AWS Deployment doesn't use HTTPS -- Provide warning in the documentation #52

Open
BrandonALXEllisSS opened this issue Aug 15, 2021 · 5 comments
Labels
documentation Improvements or additions to documentation

Comments

@BrandonALXEllisSS

There are AWS resources to create a self-signed ACM certificate, but given that there's no domain name system set up and the ACM certificate isn't used, any connections to the reference architecture can't use https (despite the constant plethora of example links that do use https), i.e.:

The admin console will be available at https://boundary-test-controller-<random_name>-<random_sha>.elb.us-east-1.amazonaws.com:9200

Please update the documentation to warn the user that he/she needs to set up HTTPS on their own behalf, or advise to use HTTP if just testing the architecture.

@malnick malnick added the documentation Improvements or additions to documentation label Oct 12, 2021
@omkensey
Contributor

It looks like if you change the tls_disable variable in the vars.tf from true to false, it pipes the cert to the instances through a provisioner and adds it to the Boundary config.

@jwieder

jwieder commented Oct 27, 2021

That is true, however (at least in the aws config) setting tls_disable var to false results in further errors. Specifically, there are two hard-coded http paths; changing those results in further errors when using default EC2 hostname nomenclature, e.g.:

Error: error calling read scope: error performing client request during Read call: Get "https://boundary-test-control-rando-a12345c123a0d1.elb.us-east-1.amazonaws.com:9200/v1/scopes/global": x509: certificate is not valid for any names, but wanted to match boundary-test-control-rando-a12345c123a0d1.elb.us-east-1.amazonaws.com

EDIT: the latter may be specific to executing terraform in MacOS due to this: hashicorp/terraform#22193 (comment)

@omkensey
Contributor

Actually, looking at the TLS part of this, it looks like the cert we request is for a CN that's not a hostname. So let me poke around on this and I might cough up a PR later for either or both of you to test.

@jwieder

jwieder commented Oct 28, 2021 via email

@ddvdozuki

Any update to this?

5 participants