I have setup ECS with an ALB and a Route53 record. Now I want to switch to HTTPS. Afaik I can generate an ACM certificate provided by Amazon for my domain, right? Can someone point me in the direction of a pulumi code example on how to do this? All I could find in the docs were separate snippets that don't tell the whole story.

It’ll look something like this:

// Setup a certificate and attach it to the listener.
const certificate = new aws.acm.Certificate("certificate", {
    domainName: "<http://example.com|example.com>",
    validationMethod: "DNS",
});

const zone = pulumi.output(aws.route53.getZone({
    name: "<http://example.com|example.com>",
    privateZone: false,
}));

const validationRecord = new aws.route53.Record(`cert-validation-record`, {
    allowOverwrite: true,
    name: certificate.domainValidationOptions[0].resourceRecordName,
    records: [certificate.domainValidationOptions[0].resourceRecordValue],
    ttl: 600,
    type: certificate.domainValidationOptions[0].resourceRecordType,
    zoneId: zone.zoneId,
});

const domainVerificationRecord = new aws.acm.CertificateValidation("cert-validation", {
    certificateArn: certificate.arn,
    validationRecordFqdns: [ validationRecord.fqdn ],
});

const serviceTargetGroup = new awsx.lb.ApplicationTargetGroup("service-tg", {
    vpc,
    loadBalancer: alb,
    port: 8000,
});

const serviceListener = serviceTargetGroup.createListener("service-listener", {
    vpc,
    loadBalancer: alb,
    certificateArn: certificate.arn,
    protocol: "HTTPS",
}, { dependsOn: [ domainVerificationRecord ]});

Thank you, I'll give it a try!

The aws-ts-static-website example might be a helpful reference too