NHSDigital · stevebux · Mar 23, 2026 · Apr 1, 2026 · Apr 1, 2026 · Apr 2, 2026
@@ -3,4 +3,8 @@ resource "aws_api_gateway_rest_api" "main" {
   body                         = local.openapi_spec
   description                  = "Suppliers API"
   disable_execute_api_endpoint = var.disable_gateway_execute_endpoint
+
+  lifecycle {
+    replace_triggered_by = [terraform_data.rest_api_security_policy]
+  }
 }
@@ -0,0 +1,11 @@
+locals {
+  rest_api_security_policy      = "SecurityPolicy_TLS12_PFS_2025_EDGE"
+  rest_api_endpoint_access_mode = "STRICT"
+}
+
+resource "terraform_data" "rest_api_security_policy" {
+  input = {
+    security_policy      = local.rest_api_security_policy
+    endpoint_access_mode = local.rest_api_endpoint_access_mode
+  }
+}
@@ -7,6 +7,8 @@ locals {
   openapi_spec = templatefile("${path.module}/resources/spec.tmpl.json", {
     APIG_EXECUTION_ROLE_ARN    = aws_iam_role.api_gateway_execution_role.arn
     AWS_REGION                 = var.region
+    SECURITY_POLICY            = local.rest_api_security_policy
+    ENDPOINT_ACCESS_MODE       = local.rest_api_endpoint_access_mode
     AUTHORIZER_LAMBDA_ARN      = module.authorizer_lambda.function_arn
     GET_LETTER_LAMBDA_ARN      = module.get_letter.function_arn
     GET_LETTERS_LAMBDA_ARN     = module.get_letters.function_arn

@@ -307,5 +307,7 @@
         }
       }
     }
-  }
+  },
+  "x-amazon-apigateway-endpoint-access-mode": "${ENDPOINT_ACCESS_MODE}",
+  "x-amazon-apigateway-security-policy": "${SECURITY_POLICY}"
 }
-Original file line number
+Diff line change
@@ Expand Up / @@ -307,5 +307,7 @@ @@
             }
           }
         }
-      }
+      },
+      "x-amazon-apigateway-endpoint-access-mode": "${ENDPOINT_ACCESS_MODE}",
+      "x-amazon-apigateway-security-policy": "${SECURITY_POLICY}"
     }