I've configured the following certificate using the aws_acm_certificate resource:
provider "aws" {
  alias  = "virginia"
  region = "us-east-1"
}

resource "aws_acm_certificate" "primary" {
  domain_name               = var.domain_name
  validation_method         = "DNS"
  subject_alternative_names = ["*.${var.domain_name}"]
  provider                  = aws.virginia

  lifecycle {
    create_before_destroy = true
  }

  tags = merge(
    var.tags,
    {
      Name = "${var.project}-ACM-certificate",
    }
  )
}

resource "aws_route53_record" "certificate_validator_record" {
  allow_overwrite = true
  name            = tolist(aws_acm_certificate.primary.domain_validation_options)[0].resource_record_name
  records         = [tolist(aws_acm_certificate.primary.domain_validation_options)[0].resource_record_value]
  type            = tolist(aws_acm_certificate.primary.domain_validation_options)[0].resource_record_type
  zone_id         = aws_route53_zone.primary.zone_id
  ttl             = 60
}

resource "aws_acm_certificate_validation" "certificate_validator" {
  certificate_arn         = aws_acm_certificate.primary.arn
  validation_record_fqdns = [aws_route53_record.certificate_validator_record.fqdn]
}
As you can see, I need the certificate to validate the configured domain and its sub-domains. I configured CloudFront:
module "cdn" {
  source = "terraform-aws-modules/cloudfront/aws"

  comment                       = "CloudFront for caching S3 private and static website"
  is_ipv6_enabled               = true
  price_class                   = "PriceClass_100"
  create_origin_access_identity = true
  aliases                       = [var.frontend_domain_name]

  origin_access_identities = {
    s3_identity = "S3 dedicated for hosting the frontend"
  }

  origin = {
    s3_identity = {
      domain_name = module.s3_bucket.s3_bucket_bucket_regional_domain_name
      s3_origin_config = {
        origin_access_identity = "s3_identity"
      }
    }
  }

  default_cache_behavior = {
    target_origin_id       = "s3_identity"
    viewer_protocol_policy = "redirect-to-https"
    default_ttl            = 5400
    min_ttl                = 3600
    max_ttl                = 7200
    allowed_methods        = ["GET", "HEAD"]
    cached_methods         = ["GET", "HEAD"]
    compress               = true
    query_string           = true
  }

  default_root_object = "index.html"

  custom_error_response = [
    {
      error_code         = 403
      response_code      = 404
      response_page_path = "/index.html"
    },
    {
      error_code         = 404
      response_code      = 404
      response_page_path = "/index.html"
    }
  ]

  viewer_certificate = {
    acm_certificate_arn = aws_acm_certificate.primary.arn
    ssl_support_method  = "sni-only"
  }

  tags = merge(
    var.tags,
    {
      Name  = "${var.project}-Cloudfront",
      Stack = "frontend"
    }
  )
}
But when I try to apply this Terraform plan I get this error:
module.cdn.aws_cloudfront_distribution.this[0]: Still creating... [1m0s elapsed]
╷
│ Error: reading ACM Certificate (arn:aws:acm:us-east-1:***:certificate/ARN_PLACEHOLDER): couldn't find resource
│
│ with aws_acm_certificate_validation.certificate_validator,
│ on acm.tf line 33, in resource "aws_acm_certificate_validation" "certificate_validator":
│ 33: resource "aws_acm_certificate_validation" "certificate_validator" {
│
╵
╷
│ Error: error creating CloudFront Distribution: InvalidViewerCertificate: The certificate that is attached to your distribution doesn't cover the alternate domain name (CNAME) that you're trying to add. For more details, see: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/CNAMEs.html#alternate-domain-names-requirements
│ status code: 400, request id: blabla
│
│ with module.cdn.aws_cloudfront_distribution.this[0],
│ on .terraform/modules/cdn/main.tf line 15, in resource "aws_cloudfront_distribution" "this":
│ 15: resource "aws_cloudfront_distribution" "this" {
│
╵
Releasing state lock. This may take a few moments...
If I go to my AWS account and check the certificate:
So if the certificate is valid and placed in us-east-1, where am I wrong?
I solved the issue with:

The problem was that my cert validation was configured in my default region rather than the us-east-1 region (as my certificate).
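The corrected validation wiring, written out as an added example rather than the asker's or answerer's own code. It assumes the `aws.virginia` provider alias, `aws_acm_certificate.primary` and `aws_route53_zone.primary` from the question exist; the `for_each` over `domain_validation_options` and the `certificate_validation` record name are choices made here, not something the thread shows.

```hcl
# Added example: ACM DNS validation pinned to the same region as the certificate.
# Assumes provider alias "aws.virginia" (us-east-1), aws_acm_certificate.primary
# and aws_route53_zone.primary are defined as in the question.

resource "aws_route53_record" "certificate_validation" {
  # One CNAME per validation option instead of tolist(...)[0], so the apex
  # domain and the wildcard SAN are both covered even if ACM ever returns
  # distinct records for them. allow_overwrite handles the common case where
  # both options point at the same record.
  for_each = {
    for dvo in aws_acm_certificate.primary.domain_validation_options :
    dvo.domain_name => {
      name   = dvo.resource_record_name
      record = dvo.resource_record_value
      type   = dvo.resource_record_type
    }
  }

  allow_overwrite = true
  name            = each.value.name
  records         = [each.value.record]
  type            = each.value.type
  zone_id         = aws_route53_zone.primary.zone_id
  ttl             = 60
}

resource "aws_acm_certificate_validation" "certificate_validator" {
  # The fix from the answer: without this line the validation resource looks
  # the certificate up in the provider's default region, where it does not
  # exist, which is what "reading ACM Certificate ... couldn't find resource"
  # reports. The certificate then never reaches ISSUED for CloudFront.
  provider = aws.virginia

  certificate_arn         = aws_acm_certificate.primary.arn
  validation_record_fqdns = [for r in aws_route53_record.certificate_validation : r.fqdn]
}
```

Two related points worth checking in the CloudFront block: reference `aws_acm_certificate_validation.certificate_validator.certificate_arn` (rather than `aws_acm_certificate.primary.arn`) in `viewer_certificate` so the distribution is only created once validation has completed, and make sure every entry in `aliases` is either `var.domain_name` or a single-label subdomain of it, since that is all the certificate's wildcard SAN covers.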