# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
# SPDX-License-Identifier: Apache-2.0
---
# SSM Automation runbook for Security Hub control AFSBP RDS.7.
# Flow: ParseInput (extract cluster/account/region from the finding)
#   -> Remediation (run the child document in the target account/region)
#   -> UpdateFinding (mark the Security Hub finding RESOLVED).
description: |
  ### Document Name - ASR-AFSBP_1.0.0_RDS.7
  ## What does this document do?
  This document enables `Deletion Protection` on a given Amazon RDS cluster by calling another SSM document.
  ## Input Parameters
  * Finding: (Required) Security Hub finding details JSON
  * AutomationAssumeRole: (Required) The ARN of the role that allows Automation to perform the actions on your behalf.
  ## Output Parameters
  * Remediation.Output - The standard HTTP response from the ModifyDBCluster API.
  ## Documentation Links
  * [AFSBP RDS.7](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html#fsbp-rds-7)
schemaVersion: "0.3"
# Role the parent automation runs under; constrained below by allowedPattern.
assumeRole: "{{ AutomationAssumeRole }}"
parameters:
  AutomationAssumeRole:
    type: String
    description: (Required) The ARN of the role that allows Automation to perform the actions on your behalf.
    # Only IAM role ARNs in the aws / aws-us-gov / aws-cn partitions with a
    # 12-digit account id are accepted; anything else is rejected at start.
    allowedPattern: '^arn:(?:aws|aws-us-gov|aws-cn):iam::\d{12}:role/[\w+=,.@-]+$'
  Finding:
    type: StringMap
    # A StringMap cannot carry an allowedPattern; the content is checked by the
    # ParseInput script instead (see expected_control_id below).
    description: The input from the Orchestrator Step function for the RDS.7 finding
  RemediationRoleName:
    type: String
    default: "SO0111-EnableRDSClusterDeletionProtection"
    # Role *name* (not ARN) used for cross-account execution of the child
    # document; restricted to valid IAM role-name characters.
    allowedPattern: '^[\w+=,.@-]+$'
outputs:
  - Remediation.Output
  - ParseInput.AffectedObject
mainSteps:
  # Step 1: pull the fields the later steps need out of the finding payload.
  - name: ParseInput
    action: 'aws:executeScript'
    outputs:
      # The RDS cluster resource id is passed to the child document as ClusterId.
      - Name: ResourceId
        Selector: $.Payload.details.AwsRdsDbCluster.DbClusterResourceId
        Type: String
      - Name: FindingId
        Selector: $.Payload.finding_id
        Type: String
      - Name: ProductArn
        Selector: $.Payload.product_arn
        Type: String
      - Name: AffectedObject
        Selector: $.Payload.object
        Type: StringMap
      # Account and region that own the affected cluster; used as the
      # TargetLocation for the child automation.
      - Name: RemediationRegion
        Selector: $.Payload.resource_region
        Type: String
      - Name: RemediationAccount
        Selector: $.Payload.account_id
        Type: String
    inputs:
      InputPayload:
        Finding: '{{Finding}}'
        # No resource-id regex is supplied here; the cluster id is read from
        # the finding details selector above rather than parsed from an ARN.
        parse_id_pattern: ''
        # Presumably the shared script rejects findings whose control id is
        # not RDS.7 — confirm against common/parse_input.py.
        expected_control_id:
          - 'RDS.7'
      Runtime: python3.8
      Handler: parse_event
      # Placeholder replaced with the shared parser at build time.
      Script: |-
        %%SCRIPT=common/parse_input.py%%
  # Step 2: run the remediation document in the finding's own account/region.
  - name: Remediation
    action: 'aws:executeAutomation'
    inputs:
      DocumentName: ASR-EnableRDSClusterDeletionProtection
      TargetLocations:
        - Accounts: [ '{{ParseInput.RemediationAccount}}' ]
          Regions: [ '{{ParseInput.RemediationRegion}}' ]
          # Role assumed in the target account to start the child execution.
          ExecutionRoleName: '{{RemediationRoleName}}'
      RuntimeParameters:
        ClusterId: '{{ ParseInput.ResourceId }}'
        # NOTE(review): built from the global:* variables rather than from
        # ParseInput.RemediationAccount; confirm these resolve to the target
        # account when TargetLocations is cross-account, otherwise the ARN
        # handed to the child document would name the orchestrator account.
        AutomationAssumeRole: 'arn:{{global:AWS_PARTITION}}:iam::{{global:ACCOUNT_ID}}:role/{{RemediationRoleName}}'
  # Step 3: record the outcome on the finding. Reached only if the Remediation
  # step completed (no onFailure override is set, so a failure aborts first).
  - name: UpdateFinding
    action: 'aws:executeAwsApi'
    inputs:
      Service: securityhub
      Api: BatchUpdateFindings
      FindingIdentifiers:
        - Id: '{{ParseInput.FindingId}}'
          ProductArn: '{{ParseInput.ProductArn}}'
      Note:
        Text: 'Deletion protection enabled on RDS DB cluster'
        UpdatedBy: 'ASR-AFSBP_1.0.0_RDS.7'
      Workflow:
        Status: 'RESOLVED'
    description: Update finding
    isEnd: true