
Importing Certificate and non-route53 host

Open chrisschaub opened this issue 1 year ago • 13 comments

I have followed the instructions here https://aws.github.io/copilot-cli/blogs/release-v118/#certificate-import, and they work. Is there any way to "annotate" the certificate import in the manifest for the app or env? Adding a host alias and cert using

copilot env init --import-cert-arns

is fine, but it does not seem to reflect in any manifest, sort of a one off to add a foreign cert? Maybe it does and I don't see it.

chrisschaub avatar Jan 11 '24 18:01 chrisschaub

Hello @chrisschaub

but it does not seem to reflect in any manifest

It can actually be reflected in your env manifest. Can you check this out? If not, what's your local binary version?

iamhopaul123 avatar Jan 11 '24 18:01 iamhopaul123

Thanks. So import the cert in the env, but don't specify any "alias" for this cert -- just use a cname to the default hosted zone since the cert will be there?

chrisschaub avatar Jan 11 '24 19:01 chrisschaub

so when you import a cert in the env, we won't make any substantial changes to the cert or hosted zone. You would need to configure them yourselves.

iamhopaul123 avatar Jan 11 '24 19:01 iamhopaul123

I had to manually add the non route-53 alias to the load balancer, can I specify an alias in the manifest as well? So far that has caused errors.

chrisschaub avatar Jan 11 '24 19:01 chrisschaub

yeah you can specify the alias and the hosted zone so that Copilot would know which one to add the A-record to https://aws.github.io/copilot-cli/docs/manifest/lb-web-service/#http-alias

iamhopaul123 avatar Jan 11 '24 20:01 iamhopaul123

But what if it's not a hosted zone ? A foreign non-route53 cname?

chrisschaub avatar Jan 11 '24 20:01 chrisschaub

Then you would have to manage the record yourself...there's no way Copilot can manage non-aws resources.

iamhopaul123 avatar Jan 11 '24 20:01 iamhopaul123

I can manually add an alias to the load balancer. Why can't copilot do that?


chrisschaub avatar Jan 11 '24 20:01 chrisschaub

I can manually add an alias to the load balancer. Why can't copilot do that?

That's exactly what Copilot would do - adding the alias to the ALB listener as a routing rule. It's just that we normally also add an A-record for the ALB, but we won't do this part when you import a cert to an env.

iamhopaul123 avatar Jan 11 '24 20:01 iamhopaul123

I don't want copilot to "manage" non-aws resources. But if I specify a certificate that it can find in aws certificate manager, it should add it to the ALB. It looks like with additional_rules I can add an alias that is not in aws dns https://aws.github.io/copilot-cli/docs/manifest/lb-web-service/? All I'm trying to do is:

  1. Add an additional certificate in a manifest that supports a non-aws domain.
  2. Add an "alias" in that ALB to support the non-aws domain.

I want all of this specified in the manifest, just in case the ALB gets re-created. Otherwise we'd have downtime.


chrisschaub avatar Jan 12 '24 14:01 chrisschaub

Hello @chrisschaub. The ALB won't get recreated. Assuming your alias, for example, some-domain-in-use.com is not in route53, all you would need to do is

  1. Specify the certificate you created and validated in your env manifest
  2. Run copilot env deploy to deploy the environment
  3. Specify some-domain-in-use.com in your service manifest
  4. Run copilot svc deploy to deploy the service

At this stage, some-domain-in-use.com is still in production because the domain points to some other existing infrastructure. The very last step, you would need to configure the record for some-domain-in-use.com externally to point to the ALB DNS name.

iamhopaul123 avatar Jan 12 '24 18:01 iamhopaul123

Where would you specify the domain in the service manifest?

chrisschaub avatar Jan 12 '24 18:01 chrisschaub

It is http.alias. Under the hood, when there are imported certs for the env the svc is deployed to, we just add it to the ALB instead of writing any A-record.

iamhopaul123 avatar Jan 12 '24 18:01 iamhopaul123
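The four-step procedure above and the http.alias answer, as one added example that is not code from the copilot-cli project or from anyone in this thread. It writes the two manifest edits (env manifest importing the cert, service manifest carrying the alias) and, before any deploy, checks offline that the certificate's Subject Alternative Names actually cover the alias, since Copilot only attaches the cert and the listener rule and will happily serve a cert the browser rejects for that host. The environment name "prod", service name "api", workspace directory, certificate ARN and the SAN list are all assumptions; the SAN list is constructed to look like what aws acm describe-certificate returns. The coverage check is general: it applies the usual TLS hostname rule (exact match or a single leftmost-label wildcard), so it also catches a "*.example.com" cert being used for "example.com" or "a.b.example.com".

```shell
#!/bin/sh
# Added example; not code from the copilot-cli project or from this thread.
# Stages the env and service manifest edits and checks, offline, that the
# imported certificate's SANs cover the alias before anything is deployed.
set -eu

APP_DIR="${APP_DIR:-$(mktemp -d)}"   # hypothetical copilot workspace (assumption)
ENV_NAME="prod"                       # hypothetical environment name (assumption)
SVC_NAME="api"                        # hypothetical service name (assumption)
ALIAS="some-domain-in-use.com"        # alias from the thread; its DNS is outside Route 53
# Placeholder ARN (assumption); replace with the ARN of your validated ACM cert.
CERT_ARN="arn:aws:acm:us-east-1:123456789012:certificate/00000000-0000-0000-0000-000000000000"

# Steps 1 and 3: env manifest imports the cert, service manifest sets http.alias.
# Copilot attaches the cert to the env ALB's HTTPS listener and adds the alias
# as a listener rule; with an imported cert it writes no DNS record at all.
write_manifests() {
  mkdir -p "$APP_DIR/copilot/environments/$ENV_NAME" "$APP_DIR/copilot/$SVC_NAME"
  cat > "$APP_DIR/copilot/environments/$ENV_NAME/manifest.yml" <<EOF
name: $ENV_NAME
type: Environment
http:
  public:
    certificates:
      - $CERT_ARN
EOF
  cat > "$APP_DIR/copilot/$SVC_NAME/manifest.yml" <<EOF
name: $SVC_NAME
type: Load Balanced Web Service
http:
  path: '/'
  alias: $ALIAS
image:
  build: Dockerfile
  port: 80
EOF
}

# Return 0 if the alias (first arg) is covered by one of the SANs (remaining
# args) under the standard TLS hostname rule: exact match, or a leftmost-label
# wildcard. "*.example.com" covers "www.example.com" but not "example.com"
# or "a.b.example.com". If this fails, browsers will reject the ALB's cert.
alias_covered_by_cert() {
  alias_name="$1"; shift
  for san in "$@"; do
    [ "$san" = "$alias_name" ] && return 0
    case "$san" in
      \*.*)
        suffix="${san#\*.}"
        label="${alias_name%.$suffix}"
        # suffix matched (label changed) and the remainder is exactly one label
        if [ "$label" != "$alias_name" ] && [ -n "$label" ] && [ "${label%%.*}" = "$label" ]; then
          return 0
        fi
        ;;
    esac
  done
  return 1
}

# Constructed SAN list (assumption) standing in for the output of:
#   aws acm describe-certificate --certificate-arn "$CERT_ARN" \
#       --query 'Certificate.SubjectAlternativeNames' --output text
check_sample_cert() {
  alias_covered_by_cert "$1" "some-domain-in-use.com" "*.some-domain-in-use.com"
}

# Steps 2 and 4, run only on request (needs AWS credentials and the copilot binary).
if [ "${RUN_DEPLOY:-0}" = "1" ]; then
  check_sample_cert "$ALIAS" || { echo "cert does not cover $ALIAS" >&2; exit 1; }
  write_manifests
  cd "$APP_DIR"
  copilot env deploy --name "$ENV_NAME"
  copilot svc deploy --name "$SVC_NAME" --env "$ENV_NAME"
  # Final step is outside Copilot: at your DNS provider, point $ALIAS (CNAME)
  # at the env ALB's DNS name, which you can read with:
  #   aws elbv2 describe-load-balancers --query 'LoadBalancers[].DNSName' --output text
fi
```

Run it with RUN_DEPLOY=1 from a workspace where copilot app init has already been done; without that variable it only defines the functions, so the coverage check can be reused on its own. The cut-over order matters for the downtime concern raised above: the alias and cert are live on the ALB after copilot svc deploy, and traffic only moves when the external CNAME is changed, so the old infrastructure keeps serving until that last step.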

This issue is stale because it has been open 60 days with no response activity. Remove the stale label, add a comment, or this will be closed in 14 days.

github-actions[bot] avatar Mar 13 '24 00:03 github-actions[bot]

This issue is closed due to inactivity. Feel free to reopen the issue if you have any further questions!

github-actions[bot] avatar Mar 28 '24 00:03 github-actions[bot]