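package elasticsearch

import (
	"github.com/khulnasoft-lab/defsec/pkg/providers/aws/elasticsearch"
	"github.com/khulnasoft-lab/defsec/pkg/scanners/cloudformation/parser"
	defsecTypes "github.com/khulnasoft-lab/defsec/pkg/types"
)

// getDomains adapts every AWS::Elasticsearch::Domain and
// AWS::OpenSearchService::Domain resource in ctx into the provider's
// elasticsearch.Domain model.
//
// The security-relevant option blocks (LogPublishingOptions,
// NodeToNodeEncryptionOptions, EncryptionAtRestOptions and
// DomainEndpointOptions) are first seeded with the values a domain
// effectively has when the block is omitted from the template (no audit
// logging, no transit or at-rest encryption, HTTPS not enforced, the
// "Policy-Min-TLS-1-0-2019-07" minimum TLS policy) and are then replaced by
// the template's own block when one is present, so a missing block is
// reported by the rules as the insecure default rather than as "unknown".
// Fields a template cannot express (VpcId, ServiceSoftwareOptions) are left
// at their zero values, attributed to the resource's metadata.
func getDomains(ctx parser.FileContext) (domains []elasticsearch.Domain) {
	domainResources := ctx.GetResourcesByType("AWS::Elasticsearch::Domain", "AWS::OpenSearchService::Domain")

	for _, r := range domainResources {
		// The legacy resource type nests cluster settings under
		// ElasticsearchClusterConfig, while AWS::OpenSearchService::Domain
		// uses ClusterConfig. Read both so an OpenSearch domain with a
		// dedicated master is not silently reported as having none.
		dedicatedMaster := r.GetBoolProperty("ElasticsearchClusterConfig.DedicatedMasterEnabled")
		if prop := r.GetProperty("ClusterConfig"); prop.IsNotNil() {
			dedicatedMaster = prop.GetBoolProperty("DedicatedMasterEnabled", false)
		}

		domain := elasticsearch.Domain{
			Metadata:   r.Metadata(),
			DomainName: r.GetStringProperty("DomainName"),
			// NOTE(review): AccessPolicies is normally an inline JSON policy
			// object in templates rather than a string; confirm that
			// GetStringProperty yields a usable value for a non-scalar node.
			AccessPolicies:         r.GetStringProperty("AccessPolicies"),
			DedicatedMasterEnabled: dedicatedMaster,
			// Not derivable from a CloudFormation template.
			VpcId: defsecTypes.String("", r.Metadata()),
			LogPublishing: elasticsearch.LogPublishing{
				Metadata:              r.Metadata(),
				AuditEnabled:          defsecTypes.BoolDefault(false, r.Metadata()),
				CloudWatchLogGroupArn: defsecTypes.String("", r.Metadata()),
			},
			TransitEncryption: elasticsearch.TransitEncryption{
				Metadata: r.Metadata(),
				Enabled:  defsecTypes.BoolDefault(false, r.Metadata()),
			},
			AtRestEncryption: elasticsearch.AtRestEncryption{
				Metadata: r.Metadata(),
				Enabled:  defsecTypes.BoolDefault(false, r.Metadata()),
				KmsKeyId: defsecTypes.String("", r.Metadata()),
			},
			Endpoint: elasticsearch.Endpoint{
				Metadata:     r.Metadata(),
				EnforceHTTPS: defsecTypes.BoolDefault(false, r.Metadata()),
				// The service-side default when no TLSSecurityPolicy is set;
				// it permits TLS 1.0, which is what rules should flag.
				TLSPolicy: defsecTypes.StringDefault("Policy-Min-TLS-1-0-2019-07", r.Metadata()),
			},
			// Runtime-only state; a template never carries it.
			ServiceSoftwareOptions: elasticsearch.ServiceSoftwareOptions{
				Metadata:        r.Metadata(),
				CurrentVersion:  defsecTypes.String("", r.Metadata()),
				NewVersion:      defsecTypes.String("", r.Metadata()),
				UpdateStatus:    defsecTypes.String("", r.Metadata()),
				UpdateAvailable: defsecTypes.Bool(false, r.Metadata()),
			},
		}

		// NOTE(review): LogPublishingOptions is keyed by log type in the
		// template; reading CloudWatchLogsLogGroupArn at the top level may
		// only match a flattened form — verify against the parser's
		// property lookup before relying on it.
		if prop := r.GetProperty("LogPublishingOptions"); prop.IsNotNil() {
			domain.LogPublishing = elasticsearch.LogPublishing{
				Metadata:              prop.Metadata(),
				AuditEnabled:          prop.GetBoolProperty("AUDIT_LOGS.Enabled", false),
				CloudWatchLogGroupArn: prop.GetStringProperty("CloudWatchLogsLogGroupArn"),
			}
		}

		if prop := r.GetProperty("NodeToNodeEncryptionOptions"); prop.IsNotNil() {
			domain.TransitEncryption = elasticsearch.TransitEncryption{
				Metadata: prop.Metadata(),
				Enabled:  prop.GetBoolProperty("Enabled", false),
			}
		}

		if prop := r.GetProperty("EncryptionAtRestOptions"); prop.IsNotNil() {
			domain.AtRestEncryption = elasticsearch.AtRestEncryption{
				Metadata: prop.Metadata(),
				Enabled:  prop.GetBoolProperty("Enabled", false),
				KmsKeyId: prop.GetStringProperty("KmsKeyId"),
			}
		}

		if prop := r.GetProperty("DomainEndpointOptions"); prop.IsNotNil() {
			domain.Endpoint = elasticsearch.Endpoint{
				Metadata:     prop.Metadata(),
				EnforceHTTPS: prop.GetBoolProperty("EnforceHTTPS", false),
				TLSPolicy:    prop.GetStringProperty("TLSSecurityPolicy", "Policy-Min-TLS-1-0-2019-07"),
			}
		}

		domains = append(domains, domain)
	}

	return domains
}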