
Add an example of setting up HTTPS on ApplicationLoadBalancedFargateService


An example showing the recommended way of enabling HTTPS on an ApplicationLoadBalancedFargateService.

Use Case

I am having issues enabling HTTPS in my ApplicationLoadBalancedFargateService. I have been digging through many issues and StackOverflow issues and trying to wrap my head around all the possible configurations. Should I add a certificate to the service directly? Then I need to set up domains. Should I create an entirely new ApplicationLoadBalancer? Should I add a listener for 443 in the loadBalancer property?

There is no clear path and the documentation is somewhat inconsistent as to how to do it.

  • 👋 I may be able to implement this feature request
  • ⚠️ This feature might incur a breaking change

This is a 🚀 Feature Request

Issue Analytics

  • State: open
  • Created 3 years ago
  • Reactions: 10
  • Comments: 18 (3 by maintainers)

Top GitHub Comments

6 reactions
sprightbot commented, Aug 24, 2021

If you wanted to add a certificate to this pattern, you first need to create a certificate construct in the constructor:

    // imports go at the top of the stack file (CDK v1 module layout)
    import { Certificate, CertificateValidation } from '@aws-cdk/aws-certificatemanager';

    const cert = new Certificate(this, "MyCertificate", {
      domainName: 'example.com',
      subjectAlternativeNames: ['*.example.com'],
      validation: CertificateValidation.fromDns(), // ACM issues a CNAME you must publish in DNS
    });

Then in the properties of the ecs pattern add the certificate and redirectHTTP (optional, but recommended) properties.

    import * as ecs from '@aws-cdk/aws-ecs';
    import * as ecs_patterns from '@aws-cdk/aws-ecs-patterns';

    // `cluster` is an ecs.Cluster created earlier in the stack; `cert` is the Certificate above
    new ecs_patterns.ApplicationLoadBalancedFargateService(this, "MyFargateService", {
      cluster: cluster, // Required
      cpu: 256, // Default is 256
      desiredCount: 1, // Default is 1
      taskImageOptions: { image: ecs.ContainerImage.fromRegistry("amazon/amazon-ecs-sample") },
      memoryLimitMiB: 512, // Default is 512
      publicLoadBalancer: true, // Default is true
      certificate: cert, // attaching a certificate makes the listener HTTPS on port 443
      redirectHTTP: true, // adds an HTTP:80 listener whose only action is a redirect to HTTPS
    });

That's it!

In this example, I'm not using an AWS hosted zone, so when this deploys the certificate will be stuck in a pending state. You will need to go to AWS Certificate Manager, open the certificate and copy and paste the CNAME to your DNS provider.

If you wanted to add an AWS Hosted zone, you can create one by adding the following construct to the constructor:

    import { PublicHostedZone } from '@aws-cdk/aws-route53';

    const hostedzone = new PublicHostedZone(this, "myHostedZone", {
      zoneName: 'example.org',
    });

Then in AWS Certificate manager, open the certificate and there’s a blue button that you click that will create the record for you. Don’t forget to delegate to your hosted zone from your DNS provider or else you’ll be in the pending waiting room.

Hope this helps!

3 reactions
sprightbot commented, Feb 19, 2022

Nice! You’re almost there. For the HTTPS piece you need to make the certificate and attach it to the service and cloudfront. Note that Cloudfront is based in us-east-1, so your certificate for cloudfront must be in us-east-1. (You can also make a crossZoneDNS cert… search for DnsValidatedCertificate in the @aws-cdk/aws-certificatemanager library)

Assuming that you’re creating this in us-east-1, you can first create your cert:

    import { Certificate, CertificateValidation } from '@aws-cdk/aws-certificatemanager';

    const cert = new Certificate(this, "MyCertificate", {
      domainName: 'mycoolservice.com',
      subjectAlternativeNames: ['*.mycoolservice.com'],
      validation: CertificateValidation.fromDns(),
    });

Then on your ApplicationLoadBalancedFargateService add the certificate property. Then add the certificate and domainName property to your cloud front. Also make sure to add allowedMethods and viewerProtocolPolicy otherwise cloudfront won’t forward your requests on.

    import { AllowedMethods, Distribution, ViewerProtocolPolicy } from '@aws-cdk/aws-cloudfront';
    import { LoadBalancerV2Origin } from '@aws-cdk/aws-cloudfront-origins';

    // `app` is the ApplicationLoadBalancedFargateService; `cert` is the us-east-1 certificate above
    const cloudFront = new Distribution(this, "CloudFrontDistribution", {
      defaultBehavior: {
        origin: new LoadBalancerV2Origin(app.loadBalancer),
        allowedMethods: AllowedMethods.ALLOW_GET_HEAD_OPTIONS,
        viewerProtocolPolicy: ViewerProtocolPolicy.ALLOW_ALL,
      },
      // the certificate and domain names belong to the distribution, not to the behavior
      certificate: cert,
      domainNames: ['mycoolservice.com'],
    });

That should get you set up on whatever domain name you pick. Make sure you have the proper delegation/own the zone, and if the zone is hosted by google, or some other provider, that you can add the certificate validation CNAME, otherwise cloudformation will hang forever (3 hrs, but feels like forever). Recommend creating the route53 hostedZone in aws and then let certificate manager create the records for you. Then all you need to do is delegate to that hosted zone and you’re good to go.

Also I was able to find an example write up which is pretty similar to this here: https://enlear.academy/aws-cdk-a-beginners-guide-with-examples-424c600ac409

The big difference I see here is that they terminate SSL at CloudFront. Doing the above terminates at the ALB. Not sure how important that is to ya, but /shrug.
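As an added check (my own code, not from the CDK project or either comment): after `cdk synth`, the synthesized template can be inspected for the wiring both comments describe, namely the :443 listener carrying the certificate, the :80 redirect that redirectHTTP adds, and, when a CloudFront distribution is present, a viewer protocol policy that forces HTTPS (stricter than the ALLOW_ALL used in the comment above). The embedded template is constructed, not real synth output; `checkTemplateFile` is assumed to be pointed at cdk.out/<Stack>.template.json.

```typescript
import { readFileSync } from 'node:fs';

// Constructed types covering only the template fields the check reads.
type Resource = { Type: string; Properties?: Record<string, any> };
type Template = { Resources: Record<string, Resource> };

interface HttpsFindings {
  httpsListenerWithCert: boolean;        // a :443 listener with Protocol HTTPS and a certificate
  httpRedirectsToHttps: boolean;         // the :80 listener's only job is a redirect to HTTPS
  cloudFrontForcesHttps: boolean | null; // null when the template has no CloudFront distribution
}

// Walk every resource in a synthesized template and report the HTTPS wiring it contains.
function checkHttps(tpl: Template): HttpsFindings {
  const res = Object.values(tpl.Resources);
  const listeners = res.filter(r => r.Type === 'AWS::ElasticLoadBalancingV2::Listener');
  const https = listeners.find(l => l.Properties?.Port === 443);
  const http = listeners.find(l => l.Properties?.Port === 80);
  const certs = https?.Properties?.Certificates;
  const httpsOk = https?.Properties?.Protocol === 'HTTPS' && Array.isArray(certs) && certs.length > 0;
  const action = http?.Properties?.DefaultActions?.[0];
  const redirectOk = action?.Type === 'redirect'
    && action.RedirectConfig?.Protocol === 'HTTPS' && action.RedirectConfig?.Port === '443';
  const dists = res.filter(r => r.Type === 'AWS::CloudFront::Distribution');
  const cfOk = dists.length === 0 ? null : dists.every(d => {
    const cfg = d.Properties?.DistributionConfig;
    const policy = cfg?.DefaultCacheBehavior?.ViewerProtocolPolicy;
    // 'allow-all' (ViewerProtocolPolicy.ALLOW_ALL) fails here: require a redirect or HTTPS-only
    return (policy === 'redirect-to-https' || policy === 'https-only')
      && typeof cfg?.ViewerCertificate?.AcmCertificateArn !== 'undefined';
  });
  return { httpsListenerWithCert: !!httpsOk, httpRedirectsToHttps: !!redirectOk, cloudFrontForcesHttps: cfOk };
}

// Run against real synth output, e.g. checkTemplateFile('cdk.out/MyStack.template.json').
function checkTemplateFile(path: string): HttpsFindings {
  return checkHttps(JSON.parse(readFileSync(path, 'utf8')));
}

// Constructed sample with the shape the pattern emits for certificate + redirectHTTP:
// an HTTPS:443 listener referencing the certificate and an HTTP:80 listener that only redirects.
const sampleTemplate: Template = { Resources: {
  HttpsListener: { Type: 'AWS::ElasticLoadBalancingV2::Listener', Properties: {
    Port: 443, Protocol: 'HTTPS', Certificates: [{ CertificateArn: { Ref: 'MyCertificate' } }],
    DefaultActions: [{ Type: 'forward', TargetGroupArn: { Ref: 'ServiceTargetGroup' } }] } },
  HttpListener: { Type: 'AWS::ElasticLoadBalancingV2::Listener', Properties: {
    Port: 80, Protocol: 'HTTP',
    DefaultActions: [{ Type: 'redirect',
      RedirectConfig: { Protocol: 'HTTPS', Port: '443', StatusCode: 'HTTP_301' } }] } },
} };
```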
