CloudFront Distribution Creation issue AWS China

I am attempting to deploy two CloudFront distributions in cn-northwest-1 and I cannot seem to get ACM certificates attached to them; Terraform keeps returning the following error:

error creating CloudFront Distribution: InvalidViewerCertificate: The specified SSL certificate source isn't available in this region.
│       status code: 400

The ACM certificates are being generated in us-east-1 and the validation is completing successfully, but it seems that the CloudFront distribution which is created in China cannot access the certificates in the account with access to us-east-1, and RAM does not work for ACM certificates as far as I could find.

Has anyone run into a similar issue? Is the only solution here using SSL/TLS certificates and manually importing them?

Solution 1:

You can use the alias method to create and import ACM from another region (us-east-1, as it's the only supported region).

provider "aws" {
  alias  = "us_east"
  region = "us-east-1"
  # profile = var.profile
}

And create ACM using this provider:

resource "aws_acm_certificate" "cloudfront_cdn" {
  provider          = aws.us_east
  domain_name       = "*.cdn.${var.domain_name}"
  validation_method = "DNS"

  tags = {
    name = "certificate for cloudfront distribution"
  }

  lifecycle {
    create_before_destroy = true
  }
}

Then do your DNS validations and certificate validations (I hope you're fine with this, as you said your certificate is validating successfully). Now, create the distribution:

# Add product cloudfront distribution
resource "aws_cloudfront_distribution" "product_s3_distribution" {
  origin {
    domain_name = "${var.bucket_name}.s3.amazonaws.com"
    origin_id   = var.bucket_name
    # s3_origin_config {
    #   origin_access_identity = 
    # }
  }

  enabled             = true
  is_ipv6_enabled     = true
  comment             = "CloudFront distribution for staging"
  aliases = ["${var.route53_record_name}.${var.domain_name}"]
  default_cache_behavior {
    allowed_methods  = ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"]
    cached_methods   = ["GET", "HEAD"]
    target_origin_id = var.bucket_name

    forwarded_values {
      query_string = false

      cookies {
        forward = "none"
      }
    }

    # "allow-all" also serves plain HTTP; "redirect-to-https" forces TLS for viewers
    viewer_protocol_policy = "allow-all"
    min_ttl                = 0
    default_ttl            = 3600
    max_ttl                = 86400
  }

  restrictions {
    geo_restriction {
      restriction_type = "none"
      # restriction_type = "whitelist"
      # locations        = ["US", "CA", "GB", "DE"]
    }
  }

  viewer_certificate {
    # cloudfront_default_certificate = true
    acm_certificate_arn = aws_acm_certificate.cloudfront_cdn.arn
    ssl_support_method = "sni-only"
  }

  depends_on = [aws_acm_certificate.cloudfront_cdn]
}
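
The DNS validation step the answer refers to but does not show, as an added example that is not part of the original answer: it publishes the ACM validation records in Route 53 and waits until ACM reports the certificate as issued, so the distribution can reference the validated ARN rather than a certificate that may still be pending. It assumes `var.zone_id` is a Route 53 public hosted zone for `var.domain_name` reachable through the default `aws` provider, and reuses the `aws.us_east` alias from the answer.

```hcl
# Added example, not part of the original answer.
# Assumes: var.zone_id is a Route 53 public hosted zone for var.domain_name,
# created with the default "aws" provider; aws.us_east is the alias above.

# One CNAME per domain on the certificate, taken from ACM's validation options.
resource "aws_route53_record" "cloudfront_cdn_validation" {
  for_each = {
    for dvo in aws_acm_certificate.cloudfront_cdn.domain_validation_options :
    dvo.domain_name => {
      name   = dvo.resource_record_name
      record = dvo.resource_record_value
      type   = dvo.resource_record_type
    }
  }

  allow_overwrite = true
  name            = each.value.name
  records         = [each.value.record]
  ttl             = 60
  type            = each.value.type
  zone_id         = var.zone_id
}

# Blocks until ACM has issued the certificate. Must use the same us-east-1
# provider alias as the certificate, or the lookup fails in the wrong region.
resource "aws_acm_certificate_validation" "cloudfront_cdn" {
  provider                = aws.us_east
  certificate_arn         = aws_acm_certificate.cloudfront_cdn.arn
  validation_record_fqdns = [for r in aws_route53_record.cloudfront_cdn_validation : r.fqdn]
}

# In the distribution's viewer_certificate block, reference the validated ARN
# instead of the raw certificate resource so the apply cannot race validation:
#   acm_certificate_arn = aws_acm_certificate_validation.cloudfront_cdn.certificate_arn
```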

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1: Sagar Budhathoki Magar