Tags: terraform, amazon-cloudfront

Terraform Cloudfront InvalidViewerCertificate


I'm trying to create a CloudFront distribution using an existing ACM certificate:

data "aws_acm_certificate" "issued" {
  domain   = "*.mydomain.com"
  statuses = ["ISSUED"]
}

resource "aws_cloudfront_distribution" "cloudfront" {
...

  viewer_certificate {
    cloudfront_default_certificate = false
    acm_certificate_arn            = data.aws_acm_certificate.issued.id
    minimum_protocol_version       = "TLSv1.1_2016"
    ssl_support_method             = "sni-only"
  }
...
}

I'm getting the error: Error: error updating CloudFront Distribution (EMLDE0O3OG6CZ): InvalidViewerCertificate: The specified SSL certificate doesn't exist, isn't in us-east-1 region, isn't valid, or doesn't include a valid certificate chain.

The certificate is already in use by another manually created distribution, and when I replace data.aws_acm_certificate.issued.id with the certificate ARN as a string, everything works fine.


Solution

  • OK, so looking a bit closer I've realised that the certificate was coming from the region I'm deploying my resources in, and not "us-east-1".

    Based on this answer, this is how I've fixed the problem:

    provider "aws" {
      region  = var.aws_region
    }
    
    provider "aws" {
      alias = "virginia"
      region = "us-east-1"
    }
    
    data "aws_acm_certificate" "issued" {
      domain   = "*.example.com"
      statuses = ["ISSUED"]
      provider = aws.virginia
    }
    

    According to Terraform's docs, the provider without an alias is the default, and I'll use the second one only to fetch my certificate data!
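Putting the fix together with the check a practitioner would want, as an added example that is not code from the question or the answer above: it wires the aliased us-east-1 provider through to the distribution and adds a Terraform 1.2+ `precondition` so that a certificate from the wrong region fails at plan time with a readable message instead of CloudFront's generic InvalidViewerCertificate at apply time. The origin hostname, certificate domain and default region are placeholders, and the remaining blocks are the minimal set the resource requires.

```hcl
provider "aws" {
  region = "eu-west-1" # any region; the distribution itself is global
}
# CloudFront only accepts ACM certificates from us-east-1: pin the lookup there.
provider "aws" {
  alias  = "virginia"
  region = "us-east-1"
}
data "aws_acm_certificate" "issued" {
  provider = aws.virginia
  domain   = "*.example.com"
  statuses = ["ISSUED"]
}
resource "aws_cloudfront_distribution" "cloudfront" {
  enabled = true
  origin {
    domain_name = "origin.example.com"
    origin_id   = "primary"
    custom_origin_config {
      http_port              = 80
      https_port             = 443
      origin_protocol_policy = "https-only"
      origin_ssl_protocols   = ["TLSv1.2"]
    }
  }
  default_cache_behavior {
    target_origin_id       = "primary"
    viewer_protocol_policy = "redirect-to-https"
    allowed_methods        = ["GET", "HEAD"]
    cached_methods         = ["GET", "HEAD"]
    forwarded_values {
      query_string = false
      cookies { forward = "none" }
    }
  }
  restrictions {
    geo_restriction { restriction_type = "none" }
  }
  viewer_certificate {
    acm_certificate_arn      = data.aws_acm_certificate.issued.arn
    ssl_support_method       = "sni-only"
    minimum_protocol_version = "TLSv1.2_2021" # stricter than TLSv1.1_2016
  }
  lifecycle {
    precondition {
      condition     = can(regex("^arn:aws:acm:us-east-1:", data.aws_acm_certificate.issued.arn))
      error_message = "CloudFront requires the ACM certificate to be in us-east-1."
    }
  }
}
```

If the data source is pointed at the default provider instead, `terraform plan` now stops on the precondition message rather than failing mid-apply.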