fix: update default TLS policy to Policy-Min-TLS-1-2-PFS-2023-10

RoseSecurity · RoseSecurity · commit c5c121d0e5b2 · 2025-10-23T11:43:45.000-04:00
Updated the default value for `tls_security_policy` in domain endpoint
options from "Policy-Min-TLS-1-2-2019-07" to
"Policy-Min-TLS-1-2-PFS-2023-10" in variables, wrapper, and documentation.
Also added `domain_name` output to the complete example README for
consistency.
diff --git a/README.md b/README.md
@@ -204,7 +204,7 @@ No modules.
 | <a name="input_create_cloudwatch_log_resource_policy"></a> [create\_cloudwatch\_log\_resource\_policy](#input\_create\_cloudwatch\_log\_resource\_policy) | Determines whether a resource policy will be created for OpenSearch to log to CloudWatch | `bool` | `true` | no |
 | <a name="input_create_saml_options"></a> [create\_saml\_options](#input\_create\_saml\_options) | Determines whether SAML options will be created | `bool` | `false` | no |
 | <a name="input_create_security_group"></a> [create\_security\_group](#input\_create\_security\_group) | Determines if a security group is created | `bool` | `true` | no |
-| <a name="input_domain_endpoint_options"></a> [domain\_endpoint\_options](#input\_domain\_endpoint\_options) | Configuration block for domain endpoint HTTP(S) related options | `any` | <pre>{<br/>  "enforce_https": true,<br/>  "tls_security_policy": "Policy-Min-TLS-1-2-2019-07"<br/>}</pre> | no |
+| <a name="input_domain_endpoint_options"></a> [domain\_endpoint\_options](#input\_domain\_endpoint\_options) | Configuration block for domain endpoint HTTP(S) related options | `any` | <pre>{<br/>  "enforce_https": true,<br/>  "tls_security_policy": "Policy-Min-TLS-1-2-PFS-2023-10"<br/>}</pre> | no |
 | <a name="input_domain_name"></a> [domain\_name](#input\_domain\_name) | Name of the domain | `string` | `""` | no |
 | <a name="input_ebs_options"></a> [ebs\_options](#input\_ebs\_options) | Configuration block for EBS related options, may be required based on chosen [instance size](https://aws.amazon.com/elasticsearch-service/pricing/) | `any` | <pre>{<br/>  "ebs_enabled": true,<br/>  "volume_size": 64,<br/>  "volume_type": "gp3"<br/>}</pre> | no |
 | <a name="input_enable_access_policy"></a> [enable\_access\_policy](#input\_enable\_access\_policy) | Determines whether an access policy will be applied to the domain | `bool` | `true` | no |
diff --git a/examples/complete/README.md b/examples/complete/README.md
@@ -61,6 +61,7 @@ No inputs.
 | <a name="output_domain_dashboard_endpoint"></a> [domain\_dashboard\_endpoint](#output\_domain\_dashboard\_endpoint) | Domain-specific endpoint for Dashboard without https scheme |
 | <a name="output_domain_endpoint"></a> [domain\_endpoint](#output\_domain\_endpoint) | Domain-specific endpoint used to submit index, search, and data upload requests |
 | <a name="output_domain_id"></a> [domain\_id](#output\_domain\_id) | The unique identifier for the domain |
+| <a name="output_domain_name"></a> [domain\_name](#output\_domain\_name) | The name of the domain |
 | <a name="output_outbound_connections"></a> [outbound\_connections](#output\_outbound\_connections) | Map of outbound connections created and their attributes |
 | <a name="output_package_associations"></a> [package\_associations](#output\_package\_associations) | Map of package associations created and their attributes |
 | <a name="output_security_group_arn"></a> [security\_group\_arn](#output\_security\_group\_arn) | Amazon Resource Name (ARN) of the security group |
diff --git a/variables.tf b/variables.tf
@@ -70,7 +70,7 @@ variable "domain_endpoint_options" {
   type        = any
   default = {
     enforce_https       = true
-    tls_security_policy = "Policy-Min-TLS-1-2-2019-07"
+    tls_security_policy = "Policy-Min-TLS-1-2-PFS-2023-10"
   }
 }
 
diff --git a/wrappers/main.tf b/wrappers/main.tf
@@ -34,7 +34,7 @@ module "wrapper" {
   create_security_group                 = try(each.value.create_security_group, var.defaults.create_security_group, true)
   domain_endpoint_options = try(each.value.domain_endpoint_options, var.defaults.domain_endpoint_options, {
     enforce_https       = true
-    tls_security_policy = "Policy-Min-TLS-1-2-2019-07"
+    tls_security_policy = "Policy-Min-TLS-1-2-PFS-2023-10"
   })
   domain_name = try(each.value.domain_name, var.defaults.domain_name, "")
   ebs_options = try(each.value.ebs_options, var.defaults.ebs_options, {

Original file line number	Diff line number	Diff line change
`@@ -70,7 +70,7 @@ variable "domain_endpoint_options" {`
`70`	`70`	`type = any`
`71`	`71`	`default = {`
`72`	`72`	`enforce_https = true`
`73`		`- tls_security_policy = "Policy-Min-TLS-1-2-2019-07"`
	`73`	`+ tls_security_policy = "Policy-Min-TLS-1-2-PFS-2023-10"`
`74`	`74`	`}`
`75`	`75`	`}`
`76`	`76`