fix(acm): enabled validation of certificates on the zone name (#2133)

As it is now, only certificates with subdomains are correctly validated

Got help from @njlaw to find and correct the issue

Author: McDoit

packages/@aws-cdk/aws-certificatemanager/lib/dns-validated-certificate.ts

@@ -83,7 +83,7 @@ export class DnsValidatedCertificate extends cdk.Construct implements ICertifica
     protected validate(): string[] {
         const errors: string[] = [];
         // Ensure the zone name is a parent zone of the certificate domain name
-        if (!this.domainName.endsWith('.' + this.normalizedZoneName)) {
+        if (this.domainName !== this.normalizedZoneName && !this.domainName.endsWith('.' + this.normalizedZoneName)) {
             errors.push(`DNS zone ${this.normalizedZoneName} is not authoritative for certificate domain name ${this.domainName}`);
         }
         return errors;

packages/@aws-cdk/aws-certificatemanager/test/test.dns-validated-certificate.ts

@@ -112,4 +112,31 @@ export = {
     test.throws(() => expect(stack), /DNS zone hello.com is not authoritative for certificate domain name example.com/);
     test.done();
   },
+
+  'test root certificate'(test: Test) {
+    const stack = new Stack();
+
+    const exampleDotComZone = new PublicHostedZone(stack, 'ExampleDotCom', {
+      zoneName: 'example.com'
+    });
+
+    new DnsValidatedCertificate(stack, 'Cert', {
+      domainName: 'example.com',
+      hostedZone: exampleDotComZone,
+    });
+
+    expect(stack).to(haveResource('AWS::CloudFormation::CustomResource', {
+        ServiceToken: {
+        'Fn::GetAtt': [
+          'CertCertificateRequestorFunction98FDF273',
+          'Arn'
+          ]
+        },
+        DomainName: 'example.com',
+        HostedZoneId: {
+          Ref: 'ExampleDotCom4D1B83AA'
+        }
+      }));
+    test.done();
+  },
 };