From f51fa0fc97b9f7642e9f53c0d896161963b08439 Mon Sep 17 00:00:00 2001
From: Thomas Widhalm
Date: Wed, 23 Oct 2024 13:27:10 +0200
Subject: [PATCH] Disable scanning for http connections without TLS
---
 molecule/elasticsearch_no-security/verify.yml | 6 +++---
 roles/elasticsearch/tasks/main.yml | 4 +++-
 2 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/molecule/elasticsearch_no-security/verify.yml b/molecule/elasticsearch_no-security/verify.yml
index 48919b23..67a0a6fe 100644
--- a/molecule/elasticsearch_no-security/verify.yml
+++ b/molecule/elasticsearch_no-security/verify.yml
@@ -1,5 +1,7 @@
 ---
-# This is an example playbook to execute Ansible tests.
+# kics-scan disable=2e8d4922-8362-4606-8c14-aa10466a1ce3
+# above command will disable scanning for `http` (without `s`)
+# connections
 - name: Verify hosts: all
@@ -9,7 +11,6 @@
 tasks: # Remember, this is the no-security scenario. So no https
-# kics-scan ignore-block
 - name: Health check ansible.builtin.uri: url: http://localhost:{{ elasticstack_elasticsearch_http_port }}/_cluster/health
@@ -23,7 +24,6 @@
 delay: 10 when: groups[elasticstack_elasticsearch_group_name] | length > 1
-# kics-scan ignore-block
 - name: Node check ansible.builtin.uri: url: http://localhost:{{ elasticstack_elasticsearch_http_port }}/_cat/nodes
diff --git a/roles/elasticsearch/tasks/main.yml b/roles/elasticsearch/tasks/main.yml
index 9215875e..c248510c 100644
--- a/roles/elasticsearch/tasks/main.yml
+++ b/roles/elasticsearch/tasks/main.yml
@@ -1,4 +1,7 @@
 ---
+# kics-scan disable=2e8d4922-8362-4606-8c14-aa10466a1ce3
+# above command will disable scanning for `http` (without `s`)
+# connections
 - name: Check for versions ansible.builtin.fail:
@@ -244,7 +247,6 @@
 enabled: yes register: elasticsearch_freshstart
-# kics-scan ignore-block
 - name: Handle cluster setup without security when: not elasticsearch_security | bool block:
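Review bot: The new header comment in molecule/elasticsearch_no-security/verify.yml names the suppressed rule only by UUID and explains what the directive does, not why the exemption is acceptable; the reason (`# Remember, this is the no-security scenario. So no https`) sits further down beside the tasks. Anyone auditing scanner suppressions would be helped by a reason at the directive itself, for example `# no-security scenario: Elasticsearch runs without TLS here, so plain http is expected`. The directive is also placed after the `---` marker rather than on the first line; as far as I know KICS expects file-level commands at the start of the file, so it is worth confirming in the scan output that the finding is still suppressed now that both `ignore-block` comments are gone. The same placement is used in roles/elasticsearch/tasks/main.yml.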
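Review bot: In roles/elasticsearch/tasks/main.yml the file-level `kics-scan disable=2e8d4922-8362-4606-8c14-aa10466a1ce3` widens the exemption from the single `Handle cluster setup without security` block (guarded by `when: not elasticsearch_security | bool`) to every task in the file. A plain-http URL added later to a task that runs with security enabled would then no longer be reported by the scanner. If the block-level `# kics-scan ignore-block` can be made to work there, keeping the suppression on that block is the narrower choice; otherwise state the intended scope in the header, e.g. `# only the block under "when: not elasticsearch_security | bool" is expected to use plain http`. Most of the file lies outside these hunks, so whether other http URLs already exist in it cannot be judged from the diff.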