[Docs]: Incomplete valid values of security policy of resource aws_apigatewayv2_domain_name #37869

Open
nikpivkin opened this issue Jun 7, 2024 · 5 comments · May be fixed by #39479
Labels
documentation Introduces or discusses updates to documentation. service/apigatewayv2 Issues and PRs that pertain to the apigatewayv2 service.

Comments

@nikpivkin

Documentation Link

https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/apigatewayv2_domain_name

Description

The documentation says that the valid values for the security policy (security_policy argument) are TLS_1_2. But TLS_1_0 is also valid. See references.

References

Would you like to implement a fix?

No

@nikpivkin nikpivkin added the documentation Introduces or discusses updates to documentation. label Jun 7, 2024

github-actions bot commented Jun 7, 2024

Community Note

Voting for Prioritization

  • Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
  • Please see our prioritization guide for information on how we prioritize.
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

  • If you are interested in working on this issue, please leave a comment.
  • If this would be your first contribution, please review the contribution guide.

@terraform-aws-provider terraform-aws-provider bot added the needs-triage Waiting for first response or review from a maintainer. label Jun 7, 2024
@acwwat
Contributor

acwwat commented Jun 7, 2024

The resource code allows only TLS_1_2 for security_policy and REGIONAL for endpoint_type seemingly for good reason. If I allow these values, applying the configuration ends up failing anyway with the following server-side validation errors:

Error: creating API Gateway v2 Domain Name (tf-acc-test-9084719555279808942.example.com): operation error ApiGatewayV2: CreateDomainName, https response error StatusCode: 400, RequestID: c57f749a-7e7e-4e43-bb77-537ac13d27c7, BadRequestException: TLS_1_0 is not supported for APIGatewayV2 domainName.
Error: creating API Gateway v2 Domain Name (tf-acc-test-4160857730709957401.example.com): operation error ApiGatewayV2: CreateDomainName, https response error StatusCode: 400, RequestID: 9fce6f3b-f32f-48be-a37e-aa2c422c2b76, BadRequestException: EDGE endpoint type is not supported for APIGatewayV2 domainName.

From a usability standpoint it's better to leave the provider-side validation as-is.

@nikpivkin
Author

@acwwat Is your API configured as private? Private APIs only support TLS 1.2.

@acwwat
Contributor

acwwat commented Jun 7, 2024

> @acwwat Is your API configured as private? Private APIs only support TLS 1.2.

I was validating the changes via acceptance tests, and looking at the test case the aws_apigatewayv2_domain_name is not associated with any API resources. But it is associated with a public domain (zone) and cert.

@justinretzolk justinretzolk added service/apigatewayv2 Issues and PRs that pertain to the apigatewayv2 service. and removed needs-triage Waiting for first response or review from a maintainer. labels Jun 11, 2024
@Jyots6914
Contributor

I will raise a PR to update the documentation.

@Jyots6914 Jyots6914 linked a pull request Sep 25, 2024 that will close this issue