Amazon API Gateway now supports mutual TLS authentication

[ewbankkit]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

Amazon API Gateway now supports mutual TLS (mTLS) authentication.

New or Affected Resource(s)

• aws_api_gateway_domain_name
• aws_apigatewayv2_api
• aws_apigatewayv2_domain_name

Potential Terraform Configuration

resource "aws_api_gateway_domain_name" "example" {
  mutual_tls_authentication {
    truststore_uri = "s3://bucket-name/key-name"
  } 
}

resource "aws_apigatewayv2_domain_name" "example" {
  mutual_tls_authentication {
    truststore_uri = "s3://bucket-name/key-name"
  } 
}

resource "aws_apigatewayv2_api" "example" {
  disable_execute_api_endpoint = true
}

References

Announcement.
Blog post.
Developer Guide (HTTP APIs).
Developer Guide (REST APIs).

Requires AWS SDK v1.34.26:

• Update module aws/aws-sdk-go to v1.34.26 #15123

[archenroot]

S3 isn't really a private key management tool in AWS world, but ok, let it be optional access key protocol, we should support both KMS CMK which is filled with key material or CloudHSM, which is the most secure way on AWS to secure private keys as per my knowledge.

[ewbankkit]

@archenroot Currently the underlying AWS API only support trust stores in S3:

An Amazon S3 URL that specifies the truststore for mutual TLS authentication, for example, s3://bucket-name/key-name. The truststore can contain certificates from public or private certificate authorities. To update the truststore, upload a new version to S3, and then update your custom domain name to use the new version. To update the truststore, you must have permissions to access the S3 object.

[archenroot]

@ewbankkit - any estimation when initial support will be available with terraform release? we are currently driving whole infra via terraform but if this support is to late, we will falback to cloudformation for time being before it gets stabilized for prod use. Thx for any even very gross estimation...

[ewbankkit]

@archenroot We are currently having problems with the testing of the functionality with ACMPCA issued certificates: https://forums.aws.amazon.com/thread.jspa?threadID=328610&tstart=0.

[albernazj93]

To anyone waiting for the Mutual TLS Authentication in Terraform. You could add the following as a post-action after your Terraform deployment.

It will enable the Mutual TLS Authentication in your Custom Domain:
aws apigateway update-domain-name --domain-name {your-custom-domain-name} --patch-operations "op='replace',path='/mutualTlsAuthentication/truststoreUri',value='s3://{your-s3-bucket-name}/{your-pem-file-name}.pem'" --region {your-region}

[oschvr]

godsend @albernazj93

[matt-mercer]

@albernazj93 @oschvr
you may also want to disable the default endpoint

rest api
aws apigateway update-rest-api --rest-api-id {your-api-id} --patch-operations op=replace,path=/disableExecuteApiEndpoint,value='true' --region {your-region}

v2 api
aws apigatewayv2 update-api --api-id {your-api-id} --disable-execute-api-endpoint --region {your-region}

and then deploy

https://docs.aws.amazon.com/apigateway/latest/developerguide/rest-api-disable-default-endpoint.html
https://docs.aws.amazon.com/apigateway/latest/developerguide/http-api-disable-default-endpoint.html

[keefmarshall]

Just dropping a note to say that the API Gateway mTLS feature seems to work with self-signed certs/CAs now, it no longer appears to require AWS/ACM-issued certs, which appears to have been an issue a month or two back looking through the posts here - does that make it a bit easier to test/support this feature in Terraform? I'm talking about the trust store CA certs, that is, anyway...

[ewbankkit]

@keefmarshall Thanks for the note. I have reworked the 2 PRs' acceptance tests to better fit with existing tests and they are now in queue for review/merge.

[bflad]

Support for mutual TLS authentication in the aws_api_gateway_domain_name resource has been merged and will release with version 3.24.0 of the Terraform AWS Provider, later this week. Thank you to @ewbankkit for these various implementations.

Support for disabling the execution API in the aws_api_gateway_rest_api resource can be tracked in #15959, although it will also be finished very shortly as well. 😉

[ghost]

This has been released in version 3.24.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!