#
#####################################
##           Gherkin               ##
#####################################
# Rule Identifier:
#   ELASTICSEARCH_NODE_TO_NODE_ENCRYPTION_CHECK
#
# Description:
#   Elasticsearch domains must enforce Node-to-Node Encryption
#
# Reports on:
#   AWS::Elasticsearch::Domain
#
# Evaluates:
#   AWS CloudFormation
#
# Rule Parameters:
#   NA
#
# Scenarios:
# a) SKIP: when there is no elasticsearch domain present
# b) SKIP: when metada has rule suppression for ELASTICSEARCH_NODE_TO_NODE_ENCRYPTION_CHECK
# c) FAIL: when Elasticsearch domain has Node-to-Node encryption property missing
# d) FAIL: when Elasticsearch domain has Node-to-Node encryption set to false
# e) PASS: when Elasticsearch domain has Node-to-Node encryption set to true

#
# Select all elasticsearch domains from incoming template
#
let elasticsearch_node_to_node_encryption_check = Resources.*[ Type == "AWS::Elasticsearch::Domain"
  Metadata.guard.SuppressedRules not exists or
  Metadata.guard.SuppressedRules.* != "ELASTICSEARCH_NODE_TO_NODE_ENCRYPTION_CHECK"
]

rule ELASTICSEARCH_NODE_TO_NODE_ENCRYPTION_CHECK when %elasticsearch_node_to_node_encryption_check !empty {
    %elasticsearch_node_to_node_encryption_check.Properties.NodeToNodeEncryptionOptions.Enabled == true
        <<
            Violation: Elasticsearch domains must enforce Node-to-Node Encryption.
            Fix: Set the NodeToNodeEncryptionOptions.Enabled parameter to true.
        >>
}