#
#####################################
##           Gherkin               ##
#####################################
# Rule Identifier:
#   OPENSEARCH_ENCRYPTED_AT_REST
#
# Description:
#   OpenSearchService domains must enforce server side encryption
#
# Reports on:
#   AWS::OpenSearchService::Domain
#
# Evaluates:
#   AWS CloudFormation
#
# Rule Parameters:
#   NA
#
# Scenarios:
# a) SKIP: when there is no OpenSearchService domain present
# b) SKIP: when metada has rule suppression for OPENSEARCH_ENCRYPTED_AT_REST
# c) FAIL: when OpenSearchService domain has server side encryption property is missing
# d) FAIL: when OpenSearchService domain has server side encryption set to false
# e) PASS: when OpenSearchService domain has server side encryption set to true

#
# Select all elasticsearch domains from incoming template
#
let elasticsearch_domains_encrypted = Resources.*[ Type == "AWS::OpenSearchService::Domain"
  Metadata.guard.SuppressedRules not exists or
  Metadata.guard.SuppressedRules.* != "OPENSEARCH_ENCRYPTED_AT_REST"
]

rule OPENSEARCH_ENCRYPTED_AT_REST when %elasticsearch_domains_encrypted !empty {
    %elasticsearch_domains_encrypted.Properties.EncryptionAtRestOptions.Enabled == true
        <<
            Violation: OpenSearchService domains must enforce server side encryption.
            Fix: Set EncryptionAtRestOptions.Enabled to true.
        >>
}