#
#####################################
##           Gherkin               ##
#####################################
# Rule Identifier:
#  ELASTICSEARCH_LOGS_TO_CLOUDWATCH
#
# Description:
#   Checks if Amazon OpenSearch Service (OpenSearch Service) domains are
#   configured to send logs to Amazon CloudWatch Logs.
#
# Reports on:
#   AWS::Elasticsearch::Domain
#
# Evaluates:
#   AWS CloudFormation
#
# Rule Parameters:
#   NA
#
# Scenarios:
# a) SKIP: when there is no elasticsearch domain present
# b) SKIP: when metadata has rule suppression for ELASTICSEARCH_LOGS_TO_CLOUDWATCH
# c) FAIL: when Elasticsearch domain does not have LogPublishingOptions or Enabled parameter is set to false for all available keys
# d) PASS: when Elasticsearch domain has LogPublishingOptions with Enabled parameter is set to true on one key

#
# Select all Elasticsearch domains from incoming template
#
let elasticsearch_domains_logs_cloudwatch = Resources.*[ Type == "AWS::Elasticsearch::Domain"
  Metadata.guard.SuppressedRules not exists or
  Metadata.guard.SuppressedRules.* != "ELASTICSEARCH_LOGS_TO_CLOUDWATCH"
]

rule ELASTICSEARCH_LOGS_TO_CLOUDWATCH when %elasticsearch_domains_logs_cloudwatch !empty {

    %elasticsearch_domains_logs_cloudwatch.Properties.LogPublishingOptions EXISTS
    %elasticsearch_domains_logs_cloudwatch.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled == true OR
    %elasticsearch_domains_logs_cloudwatch.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled == true OR
    %elasticsearch_domains_logs_cloudwatch.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled == true
        <<
            Violation: Elasticsearch domain must have logging configured to send logs to CloudWatch Logs.
            Fix: Set a LogPublishingOptions object to have the property "Enabled" parameter set to true for keys "ES_APPLICATION_LOGS", "SEARCH_SLOW_LOGS", or "INDEX_SLOW_LOGS".
        >>
}