CertificateNotfound error when creating LB Listener

I am having trouble adding a certificate to my LB listener. Here is the code used to do so (note that these are snippets of code):

global/main.tf

resource "aws_acm_certificate" "demo_cert_east" {
  provider          = "aws.east"
  domain_name       = "*.mydomain.com"
  validation_method = "DNS"

  tags {
    Name        = "demo certificate"
    Environment = "demo"
  }

  lifecycle {
    create_before_destroy = true
  }
}

stage/main.tf

data "aws_acm_certificate" "demo_cert" {
  domain   = "*.mydomain.com"
  statuses = ["ISSUED", "PENDING_VALIDATION"]
}

resource "aws_lb_listener" "wfe_demo_ssl" {
  load_balancer_arn = "${aws_lb.wfe_demo.arn}"
  port              = "443"
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-2016-08"
  certificate_arn   = "${data.aws_acm_certificate.demo_cert.arn}"

  default_action {
    target_group_arn = "${aws_lb_target_group.wfe_demo.arn}"
    type             = "forward"
  }
}

I have ensured that both resources are in the aws-east region. I am getting the error:

Error creating LB Listener: CertificateNotFound: Certificate 'arn:aws:acm:us-east-1:078395932517:certificate/b83ba534-ef9d-4a07-ae13-832695dc8b5a' not found.

So the certificate is getting retrieved correctly by the data source but the listener then can't seem to find it.

anonymous-dev asked Dec 23 '22 06:12
1 Answer

To be able to attach an ACM certificate to a load balancer or other AWS resource such as Cloudfront, it must have been validated first.

Changing your data source to find only ISSUED certificates should then push the error to happen in the data source if there are no validated certificates that match your pattern:

data "aws_acm_certificate" "demo_cert" {
  domain   = "*.mydomain.com"
  statuses = ["ISSUED"]
}

To validate the certificate you can either handle this out of band manually when you request it, use some other tool to automatically validate it for you, or use Terraform's aws_acm_certificate_validation resource when creating the ACM certificate request:

resource "aws_acm_certificate" "cert" {
  domain_name = "example.com"
  validation_method = "DNS"
}

data "aws_route53_zone" "zone" {
  name = "example.com."
  private_zone = false
}

resource "aws_route53_record" "cert_validation" {
  name = aws_acm_certificate.cert.domain_validation_options.0.resource_record_name
  type = aws_acm_certificate.cert.domain_validation_options.0.resource_record_type
  zone_id = data.aws_route53_zone.zone.id
  records = [aws_acm_certificate.cert.domain_validation_options.0.resource_record_value]
  ttl = 60
}

resource "aws_acm_certificate_validation" "cert" {
  certificate_arn = aws_acm_certificate.cert.arn
  validation_record_fqdns = [aws_route53_record.cert_validation.fqdn]
}
ydaetskcoR answered Jan 03 '23 21:01
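As an added example (not the answer's own code) of the pattern the answer describes, here is the whole chain from request through validation to the listener in one configuration, written for Terraform 0.12+ with AWS provider 3.x or later, where domain_validation_options is a set rather than a list. It assumes a public Route 53 hosted zone for mydomain.com, reuses the aws_lb and aws_lb_target_group names from the question, and requests the certificate in the same region as the load balancer.

```hcl
resource "aws_acm_certificate" "demo_cert" {
  domain_name       = "*.mydomain.com"
  validation_method = "DNS"
}

# Public hosted zone assumed to exist; ACM's validation CNAMEs are published here.
data "aws_route53_zone" "zone" {
  name         = "mydomain.com."
  private_zone = false
}

# domain_validation_options is a set in AWS provider 3.x+, so iterate with
# for_each instead of indexing .0; this also covers certificates with extra SANs.
resource "aws_route53_record" "cert_validation" {
  for_each = {
    for dvo in aws_acm_certificate.demo_cert.domain_validation_options : dvo.domain_name => {
      name   = dvo.resource_record_name
      record = dvo.resource_record_value
      type   = dvo.resource_record_type
    }
  }

  allow_overwrite = true
  name            = each.value.name
  records         = [each.value.record]
  ttl             = 60
  type            = each.value.type
  zone_id         = data.aws_route53_zone.zone.zone_id
}

# Waits until ACM reports the certificate as ISSUED.
resource "aws_acm_certificate_validation" "demo_cert" {
  certificate_arn         = aws_acm_certificate.demo_cert.arn
  validation_record_fqdns = [for r in aws_route53_record.cert_validation : r.fqdn]
}

# Use the validation resource's certificate_arn, not the certificate's own arn,
# so the listener is only created after validation has succeeded.
resource "aws_lb_listener" "wfe_demo_ssl" {
  load_balancer_arn = aws_lb.wfe_demo.arn
  port              = 443
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-2016-08"
  certificate_arn   = aws_acm_certificate_validation.demo_cert.certificate_arn
  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.wfe_demo.arn
  }
}
```

With this dependency chain, a certificate whose DNS validation never completes makes `terraform apply` fail at the aws_acm_certificate_validation step instead of surfacing later as CertificateNotFound on the listener.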