https://research.prosyon.ca/topics/security/Recent content in Security on Prosyon ResearchHugoen-usSun, 15 Mar 2026 00:00:00 +0000https://research.prosyon.ca/papers/external-dns-acm-flow/Sun, 15 Mar 2026 00:00:00 +0000https://research.prosyon.ca/papers/external-dns-acm-flow/<h2 id="the-deadlock">The deadlock</h2> <p>A CloudFront distribution with a custom domain needs an <strong>issued</strong> ACM certificate in <code>us-east-1</code>. ACM issues a DNS-validated certificate only after a specific <code>CNAME</code> appears in the domain&rsquo;s zone.<sup id="fnref:1"><a href="#fn:1" class="footnote-ref" role="doc-noteref">1</a></sup> When Terraform owns the zone, it writes that record in the same apply. When the zone is <strong>external</strong>, Terraform cannot — and a single apply that both requests the certificate and builds the distribution cannot complete, because:</p>