Since HTTPS certificates for CloudFront can only be created in us-east-1 and my entire stack is created in eu-west-1, I wanted to create a stack in us-east-1 that contains the ACM certificate, and then use that certificate in my stack(s) in eu-west-1.

The only problem is, how do I reference this certificate without hardcoding it, as I can't ImportValue an output in another region. e.g.
```yaml
Distribution:
  Type: AWS::CloudFront::Distribution
  Properties:
    DistributionConfig:
      Origins:
        - DomainName: !GetAtt S3Bucket.RegionalDomainName
          Id: ****
          CustomOriginConfig:
            HTTPPort: '80'
            HTTPSPort: '443'
            OriginProtocolPolicy: https-only
      DefaultRootObject: 'index.html'
      Enabled: true
      Aliases:
        - 'bla.bla.com'
      DefaultCacheBehavior:
        TargetOriginId: '*-origin'
        AllowedMethods:
          - GET
          - HEAD
        ViewerProtocolPolicy: redirect-to-https
        CachePolicyId: '658327ea-f89d-4fab-a63d-7e88639e58f6'
      ViewerCertificate:
        AcmCertificateArn: !ImportValue ****
        SslSupportMethod: sni-only
```
What do I need to put on the AcmCertificateArn line when I deploy this in eu-west-1?
As you've pointed out, you can't make cross-region export/import references between stacks in different regions. In this case, usually you would provide the certificate ARN as an input parameter to your stack in eu-west-1.

The other options would involve the use of SSM parameter dynamic references to pass the value of the certificate's ARN. For a fully automated solution, you would need to develop a custom resource in eu-west-1 in the form of a Lambda function. The function would query the stack in us-east-1 for the ARN in its outputs and return the ARN to the stack in eu-west-1.
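The custom-resource approach from the answer, as an added example that is not part of the original question or answer: a Lambda handler that reads an output from the us-east-1 stack and hands it back to the eu-west-1 stack. The resource and output names (`CertLookup`, `Custom::StackOutput`, `CertificateArn`) are assumptions; the function's execution role needs only `cloudformation:DescribeStacks` on the certificate stack.

```python
"""Lambda-backed custom resource that returns an output of a stack in another
region (here the ACM certificate ARN from a us-east-1 stack). In the eu-west-1
template a Custom::StackOutput resource carries ServiceToken, StackName and
OutputKey, and the ARN is read with !GetAtt CertLookup.OutputValue (names assumed)."""
import json
import urllib.request

CERT_REGION = "us-east-1"  # the only region whose ACM certificates CloudFront accepts

def find_stack_output(response, output_key):
    """Return the value of output_key from a DescribeStacks response, or None."""
    for stack in response.get("Stacks", []):
        for out in stack.get("Outputs", []):
            if out.get("OutputKey") == output_key:
                return out.get("OutputValue")
    return None

def lookup_output(stack_name, output_key, region=CERT_REGION, client=None):
    """Query CloudFormation in `region`; `client` is injectable for offline tests."""
    if client is None:
        import boto3  # lazy import: present in the Lambda runtime, not needed offline
        client = boto3.client("cloudformation", region_name=region)
    value = find_stack_output(client.describe_stacks(StackName=stack_name), output_key)
    if value is None:
        raise KeyError(f"output {output_key!r} not found on stack {stack_name!r}")
    return value

def build_response(event, status, data=None, reason=None):
    """Body CloudFormation expects back from a custom resource (PUT to ResponseURL)."""
    return {
        "Status": status,
        "Reason": reason or "ok",
        "PhysicalResourceId": event.get("PhysicalResourceId", event["LogicalResourceId"]),
        "StackId": event["StackId"],
        "RequestId": event["RequestId"],
        "LogicalResourceId": event["LogicalResourceId"],
        "Data": data or {},
    }

def handler(event, context):
    props = event.get("ResourceProperties", {})
    data, status, reason = {}, "SUCCESS", None
    if event["RequestType"] != "Delete":  # nothing to clean up on Delete
        try:
            data = {"OutputValue": lookup_output(props["StackName"], props["OutputKey"])}
        except Exception as exc:  # report FAILED rather than leave the stack waiting
            status, reason = "FAILED", str(exc)
    body = json.dumps(build_response(event, status, data, reason)).encode()
    req = urllib.request.Request(event["ResponseURL"], data=body, method="PUT", headers={"Content-Type": ""})
    urllib.request.urlopen(req)
```

The Delete branch deliberately does nothing, so removing the lookup resource never touches the certificate stack; a failed lookup is reported as FAILED so the eu-west-1 deployment rolls back instead of waiting for the timeout.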