[aws-certificatemanager] validationDomains does not need to be supplied for PCA certificates

[mifisignal]

When using tokens for domain names, attempting to create a new ACM certificate throws the error:

When using Tokens for domain names, 'validationDomains' needs to be supplied

This makes sense when generating a public certificate, but not for a private certificate issued by Private Certificate Authority (PCA) since these certificates are not validated.

Reproduction Steps

    const serviceCertificate = new acm.Certificate(
      this,
      "ServiceCertificate",
      {
        domainName: `${sdService.serviceName}.${namespace.namespaceName}`,
      }
    );
    // App Mesh Gateways and Virtual Nodes can only use PCA or file-backed certificates
    (serviceCertificate.node
      .defaultChild as cdk.CfnResource).addPropertyOverride(
      "CertificateAuthorityArn",
      CertificateAuthorityArn
    );

What did you expect to happen?

What actually happened?

Environment

• CLI Version : 1.61.1
• Framework Version: 1.61.1
• Node.js Version: 12.18.1
• OS : MacOS Catalina
• Language (Version): TypeScript

---

This is 🐛 Bug Report

[mifisignal]

Additionally, if a tokens are not used in the code, CDK nevertheless will auto-inject domain validation properties which can fail textual validation if the domain name does not have a dot in it.

Example:

"ServiceCertificateXXXXX": {
      "Type": "AWS::CertificateManager::Certificate",
      "Properties": {
        "DomainName": "app.test",
        "CertificateAuthorityArn": "arn:aws:acm-pca:us-east-2:xxxxxx:certificate-authority/xxxxxx",
        "DomainValidationOptions": [
          {
            "DomainName": "app.test",
            "ValidationDomain": "test"
          }
        ],
        "ValidationMethod": "EMAIL"
      },
      "Metadata": {
        "aws:cdk:path": "xxxxx"
      }
    },

The DomainValidationOptions property should be omitted if the certificate is issued by PCA.

[njlynch]

Thanks for the report, @otterley.

At this time, the Certificate construct doesn't support PCAs, which is why you're needing to resort to escape hatches and encountering errors. I'm going to re-tag this as a feature request to track that support.

In the meantime, I'd suggest just using the underlying CfnCertificate directly, as the Certificate class isn't buying you much without the domain validation.

new CfnCertificate(this, 'ServiceCertificate', {
  certificateAuthorityArn: 'arn:aws:acm-pca:us-east-2:xxxxxx:certificate-authority/xxxxxx',
  domainName: `${sdService.serviceName}.${namespace.namespaceName}`,
});