Closed ltskinner closed 4 years ago
You can't really do anything with an ARN without access to its AWS account, but it could be considered sensitive in some circles.
Even though it is relatively safe, I'd like to figure out a way to avoid having it in the repo, so it could be set by the environment, as you will need a different SSL Cert per environment, if they use different domains.
One idea was to try something like this:
    option_settings:
      aws:elb:listener:443:
        SSLCertificateId: '`{"Fn::GetOptionSetting": {"Namespace": "aws:elasticbeanstalk:application:environment", "OptionName": "EB_ELB_ACM", "DefaultValue": "arn:aws:acm:us-east-2:1234567890123:certificate/####################################"}}`'
        ListenerProtocol: HTTPS
        InstancePort: 443
But I'm not sure it works.
The way I solved it was like this:
    option_settings:
      aws:elb:listener:443:
        SSLCertificateId:
          "Fn::GetOptionSetting":
            Namespace: "aws:elasticbeanstalk:application:environment"
            OptionName: "EB_ELB_ACM"
            DefaultValue: {"Ref":"AWS::NoValue"}
        ListenerProtocol: HTTPS
        InstancePort: 443
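As an added example (not code from this thread or from the repository it belongs to), here is a small pre-commit style check that flags literal ACM certificate ARNs left in `.ebextensions` config files, including one kept as a `DefaultValue` as in the first attempt above. The function names, the `.ebextensions/*.config` layout and the sample strings are assumptions made for illustration.

```python
import re
import sys
from pathlib import Path

# arn:<partition>:acm:<region>:<account>:certificate/<id>; deliberately loose so
# masked placeholders (for example an id written as ####) are caught as well.
ACM_ARN = re.compile(r"arn:aws[a-z-]*:acm:[a-z0-9-]+:\d+:certificate/[\w#-]+")


def find_hardcoded_acm_arns(text):
    """Return (line_number, arn) for every literal ACM certificate ARN in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        # Comments are scanned too: an ARN in a comment is still committed.
        hits.extend((lineno, m.group(0)) for m in ACM_ARN.finditer(line))
    return hits


def scan_repo(root="."):
    """Scan every .ebextensions/*.config under root (assumed repo layout)."""
    findings = {}
    for path in sorted(Path(root).glob("**/.ebextensions/*.config")):
        hits = find_hardcoded_acm_arns(path.read_text(encoding="utf-8"))
        if hits:
            findings[str(path)] = hits
    return findings


# Constructed samples mirroring the two configs in the thread (placeholder ARN).
FIRST_ATTEMPT = """\
option_settings:
  aws:elb:listener:443:
    SSLCertificateId: '`{"Fn::GetOptionSetting": {"OptionName": "EB_ELB_ACM", "DefaultValue": "arn:aws:acm:us-east-2:1234567890123:certificate/####"}}`'
"""
ENV_ONLY = """\
option_settings:
  aws:elb:listener:443:
    SSLCertificateId:
      "Fn::GetOptionSetting":
        OptionName: "EB_ELB_ACM"
        DefaultValue: {"Ref":"AWS::NoValue"}
"""

if __name__ == "__main__":
    findings = scan_repo(sys.argv[1] if len(sys.argv) > 1 else ".")
    for path, hits in findings.items():
        for lineno, arn in hits:
            print(f"{path}:{lineno}: hardcoded ACM certificate ARN {arn}")
    sys.exit(1 if findings else 0)
```

Run from the repository root, it exits non-zero when any config still carries a literal ARN, so it can gate a commit hook or CI job.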
Thanks @jpswade! If you think this is broadly useful, you're welcome to submit a PR for a config file example under configuration-files/community-provided/security-configuration and I'm happy to merge it.
Closing this issue as it seems to have a solution.
@jpswade Thank you! I like this solution a lot
@dankhen I submitted a PR some weeks ago, but it still remains unmerged. Is there any reason for this? Thanks.
@jpswade I apologize, just workload on our side. I'll work with you on the PR.
If not, is there a better way to get the config or the ARN to the Elastic Beanstalk instance?
I am referencing the template here
Thank you!