rspec/rules/S4423/javascript/how-to-fix-it/aws-cdk.adoc

== How to fix it in AWS CDK

=== Code examples

==== Noncompliant code example

[source,javascript,diff-id=1,diff-type=noncompliant]
----
import { aws_apigateway as agw } from 'aws-cdk-lib';
new agw.DomainName(this, 'Example', {
    certificate: certificate,
    domainName: domainName,
    securityPolicy: agw.SecurityPolicy.TLS_1_0, // Noncompliant
});
----

The resource `CfnDomain` uses a weak TLS security policy, by default.

[source,javascript,diff-id=2,diff-type=noncompliant]
----
import { aws_opensearchservice as os } from 'aws-cdk-lib';

new os.CfnDomain(this, 'Example', {
  domainEndpointOptions: {
    enforceHttps: true,
  },
}); // Noncompliant
----

==== Compliant solution

[source,javascript,diff-id=1,diff-type=compliant]
----
import { aws_apigateway as agw } from 'aws-cdk-lib';
new agw.DomainName(this, 'Example', {
    certificate: certificate,
    domainName: domainName,
    securityPolicy: agw.SecurityPolicy.TLS_1_2,
});
----

[source,javascript,diff-id=2,diff-type=compliant]
----
import { aws_opensearchservice as os } from 'aws-cdk-lib';

new os.CfnDomain(this, 'Example', {
  domainEndpointOptions: {
    enforceHttps: true,
    tlsSecurityPolicy: 'Policy-Min-TLS-1-2-2019-07',
  },
});
----

=== How does this work?

include::../../common/fix/fix.adoc[]
Modify S4423: Learn-As-You-Code Migration (#2097) Co-authored-by: hendrik-buchwald-sonarsource <64110887+hendrik-buchwald-sonarsource@users.noreply.github.com> 2023-06-20 17:36:01 +02:00			`== How to fix it in AWS CDK`

			`=== Code examples`

			`==== Noncompliant code example`

			`[source,javascript,diff-id=1,diff-type=noncompliant]`
			`----`
			`import { aws_apigateway as agw } from 'aws-cdk-lib';`
			`new agw.DomainName(this, 'Example', {`
			`certificate: certificate,`
			`domainName: domainName,`
			`securityPolicy: agw.SecurityPolicy.TLS_1_0, // Noncompliant`
			`});`
			`----`

			The resource `CfnDomain` uses a weak TLS security policy, by default.

			`[source,javascript,diff-id=2,diff-type=noncompliant]`
			`----`
			`import { aws_opensearchservice as os } from 'aws-cdk-lib';`

			`new os.CfnDomain(this, 'Example', {`
			`domainEndpointOptions: {`
			`enforceHttps: true,`
			`},`
			`}); // Noncompliant`
			`----`

			`==== Compliant solution`

			`[source,javascript,diff-id=1,diff-type=compliant]`
			`----`
			`import { aws_apigateway as agw } from 'aws-cdk-lib';`
			`new agw.DomainName(this, 'Example', {`
			`certificate: certificate,`
			`domainName: domainName,`
			`securityPolicy: agw.SecurityPolicy.TLS_1_2,`
			`});`
			`----`

			`[source,javascript,diff-id=2,diff-type=compliant]`
			`----`
			`import { aws_opensearchservice as os } from 'aws-cdk-lib';`

			`new os.CfnDomain(this, 'Example', {`
			`domainEndpointOptions: {`
			`enforceHttps: true,`
			`tlsSecurityPolicy: 'Policy-Min-TLS-1-2-2019-07',`
			`},`
			`});`
			`----`

			`=== How does this work?`

			`include::../../common/fix/fix.adoc[]`