awsdocs / elastic-beanstalk-samples

This repository contains code and configuration samples (e.g. .ebextensions) for AWS Elastic Beanstalk.
Apache License 2.0

Is it safe to push SSLCertificateId ARNs to source control? #127

Closed ltskinner closed 4 years ago

ltskinner commented 4 years ago

If not, is there a better way to get the config or the ARN to the Elastic Beanstalk instance?

I am referencing the template here

Thank you!

jpswade commented 4 years ago

You can't really do anything with an ARN without access to its AWS account, but it could be considered sensitive in some circles.

Even though it is relatively safe, I'd like to figure out a way to avoid having it in the repo, so it could be set by the environment, as you will need a different SSL cert per environment if they use different domains.

jpswade commented 4 years ago

One idea was to try something like this:

```yaml
option_settings:
  aws:elb:listener:443:
    # Backtick-wrapped JSON is the form .ebextensions accepts for an intrinsic
    # function inside a string value. The DefaultValue is a placeholder ARN
    # (12-digit account ID, certificate UUID elided), not a real certificate.
    SSLCertificateId: '`{"Fn::GetOptionSetting": {"Namespace": "aws:elasticbeanstalk:application:environment", "OptionName": "EB_ELB_ACM", "DefaultValue": "arn:aws:acm:us-east-2:123456789012:certificate/####################################"}}`'
    ListenerProtocol: HTTPS
    InstancePort: 443
```

But I'm not sure it works.

jpswade commented 4 years ago

The way I solved it was like this:

```yaml
option_settings:
  aws:elb:listener:443:
    # Read the certificate ARN from the EB_ELB_ACM environment property, which is
    # set per environment outside the repo. With AWS::NoValue as the default, an
    # environment that has no EB_ELB_ACM gets no certificate instead of a
    # committed placeholder.
    SSLCertificateId:
      "Fn::GetOptionSetting":
          Namespace: "aws:elasticbeanstalk:application:environment"
          OptionName: "EB_ELB_ACM"
          DefaultValue: {"Ref":"AWS::NoValue"}
    ListenerProtocol: HTTPS
    InstancePort: 443
```
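The other half of the approach above is setting EB_ELB_ACM on each environment from outside the repository. The script below is an added example, not code from this thread or from the awsdocs repository. It assumes the AWS CLI is installed with working credentials, and the environment names and ARNs in it are placeholders. It checks the ARN's shape before pushing it, so a typo or a non-ACM ARN is rejected before it reaches the listener configuration.

```sh
#!/bin/sh
# Added example, not from the thread or the awsdocs repo: set the ACM certificate
# ARN as the EB_ELB_ACM environment property (the name the .ebextensions snippet
# reads) on one Elastic Beanstalk environment, so the ARN never lives in git.
# Assumptions: the AWS CLI is installed and has credentials; environment names
# and ARNs used here are placeholders.

# Check that a value is an ACM certificate ARN:
# arn:<partition>:acm:<region>:<12-digit account>:certificate/<uuid>
acm_arn_valid() {
  printf '%s' "$1" | grep -Eq \
    '^arn:aws(-[a-z]+)*:acm:[a-z]{2}(-gov)?-[a-z]+-[0-9]:[0-9]{12}:certificate/[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# Shorthand --option-settings value that sets EB_ELB_ACM in the application
# environment namespace (the namespace Fn::GetOptionSetting reads from).
eb_acm_option_settings() {
  printf 'Namespace=aws:elasticbeanstalk:application:environment,OptionName=EB_ELB_ACM,Value=%s' "$1"
}

# Apply the property to one environment. Refuses malformed ARNs (returns 1)
# before any API call is made; otherwise returns the AWS CLI's status.
set_env_cert() {
  env_name="$1"
  arn="$2"
  if ! acm_arn_valid "$arn"; then
    echo "refusing to set EB_ELB_ACM on $env_name: '$arn' is not an ACM certificate ARN" >&2
    return 1
  fi
  aws elasticbeanstalk update-environment \
    --environment-name "$env_name" \
    --option-settings "$(eb_acm_option_settings "$arn")"
}

# Entry point for CI: the ARN arrives in the EB_ELB_ACM variable (a CI secret,
# different per environment), the target environment as the first argument:
#   EB_ELB_ACM=arn:aws:acm:us-east-2:123456789012:certificate/... sh set-cert.sh my-app-prod
main() {
  if [ -z "${EB_ELB_ACM:-}" ]; then
    echo "EB_ELB_ACM is not set" >&2
    return 2
  fi
  set_env_cert "$1" "$EB_ELB_ACM"
}

if [ "$#" -gt 0 ]; then
  main "$@"
fi
```

After the update finishes, `aws elasticbeanstalk describe-configuration-settings` for the environment shows the property under the aws:elasticbeanstalk:application:environment namespace, and the 443 listener should carry the certificate the property names.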

dankhen commented 4 years ago

Thanks @jpswade! If you think this is broadly useful, you're welcome to submit a PR for a config file example under configuration-files/community-provided/security-configuration and I'm happy to merge it.

Closing this issue as it seems to have a solution.

ltskinner commented 4 years ago

@jpswade Thank you! I like this solution a lot

jpswade commented 4 years ago

@dankhen I submitted a PR some weeks ago, but it still remains unmerged, is there any reason for this? Thanks.

dankhen commented 4 years ago

@jpswade I apologize, just work load on our side. I'll work with you on the PR.