By using AWS re:Post, you agree to the Terms of Use

How to provision CloudFront distribution with ACM certificate in CloudFormation?

0

I am trying to achieve the following.

First, deploy a CloudFormation stack to region ap-southeast-2 containing:

  1. An S3 bucket
  2. A CloudFront distribution using the S3 bucket as origin
  3. A CNAME in Route53 under a pre-existing HostedZone pointing to the CloudFront distribution

Then, I want to deploy another CloudFormation stack to region us-east-1 with:

  1. An ACM SSL certificate for the domain (CNAME) registered in point 3, above.

Then, I want the certificate created in point 4, above, to be associated with the CloudFront distribution created in point 2, above, as the Viewer Certificate.

I cannot set the CloudFront Viewer Certificate in the first CloudFormation template because it does not exist yet. It will only exist after the second stack is created.

Is there a way to achieve this with CloudFormation? Is there anything I can do with CloudFormation StackSets to achieve this?

1 Answer
0

Yes, you can use StackSets to do this in conjunction with using Conditions in the template. Basically, set a condition based on the current region and create the resources for that region. You can define that the stacks are created sequentially with us-east-1 first then ap-southeast-2. See: Stack set operation options (see Region concurrency),

profile picture
EXPERT
answered 7 months ago
  • OK, but creating them sequentially is not enough. After CloudFormation creates the second stack with the ACM certificate, it needs to go back to the first stack and assign that new ACM certificate to the CloudFront distribution that was created in that first stack. How does your solution achieve that?

    Also, the link you provided takes me back to this very same question in re:Post.

  • If fixed the link. You will have to run the template in us-east-1 first so you have the cert. You could run it first in ap-southeast-2 and have a condition on whether to setup HTTPS. Then go and create the cert in us-east-1 and then go back and update the stack with the new cert information in ap-southeast-2.

  • Right, kentrad. But that would be a procedural solution. If I am deploying the templates via CLI, I would have to perform 3 steps:

    1. Deploy the first stack
    2. Deploy the second stack
    3. Update the first stack

    Even if points 1 and 2 could be performed together as a StackSet, I would still have two separate steps, for it would require me to trigger an update to link the certificate with CloudFront in the end.

    I reckon CloudFormation should offer a fully declarative solution for this problem, and the circular dependency should be resolved by AWS.

  • I think what is missing in your scenario is when you create a certificate, there is currently no way to specify where to install it in CloudFormation for AWS::CertificateManager::Certificate. So, there is no way to create the this circular dependency.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions