Terraform-provider-aws: Creating CloudFront distro right after creating the ssl cert fails

Created on 11 Jun 2019 · 8 Comments · Source: hashicorp/terraform-provider-aws

_This issue was originally opened by @lrhazi as hashicorp/terraform#21687. It was migrated here as a result of the provider split. The original body of the issue is below._


Not sure if this is a bug, but it does seem to happen each time I try it.
Trying to create an AWS CloudFront distribution fails because of missing SSL cert, but the cert was created by the same terraform apply and succeeded. Simply retrying the terraform apply immediately works.

> terraform --version
Terraform v0.12.1
module.acm_accreditation_a.aws_acm_certificate_validation.main: Creation complete after 38s [id=2019-06-11 15:13:35 +0000 UTC]

Error: error creating CloudFront Distribution: InvalidViewerCertificate: The specified SSL certificate doesn't exist, isn't in us-east-1 region, isn't valid, or doesn't include a valid certificate chain.
        status code: 400, request id: 6f72605d-8c5b-11e9-b247-632e3f9d6419

  on ..\..\..\modules\s3-cdn\main.tf line 6, in resource "aws_cloudfront_distribution" "distribution":
   6: resource "aws_cloudfront_distribution" "distribution" {

Labels: bug, service/cloudfront

All 8 comments

Hi @lrhazi sorry you are running into issues here. There was a similar problem to the one you are reporting fixed some time ago: https://github.com/terraform-providers/terraform-provider-aws/pull/4698

In order for us to best help could you please provide the provider version by using this command terraform providers.

Sorry, didn't see this earlier. Here you go:

PS C:\Users\lrhazi\PycharmProjects\terraform-projects\projects\web-toptier\prod> terraform providers
.
├── provider.aws
├── provider.aws.us-east-1
├── module.acm_accreditation_a
│   ├── provider.aws.acm
│   ├── provider.aws.route53
│   └── provider.aws.us-east-1 (from state)
├── module.acm_anthropology_a
│   ├── provider.aws.acm
│   ├── provider.aws.route53
│   └── provider.aws.us-east-1 (from state)
├── module.acm_migration_test_2019
│   ├── provider.aws.acm
│   ├── provider.aws.route53
│   └── provider.aws.us-east-1 (from state)
├── module.cdn_accreditation_a
│   └── provider.aws
├── module.cdn_anthropology_a
│   └── provider.aws
└── module.cdn_migration_test_2019
    └── provider.aws

PS C:\Users\lrhazi\PycharmProjects\terraform-projects\projects\web-toptier\prod> terraform providers --version
Terraform v0.12.1
+ provider.aws v2.14.0

Your version of Terraform is out of date! The latest version
is 0.12.2. You can update by downloading from www.terraform.io/downloads.html
PS C:\Users\lrhazi\PycharmProjects\terraform-projects\projects\web-toptier\prod>

@lrhazi did you find a workaround or fix for this? Running into the same issue...

I can confirm the same failing behavior on v2.45.0 of aws provider

I had a similar issue and believe it is resolved by adding a depends_on attribute on aws_acm_certificate_validation resource in the aws_cloudfront_distribution resource.

I would be interested to understand if it resolves your issue.

@adatoo - your comment solved my issue, thanks!

Didn't work for me - adding the depends_on creates a cycle:
Error: Cycle: aws_cloudfront_distribution.bootstrap, aws_route53_record.bootstrap, aws_acm_certificate_validation.bootstrap

It's obvious really:

  • The Route 53 alias record needs CloudFront to be up so it can point somewhere
  • CloudFront needs the SSL certificate to be created and validated
  • We can't validate the SSL certificate without Route 53 being ready

The only thing I can think of is what a human would do - create the CloudFront distribution first with the default SSL certificate. Then create the Route 53 record, then the ACM SSL certificate, then validate the certificate with DNS, then update the CloudFront distribution. But I guess Terraform isn't that smart currently, and I don't know if it has the ability to do that, even in theory.

Or run terraform apply, wait until it fails whilst creating the CloudFront distribution, manually click start DNS validation in the AWS console, wait until the certificate is validated, then run terraform apply again.

Update on my prior comment, actually I needed some more insight about creating two aws_route53_records, one for domain validation, one for the domain itself. (This isn't what's in the docs.) Anyway thanks for the insight.
