aws-certificatemanager DnsValidatedCertificateHandler does not properly handle certs with SubjectAlternativeNames

[mmoulton]

A DnsValidatedCertificate will never successfully validate when SubjectAlternativeNames are present. This seems to be due to the custom resource only adding the first DomainValidationOptions record to Route53. See line 110 here. This should add a new ResourceRecordSet for every DomainValidationOptions result.

Reproduction Steps

Create a DnsValidatedCertificate and add at least one record to subjectAlternativeNames.

Environment

• CLI Version : 1.14.0
• Framework Version: 1.14.0
• OS : MacOS 10.14
• Language : Typescript

---

This is 🐛 Bug Report

[rix0rrr]

Thanks for reporting.

[pasieronen]

Furthermore, it looks like validationDomains option (which could be used to work around this, assuming all subjectAlternativeNames are under the same name) is totally ignored by DnsValidatedCertificate...

[jamiepmullan]

Any updates on this @SomayaB or @rix0rrr ?

[jamiepmullan]

@rix0rrr / @SomayaB Can we please get an update on this one?

[rix0rrr]

@jamiepmullan We don't have any concrete plans for addressing this on the short term. A PR for it would be welcomed though

[touzoku]

+1 to this bug report.

The bug is in the CustomResource function here:

record = options[0].ResourceRecord;

The code should iterate over options array (these are all domain validation options, including subjectAlternativeNames) instead of taking the first element of the array and then passing it to:

const changeBatch = await route53.changeResourceRecordSets({
    ChangeBatch: {
      Changes: [{
        Action: 'UPSERT',
        ResourceRecordSet: {
          Name: record.Name,
          Type: record.Type,
          TTL: 60,
          ResourceRecords: [{
            Value: record.Value
          }]
        }
      }]
    },
    HostedZoneId: hostedZoneId
  }).promise();

The fix is dead simple: just do a for(const option of options) { ... }

@skinny85