Discrepancy in ACM setup commands

[trungie]

Hi everyone,

I’m working through the Reference Architecture in the Network and DNS > Setup DNS > ACM section - https://docs.cloudposse.com/layers/network/dns-setup/#acm

The guide shows five separate ACM commands, but the workflow shows only one command.

stacks/workflows/network.yaml:

deploy/acm:
description: Provision AWS Certificate Manager for custom and ad-hoc requests.
steps:
- command: terraform deploy acm -s core-euc1-auto

Questions:

1. Is the workflow intentionally simplified to handle only one certificate request?
2. If not, should I update the workflow file to include the additional ACM commands exactly as shown in the docs?

[trungie]

Further to that, running the first command i see the following error: atmos terraform deploy acm -s plat-euc1-sandbox

Could not find the component 'acm' in the stack 'plat-euc1-dev'.
Check that all the context variables are correctly defined in the stack manifests.
Are the component and stack names correct? Did you forget an import?

[milldr]

@trungie I see the mistake! There is an indentation error in each plat network stack file

# stacks/orgs/acme/plat/sandbox/us-east-1/network.yaml
components:
  terraform:
...


acm: # < ------ this line is missing indentation
      metadata:
        inherits:
          - acm/defaults
      vars:
        domain_name: use1.dev.plat.acme.com
        zone_name: dev.plat.acme.com

It should be

# stacks/orgs/acme/plat/sandbox/us-east-1/network.yaml
components:
  terraform:
...

    acm:
      metadata:
        inherits:
          - acm/defaults
      vars:
        domain_name: use1.dev.plat.acme.com
        zone_name: dev.plat.acme.com

And the same for the other plat stacks.

[trungie]

In our reference architecture project the acm part is completely missing.

Is the domain_name and zone_name supposed to be sandbox instead of dev for the sandbox stack org?

Should it be?

# stacks/orgs/acme/plat/sandbox/us-east-1/network.yaml
    acm:
      metadata:
        inherits:
          - acm/defaults
      vars:
        domain_name: use1.sandbox.plat.acme.com
        zone_name: sandbox.plat.acme.com

[milldr]

The guide shows the correct steps:
https://docs.cloudposse.com/layers/network/dns-setup/#acm

I'm not sure why your workflow would show only 1 command. You should have 1 step for each account that has a service domain.

That is each of core-auto, plat-sandbox, plat-dev, plat-staging, and plat-prod. Each of these should have acm imported in the default:

f.e.

# stacks/orgs/acme/plat/sandbox/us-east-1/network.yaml
import:
  - orgs/acme/plat/sandbox/_defaults
  - mixins/region/us-east-1
  - catalog/vpc
  - catalog/vpc-flow-logs-bucket
  - catalog/acm #    <---------- this line
  - catalog/tgw/spoke
  - catalog/bastion

components:
  terraform:

And the workflow should have them all:

# stacks/workflows/network.yaml
workflows:
...

  deploy/acm:
    description: Provision AWS Certificate Manager for custom and ad-hoc requests.
    steps:
      - command: terraform deploy acm -s core-use1-auto
      - command: terraform deploy acm -s plat-use1-sandbox
      - command: terraform deploy acm -s plat-use1-dev
      - command: terraform deploy acm -s plat-use1-staging
      - command: terraform deploy acm -s plat-use1-prod

Is the workflow intentionally simplified to handle only one certificate request?

No this is not intentional.

If not, should I update the workflow file to include the additional ACM commands exactly as shown in the docs?

Yes please check your stack files and workflow

[milldr]

@trungie I realized I've made a mistake with my answer. We have a slightly different implementation between the ECS and EKS flavors of the reference architecture. What I said above refers to the EKS implementation, and our documentation includes both flavors merged together.

The ECS requirements from ACM are slightly different. In ECS implementation the network workflow deploy/acm does intentionally only have 1 stack, since with ECS, the ACM certs will be deployed as part of the ECS layer instead.

You should see this as part of the ecs workflow:

# stacks/workflows/ecs.yaml
workflows:
...
  deploy/ecs-acm:
    description: |
      This workflow deploys ACM for platform ECS Cluster ALBs
    steps:
      - command: terraform deploy ecs/platform/acm -s plat-use1-sandbox
      - command: terraform deploy ecs/platform/acm -s plat-use1-dev
      - command: terraform deploy ecs/platform/acm -s plat-use1-staging
      - command: terraform deploy ecs/platform/acm -s plat-use1-prod

This will deploy the necessary certificates for ECS service domains.

Plus, in the stack files (plat-sandbox,dev,staging,prod), you should see:

# stacks/orgs/acme/plat/dev/us-east-1/ecs.yaml
import:
  - orgs/acme/plat/dev/_defaults
  - mixins/region/us-east-1
  - catalog/ecs/clusters/dev #<------- includes default values for ACM as related to ECS
  - catalog/ecs-services/echo-server

components:
  terraform:
    ecs/platform/acm: #<------- Sets the stack specific service domain
      vars:
        domain_name: use1.dev.plat.acme.com
        zone_name: dev.plat.acme.com

Therefore, you do not need acm in stacks/orgs/acme/plat/{sandbox,dev,staging,prod}/us-east-1/network.yaml!