Description
Describe the bug
Amazon OpenSearch Service updated the default 'TLSSecurityPolicy' to 'Policy-Min-TLS-1-2-2019-07'. However, CDK still sets the default policy for OpenSearch domain resources to 'Policy-Min-TLS-1-0-2019-07' when the 'TLSSecurityPolicy' field in DomainEndpointOptions is not specified.
Ref code links: https://github.com/aws/aws-cdk/blob/main/packages/aws-cdk-lib/aws-opensearchservice/lib/domain.ts#L2008
https://github.com/aws/aws-cdk/blob/main/packages/aws-cdk-lib/aws-opensearchservice/lib/domain.ts#L292
Owing to this discrepancy, when a domain is created without specifying the 'TLSSecurityPolicy' field in DomainEndpointOptions, CDK currently sets the TLS policy to 'Policy-Min-TLS-1-0-2019-07', and the domain is created with the older, weaker TLS security policy instead of the service default.
Regression Issue
- Select this option if this issue appears to be a regression.
Last Known Working CDK Library Version
No response
Expected Behavior
While creating an OpenSearch domain resource, if 'TLSSecurityPolicy' in DomainEndpointOptions is specified, CDK should set it as given. If the 'TLSSecurityPolicy' field is NOT specified, CDK should NOT set it at all, i.e. the default value should be removed so the service default applies.
Current Behavior
If the customer does not specify the 'TLSSecurityPolicy' option in DomainEndpointOptions, CDK sets the parameter to the default value 'Policy-Min-TLS-1-0-2019-07'.
Reproduction Steps
Create an OpenSearch domain via CDK using the following stack snippet:

```typescript
import { Construct } from 'constructs';
import { Domain, EngineVersion } from 'aws-cdk-lib/aws-opensearchservice';
import { DeploymentStack, DeploymentStackProps } from '@amzn/pipelines';

export interface TestStackProps extends DeploymentStackProps {
  readonly region: string;
  readonly airportCode: string;
  readonly accountId: string;
}

export class TestStack extends DeploymentStack {
  constructor(scope: Construct, props: TestStackProps) {
    super(scope, createStackId(), props);

    // No tlsSecurityPolicy is passed here, so CDK falls back to its own default.
    new Domain(this, 'TestDomain', {
      version: EngineVersion.OPENSEARCH_2_5,
    });
  }
}

const createStackId = (): string => {
  return `TestStack`;
};
```
This creates a domain with the 'Policy-Min-TLS-1-0-2019-07' TLSSecurityPolicy. The following is the resource section of the CFN template it generated:
```yaml
Resources:
  TestDomainEA41AC19:
    Type: AWS::OpenSearchService::Domain
    Properties:
      ClusterConfig:
        DedicatedMasterEnabled: false
        InstanceCount: 1
        InstanceType: r5.large.search
        ZoneAwarenessEnabled: false
      DomainEndpointOptions:
        EnforceHTTPS: false
        TLSSecurityPolicy: Policy-Min-TLS-1-0-2019-07
      EBSOptions:
        EBSEnabled: true
        VolumeSize: 10
        VolumeType: gp2
      EncryptionAtRestOptions:
        Enabled: false
      EngineVersion: OpenSearch_2.5
      LogPublishingOptions: {}
      NodeToNodeEncryptionOptions:
        Enabled: false
    UpdateReplacePolicy: Retain
    DeletionPolicy: Retain
```
The TLSSecurityPolicy in DomainEndpointOptions should not be set to 'Policy-Min-TLS-1-0-2019-07'.
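As an added check that is not part of this report or of the aws-cdk code base, the following script audits a synthesized CloudFormation template (parsed to an object) and flags OpenSearch domains that carry the defaulted weak policy or do not enforce HTTPS; the sample template object is constructed from the DomainEndpointOptions shown above, plus a second, constructed domain with explicit settings:

```typescript
// Added example, not code from aws-cdk: audit a synthesized CloudFormation template for
// OpenSearch domains that carry the weak CDK default 'Policy-Min-TLS-1-0-2019-07'
// or do not enforce HTTPS, so the defaulting bug is caught before deployment.
const WEAK_TLS_POLICY = 'Policy-Min-TLS-1-0-2019-07';

type Finding = { logicalId: string; issue: string };
type CfnTemplate = { Resources?: Record<string, { Type?: string; Properties?: any }> };

function auditOpenSearchTls(template: CfnTemplate): Finding[] {
  const findings: Finding[] = [];
  for (const [logicalId, res] of Object.entries(template.Resources ?? {})) {
    if (res.Type !== 'AWS::OpenSearchService::Domain') continue;
    const opts = res.Properties?.DomainEndpointOptions ?? {};
    const policy = opts.TLSSecurityPolicy;
    if (policy === WEAK_TLS_POLICY) {
      findings.push({ logicalId, issue: `TLSSecurityPolicy is ${WEAK_TLS_POLICY}` });
    } else if (policy !== undefined && typeof policy !== 'string') {
      // Intrinsics such as Ref or Fn::If cannot be judged statically.
      findings.push({ logicalId, issue: 'TLSSecurityPolicy is not a literal; review manually' });
    }
    // An absent TLSSecurityPolicy is fine: the service default is Policy-Min-TLS-1-2-2019-07.
    if (opts.EnforceHTTPS !== true) {
      findings.push({ logicalId, issue: 'EnforceHTTPS is not true' });
    }
  }
  return findings;
}

// Constructed sample: the DomainEndpointOptions from the template in this report,
// plus a second (constructed) domain whose options were set explicitly.
const sampleTemplate: CfnTemplate = {
  Resources: {
    TestDomainEA41AC19: {
      Type: 'AWS::OpenSearchService::Domain',
      Properties: {
        DomainEndpointOptions: { EnforceHTTPS: false, TLSSecurityPolicy: WEAK_TLS_POLICY },
      },
    },
    HardenedDomain: {
      Type: 'AWS::OpenSearchService::Domain',
      Properties: {
        DomainEndpointOptions: { EnforceHTTPS: true, TLSSecurityPolicy: 'Policy-Min-TLS-1-2-2019-07' },
      },
    },
  },
};

// Running this file prints the findings for the weak domain only.
console.log(auditOpenSearchTls(sampleTemplate));
```

Until the default is changed, the policy can also be pinned per domain through the Domain construct's `tlsSecurityPolicy` prop (`TLSSecurityPolicy.TLS_1_2`) together with `enforceHttps: true`, which this audit would then pass.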
Possible Solution
Remove the default TLS policy in CDK, as the OpenSearch service itself now sets the default policy to 'Policy-Min-TLS-1-2-2019-07'.
Additional Information/Context
No response
AWS CDK Library version (aws-cdk-lib)
AWS CDK CLI version
1.203.0
Node.js Version
v14.20.1
OS
LINUX 5.10.237-211.948.amzn2int.x86_64
Language
TypeScript
Language Version
No response
Other information
No response