3

I have my AWS infrastructure setup in ap-southeast-1 using terraform, however, I want to link my ACM certificate created in us-east1 to my load balancer using aws_alb_listener resource.


resource "aws_alb_listener" "https" {
  load_balancer_arn = aws_lb.main.id
  port              = 443
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-2016-08"
  certificate_arn   = var.acm_certificate_arn
  depends_on        = [aws_alb_target_group.main]

  default_action {
    target_group_arn = aws_alb_target_group.main.arn
    type             = "forward"
  }
}

When I do terraform apply, it raises an error.

Is it possible to attach an ACM certificate to alb from a different region using terraform?

My use case is this cert will also be used in AWS CloudFront as a CDN.

Marcin
  • 215,873
  • 14
  • 235
  • 294
channa ly
  • 9,479
  • 14
  • 53
  • 86
  • 1
    You need to create a cert in both regions. – ydaetskcoR Feb 15 '21 at 10:09
  • 1
    CloudFront requires the ACM certificate be in `us-east-1` region. ALB requires that the cert be in the same region as the ALB. You'll have to create an ACM certificate in each region. Since they are free, this isn't really an issue. – Mark B Feb 15 '21 at 15:07

2 Answers2

5

Is it possible to attach an ACM certificate to alb from a different region using terraform?

Sadly its not possible. ACM certs can only be used in the regions where they created, not counting global resources such as CloudFront.

For your ALB, you have to create new ACM in ALB's region and register it to the same domain. From AWS blog:

ACM certificates must be requested or imported in the same AWS Region as your load balancer. Amazon CloudFront distributions must request the certificate in the US East (N. Virginia) Region.

Marcin
  • 215,873
  • 14
  • 235
  • 294
  • I think It allows certs from other regions to be added to ALB using the AWS management console. I am not sure if this can work with cloudfront. – channa ly Feb 15 '21 at 10:18
  • 1
    @channaly The only way to use same certificate is if you get one from third party, e.g. letsencrypt, and the import it in both regions. Sadly ALB will not let use ACM certificate from different region. – Marcin Feb 15 '21 at 10:19
1

You can create another certificate in another region with the same domain name.

Per example, given you have an aws_acm_certificate called default

# Your default certificate in ap-southeast-1
resource "aws_acm_certificate" "default" {
  domain_name       = aws_route53_record.default.fqdn
  validation_method = "DNS"

  lifecycle {
    create_before_destroy = true
  }

  tags = {
    Environment = var.environment
  }
}

The "default" certificate are using the default provider, so let's create another aws provider with an alias

provider "aws" {
  alias  = "us_east"
  region = "us-east-1"
}

Now we can create the "same" certificate in another region using this provedir

resource "aws_acm_certificate" "us" {
  domain_name       = aws_route53_record.default.fqdn
  validation_method = "DNS"

  lifecycle {
    create_before_destroy = true
  }

  provider = aws.us_east

  tags = {
    Environment = var.environment
  }
}

Your listener now can use this new certificate in us-east-1

resource "aws_alb_listener" "https" {
  load_balancer_arn = aws_lb.main.id
  port              = 443
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-2016-08"
  certificate_arn   = aws_acm_certificate.us.arn
  depends_on        = [aws_alb_target_group.main]

  default_action {
    target_group_arn = aws_alb_target_group.main.arn
    type             = "forward"
  }
}
Duke
  • 3,226
  • 1
  • 18
  • 23