Skip to content

chore(certificatemanager): add domain name format validation to Certificate construct #35302

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 7 commits into
base: main
Choose a base branch
from
Open

chore(certificatemanager): add domain name format validation to Certificate construct #35302

wants to merge 7 commits into from

Conversation

@pahud
Copy link
Contributor

@pahud pahud commented Aug 22, 2025
edited
Loading

Issue # (if applicable)

Closes #35294.

Reason for this change

The AWS CDK Certificate construct currently only validates domain name length (≤64 characters) but lacks format validation at synthesis time. This causes deployment failures that could be caught early, wasting developer time and resources. AWS Certificate Manager requires domain names to match specific format requirements, and invalid formats result in ValidationException errors during deployment.

This enhancement adds synthesis-time domain name format validation using a comprehensive regex pattern based on AWS Route 53 domain name format requirements, preventing deployment failures and improving the developer experience by catching invalid domain formats early in the development cycle.

Description of changes

Core Implementation:

  • Added comprehensive domain format validation: Implemented regex-based validation using pattern /^(\*\.)?([a-zA-Z0-9]([a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?\\.)+[a-zA-Z0-9]([a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?$/ based on AWS Route 53 domain name format requirements
  • Enhanced validation scope: Extended validation to cover both domainName and subjectAlternativeNames properties
  • Preserved token handling: Maintained proper !Token.isUnresolved() checks to bypass validation for dynamic domain names
  • Added comprehensive error messages: Included clear explanations and examples of valid domain formats in error messages

Validation Rules Enforced:

  • Each label must be 1-63 characters long (per AWS Route 53 DNS domain name format requirements - "Each label can be up to 63 bytes long")
  • Labels must start and end with alphanumeric characters (a-z, A-Z, 0-9)
  • Labels can contain hyphens in the middle but not at start or end
  • Optional wildcard prefix (*.) is allowed for subdomains
  • Domain must have at least one dot (subdomain + TLD structure)
  • No consecutive dots or trailing dots allowed

What Gets Validated:

  • ✅ Standard domains: example.com, sub.example.com
  • ✅ Wildcard domains: *.example.com, *.deep.sub.example.com
  • ✅ Multi-level subdomains: deep.sub.example.com
  • ✅ Numeric labels: 123.example.com, test123.example456.com
  • ✅ Hyphens in middle: test-sub.example-domain.com
  • ❌ Invalid formats: -example.com, test-.com, sub.*.example.com, example..com, .example.com

Implementation Details:

  • Validation is added after the existing length check in the Certificate constructor
  • Follows established CDK ValidationError pattern with construct scope for consistency
  • Maintains backward compatibility - only validates cases that would fail at deployment anyway
  • Error messages provide helpful examples and clear constraint explanations

Describe any new or updated permissions being added

N/A - This change only adds synthesis-time validation and does not modify IAM permissions or resource access patterns.

Description of how you validated changes

Unit Tests (4 new test suites, 228 lines):

  1. Valid domain formats test: Covers standard domains, wildcards, subdomains, multi-level domains, numeric labels, and hyphens in middle of labels
  2. Invalid domain formats test: Tests domains starting/ending with hyphens, consecutive dots, invalid wildcards, empty labels, and missing TLD structure
  3. Regex validation within length limits test: Ensures format validation works correctly for domains within the 64-character limit
  4. Subject alternative names validation test: Verifies that all alternative domain names are properly validated
  5. Token handling test: Confirms that dynamic domains using tokens bypass validation appropriately

Test Coverage:

  • Valid cases: 10 different valid domain patterns tested
  • Invalid cases: 15+ different invalid domain patterns tested
  • Edge cases: Maximum label lengths, wildcard positioning, numeric domains, hyphen placement
  • Integration: Subject alternative names validation, token bypass behavior

Checklist

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

@aws-cdk-automation aws-cdk-automation requested a review from a team August 22, 2025 04:00
@github-actions github-actions bot added bug This issue is a bug. effort/medium Medium work item – several days of effort p2 labels Aug 22, 2025
@mergify mergify bot added the contribution/core This is a PR that came from AWS. label Aug 22, 2025
@pahud pahud marked this pull request as ready for review August 22, 2025 16:42
@pahud pahud marked this pull request as draft August 22, 2025 18:50
@pahud pahud marked this pull request as ready for review August 23, 2025 01:12
@github-actions github-actions bot mentioned this pull request Sep 1, 2025
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

bug This issue is a bug. contribution/core This is a PR that came from AWS. effort/medium Medium work item – several days of effort p2

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

aws-certificatemanager: Missing simple validation for domainName in the Certificate construct

1 participant

@pahud