# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
# SPDX-License-Identifier: Apache-2.0
---
description: |
  ### Document name - AWSConfigRemediation-RemoveVPCDefaultSecurityGroupRules

  ## What does this document do?
  This document removes all inbound and outbound rules from the default security group in an Amazon VPC. A default security group is defined as any security group whose name is `default`. If the security group ID passed to this automation document belongs to a non-default security group, this document does not perform any changes to the AWS account.

  ## Input Parameters
  * GroupId: (Required) The unique ID of the security group.
  * AutomationAssumeRole: (Required) The ARN of the role that allows Automation to perform the actions on your behalf.

  ## Output Parameters
  * RemoveRulesAndVerify.Output - Success message or failure exception.

schemaVersion: "0.3"
assumeRole: "{{ AutomationAssumeRole }}"
parameters:
  GroupId:
    type: String
    description: (Required) The unique ID of the security group.
    allowedPattern: "sg-[a-z0-9]+$"
  AutomationAssumeRole:
    type: String
    description: (Required) The ARN of the role that allows Automation to perform the actions on your behalf.
    allowedPattern: '^arn:(?:aws|aws-us-gov|aws-cn):iam::\d{12}:role/[\w+=,.@-]+$'

outputs:
  - RemoveRulesAndVerify.Output

mainSteps:
  - name: CheckDefaultSecurityGroup
    action: aws:assertAwsResourceProperty
    isCritical: True
    onFailure: Abort
    maxAttempts: 3
    timeoutSeconds: 20
    description: |
      ## CheckDefaultSecurityGroup
      Verifies that the security group name does match `default`. If the group name does match `default`, go to the next step: DescribeSecurityGroups.
    inputs:
      Service: ec2
      Api: DescribeSecurityGroups
      GroupIds:
        - "{{ GroupId }}"
      PropertySelector: "$.SecurityGroups[0].GroupName"
      DesiredValues:
        - "default"
    nextStep: RemoveRulesAndVerify

  - name: RemoveRulesAndVerify
    action: "aws:executeScript"
    isCritical: True
    onFailure: Abort
    maxAttempts: 3
    timeoutSeconds: 180
    isEnd: true
    description: |
      ## RemoveRulesAndVerify
      Removes all rules from the default security group.
      ## Outputs
      * Output: Success message or failure exception.
    inputs:
      Runtime: python3.8
      Handler: handler
      InputPayload:
        GroupId: "{{ GroupId }}"
      Script: |-
        import boto3
        from botocore.exceptions import ClientError
        from time import sleep


        ec2_client = boto3.client("ec2")


        def get_permissions(group_id):
            default_group = ec2_client.describe_security_groups(GroupIds=[group_id]).get("SecurityGroups")[0]
            return default_group.get("IpPermissions"), default_group.get("IpPermissionsEgress")


        def handler(event, context):
            group_id = event.get("GroupId")
            ingress_permissions, egress_permissions = get_permissions(group_id)

            if ingress_permissions:
                ec2_client.revoke_security_group_ingress(GroupId=group_id, IpPermissions=ingress_permissions)
            if egress_permissions:
                ec2_client.revoke_security_group_egress(GroupId=group_id, IpPermissions=egress_permissions)

            ingress_permissions, egress_permissions = get_permissions(group_id)
            if ingress_permissions or egress_permissions:
                raise Exception(f"VERIFICATION FAILED. SECURITY GROUP {group_id} NOT CLOSED.")

            return {
                "output": "Security group closed successfully."
            }
    outputs:
      - Name: Output
        Selector: $.Payload.output
        Type: String