TerraformPilot

Fix Terraform CloudFront Distribution - CNAMEAlreadyExists

Fix CloudFront CNAME already exists errors in Terraform. Handle duplicate alternate domains across distributions, wildcard conflicts, and account transfers.

Luca Berton, 1 min read

Quick Answer

Another CloudFront distribution already uses the same alternate domain name (CNAME). A domain can only be associated with one distribution at a time — remove it from the other distribution first, or use a different domain.

The Error

Error: creating CloudFront Distribution:
  CNAMEAlreadyExists: One or more of the CNAMEs you provided are
  already associated with a different resource.

What Causes This Error

  1. Domain used by another distribution in the same or different AWS account
  2. Wildcard conflict: *.example.com on one distribution conflicts with app.example.com on another
  3. Previous distribution not fully deleted — may take minutes to release the CNAME
  4. Domain on a distribution in another account — someone else claimed it

How to Fix It

Solution 1: Find the Conflicting Distribution

# List all distributions and their aliases
aws cloudfront list-distributions \
  --query 'DistributionList.Items[].{Id:Id,Aliases:Aliases.Items[],Status:Status}' \
  --output table
 
# Search for specific domain
aws cloudfront list-distributions \
  --query "DistributionList.Items[?Aliases.Items[?contains(@,'example.com')]].{Id:Id,Aliases:Aliases.Items}"

Solution 2: Remove CNAME from Old Distribution

# Update old distribution to remove the CNAME
resource "aws_cloudfront_distribution" "old" {
  # ... keep everything else
  aliases = []  # Remove the conflicting domain
}

# Or via CLI — update the distribution to remove the alias
aws cloudfront get-distribution-config --id E1234 > config.json
# get-distribution-config returns {"ETag": "...", "DistributionConfig": {...}};
# update-distribution takes only the DistributionConfig object plus that ETag
# (jq is assumed to be installed for the extraction below)
ETAG=$(jq -r '.ETag' config.json)
jq '.DistributionConfig' config.json > dist-config.json
# Edit dist-config.json: remove the alias from Aliases.Items and set Aliases.Quantity to the new count
aws cloudfront update-distribution --id E1234 \
  --distribution-config file://dist-config.json --if-match "$ETAG"

Solution 3: Create the New Distribution

resource "aws_cloudfront_distribution" "main" {
  aliases = ["www.example.com", "example.com"]
 
  origin {
    domain_name = aws_s3_bucket.website.bucket_regional_domain_name
    origin_id   = "s3-website"
 
    s3_origin_config {
      origin_access_identity = aws_cloudfront_origin_access_identity.main.cloudfront_access_identity_path
    }
  }
 
  default_cache_behavior {
    allowed_methods  = ["GET", "HEAD"]
    cached_methods   = ["GET", "HEAD"]
    target_origin_id = "s3-website"
 
    forwarded_values {
      query_string = false
      cookies { forward = "none" }
    }
 
    viewer_protocol_policy = "redirect-to-https"
  }
 
  viewer_certificate {
    acm_certificate_arn      = aws_acm_certificate.main.arn
    ssl_support_method       = "sni-only"
    minimum_protocol_version = "TLSv1.2_2021"
  }
 
  restrictions {
    geo_restriction { restriction_type = "none" }
  }
 
  enabled             = true
  default_root_object = "index.html"
}

Solution 4: Move CNAME Between Accounts

If the CNAME is on a distribution in another AWS account, you need to coordinate:

# Step 1: Owner of old distribution removes the CNAME
# Step 2: Wait 5-10 minutes for propagation
# Step 3: Add the CNAME to your distribution
# Step 4: terraform apply

Troubleshooting Checklist

  1. ✅ Which distribution has the CNAME? (aws cloudfront list-distributions)
  2. ✅ Is it in the same account or a different one?
  3. ✅ Has the old distribution been fully deleted/updated?
  4. ✅ Are there wildcard conflicts? (*.example.com vs app.example.com)
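As an added pre-apply check (not part of the original post), this script applies Solution 1 and checklist items 1 and 4 to the `DistributionList.Items` array returned by `aws cloudfront list-distributions`, reporting exact duplicates and wildcard overlaps before `terraform apply`. The sample distributions and their IDs are constructed, and the wildcard-coverage rule is an assumption stated in the code; it only sees your own account, so cross-account conflicts still need Solution 4.

```python
"""Pre-apply CNAME conflict check for one AWS account (cross-account
clashes are invisible here; that case is Solution 4)."""

def _norm(name: str) -> str:
    return name.strip().lower().rstrip(".")

def wildcard_covers(pattern: str, name: str) -> bool:
    """True if a wildcard alias such as '*.example.com' covers `name`.
    Assumed rule: '*' is the leftmost label, covers any subdomain depth,
    and never covers the apex ('example.com') itself."""
    pattern, name = _norm(pattern), _norm(name)
    if not pattern.startswith("*."):
        return pattern == name
    suffix = pattern[1:]  # ".example.com"
    return name.endswith(suffix) and name != suffix[1:]

def find_cname_conflicts(distributions, wanted_aliases, ignore_id=None):
    """distributions: the DistributionList.Items array from
    `aws cloudfront list-distributions`. Returns one
    (wanted, existing, distribution_id, kind) tuple per clash."""
    conflicts = []
    for dist in distributions:
        dist_id = dist.get("Id")
        if dist_id == ignore_id:  # skip the distribution being updated
            continue
        existing = (dist.get("Aliases") or {}).get("Items") or []
        for wanted in wanted_aliases:
            for alias in existing:
                if _norm(alias) == _norm(wanted):
                    conflicts.append((wanted, alias, dist_id, "duplicate"))
                elif wildcard_covers(alias, wanted):
                    conflicts.append((wanted, alias, dist_id, "covered-by-wildcard"))
                elif wildcard_covers(wanted, alias):
                    conflicts.append((wanted, alias, dist_id, "wildcard-covers-existing"))
    return conflicts

# Constructed sample shaped like DistributionList.Items; IDs are placeholders.
SAMPLE_DISTRIBUTIONS = [
    {"Id": "EOLDDIST0001", "Status": "Deployed",
     "Aliases": {"Quantity": 2, "Items": ["www.example.com", "example.com"]}},
    {"Id": "EWILDCARD002", "Status": "Deployed",
     "Aliases": {"Quantity": 1, "Items": ["*.example.com"]}},
    {"Id": "ENOALIAS0003", "Status": "InProgress", "Aliases": {"Quantity": 0}},
]

if __name__ == "__main__":
    for c in find_cname_conflicts(SAMPLE_DISTRIBUTIONS, ["www.example.com", "app.example.com"]):
        print("%s clashes with %s on %s (%s)" % c)
```

Pass `ignore_id` with the ID of the distribution you are editing so its own current aliases are not reported as clashes.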

Prevention Tips

  • Remove CNAMEs before deleting distributions — deletion doesn't immediately release CNAMEs
  • Use terraform destroy -target on old distributions before creating new ones with the same domain
  • Document which distributions own which domains — prevents cross-team conflicts
  • Use Route53 alias records pointing to CloudFront — makes domain-to-distribution mapping clear

Conclusion

CloudFront CNAMEAlreadyExists means the domain is associated with another distribution. Find the conflicting distribution, remove the CNAME from it, wait for propagation, then create your new distribution. Each domain can only belong to one CloudFront distribution at a time.
