How to provision CloudFront distribution with ACM certificate in CloudFormation?
I am trying to achieve the following.
First, deploy a CloudFormation stack to region
1. An S3 bucket
2. A CloudFront distribution using the S3 bucket as origin
3. A CNAME in Route53 under a pre-existing HostedZone pointing to the CloudFront distribution
Then, I want to deploy another CloudFormation stack to region
4. An ACM SSL certificate for the domain (CNAME) registered in point 3, above.
Then, I want the certificate created in point 4, above, to be associated with the CloudFront distribution created in point 2, above, as the Viewer Certificate.
I cannot set the CloudFront Viewer Certificate in the first CloudFormation template because it does not exist yet. It will only exist after the second stack is created.
Is there a way to achieve this with CloudFormation? Is there anything I can do with CloudFormation StackSets to achieve this?
Yes, you can use StackSets to do this in conjunction with using Conditions in the template. Basically, set a condition based on the current region and create the resources for that region. You can define that the stacks are created sequentially with us-east-1 first then ap-southeast-2. See: Stack set operation options (see Region concurrency).
OK, but creating them sequentially is not enough. After CloudFormation creates the second stack with the ACM certificate, it needs to go back to the first stack and assign that new ACM certificate to the CloudFront distribution that was created in that first stack. How does your solution achieve that?
Also, the link you provided takes me back to this very same question in re:Post.
I fixed the link. You will have to run the template in us-east-1 first so you have the cert. You could run it first in ap-southeast-2 and have a condition on whether to set up HTTPS. Then go and create the cert in us-east-1 and then go back and update the stack with the new cert information in ap-southeast-2.
Right, kentrad. But that would be a procedural solution. If I am deploying the templates via CLI, I would have to perform 3 steps:
1. Deploy the first stack
2. Deploy the second stack
3. Update the first stack
Even if points 1 and 2 could be performed together as a StackSet, I would still have two separate steps, for it would require me to trigger an update to link the certificate with CloudFront in the end.
I reckon CloudFormation should offer a fully declarative solution for this problem, and the circular dependency should be resolved by AWS.
I think what is missing in your scenario is when you create a certificate, there is currently no way to specify where to install it in CloudFormation for AWS::CertificateManager::Certificate. So, there is no way to create this circular dependency.
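The "condition on whether to set up HTTPS" approach discussed above, written out as a template for the stack that holds the bucket and distribution. This is an added example, not code from the thread; the parameter and resource names are assumptions, and the bucket access policy is left out to keep the focus on the certificate wiring.

```yaml
# First deploy: leave AcmCertificateArn empty. After the certificate exists in
# us-east-1 (CloudFront only accepts ACM certificates from that region),
# update this same stack with the ARN as the parameter value.
AWSTemplateFormatVersion: '2010-09-09'
Parameters:
  DomainName:
    Type: String                      # e.g. www.example.com (placeholder)
  HostedZoneId:
    Type: AWS::Route53::HostedZone::Id
  AcmCertificateArn:
    Type: String
    Default: ''
    AllowedPattern: '^$|^arn:aws:acm:us-east-1:[0-9]{12}:certificate/.+$'
Conditions:
  HasCertificate: !Not [!Equals [!Ref AcmCertificateArn, '']]
Resources:
  Bucket:
    Type: AWS::S3::Bucket
  Distribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Enabled: true
        Origins:
          - Id: s3-origin
            DomainName: !GetAtt Bucket.RegionalDomainName
            S3OriginConfig:
              OriginAccessIdentity: ''
        DefaultCacheBehavior:
          TargetOriginId: s3-origin
          ViewerProtocolPolicy: !If [HasCertificate, redirect-to-https, allow-all]
          ForwardedValues:
            QueryString: false
        # CloudFront rejects an alternate domain name that no attached
        # certificate covers, so the alias is added together with the cert.
        Aliases: !If [HasCertificate, [!Ref DomainName], !Ref 'AWS::NoValue']
        ViewerCertificate: !If
          - HasCertificate
          - AcmCertificateArn: !Ref AcmCertificateArn
            SslSupportMethod: sni-only
            MinimumProtocolVersion: TLSv1.2_2021
          - CloudFrontDefaultCertificate: true
  DnsRecord:
    Type: AWS::Route53::RecordSet
    Condition: HasCertificate         # no CNAME until the alias is in place
    Properties:
      HostedZoneId: !Ref HostedZoneId
      Name: !Ref DomainName
      Type: CNAME
      TTL: '300'
      ResourceRecords:
        - !GetAtt Distribution.DomainName
```

The `AllowedPattern` rejects a certificate ARN from any region other than us-east-1 at parameter validation time, before CloudFront is touched. This still needs the final stack update the thread describes; it only makes that update a single parameter change.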