fix(domain): update default TLS policy to 2019-07

Change the default value for `tls_security_policy` in domain endpoint
options from "Policy-Min-TLS-1-2-PFS-2023-10" to
"Policy-Min-TLS-1-2-2019-07" across documentation, variables, and
module usage. This ensures compatibility with a broader range of
clients and aligns with AWS recommended defaults.

Author: RoseSecurity

README.md

@@ -204,7 +204,7 @@ No modules.
 | <a name="input_create_cloudwatch_log_resource_policy"></a> [create\_cloudwatch\_log\_resource\_policy](#input\_create\_cloudwatch\_log\_resource\_policy) | Determines whether a resource policy will be created for OpenSearch to log to CloudWatch | `bool` | `true` | no |
 | <a name="input_create_saml_options"></a> [create\_saml\_options](#input\_create\_saml\_options) | Determines whether SAML options will be created | `bool` | `false` | no |
 | <a name="input_create_security_group"></a> [create\_security\_group](#input\_create\_security\_group) | Determines if a security group is created | `bool` | `true` | no |
-| <a name="input_domain_endpoint_options"></a> [domain\_endpoint\_options](#input\_domain\_endpoint\_options) | Configuration block for domain endpoint HTTP(S) related options | `any` | <pre>{<br/>  "enforce_https": true,<br/>  "tls_security_policy": "Policy-Min-TLS-1-2-PFS-2023-10"<br/>}</pre> | no |
+| <a name="input_domain_endpoint_options"></a> [domain\_endpoint\_options](#input\_domain\_endpoint\_options) | Configuration block for domain endpoint HTTP(S) related options | `any` | <pre>{<br/>  "enforce_https": true,<br/>  "tls_security_policy": "Policy-Min-TLS-1-2-2019-07"<br/>}</pre> | no |
 | <a name="input_domain_name"></a> [domain\_name](#input\_domain\_name) | Name of the domain | `string` | `""` | no |
 | <a name="input_ebs_options"></a> [ebs\_options](#input\_ebs\_options) | Configuration block for EBS related options, may be required based on chosen [instance size](https://aws.amazon.com/elasticsearch-service/pricing/) | `any` | <pre>{<br/>  "ebs_enabled": true,<br/>  "volume_size": 64,<br/>  "volume_type": "gp3"<br/>}</pre> | no |
 | <a name="input_enable_access_policy"></a> [enable\_access\_policy](#input\_enable\_access\_policy) | Determines whether an access policy will be applied to the domain | `bool` | `true` | no |

main.tf

@@ -179,7 +179,7 @@ resource "aws_opensearch_domain" "this" {
       custom_endpoint_certificate_arn = try(domain_endpoint_options.value.custom_endpoint_certificate_arn, null)
       custom_endpoint_enabled         = try(domain_endpoint_options.value.custom_endpoint_enabled, null)
       enforce_https                   = try(domain_endpoint_options.value.enforce_https, true)
-      tls_security_policy             = try(domain_endpoint_options.value.tls_security_policy, "Policy-Min-TLS-1-2-PFS-2023-10")
+      tls_security_policy             = try(domain_endpoint_options.value.tls_security_policy, "Policy-Min-TLS-1-2-2019-07")
     }
   }
 

variables.tf

@@ -70,7 +70,7 @@ variable "domain_endpoint_options" {
   type        = any
   default = {
     enforce_https       = true
-    tls_security_policy = "Policy-Min-TLS-1-2-PFS-2023-10"
+    tls_security_policy = "Policy-Min-TLS-1-2-2019-07"
   }
 }
 

wrappers/main.tf

@@ -34,7 +34,7 @@ module "wrapper" {
   create_security_group                 = try(each.value.create_security_group, var.defaults.create_security_group, true)
   domain_endpoint_options = try(each.value.domain_endpoint_options, var.defaults.domain_endpoint_options, {
     enforce_https       = true
-    tls_security_policy = "Policy-Min-TLS-1-2-PFS-2023-10"
+    tls_security_policy = "Policy-Min-TLS-1-2-2019-07"
   })
   domain_name = try(each.value.domain_name, var.defaults.domain_name, "")
   ebs_options = try(each.value.ebs_options, var.defaults.ebs_options, {