π§ AWS OpenSearch Domain is not encrypted with the latest TLS policy - prod.logic.yamlπ’
- Contextual name: π§ prod.logic.yamlπ’
- ID:
/ce/ca/aws/opensearch/domain-tls-policy/prod.logic.yaml - Tags:
- π’ Logic test success
- π’ Logic with extracts
- π’ Logic with test data
Usesβ
Test Results π’β
Generated at: 2025-12-27T12:02:06.504732392Z Open
| Result | Id | Condition Index | Condition Text | Runtime Error |
|---|---|---|---|---|
| π’ | test1 | βοΈ 99 | βοΈ isDisappeared(CA10__disappearanceTime__c) | βοΈ null |
| π’ | test2 | βοΈ 299 | βοΈ extract('CA10__endpointOptionsEnforceHttps__c') == 'false' | βοΈ null |
| π’ | test3 | βοΈ 399 | βοΈ setOfText(['Policy-Min-TLS-1-0-2019-07', 'Policy-Min-TLS-1-2-2019-07']).contains(extract('CA10__endpointOptionsTlsSecurityPolicy__c')) | βοΈ null |
| π’ | test4 | βοΈ 499 | βοΈ extract('CA10__endpointOptionsEnforceHttps__c') == 'true' | βοΈ null |
Generation Bundleβ
| File | MD5 | |
|---|---|---|
| Open | /ce/ca/aws/opensearch/domain-tls-policy/policy.yaml | 9A50D8306178E0266DD1F76DC5E2D4D6 |
| Open | /ce/ca/aws/opensearch/domain-tls-policy/prod.logic.yaml | EDB8130055B469782D142C6C256723B0 |
| Open | /ce/ca/aws/opensearch/domain-tls-policy/test-data.json | 839C9C9C9905C167169D704417BDF836 |
| Open | /types/CA10__CaAwsElasticsearchDomain__c/object.extracts.yaml | 0D5B1BE6E92CCF38D456A62B74D84E17 |
Available Commandsβ
repo-manager policies generate FULL /ce/ca/aws/opensearch/domain-tls-policy/prod.logic.yaml
repo-manager policies generate DEBUG /ce/ca/aws/opensearch/domain-tls-policy/prod.logic.yaml
repo-manager policies generate CAPTURE_TEST_DATA /ce/ca/aws/opensearch/domain-tls-policy/prod.logic.yaml
repo-manager policies generate TESTS /ce/ca/aws/opensearch/domain-tls-policy/prod.logic.yaml
# Execute tests
repo-manager policies test /ce/ca/aws/opensearch/domain-tls-policy/prod.logic.yaml
Contentβ
---
inputType: "CA10__CaAwsElasticsearchDomain__c"
testData:
- file: "test-data.json"
importExtracts:
- file: "/types/CA10__CaAwsElasticsearchDomain__c/object.extracts.yaml"
conditions:
- status: "UNDETERMINED"
currentStateMessage: "The Enforce HTTPS endpoint option is not populated in the CMDB."
check:
IS_EMPTY:
arg:
EXTRACT: "CA10__endpointOptionsEnforceHttps__c"
- status: "INCOMPLIANT"
currentStateMessage: "The Enforce HTTPS endpoint option is not enabled."
check:
IS_EQUAL:
left:
EXTRACT: "CA10__endpointOptionsEnforceHttps__c"
right:
TEXT: "false"
- status: "INCOMPLIANT"
currentStateMessage: "The OpenSearch Domain is using an outdated TLS security policy."
remediationMessage: "Update the Domain to the latest TLS security policy."
check:
CONTAINS:
arg:
SET:
itemType: "TEXT"
items:
- "Policy-Min-TLS-1-0-2019-07"
- "Policy-Min-TLS-1-2-2019-07"
search:
EXTRACT: "CA10__endpointOptionsTlsSecurityPolicy__c"
- status: "COMPLIANT"
currentStateMessage: "The OpenSearch domain enforces HTTPS and uses the latest TLS 1.2 security policy."
check:
IS_EQUAL:
left:
EXTRACT: "CA10__endpointOptionsEnforceHttps__c"
right:
TEXT: "true"
otherwise:
status: "UNDETERMINED"
currentStateMessage: "Unexpected values in the fields."