From 66021f25c421948e62f2d81f30979769b9a4e6ca Mon Sep 17 00:00:00 2001
From: RoseSecurity
Date: Thu, 23 Oct 2025 11:20:32 -0400
Subject: [PATCH 1/5] feat(opensearch): update TLS policy and add domain_name output
- Changed the default TLS security policy for the OpenSearch domain to "Policy-Min-TLS-1-2-PFS-2023-10" for improved security.
- Added a new output "domain_name" to expose the OpenSearch domain name.
---
 main.tf | 2 +-
 outputs.tf | 5 +++++
 2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/main.tf b/main.tf
index 963e007..73096eb 100644
--- a/main.tf
+++ b/main.tf
@@ -179,7 +179,7 @@ resource "aws_opensearch_domain" "this" {
 custom_endpoint_certificate_arn = try(domain_endpoint_options.value.custom_endpoint_certificate_arn, null)
 custom_endpoint_enabled = try(domain_endpoint_options.value.custom_endpoint_enabled, null)
 enforce_https = try(domain_endpoint_options.value.enforce_https, true)
- tls_security_policy = try(domain_endpoint_options.value.tls_security_policy, "Policy-Min-TLS-1-2-2019-07")
+ tls_security_policy = try(domain_endpoint_options.value.tls_security_policy, "Policy-Min-TLS-1-2-PFS-2023-10")
 }
 }
diff --git a/outputs.tf b/outputs.tf
index eb706de..0b29754 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -12,6 +12,11 @@ output "domain_id" {
 value = try(aws_opensearch_domain.this[0].domain_id, null)
 }
+output "domain_name" {
+ description = "The name of the domain"
+ value = try(aws_opensearch_domain.this[0].domain_name, null)
+}
+
 output "domain_endpoint" {
 description = "Domain-specific endpoint used to submit index, search, and data upload requests"
 value = try(aws_opensearch_domain.this[0].endpoint, null)
From 8551dc72b7132bda3d943cb2b556e98441aa00e5 Mon Sep 17 00:00:00 2001
From: RoseSecurity
Date: Thu, 23 Oct 2025 11:23:28 -0400
Subject: [PATCH 2/5] chore: update docs
---
 README.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/README.md b/README.md
index ae38348..b0d1eee 100644
--- a/README.md
+++ b/README.md
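Review bot: The fallback literal in `tls_security_policy = try(domain_endpoint_options.value.tls_security_policy, "Policy-Min-TLS-1-2-PFS-2023-10")` is a separate copy of the module default from the `default` block in variables.tf and the wrapper's `try(..., { ... })` in wrappers/main.tf, and this patch changes only the main.tf copy, so the three disagree until PATCH 4 realigns them (and PATCH 5 reverts all three). This copy is the one that actually takes effect whenever a caller passes `domain_endpoint_options` without a `tls_security_policy` key, because `try()` then falls through to the literal rather than to the variable default, so drift between the copies changes the applied policy without any change in variables.tf. Since a variable default must stay a literal, the cheapest guard is a comment on this line, `# Keep in sync with the defaults in variables.tf and wrappers/main.tf`, so a future policy change touches all three. The `dynamic "domain_endpoint_options"` block and the enclosing resource begin outside the hunk.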
@@ -241,6 +241,7 @@ No modules.
 | [domain\_endpoint\_v2](#output\_domain\_endpoint\_v2) | V2 domain endpoint that works with both IPv4 and IPv6 addresses, used to submit index, search, and data upload requests |
 | [domain\_endpoint\_v2\_hosted\_zone\_id](#output\_domain\_endpoint\_v2\_hosted\_zone\_id) | Dual stack hosted zone ID for the domain. |
 | [domain\_id](#output\_domain\_id) | The unique identifier for the domain |
+| [domain\_name](#output\_domain\_name) | The name of the domain |
 | [outbound\_connections](#output\_outbound\_connections) | Map of outbound connections created and their attributes |
 | [package\_associations](#output\_package\_associations) | Map of package associations created and their attributes |
 | [security\_group\_arn](#output\_security\_group\_arn) | Amazon Resource Name (ARN) of the security group |
From fae1aff79ad42e11ec97e8e4397a4210125e1288 Mon Sep 17 00:00:00 2001
From: RoseSecurity
Date: Thu, 23 Oct 2025 11:30:48 -0400
Subject: [PATCH 3/5] chore: update examples
---
 examples/complete/outputs.tf | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/examples/complete/outputs.tf b/examples/complete/outputs.tf
index e5d300d..0b2a0f5 100644
--- a/examples/complete/outputs.tf
+++ b/examples/complete/outputs.tf
@@ -12,6 +12,11 @@ output "domain_id" {
 value = module.opensearch.domain_id
 }
+output "domain_name" {
+ description = "The name of the domain"
+ value = module.opensearch.domain_name
+}
+
 output "domain_endpoint" {
 description = "Domain-specific endpoint used to submit index, search, and data upload requests"
 value = module.opensearch.domain_endpoint
From c5c121d0e5b23ffcc5e896ddeb5bd467acf689ad Mon Sep 17 00:00:00 2001
From: RoseSecurity
Date: Thu, 23 Oct 2025 11:43:45 -0400
Subject: [PATCH 4/5] fix: update default TLS policy to Policy-Min-TLS-1-2-PFS-2023-10
Updated the default value for `tls_security_policy` in domain endpoint options from "Policy-Min-TLS-1-2-2019-07" to "Policy-Min-TLS-1-2-PFS-2023-10" in variables, wrapper, and documentation. Also added `domain_name` output to the complete example README for consistency.
---
 README.md | 2 +-
 examples/complete/README.md | 1 +
 variables.tf | 2 +-
 wrappers/main.tf | 2 +-
 4 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/README.md b/README.md
index b0d1eee..ccb4349 100644
--- a/README.md
+++ b/README.md
@@ -204,7 +204,7 @@ No modules.
 | [create\_cloudwatch\_log\_resource\_policy](#input\_create\_cloudwatch\_log\_resource\_policy) | Determines whether a resource policy will be created for OpenSearch to log to CloudWatch | `bool` | `true` | no |
 | [create\_saml\_options](#input\_create\_saml\_options) | Determines whether SAML options will be created | `bool` | `false` | no |
 | [create\_security\_group](#input\_create\_security\_group) | Determines if a security group is created | `bool` | `true` | no |
-| [domain\_endpoint\_options](#input\_domain\_endpoint\_options) | Configuration block for domain endpoint HTTP(S) related options | `any` |
{
"enforce_https": true,
"tls_security_policy": "Policy-Min-TLS-1-2-2019-07"
}
| no | +| [domain\_endpoint\_options](#input\_domain\_endpoint\_options) | Configuration block for domain endpoint HTTP(S) related options | `any` |
{
"enforce_https": true,
"tls_security_policy": "Policy-Min-TLS-1-2-PFS-2023-10"
}
| no | | [domain\_name](#input\_domain\_name) | Name of the domain | `string` | `""` | no | | [ebs\_options](#input\_ebs\_options) | Configuration block for EBS related options, may be required based on chosen [instance size](https://aws.amazon.com/elasticsearch-service/pricing/) | `any` |
{
"ebs_enabled": true,
"volume_size": 64,
"volume_type": "gp3"
}
| no |
 | [enable\_access\_policy](#input\_enable\_access\_policy) | Determines whether an access policy will be applied to the domain | `bool` | `true` | no |
diff --git a/examples/complete/README.md b/examples/complete/README.md
index f7709ed..2b33bc3 100644
--- a/examples/complete/README.md
+++ b/examples/complete/README.md
@@ -61,6 +61,7 @@ No inputs.
 | [domain\_dashboard\_endpoint](#output\_domain\_dashboard\_endpoint) | Domain-specific endpoint for Dashboard without https scheme |
 | [domain\_endpoint](#output\_domain\_endpoint) | Domain-specific endpoint used to submit index, search, and data upload requests |
 | [domain\_id](#output\_domain\_id) | The unique identifier for the domain |
+| [domain\_name](#output\_domain\_name) | The name of the domain |
 | [outbound\_connections](#output\_outbound\_connections) | Map of outbound connections created and their attributes |
 | [package\_associations](#output\_package\_associations) | Map of package associations created and their attributes |
 | [security\_group\_arn](#output\_security\_group\_arn) | Amazon Resource Name (ARN) of the security group |
diff --git a/variables.tf b/variables.tf
index 3471c80..1142ebd 100644
--- a/variables.tf
+++ b/variables.tf
@@ -70,7 +70,7 @@ variable "domain_endpoint_options" {
 type = any
 default = {
 enforce_https = true
- tls_security_policy = "Policy-Min-TLS-1-2-2019-07"
+ tls_security_policy = "Policy-Min-TLS-1-2-PFS-2023-10"
 }
 }
diff --git a/wrappers/main.tf b/wrappers/main.tf
index 0f01f9f..3282384 100644
--- a/wrappers/main.tf
+++ b/wrappers/main.tf
@@ -34,7 +34,7 @@ module "wrapper" {
 create_security_group = try(each.value.create_security_group, var.defaults.create_security_group, true)
 domain_endpoint_options = try(each.value.domain_endpoint_options, var.defaults.domain_endpoint_options, {
 enforce_https = true
- tls_security_policy = "Policy-Min-TLS-1-2-2019-07"
+ tls_security_policy = "Policy-Min-TLS-1-2-PFS-2023-10"
 })
 domain_name = try(each.value.domain_name, var.defaults.domain_name, "")
 ebs_options = try(each.value.ebs_options, var.defaults.ebs_options, {
From 9b4c04ee767527d44f70b2145499ee4f3f089746 Mon Sep 17 00:00:00 2001
From: RoseSecurity
Date: Thu, 23 Oct 2025 11:46:15 -0400
Subject: [PATCH 5/5] fix(domain): update default TLS policy to 2019-07
Change the default value for `tls_security_policy` in domain endpoint options from "Policy-Min-TLS-1-2-PFS-2023-10" to "Policy-Min-TLS-1-2-2019-07" across documentation, variables, and module usage. This ensures compatibility with a broader range of clients and aligns with AWS recommended defaults.
---
 README.md | 2 +-
 main.tf | 2 +-
 variables.tf | 2 +-
 wrappers/main.tf | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/README.md b/README.md
index ccb4349..b0d1eee 100644
--- a/README.md
+++ b/README.md
@@ -204,7 +204,7 @@ No modules.
 | [create\_cloudwatch\_log\_resource\_policy](#input\_create\_cloudwatch\_log\_resource\_policy) | Determines whether a resource policy will be created for OpenSearch to log to CloudWatch | `bool` | `true` | no |
 | [create\_saml\_options](#input\_create\_saml\_options) | Determines whether SAML options will be created | `bool` | `false` | no |
 | [create\_security\_group](#input\_create\_security\_group) | Determines if a security group is created | `bool` | `true` | no |
-| [domain\_endpoint\_options](#input\_domain\_endpoint\_options) | Configuration block for domain endpoint HTTP(S) related options | `any` |
{
"enforce_https": true,
"tls_security_policy": "Policy-Min-TLS-1-2-PFS-2023-10"
}
| no | +| [domain\_endpoint\_options](#input\_domain\_endpoint\_options) | Configuration block for domain endpoint HTTP(S) related options | `any` |
{
"enforce_https": true,
"tls_security_policy": "Policy-Min-TLS-1-2-2019-07"
}
| no | | [domain\_name](#input\_domain\_name) | Name of the domain | `string` | `""` | no | | [ebs\_options](#input\_ebs\_options) | Configuration block for EBS related options, may be required based on chosen [instance size](https://aws.amazon.com/elasticsearch-service/pricing/) | `any` |
{
"ebs_enabled": true,
"volume_size": 64,
"volume_type": "gp3"
}
| no |
 | [enable\_access\_policy](#input\_enable\_access\_policy) | Determines whether an access policy will be applied to the domain | `bool` | `true` | no |
diff --git a/main.tf b/main.tf
index 73096eb..963e007 100644
--- a/main.tf
+++ b/main.tf
@@ -179,7 +179,7 @@ resource "aws_opensearch_domain" "this" {
 custom_endpoint_certificate_arn = try(domain_endpoint_options.value.custom_endpoint_certificate_arn, null)
 custom_endpoint_enabled = try(domain_endpoint_options.value.custom_endpoint_enabled, null)
 enforce_https = try(domain_endpoint_options.value.enforce_https, true)
- tls_security_policy = try(domain_endpoint_options.value.tls_security_policy, "Policy-Min-TLS-1-2-PFS-2023-10")
+ tls_security_policy = try(domain_endpoint_options.value.tls_security_policy, "Policy-Min-TLS-1-2-2019-07")
 }
 }
diff --git a/variables.tf b/variables.tf
index 1142ebd..3471c80 100644
--- a/variables.tf
+++ b/variables.tf
@@ -70,7 +70,7 @@ variable "domain_endpoint_options" {
 type = any
 default = {
 enforce_https = true
- tls_security_policy = "Policy-Min-TLS-1-2-PFS-2023-10"
+ tls_security_policy = "Policy-Min-TLS-1-2-2019-07"
 }
 }
diff --git a/wrappers/main.tf b/wrappers/main.tf
index 3282384..0f01f9f 100644
--- a/wrappers/main.tf
+++ b/wrappers/main.tf
@@ -34,7 +34,7 @@ module "wrapper" {
 create_security_group = try(each.value.create_security_group, var.defaults.create_security_group, true)
 domain_endpoint_options = try(each.value.domain_endpoint_options, var.defaults.domain_endpoint_options, {
 enforce_https = true
- tls_security_policy = "Policy-Min-TLS-1-2-PFS-2023-10"
+ tls_security_policy = "Policy-Min-TLS-1-2-2019-07"
 })
 domain_name = try(each.value.domain_name, var.defaults.domain_name, "")
 ebs_options = try(each.value.ebs_options, var.defaults.ebs_options, {
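Review bot: Reverting the `try()` fallback in main.tf to `"Policy-Min-TLS-1-2-2019-07"` (and the matching defaults in the variables.tf and wrappers/main.tf hunks of this same commit) puts the module's effective default back on a policy whose name, unlike the 2023-10 one, carries no PFS restriction, while nothing in the series shows which clients broke or which AWS document names 2019-07 as the recommended default, so the commit message's justification should cite its source or be dropped. The weaker literal is applied silently: a caller who passes `domain_endpoint_options` with only `enforce_https` gets it from the main.tf `try()` without ever seeing the variables.tf default. At minimum the `domain_endpoint_options` variable description in variables.tf should state the resulting default and that callers wanting forward-secret cipher suites must set `tls_security_policy = "Policy-Min-TLS-1-2-PFS-2023-10"` explicitly. Taken together, PATCH 1/4/5 leave the TLS default unchanged, so the series title "update TLS policy" no longer describes the result; the only net change is the `domain_name` output. The enclosing `dynamic` block and resource in main.tf begin outside the hunk.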