Fargate Cloudformation SSL


#1

Hello, I am going to be deploying my application in a few days here. I followed the RDS/Fargate tutorial, but it gives an HTTP endpoint. How would I go about adding HTTPS to make it more secure?


#2

… I don’t know, but it’s a great question and would also appreciate an AWS wizard’s help!


#3

These detailed instructions from jamesg on Slack worked perfectly for me. I’d think that most people would want to use HTTPS when communicating with their Prisma server on AWS Fargate, so it’s odd that HTTPS isn’t even mentioned in the Deploy Prisma to AWS Fargate tutorial.

https://prisma.slack.com/archives/CA491RJH0/p1551758298250800?thread_ts=1551675115.198000&cid=CA491RJH0

If I remember correctly this was roughly the process…

First you need an SSL certificate for your Prisma server public loadbalancer listener (the URL where you access the playground). The difficulty I experienced was that AWS wouldn’t issue an SSL cert directly for the public loadbalancer listener URL. To get around this, you need to 1) create a separate custom domain name (with your DNS hosting provider, e.g. Route 53); 2) point this custom name to your public loadbalancer listener URL; 3) go to the Certificate Manager and create an SSL cert for the custom domain name; finally 4) in the cloudformation template, you need to associate the cert with the listener. This sounds like a lot, but each step is fairly straightforward, especially if you have any experience with DNS.

More detail:

  1. Create a custom domain name, like: prisma.api.my-domain.com.

  2. In your domain hosting provider, point this new domain to your prisma server public loadbalancer listener URL by creating an A record alias for your domain name with the value of your listener URL. For me this is configured in Route 53, so the process/requirements may be different for your hosting provider. In Route 53 the alias option is a radio button in the A record configuration settings when you’re creating the new record. Interestingly Route 53 automatically added a prefix “dualstack” to the (listener) URL when I pasted in the value of the new A record alias. This was unexpected (although it works) - so don’t be surprised if this happens. Triple check everything here.

  3. In the Certificate Manager, create an SSL certificate for the custom domain you just created in 1 above following the instructions they provide. This must be done in the same region (e.g., us-east-1) as your prisma server. To expedite the process, choose DNS validation as the validation method. This requires adding an additional DNS validation CNAME record per the validation instructions they provide. Not a huge deal if you’ve successfully added the A record. Once you add the DNS validation record to your host and complete the certificate request process in the Certificate Manager, the certificate should be issued in my experience within a few minutes.

Once you have a domain name pointing to the listener and a valid cert in the Certificate Manager, then you just need to associate the cert with your public loadbalancer listener in the Prisma Fargate cloudformation template by making a few edits.

AFTER the following in the template (“mysql” may be something else in your template if you’re using a different db):

  DbConnector:
    Type: String
    Default: mysql

add this (substituting the full ARN of the certificate you created):

  Certificate:
    Type: String
    # Update with the certificate ARN from Certificate Manager, which must exist in the same region.
    Default: "arn:aws:acm:us-east-1:YOUR-AWS-ACCOUNT-NUMBER:certificate/CERTIFICATE-NUMBER"

This part of the template should now look something like:

  DbConnector:
    Type: String
    Default: mysql

  Certificate:
    Type: String
    # Update with the certificate ARN from Certificate Manager, which must exist in the same region.
    Default: "arn:aws:acm:us-east-1:YOUR-AWS-ACCOUNT-NUMBER:certificate/CERTIFICATE-NUMBER"

Next, edit the PublicLoadBalancerListener section as follows (note the new “Certificates” array and new values for the Port and Protocol - everything else is the same):

  PublicLoadBalancerListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    DependsOn:
      - PublicLoadBalancer
    Properties:
      DefaultActions:
        - TargetGroupArn: !Ref 'PrismaTargetGroup'
          Type: 'forward'
      LoadBalancerArn: !Ref 'PublicLoadBalancer'
      Port: 443
      Protocol: HTTPS
      Certificates:
        - CertificateArn: !Ref Certificate

Now you should be able to update your Prisma server stack with the modified cf template and hopefully have a working HTTPS endpoint with a custom domain.
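A preflight check for the template edits in the post above, added here as an example and not part of the original thread or the Prisma template. It assumes the template is held as Python dicts in CloudFormation's JSON form (`!Ref X` becomes `{"Ref": "X"}`) and that the stack region is passed in; it catches the three mistakes the instructions warn about: a placeholder left in the Certificate default, a certificate issued in a different region than the stack, and a listener that was not switched to HTTPS/443 with the certificate attached.

```python
import re

# ACM certificate ARN: arn:aws:acm:<region>:<12-digit account>:certificate/<uuid>
ACM_ARN = re.compile(
    r"^arn:aws:acm:(?P<region>[a-z]{2}(?:-gov)?-[a-z]+-\d)"
    r":(?P<account>\d{12}):certificate/[0-9a-f-]{36}$"
)


def acm_arn_region(arn):
    """Region embedded in an ACM ARN, or None if the ARN is malformed or still a placeholder."""
    m = ACM_ARN.match(arn or "")
    return m.group("region") if m else None


def check_https_listener(template, stack_region):
    """Return a list of findings; an empty list means the listener edits look right."""
    findings = []
    cert_arn = template.get("Parameters", {}).get("Certificate", {}).get("Default", "")
    region = acm_arn_region(cert_arn)
    if region is None:
        findings.append("Certificate default is not a valid ACM ARN (placeholder left in?)")
    elif region != stack_region:
        findings.append(f"certificate is in {region} but the stack is in {stack_region}")
    props = template["Resources"]["PublicLoadBalancerListener"]["Properties"]
    if props.get("Protocol") != "HTTPS" or props.get("Port") != 443:
        findings.append("listener is not HTTPS on port 443")
    certs = props.get("Certificates") or []
    if not any(c.get("CertificateArn") == {"Ref": "Certificate"} for c in certs):
        findings.append("listener does not reference the Certificate parameter")
    return findings


# Constructed fragment mirroring the edits in the post; account and cert id are made up.
TEMPLATE = {
    "Parameters": {
        "DbConnector": {"Type": "String", "Default": "mysql"},
        "Certificate": {"Type": "String", "Default":
            "arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012"},
    },
    "Resources": {"PublicLoadBalancerListener": {
        "Type": "AWS::ElasticLoadBalancingV2::Listener",
        "Properties": {
            "DefaultActions": [{"TargetGroupArn": {"Ref": "PrismaTargetGroup"}, "Type": "forward"}],
            "LoadBalancerArn": {"Ref": "PublicLoadBalancer"},
            "Port": 443, "Protocol": "HTTPS",
            "Certificates": [{"CertificateArn": {"Ref": "Certificate"}}],
        }}},
}

if __name__ == "__main__":
    print(check_https_listener(TEMPLATE, "us-east-1") or "listener edits look right")
```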