v0.7.7
Please list the resources as a list, for example:
- aws_cloudfront_distribution

```hcl
resource "aws_iam_server_certificate" "FOO" {
  name_prefix       = "BAR"
  certificate_body  = "${file(format("%s.crt", var.certificate_path))}"
  certificate_chain = "${file(format("%s_chain.crt", var.certificate_path))}"
  private_key       = "${file(format("%s.key", var.certificate_path))}"
  path              = "/cloudfront/${var.environment}-certificate/"

  lifecycle {
    create_before_destroy = true
  }
}

resource "aws_cloudfront_distribution" "FOO" {
  enabled     = true
  aliases     = ["${var.cloudfront_aliases}"]
  price_class = "PriceClass_All"

  origin {
    domain_name = "${var.media_bucket["name"]}"
    origin_id   = "${var.media_bucket["origin_id"]}"
  }

  default_cache_behavior {
    allowed_methods  = ["GET", "HEAD"]
    cached_methods   = ["GET", "HEAD"]
    target_origin_id = "${var.media_bucket["origin_id"]}"

    forwarded_values {
      query_string = false

      cookies {
        forward = "none"
      }
    }

    viewer_protocol_policy = "allow-all"
    min_ttl                = 0
    max_ttl                = 31536000
    default_ttl            = 86400
  }

  restrictions {
    geo_restriction {
      restriction_type = "none"
    }
  }

  viewer_certificate {
    # This is the mistake reported in this issue: CloudFront expects the IAM
    # certificate id, not the certificate ARN.
    iam_certificate_id       = "${aws_iam_server_certificate.hubrick-cloudfront.FOO.arn}"
    minimum_protocol_version = "TLSv1"
    ssl_support_method       = "sni-only"
  }
}
```
The CloudFront distribution already exists; I created the aws_iam_server_certificate in order to apply it and replace the default CloudFront certificate. When I try to apply it with TF, I'm getting the following error:
```
Error applying plan:

1 error(s) occurred:

* aws_cloudfront_distribution.media: InvalidViewerCertificate: The specified SSL certificate doesn't exist, isn't valid, or doesn't include a valid certificate chain.
	status code: 400, request id: 5b197f8c-99fa-11e6-8b58-639a96e76384
```
The thing is, if I go to the AWS console and select the same certificate that was uploaded via TF, it works without a problem. I've made sure that my certificate is the correct size (2048).
As usual, the second I open the issue I find my problem... I needed to pass the certificate ID and not the ARN, e.g.:

```hcl
# before
iam_certificate_id = "${aws_iam_server_certificate.hubrick-cloudfront.FOO.arn}"
# after
iam_certificate_id = "${aws_iam_server_certificate.hubrick-cloudfront.FOO.id}"
```
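An added pre-apply check, not part of this issue thread or the provider, for the mistake above: it classifies the value handed to `iam_certificate_id` (IAM server-certificate ids carry the `ASCA` prefix; an ARN is what produces the InvalidViewerCertificate error) and validates the certificate metadata, including the `/cloudfront/` path prefix CloudFront requires. The metadata dict is constructed in the shape of the IAM GetServerCertificate response; all values in it are made up.

```python
import re

# Constructed sample in the shape of ServerCertificate.ServerCertificateMetadata
# from IAM GetServerCertificate. Account id, name and id are made up.
SAMPLE_METADATA = {
    "ServerCertificateName": "example-cloudfront-cert",
    "ServerCertificateId": "ASCAEXAMPLEID0000001",
    "Arn": "arn:aws:iam::123456789012:server-certificate/cloudfront/prod-certificate/example-cloudfront-cert",
    "Path": "/cloudfront/prod-certificate/",
}

# IAM server certificate ARN: arn:<partition>:iam::<account>:server-certificate<path><name>
ARN_RE = re.compile(r"^arn:aws[\w-]*:iam::\d{12}:server-certificate(/.*)?/([^/]+)$")
# IAM unique ids for server certificates start with ASCA.
ID_RE = re.compile(r"^ASCA[A-Z0-9]{16,}$")


def classify_viewer_certificate_value(value):
    """Say whether a value is usable as iam_certificate_id ('id'), is the ARN
    that triggers InvalidViewerCertificate ('arn'), or is something else."""
    if ID_RE.match(value):
        return "id"
    if ARN_RE.match(value):
        return "arn"
    return "unknown"


def check_for_cloudfront(metadata):
    """Validate IAM server certificate metadata for a CloudFront viewer_certificate.

    Returns (ok, problems, certificate_id); certificate_id is the value that
    belongs in iam_certificate_id when ok is True.
    """
    problems = []
    cert_id = metadata.get("ServerCertificateId", "")
    if classify_viewer_certificate_value(cert_id) != "id":
        problems.append("ServerCertificateId is not an IAM unique id; reference .id, not .arn")
    path = metadata.get("Path", "")
    if not path.startswith("/cloudfront/"):
        problems.append("IAM path must begin with /cloudfront/ for CloudFront to use the certificate")
    m = ARN_RE.match(metadata.get("Arn", ""))
    # The path embedded in the ARN must agree with the Path field (IAM default path is "/").
    if m is None or (m.group(1) or "") + "/" != path:
        problems.append("Arn and Path disagree; metadata may be stale or from another certificate")
    return (not problems, problems, cert_id)
```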
If the certificates are imported manually, you can apply them to CloudFront easily with a data source:

```hcl
data "aws_iam_server_certificate" "domain" {
  name   = "example.com_wildcard"
  latest = true
}

resource "aws_cloudfront_distribution" "cdn" {
  # ...

  viewer_certificate {
    # A data source is referenced with the data. prefix.
    iam_certificate_id       = "${data.aws_iam_server_certificate.domain.id}"
    minimum_protocol_version = "TLSv1"
    ssl_support_method       = "sni-only"
  }
}
```
I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.