Ability to use an existing, validated ACM certificate without having to recreate validation records.
Community Note
- Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
- Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
- If you are interested in working on this issue or have submitted a pull request, please leave a comment
Tell us about your request
It seems a bit strange that we have to re-create DNS validation records for a certificate that we have already validated in the past.
It would be more convenient if we could just "select" an existing certificate (like how CloudFront does it).
Thanks for your patience on this feature. We would like to ask a few questions to make sure we build this feature right.
- Do you have use cases for App Runner to support both bring your own public ACM as well as private ACM-PCA certificates or is it more about supporting only bring your own public ACM certificates?
- In either case, please let us know more about the use case for supporting bring your own certificates and why domain validation does not work well when App Runner manages the certificate.
For our use case, we only require public ACM. We use App Runner for review apps that get created from PRs. So for every PR, we spin up a new service that would ideally have the domain branch-name.review.domain.com. We found that provisioning a new certificate for each branch is error-prone and slow (an additional 5-15 mins on top of the 5-10 min deployment). Being able to use an existing wildcard certificate from ACM would make this use case more viable. Due to the current state of certificates, we're just using the .awsapprunner.com domains instead of our own.