Custom Domain Name for WebSockets API with Serverless

6
votes

I'm managing a REST API for an app with Serverless and want to extend this setup with a WebSockets API in the same region. Everything should be handled with the same certificate, but different subdomains.

At first I created a new custom domain with sls create_domain --stage=.... Then I tried to add it to the new WebSockets stack, but ended with this error:

Error: Failed to find CloudFormation resources for ...

I found it on Github that this seems to be not supported by CloudFormation right now so Serverless does not support it.

So I tried to attach my stage to the custom domain name manually in the UI:

Mixing of REST APIs and HTTP APIs on the same domain name can only be accomplished through API Gateway's V2 DomainName interface. Currently, WebSocket APIs can only be attached to a domain name with other WebSocket APIs. This must also occur through API Gateway's V2 DomainName interface.

More confusion arises, as it's not even the same domain name in this case. The new domain name was sockets.<DOMAIN>.com and the existing one was api.<DOMAIN>.com. Or do different subdomains are falling into 'same domain name'?

Nevertheless I tried to create the custom domain again via the apigatewayv2 CLI:

aws apigatewayv2 create-domain-name --domain-name <DOMAIN> --domain-name-configurations file://domain-configuration.json --region eu-west-1

domain-configuration.json:

[
{
    "ApiGatewayDomainName": "<DOMAIN>",
    "CertificateArn": "arn:aws:acm:us-east-1:<ACCOUNT_ID>:certificate/<CERT_ID>",
    "CertificateName": "<DOMAIN>",
    "DomainNameStatus": "AVAILABLE",
    "EndpointType": "EDGE",
    "SecurityPolicy": "TLS_1_2"
}

]

But this results in the following error:

An error occurred (BadRequestException) when calling the CreateDomainName operation: Invalid certificate ARN: arn:aws:acm:us-east-1:924441585974:certificate/b88f0a3f-1393-4a16-a876-9830852b5207. Certificate must be in 'eu-west-1'.

My current state was that API Gateway only allows custom certificates to be located in us-east-1, so this error confuses me even more.

Summary: I'm completely stuck on how to get a custom domain name attached to my WebSocket API stage. I'm happy about every hint in the right direction!

3
amazon-web-serviceswebsocketaws-api-gatewayserverless-framework

3 Answers

8
votes

Found a solution with a custom CloudFormation resource template:

resources:
  Resources:
    WebSocketDomainName:
      Type: AWS::ApiGatewayV2::DomainName
      Properties:
        DomainName: <domain-name>
        DomainNameConfigurations:
          - EndpointType: 'REGIONAL'
            CertificateArn: <cert-arn>
    WebSocketMapping:
      Type: AWS::ApiGatewayV2::ApiMapping
      Properties:
        ApiId: <api-id>
        DomainName: !Ref WebSocketDomainName
        Stage: <stage-name>
    DNSRecord:
      Type: AWS::Route53::RecordSet
      Properties:
        HostedZoneName: <hosted-zone-name>.
        TTL: '900'
        ResourceRecords:
          - !GetAtt [ WebSocketDomainName, RegionalDomainName ]
        Name: <domain-name>
        Type: CNAME

Edit: Now working with serverless-domain-manager! 🎉

custom:
  customDomain:
    rest:
      domainName: rest.serverless.foo.com
      stage: ci
      basePath: api
      certificateName: '*.foo.com'
      createRoute53Record: true
      endpointType: 'regional'
      securityPolicy: tls_1_2
    http:
      domainName: http.serverless.foo.com
      stage: ci
      basePath: api
      certificateName: '*.foo.com'
      createRoute53Record: true
      endpointType: 'regional'
      securityPolicy: tls_1_2
    websocket:
      domainName: ws.serverless.foo.com
      stage: ci
      basePath: api
      certificateName: '*.foo.com'
      createRoute53Record: true
      endpointType: 'regional'
      securityPolicy: tls_1_2
4
votes

Thanks @tpschmidt for the helpful response! Just to add, in case you want a BasePathMapping for your websocket domain, add ApiMappingKey to the Cloudformation provided above. E.g.:

WebSocketMapping:
      Type: AWS::ApiGatewayV2::ApiMapping
      Properties:
        ApiId: <api-id>
        DomainName: !Ref WebSocketDomainName
        Stage: <stage-name>
        ApiMappingKey: <stage-name> #(e.g. prod)
0
votes

I had to make a couple of minor adjustments to have a Lambda in a private VPC with WebSockets support and a custom domain.

  1. The CertificateArn must be from ACM and cannot be a certificate uploaded to IAM.
  2. I used an A-record instead of a CNAME
WebSocketDomainName:
    Type: AWS::ApiGatewayV2::DomainName
    Properties:
        DomainName: !Ref DomainName
        DomainNameConfigurations:
            - EndpointType: REGIONAL
              CertificateArn: <your-certificate-arn>

# This maps /staging or /prod to just the domain name
WebSocketMapping:
    Type: AWS::ApiGatewayV2::ApiMapping
    Properties:
        ApiId: <your-api-id>
        DomainName: !Ref WebSocketDomainName
        Stage: <your-stage>

Route53DNS:
    Type: AWS::Route53::RecordSetGroup
    Properties:
        HostedZoneName: !Ref Route53HostedZone
        RecordSets:
            - Name: !Ref DomainName
              Type: A
              AliasTarget:
                  HostedZoneId: ZLY8HYME6SFDD # This means eu-west-1 ApiGateWay
                  DNSName:
                      !GetAtt [WebSocketDomainName, RegionalDomainName]

For your HostedZoneId check: https://docs.aws.amazon.com/general/latest/gr/apigateway.html