-
Notifications
You must be signed in to change notification settings - Fork 2.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
API Gateway Custom Domain Names #783
Comments
The Route53 record would be:
|
Feature request: Domain:
IPv6: true Which creates an |
@hoegertn @timoschilling Thanks. We should probably use |
I imagine most users want to have a single domain mapped to a single API. If that's the case, then leaving it as a single |
@timoschilling Are you referring to the scenario where you specify REGIONAL, then create your own CloudFront Distribution using IPv6 and point Route53 at that CF Distro? IPv6 aside, we should aim to cover the common use case of self-managed CF Distros. The main question to answer here is: does that only have ramifications for Domain Name/Route53 (e.g Route53 now needs to point at your CF Distro with your CF Distro pointing at your API endpoint) or does it affect other areas of your API? If it's just Route53, we can add add a |
How would the certificate validation work? Can we get the cloudformation output from Certificate resource and add to Route53 or using email is a better option to implement on this flow? |
Would love domain on SAM. I'm also curious as to how certificate validation would be handled since that's the biggest issue with AWS at the moment because of how hard it is to automate. |
It's been a while since I've done cert creation via CFN. Does the stack stay in CREATING process until you approve the email regarding certificate creation? Email was the only method I was aware of for validation. Any solution needs to also work for other DNS providers. |
AFAIK it does stay in creating for up to 24 hours. |
Some additional (likely less common) scenarios:
Proposal summary: We can allow Domain to also accept an Array for specifying multiple Domains. To point a Domain at additional APIs, the user specifies Note that we may choose not to support these cases on the initial release of Custom Domain Name support, but want to leave the syntax open to allow for it in the future. # Single Domain pointing at multiple APIs
SingleDomainApi1:
Type: AWS::Serverless::Api
Properties:
...
Domain:
DomainName: example.com
Route53:
EvaluateTargetHealth: true
EndpointConfiguration: REGIONAL
Certificate: arn:...
BasePathMappings:
- BasePath: /api
Stage: ''
- BasePath: /api
Stage: ''
# Feels odd because this will add a mapping of the Domain
# (which we're configuring under Api1) to point to Api2
# This is probably the simplest implementation in terms
# of development, and while a little odd, is the smallest
# amount of additional work required by end user
Api: !Ref SingleDomainApi2
SingleDomainApi2:
Type: AWS::Serverless::Api
Properties:
...
# Multiple Domains pointing at single API
MultipleDomainsApi:
Type: AWS::Serverless::Api
Properties:
...
# Domain: [example.com, foobar.example.com]
Domain:
- DomainName: example.com
Route53:
EvaluateTargetHealth: true
EndpointConfiguration: REGIONAL
Certificate: arn:...
BasePathMappings:
- BasePath: /api
Stage: ''
- DomainName: foo.example.com
...
# Multiple Domains pointing at multiple APIs
MultiDomainMultiApi1:
Type: AWS::Serverless::Api
Properties:
...
Domain:
- DomainName: example.com
Route53:
EvaluateTargetHealth: true
EndpointConfiguration: REGIONAL
Certificate: arn:...
BasePathMappings:
- BasePath: /api
Stage: ''
- BasePath: /api
Stage: ''
Api: !Ref MultiDomainMultiApi2
- DomainName: foo.example.com
... # Specify multiple BasePathMappings similar to above
MultiDomainMultiApi2:
Type: AWS::Serverless::Api
Properties:
... |
@deleugpn I was hoping we'd be able to simply just add a CNAME to Route53 within the same template and that would complete the validation process and let the stack creation complete. Have you tried this/will this not work? |
If adding DNS validation is viable, we should accept an Object for the Certificate:
CertificateArn: !Ref ...
ValidationMethod: EMAIL|DNS # Default: {Route53 == true ? DNS : EMAIL} Specifying |
Another use case that should be considered and tested: I have a production environment and N dev/test environments. I don't want to provision a custom domain for my dev/test environments. The way we make this work in Stackery is to allow users to pass in the domain as a parameter. We then check the value of the parameter, and if it matches a specific value ( This is an important bit of functionality for larger teams and organizations that need custom domains for prod but don't want to deal with the complexity and governance overhead of maintaining custom domains for all sorts of other environments. |
@txase are you referring to |
Yes, that's the largest part of it. But it also requires specifying a sentinel value to test against (e.g. |
@brettstack it's about whether you're taking a certificate as parameter or trying to create it within the template. It's not about the Route 53 Domain. |
@txase is it not enough for us to just add |
I see, the Certificate CFN resource doesn't allow returning the values required to configure the DNS https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-certificatemanager-certificate.html#aws-resource-certificatemanager-certificate-return-values so we can't do it within the same template. |
@brettstack AFAIK, you can't specify a Domain: !If
- CreateCustomDomainCondition
- !Ref CustomDomainParameter
- !Ref AWS::NoValue But how does SAM then turn that into |
@deleugpn We will definitely allow specifying an existing Certificate via a parameter but I also think the automatic certificate creation workflow is very useful for users, even if it requires them to perform some manual verification step. |
@brettstack Those issues + PRs that you referenced are for conditions on Resources, not individual properties of resources. SAM still does not evaluate conditions, it will just more intelligently pass them on to CFN. I'd be cautious about putting conditions in individual properties; putting conditions on resources is what will soon be supported. |
Ahh, I thought #755 added conditions for Events. Either way, I think it's fine adding it to a property like this. This property is just a nested form of a resource; it doesn't modify the properties of the API. |
Sorry, that name is a little misleading. It adds conditions to event resources, not to the event property itself. |
Updated proposal to include a simple |
@danielclariondoor I agree, this is super annoying. Not sure how they can close this without a resolution beyond this hacky workaround |
@deleugpn @danielclariondoor @onionhammer Take a look at this #192 (comment) , the trick is to use !Ref Api.Stage. Hope this helps! |
We are finalizing the design for this feature. Some things to note -
How can you track the progress? |
This seems limiting though when used in a microservice architecture. I currently have several API Services that are independent SAM deployments - one per service (each service composed of several Lambdas representing API resources). I am trying to build the Custom Domain as a "core" resource deployed via CloudFormation. I then add BasePathMapping to each SAM template for the individual services I deploy. Core.yaml
Certificates.yaml
SAM Service #1: Identity API
SAM Service #2: Chat Service
This gives me the flexibility to grow my service API foot print organically over time, deploying additional microservices, and not having to go back and touch the Custom Domain itself. I can plug additional services into it. It also allows me to avoid having a single API Gateway for the entire API surface area - just because SAM doesn't support BasePathMappings in a loosely coupled manor. I know I can achieve this by using AWS::ApiGateway::RestApi coupled with AWS::ApiGateway::BasePathMapping but this breaks Please don't couple the only way to handle BasePathMappings and AWS::Serverless by only supporting BasePathMappings on a CustomDomain that is attached to your AWS::Serverless::Api resource - that doesn't scale at all. It also doesn't make any sense for other services to depend on an unrelated service resource in order to access it's CustomDomain that you need to ride under. |
@scionwest Thanks for your template and I was in the exact same scenario (one existing domain name and gradually increasing API). Have you tried to reference Stage according to this (#313 (comment))? My |
@pagpires I tried that originally but it broke the |
how can you reference the regionalDomainName from the generated resource domainName if that name is coupled with generated sha |
I've got the same use case as @scionwest - I want to define a custom domain name (api.mysite.url), and deploy multiple APIs to it (e.g. https://api.mysite.url/apimodule1/, https://api.mysite.url/apimodule2/). These extra APIs would be defined in different SAM templates. This can be managed with AWS::ApiGatewayV2 resources, but doing it via SAM seems problematic, because I can't provide a pre-defined I can't even define an explicit |
Most of the work has been completed (for some time) on Custom Domains. It seems like there is one outstanding issue #1131, could be others I missed. Given Custom Domains has been shipped, I am going to close this. If there are missing features or bugs outstanding, please create a new issue (if one hasn't been created yet). This helps us keep track of work without having to read long threads and extract different issues/requests after the fact. We do look at Github Reactions to help us understand what the community is asking for, so please add reactions to any you feel are important. |
It seems this is still not supported, correct? |
@twasink & @babaMar I've been able to get around these issues using the following: First I create the certificate that I need to use for my APIs custom domain. This assumes you have a Route 53 Hosted Zone exported in Cloud Formation for importing. If I'm running in prod then the cert is for https://api.productname.com. Otherwise it is prefixed with the environment like https://api-dev.productname.com certificates.yaml
Then I create the API Gateway custom domain with my cert and specify the endpoint as Regional. api-gateway-domain
Next I deploy a SAM template containing an API Gateway and a Lambda. This API Gateway will only ever be used by this Lambda. If I need more Lambdas for different micro-services (such as a Task API to go with this Project API) then I would deploy a whole new SAM template with a dedicated Lambda and API Gateway. project-api-sam.yaml
Finally I marry the API Gateways together using a dedicated CloudFormation template that maps the base mappings. Now each Microservice can have it's own API Gateway and series of Lambdas while I use a single API domain. project-api-gateway.yaml
With this I am able to use I have a complete example if you'd like to browse the repository: https://github.com/focusmark/home. It links to each of the repositories for core infrastructure (logging/iam), auth (cognito/oauth), project & tasks (micro-service APIs) and DNS (for mapping API Gateways to BasePathMappings). If you use GoDaddy as your Domain provider there is also a custom resource for assigning your GoDaddy nameservers to Route 53 so you can manage your DNS in AWS. |
SAM Input:
CloudFormation Output:
Related Issues
The text was updated successfully, but these errors were encountered: