DEV Community

AWS Community Builders profile image Walid BATTOU
Walid BATTOU for AWS Community Builders

Posted on • Originally published at linkedin.com

Edge API Gateway Custom Domain with SAM: certificate in us-east-1 when using another region

#aws #serverless #apigateway #awssam

Purpose?

I want to deploy an edge-optimized API Gateway with a custom domain name.

The tool to build it?

My infrastructure background led me to CloudFormation when I started on AWS. Where some developers can start with SST, ServerlessFramework, or CDK.
In the serverless world, I use SAM (Serverless Application Model).

Problem?

To deploy an Edge API Gateway, it's mandatory to generate a certificate in us-east-1.
The problem with CloudFormation is that resources in one stack are deployed in a single region. We are not able to set another region for a specific resource.
Example: Create a Certificate with ACM (AWS Certificat Manager) in us-east-1.

How to solve it?

From this statement, we have multiple options to choose from:

  1. To create a dedicated stack for the certificate in us-east-1, and use the certificate in our main stack, for me in eu-west-1.
  2. To create a unique stack (in eu-west-1) and use CloudFormation custom resources to handle certificate creation in us-east-1.

To learn more about CloudFormation custom resources, you can check out this workshop.

Why the first option?

I chose the first option for simplicity and maintainability. Custom resources expand CloudFormation but I love to keep things simple. That means not creating too many resources via custom resources.

I will use custom resources in my solution to "GET" some values (not creating anything).

Stack

Prerequisites:

  • Having your Route53 zone in the same AWS Account.

Architecture
Image description

Let's go and Build !!!

1/ As you can see in the diagram above, the first step is to create the "certificate.yaml" file.

To create an ACM certificate on AWS with DNS as DomainValidationOptions, we need to provide the DomainName and the HostedZoneId. CloudFormation does not get the HostedZoneId dynamically.

I made a custom resource for a dynamic approach, not hardcoded. AWS should provide the support of DomainName only.
Image description

To get the ARN of this certificate from the other stack I store it in a ParameterStore.

 CertificateARN:
    Type: "AWS::SSM::Parameter"
    Properties:
      Name: !Ref ACMCertificate
      Type: "String"
      Value: !Ref Certificate
Enter fullscreen mode Exit fullscreen mode

2/ Deploy the main stack with the template named "template.yaml".
Now we need to deploy the main stack, our EDGE API Gateway. We need to get the certificate we created in Step 1 and the HostedZoneId for our domain. To do this we will create a second custom resource.
Image description

The stack described in this article is available on my GitHub if you want to test or reuse it.

Top comments (0)

Read next

vkazulkin profile image

Data API for Amazon Aurora Serverless v2 with AWS SDK for Java - Part 5 Basic cold and warm starts measurements

Vadym Kazulkin -

sidrasaleem296 profile image

How to Master Multi Region Architectures in AWS

Sidra Saleem -

somilgupta profile image

RAG Application using AWS Bedrock and LangChain

Somil Gupta -

indika_wimalasuriya profile image

Observability Maturity Model for AWS

Indika_Wimalasuriya -