[ecs-patterns] DNS not in Route53 but being required when adding certificate=cert in ecs_patterns.ApplicationLoadBalancedFargateService #11123

Closed
robbie1douglas opened this issue Oct 26, 2020 · 12 comments
Labels: @aws-cdk/aws-ecs-patterns (Related to ecs-patterns library), effort/medium (Medium work item – several days of effort), feature/pattern (Feature requests related to high level L3 pattern libraries), feature-request (A feature should be added or improved), p2

Comments

@robbie1douglas
robbie1douglas commented Oct 26, 2020

❓ Adding Certificate when Creating ECS cluster with CDK with ecs_patterns.ApplicationLoadBalancedFargateService that is not on Route53

The Question

Hi,

I am trying to create and add an ACM cert when setting up an ECS cluster and ALB with CDK. It appears that when I add certificate=cert in the parameters for ecs_patterns.ApplicationLoadBalancedFargateService I am required to provide a Route53 domain zone, but our DNS is not in Route53. Can you help me out with this?

Here is what I have so far.

from aws_cdk import (core, aws_ec2 as ec2, aws_ecs as ecs,
                     aws_certificatemanager as certman,
                     aws_ecs_patterns as ecs_patterns,
                     aws_ecr as ecr)

from aws_cdk.core import Tags

class CdkTest2Stack(core.Stack):

    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)

        # Add tags
        Tags.of(self).add('Application', 'CdkTest2')
        Tags.of(self).add('Environment', 'Development')

        # from_lookup needs an explicit account/region in the stack's env
        vpc = ec2.Vpc.from_lookup(self, "VPC", vpc_id="vpc-0123456789")
        cluster = ecs.Cluster(self, "ecs-cluster", vpc=vpc)
        # DNS-validated cert with no hosted zone: CDK cannot create the
        # validation CNAME, so the deploy waits until it is added by hand
        # in the external DNS
        cert = certman.Certificate(self, 'cert',
            domain_name='test-api.test.com',
            validation=certman.CertificateValidation.from_dns())
        ecrRepo = ecr.Repository.from_repository_name(self, "ecrRepo", "test-api")
        ecs_patterns.ApplicationLoadBalancedFargateService(self, "alb-fargate-service",
            cluster=cluster,            # Required
            cpu=512,                    # Default is 256
            desired_count=1,            # Default is 1
            task_image_options=ecs_patterns.ApplicationLoadBalancedTaskImageOptions(
                image=ecs.ContainerImage.from_ecr_repository(ecrRepo)),
            memory_limit_mib=2048,      # Default is 512
            public_load_balancer=True,  # Default is True
            certificate=cert,
            domain_name='test-api.test.com',
            domain_zone='',             # expects a route53.IHostedZone; there is none, which is the problem
            enable_ecs_managed_tags=True,
            propagate_tags=ecs.PropagatedTagSource.TASK_DEFINITION)

AWS Support response:

Hello,

Thank you for contacting AWS Premium Support. My name is Adarsh and I will be assisting you today.

I understand that you are trying to create and add an ACM cert when setting up an ECS cluster and ALB with CDK. However, when you add the certificate in the parameters for "ecs_patterns.ApplicationLoadBalancedFargateService", you must also provide a Route53 domain zone, but your DNS is not hosted on Route53.

I looked at the documentation for "ecs_patterns.ApplicationLoadBalancedFargateService" and found that the "domain_zone" does in fact have to be route53.

Unfortunately, this issue has to be brought up in GitHub Issues.

Please visit [1] and raise this issue there.

I apologize for the inconvenience this may cause.

If you have any questions please do not hesitate to let me know and I will be happy to help.

Thank you and have a wonderful day!

References:
[1] https://github.com/aws/aws-cdk/issues

Environment

  • CDK CLI Version: 1.68.0 (build a6a3f46)
  • Module Version: ?????
  • Node.js Version: v12.19.0
  • OS: OSX High Sierra
  • Language (Version): Python 3.8.5

Thanks,
Robbie

@robbie1douglas robbie1douglas added guidance Question that needs advice or information. needs-triage This issue or PR still needs to be triaged. labels Oct 26, 2020
@arpowers

If you want to use domain zones you'll need Route53. I do however believe it is possible to import an external cert, but that is going to be complicated.

In our case we have several domains and manage the relevant ones in AWS. For example, darwin.so is our primary website but we use darwin.to and darwin.sh for API related stuff in AWS.

@SomayaB SomayaB changed the title ecs_patterns.ApplicationLoadBalancedFargateService [ecs-patterns] DNS not in Route53 but being required when adding certificate=cert in ecs_patterns.ApplicationLoadBalancedFargateService Oct 26, 2020
@SomayaB SomayaB added the @aws-cdk/aws-ecs-patterns Related to ecs-patterns library label Oct 26, 2020
@robbie1douglas
Author

Thanks @arpowers for your reply.

We do this regularly with CloudFormation where we are creating an ACM cert that uses DNS validation of our domain ownership and reference that in the creation of our load balancer in the same CF template. I'm hoping that CDK has the same functionality, but I'm just not seeing it.

@lefb766

lefb766 commented Oct 28, 2020

I also got troubled by this recently. I don't want ApplicationLoadBalancedFargateService to update DNS records.

Here are examples of situations made impossible by this requirement:

  • With an external DNS zone and a CNAME in it that points to the ALB (maybe the author's case)
  • With a Route 53 zone whose records are managed by a different CF stack
  • Additional verification is required after ALB setup and before DNS record change

I think this requirement is premature and it's not achieving something beneficial.

@hoegertn
Contributor

might be related to #11165

@NGL321 NGL321 added effort/medium Medium work item – several days of effort feature-request A feature should be added or improved. and removed guidance Question that needs advice or information. needs-triage This issue or PR still needs to be triaged. labels Nov 23, 2020
@NGL321
Contributor

NGL321 commented Nov 23, 2020

Hey @Georev,

At the moment an ApplicationLoadBalancedFargateService using HTTPS protocol must reference both props to create the necessary records.
That said, after a quick review of the code I do not see any reason this couldn't be altered to allow for the desired functionality (although @SoManyHs or @MrArnoldPalmer will need to confirm). So I am marking this issue as a feature-request.

😸 😷

@robbie1douglas
Author

Thanks @NGL321

I'm putting this on the back burner. It would be a nice feature, but I think I'll try out deploying all the resources individually next time.

@juanb23

juanb23 commented Jan 13, 2021

This is something I am trying to accomplish as well. We have DNS managed on our side and are using ACM to issue certificates against those. I can reference my certificate by arn. But since we are forced to use route 53 to add the hostHeader condition we cannot use this pattern at the moment. Would be great to be able to use these patterns with existing resources as well as the ability to generate them when needed. I feel like there are many use cases in which this would occur.

@robbie1douglas
Author

I'm now getting back to this. Is there any progress or a well documented work around? Thanks for your efforts!

@esteban-uo

+1

@TLadd
Contributor

TLadd commented Feb 12, 2021

I ran into this and ended up creating a hosted zone in Route 53 for just the subdomain I wanted to use for the load balancer. I then created an NS record in the DNS service where the root domain is managed, pointing to the Amazon name servers listed in that zone.

@ghost

ghost commented Apr 1, 2021

+1 on this. If a certificate is provided then a route53 domain should not be required. This check should be moved to the area of code where a certificate is being created if one is not provided.

@ericzbeard ericzbeard added the feature/pattern Feature requests related to high level L3 pattern libraries label Apr 2, 2021
greg-aws added a commit to greg-aws/aws-cdk that referenced this issue Apr 6, 2021
…se non Route 53 DNS if a certificate is provided
@mergify mergify bot closed this as completed in e6c85e4 Apr 12, 2021
hollanddd pushed a commit to hollanddd/aws-cdk that referenced this issue Aug 26, 2021
…se non Route 53 DNS if a certificate is provided (aws#14004)

Currently this construct requires a Route53 domain even if a certificate is provided to it. A domain should only be required if a DNS validated certificate is being created or Route53 record sets are being created.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*