Import ACM certificate for NLB

[rmarops]

Is there (or will there be) a way to import an ACM certificate for a tls NLB ?

type: Load Balanced Web Service # type NLB

http: false
nlb:
  port: 443/tls
  target_port: 8000

added the following in copilot/environments/qa/manifest.yml

name: qa
type: Environment
observability: {container_insights: false}
http:
  public: # Apply an existing certificate to your public load balancer.
    certificates:
      - arn:aws:acm:us-east-1:...:certificate/...

@CaptainCarpensir this is somewhat of a side question for #5470

receiving error on deploy:
✘ Proposing infrastructure changes for stack ...
✘ execute svc deploy: deploy service ... to environment qa: deploy service: check if changeset is empty: create change set copilot-798f1274-0fb2-4ee3-b18c-3cf56aecdd61 for stack ...: ValidationError: Template format error: Unresolved resource dependencies [NLBCertValidatorAction] in the Resources block of the template
status code: 400, request id: eb0a08e9-cb51-4e11-99b4-01b5fb261750: describe change set copilot-798f1274-0fb2-4ee3-b18c-3cf56aecdd61 for stack ...: ChangeSetNotFound: ChangeSet [copilot-798f1274-0fb2-4ee3-b18c-3cf56aecdd61] does not exist
status code: 404, request id: 02a557c3-13c6-4376-8b49-b3f32f6b4e1a

[Lou1415926]

ohhh...yeah, nlb doesn't benefit from any of the http.public/private.certificates and cdn.certificates in environment manifest :( Importing certificates are not available for NLB yet. I've created a feature request to capture the ask.

I can help you with setting up nlb with TLS termination right now - without our native support. Before that, I wonder - do you happen to have an app-level domain? That is, did you run copilot app init with the flag --domain?

[rmarops]

No, so far I've never associated a domain with any of my apps. I dont think i'd want to have copilot manage a domain and I want to avoid recreating the app or env's. The feature request you created looks like it will solve that. Thanks.

[Lou1415926]

In this case, you can use either addons or CDK/YAML override to add a TLS listener yourself!

# Add an TLS listener.
- op: add
  path: /Resources/NLBListenerTLS
  value:
    Metadata: 
      'aws:copilot:description': 'An TLS listener on port `443` that forwards traffic to your tasks'
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      DefaultActions:
        - TargetGroupArn: !Ref NetworkLoadBalancerTargetGroupTLS # NOTE: Refering the second resource we will add below.
          Type: forward
      LoadBalancerArn: !Ref PublicNetworkLoadBalancer
      Port: 443
      Protocol: TLS
      Certificates:
        - CertificateArn: <your certificate ARN>
      SslPolicy: ELBSecurityPolicy-TLS13-1-2-2021-06 # NOTE: Or another SSL pollicy that you prefer.

# Add a target group for the TLS listener to route to
- op: add
  path: /Resources/NetworkLoadBalancerTargetGroupTLS 
  value:
    Metadata: 
      'aws:copilot:description': 'A target group to connect the network load balancer to your service'
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    Properties:
      # NOTE: configure these options if you want different values than the defaults: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-elasticloadbalancingv2-targetgroup.html.
      # HealthyThresholdCount:
      # UnhealthyThresholdCount:
      # HealthCheckIntervalSeconds:
      # HealthCheckTimeoutSeconds:
      # HealthCheckPort:
      Port: 443 # NOTE: change to whatever port that your application listens to.
      Protocol: TCP
      TargetGroupAttributes:
        - Key: deregistration_delay.timeout_seconds
          Value: 60 
      TargetType: ip
      VpcId:
        Fn::ImportValue:
          !Sub "${AppName}-${EnvName}-VpcId"

# Add the service tasks into the target group
- op: add
  path: /Resources/Service/Properties/LoadBalancers/-
  value:
    ContainerName: <> # NOTE: name of your main container (same name as the service), or a sidecar.
    ContainerPort: 443 # NOTE: change to whatever port that your application listens to.
    TargetGroupArn: !Ref NetworkLoadBalancerTargetGroupTLS # NOTE: refering to the second resource that we added above.

[rmarops]

This is very helpful. Since the nlb definition is required to be there in manifest so that the override has something to patch I updated the manifest to:

http: false
# note the nlb config is being overriden by yamlpatch override
nlb:                   
  port: 80
  targetport: 80

Right now I'm looking at copilot svc package output after the override has been added and looks like it wants to add 2 load balancers listeners (also 2 target groups)

            LoadBalancers: 
                - ContainerName: datahub
                  ContainerPort: 80
                  TargetGroupArn: !Ref NLBTargetGroup
                - ContainerName: datahub # NOTE: name of your main container (same name as the service), or a sidecar.
                  ContainerPort: 80 # NOTE: change to whatever port that your application listens to.
                  TargetGroupArn: !Ref NetworkLoadBalancerTargetGroupTLS # NOTE: refering to the second resource that we added above.

This is my first crack at this, but I believe I need to look at adding some replace/delete op's.

[Lou1415926]

Forgot to send this yaml override doc over! It contains all the syntax details.

For example, You can try modifying the last chunk of override snippet that I gave:

- op: replace
  path: /Resources/Service/Properties/LoadBalancers/0
  value:
    ContainerName: <> # NOTE: name of your main container (same name as the service), or a sidecar.
    ContainerPort: 443 # NOTE: change to whatever port that your application listens to.
    TargetGroupArn: !Ref NetworkLoadBalancerTargetGroupTLS 

[rmarops]

ok great, thanks for the next level support