by toomuchtodo 3107 days ago
I just spoke with someone today who argued that HIPAA requires TLS termination on an instance, not the ELB. Can’t confirm or deny, as I’m in financial services, thought I’d mention it for those under such compliance/regulations.

Yeah, you won't believe the work I had to put in over it. As part of the stack creation process, I have to create a backend CA and hand certificates out to a bunch of services, and then make other services use 'em. Getting Elastic Beanstalk to use an arbitrary certificate for the backhaul is both possible and documented, but not as well as I would've liked.
Let me know what would’ve made it easier on the AWS side and I’ll try to get it implemented with our TAM.
It was CloudFormation that made it difficult -- I had to work out exactly how to get the certificate all the way down to the load balancer's configuration details, starting from CloudFormation's interface into provisioning Elastic Beanstalk.

However, the format ELB would accept a certificate in was really frustrating, too -- I ended up having to create a Lambda function that would load a certificate file from S3 and then parse it and then return the results as a resource CFN could later refer to. If I could've simply provided an S3 URI that the CA lived in, and had the ELB load it up during initial config, I could've used many fewer layers.

The CFN syntax for actually setting those critical ELB details was also unclear, too. It took some experimentation and off-Amazon examples before I finally understood how the rule groupings worked together.

If you're curious about what the final results were, the tail-end of https://github.com/openemr/openemr-devops/blob/master/packag.... covers a lot of that ground. Thanks!
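The "Lambda that loads a certificate file from S3, parses it and returns the result as a resource CFN can refer to" pattern the comment describes, written out as an added example. This is not code from the thread or from the openemr-devops repository; the bucket/key property names, the physical resource id scheme and the `Data` attribute names are assumptions. The parsing is pure stdlib so it runs offline on a constructed PEM; only the handler touches S3 and CloudFormation's `ResponseURL`.

```python
"""
CloudFormation custom-resource Lambda (added example): read a PEM object from
S3, strip the first block down to its bare base64 body, and hand the pieces
back to CloudFormation so a template can use !GetAtt <Resource>.Body, e.g. as
the PublicKey attribute of a classic-ELB PublicKeyPolicyType policy, which
wants the key body without the BEGIN/END lines.
"""
import base64
import json
import re
import urllib.request

# One PEM block: label in group 1, body (may span lines) in group 2.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL
)


def pem_blocks(text):
    """Return [(label, base64_body_without_whitespace), ...] for every PEM block."""
    blocks = []
    for label, body in PEM_BLOCK.findall(text):
        compact = re.sub(r"\s+", "", body)
        base64.b64decode(compact, validate=True)  # fail loudly on a corrupt object
        blocks.append((label, compact))
    if not blocks:
        raise ValueError("no PEM blocks found in object")
    return blocks


def describe_pem(text):
    """Data returned to CloudFormation: first block's label and bare body,
    plus how many further blocks (e.g. a chain) followed it."""
    blocks = pem_blocks(text)
    label, body = blocks[0]
    return {"Label": label, "Body": body, "ChainCount": len(blocks) - 1}


def build_response(event, status, data=None, reason=""):
    """Assemble the JSON document CloudFormation expects to be PUT to ResponseURL."""
    props = event.get("ResourceProperties", {})
    return {
        "Status": status,
        "Reason": reason or "see CloudWatch log stream",
        # Assumption: physical id derived from the S3 location (stable across updates).
        "PhysicalResourceId": event.get("PhysicalResourceId")
        or f"{props.get('Bucket')}/{props.get('Key')}",
        "StackId": event["StackId"],
        "RequestId": event["RequestId"],
        "LogicalResourceId": event["LogicalResourceId"],
        "Data": data or {},
    }


def handler(event, context):
    """Lambda entry point. Assumes boto3 is present in the runtime and that the
    template passes Bucket and Key in ResourceProperties."""
    try:
        if event["RequestType"] == "Delete":
            resp = build_response(event, "SUCCESS")
        else:
            import boto3  # imported lazily so the parsing above runs without it
            props = event["ResourceProperties"]
            obj = boto3.client("s3").get_object(Bucket=props["Bucket"], Key=props["Key"])
            text = obj["Body"].read().decode("utf-8")
            resp = build_response(event, "SUCCESS", data=describe_pem(text))
    except Exception as exc:  # any failure must still be reported or the stack hangs
        resp = build_response(event, "FAILED", reason=str(exc))
    req = urllib.request.Request(
        event["ResponseURL"], data=json.dumps(resp).encode(), method="PUT",
        headers={"Content-Type": ""},
    )
    urllib.request.urlopen(req)


def _fake_block(label, payload):
    """Build a PEM-shaped block around placeholder bytes (constructed, not a real key)."""
    body = base64.b64encode(payload).decode()
    wrapped = "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
    return f"-----BEGIN {label}-----\n{wrapped}\n-----END {label}-----\n"


# Constructed sample object: a "public key" followed by one "certificate".
# Real input would be produced with `openssl x509 -pubkey -noout -in cert.pem`.
SAMPLE_PEM = (
    _fake_block("PUBLIC KEY", b"constructed placeholder, not a real key")
    + _fake_block("CERTIFICATE", b"constructed placeholder, not a real cert")
)

if __name__ == "__main__":
    print(json.dumps(describe_pem(SAMPLE_PEM), indent=2))
```

In the template the Lambda is wired up as a `Custom::` resource with `ServiceToken` pointing at the function and `Bucket`/`Key` properties; the load balancer's policy attribute then reads `!GetAtt PemLoader.Body`. The `FAILED` branch matters in practice: a custom resource that raises without answering `ResponseURL` leaves the stack waiting until the custom-resource timeout.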