fix(acm): validated certificate survives eventual consistency in serv…

…ice (#3528)

* fix(aws-certificatemanager): fixes #3527 handling describeCertificate response in DnsValidatedCertificate

* Make wait time longer to account for longer inconsistency time

* Update all the package locks

packages/@aws-cdk/aws-certificatemanager/lambda-packages/dns_validated_certificate_handler/lib/index.js

@@ -76,7 +76,7 @@ let report = function (event, context, responseStatus, physicalResourceId, respo
  */
 const requestCertificate = async function (requestId, domainName, subjectAlternativeNames, hostedZoneId, region) {
   const crypto = require('crypto');
-  const acm = new aws.ACM({region});
+  const acm = new aws.ACM({ region });
   const route53 = new aws.Route53();
   if (waiter) {
     // Used by the test suite, since waiters aren't mockable yet
@@ -96,18 +96,24 @@ const requestCertificate = async function (requestId, domainName, subjectAlterna
 
   console.log('Waiting for ACM to provide DNS records for validation...');
 
-  var describeCertResponse;
-  let attempt = 0;
-  do {
-    // Exponential backoff with jitter based on 100ms base
-    await sleep(Math.random() * (Math.pow(attempt, 2) * 100));
-    describeCertResponse = await acm.describeCertificate({
+  let record;
+  const maxAttempts = 6;
+  for (let attempt = 0; attempt < maxAttempts - 1 && !record; attempt++) {
+    const { Certificate } = await acm.describeCertificate({
       CertificateArn: reqCertResponse.CertificateArn
     }).promise();
-  } while (describeCertResponse.Certificate.DomainValidationOptions < 1 ||
-    'ResourceRecord' in describeCertResponse.Certificate.DomainValidationOptions[0] === false);
+    const options = Certificate.DomainValidationOptions || [];
 
-  const record = describeCertResponse.Certificate.DomainValidationOptions[0].ResourceRecord;
+    if (options.length > 0 && options[0].ResourceRecord) {
+      record = options[0].ResourceRecord;
+    } else {
+      // Exponential backoff with jitter based on 200ms base
+      await sleep(Math.random() * (Math.pow(2, attempt) * 200));
+    }
+  }
+  if (!record) {
+    throw new Error(`Response from describeCertificate did not contain DomainValidationOptions after ${maxAttempts} attempts.`)
+  }
 
   console.log(`Upserting DNS record into zone ${hostedZoneId}: ${record.Name} ${record.Type} ${record.Value}`);
 
@@ -158,7 +164,7 @@ const requestCertificate = async function (requestId, domainName, subjectAlterna
  * @param {string} arn The certificate ARN
  */
 const deleteCertificate = async function (arn, region) {
-  const acm = new aws.ACM({region});
+  const acm = new aws.ACM({ region });
 
   console.log(`Deleting certificate ${arn}`);