Skip to content

fix(searchable): enforce TLS 1.2 on Elasticsearch domains (v1 transformer)#3456

Merged
sarayev merged 2 commits into
release-api-plugin-stablefrom
category-api/opensearch-tls-1-2-v1-transformer
Apr 13, 2026
Merged

fix(searchable): enforce TLS 1.2 on Elasticsearch domains (v1 transformer)#3456
sarayev merged 2 commits into
release-api-plugin-stablefrom
category-api/opensearch-tls-1-2-v1-transformer

Conversation

@sarayev
Copy link
Copy Markdown
Contributor

@sarayev sarayev commented Apr 1, 2026

Description

The v1 graphql-elasticsearch-transformer creates Elasticsearch domains without any DomainEndpointOptions — no EnforceHTTPS, no TLSSecurityPolicy. AWS is deprecating TLS 1.0/1.1 support on April 20, 2026.

Adds DomainEndpointOptions with TLSSecurityPolicy: Policy-Min-TLS-1-2-2019-07 to the domain. Does NOT add EnforceHTTPS to avoid breaking customers currently using HTTP.

Uses as any cast because cloudform-types@4.2.0 lacks the DomainEndpointOptions type, but CloudFormation supports it.

Related: aws-amplify/amplify-cli#14329

Changes

  • packages/graphql-elasticsearch-transformer/src/resources.ts — Added DomainEndpointOptions with TLSSecurityPolicy to makeElasticsearchDomain()
  • packages/graphql-elasticsearch-transformer/src/__tests__/SearchableModelTransformer.test.ts — Added TLS 1.2 assertion test

CDK / CloudFormation Parameters Changed

AWS::Elasticsearch::DomainDomainEndpointOptions.TLSSecurityPolicy set to Policy-Min-TLS-1-2-2019-07 (previously no DomainEndpointOptions at all)

Validation

  • Unit tests: 7/7 pass
  • E2E: batch 406490ab — 69/82 passed, all 3 searchable tests passed, failures are pre-existing (auth/schema)
  • Companion V2 fix: category-api/opensearch-tls-1-2-support (PR against main)

Checklist

  • yarn test passes
  • Tests are changed or added
  • CDK/CloudFormation parameter changes called out
  • E2E test run linked

@sarayev sarayev force-pushed the category-api/opensearch-tls-1-2-v1-transformer branch from 9e8b233 to aa6574f Compare April 7, 2026 09:33
@sarayev sarayev force-pushed the category-api/opensearch-tls-1-2-v1-transformer branch from aa6574f to efc59a2 Compare April 10, 2026 08:15
@sarayev sarayev marked this pull request as ready for review April 10, 2026 15:46
@sarayev sarayev requested review from a team as code owners April 10, 2026 15:46
svidgen
svidgen approved these changes Apr 10, 2026
View reviewed changes
Comment thread packages/graphql-elasticsearch-transformer/src/resources.ts
VolumeSize: Fn.Ref(ResourceConstants.PARAMETERS.ElasticsearchEBSVolumeGB),
},
});
} as any);
Copy link
Copy Markdown
Member

@svidgen svidgen Apr 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🫣

@sarayev sarayev merged commit e5c320f into release-api-plugin-stable Apr 13, 2026
6 of 7 checks passed
@sarayev sarayev deleted the category-api/opensearch-tls-1-2-v1-transformer branch April 13, 2026 08:30
@sarayev sarayev mentioned this pull request Apr 14, 2026
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@svidgen svidgen svidgen approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@sarayev @svidgen