aws-certificatemanager: Missing simple validation for domainName in the Certificate construct

[slawek-amzn]

Describe the bug

The Certificate construct in AWS CDK does not perform validation on the domainName property at synthesis time. If the user provides an invalid domain name (e.g., a domain that is not a valid wildcard or fully qualified domain), the error only occurs at deployment time. This results in wasted time and failed deployments. The underlying error returned by AWS Certificate Manager is:

1 validation error detected: Value of the input at 'domainValidationOptions.1.member.validationDomain' failed to satisfy constraint: Member must satisfy regular expression pattern: (\*\.)?(((?!-)[A-Za-z0-9-]{0,62}[A-Za-z0-9])\.)+((?!-)[A-Za-z0-9-]{1,62}[A-Za-z0-9]) 
(Service: AWSCertificateManager; Status Code: 400; Error Code: ValidationException)

Regression Issue

• Select this option if this issue appears to be a regression.

Last Known Working CDK Library Version

No response

Expected Behavior

The Certificate construct should validate the domainName property during synthesis. If the domain name is invalid or missing a required wildcard for subdomain coverage, CDK should raise a synthesis-time error. This prevents failed deployments and saves developer time.

Current Behavior

Currently, CDK allows invalid domain names to pass through synthesis. The errors are only caught during deployment, which leads to wasted time and failed stacks. Example:

const cert = new Certificate(this, 'InternalCert', {
  domainName: zone.zoneName, // This will fail at deployment
});

The fix that works is adding a wildcard to the domain name:

const cert = new Certificate(this, 'InternalCert', {
  domainName: `*.${zone.zoneName}`, // Passes validation
});

Reproduction Steps

N/A - every aws_cdk version

Possible Solution

Add the validation

Additional Information/Context

No response

AWS CDK Library version (aws-cdk-lib)

2.207.0

AWS CDK CLI version

2.1022.0

Node.js Version

18.20.2

OS

MacOS

Language

TypeScript

Language Version

No response

Other information

No response

[pahud]

Mermaid Triage Diagram:

flowchart TD
    A["User creates Certificate with invalid domain"] --> B["CDK Synthesis"]
    B --> C["Current: Only length validation"]
    C --> D["Synthesis succeeds"]
    D --> E["CloudFormation deployment"]
    E --> F["AWS Certificate Manager validation"]
    F --> G["Deployment fails with ValidationException"]

    B --> H["Proposed: Format + length validation"]
    H --> I["Synthesis fails with clear error"]
    I --> J["Developer fixes domain immediately"]

    subgraph "Problem Flow"
        C
        D
        E
        F
        G
    end

    subgraph "Solution Flow"
        H
        I
        J
    end

Loading

---

Hi @slawek-amzn,

Thank you for this excellent enhancement request! You've identified a real pain point where invalid domain names pass CDK synthesis but fail at deployment time, wasting developer time and causing failed stacks. This issue represents a valuable enhancement that would improve developer experience by catching domain validation errors early in the development cycle rather than during deployment.

This is a valid enhancement request for the Certificate construct. Currently, the construct only validates domain name length (64 characters) but doesn't validate the domain format against AWS Certificate Manager's regex pattern:

(\*\.)?(((?!-)[A-Za-z0-9-]{0,62}[A-Za-z0-9])\.)+((?!-)[A-Za-z0-9-]{1,62}[A-Za-z0-9])

Current validation code:

if (props.domainName.length > 64) {
 throw new Error('Domain name cannot be longer than 64 characters');
}

Proposed enhancement:
Add comprehensive domain format validation at synthesis time to match AWS Certificate Manager's requirements, providing immediate feedback instead of deployment-time failures.

This would be a great contribution to improve the developer experience! Would you be interested in submitting a pull request to implement this validation? The implementation would involve:

1. Adding a domain format validation function using the AWS Certificate Manager regex pattern
2. Calling this validation in the Certificate constructor
3. Providing clear error messages with examples of valid domain formats

We'd be happy to review and provide guidance on the implementation approach.