Possbile Issue: Failing to add CNAME to CloudFront distribution

[dciphered]

Hi guys,

I've been experiencing an issue with the initial deployment procedure, namely the script failing when attempting to add a custom domain to the CloudFront distribution.

Firstly, because of the ACM region restrictions, I've created an new public certificate in the us-east-1 region that matches the custom domain that I plan to utilise for images (e.g. img.domain.com). However, I've specified the region within the settings yaml file as eu-west-2.

The CUSTOM_DOMAIN parameter has been set to reflect the cert name/SAN and the ACM_CERTIFICATE_ARN parameter has been set to reference the new certificate in the format of: arn:aws:acm:us-east-1:12345678:certificate/abc123-abc123-abc123-abc123-abc123 (sanitised)

In short, the process fails each and every time with the following error:
An error occurred: CloudFrontDistribution - Resource handler returned message: "Invalid request provided: To add an alternate domain name (CNAME) to a CloudFront distribution, you must attach a trusted certificate that validates your authorization to use the domain name. For more details, see: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/CNAMEs.html#alternate-domain-names-requirements (Service: CloudFront, Status Code: 400, Request ID: ......

What am I missing?

Versions
Operating System: MacOS 10.15.7
Serverless Sharp: 2.1.1

[Mosnar]

I haven't used the custom domain functionality myself. Maybe @bs-thomas can provide some insight, since he authored the original feature?

[dciphered]

Thansk @Mosnar - would be great to get some clarity on this issue. As a temporary workaround, I removed those parameters from the settings file and after the env was spun up, I manually added the CNAME and custom SSL cert to the CF distribution. Only problem is, when redeploying via the IaaC method, it overwrites the above changes and reverts back to using the default CF SSL cert.

Definitely needs some further debugging...

[Wintereise]

Confirmed, this still doesn't work (not even if you attempt to deploy it on us-east-1).

[bs-thomas]

The logic seems to have broke after another contributor has added the ACM_CERTIFICATE_ARN feature in, to allow direct specification of a certificate by ARN.

I have re-programmed the logic as follows:

• Check if there is ACM_CERTIFICATE_ARN provided. If so, use it to bind to CloudFront.
• Otherwise, check if there is a CUSTOM_DOMAIN provided. If so, create a new certificate, and use it to bind to CloudFront.
• Otherwise, assume there is no domain nor certificate binding. Just use the good ole CloudFront domain.

Sending in a pull request in just a bit.