
Creating CloudFront distro right after creating the ssl cert fails #8945

Closed
ghost opened this issue Jun 11, 2019 · 10 comments
Labels
bug Addresses a defect in current functionality. service/cloudfront Issues and PRs that pertain to the cloudfront service. stale Old or inactive issues managed by automation, if no further action taken these will get closed.

Comments

ghost commented Jun 11, 2019

This issue was originally opened by @lrhazi as hashicorp/terraform#21687. It was migrated here as a result of the provider split. The original body of the issue is below.


Not sure if this is a bug, but it does seem to happen each time I try it.
Trying to create an AWS CloudFront distribution fails because of missing SSL cert, but the cert was created by the same terraform apply and succeeded. Simply retrying the terraform apply immediately works.

> terraform --version
Terraform v0.12.1
module.acm_accreditation_a.aws_acm_certificate_validation.main: Creation complete after 38s [id=2019-06-11 15:13:35 +0000 UTC]

Error: error creating CloudFront Distribution: InvalidViewerCertificate: The specified SSL certificate doesn't exist, isn't in us-east-1 region, isn't valid, or doesn't include a valid certificate chain.
        status code: 400, request id: 6f72605d-8c5b-11e9-b247-632e3f9d6419

  on ..\..\..\modules\s3-cdn\main.tf line 6, in resource "aws_cloudfront_distribution" "distribution":
   6: resource "aws_cloudfront_distribution" "distribution" {

@nywilken
Contributor

Hi @lrhazi sorry you are running into issues here. There was a similar problem to the one you are reporting fixed some time ago: #4698

In order for us to best help could you please provide the provider version by using this command terraform providers.

@nywilken nywilken added service/cloudfront Issues and PRs that pertain to the cloudfront service. waiting-response Maintainers are waiting on response from community or contributor. bug Addresses a defect in current functionality. labels Jun 11, 2019
lrhazi commented Jun 14, 2019

Sorry, didn't see this earlier. Here you go:

PS C:\Users\lrhazi\PycharmProjects\terraform-projects\projects\web-toptier\prod> terraform providers
.
├── provider.aws
├── provider.aws.us-east-1
├── module.acm_accreditation_a
│   ├── provider.aws.acm
│   ├── provider.aws.route53
│   └── provider.aws.us-east-1 (from state)
├── module.acm_anthropology_a
│   ├── provider.aws.acm
│   ├── provider.aws.route53
│   └── provider.aws.us-east-1 (from state)
├── module.acm_migration_test_2019
│   ├── provider.aws.acm
│   ├── provider.aws.route53
│   └── provider.aws.us-east-1 (from state)
├── module.cdn_accreditation_a
│   └── provider.aws
├── module.cdn_anthropology_a
│   └── provider.aws
└── module.cdn_migration_test_2019
    └── provider.aws

PS C:\Users\lrhazi\PycharmProjects\terraform-projects\projects\web-toptier\prod> terraform providers --version
Terraform v0.12.1
+ provider.aws v2.14.0

Your version of Terraform is out of date! The latest version
is 0.12.2. You can update by downloading from www.terraform.io/downloads.html
PS C:\Users\lrhazi\PycharmProjects\terraform-projects\projects\web-toptier\prod>

@ghost ghost removed the waiting-response Maintainers are waiting on response from community or contributor. label Jun 14, 2019
ben5556 commented Oct 27, 2019

@lrhazi did you find a workaround or fix for this? Running into the same issue...

@lc-nyovchev

I can confirm the same failing behavior on v2.45.0 of aws provider

adatoo commented Feb 6, 2020

I had a similar issue and believe it is resolved by adding a depends_on attribute on aws_acm_certificate_validation resource in the aws_cloudfront_distribution resource.

I would be interested to understand if it resolves your issue.

@diana-zvulun

@adatoo - your comment solved my issue, thanks!

antgel commented Aug 10, 2020

Didn't work for me - adding the depends_on creates a cycle:
Error: Cycle: aws_cloudfront_distribution.bootstrap, aws_route53_record.bootstrap, aws_acm_certificate_validation.bootstrap

It's obvious really:

  • The Route 53 alias record needs CloudFront to be up so it can point somewhere
  • CloudFront needs the SSL certificate to be created and validated
  • We can't validate the SSL certificate without Route 53 being ready

The only thing I can think of is what a human would do - create the CloudFront distribution first with the default SSL certificate. Then create the Route 53 record, then the ACM SSL certificate, then validate the certificate with DNS, then update the CloudFront distribution. But I guess Terraform isn't that smart currently, and I don't know if it has the ability to do that, even in theory.

Or run terraform apply, wait until it fails whilst creating the CloudFront distribution, manually click start DNS validation in the AWS console, wait until the certificate is validated, then run terraform apply again.

antgel commented Aug 11, 2020

Update on my prior comment, actually I needed some more insight about creating two aws_route53_records, one for domain validation, one for the domain itself. (This isn't what's in the docs.) Anyway thanks for the insight.
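An added example (not code from this thread or from the provider project) of the ordering antgel describes: the certificate's DNS validation record and the site's alias record are two separate aws_route53_record resources, and the distribution references aws_acm_certificate_validation rather than the certificate itself, so no depends_on is needed and no cycle appears. It assumes AWS provider 3.x or later (domain_validation_options is a set usable with for_each) and uses a placeholder domain and hosted zone ID; origin and cache settings are left to the reader's own distribution.

```hcl
provider "aws" {
  alias  = "us-east-1"
  region = "us-east-1" # CloudFront only accepts ACM certificates issued in us-east-1
}

resource "aws_acm_certificate" "cdn" {
  provider          = aws.us-east-1
  domain_name       = "cdn.example.com" # placeholder domain
  validation_method = "DNS"
}

# Record 1: DNS validation CNAMEs. They depend only on the certificate, never on the distribution.
resource "aws_route53_record" "cdn_validation" {
  for_each = { for dvo in aws_acm_certificate.cdn.domain_validation_options : dvo.domain_name => dvo }
  zone_id  = "Z0PLACEHOLDER" # placeholder hosted zone ID
  name     = each.value.resource_record_name
  type     = each.value.resource_record_type
  ttl      = 60
  records  = [each.value.resource_record_value]
}

# Blocks until ACM reports the certificate ISSUED (the 38s step in the original report).
resource "aws_acm_certificate_validation" "cdn" {
  provider                = aws.us-east-1
  certificate_arn         = aws_acm_certificate.cdn.arn
  validation_record_fqdns = [for r in aws_route53_record.cdn_validation : r.fqdn]
}

resource "aws_cloudfront_distribution" "cdn" {
  enabled = true
  aliases = ["cdn.example.com"]
  # origin, default_cache_behavior and restrictions blocks go here, as in your own distribution
  viewer_certificate {
    # Referencing the validation resource (not aws_acm_certificate.cdn.arn) is the implicit
    # dependency that prevents InvalidViewerCertificate; no depends_on is needed.
    acm_certificate_arn = aws_acm_certificate_validation.cdn.certificate_arn
    ssl_support_method  = "sni-only"
  }
}

# Record 2: the site alias. Only this record depends on the distribution, so the graph stays acyclic.
resource "aws_route53_record" "cdn_alias" {
  zone_id = "Z0PLACEHOLDER"
  name    = "cdn.example.com"
  type    = "A"
  alias {
    name                   = aws_cloudfront_distribution.cdn.domain_name
    zone_id                = aws_cloudfront_distribution.cdn.hosted_zone_id
    evaluate_target_health = false
  }
}
```

Adding depends_on = [aws_acm_certificate_validation.cdn] to the distribution would be redundant here, and adding any depends_on from the validation record to the distribution recreates the cycle reported above.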

github-actions bot commented Aug 1, 2022

Marking this issue as stale due to inactivity. This helps our maintainers find and focus on the active issues. If this issue receives no comments in the next 30 days it will automatically be closed. Maintainers can also remove the stale label.

If this issue was automatically closed and you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thank you!

@github-actions github-actions bot added the stale Old or inactive issues managed by automation, if no further action taken these will get closed. label Aug 1, 2022
@github-actions github-actions bot closed this as completed Sep 1, 2022
github-actions bot commented Oct 2, 2022

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Oct 2, 2022