Upgrade to TLS 1.3

stevebux · stevebux · commit fce3be6a401a · 2026-03-24T13:33:44.000Z
diff --git a/infrastructure/terraform/components/api/api_gateway_domain.tf b/infrastructure/terraform/components/api/api_gateway_domain.tf
@@ -1,7 +1,7 @@
 resource "aws_api_gateway_domain_name" "main" {
   regional_certificate_arn = aws_acm_certificate_validation.main.certificate_arn
   domain_name              = local.root_domain_name
-  security_policy          = "TLS_1_2"
+  security_policy          = "SecurityPolicy_TLS13_1_3_2025_09"
 
   endpoint_configuration {
     types = ["REGIONAL"]
diff --git a/infrastructure/terraform/components/api/api_gateway_rest_api_tls.tf b/infrastructure/terraform/components/api/api_gateway_rest_api_tls.tf
@@ -1,11 +1,5 @@
-# AWS does not support updating the securityPolicy on an existing REST API from
-# TLS_1_0 to TLS_1_2 in-place. The policy must be set at creation time via the
-# x-amazon-apigateway-security-policy OpenAPI extension in the API body
-# (see spec.tmpl.json). This terraform_data resource forces recreation of the
-# aws_api_gateway_rest_api whenever the desired security policy changes, ensuring
-# the new API is always created with the correct TLS version.
 locals {
-  rest_api_security_policy      = "SecurityPolicy_TLS12_PFS_2025_EDGE"
+  rest_api_security_policy      = "SecurityPolicy_TLS13_2025_EDGE"
   rest_api_endpoint_access_mode = "STRICT"
 }
 
