0
votes

I have my AWS infrastructure set up in ap-southeast-1 using Terraform; however, I want to link my ACM certificate created in us-east-1 to my load balancer using the aws_alb_listener resource.


resource "aws_alb_listener" "https" {
  load_balancer_arn = aws_lb.main.id
  port              = 443
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-2016-08"
  certificate_arn   = var.acm_certificate_arn
  depends_on        = [aws_alb_target_group.main]

  default_action {
    target_group_arn = aws_alb_target_group.main.arn
    type             = "forward"
  }
}

When I do terraform apply, it raises an error.

Is it possible to attach an ACM certificate to alb from a different region using terraform?

My use case is that this cert will also be used in AWS CloudFront as a CDN.

2
You need to create a cert in both regions. - ydaetskcoR
CloudFront requires that the ACM certificate be in the us-east-1 region. ALB requires that the cert be in the same region as the ALB. You'll have to create an ACM certificate in each region. Since they are free, this isn't really an issue. - Mark B

2 Answers

2
votes

Is it possible to attach an ACM certificate to alb from a different region using terraform?

Sadly, it's not possible. ACM certs can only be used in the region where they were created, not counting global resources such as CloudFront.

For your ALB, you have to create a new ACM certificate in the ALB's region and register it for the same domain. From the AWS blog:

ACM certificates must be requested or imported in the same AWS Region as your load balancer. Amazon CloudFront distributions must request the certificate in the US East (N. Virginia) Region.

0
votes

You can create another certificate in another region with the same domain name.

For example, given that you have an aws_acm_certificate called default:

# Your default certificate in ap-southeast-1
resource "aws_acm_certificate" "default" {
  domain_name       = aws_route53_record.default.fqdn
  validation_method = "DNS"

  lifecycle {
    create_before_destroy = true
  }

  tags = {
    Environment = var.environment
  }
}

The "default" certificate is using the default provider, so let's create another aws provider with an alias:

provider "aws" {
  alias  = "us_east"
  region = "us-east-1"
}

Now we can create the "same" certificate in another region using this provider:

resource "aws_acm_certificate" "us" {
  domain_name       = aws_route53_record.default.fqdn
  validation_method = "DNS"

  lifecycle {
    create_before_destroy = true
  }

  provider = aws.us_east

  tags = {
    Environment = var.environment
  }
}

Your listener can now use this new certificate in us-east-1:

resource "aws_alb_listener" "https" {
  load_balancer_arn = aws_lb.main.id
  port              = 443
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-2016-08"
  certificate_arn   = aws_acm_certificate.us.arn
  depends_on        = [aws_alb_target_group.main]

  default_action {
    target_group_arn = aws_alb_target_group.main.arn
    type             = "forward"
  }
}
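A complete version of the two-region pattern the comments and answers describe, as an added example that is not code from the question or either answer: the ALB listener uses the certificate issued in the ALB's own region (ap-southeast-1, the default provider), while a second certificate from the aliased us-east-1 provider is the one CloudFront can use, and both are DNS-validated through Route 53. It assumes a default aws provider in ap-southeast-1, an aws_route53_zone.main, a var.domain_name, aws_lb.main and aws_alb_target_group.main defined elsewhere, and that ACM hands out the same validation CNAME for the same domain within one account.

```hcl
# Added example: assumes a default aws provider in ap-southeast-1 (the ALB's region).
provider "aws" {
  alias  = "us_east"
  region = "us-east-1"
}

# One certificate per region for the same domain: regional for the ALB, us-east-1 for CloudFront.
resource "aws_acm_certificate" "alb" {
  domain_name       = var.domain_name
  validation_method = "DNS"
}
resource "aws_acm_certificate" "cdn" {
  provider          = aws.us_east
  domain_name       = var.domain_name
  validation_method = "DNS"
}

# Route 53 is global. Assumption: ACM issues the same validation CNAME for one domain in one account.
resource "aws_route53_record" "validation" {
  for_each        = { for o in aws_acm_certificate.alb.domain_validation_options : o.domain_name => o }
  zone_id         = aws_route53_zone.main.zone_id
  name            = each.value.resource_record_name
  type            = each.value.resource_record_type
  records         = [each.value.resource_record_value]
  ttl             = 60
  allow_overwrite = true
}

resource "aws_acm_certificate_validation" "alb" {
  certificate_arn         = aws_acm_certificate.alb.arn
  validation_record_fqdns = [for r in aws_route53_record.validation : r.fqdn]
}
resource "aws_acm_certificate_validation" "cdn" {
  provider                = aws.us_east
  certificate_arn         = aws_acm_certificate.cdn.arn
  validation_record_fqdns = [for r in aws_route53_record.validation : r.fqdn]
}

# The listener must reference the validated certificate from its own region, never the us-east-1 one.
resource "aws_lb_listener" "https" {
  load_balancer_arn = aws_lb.main.arn
  port              = 443
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-TLS13-1-2-2021-06"
  certificate_arn   = aws_acm_certificate_validation.alb.certificate_arn
  default_action {
    type             = "forward"
    target_group_arn = aws_alb_target_group.main.arn
  }
}
```

The CloudFront distribution's viewer_certificate block then takes aws_acm_certificate_validation.cdn.certificate_arn, so each service gets a certificate from the region it requires.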