# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. # SPDX-License-Identifier: Apache-2.0 --- schemaVersion: "0.3" description: | ### Document name - AWSConfigRemediation-EnableRDSClusterDeletionProtection ## What does this document do? This document enables `Deletion Protection` on a given Amazon RDS cluster using the [ModifyDBCluster](https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_ModifyDBCluster.html) API. Please note, AWS Config is required to be enabled in this region for this document to work as it requires the resource ID recorded by the AWS Config service. ## Input Parameters * AutomationAssumeRole: (Required) The ARN of the role that allows Automation to perform the actions on your behalf. * ClusterId: (Required) Resource ID of the Amazon RDS cluster. ## Output Parameters * EnableRDSClusterDeletionProtection.ModifyDBClusterResponse: The standard HTTP response from the ModifyDBCluster API. assumeRole: "{{ AutomationAssumeRole }}" parameters: AutomationAssumeRole: type: String description: (Required) The ARN of the role that allows Automation to perform the actions on your behalf. allowedPattern: '^arn:(?:aws|aws-us-gov|aws-cn):iam::\d{12}:role/[\w+=,.@-]+$' ClusterId: type: String description: (Required) Amazon RDS cluster resourceId for which deletion protection needs to be enabled. allowedPattern: ^[a-zA-Z0-9-]{1,35}$ outputs: - EnableRDSClusterDeletionProtection.ModifyDBClusterResponse mainSteps: - name: GetRDSClusterIdentifer action: "aws:executeAwsApi" description: | ## GetRDSClusterIdentifer Accepts the resource ID of the Amazon RDS Cluster as input and returns the cluster name. ## Outputs * DbClusterIdentifier: The ID of the DB cluster for which the input parameter matches DbClusterResourceId element from the output of the DescribeDBClusters API call. timeoutSeconds: 600 isEnd: false inputs: Service: config Api: GetResourceConfigHistory resourceId: "{{ ClusterId }}" resourceType: "AWS::RDS::DBCluster" limit: 1 outputs: - Name: DbClusterIdentifier Selector: $.configurationItems[0].resourceName Type: String - name: VerifyDBClusterStatus action: "aws:assertAwsResourceProperty" timeoutSeconds: 600 isEnd: false description: | ## VerifyDBClusterStatus Verifies if the DB Cluster status is available before enabling cluster deletion protection. inputs: Service: rds Api: DescribeDBClusters DBClusterIdentifier: "{{ GetRDSClusterIdentifer.DbClusterIdentifier }}" PropertySelector: "$.DBClusters[0].Status" DesiredValues: - "available" - name: EnableRDSClusterDeletionProtection action: "aws:executeAwsApi" description: | ## EnableRDSClusterDeletionProtection Enables deletion protection on the Amazon RDS Cluster. ## Outputs * ModifyDBClusterResponse: The standard HTTP response from the ModifyDBCluster API. timeoutSeconds: 600 isEnd: false inputs: Service: rds Api: ModifyDBCluster DBClusterIdentifier: "{{ GetRDSClusterIdentifer.DbClusterIdentifier }}" DeletionProtection: True outputs: - Name: ModifyDBClusterResponse Selector: $ Type: StringMap - name: VerifyDBClusterModification action: "aws:assertAwsResourceProperty" description: | ## VerifyDBClusterModification Verifies that deletion protection has been enabled for the given Amazon RDS database cluster. timeoutSeconds: 600 isEnd: true inputs: Service: rds Api: DescribeDBClusters DBClusterIdentifier: "{{ GetRDSClusterIdentifer.DbClusterIdentifier }}" PropertySelector: "$.DBClusters[0].DeletionProtection" DesiredValues: - "True"