Another try

Author: stevebux

infrastructure/terraform/components/api/api_gateway_rest_api_tls.tf

@@ -5,9 +5,13 @@
 # aws_api_gateway_rest_api whenever the desired security policy changes, ensuring
 # the new API is always created with the correct TLS version.
 locals {
-  rest_api_security_policy = "SecurityPolicy_TLS13_1_2_2021_06"
+  rest_api_security_policy      = "SecurityPolicy_TLS13_1_2_2021_06"
+  rest_api_endpoint_access_mode = "STRICT"
 }
 
 resource "terraform_data" "rest_api_security_policy" {
-  input = local.rest_api_security_policy
+  input = {
+    security_policy      = local.rest_api_security_policy
+    endpoint_access_mode = local.rest_api_endpoint_access_mode
+  }
 }

infrastructure/terraform/components/api/locals.tf

@@ -8,6 +8,7 @@ locals {
     APIG_EXECUTION_ROLE_ARN    = aws_iam_role.api_gateway_execution_role.arn
     AWS_REGION                 = var.region
     SECURITY_POLICY            = local.rest_api_security_policy
+    ENDPOINT_ACCESS_MODE       = local.rest_api_endpoint_access_mode
     AUTHORIZER_LAMBDA_ARN      = module.authorizer_lambda.function_arn
     GET_LETTER_LAMBDA_ARN      = module.get_letter.function_arn
     GET_LETTERS_LAMBDA_ARN     = module.get_letters.function_arn

infrastructure/terraform/components/api/resources/spec.tmpl.json

@@ -308,5 +308,6 @@
       }
     }
   },
+  "x-amazon-apigateway-endpoint-access-mode": "${ENDPOINT_ACCESS_MODE}",
   "x-amazon-apigateway-security-policy": "${SECURITY_POLICY}"
 }