNS while minimising Lambda execution runtime
        StartAt: getIpUpdateDNS
        States:
          getIpUpdateDNS:
            Type: Task
            Resource: '${mcUpdateDns}'
            Retry:
              - ErrorEquals:
                  - noIpFound
                IntervalSeconds: 3
                MaxAttempts: 10
                BackoffRate: 1
              - ErrorEquals:
                  - States.TaskFailed
                IntervalSeconds: 30
                MaxAttempts: 2
                BackoffRate: 2
              - ErrorEquals:
                  - States.ALL
                IntervalSeconds: 5
                MaxAttempts: 5
                BackoffRate: 2
            End: true
      DefinitionSubstitutions:
        mcUpdateDns: !GetAtt mcUpdateDnsLambda.Arn
      RoleArn: !GetAtt mcStateMachineIamRole.Arn
      StateMachineName: !Sub ${AWS::StackName}-mcStateMachine
      StateMachineType: STANDARD

  mcCognitoUserPool:
    Type: AWS::Cognito::UserPool
    Properties: 
      AdminCreateUserConfig: 
          AllowAdminCreateUserOnly: True
      AutoVerifiedAttributes: 
        - email
      DeviceConfiguration: 
          ChallengeRequiredOnNewDevice: True
          DeviceOnlyRememberedOnUserPrompt: True
      Policies: 
          PasswordPolicy: 
              MinimumLength: 8
              RequireLowercase: True
              RequireNumbers: True
              RequireSymbols: True
              RequireUppercase: True
              TemporaryPasswordValidityDays: 3
      Schema:
        - Name: email
          Required: true
      UsernameAttributes: 
        - email
      UsernameConfiguration: 
          CaseSensitive: false

  mcUserPoolDomain:
    Type: AWS::Cognito::UserPoolDomain
    Properties: 
      Domain: !Join
        - ''
        - !Split
          - '.cloudfront.net'
          - !GetAtt mcCloudFront.DomainName
      UserPoolId: !Ref mcCognitoUserPool

  mcCognitoAppClient:
    Type: AWS::Cognito::UserPoolClient
    Properties:
      AccessTokenValidity: 1
      IdTokenValidity: 1
      AllowedOAuthFlows: 
        - code
      AllowedOAuthFlowsUserPoolClient: true
      AllowedOAuthScopes: 
        - openid
        - aws.cognito.signin.user.admin
      CallbackURLs: 
        - !Sub https://${mcCloudFront.DomainName}/signed_in.html     
      DefaultRedirectURI: !Sub https://${mcCloudFront.DomainName}/signed_in.html
      ExplicitAuthFlows: 
        - ALLOW_REFRESH_TOKEN_AUTH
        - ALLOW_USER_SRP_AUTH
        - ALLOW_CUSTOM_AUTH
      GenerateSecret: false
      LogoutURLs: 
        - !Sub https://${mcCloudFront.DomainName}/logout.html
      PreventUserExistenceErrors: ENABLED
      SupportedIdentityProviders: 
        - COGNITO
      UserPoolId: !Ref mcCognitoUserPool

  mcStateMachineIamRole:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service: states.amazonaws.com
            Action: 'sts:AssumeRole'
      Description: State machine execution role
      Path: /service-role/
      Policies:
        - PolicyName: mcStateMachineInline
          PolicyDocument:
              Version: 2012-10-17
              Statement:
                - Effect: Allow
                  Action:
                    - 'lambda:InvokeFunction'
                  Resource:
                    - !GetAtt mcUpdateDnsLambda.Arn

  mcCustomResourceLambdaIamRole:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action: 'sts:AssumeRole'
      Description: Role for custom resource to allow lambda function to execute
      Path: /service-role/
      Policies:
        - PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Effect: Allow
                Action:
                  - 'logs:CreateLogGroup'
                  - 'logs:CreateLogStream'
                  - 'logs:PutLogEvents'
                Resource: 'arn:aws:logs:*:*:*'
              - Effect: Allow
                Action:
                  - 's3:ListBucket'
                Resource:
                  - !GetAtt mcLambdaSourceFilesS3.Arn
                  - !GetAtt mcS3Bucket.Arn
                  - !GetAtt mcLoggingBucket.Arn
              - Effect: Allow
                Action:
                  - 's3:PutObject'
                  - 's3:DeleteObject'
                  - 's3:GetObject'
                Resource:
                  - !Sub
                    - ${bucket}/*
                    - bucket: !GetAtt mcLambdaSourceFilesS3.Arn
                  - !Sub
                    - ${bucket}/*
                    - bucket: !GetAtt mcS3Bucket.Arn
                  - !Sub
                    - ${bucket}/*
                    - bucket: !GetAtt mcLoggingBucket.Arn
          PolicyName: mcCustomResourceInline

  mcUpdateDnsLambdaIamRole:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action: 'sts:AssumeRole'
      Description: Execution role for mcStartStop Lambda function
      Path: /service-role/
      Policies:
        - PolicyName: mcUpdateDnsInline
          PolicyDocument: 
            !Sub 
              - |
                  {
                    "Version": "2012-10-17",
                    "Statement": [
                      {
                        "Effect": "Allow",
                        "Action":[
                          "logs:CreateLogGroup",
                          "logs:CreateLogStream",
                          "logs:PutLogEvents"
                          ],
                        "Resource": "*"
                      },
                      {
                        "Effect": "Allow",
                        "Action": "route53:ChangeResourceRecordSets",
                        "Resource": "arn:aws:route53:::hostedzone/${hostedZone}"
                      },
                      {
                        "Effect": "Allow",
                        "Action":[
                          "ec2:DescribeInstances",
                          "ec2:DescribeTags"
                          ],
                        "Resource": "*"
                      }
                    ]
                  }
              - hostedZone: !Ref HostedZoneId          

  mcStartStopLambdaIamRole:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action: 'sts:AssumeRole'
      Description: Execution role for mcStartStop Lambda function
      Path: /service-role/
      Policies:
        - PolicyName: mcStartStopInline
          PolicyDocument: 
            !Sub 
              - |
                  {
                    "Version": "2012-10-17",
                    "Statement": [
                        {
                        "Effect": "Allow",
                        "Action":[
                          "logs:CreateLogGroup",
                          "logs:CreateLogStream",
                          "logs:PutLogEvents"
                          ],
                        "Resource": "*"
                        },
                        {
                          "Effect": "Allow",
                          "Action": "states:StartExecution",
                          "Resource": "arn:aws:states:${AWS::Region}:${AWS::AccountId}:stateMachine:${AWS::StackName}-mcStateMachine"
                        },
                        {
                        "Effect": "Allow",
                        "Action":[
                          "ec2:DescribeInstances",
                          "ec2:DescribeTags",
                          "ec2:DescribeInstanceTypes"
                          ],
                        "Resource": "*"
                        },
                        {
                        "Effect": "Allow",
                        "Action":[
                          "ec2:StartInstances",
                          "ec2:ModifyInstanceAttribute",
                          "ec2:StopInstances"
                          ],
                        "Resource": "arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:instance/*",
                        "Condition": {
                          "StringEquals": {
                            "ec2:ResourceTag/${tagname}": "${tagvalue}"
                          }
                        }
                      }
                    ]
                  }
              - tagname: !Ref IdTagName
                tagvalue: !Ref IdTagValue   

  mcBackupIamRole:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service: backup.amazonaws.com
            Action: 'sts:AssumeRole'
      Description: Role for custom resource to allow lambda function to execute
      Path: /service-role/
      Policies:
        - PolicyName: mcBackupInline
          PolicyDocument:
            Version: 2012-10-17
            Statement: 
              - Effect: Allow
                Action:
                  - ec2:CreateTags
                  - ec2:DeleteSnapshot
                Resource: arn:aws:ec2:*::snapshot/*
              - Effect: Allow
                Action:
                  - ec2:CreateImage
                  - ec2:DeregisterImage
                Resource: "*"
              - Effect: Allow
                Action:
                  - ec2:CopyImage
                  - ec2:CopySnapshot
                Resource: "*"
              - Effect: Allow
                Action:
                  - ec2:CreateTags
                Resource: arn:aws:ec2:*:*:image/*
              - Effect: Allow
                Action:
                  - ec2:DescribeSnapshots
                  - ec2:DescribeTags
                  - ec2:DescribeImages
                  - ec2:DescribeInstances
                  - ec2:DescribeInstanceAttribute
                  - ec2:DescribeInstanceCreditSpecifications
                  - ec2:DescribeNetworkInterfaces
                  - ec2:DescribeElasticGpus
                  - ec2:DescribeSpotInstanceRequests
                Resource: "*"
              - Effect: Allow
                Action:
                  - ec2:CreateSnapshot
                  - ec2:DeleteSnapshot
                  - ec2:DescribeVolumes
                  - ec2:DescribeSnapshots
                Resource:
                  - arn:aws:ec2:*::snapshot/*
                  - arn:aws:ec2:*:*:volume/*
              - Action:
                  - tag:GetResources
                Resource: "*"
                Effect: Allow
              - Effect: Allow
                Action:
                  - backup:DescribeBackupVault
                  - backup:CopyIntoBackupVault
                Resource: arn:aws:backup:*:*:backup-vault:*

  mcKmsKey:
      Type: AWS::KMS::Key
      Properties:
        Description: "Encryption key gaming server backups"
        EnableKeyRotation: True
        Enabled: True
        KeyPolicy:
          Version: "2012-10-17"
          Statement:
            - Effect: Allow
              Principal:
                "AWS": { "Fn::Sub": "arn:${AWS::Partition}:iam::${AWS::AccountId}:root" }
              Action:
                - kms:*
              Resource: "*"

  mcBackupVault:
    Type: "AWS::Backup::BackupVault"
    Properties:
      BackupVaultName: !Sub "${AWS::StackName}-mcBackupVaultWithDailyBackups"
      EncryptionKeyArn: !GetAtt mcKmsKey.Arn

  mcBackupPlan:
    Type: "AWS::Backup::BackupPlan"
    Properties:
      BackupPlan:
        BackupPlanName: "mcBackupPlan"
        BackupPlanRule:
          - RuleName: "mcDailyBackups"
            TargetBackupVault: !Ref mcBackupVault
            ScheduleExpression: "cron(0 5 ? * * *)"
            Lifecycle: 
              DeleteAfterDays: 7

  TagBasedBackupSelection:
    Type: "AWS::Backup::BackupSelection"
    Properties:
      BackupSelection:
        SelectionName: "TagBasedBackupSelection"
        IamRoleArn: !GetAtt mcBackupIamRole.Arn
        ListOfTags:
          - ConditionType: "STRINGEQUALS"
            ConditionKey: !Ref IdTagName
            ConditionValue: !Ref IdTagValue
      BackupPlanId: !Ref mcBackupPlan

  mcCopyToS3Lambda:
    Type: 'AWS::Lambda::Function'
    Properties:
      Code:
        ZipFile: |
          import os
          import urllib.request
          from urllib.parse import urlparse
          import boto3
          import zipfile
          import cfnresponse
          def lambda_handler(event, context):
              s3 = boto3.resource('s3')
              properties = event['ResourceProperties']
              urls = properties['sourceUrls']
              bucket = properties['targetS3Bucket']
              if event['RequestType'] == 'Create':
                try:
                  for i in urls:
                    url = i.get('url')
                    urlPath = urlparse(url).path
                    fileName = os.path.basename(urlPath)
                    filePath = '/tmp/' + fileName
                    urllib.request.urlretrieve(url, filePath)
                    fileName = os.path.basename(filePath)
                    if i.get('zip'):
                      zipFileName = os.path.splitext(fileName)[0]+'.zip'
                      zipFilePath = '/tmp/' + zipFileName
                      arcName = i.get('filename')
                      zf = zipfile.ZipFile(zipFilePath, mode ='w')
                      zf.write(filePath, arcname=arcName)
                      zf.close()
                      fileName = zipFileName
                      filePath = zipFilePath
                    contentType = i.get('content-type')
                    if i.get('folder'): 
                      fileName = i.get('folder')+ '/' + fileName
                    s3.Object(bucket, fileName).put(Body=open(filePath, 'rb'),ContentType=contentType)
                  cfnresponse.send(event, context, cfnresponse.SUCCESS, {'Response': 'Success - files copied'})
                except Exception as e:
                  print(e)
                  cfnresponse.send(event, context, cfnresponse.FAILED, {'Response': 'Failed to copy files'})
              if event['RequestType'] == 'Delete':
                try:
                  s3bucket = s3.Bucket(bucket)
                  s3bucket.objects.delete()
                  cfnresponse.send(event, context, cfnresponse.SUCCESS, {'Response': 'Success- bucket emptied'})
                except Exception as e:
                  print(e)
                  cfnresponse.send(event, context, cfnresponse.FAILED, {'Response': 'Failed to empty bucket please clean up manually'})
              cfnresponse.send(event, context, cfnresponse.SUCCESS, {'Response': 'Update action not Supported.'})
      Description: Custom resource lambda to copy required code files from github to S3
      Role: !GetAtt mcCustomResourceLambdaIamRole.Arn
      Handler: index.lambda_handler
      Runtime: python3.8
      Timeout: 10
  
  mcUpdateConfigLambda:
    Type: AWS::Lambda::Function
    Properties:
      Code:
        ZipFile: |
          import boto3
          import cfnresponse
          def lambda_handler(event, context):
              s3 = boto3.client('s3')
              properties = event['ResourceProperties']
              configfile = properties['configfile']
              bucket = properties['S3Bucket']
              if event['RequestType'] == 'Create':
                  try:
                      with open('/tmp/configuration.js', 'wb') as f:
                          s3.download_fileobj(bucket, configfile, f)
                      f.close()
                      f = open('/tmp/configuration.js','rt')
                      configdata = f.read()
                      configdata = configdata.replace('REPLACE-WITH-CFURL', properties['cloudfrontURL'])
                      configdata = configdata.replace('REPLACE-WITH-COGNITO', properties['cognitoclientid'])
                      configdata = configdata.replace('REPLACE-WITH-COGDOMAIN', properties['cognitodomain'])
                      configdata = configdata.replace('REPLACE-WITH-APIURL', properties['apiurl'])
                      configdata = configdata.replace('REPLACE-WITH-IDTAGNAME', properties['idtagname'])
                      configdata = configdata.replace('REPLACE-WITH-IDTAGVALUE', properties['idtagvalue'])
                      configdata = configdata.replace('REPLACE-WITH-STACKNAME', properties['stackname'])
                      configdata = configdata.replace('REPLACE-WITH-POOLS-ID', properties['coguserpool'])
                      f.close()
                      f = open('/tmp/configuration.js','wt')
                      f.write(configdata)
                      f.close()
                      s3.put_object(Bucket=bucket,Key=configfile,Body=open('/tmp/configuration.js','rb'),ContentType="application/javascript")
                      cfnresponse.send(event, context, cfnresponse.SUCCESS, {'Response': 'Updated config file.'})
                  except Exception as e:
                      print(e)
                      cfnresponse.send(event, context, cfnresponse.FAILED, {'Response': 'Failed to copy files'})
              cfnresponse.send(event, context, cfnresponse.SUCCESS, {'Response': 'Update or Delete action not Supported.'})
      Description: Custom resource lambda to update config files on stack build complete
      Role: !GetAtt mcCustomResourceLambdaIamRole.Arn
      Handler: index.lambda_handler
      Runtime: python3.8
      Timeout: 10

  mcgetSrcIpsLambda:
    Type: AWS::Lambda::Function
    Properties:
      Code:
        ZipFile: |
          import json
          from urllib.request import urlopen
          import cfnresponse
          def lambda_handler(event, context):
              if event['RequestType'] == 'Create':
                  try:
                      ip_ranges = urlopen('https://ip-ranges.amazonaws.com/ip-ranges.json')
                      ip_ranges = json.loads(ip_ranges.read())['prefixes']
                      ec2instanceconnect_ips = [item['ip_prefix'] for item in ip_ranges if item["service"] == "EC2_INSTANCE_CONNECT" and item["region"] == event['ResourceProperties']['region']]
                      ec2instanceconnect_ips = ec2instanceconnect_ips[0]
                      responseData = {'srcip': ec2instanceconnect_ips}
                      cfnresponse.send(event, context, cfnresponse.SUCCESS, responseData)
                  except Exception as e:
                      print(e)
                      cfnresponse.send(event, context, cfnresponse.FAILED, {'Response': 'Failed to get source IP for EC2 instance connect though I am perplexed as to why','srcip':'0.0.0.0/0'})
              else:
                cfnresponse.send(event, context, cfnresponse.SUCCESS, {'Response': 'Update or Delete action not Supported.'})         
      Description: Custom resource lambda to obtain source IP address range for EC2 Instance Connect in current region
      Role: !GetAtt mcCustomResourceLambdaIamRole.Arn
      Handler: index.lambda_handler
      Runtime: python3.8
      Timeout: 10

  mcStartStopLambda:
    Type: 'AWS::Lambda::Function'
    DependsOn: mcCopyLambdaFiles
    Properties:
      Code:
        S3Bucket: !Ref mcLambdaSourceFilesS3
        S3Key: gaming_server_start_stop-v1_0.zip
      Description: Lambda function to control gaming server instances
      Environment:
        Variables:
          micro: t3a.micro
          small: t3a.small
          medium: t3a.medium
          large: t3a.large
          stepfunctionarn: !Sub 'arn:aws:states:${AWS::Region}:${AWS::AccountId}:stateMachine:${AWS::StackName}-mcStateMachine'
      Handler: lambda_function.lambda_handler
      MemorySize: 128
      PackageType: Zip
      Role: !GetAtt mcStartStopLambdaIamRole.Arn
      Runtime: python3.8
      Timeout: 10

  mcUpdateDnsLambda:
    Type: 'AWS::Lambda::Function'
    DependsOn: mcCopyLambdaFiles
    Properties:
      Code:
        S3Bucket: !Ref mcLambdaSourceFilesS3
        S3Key: mcUpdateDNS-v1_0.zip
      Description: Lambda to update DNS
      Handler: lambda_function.lambda_handler
      MemorySize: 128
      PackageType: Zip
      Role: !GetAtt mcUpdateDnsLambdaIamRole.Arn
      Runtime: python3.8
      Timeout: 10

  mcLambdaSourceFilesS3:
    Type: AWS::S3::Bucket
    Properties: 
      AccessControl: Private
      PublicAccessBlockConfiguration: 
          BlockPublicAcls: True
          BlockPublicPolicy: True
          IgnorePublicAcls: True
          RestrictPublicBuckets: True
      LoggingConfiguration: 
        DestinationBucketName: !Ref mcLoggingBucket
        LogFilePrefix: mcS3BucketLogs/

  mcS3Bucket:
    Type: AWS::S3::Bucket
    Properties: 
      AccessControl: Private
      PublicAccessBlockConfiguration: 
          BlockPublicAcls: True
          BlockPublicPolicy: True
          IgnorePublicAcls: True
          RestrictPublicBuckets: True
      LoggingConfiguration: 
        DestinationBucketName: !Ref mcLoggingBucket
        LogFilePrefix: mcS3BucketLogs/

  mcS3BucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties: 
      Bucket: !Ref mcS3Bucket
      PolicyDocument:
        Statement:
          - Action:
              - 's3:GetObject'
            Effect: Allow
            Resource: !Sub
              - 'arn:aws:s3:::${mcS3Bucket}/*'
              - mcS3Bucket: !Ref mcS3Bucket
            Principal: 
              AWS: !Sub
                - 'arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity ${OriginAccessiId}'
                - OriginAccessiId: !Ref mcOriginAccessId

  mcLoggingBucket:
    Type: AWS::S3::Bucket
    Properties: 
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: 'aws:kms'
              KMSMasterKeyID: KMS-KEY-ARN
      AccessControl: LogDeliveryWrite
      OwnershipControls:
        Rules:
          - ObjectOwnership: BucketOwnerPreferred

  mcOriginAccessId:
    Type: AWS::CloudFront::CloudFrontOriginAccessIdentity
    Properties: 
      CloudFrontOriginAccessIdentityConfig: 
        Comment: Origin Access ID for front end control site

  mcCloudFront:
    Type: AWS::CloudFront::Distribution
    DependsOn: mcCopyFrontEndFiles
    Properties: 
      DistributionConfig: 
        Comment: Gaming server control centre
        DefaultCacheBehavior: 
          AllowedMethods: 
            - GET
            - HEAD
            - OPTIONS
          CachePolicyId: 658327ea-f89d-4fab-a63d-7e88639e58f6
          TargetOriginId: mcCloudFrontS3OriginID
          ViewerProtocolPolicy: redirect-to-https
        DefaultRootObject: index.html
        Enabled: True
        HttpVersion: http2
        IPV6Enabled: true
        Logging: 
          Bucket: !GetAtt mcLoggingBucket.DomainName
          IncludeCookies: True
          Prefix: mcCloudFrontLogs/
        Origins: 
            - DomainName: !Sub ${mcS3Bucket}.s3.${AWS::Region}.amazonaws.com 
              Id: mcCloudFrontS3OriginID
              S3OriginConfig: 
                OriginAccessIdentity: !Sub origin-access-identity/cloudfront/${mcOriginAccessId}
        PriceClass: PriceClass_100
        ViewerCertificate: 
            CloudFrontDefaultCertificate: True


  mcStartStopLambdaPermissionGetInfo:
    Type: AWS::Lambda::Permission
    Properties: 
      Action: lambda:InvokeFunction 
      FunctionName: !GetAtt mcStartStopLambda.Arn
      Principal: apigateway.amazonaws.com
      SourceArn: !Sub arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${mcControlApi}/*/GET/getinfo


  mcStartStopLambdaPermissionStart:
    Type: AWS::Lambda::Permission
    Properties: 
      Action: lambda:InvokeFunction 
      FunctionName: !GetAtt mcStartStopLambda.Arn
      Principal: apigateway.amazonaws.com
      SourceArn: !Sub arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${mcControlApi}/*/GET/start

  mcStartStopLambdaPermissionStop:
    Type: AWS::Lambda::Permission
    Properties: 
      Action: lambda:InvokeFunction 
      FunctionName: !GetAtt mcStartStopLambda.Arn
      Principal: apigateway.amazonaws.com
      SourceArn: !Sub arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${mcControlApi}/*/GET/stop


  mcStartStopLambdaPermissionResize:
    Type: AWS::Lambda::Permission
    Properties: 
      Action: lambda:InvokeFunction 
      FunctionName: !GetAtt mcStartStopLambda.Arn
      Principal: apigateway.amazonaws.com
      SourceArn: !Sub arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${mcControlApi}/*/GET/resize

  mcSecurityGroup:
    Type: 'AWS::EC2::SecurityGroup'
    Properties:
      Tags:
        - Key: Name
          Value: CF Gaming server Security Group
      GroupDescription: Enable HTTP access via port 80 locked down to the load balancer
      VpcId: !Ref mcVPC
      
  mcSecurityGroupIngressTCP:
    Type: AWS::EC2::SecurityGroupIngress
    Condition: hasTCP
    Properties:
      Description: Rule to allow gaming clients connect to your game server over TCP IPv4
      GroupId: !Ref mcSecurityGroup
      IpProtocol: TCP
      FromPort: !Ref GamingTCPTrafficPortStart
      ToPort: !Ref GamingTCPTrafficPortEnd
      CidrIp: 0.0.0.0/0
      
  mcSecurityGroupIngressUDP:
    Type: AWS::EC2::SecurityGroupIngress
    Condition: hasUDP
    Properties:
      Description: Rule to allow gaming clients connect to your game server over UDP IPv4
      GroupId: !Ref mcSecurityGroup
      IpProtocol: UDP
      FromPort: !Ref GamingUDPTrafficPortStart
      ToPort: !Ref GamingUDPTrafficPortEnd
      CidrIp: 0.0.0.0/0

  mcSecurityGroupIngressEC2Connect:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      Description: Rule to allow EC2 Instance Connect to SSH into instance
      GroupId: !Ref mcSecurityGroup
      IpProtocol: tcp
      FromPort: 22
      ToPort: 22
      CidrIp: !GetAtt mcGetInstanceConnectIps.srcip
      
  mcInternetGateway:
    Type: 'AWS::EC2::InternetGateway'
    Properties:
      Tags:
        - Key: Name
          Value: CF Gamine Server IG
  
  mcRouteTable:
    Type: 'AWS::EC2::RouteTable'
    Properties:
      Tags:
        - Key: Name
          Value: CF Gaming Server Route Table
      VpcId: !Ref mcVPC
  
  mcRoute:
    Type: 'AWS::EC2::Route'
    Properties:
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: !Ref mcInternetGateway
      RouteTableId: !Ref mcRouteTable
  
  mcSubnet:
    Type: 'AWS::EC2::Subnet'
    Properties:
      Tags:
        - Key: Name
          Value: CF Gaming Server Subnet
      CidrBlock: 10.0.0.0/24
      MapPublicIpOnLaunch: 'true'
      VpcId: !Ref mcVPC
  
  mcVPC:
    Type: 'AWS::EC2::VPC'
    Properties:
      Tags:
        - Key: Name
          Value: Palworld Gaming Server VPC
      CidrBlock: 10.0.0.0/16
      EnableDnsHostnames: 'true'
      EnableDnsSupport: 'true'
  
  mcIgAttachment:
    Type: 'AWS::EC2::VPCGatewayAttachment'
    Properties:
      VpcId: !Ref mcVPC
      InternetGatewayId: !Ref mcInternetGateway
  
  mcRouteTblAttach:
    Type: 'AWS::EC2::SubnetRouteTableAssociation'
    Properties:
      RouteTableId: !Ref mcRouteTable
      SubnetId: !Ref mcSubnet

  mcBedTime:
    Type: AWS::Events::Rule
    Properties: 
      Description: Rule to shutdown server at certain time every day
      ScheduleExpression: !Join
        - ''
        - - 'cron('
          - !If
            - ShutdownTimeHoursIsNull
            - '0'
            - !Ref ShutdownTimeMins
          - ' '
          - !If
            - ShutdownTimeHoursIsNull
            - '0'
            - !Ref ShutdownTimeHours
          - ' * * ? *)'
      State: !If
        - ShutdownTimeHoursIsNull
        - DISABLED
        - ENABLED
      Targets: 
        -   Arn: !GetAtt mcStartStopLambda.Arn
            Id: mcStartStopLambdaFunction
            Input: !Sub
              - '{ "command": "stop", "mcTagName": "${idtagname}", "mcTagValue": "${idtagvalue}" }'
              - idtagname: !Ref IdTagName
                idtagvalue: !Ref IdTagValue

  mcBedTimeLambdaPermission: 
    Type: AWS::Lambda::Permission
    Properties: 
      FunctionName: !Ref mcStartStopLambda
      Action: lambda:InvokeFunction
      Principal: events.amazonaws.com
      SourceArn: !GetAtt mcBedTime.Arn

  mcCopyFrontEndFiles:
    Type: Custom::WebFileCopy 
    Properties:
      ServiceToken: !GetAtt mcCopyToS3Lambda.Arn
      targetS3Bucket: !Ref mcS3Bucket
      sourceUrls:
        - url: https://raw.githubusercontent.com/Wondro/personal-game-server-manager/main/FrontEnd/styles.css
          content-type: text/css
        - url: https://raw.githubusercontent.com/Wondro/personal-game-server-manager/main/FrontEnd/index.html
          content-type: text/html
        - url: https://raw.githubusercontent.com/Wondro/personal-game-server-manager/main/FrontEnd/signed_in.html
          content-type: text/html
        - url: https://raw.githubusercontent.com/Wondro/personal-game-server-manager/main/FrontEnd/logout.html
          content-type: text/html
        - url: https://raw.githubusercontent.com/Wondro/personal-game-server-manager/main/FrontEnd/js/config.js
          content-type: application/javascript
          folder: js
        - url: https://raw.githubusercontent.com/Wondro/personal-game-server-manager/main/FrontEnd/js/index.js
          content-type: application/javascript
          folder: js

  mcCopyLambdaFiles:
    Type: Custom::WebFileCopy
    Properties:
      ServiceToken: !GetAtt mcCopyToS3Lambda.Arn
      targetS3Bucket: !Ref mcLambdaSourceFilesS3
      sourceUrls:
        - url: https://raw.githubusercontent.com/Wondro/personal-game-server-manager/main/Lambda/mcUpdateDNS-v1_0.py
          content-type: application/zip
          zip: True
          filename: lambda_function.py
        - url: https://raw.githubusercontent.com/Wondro/personal-game-server-manager/main/Lambda/gaming_server_start_stop-v1_0.py    
          content-type: application/zip
          zip: True
          filename: lambda_function.py

  mcUpdateConfig:
    Type: Custom::UpdateFileInS3
    Properties:
      ServiceToken: !GetAtt mcUpdateConfigLambda.Arn
      configfile: js/config.js
      S3Bucket: !Ref mcS3Bucket
      cloudfrontURL: !Sub https://${mcCloudFront.DomainName}
      cognitoclientid: !Ref mcCognitoAppClient
      cognitodomain: !Sub ${mcUserPoolDomain}.auth.${AWS::Region}.amazoncognito.com
      apiurl: !Sub https://${mcControlApi}.execute-api.${AWS::Region}.amazonaws.com/prod/
      idtagname: !Ref IdTagName
      idtagvalue: !Ref IdTagValue
      stackname: !Ref AWS::StackName
      coguserpool: !Ref mcCognitoUserPool

  mcGetInstanceConnectIps: 
    Type: Custom::GetSourceIps
    Properties:
      ServiceToken: !GetAtt mcgetSrcIpsLambda.Arn
      region: !Ref AWS::Region

Outputs:
  mcControlApiUrl:
    Description: This is the URL for the API to control your gaming server instances
    Value: !Sub https://${mcControlApi}.execute-api.${AWS::Region}.amazonaws.com/prod/
  
  mcPublicIp:
    Description: This is the public IP for your gaming server, you will need to run a "start" command to associate your domain name with it (if you selected one)
    Value: !GetAtt mcEC2Instance.PublicIp

  mcCognitoUserPoolId:
    Description: Unique user pool ID for the people you want to be able to control your server
    Value: !Ref mcCognitoUserPool
  
  mcCloudfrontUrl:
    Description: The default domain of your control website.  Note you can update this to be a CNAME of your custom domain. 
    Value: !Sub https://${mcCloudFront.DomainName}

  mcS3Bucket:
    Description: The name of the created S3 bucket
    Value: !GetAtt mcS3Bucket.Arn
  
  mcTagName:
    Description: Tag name used.  This should not have been changed, and should be mcServerFinder
    Value: !Ref IdTagName

  mcTagValue:
    Description: Tag value selected to identify servers to be controlled by web app
    Value: !Ref IdTagValue

  mcCognitoDomainName:
    Description: The domain name for the Cognito hosted UI
    Value: !Sub ${mcUserPoolDomain}.auth.${AWS::Region}.amazoncognito.com

  mcCognitoClientID:
    Description: The clientID for the Cognito user pool
    Value: !Ref mcCognitoAppClient