# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
# SPDX-License-Identifier: Apache-2.0
#
# SSM Automation runbook for the Security Hub PCI.RDS.2 control.
# Flow: ParseInput (extract the DB instance id and finding ids from the
# finding JSON) -> Remediation (invoke ASR-DisablePublicAccessToRDSInstance
# in the finding's account/region) -> UpdateFinding (mark the finding RESOLVED).
---
description: |
  ### Document Name - ASR-PCI_3.2.1_RDS.2

  ## What does this document do?
  This document disables public access to RDS instances by calling another SSM document

  ## Input Parameters
  * Finding: (Required) Security Hub finding details JSON
  * AutomationAssumeRole: (Required) The ARN of the role that allows Automation to perform the actions on your behalf.

  ## Documentation Links
  * [PCI RDS.2](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-pci-controls.html#pcidss-rds-2)

  ## Troubleshooting
  * ModifyDBInstance isn't supported for a DB instance in a Multi-AZ DB Cluster.
    - This remediation will not work on an instance within a MySQL or PostgreSQL Multi-AZ Cluster due to limitations with the RDS API.
schemaVersion: '0.3'
# Role assumed for the whole execution; its value is constrained by the
# allowedPattern on the AutomationAssumeRole parameter below.
assumeRole: '{{AutomationAssumeRole}}'
# Document-level outputs surfaced to the caller (the orchestrator).
outputs:
  - 'Remediation.Output'
  - 'ParseInput.AffectedObject'
parameters:
  # Raw Security Hub finding, passed through unchanged to the ParseInput script.
  Finding:
    type: 'StringMap'
    description: 'The input from the Orchestrator Step function for the PCI.RDS.2 finding'
  AutomationAssumeRole:
    type: 'String'
    description: '(Required) The ARN of the role that allows Automation to perform the actions on your behalf.'
    # Partition-aware IAM role ARN: 12-digit account id, role name limited to
    # IAM role-name characters. Rejects anything that is not a role ARN.
    allowedPattern: '^arn:(?:aws|aws-us-gov|aws-cn):iam::\d{12}:role/[\w+=,.@-]+$'
  # Name of the role the child runbook runs under in the target account/region.
  RemediationRoleName:
    type: 'String'
    default: 'SO0111-DisablePublicAccessToRDSInstance'
    # Role-name characters only (no '/' or ':'), so the value cannot extend the
    # ARN that the Remediation step builds from it with extra path or ARN segments.
    allowedPattern: '^[\w+=,.@-]+$'
mainSteps:
  # Step 1: run the shared parse_input.py against the finding to pull out the
  # affected resource, its region/account and the finding identifiers.
  - name: 'ParseInput'
    action: 'aws:executeScript'
    inputs:
      InputPayload:
        Finding: '{{Finding}}'
        # Matches an RDS DB instance ARN and captures the instance identifier:
        # lowercase, starts with a letter, up to 63 chars, no '--' and no trailing '-'.
        parse_id_pattern: '^arn:(?:aws|aws-cn|aws-us-gov):rds:(?:[a-z]{2}(?:-gov)?-[a-z]+-\d):\d{12}:db:((?!.*--.*)(?!.*-$)[a-z][a-z0-9-]{0,62})$'
        # Control id(s) this runbook is willing to handle; presumably checked by
        # parse_input.py against the finding's control id -- confirm in the script.
        expected_control_id:
          - 'PCI.RDS.2'
      # NOTE(review): runtime is pinned here; confirm it is still a supported
      # aws:executeScript runtime when this document is next built.
      Runtime: 'python3.8'
      Handler: 'parse_event'
      # Placeholder presumably replaced with the shared script at build time -- confirm.
      Script: |-
        %%SCRIPT=common/parse_input.py%%
    # JSONPath selectors into the payload returned by parse_event.
    outputs:
      - Name: 'DbiResourceId'
        Selector: '$.Payload.resource.Details.AwsRdsDbInstance.DbiResourceId'
        Type: 'String'
      - Name: 'AffectedObject'
        Selector: '$.Payload.object'
        Type: 'StringMap'
      - Name: 'FindingId'
        Selector: '$.Payload.finding.Id'
        Type: 'String'
      - Name: 'ProductArn'
        Selector: '$.Payload.finding.ProductArn'
        Type: 'String'
      - Name: 'RemediationRegion'
        Selector: '$.Payload.resource_region'
        Type: 'String'
      - Name: 'RemediationAccount'
        Selector: '$.Payload.account_id'
        Type: 'String'
  # Step 2: invoke the remediation runbook in the account/region the finding
  # came from, using RemediationRoleName as the execution role there.
  - name: 'Remediation'
    action: 'aws:executeAutomation'
    inputs:
      DocumentName: 'ASR-DisablePublicAccessToRDSInstance'
      TargetLocations:
        - Accounts:
            - '{{ParseInput.RemediationAccount}}'
          Regions:
            - '{{ParseInput.RemediationRegion}}'
          ExecutionRoleName: '{{RemediationRoleName}}'
      RuntimeParameters:
        DbiResourceId: '{{ParseInput.DbiResourceId}}'
        # Role ARN handed to the child document; assembled from the current
        # partition/account globals and the validated role name.
        AutomationAssumeRole: 'arn:{{global:AWS_PARTITION}}:iam::{{global:ACCOUNT_ID}}:role/{{RemediationRoleName}}'
  # Step 3: annotate the finding and set its workflow status to RESOLVED.
  - name: 'UpdateFinding'
    action: 'aws:executeAwsApi'
    inputs:
      Service: 'securityhub'
      Api: 'BatchUpdateFindings'
      FindingIdentifiers:
        - Id: '{{ParseInput.FindingId}}'
          ProductArn: '{{ParseInput.ProductArn}}'
      Note:
        Text: 'Disabled public access to RDS instance'
        UpdatedBy: 'ASR-PCI_3.2.1_RDS.2'
      Workflow:
        Status: 'RESOLVED'
    description: 'Update finding'
    # Last step of the runbook.
    isEnd: true