# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
# SPDX-License-Identifier: Apache-2.0
---
description: |
  ### Document Name - ASR-AFSBP_1.0.0_CloudFormation.1

  ## What does this document do?
  This document configures an SNS topic for notifications from a CloudFormation stack by calling another document.

  ## Input Parameters
  * Finding: (Required) Security Hub finding details JSON
  * AutomationAssumeRole: (Required) The ARN of the role that allows Automation to perform the actions on your behalf.

  ## Output Parameters
  * Remediation.Output

  ## Documentation Links
  * [AFSBP v1.0.0 CloudFormation.1](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html#fsbp-cloudformation-1)
schemaVersion: '0.3'
assumeRole: '{{ AutomationAssumeRole }}'
parameters:
  AutomationAssumeRole:
    type: 'String'
    description: '(Required) The ARN of the role that allows Automation to perform the actions on your behalf.'
    allowedPattern: '^arn:(?:aws|aws-us-gov|aws-cn):iam::\d{12}:role/[\w+=,.@-]+$'
  Finding:
    type: 'StringMap'
    description: 'The input from the Orchestrator Step function for the CloudFormation.1 finding'
outputs:
- 'ParseInput.AffectedObject'
- 'Remediation.Output'
mainSteps:
- name: 'ParseInput'
  action: 'aws:executeScript'
  outputs:
    - Name: 'FindingId'
      Selector: '$.Payload.finding.Id'
      Type: 'String'
    - Name: 'ProductArn'
      Selector: '$.Payload.finding.ProductArn'
      Type: 'String'
    - Name: 'AffectedObject'
      Selector: '$.Payload.object'
      Type: 'StringMap'
    - Name: 'StackArn'
      Selector: '$.Payload.resource_id'
      Type: 'String'
    - Name: 'RemediationRegion'
      Selector: '$.Payload.resource_region'
      Type: 'String'
    - Name: 'RemediationAccount'
      Selector: '$.Payload.account_id'
      Type: 'String'
  inputs:
    InputPayload:
      Finding: '{{Finding}}'
      parse_id_pattern: '^(arn:(?:aws|aws-us-gov|aws-cn):cloudformation:(?:[a-z]{2}(?:-gov)?-[a-z]+-\d):\d{12}:stack/[a-zA-Z][a-zA-Z0-9-]{0,127}/[a-fA-F0-9]{8}-(?:[a-fA-F0-9]{4}-){3}[a-fA-F0-9]{12})$'
      expected_control_id:
      - 'CloudFormation.1'
    Runtime: 'python3.8'
    Handler: 'parse_event'
    Script: |-
      %%SCRIPT=common/parse_input.py%%
- name: 'Remediation'
  action: 'aws:executeAutomation'
  isEnd: false
  inputs:
    DocumentName: 'ASR-ConfigureSNSTopicForStack'
    TargetLocations:
    - Accounts: ['{{ ParseInput.RemediationAccount }}']
      Regions: ['{{ ParseInput.RemediationRegion }}']
      ExecutionRoleName: 'SO0111-ConfigureSNSTopicForStack'
    RuntimeParameters:
      AutomationAssumeRole: 'arn:{{ global:AWS_PARTITION }}:iam::{{ global:ACCOUNT_ID }}:role/SO0111-ConfigureSNSTopicForStack'
      StackArn: '{{ ParseInput.StackArn }}'
- name: 'UpdateFinding'
  action: 'aws:executeAwsApi'
  inputs:
    Service: 'securityhub'
    Api: 'BatchUpdateFindings'
    FindingIdentifiers:
    - Id: '{{ ParseInput.FindingId }}'
      ProductArn: '{{ ParseInput.ProductArn }}'
    Note:
      Text: 'Configured SNS topic for notifications'
      UpdatedBy: 'ASR-AFSBP_1.0.0_CloudFormation.1'
    Workflow:
      Status: 'RESOLVED'
  isEnd: true