3

In Api Gateway I've created one custom domain, foo.example.com, which creates a Cloud Front distribution with that CNAME.

I also want to create a wildcard domain, *.example.com, but when attempting to create it, CloudFront throws an error:

CNAMEAlreadyExistsException: One or more of the CNAMEs you provided are already associated with a different resource

AWS in its docs states that:

However, you can add a wildcard alternate domain name, such as *.example.com, that includes (that overlaps with) a non-wildcard alternate domain name, such as www.example.com. Overlapping domain names can be in the same distribution or in separate distributions as long as both distributions were created by using the same AWS account.

https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/CNAMEs.html#alternate-domain-names-wildcard

So I might have misunderstood this, is it possible to accomplish what I've described?

Patrick Mevzek
  • 10,995
  • 16
  • 38
  • 54
nachoab
  • 1,908
  • 1
  • 23
  • 36

2 Answers2

6

This is very likely to be a side-effect of your API Gateway endpoint being configured as Edge Optimized instead of Regional, because with an edge-optimized API, there is a hidden CloudFront distribution provisioned automatically... however, the CloudFront distribution associated with your API is not owned by your account, but rather by an account associated with API Gateway.

Edge-optimized APIs are endpoints that are accessed through a CloudFront distribution that is created and managed by API Gateway.

Amazon API Gateway Supports Regional API Endpoints

This creates a conflict that prevents the wildcard distribution from being created.

Subdomains that mask a wildcard are not allowed to cross AWS account boundaries, because this would potentially allow traffic for a wildcard distribution's matching domains to be hijacked by creating a more specific alternate domain name -- but, as you noted from the documentation, you can do within your own account.

Redeploying your API as Regional instead of Edge Optimized is the likely solution. If you still want the edge optimization behavior, you can create another CloudFront distribution with that specific subdomain for use with the API. This would be allowed, because you would own the distribution. Regional APIs are still globally accessible.

Community
  • 1
  • 1
Michael - sqlbot
  • 169,571
  • 25
  • 353
  • 427
  • Related solution for creating a cloudfront distribution infront of API gateway: https://stackoverflow.com/a/32825414/185200 – Michael Petito Dec 20 '18 at 23:06
  • I don't think using Regional API gw endpoints solves anything because I was getting the same error though my API gw was Regional. I think what probably happens is that since you have a custom API gw domain (foo.example.co) while simultaneously wanting to serve *.example.com from a CF distro, AWS wouldn't know whether to send requests to foo.example.com to the CF distro or to API gw and hence decides to prevent you from adding a wildcard subdomain CNAME to your CF – Sai Ramachandran Jul 14 '20 at 20:20
2

Yes it is. But keep in mind that CNAMEs set for CloudFront distributions are validated to be globally unique, including API Gateway distributions. So this means you (or any other account) have that CNAME already set up. Currently there is no way to lookup where the conflict is, you may need to raise a ticket with AWS support if you can't find that yourself.

Julio Faerman
  • 13,228
  • 9
  • 57
  • 75
  • In this specific case, the error actually should indicate that another AWS account already has `{some-other-subdomain}.example.com`, **not** `*.example.com`, because if another account already had `*.example.com` then this account would not have been able to create the existing distribution for `foo.example.com`. Subdomains that mask a wildcard are not to cross AWS account boundaries, because this would potentially allow traffic for a wildcard distribution's matching domains to be hijacked by creating a more specific alternate domain name (which you can do within your own account). – Michael - sqlbot Apr 08 '18 at 01:11
  • 1
    Oh... I think I just worked out the identity of that "other account." – Michael - sqlbot Apr 08 '18 at 01:30