Add support for mTLS with certificates from third-party CAs in API Gateway #20582
Comments
I stumbled on this a couple of days ago. It seems that domain validation configuration partially supports the usage of Private CA certificates, but the Terraform resource is missing an extra parameter required to do so. While creating the api gateway domain name resource using a PCA ACM certificate, I kept receiving the below error: error creating API Gateway v2 domain name: BadRequestException: Missing ownershipVerificationCertificate. To use an imported or private certificate for the domain name, ownershipVerificationCertificate is required. After a bit of searching in the CFN Domain Name Configuration documentation, I found this. I could gladly submit a PR to get this added.
@HebertCL Yes, that is the missing part to be added for both API Gateway v1 & v2. Would be appreciated if you can help!
I realized yesterday after adding my comment that while you're talking about api gateway I was using as reference api gateway v2. That shouldn't be a problem, I'll work on adding the field for both. Hope to share a PR to add those shortly.
@HebertCL, are you still planning to raise a PR for these changes? I've had to implement this for a project so I think I'm largely ready but happy to hold off if you're good to go.
Hey @PsypherPunk! Apologies for the long silence here, I made good progress (got stuck trying to figure out some gotchas with acceptance tests), but then I realized I didn't need this in the project I was working on and got really busy getting that project done (which I still am busy unfortunately :( ).
Marking this issue as stale due to inactivity. This helps our maintainers find and focus on the active issues. If this issue receives no comments in the next 30 days it will automatically be closed. Maintainers can also remove the stale label. If this issue was automatically closed and you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thank you!
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
Description
API Gateway now supports mutual TLS with certificates from third-party CAs: https://aws.amazon.com/about-aws/whats-new/2021/08/amazon-api-gateway-now-supports-mutual-tls-certificates-from-third-party-cas-and-acm-private-ca/
aws_api_gateway_domain_name already supports mutual_tls_authentication. The feature is to add support for certificates from third-party CAs.
New or Affected Resource(s)
References
https://aws.amazon.com/about-aws/whats-new/2021/08/amazon-api-gateway-now-supports-mutual-tls-certificates-from-third-party-cas-and-acm-private-ca/