### # OPENSEARCH_APPLICATION_LOGGING_ENABLED tests ### --- - name: Empty, SKIP input: {} expectations: rules: OPENSEARCH_APPLICATION_LOGGING_ENABLED: SKIP - name: Scenario a) No resources, SKIP input: Resources: {} expectations: rules: OPENSEARCH_APPLICATION_LOGGING_ENABLED: SKIP - name: Scenario b) Rule suppressed, SKIP input: Resources: OpenSearchDomain: Type: "AWS::OpenSearchService::Domain" Metadata: guard: SuppressedRules: - "OPENSEARCH_APPLICATION_LOGGING_ENABLED" expectations: rules: OPENSEARCH_APPLICATION_LOGGING_ENABLED: SKIP - name: Scenario c) OpenSearchService Domain resources are missing LogPublishingOptions.ES_APPLICATION_LOGS.Enabled or LogPublishingOptions.ES_APPLICATION_LOGS.CloudWatchLogsLogGroupArn, FAIL input: Resources: OpenSearchDomain: Type: "AWS::OpenSearchService::Domain" Properties: {} expectations: rules: OPENSEARCH_APPLICATION_LOGGING_ENABLED: FAIL - name: Scenario c) OpenSearchService Domain resources are missing LogPublishingOptions.ES_APPLICATION_LOGS.Enabled or LogPublishingOptions.ES_APPLICATION_LOGS.CloudWatchLogsLogGroupArn, FAIL input: Resources: OpenSearchDomain: Type: "AWS::OpenSearchService::Domain" Properties: LogPublishingOptions: {} expectations: rules: OPENSEARCH_APPLICATION_LOGGING_ENABLED: FAIL - name: Scenario c) OpenSearchService Domain resources are missing LogPublishingOptions.ES_APPLICATION_LOGS.Enabled or LogPublishingOptions.ES_APPLICATION_LOGS.CloudWatchLogsLogGroupArn, FAIL input: Resources: OpenSearchDomain: Type: "AWS::OpenSearchService::Domain" Properties: LogPublishingOptions: ES_APPLICATION_LOGS: {} expectations: rules: OPENSEARCH_APPLICATION_LOGGING_ENABLED: FAIL - name: Scenario c) OpenSearchService Domain resources are missing LogPublishingOptions.ES_APPLICATION_LOGS.Enabled or LogPublishingOptions.ES_APPLICATION_LOGS.CloudWatchLogsLogGroupArn, FAIL input: Resources: OpenSearchDomain: Type: "AWS::OpenSearchService::Domain" Properties: LogPublishingOptions: ES_APPLICATION_LOGS: Enabled: true expectations: rules: OPENSEARCH_APPLICATION_LOGGING_ENABLED: FAIL - name: Scenario c) OpenSearchService Domain resources are missing LogPublishingOptions.ES_APPLICATION_LOGS.Enabled or LogPublishingOptions.ES_APPLICATION_LOGS.CloudWatchLogsLogGroupArn, FAIL input: Resources: OpenSearchDomain: Type: "AWS::OpenSearchService::Domain" Properties: LogPublishingOptions: ES_APPLICATION_LOGS: CloudWatchLogsLogGroupArn: "arn:aws:logs:us-east-1:123456789012:log-group:/aws/opensearchservice/domains/es-audit-logs" expectations: rules: OPENSEARCH_APPLICATION_LOGGING_ENABLED: FAIL - name: Scenario d) OpenSearchService Domain resources have LogPublishingOptions.ES_APPLICATION_LOGS.Enabled set to a value other than true, FAIL input: Resources: OpenSearchDomain: Type: "AWS::OpenSearchService::Domain" Properties: LogPublishingOptions: ES_APPLICATION_LOGS: Enabled: false expectations: rules: OPENSEARCH_APPLICATION_LOGGING_ENABLED: FAIL - name: Scenario d) OpenSearchService Domain resources have LogPublishingOptions.ES_APPLICATION_LOGS.Enabled set to a value other than true, FAIL input: Resources: OpenSearchDomain: Type: "AWS::OpenSearchService::Domain" Properties: LogPublishingOptions: ES_APPLICATION_LOGS: Enabled: "false" expectations: rules: OPENSEARCH_APPLICATION_LOGGING_ENABLED: FAIL - name: Scenario e) OpenSearchService Domain resources have LogPublishingOptions.ES_APPLICATION_LOGS.CloudWatchLogsLogGroupArn set to a value other than a string or struct, FAIL input: Resources: OpenSearchDomain: Type: "AWS::OpenSearchService::Domain" Properties: LogPublishingOptions: ES_APPLICATION_LOGS: Enabled: true CloudWatchLogsLogGroupArn: 123 expectations: rules: OPENSEARCH_APPLICATION_LOGGING_ENABLED: FAIL - name: Scenario e) OpenSearchService Domain resources have LogPublishingOptions.ES_APPLICATION_LOGS.CloudWatchLogsLogGroupArn set to a value other than a string or struct, FAIL input: Resources: OpenSearchDomain: Type: "AWS::OpenSearchService::Domain" Properties: LogPublishingOptions: ES_APPLICATION_LOGS: Enabled: true CloudWatchLogsLogGroupArn: [] expectations: rules: OPENSEARCH_APPLICATION_LOGGING_ENABLED: FAIL - name: Scenario f) OpenSearchService Domain resources have LogPublishingOptions.ES_APPLICATION_LOGS.Enabled set to true and LogPublishingOptions.ES_APPLICATION_LOGS.CloudWatchLogsLogGroupArn set to a string or struct value, PASS input: Resources: OpenSearchDomain: Type: "AWS::OpenSearchService::Domain" Properties: LogPublishingOptions: ES_APPLICATION_LOGS: Enabled: true CloudWatchLogsLogGroupArn: "arn:aws:logs:us-east-1:123456789012:log-group:/aws/opensearchservice/domains/es-audit-logs" expectations: rules: OPENSEARCH_APPLICATION_LOGGING_ENABLED: PASS - name: Scenario g) OpenSearchService Domain resources have LogPublishingOptions.ES_APPLICATION_LOGS.Enabled set to true and LogPublishingOptions.ES_APPLICATION_LOGS.CloudWatchLogsLogGroupArn set to a string or struct value, PASS input: Resources: LogGroup: Type: "AWS::Logs::LogGroup" OpenSearchDomain: Type: "AWS::OpenSearchService::Domain" Properties: LogPublishingOptions: ES_APPLICATION_LOGS: Enabled: true CloudWatchLogsLogGroupArn: Fn::GetAtt: [LogGroup, Arn] expectations: rules: OPENSEARCH_APPLICATION_LOGGING_ENABLED: PASS