I am attempting to deploy two CloudFront distributions in cn-northwest-1 and I cannot seem to get ACM certificates attached to them; Terraform keeps returning the following error:

error creating CloudFront Distribution: InvalidViewerCertificate: The specified SSL certificate source isn't available in this region.
│       status code: 400

The ACM certificates are being generated in us-east-1 and the validation is completing successfully, but it seems that the CloudFront distribution, which is created in China, cannot access the certificates in the account with access to us-east-1, and RAM does not work for ACM certificates as far as I could find.

Has anyone run into a similar issue? Is the only solution here using SSL/TLS certificates and manually importing them?

a3yko

2 Answers


You can use the alias method to create and import an ACM certificate from another region (us-east-1, as it's the only supported region).

provider "aws" {
  alias  = "us_east"
  region = "us-east-1"
  # profile = var.profile
}

And create ACM using this provider:

resource "aws_acm_certificate" "cloudfront_cdn" {
  provider          = aws.us_east
  domain_name       = "*.cdn.${var.domain_name}"
  validation_method = "DNS"

  tags = {
    name = "certificate for cloudfront distribution"
  }

  lifecycle {
    create_before_destroy = true
  }
}

Then do your DNS validations and certificate validations (I hope you're fine with this, as you said your certificate is validating successfully). Now, create the distribution:

# Add product cloudfront distribution
resource "aws_cloudfront_distribution" "product_s3_distribution" {
  origin {
    domain_name = "${var.bucket_name}.s3.amazonaws.com"
    origin_id   = var.bucket_name
    # s3_origin_config {
    #   origin_access_identity = 
    # }
  }

  enabled             = true
  is_ipv6_enabled     = true
  comment             = "CloudFront distribution for staging"
  aliases = ["${var.route53_record_name}.${var.domain_name}"]
  default_cache_behavior {
    allowed_methods  = ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"]
    cached_methods   = ["GET", "HEAD"]
    target_origin_id = var.bucket_name

    forwarded_values {
      query_string = false

      cookies {
        forward = "none"
      }
    }

    viewer_protocol_policy = "allow-all"
    min_ttl                = 0
    default_ttl            = 3600
    max_ttl                = 86400
  }

  restrictions {
    geo_restriction {
      restriction_type = "none"
      # restriction_type = "whitelist"
      # locations        = ["US", "CA", "GB", "DE"]
    }
  }

  viewer_certificate {
    # cloudfront_default_certificate = true
    acm_certificate_arn = aws_acm_certificate.cloudfront_cdn.arn
    ssl_support_method = "sni-only"
  }

  depends_on = [aws_acm_certificate.cloudfront_cdn]
}
  • This is the method I am using currently and it is not functional in China; it does work everywhere else. I also received a response on the AWS support forums and it seems that AWS China does not currently support ACM certificates for CloudFront; you have to use a third-party generated certificate and import it. – a3yko May 19 '22 at 07:43

Received a response on the AWS support forums and it seems that AWS China does not currently support ACM certificates for CloudFront. You have to use an already generated SSL certificate and import it into IAM, specifically under /cloudfront/, and then it can be used by CloudFront.

a3yko
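The IAM-import route this answer describes, as an added Terraform example that is not code from the question or from either answer. It assumes a certificate and chain issued by an external CA on disk, the private key passed in through a sensitive variable, and a provider already configured for cn-northwest-1 as in the question; the bucket, alias, file paths and TLS policy name are placeholders or assumptions.

```hcl
# Private key supplied out of band (e.g. TF_VAR_key_pem); sensitive = true redacts it from plan output.
variable "key_pem" {
  type      = string
  sensitive = true
}

# Import the externally issued certificate into IAM under /cloudfront/, the path CloudFront reads.
resource "aws_iam_server_certificate" "cdn" {
  name_prefix       = "cdn-cn-"
  path              = "/cloudfront/"
  certificate_body  = file("${path.module}/certs/cdn.crt")   # placeholder path
  certificate_chain = file("${path.module}/certs/chain.crt") # placeholder path
  private_key       = var.key_pem

  # On rotation, upload the replacement before deleting the old certificate.
  lifecycle {
    create_before_destroy = true
  }
}

resource "aws_cloudfront_distribution" "cdn" {
  enabled = true
  aliases = ["cdn.example.com.cn"] # placeholder; must match a name on the certificate

  origin {
    domain_name = "example-bucket.s3.cn-northwest-1.amazonaws.com.cn" # placeholder
    origin_id   = "s3-origin"
  }

  default_cache_behavior {
    allowed_methods        = ["GET", "HEAD"]
    cached_methods         = ["GET", "HEAD"]
    target_origin_id       = "s3-origin"
    viewer_protocol_policy = "redirect-to-https"
    forwarded_values {
      query_string = false
      cookies { forward = "none" }
    }
  }

  restrictions {
    geo_restriction { restriction_type = "none" }
  }

  viewer_certificate {
    # iam_certificate_id replaces acm_certificate_arn; set only one of the two
    iam_certificate_id       = aws_iam_server_certificate.cdn.id
    ssl_support_method       = "sni-only"
    minimum_protocol_version = "TLSv1.2_2021" # assumed policy name; check China partition support
  }
}
```

Note that the private key still ends up in Terraform state, so the state backend needs the same access controls as the key itself.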