resource/api_gateway_domain_name: Add support for security_policy

Fixes: #9100

aws/resource_aws_api_gateway_domain_name.go

@@ -61,6 +61,16 @@ func resourceAwsApiGatewayDomainName() *schema.Resource {
 				ForceNew: true,
 			},
 
+			"security_policy": {
+				Type:     schema.TypeString,
+				Optional: true,
+				Computed: true,
+				ValidateFunc: validation.StringInSlice([]string{
+					apigateway.SecurityPolicyTls10,
+					apigateway.SecurityPolicyTls12,
+				}, true),
+			},
+
 			"certificate_arn": {
 				Type:          schema.TypeString,
 				Optional:      true,
@@ -173,6 +183,10 @@ func resourceAwsApiGatewayDomainNameCreate(d *schema.ResourceData, meta interfac
 		params.RegionalCertificateName = aws.String(v.(string))
 	}
 
+	if v, ok := d.GetOk("security_policy"); ok && v.(string) != "" {
+		params.SecurityPolicy = aws.String(v.(string))
+	}
+
 	domainName, err := conn.CreateDomainName(params)
 	if err != nil {
 		return fmt.Errorf("Error creating API Gateway Domain Name: %s", err)
@@ -208,6 +222,7 @@ func resourceAwsApiGatewayDomainNameRead(d *schema.ResourceData, meta interface{
 	d.Set("cloudfront_domain_name", domainName.DistributionDomainName)
 	d.Set("cloudfront_zone_id", cloudFrontRoute53ZoneID)
 	d.Set("domain_name", domainName.DomainName)
+	d.Set("security_policy", domainName.SecurityPolicy)
 
 	if err := d.Set("endpoint_configuration", flattenApiGatewayEndpointConfiguration(domainName.EndpointConfiguration)); err != nil {
 		return fmt.Errorf("error setting endpoint_configuration: %s", err)
@@ -256,6 +271,14 @@ func resourceAwsApiGatewayDomainNameUpdateOperations(d *schema.ResourceData) []*
 		})
 	}
 
+	if d.HasChange("security_policy") {
+		operations = append(operations, &apigateway.PatchOperation{
+			Op:    aws.String("replace"),
+			Path:  aws.String("/securityPolicy"),
+			Value: aws.String(d.Get("security_policy").(string)),
+		})
+	}
+
 	if d.HasChange("endpoint_configuration.0.types") {
 		// The domain name must have an endpoint type.
 		// If attempting to remove the configuration, do nothing.

aws/resource_aws_api_gateway_domain_name_test.go

@@ -45,6 +45,7 @@ func TestAccAWSAPIGatewayDomainName_CertificateArn(t *testing.T) {
 					resource.TestCheckResourceAttrSet(resourceName, "cloudfront_domain_name"),
 					resource.TestCheckResourceAttr(resourceName, "cloudfront_zone_id", "Z2FDTNDATAQYW2"),
 					resource.TestCheckResourceAttr(resourceName, "domain_name", rName),
+					resource.TestCheckResourceAttr(resourceName, "security_policy", "TLS_1_2"),
 				),
 			},
 		},
@@ -293,6 +294,7 @@ func testAccAWSAPIGatewayDomainNameConfig_CertificateArn(domainName, certificate
 resource "aws_api_gateway_domain_name" "test" {
   domain_name     = "%s"
   certificate_arn = "%s"
+  security_policy = "TLS_1_2"
 
   endpoint_configuration {
     types = ["EDGE"]

website/docs/r/api_gateway_domain_name.html.markdown

@@ -148,6 +148,7 @@ The following arguments are supported:
 
 * `domain_name` - (Required) The fully-qualified domain name to register
 * `endpoint_configuration` - (Optional) Configuration block defining API endpoint information including type. Defined below.
+* `security_policy` - (Optional) The Transport Layer Security (TLS) version + cipher suite for this DomainName. The valid values are `TLS_1_0` and `TLS_1_2`.
 
 When referencing an AWS-managed certificate, the following arguments are supported: