#
#####################################
##           Gherkin               ##
#####################################
# Rule Identifier:
#   OPENSEARCH_HTTPS_REQUIRED
#
# Description:
#   OpenSearchService domains are configured to require HTTPS with a minimum TLS version of TLSv1.2
#
# Reports on:
#   AWS::OpenSearchService::Domain
#
# Evaluates:
#   AWS CloudFormation
#
# Rule Parameters:
#   NA
#
# Scenarios:
# a) SKIP: when there are no OpenSearchService Domain Resources 
# b) SKIP: when metadata has rule suppression for OPENSEARCH_HTTPS_REQUIRED
# c) FAIL: when OpenSearchService Domain Resources are missing DomainEndpointOptions.EnforceHTTPS
# d) FAIL: when OpenSearchService Domain Resources are missing DomainEndpointOptions.TLSSecurityPolicy
# e) FAIL: when OpenSearchService Domain Resources have DomainEndpointOptions.EnforceHTTPS set to a value other than true 
# f) FAIL: when OpenSearchService Domain Resources have DomainEndpointOptions.TLSSecurityPolicy set to a value other than 'Policy-Min-TLS-1-2-2019-07'
# g) PASS: when OpenSearchService Domain Resources have DomainEndpointOptions.EnforceHTTPS set to true and 
#          DomainEndpointOptions.TLSSecurityPolicy set to 'Policy-Min-TLS-1-2-2019-07'

#
# Select all OpenSearchService domains from incoming template
#
let opensearch_https_required = Resources.*[ Type == "AWS::OpenSearchService::Domain"
  Metadata.guard.SuppressedRules not exists or
  Metadata.guard.SuppressedRules.* != "OPENSEARCH_HTTPS_REQUIRED"
]

rule OPENSEARCH_HTTPS_REQUIRED when %opensearch_https_required !empty {
    %opensearch_https_required.Properties { 
        DomainEndpointOptions exists
        DomainEndpointOptions is_struct

        DomainEndpointOptions {
            EnforceHTTPS exists
            EnforceHTTPS == true
                <<
                    Violation: OpenSearchService domains are configured to require HTTPS with a minimum TLS version of TLSv1.2
                    Fix: In DomainEndpointOptions, set EnforceHTTPS to true and TLSSecurityPolicy to 'Policy-Min-TLS-1-2-2019-07'
                >>
            TLSSecurityPolicy exists
            TLSSecurityPolicy in [ "Policy-Min-TLS-1-2-2019-07" ]
                <<
                    Violation: OpenSearchService domains are configured to require HTTPS with a minimum TLS version of TLSv1.2
                    Fix: In DomainEndpointOptions, set EnforceHTTPS to true and TLSSecurityPolicy to 'Policy-Min-TLS-1-2-2019-07'
                >>
        }
    }
}