CloudFormation Guard rules template for AWS OpenSearch resources
The following rules are included:
# Every AWS::OpenSearchService::Domain resource in the template. Each rule
# below is gated with `when %opensearch_domains !empty`, so a template that
# declares no such resource is not evaluated by these rules (they are skipped
# rather than failed).
# NOTE(review): only the OpenSearchService resource type is selected; a
# template that still declares the legacy AWS::Elasticsearch::Domain type is
# outside the scope of every rule here — confirm that is intended.
let opensearch_domains = Resources.*[
  Type == "AWS::OpenSearchService::Domain"
]
# Encryption at rest must be explicitly enabled on every domain.
# The first clause fails (rather than skips) when the block is absent, so an
# omitted EncryptionAtRestOptions is reported instead of silently accepted;
# the nested `when` then only inspects Enabled once the block is present.
# NOTE(review): only the Enabled flag is asserted — nothing is required of
# KmsKeyId, so a domain using the AWS-owned key passes; add a clause if a
# customer-managed key is mandated.
rule es_encrypted_storage when %opensearch_domains !empty {
  %opensearch_domains {
    Properties {
      EncryptionAtRestOptions exists <<EncryptionAtRestOptions is not configured. (i.e. disabled)>>
      when EncryptionAtRestOptions exists {
        EncryptionAtRestOptions {
          Enabled == true <<Encryption at rest is disabled.>>
        }
      }
    }
  }
}
# Node-to-node (intra-cluster) encryption must be explicitly enabled.
# Same shape as es_encrypted_storage: an absent NodeToNodeEncryptionOptions
# block fails the first clause; the Enabled check only runs when it exists.
# Note that this covers traffic between cluster nodes only — client-facing
# TLS is the subject of es_require_https.
rule es_encrypted_intransit when %opensearch_domains !empty {
  %opensearch_domains {
    Properties {
      NodeToNodeEncryptionOptions exists <<NodeToNodeEncryptionOptions is not configured. (i.e. disabled)>>
      when NodeToNodeEncryptionOptions exists {
        NodeToNodeEncryptionOptions {
          Enabled == true <<Encryption in transit is disabled.>>
        }
      }
    }
  }
}
# Client traffic to the domain endpoint must be forced over HTTPS.
# Two levels of `exists` gating: the DomainEndpointOptions block, then the
# EnforceHTTPS key inside it, each reported separately when missing.
# NOTE(review): the rule asserts EnforceHTTPS only; the minimum TLS version
# (DomainEndpointOptions.TLSSecurityPolicy) is not constrained, so a domain
# accepting older TLS versions still passes — add a clause if a minimum
# policy is required.
rule es_require_https when %opensearch_domains !empty {
  %opensearch_domains {
    Properties {
      DomainEndpointOptions exists <<DomainEndpointOptions is not configured. (i.e. disabled)>>
      when DomainEndpointOptions exists {
        DomainEndpointOptions {
          EnforceHTTPS exists <<EnforceHTTPS is not configured. (i.e. disabled)>>
          when EnforceHTTPS exists {
            EnforceHTTPS == true <<Enforce HTTPS is disabled.>>
          }
        }
      }
    }
  }
}
# Amazon Cognito authentication must be enabled on the domain.
# This encodes a policy choice (Cognito as the identity source for the
# domain's Dashboards sign-in); organisations using another identity
# mechanism would need to adapt or drop this rule.
# NOTE(review): only CognitoOptions.Enabled is asserted; the UserPoolId,
# IdentityPoolId and RoleArn it relies on are not validated here.
rule es_cognito_enabled when %opensearch_domains !empty {
  %opensearch_domains {
    Properties {
      CognitoOptions exists <<CognitoOptions is not configured. (i.e. disabled)>>
      when CognitoOptions exists {
        CognitoOptions {
          Enabled == true <<Cognito is disabled.>>
        }
      }
    }
  }
}
# The internal user database of fine-grained access control must be enabled.
# Gated twice: the AdvancedSecurityOptions block must exist, then the
# InternalUserDatabaseEnabled key within it, before the value is compared.
# NOTE(review): this rule checks the internal-user-database flag but never
# asserts AdvancedSecurityOptions.Enabled, i.e. fine-grained access control
# itself; a template that sets InternalUserDatabaseEnabled without enabling
# advanced security would pass here — confirm whether that is acceptable or
# whether an `Enabled == true` clause belongs alongside.
rule es_internal_user_database when %opensearch_domains !empty {
  %opensearch_domains {
    Properties {
      AdvancedSecurityOptions exists <<AdvancedSecurityOptions is not configured. (i.e. disabled)>>
      when AdvancedSecurityOptions exists {
        AdvancedSecurityOptions {
          InternalUserDatabaseEnabled exists <<InternalUserDatabaseEnabled is not configured. (i.e. disabled)>>
          when InternalUserDatabaseEnabled exists {
            InternalUserDatabaseEnabled == true <<Internal user database is disabled.>>
          }
        }
      }
    }
  }
}
# Search-slow, index-slow and application logs must all be published.
# Each of the three log options must be present (three separate failure
# messages), and the `when` that follows lists the three `exists`
# conditions on consecutive lines, which Guard joins as a conjunction — the
# Enabled checks therefore run only when all three blocks are declared.
# NOTE(review): only Enabled is asserted per log type; the destination
# (CloudWatchLogsLogGroupArn) is not validated, so an enabled option with a
# missing or wrong log group is not caught by this rule.
rule es_logging_enabled when %opensearch_domains !empty {
  %opensearch_domains {
    Properties {
      LogPublishingOptions exists <<LogPublishingOptions is not configured. (i.e. disabled)>>
      when LogPublishingOptions exists {
        LogPublishingOptions {
          SEARCH_SLOW_LOGS exists <<SEARCH_SLOW_LOGS is not configured. (i.e. disabled)>>
          ES_APPLICATION_LOGS exists <<ES_APPLICATION_LOGS is not configured. (i.e. disabled)>>
          INDEX_SLOW_LOGS exists << INDEX_SLOW_LOGS is not configured. (i.e. disabled)>>
          when SEARCH_SLOW_LOGS exists
               ES_APPLICATION_LOGS exists
               INDEX_SLOW_LOGS exists {
            SEARCH_SLOW_LOGS {
              Enabled == true <<SEARCH_SLOW_LOGS is disabled.>>
            }
            ES_APPLICATION_LOGS {
              Enabled == true <<ES_APPLICATION_LOGS is disabled.>>
            }
            INDEX_SLOW_LOGS {
              Enabled == true <<INDEX_SLOW_LOGS is disabled.>>
            }
          }
        }
      }
    }
  }
}
# Audit logs must be published, separately from the operational logs checked
# by es_logging_enabled so that each can be reported (or waived) on its own.
# Gated on LogPublishingOptions and then on the AUDIT_LOGS entry existing.
# NOTE(review): audit logging in OpenSearch Service depends on fine-grained
# access control being enabled, which this rule does not verify — a template
# can satisfy this rule and still fail to deploy; confirm the dependency
# against the service documentation.
rule es_audit_logging_enabled when %opensearch_domains !empty {
  %opensearch_domains {
    Properties {
      LogPublishingOptions exists <<LogPublishingOptions is not configured. (i.e. disabled)>>
      when LogPublishingOptions exists {
        LogPublishingOptions {
          AUDIT_LOGS exists <<AUDIT_LOGS is not configured. (i.e. disabled)>>
          when AUDIT_LOGS exists {
            AUDIT_LOGS {
              Enabled == true <<AUDIT_LOGS is disabled.>>
            }
          }
        }
      }
    }
  }
}
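# The domain must be VPC-attached rather than exposed on a public endpoint.
# A bare `VPCOptions exists` is satisfied by an empty block, so once the block
# is present the rule additionally requires a non-empty SubnetIds list,
# following the `exists` / `when exists` pattern used by the other rules in
# this template. The original message for a missing VPCOptions is unchanged.
rule es_in_vpc when %opensearch_domains !empty {
  %opensearch_domains {
    Properties {
      VPCOptions exists <<VPCOptions is not configured. (i.e. disabled)>>
      when VPCOptions exists {
        VPCOptions {
          SubnetIds exists <<VPCOptions.SubnetIds is not configured. (i.e. no VPC subnet is attached)>>
          when SubnetIds exists {
            SubnetIds !empty <<VPCOptions.SubnetIds is empty.>>
          }
        }
      }
    }
  }
}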
# Availability rule: the data-node count must be at least 3.
# The failure messages spell out why an absent block or key is treated as a
# violation (the service default is a single instance, per the messages).
# NOTE(review): the comparison is made against the literal value in the
# template; an InstanceCount supplied via a parameter reference is not
# resolved here — confirm how such templates should be reported. Zone
# awareness (ClusterConfig.ZoneAwarenessEnabled) is not asserted, so three
# nodes in a single AZ still pass.
rule es_least_3_nodes when %opensearch_domains !empty {
  %opensearch_domains {
    Properties {
      ClusterConfig exists <<ClusterConfig is not configured. (Instance count defaults to 1)>>
      when ClusterConfig exists {
        ClusterConfig {
          InstanceCount exists <<InstanceCount is not configured. (Defaults to 1)>>
          when InstanceCount exists {
            InstanceCount >= 3 <<InstanceCount is less than 3.>>
          }
        }
      }
    }
  }
}