Configuration with existing hosted zone

Hi, I am trying to use your library with an already existing Hosted Zone. Therefore I replaced the reference to the Hosted Zone in all files with the existing Hosted Zone ID and removed the Hosted Zone from the resources. Unfortunately something still doesn't work with cloudfront. Because I didn't fully understand some configuration files I can't tell where the error is. Below are all configuration files with my setup:

Configuration

# serverless.yml
service:
  name: my-service

provider:
  name: aws
  runtime: nodejs8.10
  region: eu-central-1
  stage: dev
  environment:
    HOSTED_ZONE_ID: 'MY_EXISTING_HOSTED_ZONE_ID'
    DOMAIN: 'my-subdomain-of-hosted-zone'

plugins:
  - serverless-s3-sync
  - serverless-pseudo-parameters
  - serverless-stack-output
  - serverless-cloudfront-invalidate

custom:
  # The domain name to be used
  domainName: ${self:provider.environment.DOMAIN}

  # Output plugin configuration
  output:
    handler: modules/output.handler

  # CloudFront invalidation plugin configuration
  cloudfrontInvalidate:
    distributionIdKey: 'CloudFrontDistributionId'
    items: # Add your files to invalidate here:
      - '/index.html'

  # S3 sync plugin configuration
  s3Sync:
    - bucketName: ${self:provider.environment.DOMAIN}
      localDir: src

resources:
  - ${file(resources/custom-acm-certificate-lambda.yml)}
  - ${file(resources/custom-acm-certificate-lambda-role.yml)}
  - ${file(resources/cloudfront-origin-access-identity.yml)}
  - ${file(resources/s3-bucket.yml)}
  - ${file(resources/s3-policies.yml)}
  - ${file(resources/dns-records.yml)}
  - ${file(resources/certificate.yml)}
  - ${file(resources/cf-distribution.yml)}
  - ${file(resources/outputs.yml)}

# custom-acm-certificate-lambda.yml
Resources:
  CustomAcmCertificateLambda:
    Type: 'AWS::Lambda::Function'
    Metadata:
      Source: https://github.com/dflook/cloudformation-dns-certificate
      Version: 1.7.1
    Properties:
      Description: Cloudformation custom resource for DNS validated certificates
      Handler: index.handler
      Role: '#{CustomAcmCertificateLambdaExecutionRole.Arn}'
      Runtime: python3.6
      Timeout: 900
      Code:
        ZipFile: "T=RuntimeError\nimport copy,hashlib as t,json,logging as B,time\
          \ as b\nfrom boto3 import client as K\nfrom botocore.exceptions import ClientError\
          \ as u,ParamValidationError as v\nfrom botocore.vendored import requests\
          \ as w\nA=B.getLogger()\nA.setLevel(B.INFO)\nD=A.info\nS=A.exception\nd=json.dumps\n\
          M=copy.copy\ne=b.sleep\ndef handler(event,c):\n\tA9='OldResourceProperties';A8='Update';A7='Delete';A6='None';A5='acm';A4='FAILED';A3='properties';A2='stack-id';A1='logical-id';A0='DNS';s='Old';r='Certificate';q='LogicalResourceId';p='DomainName';o='ValidationMethod';n='Route53RoleArn';m='Region';a='RequestType';Z='Reinvoked';Y='StackId';X=None;R='Status';Q='Key';P='';O=True;N='DomainValidationOptions';L=False;J='ResourceProperties';I='cloudformation:';H='Value';G='CertificateArn';F='Tags';C='PhysicalResourceId';A=event;f=c.get_remaining_time_in_millis;D(A)\n\
          \tdef g():\n\t\tD=M(B)\n\t\tfor H in ['ServiceToken',m,F,n]:D.pop(H,X)\n\
          \t\tif o in B:\n\t\t\tif B[o]==A0:\n\t\t\t\tfor I in set([B[p]]+B.get('SubjectAlternativeNames',[])):k(I)\n\
          \t\t\t\tdel D[N]\n\t\tA[C]=E.request_certificate(IdempotencyToken=y,**D)[G];l()\n\
          \tdef U(a):\n\t\twhile O:\n\t\t\ttry:E.delete_certificate(**{G:a});return\n\
          \t\t\texcept u as B:\n\t\t\t\tS(P);A=B.response['Error']['Code']\n\t\t\t\
          \tif A=='ResourceInUseException':\n\t\t\t\t\tif f()/1000<30:raise\n\t\t\t\
          \t\te(5);continue\n\t\t\t\tif A in['ResourceNotFoundException','ValidationException']:return\n\
          \t\t\t\traise\n\t\t\texcept v:return\n\tdef V(props):\n\t\tfor J in E.get_paginator('list_certificates').paginate():\n\
          \t\t\tfor B in J['CertificateSummaryList']:\n\t\t\t\tD(B);C={A[Q]:A[H]for\
          \ A in E.list_tags_for_certificate(**{G:B[G]})[F]}\n\t\t\t\tif C.get(I+A1)==A[q]and\
          \ C.get(I+A2)==A[Y]and C.get(I+A3)==hash(props):return B[G]\n\tdef h():\n\
          \t\tif A.get(Z,L):raise T('Certificate not issued in time')\n\t\tA[Z]=O;D(A);K('lambda').invoke(FunctionName=c.invoked_function_arn,InvocationType='Event',Payload=d(A).encode())\n\
          \tdef i():\n\t\twhile f()/1000>30:\n\t\t\tB=E.describe_certificate(**{G:A[C]})[r];D(B)\n\
          \t\t\tif B[R]=='ISSUED':return O\n\t\t\telif B[R]==A4:raise T(B.get('FailureReason',P))\n\
          \t\t\te(5)\n\t\treturn L\n\tdef x():B=M(A[s+J]);B.pop(F,X);C=M(A[J]);C.pop(F,X);return\
          \ B!=C\n\tdef j():\n\t\tW='Type';V='Name';U='HostedZoneId';T='ValidationStatus';S='PENDING_VALIDATION';L='ResourceRecord'\n\
          \t\tif B.get(o)!=A0:return\n\t\twhile O:\n\t\t\tI=E.describe_certificate(**{G:A[C]})[r];D(I)\n\
          \t\t\tif I[R]!=S:return\n\t\t\tif not[A for A in I.get(N,[{}])if T not in\
          \ A or L not in A]:break\n\t\t\tb.sleep(1)\n\t\tfor F in I[N]:\n\t\t\tif\
          \ F[T]==S:M=k(F[p]);P=M.get(n,B.get(n));J=K('sts').assume_role(RoleArn=P,RoleSessionName=(r+A[q])[:64],DurationSeconds=900)['Credentials']if\
          \ P is not X else{};Q=K('route53',aws_access_key_id=J.get('AccessKeyId'),aws_secret_access_key=J.get('SecretAccessKey'),aws_session_token=J.get('SessionToken')).change_resource_record_sets(**{U:M[U],'ChangeBatch':{'Comment':'Domain\
          \ validation for '+A[C],'Changes':[{'Action':'UPSERT','ResourceRecordSet':{V:F[L][V],W:F[L][W],'TTL':60,'ResourceRecords':[{H:F[L][H]}]}}]}});D(Q)\n\
          \tdef k(n):\n\t\tC='.';n=n.rstrip(C);D={A[p].rstrip(C):A for A in B[N]};A=n.split(C)\n\
          \t\twhile len(A):\n\t\t\tif C.join(A)in D:return D[C.join(A)]\n\t\t\tA=A[1:]\n\
          \t\traise T(N+' missing'+' for '+n)\n\thash=lambda v:t.new('md5',d(v,sort_keys=O).encode()).hexdigest()\n\
          \tdef l():B=M(A[J].get(F,[]));B+=[{Q:I+A1,H:A[q]},{Q:I+A2,H:A[Y]},{Q:I+'stack-name',H:A[Y].split('/')[1]},{Q:I+A3,H:hash(A[J])}];E.add_tags_to_certificate(**{G:A[C],F:B})\n\
          \tdef W():D(A);B=w.put(A['ResponseURL'],json=A,headers={'content-type':P});B.raise_for_status()\n\
          \ttry:\n\t\ty=hash(A['RequestId']+A[Y]);B=A[J];E=K(A5,region_name=B.get(m));A[R]='SUCCESS'\n\
          \t\tif A[a]=='Create':\n\t\t\tif A.get(Z,L)is L:A[C]=A6;g()\n\t\t\tj()\n\
          \t\t\tif not i():return h()\n\t\telif A[a]==A7:\n\t\t\tif A[C]!=A6:\n\t\t\
          \t\tif A[C].startswith('arn:'):U(A[C])\n\t\t\t\telse:U(V(B))\n\t\telif A[a]==A8:\n\
          \t\t\tif x():\n\t\t\t\tD(A8)\n\t\t\t\tif V(B)==A[C]:\n\t\t\t\t\ttry:E=K(A5,region_name=A[A9].get(m));D(A7);U(V(A[A9]))\n\
          \t\t\t\t\texcept:S(P)\n\t\t\t\t\treturn W()\n\t\t\t\tif A.get(Z,L)is L:g()\n\
          \t\t\t\tj()\n\t\t\t\tif not i():return h()\n\t\t\telse:\n\t\t\t\tif F in\
          \ A[s+J]:E.remove_tags_from_certificate(**{G:A[C],F:A[s+J][F]})\n\t\t\t\t\
          l()\n\t\telse:raise T(A[a])\n\t\treturn W()\n\texcept Exception as z:S(P);A[R]=A4;A['Reason']=str(z);return\
          \ W()"

# custom-acm-certificate-lambda-role.yml
Resources:
  CustomAcmCertificateLambdaExecutionRole:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action:
              - sts:AssumeRole
            Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
        Version: '2012-10-17'
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
        - arn:aws:iam::aws:policy/service-role/AWSLambdaRole
      Policies:
        - PolicyDocument:
            Statement:
              - Action:
                  - acm:AddTagsToCertificate
                  - acm:DeleteCertificate
                  - acm:DescribeCertificate
                  - acm:RemoveTagsFromCertificate
                Effect: Allow
                Resource:
                  - 'arn:aws:acm:*:#{AWS::AccountId}:certificate/*'
              - Action:
                  - acm:RequestCertificate
                  - acm:ListTagsForCertificate
                  - acm:ListCertificates
                Effect: Allow
                Resource:
                  - '*'
              - Action:
                  - route53:ChangeResourceRecordSets
                Effect: Allow
                Resource:
                  - arn:aws:route53:::hostedzone/*
            Version: '2012-10-17'
          PolicyName: 'CustomAcmCertificateLambdaExecutionPolicy-${self:service.name}'

# cloudfront-origin-access-identity.yml
Resources:
  CloudFrontOriginAccessIdentity:
    Type: 'AWS::CloudFront::CloudFrontOriginAccessIdentity'
    Properties:
      CloudFrontOriginAccessIdentityConfig:
        Comment: '${self:service.name}-oai'

# s3-bucket.yml
Resources:
  WebsiteBucket:
    Type: 'AWS::S3::Bucket'
    Properties:
      BucketName: ${self:provider.environment.DOMAIN}

# s3-policies.yml
Resources:
  WebsiteBucketPolicy:
    Type: AWS::S3::BucketPolicy
    DependsOn:
      - WebsiteBucket
    Properties:
      Bucket:
        Ref: WebsiteBucket
      PolicyDocument:
        Statement:
          - Sid: PublicReadGetObject
            Effect: Allow
            Principal:
              AWS:
                Fn::Join:
                  - ' '
                  - - 'arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity'
                    - '#{CloudFrontOriginAccessIdentity}'
            Action:
              - s3:GetObject
            Resource:
              - Fn::Join: [
                  '', [
                    'arn:aws:s3:::',
                    {
                      'Ref': 'WebsiteBucket'
                    },
                    '/*'
                  ]
                ]

# dns-records.yml
# See RecordSet: https://docs.aws.amazon.com/de_de/AWSCloudFormation/latest/UserGuide/aws-properties-route53-recordset.html
# See AliasTarget: https://docs.aws.amazon.com/de_de/AWSCloudFormation/latest/UserGuide/aws-properties-route53-aliastarget.html
# See https://docs.aws.amazon.com/general/latest/gr/rande.html#s3_region (below the first table for hosted zone ids / website endpoints of S3)
Resources:
  DnsRecord:
    Type: 'AWS::Route53::RecordSet'
    Properties:
      Comment: 'Alias CloudFront for ${self:provider.environment.DOMAIN}'
      HostedZoneId: '${self:provider.environment.HOSTED_ZONE_ID}'
      Type: A
      Name: '${self:provider.environment.DOMAIN}'
      AliasTarget:
        # Generated domain name from CloudFront
        DNSName: '#{CFDistribution.DomainName}'
        # Default (static) hosted zone for CloudFront
        HostedZoneId: 'Z2FDTNDATAQYW2'
  WWWDnsRecord:
    Type: 'AWS::Route53::RecordSet'
    Properties:
      Comment: 'Alias CloudFront for www.${self:provider.environment.DOMAIN}'
      HostedZoneId: '${self:provider.environment.HOSTED_ZONE_ID}'
      Type: A
      Name: 'www.${self:provider.environment.DOMAIN}'
      AliasTarget:
        # Generated domain name from CloudFront
        DNSName: '#{CFDistribution.DomainName}'
        # Default (static) hosted zone for CloudFront
        HostedZoneId: 'Z2FDTNDATAQYW2'

# certificate.yml
Resources:
  SSLCertificate:
    Type: 'Custom::DNSCertificate'
    Properties:
      DomainName: '${self:provider.environment.DOMAIN}'
      SubjectAlternativeNames:
        - 'www.${self:provider.environment.DOMAIN}'
      ValidationMethod: DNS
      # Needs to be in us-east-1 because of CloudFront limitations
      Region: us-east-1
      DomainValidationOptions:
        - DomainName: '${self:provider.environment.DOMAIN}'
          HostedZoneId: '${self:provider.environment.HOSTED_ZONE_ID}'
      ServiceToken: '#{CustomAcmCertificateLambda.Arn}'

# cf-distribution.yml
# See https://blog.m-taylor.co.uk/2018/01/cloudformation-template-for-a-cloudfront-enabled-s3-website.html
Resources:
  CFDistribution:
    Type: 'AWS::CloudFront::Distribution'
    DependsOn:
      - WebsiteBucket
      - SSLCertificate
      - CloudFrontOriginAccessIdentity
    Properties:
      DistributionConfig:
        Aliases:
          - '${self:provider.environment.DOMAIN}'
          - 'www.${self:provider.environment.DOMAIN}'
        Origins:
          - DomainName: '#{WebsiteBucket.DomainName}'
            OriginPath: ''
            Id: S3BucketOrigin
            S3OriginConfig:
              OriginAccessIdentity:
                Fn::Join:
                  - ''
                  - - 'origin-access-identity/cloudfront/'
                    - '#{CloudFrontOriginAccessIdentity}'
        Comment: 'CloudFront origin for ${self:provider.environment.DOMAIN}'
        DefaultCacheBehavior:
          AllowedMethods:
            - GET
            - HEAD
            - OPTIONS
          TargetOriginId: S3BucketOrigin
          Compress: true
          ForwardedValues:
            QueryString: 'false'
            Cookies:
              Forward: none
          ViewerProtocolPolicy: redirect-to-https
        DefaultRootObject: index.html
        Enabled: 'true'
        HttpVersion: 'http2'
        PriceClass: 'PriceClass_100'
        ViewerCertificate:
          AcmCertificateArn: '#{SSLCertificate}'
          SslSupportMethod: sni-only

# outputs.yml
Outputs:
  CloudFrontDistributionId:
    Description: CloudFront distribution id
    Value:
      Ref: CFDistribution
  HostedZoneNameservers:
    Description: The nameservers for the Hosted Zone (to be used with your external DNS configuration)
    Value:
      'Fn::Join':
        - ', '
        - 'Fn::GetAtt': ['${self:provider.environment.HOSTED_ZONE_ID}', 'NameServers']

Error Message:

# outputs.yml
Error: The CloudFormation template is invalid: Template error: instance of Fn::GetAtt references undefined resource MY_EXISTING_HOSTED_ZONE_ID

tobilg / serverless-aws-static-websites

Configuration with existing hosted zone #6

Configuration

Error Message:

Could you please help me modify the configuration to get it working?