stelligent / mu

A full-stack DevOps on AWS framework
https://getmu.io
MIT License

Please support ELB CertificateArn #445

Closed mfrawley closed 4 years ago

mfrawley commented 4 years ago

Hi there, I have an issue where I cannot correctly configure the certificate for my ELB because there's an implicit assumption that the certificate and the stack will be in the same region. Would it be possible to add support for specifying the full certificate ARN? I was 95% finished setting up my app when I hit this and it's an absolute blocker for me to continue using mu. Many thanks.

My setup: mu version 1.5.10 on macOS Catalina 10.15.3

Excerpt from my mu.yml:

environments:
  - name: dev
    loadbalancer:
      hostedzone: foo.bar
      name: analytics
      certificate: "arn:aws:acm:us-east-1:xxx:certificate/foo-bar"

Reminder: My mu stack is in eu-central-1 not us-east-1, and I cannot change this.

karlskidmore commented 4 years ago

@mfrawley Hi, Karl here (not from Stelligent)... I might be wrong, but I thought that ALB/ELB certificates were region-specific anyway, so not a mu or CloudFormation issue, i.e. you need to deploy a certificate in each region you deploy the stack. BTW, if you ever use the cloudfront-spa mu extension, note that certificates used by CloudFront must be defined in the North Virginia region. Hope this helps.

mfrawley commented 4 years ago

Hi @karlskidmore, I'm quite certain that's not the case, as we have this setup for serverless and Kubernetes apps; they all happily use certificates from another region in eu-central-1. This doesn't look like it would be a big code change either.

karlskidmore commented 4 years ago

https://aws.amazon.com/premiumsupport/knowledge-center/elb-ssl-tls-certificate-https/ "The ACM certificate wasn't requested in the same AWS Region as your load balancer or CloudFront distribution."

mfrawley commented 4 years ago

So just a reminder of the most important fact: this is already working for other apps in the same account (and region) which use CloudFormation to deploy and use the same certificate. The certs were requested from eu-central-1 but exist in North Virginia. This was probably so they can also be used with CloudFront. Is there any remaining confusion about this?

mfrawley commented 4 years ago

I would propose to add a conditional like this as used elsewhere in the elb.yml:

      Certificates:
        # CertificateArn is a single string, so the Fn::If must be its value,
        # not a list item, and all three branches sit at the same indentation
        - CertificateArn:
            Fn::If:
              - HasElbCertArn
              - !Sub "${ElbCertArn}"
              - !Sub "arn:${AWS::Partition}:acm:${AWS::Region}:${AWS::AccountId}:certificate/${ElbCert}"

I apologize for the lack of clarity in my initial post. I should also make clear that this is not something I'm building for a 5-person startup but for a mid-sized organization; I don't have the authority to dictate how our infrastructure is structured. I really like this project and would not mind contributing a PR if it helps to speed things along.

mfrawley commented 4 years ago

It seems this indeed doesn't work with ELBs, but only with domains associated with API Gateways, which in turn are associated with CloudFront. Closing.
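As an added preflight check (not mu's code and not from anyone in this thread), the following Python models the rule the thread ends on: resolve the mu `certificate` value the way the proposed `ElbCert`/`ElbCertArn` conditional would, then reject a certificate whose ARN region differs from the stack region for an ELB/ALB, or is not us-east-1 for CloudFront. The function names, the ARN regex and the sample account id are assumptions; ACM certificate ids are normally UUIDs, but the pattern is kept lenient so the issue's `foo-bar` example parses.

```python
import re

# Constructed pattern for an ACM certificate ARN; the account must be 12 digits,
# the certificate id is kept lenient (real ones are UUIDs) - an assumption.
ACM_ARN = re.compile(
    r"^arn:(?P<partition>aws[a-zA-Z-]*):acm:(?P<region>[a-z0-9-]+):"
    r"(?P<account>\d{12}):certificate/(?P<cert_id>[A-Za-z0-9-]+)$"
)


def resolve_certificate_arn(cert, partition, region, account_id):
    """Mirror the proposed HasElbCertArn conditional: a full ARN is used as-is,
    anything else is treated as a certificate id in the stack's own region."""
    if cert.startswith("arn:"):
        return cert
    return f"arn:{partition}:acm:{region}:{account_id}:certificate/{cert}"


def check_certificate_region(cert_arn, stack_region, consumer="elb"):
    """Return (ok, reason). consumer is 'elb' for ALB/ELB listeners, which need
    a certificate in the load balancer's region, or 'cloudfront', which only
    accepts certificates issued in us-east-1."""
    m = ACM_ARN.match(cert_arn)
    if not m:
        return False, f"not an ACM certificate ARN: {cert_arn}"
    cert_region = m.group("region")
    required = "us-east-1" if consumer == "cloudfront" else stack_region
    if cert_region != required:
        return False, (f"certificate is in {cert_region} but {consumer} in "
                       f"{stack_region} requires a certificate in {required}")
    return True, "ok"


if __name__ == "__main__":
    # Constructed values modelled on the issue: stack in eu-central-1,
    # certificate issued in us-east-1 (account id is a placeholder).
    arn = resolve_certificate_arn(
        "arn:aws:acm:us-east-1:123456789012:certificate/foo-bar",
        "aws", "eu-central-1", "123456789012")
    print(check_certificate_region(arn, "eu-central-1"))
    print(check_certificate_region(arn, "eu-central-1", consumer="cloudfront"))
```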