{
    "AWSTemplateFormatVersion": "2010-09-09",
    "Description": "CFN template for deploying an EC2 instance with an admin password stored in Secrets Manager",
    "Parameters": {
        "AMI": {
            "Type": "AWS::EC2::Image::Id",
            "Description": "The EC2 AMI to use"
        }
    },
    "Resources": {
        "LocalAdminPassword": {
            "Type": "AWS::SecretsManager::Secret",
            "Properties": {
                "GenerateSecretString": {
                    "SecretStringTemplate": "{ \"Username\": \"Administrator\" }",
                    "GenerateStringKey": "Password",
                    "PasswordLength": 30,
                    "ExcludeCharacters": "\"@'$`"
                }
            }
        },
        "InstanceRole": {
            "Type": "AWS::IAM::Role",
            "Properties": {
                "AssumeRolePolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": {
                        "Effect": "Allow",
                        "Action": "sts:AssumeRole",
                        "Principal": {
                            "Service": "ec2.amazonaws.com"
                        }
                    }
                },
                "Policies": [
                    {
                        "PolicyName": "SecretsManager",
                        "PolicyDocument": {
                            "Version": "2012-10-17",
                            "Statement": [
                                {
                                    "Action": [
                                        "secretsmanager:*SecretValue",
                                        "secretsmanager:UpdateSecretVersionStage",
                                        "secretsmanager:DescribeSecret"
                                    ],
                                    "Effect": "Allow",
                                    "Resource": {
                                        "Ref": "LocalAdminPassword"
                                    }
                                },
                                {
                                    "Action": "secretsmanager:GetRandomPassword",
                                    "Effect": "Allow",
                                    "Resource": "*"
                                }
                            ]
                        }
                    }
                ]
            }
        },
        "InstanceProfile": {
            "Type": "AWS::IAM::InstanceProfile",
            "Properties": {
                "Roles": [
                    {
                        "Ref": "InstanceRole"
                    }
                ]
            },
            "DependsOn": "InstanceRole"
        },
        "Instance": {
            "Type": "AWS::EC2::Instance",
            "Properties": {
                "ImageId": {
                    "Ref": "AMI"
                },
                "InstanceType": "t2.large",
                "IamInstanceProfile": {
                    "Ref": "InstanceProfile"
                },
                "UserData": {
                    "Fn::Base64": {
                        "Fn::Join": [
                            "\n",
                            [
                                "<powershell>",
                                "Import-Module AWSPowerShell",
                                {
                                    "Fn::Join": [
                                        "",
                                        [
                                            "$password = ((Get-SECSecretValue -SecretId '",
                                            {
                                                "Ref": "LocalAdminPassword"
                                            },
                                            "').SecretString | ConvertFrom-Json).Password"
                                        ]
                                    ]
                                },
                                "net.exe user Administrator $password",
                                "</powershell>"
                            ]
                        ]
                    }
                },
                "Tags": [
                    {
                        "Key": "LocalAdminSecretARN",
                        "Value": {
                            "Ref": "LocalAdminPassword"
                        }
                    }
                ]
            }
        }
    },
    "Outputs": {
        "InstanceId": {
            "Value": {
                "Ref": "Instance"
            }
        }
    }
}