DnsValidatedCertificate: Tokens in the hostedZone property breaks cdk synth

[rhermes62]

🐛 Bug Report

For the DnsValidatedCertificate construct, tokens within the hostedZone property break the cdk synth with the following error:

DNS zone ${Token[Default.Parameter.Value.1234]} is not authoritative for certificate domain name mydomain.com

Ideally, the validation done in the construct should take into account tokens and not try to validate the string value of the token since, well, that is useless since it will always end up being something like ${Token[Default.Parameter.Value.1371]} opposed to the domain you would expect.

Background

We have our Route53 hosted zone deployed in us-east-1. However, we run a global service and need to be able to reference the hosted zone from any region to be able to do things like creating certificates, creating region-specific CNAMES, etc.

With that and to get past the inability to import values directly, we write the hosted zone id and name into SSM's parameter store using the StringParameter construct.

Then, whenever we need the IHostedZone reference, we leverage a custom resource (SSMParameterReader) that enables us to read parameters stored in whatever region we specify.

interface SSMParameterReaderProps {
  parameterName: string;
  region: string;
}

/**
 * A custom construct that is an AwsCustomResource that will use the provided parameterName and region
 * to make a call to SSM to retrieve the parameter's value in that region.
 *
 * This can be used alongside @aws-cdk/aws-ssm.StringParameter to reference values across regions
 */
export class SSMParameterReader extends AwsCustomResource {
  constructor(scope: Construct, name: string, props: SSMParameterReaderProps) {
    const { parameterName, region } = props;

    const ssmAwsSdkCall: AwsSdkCall = {
      service: 'SSM',
      action: 'getParameter',
      parameters: {
        Name: parameterName
      },
      region,
      physicalResourceId: Date.now().toString() // Update physical id to always fetch the latest version
    };

    super(scope, name, { onUpdate: ssmAwsSdkCall });
  }

  /**
   * Returns the string value of the parameter stored in the SSM parameter store
   */
  public getParameterValue(): string {
    return this.getData('Parameter.Value').toString();
  }
}

Using that custom resource, we can then read the hosted zone id/name and HostedZone.fromHostedZoneAttributes method.

const hostedZoneIdReader = new SSMParameterReader(this, 'Route53HostedZonedIdReader', {
  parameterName: 'ROUTE_53_HOSTED_ZONE_ID',
  region: 'us-east-1'
});
const hostedZoneId: string = hostedZoneIdReader.getParameterValue();

const hostedZoneNameReader = new SSMParameterReader(this, 'Route53HostedZoneNameReader', {
  parameterName: 'ROUTE_53_HOSTED_ZONE_NAME',
  region: 'us-east-1'
});
const hostedZoneName: string = hostedZoneNameReader.getParameterValue();

const hostedZone = HostedZone.fromHostedZoneAttributes(this, 'Route53HostedZone', { hostedZoneId, zoneName: hostedZoneName });

With this, we can then use the hostedZone like it was deployed locally. We have used this extensively for creating CNAMES and aliases in the hosted zone from any region but we ran into issues whenever we tried to use the DnsValidatedCertificate since it's validation logic doesn't take into account tokens which are what the output of custom resources get referenced as.

Environment

• CDK CLI Version: 1.20.0
• Module Version: 1.20.0
• OS: macOS Mojave
• Language: TypeScript (but likely all languages)

[rhermes62]

After looking into it, looks like the recommended way for checking for unresolved tokens like this is simply the isUnresolved method.

I'll work on getting a PR out for this so I can get unblocked.