Terraform: Allow aws_acm_certificate to lookup certificates in different region

Created on 29 Dec 2016  ·  8Comments  ·  Source: hashicorp/terraform

Hello,

My infrastructure is in eu-west-1.
However, to use an AWS ACM-provided certificate in CloudFront, that certificate must be created in us-east-1.
Unfortunately, I get an error when using the aws_acm_certificate data source:
data.aws_acm_certificate.it: No certificate for domain "test.example.com" found in this region.

Am I doing something wrong, or would it be possible to look up certificates in a different region?

Thanks!


All 8 comments

Hi @KifBV!

Currently the answer to doing anything in multiple regions is to instantiate the aws provider multiple times, giving one an alias like this:

provider "aws" {
  # The "default" instance of the provider
  region = "eu-west-1"
}
provider "aws" {
  # us-east-1 instance
  region = "us-east-1"
  alias = "use1"
}

With that extra provider block in place you can attach selected resources to the other instance by adding the provider meta-argument, like this:

data "aws_acm_certificate" "it" {
  provider = "aws.use1"
  # ...
}

In your case this is probably the only resource that actually needs this special trick, because Terraform already understands that global services (Cloudfront, Route53, IAM, etc) need to operate on us-east-1 regardless of what region you selected, so the right thing happens even though you've got the other provider set to eu-west-1. However, if you wanted to be explicit about it you could also add that provider argument to the cloudfront distribution resource(s), optionally.

Hi @apparentlymart
Understood, thank you very much!

However, I do not see provider here: https://www.terraform.io/docs/providers/aws/d/acm_certificate.html. Can you explain it?

It's a meta-parameter available to all resources.

Apologies, but I seem to have the same problem, although my certificate is in us-east-1 and I think I have correctly configured the provider.

Here's what I have:

OSX:power-blox-setup tom$ pipenv run aws acm list-certificates --profile power-blox
{
    "CertificateSummaryList": []
}
OSX:power-blox-setup tom$ pipenv run aws acm list-certificates --profile power-blox --region us-east-1
{
    "CertificateSummaryList": [
        {
            "CertificateArn": "arn:aws:acm:us-east-1:648039538347:certificate/931e7467-ec74-458c-aee7-770d98adbacc",
            "DomainName": "api.power-blox.cloud"
        }
    ]
}

So the certificate is in us-east-1 as needed. Then my tf:

# main.tf
provider "aws" {
  region                  = "${var.aws_region}"
  shared_credentials_file = "~/.aws/credentials"
  profile                 = "${var.aws_profile}"
  version                 = "~> 1.41"
}
provider "aws" {
  alias                   = "useast1"
  region                  = "us-east-1"
}
# then in a submodule
data "aws_acm_certificate" "api" {
  provider = "aws.useast1"
  domain   = "api.power-blox.cloud"
  statuses = ["ISSUED"]
}

When I run terraform plan I get:

Error: Error refreshing state: 1 error(s) occurred:

* module.apigw.data.aws_acm_certificate.api: 1 error(s) occurred:

* module.apigw.data.aws_acm_certificate.api: data.aws_acm_certificate.api: No certificate for domain "api.power-blox.cloud" found in this region

I've spent quite a bit of time adding and deleting certificates and changing settings, with no luck. Any ideas what the problem could be? Any help appreciated, thanks!

Hi @grudelsud!

The AWS provider is no longer developed in this repository, so the team that now maintains it will not see your comment here. I'd suggest opening an issue in the provider's own repository so that the current maintainers can see and respond to it. Thanks!

Hey @apparentlymart, thanks for the recommendation. It turns out that when I started preparing the bug report, I found what the problem was. I'll leave a post-mortem here in case anyone stumbles on the same problem.

After upgrading to the latest version of Terraform, v0.11.10, and creating a simple main.tf for the bug report (as in my previous post above), I got the error:

Error: Error refreshing state: 1 error(s) occurred:

* provider.aws.useast1: No valid credential sources found for AWS Provider.
    Please see https://terraform.io/docs/providers/aws/index.html for more information on
    providing credentials for the AWS Provider

And so I was... 😕 I changed my provider configuration to repeat the credentials file, as follows:

provider "aws" {
  region                  = "${var.aws_region}"
  shared_credentials_file = "~/.aws/credentials"
  profile                 = "${var.aws_profile}"
  version                 = "~> 1.41"
}

# used to fetch ssl certificates for global endpoints (must be defined in us east 1)
provider "aws" {
  alias                   = "useast1"
  region                  = "us-east-1"
  shared_credentials_file = "~/.aws/credentials"
  profile                 = "${var.aws_profile}"
  version                 = "~> 1.41"
}

And voilà, it works! 🍾

Thanks!
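Putting the two answers in this thread together (the aliased us-east-1 provider from the first reply and the repeated credential settings from the post-mortem), here is an added example that is not code from the thread or from the Terraform project. The profile name, domain and module path are placeholder assumptions, and it uses Terraform 0.15+ syntax (unquoted provider references, configuration_aliases) rather than the 0.11 syntax quoted above; root and child module files are shown in one block.

```hcl
# Added example, not from the thread. Terraform 0.15+ syntax; profile,
# domain and module path are assumed placeholders.
variable "aws_region"  { default = "eu-west-1" }
variable "aws_profile" { default = "example-profile" }
variable "domain"      { default = "api.example.com" }

# Default provider: where the regional infrastructure lives.
provider "aws" {
  region  = var.aws_region
  profile = var.aws_profile
}

# Aliased provider pinned to us-east-1 for CloudFront / edge certificates.
# Aliased providers inherit nothing from the default block, so credential
# settings must be repeated here; omitting them gives the
# "No valid credential sources found" error from the post-mortem above.
provider "aws" {
  alias   = "use1"
  region  = "us-east-1"
  profile = var.aws_profile
}

# A child module only sees the providers it is handed (plus the unaliased
# default), so the alias must be passed in explicitly.
module "apigw" {
  source    = "./modules/apigw"
  providers = { aws.use1 = aws.use1 }
  domain    = var.domain
}

# --- ./modules/apigw/main.tf --------------------------------------------
terraform {
  required_providers {
    aws = {
      source                = "hashicorp/aws"
      configuration_aliases = [aws.use1]
    }
  }
}
variable "domain" {}

# The lookup runs in us-east-1 no matter which region the root provider uses.
data "aws_acm_certificate" "api" {
  provider    = aws.use1
  domain      = var.domain
  statuses    = ["ISSUED"]
  most_recent = true   # disambiguate if several ISSUED certificates match
}
output "certificate_arn" {
  value = data.aws_acm_certificate.api.arn
}
```

Before wiring the ARN into a distribution, `terraform plan` with this layout is the quickest check that both providers resolve credentials and that the lookup returns exactly one certificate.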

I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.
