
apigatewayv2 update-domain-name cannot update TLS version

Open HaaLeo opened this issue 1 year ago • 4 comments

Describe the bug

When running a command like

aws --debug  apigatewayv2 update-domain-name --profile myprofile --domain-name-configurations '[{    "ApiGatewayDomainName": "apiId.execute-api.us-east-1.amazonaws.com",    "CertificateArn": "mycertArn",    "DomainNameStatus": "AVAILABLE",    "EndpointType": "REGIONAL",    "HostedZoneId": "myhostedzoneId",    "SecurityPolicy": "TLS_1_2"}]' --domain-name mydomainname.domain.com

the TLS version is not updated.

The behavior occurs for edge as well as regional APIs.

Expected Behavior

The TLS version is updated to TLS_1_2

Current Behavior

The TLS version is not updated.

Reproduction Steps

aws --debug  apigatewayv2 update-domain-name --profile myprofile --domain-name-configurations '[{    "ApiGatewayDomainName": "apiId.execute-api.us-east-1.amazonaws.com",    "CertificateArn": "mycertArn",    "DomainNameStatus": "AVAILABLE",    "EndpointType": "REGIONAL",    "HostedZoneId": "myhostedzoneId",    "SecurityPolicy": "TLS_1_2"}]' --domain-name mydomainname.domain.com

Possible Solution

No response

Additional Information/Context

The logs:


aws --debug  apigatewayv2 update-domain-name --profile myprofile --domain-name-configurations '[{    "ApiGatewayDomainName": "myApiId.execute-api.us-east-1.amazonaws.com",    "CertificateArn": "arn:aws:acm:us-east-1:myAccountId:certificate/mycertificateId",    "DomainNameStatus": "AVAILABLE",    "EndpointType": "REGIONAL",    "HostedZoneId": "myhostedzoneId",    "SecurityPolicy": "TLS_1_2"}]' --domain-name myhostedZoneId
2022-09-09 11:51:48,235 - MainThread - awscli.clidriver - DEBUG - CLI version: aws-cli/2.7.26 Python/3.10.6 Darwin/21.6.0 source/x86_64
2022-09-09 11:51:48,235 - MainThread - awscli.clidriver - DEBUG - Arguments entered to CLI: ['--debug', 'apigatewayv2', 'update-domain-name', '--profile', 'myprofile', '--domain-name-configurations', '[{    "ApiGatewayDomainName": "myApiId.execute-api.us-east-1.amazonaws.com",    "CertificateArn": "arn:aws:acm:us-east-1:myAccountId:certificate/mycertificateId",    "DomainNameStatus": "AVAILABLE",    "EndpointType": "REGIONAL",    "HostedZoneId": "myhostedzoneId",    "SecurityPolicy": "TLS_1_2"}]', '--domain-name', 'myhostedZoneId']
2022-09-09 11:51:48,305 - MainThread - botocore.hooks - DEBUG - Event building-command-table.main: calling handler 
2022-09-09 11:51:48,305 - MainThread - botocore.hooks - DEBUG - Event building-command-table.main: calling handler 
2022-09-09 11:51:48,305 - MainThread - botocore.hooks - DEBUG - Event building-command-table.main: calling handler >
2022-09-09 11:51:48,305 - MainThread - botocore.hooks - DEBUG - Event building-command-table.main: calling handler 
2022-09-09 11:51:48,305 - MainThread - botocore.hooks - DEBUG - Event building-command-table.main: calling handler 
2022-09-09 11:51:48,305 - MainThread - botocore.hooks - DEBUG - Event building-command-table.main: calling handler 
2022-09-09 11:51:48,305 - MainThread - botocore.hooks - DEBUG - Event building-command-table.main: calling handler 
2022-09-09 11:51:48,305 - MainThread - botocore.hooks - DEBUG - Event building-command-table.main: calling handler >
2022-09-09 11:51:48,305 - MainThread - botocore.hooks - DEBUG - Event building-command-table.main: calling handler 
2022-09-09 11:51:48,306 - MainThread - botocore.loaders - DEBUG - Loading JSON file: /usr/local/Cellar/awscli/2.7.26/libexec/lib/python3.10/site-packages/awscli/data/cli.json
2022-09-09 11:51:48,309 - MainThread - botocore.hooks - DEBUG - Event top-level-args-parsed: calling handler 
2022-09-09 11:51:48,309 - MainThread - botocore.hooks - DEBUG - Event top-level-args-parsed: calling handler 
2022-09-09 11:51:48,309 - MainThread - botocore.hooks - DEBUG - Event top-level-args-parsed: calling handler 
2022-09-09 11:51:48,309 - MainThread - botocore.hooks - DEBUG - Event top-level-args-parsed: calling handler 
2022-09-09 11:51:48,309 - MainThread - botocore.hooks - DEBUG - Event top-level-args-parsed: calling handler 
2022-09-09 11:51:48,309 - MainThread - botocore.hooks - DEBUG - Event top-level-args-parsed: calling handler 
2022-09-09 11:51:48,309 - MainThread - botocore.session - DEBUG - Setting config variable for profile to 'myprofile'
2022-09-09 11:51:48,310 - MainThread - awscli.clidriver - DEBUG - CLI version: aws-cli/2.7.26 Python/3.10.6 Darwin/21.6.0 source/x86_64 prompt/off
2022-09-09 11:51:48,310 - MainThread - awscli.clidriver - DEBUG - Arguments entered to CLI: ['--debug', 'apigatewayv2', 'update-domain-name', '--profile', 'myprofile', '--domain-name-configurations', '[{    "ApiGatewayDomainName": "myApiId.execute-api.us-east-1.amazonaws.com",    "CertificateArn": "arn:aws:acm:us-east-1:myAccountId:certificate/mycertificateId",    "DomainNameStatus": "AVAILABLE",    "EndpointType": "REGIONAL",    "HostedZoneId": "myhostedzoneId",    "SecurityPolicy": "TLS_1_2"}]', '--domain-name', 'myhostedZoneId']
2022-09-09 11:51:48,310 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler 
2022-09-09 11:51:48,310 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler 
2022-09-09 11:51:48,310 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler 
2022-09-09 11:51:48,310 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler 
2022-09-09 11:51:48,310 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler 
2022-09-09 11:51:48,317 - MainThread - botocore.utils - DEBUG - IMDS ENDPOINT: http://169.254.169.254/
2022-09-09 11:51:48,324 - MainThread - botocore.credentials - DEBUG - Skipping environment variable credential check because profile name was explicitly set.
2022-09-09 11:51:48,324 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler 
2022-09-09 11:51:48,324 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler 
2022-09-09 11:51:48,354 - MainThread - botocore.loaders - DEBUG - Loading JSON file: /usr/local/Cellar/awscli/2.7.26/libexec/lib/python3.10/site-packages/awscli/botocore/data/apigatewayv2/2018-11-29/service-2.json
2022-09-09 11:51:48,366 - MainThread - botocore.hooks - DEBUG - Event building-command-table.apigatewayv2: calling handler 
2022-09-09 11:51:48,401 - MainThread - awscli.clidriver - DEBUG - OrderedDict([('domain-name', ), ('domain-name-configurations', ), ('mutual-tls-authentication', )])
2022-09-09 11:51:48,401 - MainThread - botocore.hooks - DEBUG - Event building-argument-table.apigatewayv2.update-domain-name: calling handler 
2022-09-09 11:51:48,401 - MainThread - botocore.hooks - DEBUG - Event building-argument-table.apigatewayv2.update-domain-name: calling handler 
2022-09-09 11:51:48,401 - MainThread - botocore.hooks - DEBUG - Event building-argument-table.apigatewayv2.update-domain-name: calling handler 
2022-09-09 11:51:48,401 - MainThread - botocore.hooks - DEBUG - Event building-argument-table.apigatewayv2.update-domain-name: calling handler 
2022-09-09 11:51:48,447 - MainThread - botocore.loaders - DEBUG - Loading JSON file: /usr/local/Cellar/awscli/2.7.26/libexec/lib/python3.10/site-packages/awscli/botocore/data/apigatewayv2/2018-11-29/paginators-1.json
2022-09-09 11:51:48,447 - MainThread - botocore.hooks - DEBUG - Event building-argument-table.apigatewayv2.update-domain-name: calling handler 
2022-09-09 11:51:48,448 - MainThread - botocore.hooks - DEBUG - Event before-building-argument-table-parser.apigatewayv2.update-domain-name: calling handler >
2022-09-09 11:51:48,448 - MainThread - botocore.hooks - DEBUG - Event before-building-argument-table-parser.apigatewayv2.update-domain-name: calling handler >
2022-09-09 11:51:48,448 - MainThread - botocore.hooks - DEBUG - Event before-building-argument-table-parser.apigatewayv2.update-domain-name: calling handler >
2022-09-09 11:51:48,450 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.apigateway.update-domain-name.domain-name: calling handler 
2022-09-09 11:51:48,450 - MainThread - botocore.hooks - DEBUG - Event process-cli-arg.apigatewayv2.update-domain-name: calling handler 
2022-09-09 11:51:48,450 - MainThread - awscli.arguments - DEBUG - Unpacked value of 'myhostedZoneId' for parameter "domain_name": 'myhostedZoneId'
2022-09-09 11:51:48,450 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.apigateway.update-domain-name.domain-name-configurations: calling handler 
2022-09-09 11:51:48,451 - MainThread - botocore.hooks - DEBUG - Event process-cli-arg.apigatewayv2.update-domain-name: calling handler 
2022-09-09 11:51:48,451 - MainThread - awscli.argprocess - DEBUG - Param domain_name_configurations looks like JSON, not considered for param shorthand.
2022-09-09 11:51:48,451 - MainThread - awscli.arguments - DEBUG - Unpacked value of ['[{    "ApiGatewayDomainName": "myApiId.execute-api.us-east-1.amazonaws.com",    "CertificateArn": "arn:aws:acm:us-east-1:myAccountId:certificate/mycertificateId",    "DomainNameStatus": "AVAILABLE",    "EndpointType": "REGIONAL",    "HostedZoneId": "myhostedzoneId",    "SecurityPolicy": "TLS_1_2"}]'] for parameter "domain_name_configurations": [OrderedDict([('ApiGatewayDomainName', 'myApiId.execute-api.us-east-1.amazonaws.com'), ('CertificateArn', 'arn:aws:acm:us-east-1:myAccountId:certificate/mycertificateId'), ('DomainNameStatus', 'AVAILABLE'), ('EndpointType', 'REGIONAL'), ('HostedZoneId', 'myhostedzoneId'), ('SecurityPolicy', 'TLS_1_2')])]
2022-09-09 11:51:48,452 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.apigateway.update-domain-name.mutual-tls-authentication: calling handler 
2022-09-09 11:51:48,453 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.apigateway.update-domain-name.cli-input-json: calling handler 
2022-09-09 11:51:48,453 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.apigateway.update-domain-name.cli-input-yaml: calling handler 
2022-09-09 11:51:48,453 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.apigateway.update-domain-name.generate-cli-skeleton: calling handler 
2022-09-09 11:51:48,453 - MainThread - botocore.hooks - DEBUG - Event calling-command.apigatewayv2.update-domain-name: calling handler >
2022-09-09 11:51:48,453 - MainThread - botocore.hooks - DEBUG - Event calling-command.apigatewayv2.update-domain-name: calling handler >
2022-09-09 11:51:48,453 - MainThread - botocore.hooks - DEBUG - Event calling-command.apigatewayv2.update-domain-name: calling handler >
2022-09-09 11:51:48,454 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: assume-role
2022-09-09 11:51:48,454 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: assume-role-with-web-identity
2022-09-09 11:51:48,454 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: sso
2022-09-09 11:51:48,455 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: shared-credentials-file
2022-09-09 11:51:48,456 - MainThread - botocore.credentials - INFO - Found credentials in shared credentials file: ~/.aws/credentials
2022-09-09 11:51:48,458 - MainThread - botocore.loaders - DEBUG - Loading JSON file: /usr/local/Cellar/awscli/2.7.26/libexec/lib/python3.10/site-packages/awscli/botocore/data/endpoints.json
2022-09-09 11:51:48,470 - MainThread - botocore.hooks - DEBUG - Event choose-service-name: calling handler 
2022-09-09 11:51:48,472 - MainThread - botocore.hooks - DEBUG - Event creating-client-class.apigatewayv2: calling handler 
2022-09-09 11:51:48,475 - MainThread - botocore.endpoint - DEBUG - Setting apigateway timeout as (60, 60)
2022-09-09 11:51:48,476 - MainThread - botocore.hooks - DEBUG - Event provide-client-params.apigatewayv2.UpdateDomainName: calling handler 
2022-09-09 11:51:48,477 - MainThread - botocore.hooks - DEBUG - Event before-parameter-build.apigatewayv2.UpdateDomainName: calling handler 
2022-09-09 11:51:48,477 - MainThread - botocore.hooks - DEBUG - Event before-call.apigatewayv2.UpdateDomainName: calling handler 
2022-09-09 11:51:48,477 - MainThread - botocore.endpoint - DEBUG - Making request for OperationModel(name=UpdateDomainName) with params: {'url_path': '/v2/domainnames/myhostedZoneId', 'query_string': {}, 'method': 'PATCH', 'headers': {'Content-Type': 'application/json', 'User-Agent': 'aws-cli/2.7.26 Python/3.10.6 Darwin/21.6.0 source/x86_64 prompt/off command/apigatewayv2.update-domain-name'}, 'body': b'{"domainNameConfigurations": [{"apiGatewayDomainName": "myApiId.execute-api.us-east-1.amazonaws.com", "certificateArn": "arn:aws:acm:us-east-1:myAccountId:certificate/mycertificateId", "domainNameStatus": "AVAILABLE", "endpointType": "REGIONAL", "hostedZoneId": "myhostedzoneId", "securityPolicy": "TLS_1_2"}]}', 'url': 'https://apigateway.us-east-1.amazonaws.com/v2/domainnames/myhostedZoneId', 'context': {'client_region': 'us-east-1', 'client_config': , 'has_streaming_input': False, 'auth_type': None}}
2022-09-09 11:51:48,477 - MainThread - botocore.hooks - DEBUG - Event request-created.apigatewayv2.UpdateDomainName: calling handler >
2022-09-09 11:51:48,478 - MainThread - botocore.hooks - DEBUG - Event choose-signer.apigatewayv2.UpdateDomainName: calling handler 
2022-09-09 11:51:48,479 - MainThread - botocore.credentials - DEBUG - Credentials for role retrieved from cache.
2022-09-09 11:51:48,479 - MainThread - botocore.credentials - DEBUG - Retrieved credentials will expire at: 2022-09-09 10:36:47+00:00
2022-09-09 11:51:48,480 - MainThread - botocore.auth - DEBUG - Calculating signature using v4 auth.
2022-09-09 11:51:48,480 - MainThread - botocore.auth - DEBUG - CanonicalRequest:
PATCH
/v2/domainnames/myhostedZoneId

content-type:application/json
host:apigateway.us-east-1.amazonaws.com
x-amz-date:20220909T095148Z
x-amz-security-token:mysecuritytoken

content-type;host;x-amz-date;x-amz-security-token
mysecuritytoken
2022-09-09 11:51:48,480 - MainThread - botocore.auth - DEBUG - StringToSign:
AWS4-HMAC-SHA256
20220909T095148Z
20220909/us-east-1/apigateway/aws4_request
0e5701de4b3ebbb6e72c4c596873448e922ac287b93e71fd2ee18d4e066c460e
2022-09-09 11:51:48,480 - MainThread - botocore.auth - DEBUG - Signature:
mysignature
2022-09-09 11:51:48,480 - MainThread - botocore.endpoint - DEBUG - Sending http request: <AWSPreparedRequest stream_output=False, method=PATCH, url=https://apigateway.us-east-1.amazonaws.com/v2/domainnames/myhostedZoneId, headers={'Content-Type': b'application/json', 'User-Agent': b'aws-cli/2.7.26 Python/3.10.6 Darwin/21.6.0 source/x86_64 prompt/off command/apigatewayv2.update-domain-name', 'X-Amz-Date': b'20220909T095148Z', 'X-Amz-Security-Token': b'mysecuritytoken', 'Authorization': b'AWS4-HMAC-SHA256 Credential=credentials/20220909/us-east-1/apigateway/aws4_request, SignedHeaders=content-type;host;x-amz-date;x-amz-security-token, Signature=mysignature', 'Content-Length': '337'}>
2022-09-09 11:51:48,480 - MainThread - botocore.httpsession - DEBUG - Certificate path: /usr/local/Cellar/awscli/2.7.26/libexec/lib/python3.10/site-packages/awscli/botocore/cacert.pem
2022-09-09 11:51:48,481 - MainThread - urllib3.connectionpool - DEBUG - Starting new HTTPS connection (1): apigateway.us-east-1.amazonaws.com:443
2022-09-09 11:51:49,655 - MainThread - urllib3.connectionpool - DEBUG - https://apigateway.us-east-1.amazonaws.com:443 "PATCH /v2/domainnames/myhostedZoneId HTTP/1.1" 200 586
2022-09-09 11:51:49,656 - MainThread - botocore.parsers - DEBUG - Response headers: {'Date': 'Fri, 09 Sep 2022 09:51:49 GMT', 'Content-Type': 'application/json', 'Content-Length': '586', 'Connection': 'keep-alive', 'x-amzn-RequestId': 'myrequestId', 'x-amzn-Remapped-x-amzn-RequestId': '472d8e70-fcce-4d00-a6ab-cde67bd2db99', 'Access-Control-Allow-Origin': '*', 'x-amzn-Remapped-Content-Length': '430', 'x-amzn-Remapped-Connection': 'keep-alive', 'x-amz-apigw-id': 'YL7sUGMnoAMF-0g=', 'Access-Control-Expose-Headers': 'x-amzn-RequestId,x-amzn-ErrorType,x-amzn-ErrorMessage,Date', 'X-Amzn-Trace-Id': 'Root=1-631b0cb5-796300c03b4083ed1376e68b', 'x-amzn-Remapped-Date': 'Fri, 09 Sep 2022 09:51:49 GMT'}
2022-09-09 11:51:49,656 - MainThread - botocore.parsers - DEBUG - Response body: b'{"domainName":"myhostedZoneId","domainNameConfigurations":[{"endpointType":"REGIONAL","certificateName":null,"certificateArn":"arn:aws:acm:us-east-1:myAccountId:certificate/mycertificateId","ownershipVerificationCertificateArn":null,"apiGatewayDomainName":"myApiId.execute-api.us-east-1.amazonaws.com","hostedZoneId":"myhostedzoneId","certificateUploadDate":null,"securityPolicy":"TLS_1_0","domainNameStatus":"AVAILABLE","domainNameStatusMessage":null}],"apiMappingSelectionExpression":"$request.basepath","tags":{},"mutualTlsAuthentication":null}'
2022-09-09 11:51:49,656 - MainThread - botocore.hooks - DEBUG - Event needs-retry.apigatewayv2.UpdateDomainName: calling handler <bound method RetryHandler.needs_retry of <botocore.retries.standard.RetryHandler object at 0x1123db340>>
2022-09-09 11:51:49,656 - MainThread - botocore.retries.standard - DEBUG - Not retrying request.
2022-09-09 11:51:49,656 - MainThread - botocore.hooks - DEBUG - Event after-call.apigatewayv2.UpdateDomainName: calling handler <bound method RetryQuotaChecker.release_retry_quota of <botocore.retries.standard.RetryQuotaChecker object at 0x1123da860>>
2022-09-09 11:51:49,656 - MainThread - awscli.formatter - DEBUG - RequestId: myrequestId

CLI version used

aws-cli/2.7.26 Python/3.10.6 Darwin/21.6.0 source/x86_64 prompt/off

Environment details (OS name and version, etc.)

macOS Monterey 12.5.1

HaaLeo, Sep 09 '22 10:09

Hi @HaaLeo thanks for reaching out. Per this documentation in the API Gateway developer guide it says to allow up to 60 minutes for the update to complete. Can you confirm that the TLS version was still not updated after that timeframe?

tim-finnigan, Sep 09 '22 16:09

I want to contribute to this issue. So, can you please assign me this issue? It would be very helpful for my academics. @HaaLeo @tim-finnigan @greut @garnaat @mmcgrana

sharmadhiraj86, Sep 11 '22 08:09

@tim-finnigan I can confirm that also after the 60 minutes nothing changed. Also, after I send the CLI request and navigate to that custom domain in the AWS console in the browser, I cannot see any hint that changes are going on. When changing the TLS version in the browser I see a spinner and it says it is "modifying".

HaaLeo, Sep 13 '22 07:09

@HaaLeo are you using the same region in your console as you have configured with the AWS CLI? What is the status when you run get-domain-name? If this still isn't working then I recommend reaching out to AWS Support to help with issues that may relate to a specific account.

tim-finnigan, Sep 19 '22 17:09

Since we haven't heard back here in over a month I'm going to close this issue. Please refer to the comment above if you're still experiencing the issue. Thanks!

tim-finnigan, Nov 10 '22 22:11
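The debug log in this issue shows an HTTP 200 whose body still reports `TLS_1_0`, so a successful exit code alone does not prove the minimum TLS version changed. As an added example (not code from the aws-cli project or from anyone in this thread), the check below compares the requested `SecurityPolicy` with what an `update-domain-name` or `get-domain-name` response reports; the function names and the `PENDING` verdict for a domain that is not yet `AVAILABLE` are assumptions made for the example.

```python
import json

# Response body copied from the debug log in this issue (the reporter's
# redaction placeholders are kept); REQUESTED mirrors the CLI argument.
REQUESTED = [{"EndpointType": "REGIONAL", "SecurityPolicy": "TLS_1_2"}]
RESPONSE_BODY = (
    '{"domainName":"myhostedZoneId","domainNameConfigurations":[{'
    '"endpointType":"REGIONAL","certificateName":null,'
    '"certificateArn":"arn:aws:acm:us-east-1:myAccountId:certificate/mycertificateId",'
    '"ownershipVerificationCertificateArn":null,'
    '"apiGatewayDomainName":"myApiId.execute-api.us-east-1.amazonaws.com",'
    '"hostedZoneId":"myhostedzoneId","certificateUploadDate":null,'
    '"securityPolicy":"TLS_1_0","domainNameStatus":"AVAILABLE",'
    '"domainNameStatusMessage":null}],'
    '"apiMappingSelectionExpression":"$request.basepath","tags":{},'
    '"mutualTlsAuthentication":null}'
)


def _field(mapping, name):
    """Case-insensitive lookup: CLI output is PascalCase, the wire is camelCase."""
    for key, value in mapping.items():
        if key.lower() == name.lower():
            return value
    return None


def audit_security_policy(requested, response):
    """Compare each requested configuration with what the service reports.

    Verdicts: APPLIED, PENDING (differs, domain not yet AVAILABLE),
    NOT_APPLIED (differs on an AVAILABLE domain), MISSING.
    """
    if isinstance(response, (str, bytes)):
        response = json.loads(response)
    reported = {
        _field(cfg, "endpointType"): cfg
        for cfg in _field(response, "domainNameConfigurations") or []
    }
    findings = []
    for want in requested:
        endpoint = _field(want, "endpointType")
        wanted = _field(want, "securityPolicy")
        got = reported.get(endpoint)
        actual = _field(got, "securityPolicy") if got else None
        status = _field(got, "domainNameStatus") if got else None
        if got is None:
            verdict = "MISSING"
        elif actual == wanted:
            verdict = "APPLIED"
        elif status != "AVAILABLE":
            verdict = "PENDING"
        else:
            verdict = "NOT_APPLIED"
        findings.append({"endpointType": endpoint, "requested": wanted,
                         "reported": actual, "status": status, "verdict": verdict})
    return findings
```

Feeding it the saved JSON output of `get-domain-name` after the propagation window gives a pass/fail result that can gate a deployment instead of relying on the console.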
