From 9cf9baad5eca3790d7c0b351e0a6966a3ee4f881 Mon Sep 17 00:00:00 2001
From: "k.goto" <24818752+go-to-k@users.noreply.github.com>
Date: Tue, 9 Jan 2024 08:08:22 +0900
Subject: [PATCH] feat(opensearchservice): TLS security policy for TLS 1.3 and perfect forward secrecy (#28583)

This PR supports new TLS security policy 'Policy-Min-TLS-1-2-PFS-2023-10' for TLS 1.3 and perfect forward secrecy. The description from [CLI reference](https://docs.aws.amazon.com/cli/latest/reference/opensearch/update-domain-config.html): > Policy-Min-TLS-1-2-PFS-2023-10: TLS security policy that supports TLS version 1.2 to TLS version 1.3 with perfect forward secrecy cipher suites - Release notes - https://aws.amazon.com/jp/about-aws/whats-new/2024/01/amazon-opensearch-service-tls-1-3-perfect-forward-secrecy/ - CloudFormation - https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-opensearchservice-domain-domainendpointoptions.html#cfn-opensearchservice-domain-domainendpointoptions-tlssecuritypolicy ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
---
 packages/aws-cdk-lib/aws-opensearchservice/lib/domain.ts | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/packages/aws-cdk-lib/aws-opensearchservice/lib/domain.ts b/packages/aws-cdk-lib/aws-opensearchservice/lib/domain.ts
index 154f849647ea1..81e94e80bb9b2 100644
--- a/packages/aws-cdk-lib/aws-opensearchservice/lib/domain.ts
+++ b/packages/aws-cdk-lib/aws-opensearchservice/lib/domain.ts
@@ -281,7 +281,9 @@ export enum TLSSecurityPolicy {
 /** Cipher suite TLS 1.0 */
 TLS_1_0 = 'Policy-Min-TLS-1-0-2019-07',
 /** Cipher suite TLS 1.2 */
- TLS_1_2 = 'Policy-Min-TLS-1-2-2019-07'
+ TLS_1_2 = 'Policy-Min-TLS-1-2-2019-07',
+ /** Cipher suite TLS 1.2 to 1.3 with perfect forward secrecy (PFS) */
+ TLS_1_2_PFS = 'Policy-Min-TLS-1-2-PFS-2023-10',
 }

 /**
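Review bot: The doc comment on the new `TLS_1_2_PFS` member calls the value a "cipher suite", but per the quoted CLI reference it names an endpoint policy that sets a TLS 1.2 floor, allows TLS 1.3 and restricts negotiation to forward-secret suites; a more precise wording would be `/** Minimum TLS 1.2, TLS 1.3 supported, perfect forward secrecy (PFS) cipher suites only */`. The enum still lists `TLS_1_0` with nothing steering callers away from it, so a short hint on that member such as `/** Cipher suite TLS 1.0 (legacy; prefer TLS_1_2_PFS for new domains) */` would help readers pick the stronger policy. The diffstat shows only domain.ts changed, so no unit test accompanies the new value; a synth assertion that `TLSSecurityPolicy.TLS_1_2_PFS` renders `Policy-Min-TLS-1-2-PFS-2023-10` in the domain endpoint options would pin the string. The enum's opening line sits outside the hunk, and the property default that consumes this enum is not visible here and is worth checking against the new policy.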