0

I can't come up with a proper title as my issue is rather complicated (at least for me).

I need to create an infrastructure in AWS

CloudFront
    ElasticBeanstalk (backend)
    S3 (frontend)
Route53 (dns)
CertificateManager (ssl)
...

Now I can create my hosted zone without an issue, but when I'm trying to create the cloudfront, the first thing terraform tries to do is create and validate a certificate.

As I'm not aware on how my cloudfront url will be yet, I can't create an A record pointing to it. The certificate points to that record though (it's a subdomain of my hosted zone) and therefore the certificate validation times out and terraform ends the apply.

As domain and certificate came later in the development it didn't come up yet as the cloudfront distribution has been there already, but while migrating to a environment I'm hitting a wall.

I can't force terraform to create the record first via a null_resource or a depends_on entry because that will form a loop.

Any ideas?

Update:

I'm using an alias in CloudFront, and I'm hosting my domain in Route53.

My issue though is that for the route53 record (not the validation but the certificate itself) I'm using a cloudfront reference:

resource "aws_route53_record" "frontend_record" {
  name    = ...
  zone_id = ...
  type    = "A"

  alias {
    name = local.cloudfront_domain_name <-- this here
    ...
  }
}

And I can't get this because the CloudFront distribution isn't created yet.

Ben
  • 188
  • 4
  • 15

1 Answers1

1

If you are using the default CloudFront URL for the CloudFront distribution that you are creating and do not define any aliases then you will want to specify the following in your configuration:

  viewer_certificate {
    cloudfront_default_certificate = true
  }

If you have aliases defined in your CloudFront configuration like this:

 aliases = ["mysite.example.com", "yoursite.example.com"]

Then that is the domain you use to create your certificates. In which case you not only want to create your certificate but validate it as well before CloudFront can use it: 

resource "aws_acm_certificate" "cert" {
  domain_name       = "example.com"
  validation_method = "DNS"
}

data "aws_route53_zone" "zone" {
  name         = "example.com."
  private_zone = false
}

resource "aws_route53_record" "cert_validation" {
  name    = "${aws_acm_certificate.cert.domain_validation_options.0.resource_record_name}"
  type    = "${aws_acm_certificate.cert.domain_validation_options.0.resource_record_type}"
  zone_id = "${data.aws_route53_zone.zone.zone_id}"
  records = ["${aws_acm_certificate.cert.domain_validation_options.0.resource_record_value}"]
  ttl     = 60
}

resource "aws_acm_certificate_validation" "cert" {
  certificate_arn         = "${aws_acm_certificate.cert.arn}"
  validation_record_fqdns = ["${aws_route53_record.cert_validation.fqdn}"]
}

The above assumes your domain is hosted in Route53. If your domain is not hosted in Route53 then you will likely need to create the certificate and validate it before using it in your CloudFront terraform configuration. You can validate certificates via DNS or email.

Dexley
  • 47
  • 3
  • I updated my post as I can't format my comment properely. Thank you for your answer! – Ben Jun 19 '20 at 19:50