
My problem

I am trying to build a personal CDN to share static files with my contacts. The design includes an S3 bucket, a CloudFront distribution and a subdomain registered via Route53, all configured using Terraform.

However, I can reach my files via S3 and CloudFront, but not via my subdomain (cdn.adamatan.com).

What's working

S3

curl http://cdn.adamatan.com.s3.amazonaws.com/index.html

CloudFront

curl https://d36tl9ayobqfgg.cloudfront.net/index.html

What's broken

I can't get the files using the subdomain. Moreover, nslookup for cdn.adamatan.com and adamatan.com does not work. I think that I've misconfigured Route53 somehow.

Configuration

Domain

[screenshot of the registered domain settings; image not available]

Hosted Zone

[screenshot of the hosted zone; image not available]

Terraform configuration

variable "hosted_zone" {
  default = "adamatan.com"
}

variable "domain" {
  default = "cdn.adamatan.com"
}

variable "aws_region" {
  default = "us-east-1"
}

provider "aws" {
  region  = "${var.aws_region}"
  profile = "personal"
  version = "~> 1.1"
}

/*
   The S3 bucket storing the files. It must bear the same name as the domain
   pointing to it. See https://gist.github.com/danihodovic/a51eb0d9d4b29649c2d094f4251827dd,
   and http://stackoverflow.com/a/5048129/2966951
*/
resource "aws_s3_bucket" "adamatan_cdn_bucket" {
  bucket = "${var.domain}"
  acl = "public-read"

  policy = <<EOF
{
      "Version":"2008-10-17",
      "Statement":[{
        "Sid":"AllowPublicRead",
        "Effect":"Allow",
        "Principal": {"AWS": "*"},
        "Action":["s3:GetObject"],
        "Resource":["arn:aws:s3:::${var.domain}/*"]
      }]
    }
  EOF

  tags {
    Description = "Origin bucket for my personal CDN"
  }
}

resource "aws_route53_zone" "cdn_zone" {
  name = "${var.hosted_zone}"
}

resource "aws_route53_record" "root_domain" {
  zone_id = "${aws_route53_zone.cdn_zone.zone_id}"
  name = "${var.domain}"
  type = "A"

  alias {
    name = "${aws_cloudfront_distribution.adamatan_cdn_distribution.domain_name}"
    zone_id = "${aws_cloudfront_distribution.adamatan_cdn_distribution.hosted_zone_id}"
    evaluate_target_health = false
  }
}

resource "aws_cloudfront_distribution" "adamatan_cdn_distribution" {
  origin {
    domain_name = "${var.domain}.s3.amazonaws.com"
    origin_id   = "${var.domain}"
  }

  enabled             = true
  is_ipv6_enabled     = true
  comment             = "Permanent public file distribution"
  default_root_object = "index.html"

  aliases = ["${var.domain}"]

  default_cache_behavior {
    allowed_methods  = ["GET", "HEAD", "OPTIONS"]
    cached_methods   = ["GET", "HEAD"]
    target_origin_id = "${var.domain}"

    forwarded_values {
      query_string = false

      cookies {
        forward = "none"
      }
    }

    viewer_protocol_policy = "allow-all"
    min_ttl                = 60
    default_ttl            = 300
    max_ttl                = 86400
  }

  price_class = "PriceClass_All"

  restrictions {
    geo_restriction {
      restriction_type = "none"
    }
  }

  viewer_certificate {
    cloudfront_default_certificate = true
  }
}
output "domain" {
  value = "${var.domain}"
}

output "cdn_domain" {
  value = "${aws_cloudfront_distribution.adamatan_cdn_distribution.domain_name}"
}

My question

How can I map my subdomain (cdn.adamatan.com) to my CloudFront distribution (d36tl9ayobqfgg.cloudfront.net) using Terraform (preferably with SSL support)?

Adam Matan
  • Similar question / scenario was asked a while back, [here](https://serverfault.com/questions/845860/distributed-large-file-hosting/845865?noredirect=1#comment1084590_845865). Not sure if it's relevant but might be worth a read. – Tim Oct 22 '17 at 04:14
  • @Tim Thanks! Read the question, seems to address a different issue. My problem is actually Route53 specific (DNS does not work correctly). – Adam Matan Oct 22 '17 at 04:15
  • Is the domain set up as public or private? I see it in terraform... but just want to verify – Mike Oct 22 '17 at 04:30

1 Answer


In your Amazon hosted zone you have a different set of name servers than at your registrar.

Domain Name: ADAMATAN.COM
Registrar: Gandi SAS
Name Server: NS-1193.AWSDNS-21.ORG
Name Server: NS-1889.AWSDNS-44.CO.UK
Name Server: NS-4.AWSDNS-00.COM
Name Server: NS-1193.AWSDNS-21.ORG

None of the name servers above answers for the adamatan.com SOA or for cdn.adamatan.com. These name servers don't have your domain configured on them, while the set of servers in your zone do:

;; ANSWER SECTION:
cdn.adamatan.com.       60      IN      A       13.33.23.245
cdn.adamatan.com.       60      IN      A       13.33.23.59
cdn.adamatan.com.       60      IN      A       13.33.23.22
cdn.adamatan.com.       60      IN      A       13.33.23.89
cdn.adamatan.com.       60      IN      A       13.33.23.45
cdn.adamatan.com.       60      IN      A       13.33.23.248
cdn.adamatan.com.       60      IN      A       13.33.23.169
cdn.adamatan.com.       60      IN      A       13.33.23.94

;; AUTHORITY SECTION:
adamatan.com.           172800  IN      NS      ns-1511.awsdns-60.org.
adamatan.com.           172800  IN      NS      ns-1730.awsdns-24.co.uk.
adamatan.com.           172800  IN      NS      ns-378.awsdns-47.com.
adamatan.com.           172800  IN      NS      ns-936.awsdns-53.net.

Go to the domain management on your Gandi account and change your name servers accordingly. The NS records at the parent (.com) zone should match the ones in your own (adamatan.com).

Keep in mind that the TTL on both zones is 172800 seconds, i.e., 48 hours. It may take up to two days for these changes to take effect. dig adamatan.com NS @a.gtld-servers.net. shows whether they have been updated on the root name servers of .com, and that's when the count actually begins.

Esa Jokinen
  • Thanks! Taking a look at it. The domain is registered at Amazon as well. I'll change the records ([must be manual for now](https://github.com/terraform-providers/terraform-provider-aws/issues/88), Terraform does not support changing a domain's DNS servers). – Adam Matan Oct 22 '17 at 07:11
  • FWIW, when a domain is registered with AWS, the underlying registrar is often Gandi SAS because Route 53 is not, itself, a registrar but a [reseller](http://docs.aws.amazon.com/Route53/latest/DeveloperGuide/route-53-concepts.html#route-53-concepts-domain-reseller) of Gandi and another entity called Amazon Registrar... so changes are made through the AWS interface, but the WHOIS doesn't necessarily say Amazon. The discrepancy between nameservers is usually caused by [deleting a hosted zone and putting it back](https://serverfault.com/a/838396/153161), which doesn't do what some people assume. – Michael - sqlbot Oct 22 '17 at 17:25
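A delegation consistency check in the spirit of the answer's diagnosis, written here as an added example (it is not code from the question or the answer): it parses the registrar's WHOIS "Name Server:" lines and the NS records in dig output from the zone itself, normalizes case and trailing dots, reports which servers appear on only one side, and derives the 48-hour worst case from the NS TTL. The two inputs are constructed from the output quoted in the answer; in practice they would come from `whois adamatan.com` and `dig adamatan.com NS @<one of the zone's own servers>`.

```python
import re

# Constructed sample, values copied from the answer: the registrar's WHOIS view
# of the delegation (note the mixed case and the duplicated entry).
WHOIS_OUTPUT = """\
Domain Name: ADAMATAN.COM
Registrar: Gandi SAS
Name Server: NS-1193.AWSDNS-21.ORG
Name Server: NS-1889.AWSDNS-44.CO.UK
Name Server: NS-4.AWSDNS-00.COM
Name Server: NS-1193.AWSDNS-21.ORG
"""

# Constructed sample: dig output as returned by the hosted zone's own servers.
DIG_OUTPUT = """\
;; AUTHORITY SECTION:
adamatan.com.           172800  IN      NS      ns-1511.awsdns-60.org.
adamatan.com.           172800  IN      NS      ns-1730.awsdns-24.co.uk.
adamatan.com.           172800  IN      NS      ns-378.awsdns-47.com.
adamatan.com.           172800  IN      NS      ns-936.awsdns-53.net.
"""

def normalize(name):
    # DNS names compare case-insensitively and the trailing dot is optional.
    return name.strip().rstrip(".").lower()

def parse_whois_ns(text):
    """Name servers the registrar has published to the parent (.com) zone."""
    return {normalize(m.group(1))
            for m in re.finditer(r"^Name Server:\s*(\S+)", text, re.M)}

def parse_ns_rrset(text, zone):
    """NS records for `zone` in dig output, as (server, ttl) pairs."""
    rrset = set()
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 5 and f[2:4] == ["IN", "NS"] and normalize(f[0]) == normalize(zone):
            rrset.add((normalize(f[4]), int(f[1])))
    return rrset

def check_delegation(registrar_ns, zone_rrset):
    """Return (consistent, only_at_registrar, only_in_zone)."""
    zone_ns = {server for server, _ in zone_rrset}
    return registrar_ns == zone_ns, registrar_ns - zone_ns, zone_ns - registrar_ns

def max_wait_hours(zone_rrset):
    """Worst-case time the old NS set may stay cached, from the NS TTL."""
    return max(ttl for _, ttl in zone_rrset) / 3600
```

Any server listed in `only_at_registrar` is one the parent zone delegates to but that never received the zone, which is exactly the "no SOA" symptom the answer observed.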