Amazon Firewall Manager · Arazzo Workflow

Amazon Firewall Manager Audit Policy Compliance

Version 1.0.0

Resolve a policy, enumerate member accounts, and pull compliance detail for a chosen account.

1 workflow · 1 source API · 1 provider

Tags: Compliance · Firewall · Network Security · Security · Arazzo Workflows

Provider

amazon-firewall-manager

Workflows

audit-policy-compliance
Pull compliance detail for a member account against a Firewall Manager policy.
Confirms the policy exists, lists organization member accounts, and returns the compliance violators for a specific member account under the policy.
3 steps · inputs: maxResults, memberAccountId, policyId · outputs: memberAccounts, policyComplianceDetail, policyName

1. getPolicy (operationId: getPolicy)
   Confirm the target policy exists before evaluating member account compliance against it.
2. listMemberAccounts (operationId: listMemberAccounts)
   List the member accounts in the administrator account's AWS organization so the caller can confirm the target member account is in scope.
3. getComplianceDetail (operationId: getComplianceDetail)
   Retrieve detailed compliance information, including any violators, for the selected member account under the policy.

Source API Descriptions

firewallManagerApi (openapi): ../openapi/amazon-firewall-manager-openapi.yml

Arazzo Workflow Specification

amazon-firewall-manager-audit-policy-compliance-workflow.yml
arazzo: 1.0.1
info:
  title: Amazon Firewall Manager Audit Policy Compliance
  summary: Resolve a policy, enumerate member accounts, and pull compliance detail for a chosen account.
  description: >-
    Fetches a Firewall Manager policy to confirm it exists, lists the member
    accounts in the administrator account's AWS organization, and then retrieves
    detailed compliance information for a selected member account against that
    policy. Each step carries its parameters and success criteria inline, so
    the flow can be read without opening the underlying OpenAPI description.
  version: 1.0.0
sourceDescriptions:
- name: firewallManagerApi
  url: ../openapi/amazon-firewall-manager-openapi.yml
  type: openapi
workflows:
- workflowId: audit-policy-compliance
  summary: Pull compliance detail for a member account against a Firewall Manager policy.
  description: >-
    Confirms the policy exists, lists organization member accounts, and returns
    the compliance violators for a specific member account under the policy.
  inputs:
    type: object
    required:
    - policyId
    - memberAccountId
    properties:
      policyId:
        type: string
        description: The ID of the Firewall Manager policy to audit.
      memberAccountId:
        type: string
        description: The AWS account ID of the member account to evaluate.
      maxResults:
        type: integer
        description: Maximum number of member accounts to return per call; when more remain, the listMemberAccounts step exposes a nextToken output.
  steps:
  - stepId: getPolicy
    description: >-
      Confirm the target policy exists before evaluating member account
      compliance against it.
    operationId: getPolicy
    parameters:
    - name: policyId
      in: path
      value: $inputs.policyId
    successCriteria:
    - condition: $statusCode == 200
    outputs:
      policyName: $response.body#/Policy/PolicyName
      policyArn: $response.body#/PolicyArn
  - stepId: listMemberAccounts
    description: >-
      List the member accounts in the administrator account's AWS organization
      so the caller can confirm the target member account is in scope.
    operationId: listMemberAccounts
    parameters:
    - name: maxResults
      in: query
      value: $inputs.maxResults
    successCriteria:
    - condition: $statusCode == 200
    outputs:
      memberAccounts: $response.body#/MemberAccounts
      nextToken: $response.body#/NextToken
  - stepId: getComplianceDetail
    description: >-
      Retrieve detailed compliance information, including any violators, for the
      selected member account under the policy.
    operationId: getComplianceDetail
    parameters:
    - name: policyId
      in: path
      value: $inputs.policyId
    - name: memberAccountId
      in: path
      value: $inputs.memberAccountId
    successCriteria:
    - condition: $statusCode == 200
    outputs:
      policyComplianceDetail: $response.body#/PolicyComplianceDetail
  outputs:
    policyName: $steps.getPolicy.outputs.policyName
    memberAccounts: $steps.listMemberAccounts.outputs.memberAccounts
    policyComplianceDetail: $steps.getComplianceDetail.outputs.policyComplianceDetail
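The workflow above resolves three outputs and stops there: it never asserts that `memberAccountId` appears in `memberAccounts`, and with `maxResults` set the listing may be a single page. The following Python is an added example, not the catalogued workflow's own code nor AWS tooling. It consumes the three step response bodies, evaluates the workflow's `$response.body#/...` output expressions with a small RFC 6901 JSON pointer resolver, and adds the checks the workflow leaves to the caller: in-scope confirmation (with a truncation hint when `NextToken` is present), consistency of the compliance detail with the requested policy and account, and the `EvaluationLimitExceeded` flag. The sample bodies are constructed to follow the shape of the FMS GetPolicy, ListMemberAccounts and GetComplianceDetail responses; the account IDs, policy ID, ARNs and violation reasons are placeholders, and `json_pointer`, `resolve_output` and `audit` are helpers written for this example.

```python
"""Offline consumer for the audit-policy-compliance workflow's step responses.

Added example, not part of the catalogued Arazzo workflow or of AWS tooling.
The three sample bodies below are constructed to follow the documented shape of
the FMS GetPolicy, ListMemberAccounts and GetComplianceDetail responses; the
account IDs, policy ID, ARNs and violation reasons are placeholders.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass, field
from typing import Any

# ---- constructed sample step responses (placeholder identifiers) ----------
SAMPLE_GET_POLICY = {
    "Policy": {
        "PolicyId": "0f4e3c2d-1111-4aaa-8bbb-000000000001",
        "PolicyName": "baseline-waf",
        "SecurityServicePolicyData": {"Type": "WAFV2"},
        "RemediationEnabled": False,
    },
    "PolicyArn": "arn:aws:fms:us-east-1:111122223333:policy/0f4e3c2d-1111-4aaa-8bbb-000000000001",
}
SAMPLE_LIST_MEMBERS = {
    "MemberAccounts": ["111122223333", "444455556666"],
    "NextToken": "page-2",  # constructed: more accounts exist beyond maxResults
}
SAMPLE_COMPLIANCE = {
    "PolicyComplianceDetail": {
        "PolicyOwner": "111122223333",
        "PolicyId": "0f4e3c2d-1111-4aaa-8bbb-000000000001",
        "MemberAccount": "444455556666",
        "Violators": [
            {"ResourceId": "arn:aws:elasticloadbalancing:us-east-1:444455556666:loadbalancer/app/web/0123456789abcdef",
             "ViolationReason": "RESOURCE_MISSING_WEB_ACL",
             "ResourceType": "AWS::ElasticLoadBalancingV2::LoadBalancer"},
            {"ResourceId": "arn:aws:apigateway:us-east-1::/restapis/abc123/stages/prod",
             "ViolationReason": "RESOURCE_MISSING_WEB_ACL",
             "ResourceType": "AWS::ApiGateway::Stage"},
            {"ResourceId": "arn:aws:wafv2:us-east-1:444455556666:regional/webacl/FMManagedWebACLV2-baseline-waf/0000",
             "ViolationReason": "WEB_ACL_MISSING_RULE_GROUP",
             "ResourceType": "AWS::WAFv2::WebACL"},
        ],
        "EvaluationLimitExceeded": False,
    }
}


def json_pointer(doc: Any, pointer: str) -> Any:
    """Resolve an RFC 6901 JSON pointer, i.e. the part after '#' in an Arazzo
    runtime expression such as $response.body#/Policy/PolicyName."""
    if pointer.startswith("#"):
        pointer = pointer[1:]
    if pointer == "":
        return doc
    if not pointer.startswith("/"):
        raise ValueError(f"invalid JSON pointer: {pointer!r}")
    node = doc
    for raw in pointer.split("/")[1:]:
        token = raw.replace("~1", "/").replace("~0", "~")  # unescape per RFC 6901
        node = node[int(token)] if isinstance(node, list) else node[token]
    return node


def resolve_output(expr: str, body: Any) -> Any:
    """Evaluate a step output of the form `$response.body#/json/pointer`."""
    prefix = "$response.body"
    if not expr.startswith(prefix):
        raise ValueError(f"only $response.body expressions are supported: {expr}")
    return json_pointer(body, expr[len(prefix):])


@dataclass
class AuditResult:
    policy_name: str
    in_scope: bool
    listing_truncated: bool
    violators_by_reason: dict[str, int]
    findings: list[str] = field(default_factory=list)


def audit(member_account_id: str, get_policy: dict, list_members: dict, compliance: dict) -> AuditResult:
    """Apply the workflow's output expressions, then the checks it leaves to the caller."""
    policy_name = resolve_output("$response.body#/Policy/PolicyName", get_policy)
    accounts = resolve_output("$response.body#/MemberAccounts", list_members)
    truncated = list_members.get("NextToken") is not None
    detail = resolve_output("$response.body#/PolicyComplianceDetail", compliance)

    findings: list[str] = []
    in_scope = member_account_id in accounts
    if not in_scope:
        findings.append("member account not in the returned page of member accounts"
                        + ("; listing truncated, follow NextToken before concluding" if truncated else ""))
    if detail.get("PolicyId") != get_policy["Policy"]["PolicyId"]:
        findings.append("compliance detail refers to a different policy than requested")
    if detail.get("MemberAccount") != member_account_id:
        findings.append("compliance detail is for a different account than requested")
    if detail.get("EvaluationLimitExceeded"):
        findings.append("EvaluationLimitExceeded set: violator list is incomplete")
    by_reason = Counter(v.get("ViolationReason", "UNKNOWN") for v in detail.get("Violators", []))
    return AuditResult(policy_name, in_scope, truncated, dict(by_reason), findings)


if __name__ == "__main__":
    result = audit("444455556666", SAMPLE_GET_POLICY, SAMPLE_LIST_MEMBERS, SAMPLE_COMPLIANCE)
    print(f"{result.policy_name}: in_scope={result.in_scope} truncated={result.listing_truncated}")
    for reason, count in sorted(result.violators_by_reason.items()):
        print(f"  {count:3d}  {reason}")
    for finding in result.findings:
        print("  ! " + finding)
```

In a real run the three bodies come from the workflow's steps; when `listing_truncated` is true and the account is not on the page, repeat `listMemberAccounts` with the returned `nextToken` rather than treating the account as out of scope.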