I am trying to create a Cloudformation stack that can be provisioned by anybody (basically I want to share it either in the marketplace, or make it public in GitHub), which includes a set of EC2 instances behind an ALB (no autoscaling, but rather a fixed number of instances).
I want to create a single listener for the ALB listening on a non default port (let's say 9999) that uses HTTPS. In order to do this, ALB forces me to use an SSL certificate. I only care about the encryption, and not about the CA validation (because this is meant for internal traffic.)
What I would like to do, is to have encryption enabled between a client and a load balancer like: https://my-loadbalancer-1234567890.us-west-2.elb.amazonaws.com:9999. This is a rest api, so I don't care about the browser pop up complaining about "Your connection is not private"
I can't rely on having a domain, since I want to share this template, I don't expect everybody to own a domain. I can think of 3 solutions, but I don't like any of these (and I don't even know if they will work):
Generate a self signed cert on the userdata script. Push this cert to ACM. Then use this cert from the ALB.
Downside: This will probably require to remove manually the cert, if the stack is destroyed, as the certificate was not created from cloudformation, but from ec2 bootstrap.Generate a self signed cert on the userdata script, but instead of pushing to ACM, install it on an ec2 alb (using something like haproxy/nginx).
Downside: We don't get the benefits of aws alb.- Have the end user to create a subdomain (myrestapi.example-domain.com) beforehand, and generate a cert with that domain from the cloudformation stack.
Downside: requires extra step from the user, plus touching their existing infrastructure.
