option to include parentDomain in the cert

packages/constructs/wildcard-certificate/src/lambda/ensure-wildcard-certificate.ts

@@ -116,9 +116,13 @@ export const getDomainValidationRecords = async (arn: string, attempt: number =
 
 export const ensureWildcardCertificate = async (
   requestId: string,
-  domainMappings: { parentDomainName: string; hostedZoneId: string; roleArn?: string }[],
+  domainMappings: { parentDomainName: string; hostedZoneId: string; roleArn?: string; includeParent?: boolean }[],
 ): Promise<string> => {
-  const wildcardDomainNames = domainMappings.map(({ parentDomainName }) => `*.${parentDomainName}`)
+  const wildcardDomainNames = domainMappings
+    .map(({ parentDomainName, includeParent }) => {
+      return includeParent ? [parentDomainName, `*.${parentDomainName}`] : [`*.${parentDomainName}`]
+    })
+    .flat()
   console.log('ensureWildcardCert', wildcardDomainNames)
   const existing = await findCertificates(wildcardDomainNames)
   console.log('got existing', JSON.stringify(existing))

packages/constructs/wildcard-certificate/src/wildcard-certificate.ts

@@ -7,7 +7,13 @@ import { PolicyStatement } from 'aws-cdk-lib/aws-iam'
 import * as path from 'path'
 import { HostedZone } from 'aws-cdk-lib/aws-route53'
 
-type DetailedDomain = { domainName: string; hostedZoneArn?: string; account?: string; roleArn?: string }
+type DetailedDomain = {
+  domainName: string
+  hostedZoneArn?: string
+  account?: string
+  roleArn?: string
+  includeParent?: boolean
+}
 type Domain = DetailedDomain | string
 export interface WildcardCertificateProps {
   domains: Domain[]

packages/constructs/wildcard-certificate/tests/lambda.test.ts

@@ -159,6 +159,82 @@ describe('wildcard-certificate', () => {
     expect(result.Data.certificateArn).toBe('cert-arn')
   })
 
+  it('should include the parent domain in the cert if told to', async () => {
+    acmMock.on(ListCertificatesCommand).resolves({
+      CertificateSummaryList: [],
+    })
+    acmMock.on(RequestCertificateCommand).resolves({
+      CertificateArn: 'cert-arn',
+    })
+    acmMock.on(DescribeCertificateCommand).resolves({
+      Certificate: {
+        DomainValidationOptions: [
+          {
+            ValidationStatus: 'SUCCESS',
+            DomainName: '',
+            ResourceRecord: {
+              Name: 'first-record-name.asdf.com',
+              Type: 'TXT',
+              Value: 'first-record-value',
+            },
+          },
+          {
+            ValidationStatus: 'SUCCESS',
+            DomainName: '',
+            ResourceRecord: {
+              Name: 'second-record-name.qwerty.com',
+              Type: 'TXT',
+              Value: 'second-record-value',
+            },
+          },
+        ],
+      },
+    })
+
+    route53Mock.on(ChangeResourceRecordSetsCommand).resolves({
+      ChangeInfo: {
+        Id: 'change-batch-id',
+        Status: 'INSYNC',
+        SubmittedAt: new Date(),
+      },
+    })
+
+    route53Mock.on(GetChangeCommand).resolves({
+      ChangeInfo: {
+        Id: 'change-batch-id',
+        Status: 'INSYNC',
+        SubmittedAt: new Date(),
+      },
+    })
+
+    const result = await onEvent(
+      genEvent('Create', [
+        {
+          parentDomainName: 'asdf.com',
+          hostedZoneId: '123',
+          includeParent: true,
+        },
+        {
+          parentDomainName: 'qwerty.com',
+          hostedZoneId: '456',
+          includeParent: true,
+        },
+      ]),
+    )
+
+    expect(acmMock).toHaveReceivedCommandWith(RequestCertificateCommand, {
+      DomainName: 'asdf.com',
+      SubjectAlternativeNames: ['asdf.com', '*.asdf.com', 'qwerty.com', '*.qwerty.com'],
+    })
+
+    if (!result.Data) {
+      throw new Error('no result data')
+    }
+    expect(result.Data).toBeDefined()
+    expect(result.Data).toHaveProperty('certificateArn')
+    expect(result.Data.certificateArn).toBe('cert-arn')
+  })
+
   it('should return a cert if it already exists', async () => {
     acmMock.on(ListCertificatesCommand).resolves({
       CertificateSummaryList: [