in source/lib/ssmplaybook.ts [136:215]
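/**
 * Wires Security Hub findings for one control to the orchestrator Step Function.
 *
 * Resources created, in order:
 * - an IAM role assumed by the EventBridge service (`events.amazonaws.com`) that is
 *   granted only StartExecution on the target state machine;
 * - a CloudFormation parameter (`ENABLED`/`DISABLED`, default `DISABLED`) that is
 *   written into the rule's `State`, so automatic remediation is opt-in per control;
 * - an EventBridge rule matching imported Security Hub findings whose GeneratorId is
 *   `props.generatorId`, whose workflow status is `NEW` and whose compliance status is
 *   `FAILED` or `WARNING`.
 *
 * @param scope - Parent construct.
 * @param id - Construct id within `scope`.
 * @param props - Trigger configuration: `securityStandard`, `controlId`, `generatorId`,
 *   `targetArn` (the orchestrator state machine ARN) and an optional `description`.
 */
constructor(scope: cdk.Construct, id: string, props: ITriggerProps) {
  super(scope, id);

  // '.' cannot appear in a CloudFormation logical ID, so it is stripped from the control id
  // before the parameter's logical ID is built below.
  // NOTE(review): only '.' is removed; a controlId containing any other non-alphanumeric
  // character would still produce an invalid logical ID — confirm against the ids in use.
  const illegalChars = /[\.]/g;

  // Truthiness on purpose: an empty description also falls back to the generated one.
  const description = props.description || `Remediate ${props.securityStandard} ${props.controlId}`;

  // Finding filters: only new findings that are failing (or warning) trigger remediation.
  const workflowStatusFilter = {
    "Status": [ "NEW" ]
  };
  const complianceStatusFilter = {
    "Status": [ "FAILED", "WARNING" ]
  };

  const stateMachine = sfn.StateMachine.fromStateMachineArn(this, 'orchestrator', props.targetArn);

  // Role EventBridge assumes to start the orchestrator. It is granted only StartExecution
  // on this one state machine, nothing broader.
  const eventsRole = new Role(this, 'EventsRuleRole', {
    assumedBy: new ServicePrincipal('events.amazonaws.com')
  });
  stateMachine.grantStartExecution(eventsRole);

  // Hand-built rule target so the invocation uses the least-privilege role above.
  const stateMachineTarget: events.IRuleTarget = {
    bind: () => ({
      id: '',
      arn: props.targetArn,
      role: eventsRole
    })
  };

  // Template parameter gating the rule. The default keeps automatic remediation OFF until an
  // operator explicitly enables it for this control.
  const enableAutoRemediationParam = new cdk.CfnParameter(this, 'AutoEnable', {
    description: "This will fully enable automated remediation for "+ props.securityStandard + ' ' + props.controlId,
    type: "String",
    allowedValues: ["ENABLED", "DISABLED"],
    default: "DISABLED"
  });
  enableAutoRemediationParam.overrideLogicalId(`${props.securityStandard}${props.controlId.replace(illegalChars, '')}AutoTrigger`);

  // Typed directly as the EventBridge pattern type instead of an ad-hoc `any`-typed shape.
  const triggerPattern: events.EventPattern = {
    source: ["aws.securityhub"],
    detailType: ["Security Hub Findings - Imported"],
    detail: {
      findings: {
        // GeneratorId includes both standard and control/rule ID
        GeneratorId: [props.generatorId],
        Workflow: workflowStatusFilter,
        Compliance: complianceStatusFilter
      }
    }
  };

  // Automatic trigger rule for the playbook.
  const autoEventRule = new events.Rule(this, 'AutoEventRule', {
    description: description + ' automatic remediation trigger event rule.',
    ruleName: `${props.securityStandard}_${props.controlId}_AutoTrigger`,
    targets: [stateMachineTarget],
    eventPattern: triggerPattern
  });

  // The L2 Rule has no `enabled`-from-parameter option, so the CloudFormation `State` property
  // is overridden on the underlying L1 resource with the parameter value.
  const cfnAutoEventRule = autoEventRule.node.defaultChild as events.CfnRule;
  cfnAutoEventRule.addPropertyOverride('State', enableAutoRemediationParam.valueAsString);
}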