# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
# SPDX-License-Identifier: Apache-2.0
---
description: |
  ### Document Name - ASRRemediation-AFSBP_RDS.6

  ## What does this document do?
  This document enables `Enhanced Monitoring` on a given Amazon RDS instance by calling another SSM document.

  ## Input Parameters
  * Finding: (Required) Security Hub finding details JSON
  * AutomationAssumeRole: (Required) The ARN of the role that allows Automation to perform the actions on your behalf.

  ## Output Parameters
  * VerifyRemediation.Output - The standard HTTP response from the ModifyDBInstance API.
schemaVersion: "0.3"
assumeRole: "{{ AutomationAssumeRole }}"
parameters:
  AutomationAssumeRole:
    type: String
    description: (Required) The ARN of the role that allows Automation to perform the actions on your behalf.
    allowedPattern: '^arn:(?:aws|aws-us-gov|aws-cn):iam::\d{12}:role/[\w+=,.@-]+$'
  Finding:
    type: StringMap
    description: The input from Step function for RDS7 finding

outputs:
  - VerifyRemediation.Output
  - ParseInput.AffectedObject
mainSteps:
  -
    name: ParseInput
    action: 'aws:executeScript'
    outputs:
      - Name: ResourceId
        Selector: $.Payload.resource_id
        Type: String
      - Name: FindingId
        Selector: $.Payload.finding_id
        Type: String
      - Name: ProductArn
        Selector: $.Payload.product_arn
        Type: String
      - Name: AffectedObject
        Selector: $.Payload.object
        Type: StringMap
    inputs:
      InputPayload:
        Finding: '{{Finding}}'

      Runtime: python3.8
      Handler: parse_event
      Script: |-
        %%SCRIPT=common/parse_input.py%%
    isEnd: false
  -
    name: GetMonitoringRoleArn
    action: aws:executeAwsApi
    description: |
      ## GetRole API to get EnhancedMonitoring IAM role ARN
    timeoutSeconds: 600
    isEnd: false
    inputs:
      Service: iam
      Api: GetRole
      RoleName: 'SO0111-ASR-RDSEnhancedMonitoring'
    outputs:
    - Name: Arn
      Selector: $.Role.Arn
      Type: String

  -
    name: ExecRemediation
    action: 'aws:executeAutomation'
    isEnd: false
    inputs:
      DocumentName: AWSConfigRemediation-EnableEnhancedMonitoringOnRDSInstance
      RuntimeParameters:
        ResourceId: '{{ ParseInput.ResourceId }}'
        MonitoringRoleArn: '{{GetMonitoringRoleArn.Arn}}'
        AutomationAssumeRole: '{{ AutomationAssumeRole }}'

  -
    name: VerifyRemediation
    action: 'aws:executeScript'
    outputs:
      - Name: Output
        Selector: $.Payload.response
        Type: StringMap
    inputs:
      InputPayload:
        remediation_output: '{{ExecRemediation.Output}}'
      Runtime: python3.8
      Handler: verify_remediation
      Script: |-
        import json

        def verify_remediation(event, context):
          remediation_output = json.loads(event['remediation_output'][0])

          if remediation_output.get('DBInstance').get('MonitoringInterval', 0) > 0:
            return {
              "response": {
                "message": "Enhanced Monitoring enabled on database " + remediation_output['DBInstance']['DBInstanceIdentifier'],
                "status": "Success"
              }
            }

  -
    name: UpdateFinding
    action: 'aws:executeAwsApi'
    inputs:
      Service: securityhub
      Api: BatchUpdateFindings
      FindingIdentifiers:
      - Id: '{{ParseInput.FindingId}}'
        ProductArn: '{{ParseInput.ProductArn}}'
      Note:
        Text: 'Deletion protection enabled on RDS DB cluster'
        UpdatedBy: 'ASRRemediation-AFSBP_RDS.7'
      Workflow:
        Status: 'RESOLVED'
    description: Update finding
    isEnd: true