Secure Connections to AI Workload Dashboards with AWS ACM

Question

Pulumi · Accepted Answer

To secure connections to AI workload dashboards hosted on AWS, you will need an SSL/TLS certificate for your domain. AWS Certificate Manager (ACM) simplifies the management and deployment of these certificates. ACM will allow you to request a certificate, complete the necessary domain validation, and then attach it to resources like Elastic Load Balancers or API Gateways which can route traffic to your dashboards.

Here's a step-by-step guide on how you'll do this with Pulumi:

1. **Request a Certificate**: Use ACM to request a new SSL/TLS certificate for your desired domain name.
2. **Validate the Certificate**: Prove ownership of the domain by adding a CNAME record to your DNS configuration as specified by ACM.
3. **Attach the Certificate**: Once validated, attach the certificate to your load balancer or another AWS resource that is serving your dashboard.

Below is a Pulumi program that demonstrates these steps:

```python
import pulumi
import pulumi_aws as aws

# Replace these variables with your domain details.
DOMAIN_NAME = "your-dashboard-domain.com"
ALTERNATE_DOMAIN_NAMES = ["dashboard", "api"]

# Step 1: Request a new SSL/TLS certificate for your domain.
certificate = aws.acm.Certificate("certificate",
    domain_name=DOMAIN_NAME,
    validation_method="DNS",
    subject_alternative_names=ALTERNATE_DOMAIN_NAMES
)

# Step 2: Validate the certificate.
# Note: The `certificate_domain_validation_options` attribute will contain the
# details you'll use to create a CNAME record for domain validation. This process
# can be automated with Pulumi by integrating with Route53 or another DNS provider.
# For the purposes of this example, this will be a manual process.
validation_record = aws.route53.Record("validationRecord",
    zone_id="Z2FDTNDATAQYW2",  # Replace with your hosted zone ID
    name=certificate.domain_validation_options[0].resource_record_name,
    type=certificate.domain_validation_options[0].resource_record_type,
    records=[certificate.domain_validation_options[0].resource_record_value],
    ttl=600
)

certificate_validation = aws.acm.CertificateValidation("certificateValidation",
    certificate_arn=certificate.arn,
    validation_record_fqdns=[validation_record.fqdn]
)

# Step 3: Attach the certificate to an AWS load balancer to secure traffic.
# This assumes that you have an existing load balancer configured. If not, you will
# need to create one with `aws.lb.LoadBalancer` and possibly other related resources.

# Placeholder for your load balancer's ARN.
load_balancer_arn = "arn:aws:elasticloadbalancing:us-west-2:123456789012:loadbalancer/app/my-load-balancer/50dc6c495c0c9188"

# Attach the certificate to a Listener.
listener = aws.lb.Listener("listener",
    load_balancer_arn=load_balancer_arn,
    port=443,
    protocol="HTTPS",
    ssl_policy="ELBSecurityPolicy-2016-08",
    certificate_arn=certificate_validation.certificate_arn,
    default_action=[{
        "type": "forward",
        "target_group_arn": "arn:aws:elasticloadbalancing:us-west-2:123456789012:targetgroup/my-targets/73e2d6bc24d8a067"
    }]
)

# The URL for your secured dashboard.
dashboard_url = pulumi.Output.concat("https://", DOMAIN_NAME)

# Export the URL, which can be used to access the secured AI workload dashboard.
pulumi.export('dashboard_url', dashboard_url)
```

In this program, we:

- Request an SSL/TLS certificate for our domain via `aws.acm.Certificate`.
- Create a DNS record to complete certificate validation (here using AWS Route 53) using `aws.route53.Record`.
- Validate the ACM certificate with `aws.acm.CertificateValidation`.
- Attach the validated certificate to an HTTPS listener on an AWS load balancer using `aws.lb.Listener`.

After running the program with `pulumi up`, Pulumi performs the deployment and outputs the `dashboard_url` which you can use to securely access your AI workload dashboard.

Please replace placeholder values like `DOMAIN_NAME`, `ALTERNATE_DOMAIN_NAMES`, `load_balancer_arn`, and the Route53 `zone_id` with actual values from your setup.

The listener is set up to listen on port 443, which is the standard port for HTTPS traffic, securing the connection with SSL/TLS.

Remember, the domain validation step is crucial and needs to be completed before the certificate can be used. After running the code, check the ACM console to see the CNAME details you'll need to add to your DNS. The `validation_record` resource in the code automates this for Route 53 managed domains. If you're using another DNS provider, you'll have to add the CNAME records manually. The `certificateValidation` resource makes sure the certificate is only marked as valid after the DNS records are in place.

Ensure that you have AWS access with the necessary permissions to handle ACM, Route 53, and Elastic Load Balancing resources. Also, confirm that Pulumi is set up and configured to use your AWS credentials.