---
# Compliance policy evaluated per AWS account object. The account is COMPLIANT
# only when the AWSSupportAccess managed policy is present in the account's
# IAM policy list AND at least one role-policy attachment references it.
inputType: "CA10__CaAwsAccount__c"
testData:
  - file: test-data.json
# NOTE(review): the conditions below look order-dependent (first match is
# presumably the reported result) - confirm against the engine before
# reordering them.
conditions:
  # Both related lists must contain at least one COMPLIANT record.
  - status: "COMPLIANT"
    currentStateMessage: "The AWS account has a support role for managing incidents with AWS Support."
    check:
      AND:
        args:
          - RELATED_LIST_HAS:
              status: "COMPLIANT"
              relationshipName: "CA10__AWS_IAM_Policies__r"
          - RELATED_LIST_HAS:
              status: "COMPLIANT"
              relationshipName: "CA10__AWS_IAM_Role_Policy_Attachments__r"
  # NOTE(review): this fires when ANY policy record is INCOMPLIANT, and every
  # policy whose ARN is not AWSSupportAccess is INCOMPLIANT per the related
  # list below. If the list holds other policies, "does not exist" may be
  # reported even when AWSSupportAccess exists but is unattached - confirm
  # RELATED_LIST_HAS semantics and the contents of the related list.
  - status: "INCOMPLIANT"
    currentStateMessage: "The AWSSupportAccess IAM policy for managing incidents with AWS Support does not exist."
    remediationMessage: "Create the AWSSupportAccess IAM policy."
    check:
      RELATED_LIST_HAS:
        status: "INCOMPLIANT"
        relationshipName: "CA10__AWS_IAM_Policies__r"
  # Reached only when no policy record is INCOMPLIANT and an attachment
  # record is.
  - status: "INCOMPLIANT"
    currentStateMessage: "The AWSSupportAccess IAM policy is not attached to any IAM role."
    remediationMessage: "Attach the AWSSupportAccess IAM policy to an IAM role dedicated to managing AWS Support incidents."
    check:
      RELATED_LIST_HAS:
        status: "INCOMPLIANT"
        relationshipName: "CA10__AWS_IAM_Role_Policy_Attachments__r"
# Fallback when none of the conditions above match.
otherwise:
  status: "UNDETERMINED"
  currentStateMessage: "There are no active IAM roles or IAM policies."
relatedLists:
  # Per-policy evaluation: a policy record is COMPLIANT only on an exact
  # string match of its ARN.
  - relationshipName: "CA10__AWS_IAM_Policies__r"
    importExtracts:
      - file: /types/CA10__CaAwsIamPolicy__c/object.extracts.yaml
    conditions:
      - status: "COMPLIANT"
        currentStateMessage: "This is the AWSSupportAccess IAM policy."
        check:
          IS_EQUAL:
            left:
              EXTRACT: "CA10__arn__c"
            # NOTE(review): the ARN is pinned to the "aws" partition, so
            # accounts in other partitions (e.g. aws-us-gov, aws-cn) would
            # never match - confirm whether those accounts are in scope.
            right:
              TEXT: arn:aws:iam::aws:policy/AWSSupportAccess
    otherwise:
      status: "INCOMPLIANT"
      currentStateMessage: "The AWSSupportAccess IAM policy is not found."
  # Per-attachment evaluation. Only role attachments are consulted; policy
  # attachments to IAM users or groups are not read by this policy.
  - relationshipName: "CA10__AWS_IAM_Role_Policy_Attachments__r"
    importExtracts:
      - file: /types/CA10__CaAwsIamRolePolicyAttachment__c/object.extracts.yaml
    conditions:
      - status: "COMPLIANT"
        currentStateMessage: "An IAM role is attached to the AWSSupportAccess IAM policy."
        # The check confirms the role and policy lookups are populated and
        # the policy ARN matches. It does not inspect the role itself: who
        # may assume it (trust policy) and what else is attached to it need
        # a separate review.
        check:
          AND:
            args:
              - NOT_EMPTY_LOOKUP: "CA10__role__r"
              - NOT_EMPTY_LOOKUP: "CA10__policy__r"
              - IS_EQUAL:
                  left:
                    EXTRACT: CA10__policyArn__c
                  # Same "aws"-partition-only ARN as in the policy list above.
                  right:
                    TEXT: arn:aws:iam::aws:policy/AWSSupportAccess
    otherwise:
      status: "INCOMPLIANT"
      currentStateMessage: "No IAM role is attached to the AWSSupportAccess IAM policy."