CCM-14114: set TLS version on Rest API to be 1.2, to match domain name (#491)

Co-authored-by: Mark Slowey <113013138+masl2@users.noreply.github.com>
Co-authored-by: Francisco Videira <francisco.videira@nhs.net>

Author: 3 people

infrastructure/terraform/components/api/api_gateway_rest_api.tf

@@ -3,4 +3,8 @@ resource "aws_api_gateway_rest_api" "main" {
   body                         = local.openapi_spec
   description                  = "Suppliers API"
   disable_execute_api_endpoint = var.disable_gateway_execute_endpoint
+
+  lifecycle {
+    replace_triggered_by = [terraform_data.rest_api_security_policy]
+  }
 }

infrastructure/terraform/components/api/api_gateway_rest_api_tls.tf

@@ -0,0 +1,11 @@
+locals {
+  rest_api_security_policy      = "SecurityPolicy_TLS12_PFS_2025_EDGE"
+  rest_api_endpoint_access_mode = "STRICT"
+}
+
+resource "terraform_data" "rest_api_security_policy" {
+  input = {
+    security_policy      = local.rest_api_security_policy
+    endpoint_access_mode = local.rest_api_endpoint_access_mode
+  }
+}

infrastructure/terraform/components/api/locals.tf

@@ -7,6 +7,8 @@ locals {
   openapi_spec = templatefile("${path.module}/resources/spec.tmpl.json", {
     APIG_EXECUTION_ROLE_ARN    = aws_iam_role.api_gateway_execution_role.arn
     AWS_REGION                 = var.region
+    SECURITY_POLICY            = local.rest_api_security_policy
+    ENDPOINT_ACCESS_MODE       = local.rest_api_endpoint_access_mode
     AUTHORIZER_LAMBDA_ARN      = module.authorizer_lambda.function_arn
     GET_LETTER_LAMBDA_ARN      = module.get_letter.function_arn
     GET_LETTERS_LAMBDA_ARN     = module.get_letters.function_arn

infrastructure/terraform/components/api/resources/spec.tmpl.json

@@ -307,5 +307,7 @@
         }
       }
     }
-  }
+  },
+  "x-amazon-apigateway-endpoint-access-mode": "${ENDPOINT_ACCESS_MODE}",
+  "x-amazon-apigateway-security-policy": "${SECURITY_POLICY}"
 }