I have an imported self-signed ACM certificate in AWS, but I’m encountering an issue where AWS won’t allow me to attach the certificate to a CloudFront distribution unless my Route 53 hosted zone record name is already pointing to the CloudFront URL. This issue arises from the following error: “InvalidViewerCertificate - The certificate that is attached to your distribution was not issued by a trusted certificate authority.”
The problem is that this error is causing the creation of the CloudFront distribution to fail during the Terraform apply step. Without the CloudFront distribution being created, I am unable to configure Route 53 to point to a CloudFront URL that doesn’t yet exist.
Does anyone know how I can break this circular dependency? I have considered some options, but all of them seem to ruin automation.
You’re hitting a classic chicken-and-egg problem with ACM and CloudFront — here’s a workaround to break the cycle without ruining automation:
Solution: Use a null_resource with a local-exec or depends_on workaround to force Terraform to apply in two stages.
Stage 1: Apply all resources except the CloudFront distribution. Use a dummy null_resource that runs a no-op or echo command, but depends on the Route 53 record pointing to a placeholder (like a dummy S3 website endpoint).
Stage 2: After DNS is in place, apply the CloudFront distribution using the imported self-signed cert. AWS will now recognize the domain points to CloudFront and let the cert through.
You can also consider splitting your Terraform into two separate applies (e.g., using workspaces or manual triggers), though it’s slightly less elegant.
Unfortunately, ACM and CloudFront both assume a traditional CA trust chain, so self-signed certs trigger these validation roadblocks.
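The two-stage apply described in the answer, written out in Terraform as an added example (this is not the poster's configuration). The variable names, the `create_cloudfront` stage switch, and the use of an S3 website bucket as the stage-1 placeholder origin are assumptions; the certificate ARN is whatever was imported into ACM in us-east-1.

```hcl
terraform {
  required_providers {
    aws  = { source = "hashicorp/aws" }
    null = { source = "hashicorp/null" }
  }
}

provider "aws" {
  region = "us-east-1" # CloudFront only accepts ACM certificates held in us-east-1
}

# Assumed inputs (hypothetical names): the imported certificate ARN, the hosted
# zone, the record name, and the switch that turns on stage 2.
variable "domain_name"         { type = string }
variable "hosted_zone_id"      { type = string }
variable "acm_certificate_arn" { type = string }
variable "create_cloudfront" {
  type    = bool
  default = false # stage 1; pass -var=create_cloudfront=true for stage 2
}

# Stage-1 placeholder origin: an S3 website endpoint. A Route 53 alias to an
# S3 website endpoint requires the bucket name to equal the record name.
# (The bucket policy that lets the placeholder actually serve content is omitted.)
resource "aws_s3_bucket" "placeholder" {
  bucket = var.domain_name
}

resource "aws_s3_bucket_website_configuration" "placeholder" {
  bucket = aws_s3_bucket.placeholder.id
  index_document {
    suffix = "index.html"
  }
}

# Stage 2 only: count stays 0 until create_cloudfront is true, so the first
# apply creates everything except the distribution.
resource "aws_cloudfront_distribution" "site" {
  count   = var.create_cloudfront ? 1 : 0
  enabled = true
  aliases = [var.domain_name]

  origin {
    domain_name = aws_s3_bucket.placeholder.bucket_regional_domain_name
    origin_id   = "s3-placeholder"
  }

  default_cache_behavior {
    target_origin_id       = "s3-placeholder"
    viewer_protocol_policy = "redirect-to-https"
    allowed_methods        = ["GET", "HEAD"]
    cached_methods         = ["GET", "HEAD"]
    forwarded_values {
      query_string = false
      cookies {
        forward = "none"
      }
    }
  }

  restrictions {
    geo_restriction {
      restriction_type = "none"
    }
  }

  viewer_certificate {
    acm_certificate_arn      = var.acm_certificate_arn
    ssl_support_method       = "sni-only"
    minimum_protocol_version = "TLSv1.2_2021"
  }
}

# One record serves both stages: it aliases the S3 placeholder while the
# distribution does not exist, and is updated to the distribution once it does.
# try() falls through to the placeholder when site[0] is not present.
resource "aws_route53_record" "site" {
  zone_id = var.hosted_zone_id
  name    = var.domain_name
  type    = "A"

  alias {
    name                   = try(aws_cloudfront_distribution.site[0].domain_name, aws_s3_bucket_website_configuration.placeholder.website_domain)
    zone_id                = try(aws_cloudfront_distribution.site[0].hosted_zone_id, aws_s3_bucket.placeholder.hosted_zone_id)
    evaluate_target_health = false
  }
}

# The no-op/echo step from the answer: runs after the record exists and shows
# what the name resolves to, so stage 1 can be confirmed before stage 2 is
# applied. It re-runs whenever the alias target changes.
resource "null_resource" "dns_check" {
  depends_on = [aws_route53_record.site]
  triggers = {
    alias_target = try(aws_cloudfront_distribution.site[0].domain_name, "s3-placeholder")
  }
  provisioner "local-exec" {
    command = "dig +short ${var.domain_name} || echo 'dig not available; record created'"
  }
}
```

Stage 1 is a plain `terraform apply`; stage 2 is `terraform apply -var=create_cloudfront=true`, which creates the distribution and, in the same run, re-points the alias record at it. Because the record references the distribution, the distribution cannot also `depends_on` the record (that would be a cycle), which is why the staging is done with `count` on the distribution rather than with `depends_on` alone.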