fix(acm): domainName length constraint failure due to Tokens (#23567)

rv2673 · web-flow · commit 2d7e3c0e9edf · 2023-01-04T23:46:00.000Z
When creating Certificate where the domainName property contains tokens, the length check can fail. This is because the string encoded token can cause the length to exceed the maximum even if token will resolve to something shorter. To solve this the property is checked for token as provided in the design guidelines: https://github.com/aws/aws-cdk/blob/b14a3d1dc4c4508ad354d954b9480e9c2c64401c/docs/DESIGN_GUIDELINES.md#throwing-exceptions fixes #23565 ---- ### All Submissions: * [x] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) ### Adding new Construct Runtime Dependencies: * [ ] This PR adds new construct runtime dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-construct-runtime-dependencies) ### New Features * [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)? // No fix involves only synth time code. * [ ] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)? // No changes to integration tests where made. *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
diff --git a/packages/@aws-cdk/aws-certificatemanager/lib/certificate.ts b/packages/@aws-cdk/aws-certificatemanager/lib/certificate.ts
@@ -242,7 +242,7 @@ export class Certificate extends CertificateBase implements ICertificate {
     }
 
     // check if domain name is 64 characters or less
-    if (props.domainName.length > 64) {
+    if (!Token.isUnresolved(props.domainName) && props.domainName.length > 64) {
       throw new Error('Domain name must be 64 characters or less');
     }
 
diff --git a/packages/@aws-cdk/aws-certificatemanager/lib/dns-validated-certificate.ts b/packages/@aws-cdk/aws-certificatemanager/lib/dns-validated-certificate.ts
@@ -3,6 +3,7 @@ import * as iam from '@aws-cdk/aws-iam';
 import * as lambda from '@aws-cdk/aws-lambda';
 import * as route53 from '@aws-cdk/aws-route53';
 import * as cdk from '@aws-cdk/core';
+import { Token } from '@aws-cdk/core';
 import { Construct } from 'constructs';
 import { CertificateProps, ICertificate } from './certificate';
 import { CertificateBase } from './certificate-base';
@@ -87,7 +88,7 @@ export class DnsValidatedCertificate extends CertificateBase implements ICertifi
     this.region = props.region;
     this.domainName = props.domainName;
     // check if domain name is 64 characters or less
-    if (this.domainName.length > 64) {
+    if (!Token.isUnresolved(props.domainName) && props.domainName.length > 64) {
       throw new Error('Domain name must be 64 characters or less');
     }
     this.normalizedZoneName = props.hostedZone.zoneName;
diff --git a/packages/@aws-cdk/aws-certificatemanager/test/certificate.test.ts b/packages/@aws-cdk/aws-certificatemanager/test/certificate.test.ts
@@ -1,6 +1,6 @@
 import { Template, Match } from '@aws-cdk/assertions';
 import * as route53 from '@aws-cdk/aws-route53';
-import { Duration, Lazy, Stack } from '@aws-cdk/core';
+import { Aws, Duration, Lazy, Stack } from '@aws-cdk/core';
 import { Certificate, CertificateValidation } from '../lib';
 
 test('apex domain selection by default', () => {
@@ -91,6 +91,37 @@ test('throws when domain name is longer than 64 characters', () => {
   }).toThrow(/Domain name must be 64 characters or less/);
 });
 
+test('does not throw when domain name is longer than 64 characters with tokens', () => {
+  const stack = new Stack();
+  const embededToken = Aws.REGION;
+  const baseDomain = 'a'.repeat(65-embededToken.length);
+  const domainName = `${embededToken}${baseDomain}`;
+  new Certificate(stack, 'Certificate', {
+    domainName,
+    validation: CertificateValidation.fromEmail({
+      [domainName]: 'example.com',
+    }),
+  });
+
+  const domainNameJoin = {
+    'Fn::Join': [
+      '',
+      [
+        {
+          Ref: 'AWS::Region',
+        },
+        baseDomain,
+      ],
+    ],
+  };
+  Template.fromStack(stack).hasResourceProperties('AWS::CertificateManager::Certificate', {
+    DomainName: domainNameJoin,
+    DomainValidationOptions: [{
+      DomainName: domainNameJoin,
+      ValidationDomain: 'example.com',
+    }],
+  });
+});
 
 test('needs validation domain supplied if domain contains a token', () => {
   const stack = new Stack();
diff --git a/packages/@aws-cdk/aws-certificatemanager/test/dns-validated-certificate.test.ts b/packages/@aws-cdk/aws-certificatemanager/test/dns-validated-certificate.test.ts
@@ -1,7 +1,7 @@
 import { Template } from '@aws-cdk/assertions';
 import * as iam from '@aws-cdk/aws-iam';
 import { HostedZone, PublicHostedZone } from '@aws-cdk/aws-route53';
-import { App, Stack, Token, Tags, RemovalPolicy } from '@aws-cdk/core';
+import { App, Stack, Token, Tags, RemovalPolicy, Aws } from '@aws-cdk/core';
 import { DnsValidatedCertificate } from '../lib/dns-validated-certificate';
 
 test('creates CloudFormation Custom Resource', () => {
@@ -252,6 +252,47 @@ test('throws when domain name is longer than 64 characters', () => {
   }).toThrow(/Domain name must be 64 characters or less/);
 }),
 
+test('does not throw when domain name is longer than 64 characters with tokens', () => {
+  const stack = new Stack();
+  const zoneName = 'example.com';
+  const exampleDotComZone = new PublicHostedZone(stack, 'ExampleDotCom', {
+    zoneName,
+  });
+  const embededToken = Aws.REGION;
+  const baseSubDomain = 'a'.repeat(65 - embededToken.length -1 -zoneName.length);
+  const domainName = `${embededToken}${baseSubDomain}.${zoneName}`;
+
+  new DnsValidatedCertificate(stack, 'Cert', {
+    domainName,
+    hostedZone: exampleDotComZone,
+    transparencyLoggingEnabled: false,
+  });
+
+  Template.fromStack(stack).hasResourceProperties('AWS::CloudFormation::CustomResource', {
+    ServiceToken: {
+      'Fn::GetAtt': [
+        'CertCertificateRequestorFunction98FDF273',
+        'Arn',
+      ],
+    },
+    DomainName: {
+      'Fn::Join': [
+        '',
+        [
+          {
+            Ref: 'AWS::Region',
+          },
+          `${baseSubDomain}.${zoneName}`,
+        ],
+      ],
+    },
+    HostedZoneId: {
+      Ref: 'ExampleDotCom4D1B83AA',
+    },
+    CertificateTransparencyLoggingPreference: 'DISABLED',
+  });
+});
+
 test('test transparency logging settings is passed to the custom resource', () => {
   const stack = new Stack();
 

Original file line number	Diff line number	Diff line change
`@@ -242,7 +242,7 @@ export class Certificate extends CertificateBase implements ICertificate {`
`242`	`242`	`}`
`243`	`243`
`244`	`244`	`// check if domain name is 64 characters or less`
`245`		`- if (props.domainName.length > 64) {`
	`245`	`+ if (!Token.isUnresolved(props.domainName) && props.domainName.length > 64) {`
`246`	`246`	`throw new Error('Domain name must be 64 characters or less');`
`247`	`247`	`}`
`248`	`248`