rspec/rules/S4423/terraform/how-to-fix-it/aws-api-gateway.adoc

== How to fix it in AWS API Gateway

=== Code examples

These code samples illustrate how to fix this issue in both APIGateway and
ApiGatewayV2.

==== Noncompliant code example

[source,terraform,diff-id=1,diff-type=noncompliant]
----
resource "aws_api_gateway_domain_name" "example" {
  domain_name = "api.example.com"
  security_policy = "TLS_1_0" # Noncompliant
}
----

The ApiGatewayV2 uses a weak TLS version by default:

[source,terraform,diff-id=2,diff-type=noncompliant]
----
resource "aws_apigatewayv2_domain_name" "example" {
  domain_name = "api.example.com"
  domain_name_configuration {} # Noncompliant
}
----


==== Compliant solution

[source,terraform,diff-id=1,diff-type=compliant]
----
resource "aws_api_gateway_domain_name" "example" {
  domain_name = "api.example.com"
  security_policy = "TLS_1_2"
}
----

[source,terraform,diff-id=2,diff-type=compliant]
----
resource "aws_apigatewayv2_domain_name" "example" {
  domain_name = "api.example.com"
  domain_name_configuration {
    security_policy = "TLS_1_2"
  }
}
----

=== How does this work?

include::../../common/fix/fix.adoc[]