rspec/rules/S4423/python/how-to-fix-it/aws-cdk.adoc

== How to fix it in AWS CDK

=== Code examples

==== Noncompliant code example

[source,python,diff-id=1,diff-type=noncompliant]
----
from aws_cdk.aws_apigateway import DomainName, SecurityPolicy

class ExampleStack(Stack):
    def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:
        super().__init__(scope, construct_id, **kwargs)
        DomainName(self, "example",
            domain_name="example.com",
            certificate=certificate,
            security_policy=SecurityPolicy.TLS_1_0 # Noncompliant
        )
----

By default, AWS's OpenSearch service `CfnDomains` enables TLS 1.0, a weak
cryptographic algorithm.

[source,python,diff-id=2,diff-type=noncompliant]
----
from aws_cdk.aws_opensearchservice import CfnDomain, EngineVersion

class ExampleStack(Stack):
    def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:
        super().__init__(scope, construct_id, **kwargs)
        CfnDomain(self, "example",
            version=EngineVersion.OPENSEARCH_1_3
        ) # Noncompliant
----

==== Compliant solution

[source,python,diff-id=1,diff-type=compliant]
----
from aws_cdk.aws_apigateway import DomainName, SecurityPolicy

class ExampleStack(Stack):
    def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:
        super().__init__(scope, construct_id, **kwargs)
        DomainName(self, "example",
            domain_name="example.com",
            certificate=certificate,
            security_policy=SecurityPolicy.TLS_1_2
        )
----

[source,python,diff-id=2,diff-type=compliant]
----
from aws_cdk.aws_opensearchservice import CfnDomain, EngineVersion
class ExampleStack(Stack):
    def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:
        super().__init__(scope, construct_id, **kwargs)
        CfnDomain(self, "example",
            version=EngineVersion.OPENSEARCH_1_3
            domain_endpoint_options=CfnDomain.DomainEndpointOptionsProperty(
                tls_security_policy="Policy-Min-TLS-1-2-2019-07"
            )
        )
----
=== How does this work?

include::../../common/fix/fix.adoc[]
Modify S4423: Learn-As-You-Code Migration (#2097) Co-authored-by: hendrik-buchwald-sonarsource <64110887+hendrik-buchwald-sonarsource@users.noreply.github.com> 2023-06-20 17:36:01 +02:00			`== How to fix it in AWS CDK`

			`=== Code examples`

			`==== Noncompliant code example`

			`[source,python,diff-id=1,diff-type=noncompliant]`
			`----`
			`from aws_cdk.aws_apigateway import DomainName, SecurityPolicy`

			`class ExampleStack(Stack):`
			`def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:`
			`super().__init__(scope, construct_id, **kwargs)`
			`DomainName(self, "example",`
			`domain_name="example.com",`
			`certificate=certificate,`
			`security_policy=SecurityPolicy.TLS_1_0 # Noncompliant`
			`)`
			`----`

			By default, AWS's OpenSearch service `CfnDomains` enables TLS 1.0, a weak
			`cryptographic algorithm.`

			`[source,python,diff-id=2,diff-type=noncompliant]`
			`----`
			`from aws_cdk.aws_opensearchservice import CfnDomain, EngineVersion`

			`class ExampleStack(Stack):`
			`def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:`
			`super().__init__(scope, construct_id, **kwargs)`
			`CfnDomain(self, "example",`
			`version=EngineVersion.OPENSEARCH_1_3`
			`) # Noncompliant`
			`----`

			`==== Compliant solution`

			`[source,python,diff-id=1,diff-type=compliant]`
			`----`
			`from aws_cdk.aws_apigateway import DomainName, SecurityPolicy`

			`class ExampleStack(Stack):`
			`def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:`
			`super().__init__(scope, construct_id, **kwargs)`
			`DomainName(self, "example",`
			`domain_name="example.com",`
			`certificate=certificate,`
			`security_policy=SecurityPolicy.TLS_1_2`
			`)`
			`----`

			`[source,python,diff-id=2,diff-type=compliant]`
			`----`
			`from aws_cdk.aws_opensearchservice import CfnDomain, EngineVersion`
			`class ExampleStack(Stack):`
			`def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:`
			`super().__init__(scope, construct_id, **kwargs)`
			`CfnDomain(self, "example",`
			`version=EngineVersion.OPENSEARCH_1_3`
			`domain_endpoint_options=CfnDomain.DomainEndpointOptionsProperty(`
			`tls_security_policy="Policy-Min-TLS-1-2-2019-07"`
			`)`
			`)`
			`----`
			`=== How does this work?`

			`include::../../common/fix/fix.adoc[]`