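# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
# SPDX-License-Identifier: Apache-2.0
#
# ASR (Automated Security Response) control runbook for AFSBP RDS.8.
# It is started by the ASR orchestrator with a Security Hub finding as
# input, parses the affected DB instance out of the finding, then hands the
# actual change to the ASR-EnableRDSInstanceDeletionProtection remediation
# document in the finding's account/region and finally marks the finding
# RESOLVED in Security Hub.
---
schemaVersion: '0.3'
description: |
  ### Document Name - ASR-AFSBP_1.0.RDS.8
  ## What does this document do?
  This document enables `Deletion Protection` on a given Amazon RDS DB instance by calling another SSM document (ASR-EnableRDSInstanceDeletionProtection).
  ## Input Parameters
  * Finding: (Required) Security Hub finding details JSON
  * AutomationAssumeRole: (Required) The ARN of the role that allows Automation to perform the actions on your behalf.
  * RemediationRoleName: (Optional) The name of the role that allows Automation to remediate the finding on your behalf. Defaults to SO0111-EnableRDSInstanceDeletionProtection.
  ## Documentation Links
  * [AFSBP RDS.8](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html#fsbp-rds-8)
# The whole execution runs under the caller-supplied role; nothing in this
# document escalates beyond what that role (and RemediationRoleName in the
# target account) is allowed to do.
assumeRole: '{{AutomationAssumeRole}}'
outputs:
  - 'Remediation.Output'
  - 'ParseInput.AffectedObject'
parameters:
  Finding:
    type: 'StringMap'
    description: 'The input from the Orchestrator Step function for the RDS.8 finding'
  AutomationAssumeRole:
    type: 'String'
    description: '(Required) The ARN of the role that allows Automation to perform the actions on your behalf.'
    # Only an IAM role ARN in a known partition with a 12-digit account id is
    # accepted; this keeps a caller from pointing assumeRole at an arbitrary
    # principal string.
    allowedPattern: '^arn:(?:aws|aws-us-gov|aws-cn):iam::\d{12}:role/[\w+=,.@-]+$'
  RemediationRoleName:
    type: 'String'
    default: 'SO0111-EnableRDSInstanceDeletionProtection'
    # Role *name* only (no ARN, no path separators) - it is spliced into an
    # ARN below, so the pattern must not admit characters that could alter
    # that ARN.
    allowedPattern: '^[\w+=,.@-]+$'
mainSteps:
  # Step 1: extract the target DB instance, account and region from the
  # finding. The script body is the shared common/parse_input.py, presumably
  # substituted for the %%SCRIPT=...%% token at build time - confirm in the
  # build tooling.
  - name: 'ParseInput'
    action: 'aws:executeScript'
    inputs:
      InputPayload:
        Finding: '{{Finding}}'
        # Empty pattern: the resource id is taken from the finding's resource
        # details (AwsRdsDbInstance.DbiResourceId below), not parsed from the
        # resource ARN.
        parse_id_pattern: ''
        # Pins the document to RDS.8; the parser is expected to reject a
        # finding for any other control id - confirm in common/parse_input.py.
        expected_control_id:
          - 'RDS.8'
      # NOTE(review): python3.8 is end-of-life upstream; consider moving to a
      # newer runtime supported by aws:executeScript when parse_input.py is
      # next revised.
      Runtime: 'python3.8'
      Handler: 'parse_event'
      Script: |-
        %%SCRIPT=common/parse_input.py%%
    outputs:
      - Name: 'DbInstanceResourceId'
        Selector: '$.Payload.details.AwsRdsDbInstance.DbiResourceId'
        Type: 'String'
      - Name: 'AffectedObject'
        Selector: '$.Payload.object'
        Type: 'StringMap'
      - Name: 'FindingId'
        Selector: '$.Payload.finding.Id'
        Type: 'String'
      - Name: 'ProductArn'
        Selector: '$.Payload.finding.ProductArn'
        Type: 'String'
      - Name: 'RemediationRegion'
        Selector: '$.Payload.resource_region'
        Type: 'String'
      - Name: 'RemediationAccount'
        Selector: '$.Payload.account_id'
        Type: 'String'
  # Step 2: run the remediation document in the account/region the finding
  # points at. Both values come straight from the parsed finding, so the
  # trust boundary is the orchestrator that supplied the Finding input.
  - name: 'Remediation'
    action: 'aws:executeAutomation'
    inputs:
      DocumentName: 'ASR-EnableRDSInstanceDeletionProtection'
      TargetLocations:
        - Accounts:
            - '{{ParseInput.RemediationAccount}}'
          Regions:
            - '{{ParseInput.RemediationRegion}}'
          # Role assumed in the target account to run the child document.
          ExecutionRoleName: '{{RemediationRoleName}}'
      RuntimeParameters:
        DbInstanceResourceId: '{{ParseInput.DbInstanceResourceId}}'
        # Passed through to the child document; presumably maps to
        # ModifyDBInstance's ApplyImmediately - confirm there.
        ApplyImmediately: true
        # NOTE(review): global:ACCOUNT_ID is the account executing *this*
        # document, not necessarily ParseInput.RemediationAccount. This only
        # yields a valid role ARN when the two are the same account - confirm
        # that the orchestrator always starts this runbook in the member
        # account that owns the finding.
        AutomationAssumeRole: 'arn:{{global:AWS_PARTITION}}:iam::{{global:ACCOUNT_ID}}:role/{{RemediationRoleName}}'
  # Step 3: close the finding. Reached only after Remediation completes
  # (SSM aborts the execution on step failure unless onFailure is set).
  - name: 'UpdateFinding'
    action: 'aws:executeAwsApi'
    inputs:
      Service: 'securityhub'
      Api: 'BatchUpdateFindings'
      FindingIdentifiers:
        - Id: '{{ParseInput.FindingId}}'
          ProductArn: '{{ParseInput.ProductArn}}'
      Note:
        Text: 'Enabled deletion protection on RDS instance'
        # NOTE(review): this tag ('1.0.0') does not match the document name
        # ('1.0' in ASR-AFSBP_1.0.RDS.8); confirm which form the rest of the
        # AFSBP runbooks use before changing it.
        UpdatedBy: 'ASR-AFSBP_1.0.0_RDS.8'
      Workflow:
        Status: 'RESOLVED'
    description: 'Update finding'
    isEnd: true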