I'm trying to deploy two CloudFront distributions in cn-northwest-1, and I can't seem to get ACM certificates attached to them; Terraform keeps returning the following error:
error creating CloudFront Distribution: InvalidViewerCertificate: The specified SSL certificate source isn't available in this region.
│ status code: 400
The ACM certificate is being generated in us-east-1 and validation completes successfully, but as far as I can see, a CloudFront distribution created in China cannot access certificates in a us-east-1 account, and RAM cannot be used for ACM certificates.
Has anyone run into a similar problem? Is the only solution here to use SSL/TLS certificates and import them manually?
You can create and import the ACM certificate from another region (us-east-1, since it is the only supported region) using the provider alias approach.
    # Aliased provider pinned to us-east-1, the only region whose ACM
    # certificates CloudFront accepts
    provider "aws" {
      alias  = "us_east"
      region = "us-east-1"
      # profile = var.profile
    }
And create the ACM certificate using this provider:
    resource "aws_acm_certificate" "cloudfront_cdn" {
      provider          = aws.us_east
      domain_name       = "*.cdn.${var.domain_name}"
      validation_method = "DNS"
      tags = {
        name = "certificate for cloudfront distribution"
      }
      # Issue the replacement certificate before the old one is destroyed
      # so the distribution never points at a deleted certificate
      lifecycle {
        create_before_destroy = true
      }
    }
Then do the DNS validation and certificate validation (I hope you have no problem with that, since you said your certificate validation succeeds). Now, create the distribution:
    # Add product cloudfront distribution
    resource "aws_cloudfront_distribution" "product_s3_distribution" {
      origin {
        domain_name = "${var.bucket_name}.s3.amazonaws.com"
        origin_id   = var.bucket_name
        # s3_origin_config {
        #   origin_access_identity =
        # }
      }
      enabled         = true
      is_ipv6_enabled = true
      comment         = "CloudFront distribution for staging"
      aliases         = ["${var.route53_record_name}.${var.domain_name}"]
      default_cache_behavior {
        allowed_methods  = ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"]
        cached_methods   = ["GET", "HEAD"]
        target_origin_id = var.bucket_name
        forwarded_values {
          query_string = false
          cookies {
            forward = "none"
          }
        }
        # "allow-all" serves the same content over plain HTTP as well as HTTPS;
        # "redirect-to-https" or "https-only" forces TLS for viewers
        viewer_protocol_policy = "allow-all"
        min_ttl                = 0
        default_ttl            = 3600
        max_ttl                = 86400
      }
      restrictions {
        geo_restriction {
          restriction_type = "none"
          # restriction_type = "whitelist"
          # locations        = ["US", "CA", "GB", "DE"]
        }
      }
      viewer_certificate {
        # cloudfront_default_certificate = true
        acm_certificate_arn = aws_acm_certificate.cloudfront_cdn.arn
        ssl_support_method  = "sni-only"
      }
      depends_on = [aws_acm_certificate.cloudfront_cdn]
    }
Got a reply from the AWS support form; it seems AWS China currently does not support ACM certificates for CloudFront. You have to use an already-generated SSL certificate and import it into IAM, specifically under /cloudfront/, and only then can CloudFront use it.
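A worked example of the IAM-import route that this reply describes, added here as an illustration; it is not code from the question or from either answer. It assumes a certificate already issued by an external CA and held locally as PEM files (paths supplied through variables), the placeholder domain cdn.example.com.cn, a placeholder bucket name, and resource names of my own choosing. The `aws_iam_server_certificate` resource and the `iam_certificate_id` argument of `viewer_certificate` are real Terraform AWS provider attributes.

```hcl
# Assumed provider: AWS China partition, Ningxia region. Credentials come
# from the usual environment or profile mechanisms.
provider "aws" {
  region = "cn-northwest-1"
}

# Placeholder domain; replace with the CNAME that points at the distribution.
variable "cdn_domain" {
  type    = string
  default = "cdn.example.com.cn"
}

# Local PEM files (assumed paths, e.g. ./certs/cdn.crt, ./certs/chain.pem,
# ./certs/cdn.key). The key is read at plan time and stored in state, so the
# state backend needs to be treated as secret material.
variable "certificate_body_path"  { type = string }
variable "certificate_chain_path" { type = string }
variable "private_key_path"       { type = string }

# IAM server certificate uploaded under the /cloudfront/ path, which is the
# location the support reply calls out; CloudFront only lists certificates
# stored under this path.
resource "aws_iam_server_certificate" "cdn" {
  name_prefix       = "cdn-"
  path              = "/cloudfront/"
  certificate_body  = file(var.certificate_body_path)
  certificate_chain = file(var.certificate_chain_path)
  private_key       = file(var.private_key_path)

  # Upload the renewed certificate before the old one is deleted so the
  # distribution is never left pointing at a missing certificate.
  lifecycle {
    create_before_destroy = true
  }
}

resource "aws_cloudfront_distribution" "cdn" {
  enabled = true
  aliases = [var.cdn_domain]

  origin {
    # China-partition S3 endpoint; the bucket name is a placeholder.
    domain_name = "my-cdn-bucket.s3.cn-northwest-1.amazonaws.com.cn"
    origin_id   = "s3-origin"
  }

  default_cache_behavior {
    allowed_methods        = ["GET", "HEAD"]
    cached_methods         = ["GET", "HEAD"]
    target_origin_id       = "s3-origin"
    # Force TLS for viewers instead of serving the same content over HTTP.
    viewer_protocol_policy = "redirect-to-https"
    forwarded_values {
      query_string = false
      cookies { forward = "none" }
    }
  }

  restrictions {
    geo_restriction { restriction_type = "none" }
  }

  viewer_certificate {
    # Reference the IAM certificate by its server certificate ID (the
    # resource's id attribute), not by ARN and not via acm_certificate_arn.
    iam_certificate_id       = aws_iam_server_certificate.cdn.id
    ssl_support_method       = "sni-only"
    # Assumed to be accepted in the China partition; lower it if the API
    # rejects the value.
    minimum_protocol_version = "TLSv1.2_2021"
  }
}
```

Two practical points: the `id` of `aws_iam_server_certificate` is the server certificate ID that `iam_certificate_id` expects, so do not pass the ARN there; and because the private key ends up in Terraform state, the state backend should be encrypted and access-restricted, and the certificate should be rotated through `create_before_destroy` rather than edited in place.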