Terraform Recipes: CloudFront TLS certificates

At the end of the previous article, I briefly hinted at various intricacies of provisioning a TLS certificate for your CloudFront distribution. Let’s briefly have a look at what you can expect and how to deal with it!

In general, you will likely encounter two issues if you want to serve your CloudFront traffic over HTTPS: while most AWS services (for example, Elastic Load Balancer) require the certificates to be issued in the same region as the service itself is provisioned, the situation is quite different for CloudFront as that service is region-less. For CloudFront, all certificates must be issued in the North Virginia (us-east-1) region.

The second issue is that before Amazon Certificate Manager turns your certificate request into a valid certificate, it requires you to validate the request either by e-mail or by provisioning a special DNS record. That means that if you try assigning the certificate to a CloudFront distribution while the generation is still in process (or the validation is pending), you’ll be met with a swift failure. But there’s an easy way around both issues!

Requesting freedom certificates 🦅

Let’s deal with the regional issue first. This is how you can force a region for a single Terraform resource, even if the rest of your Terraform resources reside in another region:

###################################
# ACM Certificate
###################################
resource "aws_acm_certificate" "cf_gitbook" {
  provider = aws.virginia

  domain_name       = aws_s3_bucket.gitbook.bucket
  validation_method = "DNS"

  tags = {
    Name        = "${local.name_prefix}cf_gitbook"
    Environment = terraform.workspace
  }

  lifecycle {
    create_before_destroy = true
  }
}

But where does the aws.virginia value come from? Good question! You have to define a provider alias like so:

###################################
# Providers
###################################
provider "aws" {
  version = "~> 2.0"
  region  = "ap-northeast-1"
}

provider "aws" {
  alias = "virginia"

  version = "~> 2.0"
  region  = "us-east-1"
}

Automatically validating certificate request ✅

As you can see in the snippet above, I chose to go for the DNS validation method – that’s because unlike with the e-mail validation method, it can be done automatically and the progress can be tracked by Terraform – that sounds like something we’d precisely want.

###################################
# Route 53 Record
###################################
resource "aws_route53_record" "cf_gitbook_validation" {
  zone_id = aws_route53_zone.public[0].zone_id
  name    = aws_acm_certificate.cf_gitbook.domain_validation_options.0.resource_record_name
  type    = aws_acm_certificate.cf_gitbook.domain_validation_options.0.resource_record_type
  records = [aws_acm_certificate.cf_gitbook.domain_validation_options.0.resource_record_value]
  ttl     = 300
}

With the record in place, we can track the progress of certificate issuance like so:

###################################
# ACM Certificate Validation
###################################
resource "aws_acm_certificate_validation" "cf_gitbook" {
  provider = aws.virginia

  certificate_arn         = aws_acm_certificate.cf_gitbook.arn
  validation_record_fqdns = [aws_route53_record.cf_gitbook_validation.fqdn]
}

We need to also specify the provider alias we created earlier as the aws_acm_certificate.cf_gitbook only exists in the us-east-1 region. Fortunately, Route 53 is a global service, so we won’t run into any issues related to accessing resources from two different regions in one resource.

Putting it all together 🧩

But what was the purpose of creating the aws_acm_certificate_validation? After all, it does not show anywhere in AWS Console, as it’s a virtual resource.

Well, while aws_acm_certificate resource will show up in Terraform as created as soon as certificate issuance request is accepted, aws_acm_certificate_validation will only register as created once validation and issuance is finished and the certificate is ready to be used. aws_acm_certificate_validation resources can be used like so:

###################################
# CloudFront
###################################
resource "aws_cloudfront_distribution" "gitbook" {
  …
  
  viewer_certificate {
    acm_certificate_arn      = aws_acm_certificate_validation.cf_gitbook.certificate_arn
    ssl_support_method       = "sni-only"
    minimum_protocol_version = "TLSv1.2_2018"
  }
}

With the code above, the CloudFront distribution will start provisioning only once the certificate is ready to be used, exactly as we want it.