aws · mergify · Jul 30, 2020 · Jul 28, 2020 · Jul 28, 2020 · Jul 29, 2020
diff --git a/packages/@aws-cdk/aws-certificatemanager/lib/certificate.ts b/packages/@aws-cdk/aws-certificatemanager/lib/certificate.ts
@@ -238,7 +238,7 @@ function renderDomainValidation(validation: CertificateValidation, domainNames:
 
   switch (validation.method) {
     case ValidationMethod.DNS:
-      for (const domainName of domainNames) {
+      for (const domainName of getUniqueDnsDomainNames(domainNames)) {
         const hostedZone = validation.props.hostedZones?.[domainName] ?? validation.props.hostedZone;
         if (hostedZone) {
           domainValidation.push({ domainName, hostedZoneId: hostedZone.hostedZoneId });
@@ -260,3 +260,14 @@ function renderDomainValidation(validation: CertificateValidation, domainNames:
 
   return domainValidation.length !== 0 ? domainValidation : undefined;
 }
+
+/**
+ * Removes wildcard domains (*.example.com) where the base domain (example.com) is present.
+ * This is because the DNS validation treats them as the same thing, and the automated CloudFormation
+ * DNS validation errors out with the duplicate records.
+ */
+function getUniqueDnsDomainNames(domainNames: string[]) {
+  return domainNames.filter(domain => {
+    return Token.isUnresolved(domain) || !domain.startsWith('*.') || !domainNames.includes(domain.replace('*.', ''));
+  });
+}
diff --git a/packages/@aws-cdk/aws-certificatemanager/test/certificate.test.ts b/packages/@aws-cdk/aws-certificatemanager/test/certificate.test.ts
@@ -121,46 +121,118 @@ test('CertificateValidation.fromEmail', () => {
   });
 });
 
-test('CertificateValidation.fromDns', () => {
-  const stack = new Stack();
+describe('CertificateValidation.fromDns', () => {
 
-  new Certificate(stack, 'Certificate', {
-    domainName: 'test.example.com',
-    subjectAlternativeNames: ['extra.example.com'],
-    validation: CertificateValidation.fromDns(),
-  });
+  test('without a hosted zone', () => {
+    const stack = new Stack();
 
-  expect(stack).toHaveResource('AWS::CertificateManager::Certificate', {
-    DomainName: 'test.example.com',
-    SubjectAlternativeNames: ['extra.example.com'],
-    ValidationMethod: 'DNS',
+    new Certificate(stack, 'Certificate', {
+      domainName: 'test.example.com',
+      subjectAlternativeNames: ['extra.example.com'],
+      validation: CertificateValidation.fromDns(),
+    });
+
+    expect(stack).toHaveResource('AWS::CertificateManager::Certificate', {
+      DomainName: 'test.example.com',
+      SubjectAlternativeNames: ['extra.example.com'],
+      ValidationMethod: 'DNS',
+    });
   });
-});
 
-test('CertificateValidation.fromDns with hosted zone', () => {
-  const stack = new Stack();
+  test('with a hosted zone', () => {
+    const stack = new Stack();
 
-  const exampleCom = new route53.HostedZone(stack, 'ExampleCom', {
-    zoneName: 'example.com',
+    const exampleCom = new route53.HostedZone(stack, 'ExampleCom', {
+      zoneName: 'example.com',
+    });
+
+    new Certificate(stack, 'Certificate', {
+      domainName: 'test.example.com',
+      validation: CertificateValidation.fromDns(exampleCom),
+    });
+
+    expect(stack).toHaveResource('AWS::CertificateManager::Certificate', {
+      DomainName: 'test.example.com',
+      DomainValidationOptions: [
+        {
+          DomainName: 'test.example.com',
+          HostedZoneId: {
+            Ref: 'ExampleCom20E1324B',
+          },
+        },
+      ],
+      ValidationMethod: 'DNS',
+    });
   });
 
-  new Certificate(stack, 'Certificate', {
-    domainName: 'test.example.com',
-    validation: CertificateValidation.fromDns(exampleCom),
+  test('with hosted zone and a wildcard name', () => {
+    const stack = new Stack();
+
+    const exampleCom = new route53.HostedZone(stack, 'ExampleCom', {
+      zoneName: 'example.com',
+    });
+
+    new Certificate(stack, 'Certificate', {
+      domainName: 'test.example.com',
+      validation: CertificateValidation.fromDns(exampleCom),
+      subjectAlternativeNames: ['*.test.example.com'],
+    });
+
+    //Wildcard domain names are de-duped.
+    expect(stack).toHaveResource('AWS::CertificateManager::Certificate', {
+      DomainName: 'test.example.com',
+      DomainValidationOptions: [
+        {
+          DomainName: 'test.example.com',
+          HostedZoneId: {
+            Ref: 'ExampleCom20E1324B',
+          },
+        },
+      ],
+      ValidationMethod: 'DNS',
+    });
   });
 
-  expect(stack).toHaveResource('AWS::CertificateManager::Certificate', {
-    DomainName: 'test.example.com',
-    DomainValidationOptions: [
-      {
-        DomainName: 'test.example.com',
-        HostedZoneId: {
-          Ref: 'ExampleCom20E1324B',
+  test('with hosted zone and multiple wildcard names', () => {
+    const stack = new Stack();
+
+    const exampleCom = new route53.HostedZone(stack, 'ExampleCom', {
+      zoneName: 'example.com',
+    });
+
+    new Certificate(stack, 'Certificate', {
+      domainName: 'test.example.com',
+      validation: CertificateValidation.fromDns(exampleCom),
+      subjectAlternativeNames: ['*.test.example.com', '*.foo.test.example.com', 'bar.test.example.com'],
+    });
+
+    //Wildcard domain names are de-duped.
+    expect(stack).toHaveResource('AWS::CertificateManager::Certificate', {
+      DomainName: 'test.example.com',
+      DomainValidationOptions: [
+        {
+          DomainName: 'test.example.com',
+          HostedZoneId: {
+            Ref: 'ExampleCom20E1324B',
+          },
         },
-      },
-    ],
-    ValidationMethod: 'DNS',
+        {
+          DomainName: '*.foo.test.example.com',
+          HostedZoneId: {
+            Ref: 'ExampleCom20E1324B',
+          },
+        },
+        {
+          DomainName: 'bar.test.example.com',
+          HostedZoneId: {
+            Ref: 'ExampleCom20E1324B',
+          },
+        },
+      ],
+      ValidationMethod: 'DNS',
+    });
   });
+
 });
 
 test('CertificateValidation.fromDnsMultiZone', () => {