Add opensearch

bridgecrewio · Nov 1, 2024 · 53bd489 · 53bd489
1 parent 2b03a6b
commit 53bd489
Show file tree

Hide file tree

Showing 3 changed files with 44 additions and 0 deletions.
diff --git a/checkov/terraform/checks/graph_checks/aws/SGAttachedToResource.yaml b/checkov/terraform/checks/graph_checks/aws/SGAttachedToResource.yaml
@@ -51,6 +51,8 @@ definition:
         - aws_mwaa_environment
         - aws_neptune_cluster
         - aws_network_interface
+        - aws_opensearch_domain
+        - aws_opensearch_vpc_endpoint
         - aws_quicksight_vpc_connection
         - aws_rds_cluster
         - aws_redshift_cluster

diff --git a/tests/terraform/graph/checks/resources/SGAttachedToResource/expected.yaml b/tests/terraform/graph/checks/resources/SGAttachedToResource/expected.yaml
@@ -38,6 +38,8 @@ pass:
   - "aws_security_group.pass_msk_connect"
   - "aws_security_group.pass_mwaa"
   - "aws_security_group.pass_neptune"
+  - "aws_security_group.pass_opensearch"
+  - "aws_security_group.pass_opensearch_vpc_endpoint"
   - "aws_security_group.pass_quicksight"
   - "aws_security_group.pass_rds"
   - "aws_security_group.pass_rds_cluster"

diff --git a/tests/terraform/graph/checks/resources/SGAttachedToResource/main.tf b/tests/terraform/graph/checks/resources/SGAttachedToResource/main.tf
@@ -766,6 +766,46 @@ resource "aws_neptune_cluster" "pass_neptune" {
   vpc_security_group_ids = [aws_security_group.pass_neptune.id]
 }
 
+# OpenSearch Domain
+
+resource "aws_security_group" "pass_opensearch" {
+  ingress {
+    description = "TLS from VPC"
+    from_port   = 443
+    to_port     = 443
+    protocol    = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+}
+
+resource "aws_opensearch_domain" "pass_opensearch" {
+  domain_name = "opensearch"
+  vpc_options {
+    security_group_ids = [aws_security_group.pass_opensearch.id]
+    subnet_ids         = ["aws_subnet.public_a.id"]
+  }
+}
+
+# OpenSearch VPC Endpoint
+
+resource "aws_security_group" "pass_opensearch_vpc_endpoint" {
+  ingress {
+    description = "TLS from VPC"
+    from_port   = 443
+    to_port     = 443
+    protocol    = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+}
+
+resource "aws_opensearch_vpc_endpoint" "pass_opensearch_vpc_endpoint" {
+  domain_arn = aws_elasticsearch_domain.domain_1.arn
+  vpc_options {
+    security_group_ids = [aws_security_group.pass_opensearch_vpc_endpoint.id]
+    subnet_ids         = [aws_subnet.test.id, aws_subnet.test2.id]
+  }
+}
+
 # Quicksight
 
 resource "aws_security_group" "pass_quicksight" {