Parameters:
  KeyName:
    Description: Name of an existing EC2 KeyPair to enable SSH access to the instances. Linked to AWS Parameter
    Type: AWS::EC2::KeyPair::KeyName
    ConstraintDescription: must be the name of an existing EC2 KeyPair.

Resources:
  VPC1:
    Type: AWS::EC2::VPC
    Properties:
     CidrBlock: 10.40.0.0/16
     EnableDnsSupport: true
     EnableDnsHostnames: true
     Tags:
      - Key: Name
        Value: NATInstance-VPC1
  InternetGateway1:
    Type: AWS::EC2::InternetGateway
    Properties:
      Tags:
        - Key: Name
          Value: NATInstance-IGW1
  InternetGatewayAttachment1:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      InternetGatewayId: !Ref InternetGateway1
      VpcId: !Ref VPC1

  RouteTable1:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VPC1
      Tags:
        - Key: Name
          Value: NATInstance-PublicRouteTable1
  DefaultRoute1:
    Type: AWS::EC2::Route
    DependsOn: InternetGatewayAttachment1
    Properties:
      RouteTableId: !Ref RouteTable1
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: !Ref InternetGateway1
  Subnet1:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPC1
      AvailabilityZone: !Select [ 0, !GetAZs '' ]
      CidrBlock: 10.40.1.0/24
      Tags:
        - Key: Name
          Value: NATInstance-VPC1-Subnet1
  Subnet1RouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId: !Ref RouteTable1
      SubnetId: !Ref Subnet1

  RouteTable2:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VPC1
      Tags:
        - Key: Name
          Value: NATInstance-PrivateRouteTable1
  Subnet2:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPC1
      AvailabilityZone: !Select [ 0, !GetAZs '' ]
      CidrBlock: 10.40.2.0/24
      Tags:
        - Key: Name
          Value: NATInstance-VPC1-Subnet2
  Subnet2RouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId: !Ref RouteTable2
      SubnetId: !Ref Subnet2

  Instance1ENIEth0:
    Type: AWS::EC2::NetworkInterface
    Properties:
        SubnetId: !Ref Subnet1
        Description: Instance1 eth0
        GroupSet:
        - !Ref SG1
        PrivateIpAddress: 10.40.1.100
        Tags:
            - Key: Name
              Value: NAT-Instance eth0
  VPCEIP1:
      Type: AWS::EC2::EIP
      Properties:
          Domain: vpc
  VPCAssociateEIP1:
      Type: AWS::EC2::EIPAssociation
      Properties:
          AllocationId: !GetAtt VPCEIP1.AllocationId
          NetworkInterfaceId: !Ref Instance1ENIEth0

  Instance1:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: ami-0ded5b0f6eeead568
      InstanceType: t2.micro
      KeyName: !Ref KeyName
      Tags:
        - Key: Name
          Value: NAT-Instance
      NetworkInterfaces:
        - NetworkInterfaceId: !Ref Instance1ENIEth0
          DeviceIndex: 0
      UserData:
        Fn::Base64: |
          #!/bin/bash
          hostname NAT-Instance
          yum -y install tcpdump iptraf

  Instance2:
    Type: AWS::EC2::Instance
    DependsOn: Instance1
    Properties:
      ImageId: ami-03b42693dc6a7dc35
      InstanceType: t2.micro
      KeyName: !Ref KeyName
      Tags:
        - Key: Name
          Value: Private-EC2-1
      NetworkInterfaces:
        - DeviceIndex: 0
          SubnetId: !Ref Subnet2
          GroupSet:
          - !Ref SG2
          PrivateIpAddress: 10.40.2.101
      UserData:
        Fn::Base64: |
          #!/bin/bash
          (
          echo "qwe123"
          echo "qwe123"
          ) | passwd --stdin root
          sed -i "s/^PasswordAuthentication no/PasswordAuthentication yes/g" /etc/ssh/sshd_config
          sed -i "s/^#PermitRootLogin yes/PermitRootLogin yes/g" /etc/ssh/sshd_config
          service sshd restart
          hostnamectl --static set-hostname Private-EC2-1

  Instance3:
    Type: AWS::EC2::Instance
    DependsOn: Instance1
    Properties:
      ImageId: ami-03b42693dc6a7dc35
      InstanceType: t2.micro
      KeyName: !Ref KeyName
      Tags:
        - Key: Name
          Value: Private-EC2-2
      NetworkInterfaces:
        - DeviceIndex: 0
          SubnetId: !Ref Subnet2
          GroupSet:
          - !Ref SG2
          PrivateIpAddress: 10.40.2.102
      UserData:
        Fn::Base64: |
          #!/bin/bash
          (
          echo "qwe123"
          echo "qwe123"
          ) | passwd --stdin root
          sed -i "s/^PasswordAuthentication no/PasswordAuthentication yes/g" /etc/ssh/sshd_config
          sed -i "s/^#PermitRootLogin yes/PermitRootLogin yes/g" /etc/ssh/sshd_config
          service sshd restart
          hostnamectl --static set-hostname Private-EC2-2

  SG1:
    Type: AWS::EC2::SecurityGroup
    Properties:
      VpcId: !Ref VPC1
      GroupDescription: VPC1-NATInstance-SecurityGroup
      Tags:
      - Key : Name
        Value : VPC1-NATInstance-SecurityGroup
      SecurityGroupIngress:
      - IpProtocol: tcp
        FromPort: '22'
        ToPort: '22'
        CidrIp: 0.0.0.0/0
      - IpProtocol: tcp
        FromPort: '80'
        ToPort: '80'
        CidrIp: 10.40.0.0/16
      - IpProtocol: tcp
        FromPort: '443'
        ToPort: '443'
        CidrIp: 10.40.0.0/16
      - IpProtocol: udp
        FromPort: '0'
        ToPort: '65535'
        CidrIp: 10.40.0.0/16
      - IpProtocol: icmp
        FromPort: -1
        ToPort: -1
        CidrIp: 0.0.0.0/0

  SG2:
    Type: AWS::EC2::SecurityGroup
    Properties:
      VpcId: !Ref VPC1
      GroupDescription: VPC1-PrivateEC2-SecurityGroup
      Tags:
      - Key : Name
        Value : VPC1-PrivateEC2-SecurityGroup
      SecurityGroupIngress:
      - IpProtocol: tcp
        FromPort: '22'
        ToPort: '22'
        CidrIp: 10.40.0.0/0
      - IpProtocol: icmp
        FromPort: -1
        ToPort: -1
        CidrIp: 0.0.0.0/0