include::../description.adoc[]

include::../ask-yourself.adoc[]

include::../recommended.adoc[]

== Sensitive Code Example

For https://aws.amazon.com/kinesis/[AWS Kinesis] Data Streams server-side encryption:

[source,terraform]
----
resource "aws_kinesis_stream" "sensitive_stream" {
    encryption_type = "NONE" # Sensitive
}
----

For https://aws.amazon.com/elasticache/[Amazon ElastiCache]:

[source,terraform]
----
resource "aws_elasticache_replication_group" "example" {
    replication_group_id = "example"
    replication_group_description = "example"
    transit_encryption_enabled = false  # Sensitive
}
----

For https://aws.amazon.com/ecs/[Amazon ECS]:

[source,terraform]
----
resource "aws_ecs_task_definition" "ecs_task" {
  family = "service"
  container_definitions = file("task-definition.json")

  volume {
    name = "storage"
    efs_volume_configuration {
      file_system_id = aws_efs_file_system.fs.id
      transit_encryption = "DISABLED"  # Sensitive
    }
  }
}
----

For https://docs.aws.amazon.com/opensearch-service/index.html[Amazon OpenSearch domains]:

[source,terraform]
----
resource "aws_elasticsearch_domain" "example" {
  domain_name = "example"
  domain_endpoint_options {
    enforce_https = false # Sensitive
  }
  node_to_node_encryption {
    enabled = false # Sensitive
  }
}
----

For https://aws.amazon.com/msk/[Amazon MSK] communications between clients and brokers:

[source,terraform]
----
resource "aws_msk_cluster" "sensitive_data_cluster" {
    encryption_info {
        encryption_in_transit {
            client_broker = "TLS_PLAINTEXT" # Sensitive
            in_cluster = false # Sensitive
        }
    }
}
----

For https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-listeners.html[AWS Load Balancer Listeners]:

[source,terraform]
----
resource "aws_lb_listener" "front_load_balancer" {
  protocol = "HTTP" # Sensitive

  default_action {
    type = "redirect"

    redirect {
      protocol = "HTTP"
    }
  }
}
----

HTTP protocol is used for https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_region_backend_service[GCP Region Backend Services]:

[source,terraform]
----
resource "google_compute_region_backend_service" "example" {
  name                            = "example-service"
  region                          = "us-central1"
  health_checks                   = [google_compute_region_health_check.region.id]
  connection_draining_timeout_sec = 10
  session_affinity                = "CLIENT_IP"
  load_balancing_scheme           = "EXTERNAL"
  protocol                        = "HTTP" # Sensitive
}
----

== Compliant Solution


For https://aws.amazon.com/kinesis/[AWS Kinesis] Data Streams server-side encryption:

[source,terraform]
----
resource "aws_kinesis_stream" "compliant_stream" {
    encryption_type = "KMS"
}
----

For https://aws.amazon.com/elasticache/[Amazon ElastiCache]:

[source,terraform]
----
resource "aws_elasticache_replication_group" "example" {
    replication_group_id = "example"
    replication_group_description = "example"
    transit_encryption_enabled = true
}
----

For https://aws.amazon.com/ecs/[Amazon ECS]:

[source,terraform]
----
resource "aws_ecs_task_definition" "ecs_task" {
  family = "service"
  container_definitions = file("task-definition.json")

  volume {
    name = "storage"
    efs_volume_configuration {
      file_system_id = aws_efs_file_system.fs.id
      transit_encryption = "ENABLED"
    }
  }
}
----

For https://docs.aws.amazon.com/opensearch-service/index.html[Amazon OpenSearch domains]:

[source,terraform]
----
resource "aws_elasticsearch_domain" "example" {
  domain_name = "example"
  domain_endpoint_options {
    enforce_https = true
  }
  node_to_node_encryption {
    enabled = true
  }
}
----
  
For https://aws.amazon.com/msk/[Amazon MSK] communications between clients and brokers, data in transit is encrypted by default, allowing you to omit writing the `encryption_in_transit` configuration. However, if you need to configure it explicitly, this configuration is compliant:

[source,terraform]
----
resource "aws_msk_cluster" "sensitive_data_cluster" {
    encryption_info {
        encryption_in_transit {
            client_broker = "TLS"
            in_cluster = true
        }
    }
}
----

For https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-listeners.html[AWS Load Balancer Listeners]:

[source,terraform]
----
resource "aws_lb_listener" "front_load_balancer" {
  protocol = "HTTP"

  default_action {
    type = "redirect"

    redirect {
      protocol = "HTTPS"
    }
  }
}

----

HTTPS protocol is used for https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_region_backend_service[GCP Region Backend Services]:

[source,terraform]
----
resource "google_compute_region_backend_service" "example" {
  name                            = "example-service"
  region                          = "us-central1"
  health_checks                   = [google_compute_region_health_check.region.id]
  connection_draining_timeout_sec = 10
  session_affinity                = "CLIENT_IP"
  load_balancing_scheme           = "EXTERNAL"
  protocol                        = "HTTPS"
}
----

include::../exceptions.adoc[]


== See

include::../common/resources/documentation.adoc[]

include::../common/resources/articles.adoc[]

include::../common/resources/standards-iac.adoc[]


ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

=== Message

 * Make sure allowing clear-text traffic is safe here.
 * Omitting "{argument_name}" enables clear-text protocols. Make sure it is safe here.


=== Highlighting

For ``aws_kinesis_stream``:

* Highlight the resource if `encryption_type` is missing or set to ``NONE``

For `aws_elasticache_replication_group`:

* Highlight `transit_encryption_enabled` if it is specified but has the wrong value
* Highlight resource if `transit_encryption_enabled` is not set

For `aws_ecs_task_definition`:

* Highlight `transit_encryption` if it is specified but has the wrong value
* Highlight `efs_volume_configuration` if it exists but does not contain `transit_encryption`

* For `aws_lb_listener`:
** For a `fixed-response` or `forward` action: Highlight the root `protocol` if it is set to `HTTP`
** For a `redirect` action: Highlight the root `protocol` if `default_action.redirect.protocol` is set as `HTTP`

For `aws_elasticsearch_domain`:

* Highlight `enabled` field from `node_to_node_encryption` if it is specified but has the wrong value
* Highlight `enforce_https` field from `domain_endpoint_options` if it is specified but has the wrong value
* Highlight resource if `node_to_node_encryption` is not specified at all

For `aws_msk_cluster`:

* Highlight `client_broker` if it is specified but does not contain `TLS`
* Highlight `in_cluster` if it is specified but is set to `false`

For `google_compute_region_backend_service`:

* Highlight `protocol` argument value when equals to `HTTP`


endif::env-github,rspecator-view[]