From 101c371fc8f05b9b70cf4c9588dbbbe9324833aa Mon Sep 17 00:00:00 2001
From: Reed Hermes
Date: Wed, 11 Mar 2020 18:40:56 -0700
Subject: [PATCH] fix(acm): Allow tokens as a part of the hosted zone name
This review adds a basic check to not try and validate unresolved tokens when performing validation for the `DnsValidatedCertificate` construct. fixes #6133
---
.../lib/dns-validated-certificate.ts | 6 +++++-
.../test/test.dns-validated-certificate.ts | 19 ++++++++++++++++++-
2 files changed, 23 insertions(+), 2 deletions(-)
diff --git a/packages/@aws-cdk/aws-certificatemanager/lib/dns-validated-certificate.ts b/packages/@aws-cdk/aws-certificatemanager/lib/dns-validated-certificate.ts
index 5cfa1edb47ad1..238bc92c35ef9 100644
--- a/packages/@aws-cdk/aws-certificatemanager/lib/dns-validated-certificate.ts
+++ b/packages/@aws-cdk/aws-certificatemanager/lib/dns-validated-certificate.ts
@@ -94,7 +94,11 @@ export class DnsValidatedCertificate extends cdk.Resource implements ICertificat
 protected validate(): string[] {
 const errors: string[] = [];
 // Ensure the zone name is a parent zone of the certificate domain name
- if (this.domainName !== this.normalizedZoneName && !this.domainName.endsWith('.' + this.normalizedZoneName)) {
+ if (
+ !cdk.Token.isUnresolved(this.normalizedZoneName) &&
+ this.domainName !== this.normalizedZoneName &&
+ !this.domainName.endsWith('.' + this.normalizedZoneName)
+ ) {
 errors.push(`DNS zone ${this.normalizedZoneName} is not authoritative for certificate domain name ${this.domainName}`);
 }
 return errors;
diff --git a/packages/@aws-cdk/aws-certificatemanager/test/test.dns-validated-certificate.ts b/packages/@aws-cdk/aws-certificatemanager/test/test.dns-validated-certificate.ts
index 3b62fbc3f309b..be76466360e11 100644
--- a/packages/@aws-cdk/aws-certificatemanager/test/test.dns-validated-certificate.ts
+++ b/packages/@aws-cdk/aws-certificatemanager/test/test.dns-validated-certificate.ts
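Review bot: The new guard only covers `this.normalizedZoneName`; `this.domainName` can presumably be an unresolved token too (it is a string prop like the zone name), and in that case the hunk's `this.domainName.endsWith('.' + this.normalizedZoneName)` runs against the token's placeholder text and pushes a spurious "is not authoritative" error. Extend the condition with `!cdk.Token.isUnresolved(this.domainName) &&` next to the existing `isUnresolved` check. Whenever either name is a token the synth-time parent-zone check is skipped entirely, so a misconfigured zone is only caught at deploy time by the DNS validation; a comment above the `if` should say so, e.g. `// Skip the parent-zone check when the zone name is a token: it can only be evaluated on concrete strings, so a mismatch surfaces at deploy time instead of synth time.` validate() lies fully inside the hunk, but how normalizedZoneName is derived from the hosted zone is outside it.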
@@ -1,7 +1,7 @@
 import { expect, haveResource } from '@aws-cdk/assert';
 import * as iam from '@aws-cdk/aws-iam';
 import { HostedZone, PublicHostedZone } from '@aws-cdk/aws-route53';
-import { App, Stack } from '@aws-cdk/core';
+import { App, Stack, Token } from '@aws-cdk/core';
 import { Test } from 'nodeunit';
 import { DnsValidatedCertificate } from '../lib/dns-validated-certificate';
@@ -98,6 +98,23 @@ export = {
 test.done();
 },
+ 'does not try to validate unresolved tokens'(test: Test) {
+ const stack = new Stack();
+
+ const helloDotComZone = new PublicHostedZone(stack, 'HelloDotCom', {
+ zoneName: Token.asString('hello.com')
+ });
+
+ new DnsValidatedCertificate(stack, 'Cert', {
+ domainName: 'hello.com',
+ hostedZone: helloDotComZone
+ });
+
+ // a bit of a hack: expect(stack) will trigger validation.
+ test.doesNotThrow(() => expect(stack), /DNS zone hello.com is not authoritative for certificate domain name example.com/);
+ test.done();
+ },
+
 'test root certificate'(test: Test) {
 const stack = new Stack();