I have a terraform module that provisions resources primarily in eu-west-1. I need an ACM certificate to attach to a Cloudfront distribution. The certificate must be provisioned in us-east-1.

I have thus configured two providers:

provider "aws" {
  version = "~> 1.0"
  region = "eu-west-1"
}

provider "aws" {
  version = "~> 1.0"
  region = "us-east-1"
  alias = "us-east-1"
}

In my module, I provision the certificate like so:

resource "aws_acm_certificate" "cert" {
  provider = "aws.us-east-1"
  domain_name = "${var.domain_name}"
  validation_method = "DNS"
  tags = "${var.tags}"

  lifecycle {
    create_before_destroy = true
  }
}

Problem #1: I tried to import my existing ACM certificate using:

terraform import module.mymod.aws_acm_certificate.cert arn:aws:acm:us-east-1:xyz:certificate/uuid

This fails with: "Could not find certificate with id". Is terraform looking in the wrong region? I confirmed with the aws CLI that the certificate does indeed exist (e.g. no typos in the ARN).

Ok, so I figured I could just create a new certificate. This does work, and I now have two certificates, but I then run into problem #2:

resource "aws_route53_record" "cert_validation" {
  name = "${aws_acm_certificate.cert.domain_validation_options.0.resource_record_name}"
  type = "${aws_acm_certificate.cert.domain_validation_options.0.resource_record_type}"
  zone_id = "${data.aws_route53_zone.zone.id}"
  records = ["${aws_acm_certificate.cert.domain_validation_options.0.resource_record_value}"]
  ttl = 60
}

This attempts to set up DNS validation for ACM. The hosted zone exists in eu-west-1, so I'm expecting problems here. However, this still fails with "Could not find certificate ...", and I'm assuming terraform gets confused about regions. I tried adding provider = "aws.us-east-1" to this resource as well, but it still fails the same way.

So, no matter what I do, Terraform is unable to locate my certificate, even when it has created it itself. Am I doing something wrong?

Route53 hosted zones are global, not regional, so I think you're confusing something there. It looks like you probably have a lot of things going on that's confusing this case, so it might be worth trying to make a minimal reproduction case where you just attempt to create the ACM cert, R53 records and the validation, and edit your question to show just the code for that and provide the exact error you're getting so people can follow along. - ydaetskcoR
It’s also worth noting that the id is not always the arn and rarely documented. It’s worth trying other unique identifiers, like name. - RubberDuck

1 Answer

Turns out my problem was with aws_acm_certificate_validation. By specifying the provider in the same region as the certificate, it was all resolved.

resource "aws_acm_certificate_validation" "cert" {
  provider = "aws.us-east-1" # <== Add this
  certificate_arn = "${aws_acm_certificate.cert.arn}"
  validation_record_fqdns = ["${aws_route53_record.cert_validation.fqdn}"]
}
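Putting the pieces together, here is an added, complete configuration (not the asker's or answerer's code) that provisions the certificate in us-east-1, creates the validation records in the global Route53 zone, and runs the validation through the same aliased provider as the certificate. It assumes Terraform 0.12+ syntax and AWS provider 3.x, where domain_validation_options is a set and is iterated with for_each rather than the .0 index used in the question; example.com is a placeholder domain.

```hcl
provider "aws" {
  region = "eu-west-1" # default provider for the rest of the module
}

# CloudFront only accepts ACM certificates issued in us-east-1, hence the alias.
provider "aws" {
  alias  = "us_east_1"
  region = "us-east-1"
}

variable "domain_name" { default = "example.com" } # placeholder value

# Route53 hosted zones are global, so the default provider is fine here.
data "aws_route53_zone" "zone" {
  name = var.domain_name
}

resource "aws_acm_certificate" "cert" {
  provider          = aws.us_east_1
  domain_name       = var.domain_name
  validation_method = "DNS"
  lifecycle { create_before_destroy = true }
}

# domain_validation_options is a set in AWS provider 3.x, so iterate with
# for_each instead of the .0 index used in the question.
resource "aws_route53_record" "cert_validation" {
  for_each = {
    for dvo in aws_acm_certificate.cert.domain_validation_options : dvo.domain_name => {
      name   = dvo.resource_record_name
      type   = dvo.resource_record_type
      record = dvo.resource_record_value
    }
  }
  zone_id         = data.aws_route53_zone.zone.zone_id
  name            = each.value.name
  type            = each.value.type
  records         = [each.value.record]
  ttl             = 60
  allow_overwrite = true
}

# The fix from the answer: the validation resource must use the same provider
# (region) as the certificate, or the lookup is sent to eu-west-1 and fails.
# Reference aws_acm_certificate_validation.cert.certificate_arn from the
# CloudFront distribution's viewer_certificate block.
resource "aws_acm_certificate_validation" "cert" {
  provider                = aws.us_east_1
  certificate_arn         = aws_acm_certificate.cert.arn
  validation_record_fqdns = [for r in aws_route53_record.cert_validation : r.fqdn]
}
```

Referencing the validation resource's certificate_arn (rather than the certificate's own arn) from CloudFront makes the distribution wait until DNS validation has actually succeeded.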