# general
c
Thanks, but I don't see where that shows certificate creation. It mentions it, but doesn't show how to create it in pulumi.
i
follow the link to the github repo in it
b
there's an example here for generating a cert with ACM: https://github.com/jaxxstorm/pulumi-examples/blob/master/typescript/aws/acm/index.ts
i
even better
c
so that works, but I think the cert body and private keys will be blank in the certificate. At least, I'm not able to get the certificate contents from that.
Which makes it difficult to inject into a container for instance.
Is there a way to translate this https://www.terraform.io/docs/providers/acme/index.html into pulumi?
b
what platform are you using? there's lots of ways to get certificates
c
aws
b
sorry, when you say container, what do you mean? ECS? EKS?
c
ECS
b
have you considered using the acm solution and referencing it in your load balancer? that's probably the easiest way
c
I have a nginx docker image being built in travis and pushed to ecr to be deployed into ecs.
the nginx container needs the cert that I'm trying to generate in pulumi, then at build time, inject into the container for deployment.
> have you considered using the acm solution and referencing it in your load balancer? that's probably the easiest way
I have not, trying to keep things as close to our current setup as possible, and making the switch to docker and infra automation seems like a big change already.
b
we don't have an ACME provider at the moment, the ACM solution will indeed return the private key and certificate body: https://www.pulumi.com/docs/reference/pkg/aws/acm/certificate/#properties so you should be able to reference them in your docker container
i
iirc ACM will not let you generate an internet-facing DNS certificate and give you the private keys for it; they can only be used with ELB, CloudFront, API Gateway, etc. If you really want a DNS certificate that you can deploy directly to your container, you'd have to use LetsEncrypt or something like that
b
ah, TIL
i
i had this issue last year when I needed to deploy certs to Go services that were serving HTTP/2 directly on the Internet (ELB doesn't support HTTP/2 end-to-end) and I ended up having to buy certs for those services
the other HTTP/1 services just used ACM certs as they’re integrated with ELBs
c
how did you solve it then?
oh, i see. purchasing certs.
i
yep.. used Digicert in that case, but these days i’d just use letsencrypt as long as you can deal with the 3 month auto-renewal process
c
or like you previously suggested, just terminate the ssl at alb with acm?
i
that’s the simplest thing, though of course then you’re also paying for the load balancer
c
we're using it already, so it seems like it would save us in that case.
At least in terms of complexity.
b
yeah if you can go down that path, I'd highly recommend it
c
I know I can right now, working at replacing our QA environments.