apachedeploymentamazon-elastic-beanstalkconfigebextensions

AWS Elastic Beanstalk .ebextensions File creation not working (apache config)


Following the instructions at https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/https-singleinstance-php.html I've been trying to add my SSL certificate to allow for https for my single instance environment.

I've spent a ridiculous amount of time on this and it's driving me crazy.

My important findings are:

I was testing by SSHing onto the EC2 instance after redeploying and checking /etc/httpd/conf.d/.

I'm running on the platform: PHP 7.4 running on 64bit Amazon Linux 2/3.1.2

This is the first time I am working with SSL certificates as well as AWS so any help would be much appreciated.

https-instance.config:

packages:
  yum:
    mod_ssl: []

files:
  /etc/pki/tls/certs/server.crt:
    mode: "000400"
    owner: root
    group: root
    content: |
      -----BEGIN CERTIFICATE-----
      1
      -----END CERTIFICATE-----
      -----BEGIN CERTIFICATE-----
      2
      -----END CERTIFICATE-----
      -----BEGIN CERTIFICATE-----
      3
      -----END CERTIFICATE-----

  /etc/pki/tls/certs/server.key:
    mode: "000400"
    owner: root
    group: root
    content: |
      -----BEGIN RSA PRIVATE KEY-----
      1
      -----END RSA PRIVATE KEY-----

  "/etc/httpd/conf.d/ssl.conf":
    mode: "000644"
    owner: root
    group: root
    content: |
      LoadModule ssl_module modules/mod_ssl.so
      Listen 443
      <VirtualHost *:443>
        <Proxy *>
          Order deny,allow
          Allow from all
        </Proxy>

        SSLEngine on
        SSLCertificateFile "/etc/pki/tls/certs/server.crt"
        SSLCertificateKeyFile "/etc/pki/tls/certs/server.key"
        SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
        SSLProtocol All -SSLv2 -SSLv3
        SSLHonorCipherOrder On
        SSLSessionTickets Off

        Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
        Header always set X-Frame-Options DENY
        Header always set X-Content-Type-Options nosniff

        ProxyPass / http://localhost:80/ retry=0
        ProxyPassReverse / http://localhost:80/
        ProxyPreserveHost on
        RequestHeader set X-Forwarded-Proto "https" early
      </VirtualHost>

https-instance-single.config (not important for this issue)

Resources:
  sslSecurityGroupIngress:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: {"Fn::GetAtt" : ["AWSEBSecurityGroup", "GroupId"]}
      IpProtocol: tcp
      ToPort: 443
      FromPort: 443
      CidrIp: 0.0.0.0/0


Solution

  • To create / modify any file or execute any script post deployment, do the following (I already answered a similar question about modifying nginx configuration on deployment here). Same applies for your apache configuration.

    You need to create files in /tmp then mv them to their final location using a script.

    The following applies for an Amazon Linux 2 environment:

    Source: https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/platforms-linux-extend.html

    Scripts are executed from subfolders in .platform that you have to place at the root of your project, like so:

    ~/your-app/
    |-- Procfile
    |-- readme.md
    |-- .ebextensions/
    |   |-- 01_write_some_files.config        
    `-- .platform/
        |-- hooks
            `-- postdeploy
                `-- 01_move_some_files.sh        # Executed post deployment
    

    01_write_some_files.config

    Create a .config file at the root of .ebextensions.

    1. Create your files in /tmp:
    files:
      /tmp/someFolder/server.crt:
         mode: "000644"
         owner: root
         group: root
         content: |
           # your file content
    
      /tmp/someFolder/server.key:
         mode: "000644"
         owner: root
         group: root
         content: |
           # your file content
    
      # Do the same for all your files
    

    01_move_some_files.sh

    Create a small script in .platform/hooks/postdeploy and change permissions to 755.

    #!/usr/bin/bash
    
    # Move the files you created in /tmp into the desired directories. 
    sudo mv /tmp/someFolder/server.crt /etc/pki/tls/certs/server.crt
    
    # other bash commands