From 25948fc211644a043bf7aabe5cce5b85a5fa3a68 Mon Sep 17 00:00:00 2001
From: Reed Hermes
Date: Wed, 11 Mar 2020 18:40:56 -0700
Subject: [PATCH] fix(acm): Allow tokens as a part of the hosted zone name

This review adds a basic check to not try and validate unresolved tokens when performing validation for the `DnsValidatedCertificate` construct.

fixes #6133
---
 .../lib/dns-validated-certificate.ts | 4 ++-
 .../test/test.dns-validated-certificate.ts | 29 ++++++++++++++++---
 2 files changed, 28 insertions(+), 5 deletions(-)

diff --git a/packages/@aws-cdk/aws-certificatemanager/lib/dns-validated-certificate.ts b/packages/@aws-cdk/aws-certificatemanager/lib/dns-validated-certificate.ts
index e1aa72e2f61b2..baf38db074020 100644
--- a/packages/@aws-cdk/aws-certificatemanager/lib/dns-validated-certificate.ts
+++ b/packages/@aws-cdk/aws-certificatemanager/lib/dns-validated-certificate.ts
@@ -109,7 +109,9 @@ export class DnsValidatedCertificate extends cdk.Resource implements ICertificat
   protected validate(): string[] {
     const errors: string[] = [];
     // Ensure the zone name is a parent zone of the certificate domain name
-    if (this.domainName !== this.normalizedZoneName && !this.domainName.endsWith('.' + this.normalizedZoneName)) {
+    if (!cdk.Token.isUnresolved(this.normalizedZoneName) &&
+      this.domainName !== this.normalizedZoneName &&
+      !this.domainName.endsWith('.' + this.normalizedZoneName)) {
       errors.push(`DNS zone ${this.normalizedZoneName} is not authoritative for certificate domain name ${this.domainName}`);
     }
     return errors;
diff --git a/packages/@aws-cdk/aws-certificatemanager/test/test.dns-validated-certificate.ts b/packages/@aws-cdk/aws-certificatemanager/test/test.dns-validated-certificate.ts
index 45bc6c1b5e1f8..50c4e6e9d0faa 100644
--- a/packages/@aws-cdk/aws-certificatemanager/test/test.dns-validated-certificate.ts
+++ b/packages/@aws-cdk/aws-certificatemanager/test/test.dns-validated-certificate.ts
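Review bot: The new guard skips the authoritative-zone check only when `normalizedZoneName` is unresolved, while `this.domainName` on the `!==` and `endsWith` lines is still compared as a plain string; if a caller can pass a token as `domainName` (its declaration is not visible in this hunk), the comparison runs against the token's placeholder text and reports a spurious "not authoritative" error. Guarding both operands keeps the check honest: `if (!cdk.Token.isUnresolved(this.normalizedZoneName) && !cdk.Token.isUnresolved(this.domainName) &&`. The existing comment should also record that the check is now best-effort, e.g. `// Skipped when the zone name is an unresolved token: it can only be checked at deploy time, so a non-authoritative zone will surface there instead of at synth.` The closing brace of validate() lies outside the hunk.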
@@ -1,7 +1,7 @@
-import { expect, haveResource } from '@aws-cdk/assert';
+import { expect, haveResource, SynthUtils } from '@aws-cdk/assert';
 import * as iam from '@aws-cdk/aws-iam';
 import { HostedZone, PublicHostedZone } from '@aws-cdk/aws-route53';
-import { App, Stack } from '@aws-cdk/core';
+import { App, Stack, Token } from '@aws-cdk/core';
 import { Test } from 'nodeunit';
 import { DnsValidatedCertificate } from '../lib/dns-validated-certificate';
@@ -93,8 +93,29 @@ export = {
       hostedZone: helloDotComZone,
     });
-    // a bit of a hack: expect(stack) will trigger validation.
-    test.throws(() => expect(stack), /DNS zone hello.com is not authoritative for certificate domain name example.com/);
+    test.throws(() => {
+      SynthUtils.synthesize(stack);
+    }, /DNS zone hello.com is not authoritative for certificate domain name example.com/);
+
+    test.done();
+  },
+
+  'does not try to validate unresolved tokens'(test: Test) {
+    const stack = new Stack();
+
+    const helloDotComZone = new PublicHostedZone(stack, 'HelloDotCom', {
+      zoneName: Token.asString('hello.com')
+    });
+
+    new DnsValidatedCertificate(stack, 'Cert', {
+      domainName: 'hello.com',
+      hostedZone: helloDotComZone
+    });
+
+    test.doesNotThrow(() => {
+      SynthUtils.synthesize(stack);
+    });
+
     test.done();
   },
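Review bot: The new 'does not try to validate unresolved tokens' case may not exercise the token branch at all: as far as I recall, `Token.asString(value)` returns a value that is already a string unchanged, so `zoneName` stays the literal `'hello.com'`, and because `domainName` is also `'hello.com'` the `doesNotThrow` assertion would pass even without the fix. Producing the zone name lazily yields a genuine unresolved token: `zoneName: Lazy.stringValue({ produce: () => 'hello.com' })`, with `Lazy` added to the `@aws-cdk/core` import in the first hunk. With a real token in place the old code would have failed this case, which is what makes the test a regression guard.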