Try a different approach

stevebux · stevebux · commit c7e9df25f5b0 · 2026-03-24T10:25:06.000Z
diff --git a/infrastructure/terraform/components/api/api_gateway_rest_api.tf b/infrastructure/terraform/components/api/api_gateway_rest_api.tf
@@ -3,4 +3,8 @@ resource "aws_api_gateway_rest_api" "main" {
   body                         = local.openapi_spec
   description                  = "Suppliers API"
   disable_execute_api_endpoint = var.disable_gateway_execute_endpoint
+
+  lifecycle {
+    replace_triggered_by = [terraform_data.rest_api_security_policy]
+  }
 }
diff --git a/infrastructure/terraform/components/api/api_gateway_rest_api_tls.tf b/infrastructure/terraform/components/api/api_gateway_rest_api_tls.tf
@@ -1,15 +1,13 @@
-# Terraform does not yet support setting the securityPolicy on aws_api_gateway_rest_api
-# directly. This terraform_data resource works around that by calling the AWS CLI
-# to enforce TLS 1.2 on the REST API after it is created or replaced.
-resource "terraform_data" "rest_api_tls_policy" {
-  triggers_replace = [aws_api_gateway_rest_api.main.id]
+# AWS does not support updating the securityPolicy on an existing REST API from
+# TLS_1_0 to TLS_1_2 in-place. The policy must be set at creation time via the
+# x-amazon-apigateway-security-policy OpenAPI extension in the API body
+# (see spec.tmpl.json). This terraform_data resource forces recreation of the
+# aws_api_gateway_rest_api whenever the desired security policy changes, ensuring
+# the new API is always created with the correct TLS version.
+locals {
+  rest_api_security_policy = "TLS_1_2"
+}
 
-  provisioner "local-exec" {
-    command = <<-EOT
-      aws apigateway update-rest-api \
-        --region ${var.region} \
-        --rest-api-id ${aws_api_gateway_rest_api.main.id} \
-        --patch-operations op=replace,path=/securityPolicy,value=TLS_1_2
-    EOT
-  }
+resource "terraform_data" "rest_api_security_policy" {
+  input = local.rest_api_security_policy
 }
diff --git a/infrastructure/terraform/components/api/locals.tf b/infrastructure/terraform/components/api/locals.tf
@@ -7,6 +7,7 @@ locals {
   openapi_spec = templatefile("${path.module}/resources/spec.tmpl.json", {
     APIG_EXECUTION_ROLE_ARN    = aws_iam_role.api_gateway_execution_role.arn
     AWS_REGION                 = var.region
+    TLS_VERSION                = local.rest_api_security_policy
     AUTHORIZER_LAMBDA_ARN      = module.authorizer_lambda.function_arn
     GET_LETTER_LAMBDA_ARN      = module.get_letter.function_arn
     GET_LETTERS_LAMBDA_ARN     = module.get_letters.function_arn
diff --git a/infrastructure/terraform/components/api/resources/spec.tmpl.json b/infrastructure/terraform/components/api/resources/spec.tmpl.json
@@ -307,5 +307,6 @@
         }
       }
     }
-  }
+  },
+  "x-amazon-apigateway-security-policy": "${SECURITY_POLICY}"
 }

Original file line number	Diff line number	Diff line change
`@@ -3,4 +3,8 @@ resource "aws_api_gateway_rest_api" "main" {`
`3`	`3`	`body = local.openapi_spec`
`4`	`4`	`description = "Suppliers API"`
`5`	`5`	`disable_execute_api_endpoint = var.disable_gateway_execute_endpoint`
	`6`	`+`
	`7`	`+ lifecycle {`
	`8`	`+ replace_triggered_by = [terraform_data.rest_api_security_policy]`
	`9`	`+ }`
`6`	`10`	`}`
Original file line number	Diff line number	Diff line change
`@@ -307,5 +307,6 @@`
`307`	`307`	`}`
`308`	`308`	`}`
`309`	`309`	`}`
`310`		`- }`
	`310`	`+ },`
	`311`	`+ "x-amazon-apigateway-security-policy": "${SECURITY_POLICY}"`
`311`	`312`	`}`