Certificate

Setting up the Certificate

Enhance the Makefile in the infrastructure git project with the following content:

.PHONY: app-prod-certificates
app-prod-certificates: guard-STAGE
	aws cloudformation deploy \
		--no-fail-on-empty-changeset \
		--template-file app-prod/certificates.yml \
		--stack-name certificates-$(STAGE) \
		--parameter-overrides Stage=$(STAGE) \
		--region $(AWS_REGION)	

Create a new cloudformation template in app-prod/certificates.yml and define the certificates in there:

---
AWSTemplateFormatVersion: 2010-09-09
Description: Certificates

Parameters:
  Stage:
    Type: String

Mappings:
  CertificateDomains:
    dev:
      Domain: app.dev.aws.myorg.com
    prod:
      Domain: app.prod.aws.myorg.com

Resources:
  Certificate:
    Type: AWS::CertificateManager::Certificate
    Properties:
      DomainName:
        'Fn::FindInMap': [ "CertificateDomains", !Ref Stage, "Domain" ]
      SubjectAlternativeNames:
        - 'Fn::Sub': ['*.${Domain}', { 'Domain': {'Fn::FindInMap': [ "CertificateDomains", !Ref Stage, "Domain" ]}}]
      ValidationMethod: DNS
Outputs:
  CertificateArn:
    Description: 'Certificate ARN.'
    Value: !Ref Certificate
    Export:
      Name: !Sub '${AWS::StackName}-CertificateArn'

Create the Cloudformation stack with the following command in the app-prod AWS account

AWS_PROFILE=myorg-app-prod make app-prod-certificates STAGE=prod

During the stack creation Cloudformation waits for the DNS validation to finish.
That’s why the command blocks and does not finish.
Leave this running in the terminal and go to the AWS Console.

Open the Certificate Manager and scroll to your certificate. This should have a Validation status of Pending validation.
Expand the certificate by clicking on the arrow. Expand the domain as well.
You should see a button Create record in Route53.
Click this button to create the records.
The validation should succeed after some minutes and the Cloudformation stack should succeed.

Certificate Manager