Fix Terraform formatting and add TLS 1.2 compliance for HTTPS listener with no certificate

Co-Authored-By: Loren Yu <loren@navapbc.com>

Author: devin-ai-integration[bot]

infra/modules/service/load_balancer.tf

@@ -82,7 +82,7 @@ resource "aws_lb_listener_rule" "http_to_https_redirect" {
 
 resource "aws_lb_listener_rule" "app_http_forward" {
   count = var.certificate_arn == null ? 1 : 0
-  
+
   listener_arn = aws_lb_listener.alb_listener_http.arn
   priority     = 100
 
@@ -124,7 +124,11 @@ resource "aws_lb_listener" "alb_listener_https_no_cert" {
 
   load_balancer_arn = aws_lb.alb.arn
   port              = 443
-  protocol          = "HTTP" # Using HTTP protocol for fixed-response
+  protocol          = "HTTPS"
+  # Use a self-signed certificate for the 503 response
+  certificate_arn = module.domain.certificate_arn
+  # Use security policy that supports TLS 1.3 but requires at least TLS 1.2
+  ssl_policy = "ELBSecurityPolicy-TLS13-1-2-2021-06"
 
   default_action {
     type = "fixed-response"