# help

Ross Gerbasi

01/14/2022, 6:24 AM
Hey all, Cloud*Flare*/Cloudfront question. I am using the normal
construct to deploy a CloudFront backed S3 site, all working great. I have a
url. I then attempted to go to Cloud*Flare* and setup a CNAME from my domain to this CloudFront url. This did not work and resulted in a CloudFront 403 error. Turns out you need to add alternate domains to the CloudFront instance to allow access to it. So to test this I manually pop'd into the AWS console and added an alternate domain to the CloudFront instance. However in order to do this I have to use ACM to get a certificate. Certificate required the domain I wished to use, and gave me a CNAME entry I had to enter into Cloud*Flare* to prove I have permissions for the domain. This went pretty quick and once the cert was validated, I added the alternate domain to CloudFront and added the newly requested cert. After a couple seconds everything was connected and my custom domain worked. So ended up with Cloud*Flare* DNS -> CloudFront -> S3. Which is what I wanted. So why am I writing all this? Well I am curious if SST can help me with any of this process. I am going to assume the answer is No, as I need to manually enter the cert info into Cloud*Flare* to get this working. However there is an API so maybe this could get automated... Either way I am wondering if SST can help with any step here, maybe it can create the AWS Cert for me, then I would manually have to go in and get the info, add it to Cloud*Flare*, and add the alt domain to the CloudFront instance. All of this would only need to be set in production, and once set once should be ok. I also wanted to confirm no one sees any major issues with manually going into AWS and adjusting these things after the SST deploy. Any reason future deploys would mess with this? Or does it seem fairly safe to setup once and be good? Our Org is all about Cloud*Flare* so we want to stick with it, otherwise we would just go all in on Route53/CloudFront, but I have been asked to make sure Cloud*Flare* stays in the mix. Any thoughts, concerns, experience would be greatly appreciated! Thanks!
Alright I think I have the better solution here, which is create the cert in ACM first then just share the ARN with SST and provide that to the
config on the
construct. This is working great however the same thing doesn't seem to work for the
Construct. I needed to add a Route53 Host Zone. SST kept erroring that it did not exist for my domain. After creating that it worked, however I am not using Amazon DNS, my domain is external. Could we get a
config for the
construct like we have for

Lukasz K

01/14/2022, 8:38 AM
Ross, I had a similar request and I think it's placed somewhere on the roadmap already 😄

Ross Gerbasi

01/14/2022, 4:14 PM
Oh ok, is that public anywhere? In the meantime do you just let SST write to a unneeded route53 zone?


01/26/2022, 7:24 AM
Hey guys, quick update,
has been added to the
consturct in v0.59.4.