SAM Deploy fails for Regional API Gateway while upgrading SecurityPolicy to TLS1.3 #9007

@gruthirappan-uturn

Description:

We are trying to upgrade the Regional API Gateway security policy from TLS1.0 to TLS1.3 using sam deploy with the latest sam version.

Steps to reproduce:

We are using the below command and sam template to update the security policy.

Command:

```
sam deploy "--stack-name", $StackName,
    "--parameter-overrides", "Env=$Env", "EnvLower=$EnvLower",
    "--capabilities", "CAPABILITY_NAMED_IAM",
    "--no-fail-on-empty-changeset",
    "--region", "us-east-1",
```

```yaml
Type: AWS::Serverless::Api
Properties:
  Name: XXXXXXXXXXXXX
  StageName: !Ref Env
  EndpointConfiguration: REGIONAL
  TracingEnabled: true
  SecurityPolicy: SecurityPolicy_TLS13_1_2_2021_06
```

Observed result:

Resource handler returned message: "Endpoint access mode is required for the specified security policy (Service: ApiGateway, Status Code: 400, Request ID: XXXXXXXXXXX) (SDK Attempt Count: 1)" (RequestToken: XXXXXXXXXXXXXXXXX, HandlerErrorCode: InvalidRequest)

Expected result:

We should be able to update the API Gateway to TLS version

Additional environment details (Ex: Windows, Mac, Amazon Linux etc)

  1. OS: Linux
  2. sam --version: latest
  3. AWS region: us-east-1
