fix(certificatemanager): DNS validation for wildcard certificates (aws#9291)

If a certificate with automatic (Route53) DNS validation contains both a base
domain name and the wildcard for that domain (e.g., `example.com` and
`*.example.com`), the corresponding DNS validation records are identical.
This seems to have caused problems for the automated CloudFormation DNS
validation.

Solving the problem by removing the redundant wildcard entries from the
DomainValidationOption.

fixes aws#9248


----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Author: njlynch

packages/@aws-cdk/aws-certificatemanager/lib/certificate.ts

@@ -238,7 +238,7 @@ function renderDomainValidation(validation: CertificateValidation, domainNames:
 
   switch (validation.method) {
     case ValidationMethod.DNS:
-      for (const domainName of domainNames) {
+      for (const domainName of getUniqueDnsDomainNames(domainNames)) {
         const hostedZone = validation.props.hostedZones?.[domainName] ?? validation.props.hostedZone;
         if (hostedZone) {
           domainValidation.push({ domainName, hostedZoneId: hostedZone.hostedZoneId });
@@ -260,3 +260,14 @@ function renderDomainValidation(validation: CertificateValidation, domainNames:
 
   return domainValidation.length !== 0 ? domainValidation : undefined;
 }
+
+/**
+ * Removes wildcard domains (*.example.com) where the base domain (example.com) is present.
+ * This is because the DNS validation treats them as the same thing, and the automated CloudFormation
+ * DNS validation errors out with the duplicate records.
+ */
+function getUniqueDnsDomainNames(domainNames: string[]) {
+  return domainNames.filter(domain => {
+    return Token.isUnresolved(domain) || !domain.startsWith('*.') || !domainNames.includes(domain.replace('*.', ''));
+  });
+}

packages/@aws-cdk/aws-certificatemanager/test/certificate.test.ts

@@ -121,46 +121,118 @@ test('CertificateValidation.fromEmail', () => {
   });
 });
 
-test('CertificateValidation.fromDns', () => {
-  const stack = new Stack();
+describe('CertificateValidation.fromDns', () => {
 
-  new Certificate(stack, 'Certificate', {
-    domainName: 'test.example.com',
-    subjectAlternativeNames: ['extra.example.com'],
-    validation: CertificateValidation.fromDns(),
-  });
+  test('without a hosted zone', () => {
+    const stack = new Stack();
 
-  expect(stack).toHaveResource('AWS::CertificateManager::Certificate', {
-    DomainName: 'test.example.com',
-    SubjectAlternativeNames: ['extra.example.com'],
-    ValidationMethod: 'DNS',
+    new Certificate(stack, 'Certificate', {
+      domainName: 'test.example.com',
+      subjectAlternativeNames: ['extra.example.com'],
+      validation: CertificateValidation.fromDns(),
+    });
+
+    expect(stack).toHaveResource('AWS::CertificateManager::Certificate', {
+      DomainName: 'test.example.com',
+      SubjectAlternativeNames: ['extra.example.com'],
+      ValidationMethod: 'DNS',
+    });
   });
-});
 
-test('CertificateValidation.fromDns with hosted zone', () => {
-  const stack = new Stack();
+  test('with a hosted zone', () => {
+    const stack = new Stack();
 
-  const exampleCom = new route53.HostedZone(stack, 'ExampleCom', {
-    zoneName: 'example.com',
+    const exampleCom = new route53.HostedZone(stack, 'ExampleCom', {
+      zoneName: 'example.com',
+    });
+
+    new Certificate(stack, 'Certificate', {
+      domainName: 'test.example.com',
+      validation: CertificateValidation.fromDns(exampleCom),
+    });
+
+    expect(stack).toHaveResource('AWS::CertificateManager::Certificate', {
+      DomainName: 'test.example.com',
+      DomainValidationOptions: [
+        {
+          DomainName: 'test.example.com',
+          HostedZoneId: {
+            Ref: 'ExampleCom20E1324B',
+          },
+        },
+      ],
+      ValidationMethod: 'DNS',
+    });
   });
 
-  new Certificate(stack, 'Certificate', {
-    domainName: 'test.example.com',
-    validation: CertificateValidation.fromDns(exampleCom),
+  test('with hosted zone and a wildcard name', () => {
+    const stack = new Stack();
+
+    const exampleCom = new route53.HostedZone(stack, 'ExampleCom', {
+      zoneName: 'example.com',
+    });
+
+    new Certificate(stack, 'Certificate', {
+      domainName: 'test.example.com',
+      validation: CertificateValidation.fromDns(exampleCom),
+      subjectAlternativeNames: ['*.test.example.com'],
+    });
+
+    //Wildcard domain names are de-duped.
+    expect(stack).toHaveResource('AWS::CertificateManager::Certificate', {
+      DomainName: 'test.example.com',
+      DomainValidationOptions: [
+        {
+          DomainName: 'test.example.com',
+          HostedZoneId: {
+            Ref: 'ExampleCom20E1324B',
+          },
+        },
+      ],
+      ValidationMethod: 'DNS',
+    });
   });
 
-  expect(stack).toHaveResource('AWS::CertificateManager::Certificate', {
-    DomainName: 'test.example.com',
-    DomainValidationOptions: [
-      {
-        DomainName: 'test.example.com',
-        HostedZoneId: {
-          Ref: 'ExampleCom20E1324B',
+  test('with hosted zone and multiple wildcard names', () => {
+    const stack = new Stack();
+
+    const exampleCom = new route53.HostedZone(stack, 'ExampleCom', {
+      zoneName: 'example.com',
+    });
+
+    new Certificate(stack, 'Certificate', {
+      domainName: 'test.example.com',
+      validation: CertificateValidation.fromDns(exampleCom),
+      subjectAlternativeNames: ['*.test.example.com', '*.foo.test.example.com', 'bar.test.example.com'],
+    });
+
+    //Wildcard domain names are de-duped.
+    expect(stack).toHaveResource('AWS::CertificateManager::Certificate', {
+      DomainName: 'test.example.com',
+      DomainValidationOptions: [
+        {
+          DomainName: 'test.example.com',
+          HostedZoneId: {
+            Ref: 'ExampleCom20E1324B',
+          },
         },
-      },
-    ],
-    ValidationMethod: 'DNS',
+        {
+          DomainName: '*.foo.test.example.com',
+          HostedZoneId: {
+            Ref: 'ExampleCom20E1324B',
+          },
+        },
+        {
+          DomainName: 'bar.test.example.com',
+          HostedZoneId: {
+            Ref: 'ExampleCom20E1324B',
+          },
+        },
+      ],
+      ValidationMethod: 'DNS',
+    });
   });
+
 });
 
 test('CertificateValidation.fromDnsMultiZone', () => {