fix(searchable): enforce TLS 1.2 on OpenSearch domains (v1 transformer)

sarayev · sarayev · commit efc59a23a12d · 2026-04-10T08:15:25.000Z
diff --git a/packages/graphql-elasticsearch-transformer/src/__tests__/SearchableModelTransformer.test.ts b/packages/graphql-elasticsearch-transformer/src/__tests__/SearchableModelTransformer.test.ts
@@ -145,3 +145,35 @@ test('SearchableModelTransformer with external versioning', () => {
   expect(out.resolvers[expectedSearchResponseResolver]).toBeDefined();
   expect(out.resolvers[expectedSearchResponseResolver]).toMatchSnapshot();
 });
+
+describe('Elasticsearch domain TLS configuration', () => {
+  test('enforces HTTPS with TLS 1.2 on the Elasticsearch domain', () => {
+    const validSchema = `
+      type Post @model @searchable {
+        id: ID!
+        title: String!
+        createdAt: String
+        updatedAt: String
+      }
+    `;
+    const transformer = new GraphQLTransform({
+      transformers: [new DynamoDBModelTransformer(), new SearchableModelTransformer()],
+      featureFlags,
+    });
+    const out = transformer.transform(validSchema);
+    expect(out).toBeDefined();
+
+    const searchableStack = out.stacks['SearchableStack'];
+    expect(searchableStack).toBeDefined();
+    expect(searchableStack.Resources).toBeDefined();
+
+    const esDomain = searchableStack.Resources!['ElasticSearchDomain'];
+    expect(esDomain).toBeDefined();
+    expect(esDomain.Type).toEqual('AWS::Elasticsearch::Domain');
+
+    const domainEndpointOptions = esDomain.Properties.DomainEndpointOptions;
+    expect(domainEndpointOptions).toBeDefined();
+    expect(domainEndpointOptions.EnforceHTTPS).toBeUndefined();
+    expect(domainEndpointOptions.TLSSecurityPolicy).toBe('Policy-Min-TLS-1-2-2019-07');
+  });
+});
diff --git a/packages/graphql-elasticsearch-transformer/src/resources.ts b/packages/graphql-elasticsearch-transformer/src/resources.ts
@@ -494,6 +494,9 @@ export class ResourceFactory {
     return new Elasticsearch.Domain({
       DomainName: this.domainName(),
       ElasticsearchVersion: '6.2',
+      DomainEndpointOptions: {
+        TLSSecurityPolicy: 'Policy-Min-TLS-1-2-2019-07',
+      },
       ElasticsearchClusterConfig: {
         ZoneAwarenessEnabled: false,
         InstanceCount: Fn.Ref(ResourceConstants.PARAMETERS.ElasticsearchInstanceCount),
@@ -504,7 +507,7 @@ export class ResourceFactory {
         VolumeType: 'gp2',
         VolumeSize: Fn.Ref(ResourceConstants.PARAMETERS.ElasticsearchEBSVolumeGB),
       },
-    });
+    } as any);
   }
 
   /**
