🐛 fix(certificates): correctly validate multi-zone certificates and handle naming of zones

Author: sladg

Diff for: README.md

@@ -6,6 +6,7 @@ This is an alternative to existing Lambda@Edge implementation ([see](https://www
 
 This library uses Cloudfront, S3, ApiGateway and Lambdas to deploy easily in seconds (hotswap supported).
 
+Multiple domains can be specified within CLI and Routing as well as Certificates are handled automatically.
 
 ## TL;DR
 - In your NextJS project, set output to standalone.

Diff for: lib/cdk/app.ts

@@ -10,19 +10,19 @@ const app = new App()
 const commandCwd = process.cwd()
 
 new NextStandaloneStack(app, envConfig.stackName, {
-	// NextJS lambda specific config
+	// NextJS lambda specific config.
 	assetsZipPath: path.resolve(commandCwd, './next.out/assetsLayer.zip'),
 	codeZipPath: path.resolve(commandCwd, './next.out/code.zip'),
 	dependenciesZipPath: path.resolve(commandCwd, './next.out/dependenciesLayer.zip'),
 	customServerHandler: 'index.handler',
 
-	// Image lambda specific config
+	// Image lambda specific config.
 	imageHandlerZipPath: optimizerCodePath,
 	imageLayerZipPath: optimizerLayerPath,
 	imageLambdaHash: `${name}_${version}`,
 	customImageHandler: handler,
 
-	// Lambda & AWS config
+	// Lambda & AWS config.
 	apigwServerPath: '/_server',
 	apigwImagePath: '/_image',
 

Diff for: lib/cdk/stack.ts

@@ -23,7 +23,7 @@ export class NextStandaloneStack extends Stack {
 	assetsBucket?: Bucket
 	cfnDistro?: IDistribution
 	cfnCertificate?: ICertificate
-	domains: MappedDomain[]
+	domains: MappedDomain[] = []
 
 	constructor(scope: App, id: string, config: CustomStackProps) {
 		super(scope, id, config)
@@ -68,6 +68,8 @@ export class NextStandaloneStack extends Stack {
 				domains: config.domainNames,
 				profile: config.awsProfile,
 			})
+
+			console.log("Domains's config:", this.domains)
 		}
 
 		if (this.domains.length > 0) {

Diff for: lib/cdk/types.ts

@@ -18,14 +18,15 @@ export interface CustomStackProps extends StackProps {
 	lambdaRuntime: Runtime
 	imageLambdaTimeout?: number
 	imageLambdaMemory?: number
-	domainNames: string[]
 	redirectFromApex: boolean
-	awsProfile?: string
 	customApiDomain?: string
+	certificateArn?: string
+	domainNames: string[]
+	awsProfile?: string
 }
 
 export interface MappedDomain {
-	recordName: string
+	recordName?: string
 	domain: string
 	zone: IHostedZone
 }

Diff for: lib/cdk/utils/cfnCertificate.ts

@@ -1,5 +1,5 @@
 import { CfnOutput, Stack } from 'aws-cdk-lib'
-import { Certificate, CertificateValidation } from 'aws-cdk-lib/aws-certificatemanager'
+import { CertificateValidation, DnsValidatedCertificate } from 'aws-cdk-lib/aws-certificatemanager'
 import { MappedDomain } from '../types'
 
 export interface SetupCfnCertificateProps {
@@ -11,13 +11,18 @@ export const setupCfnCertificate = (scope: Stack, { domains }: SetupCfnCertifica
 
 	// us-east-1 is needed for Cloudfront to accept certificate.
 	// https://github.com/aws/aws-cdk/issues/8934
-	const multiZoneMap = domains.reduce((acc, curr) => ({ ...acc, [curr.domain]: curr.zone }), {})
+	const multiZoneMap = otherDomains.reduce((acc, curr) => ({ ...acc, [curr.domain]: curr.zone }), {})
 
-	const certificate = new Certificate(scope, 'Certificate', {
-		domainName: firstDomain.domain,
+	const easyCheck = domains.reduce((acc, curr) => ({ ...acc, [curr.domain]: curr.zone.zoneName }), {})
 
+	// We need to stick with DNSValidatedCertificate for now, because Certificate construct does not support region specifiation.
+	// So we would need to manage two different stacks and create certificate in us-east-1 with second stack.
+	const certificate = new DnsValidatedCertificate(scope, 'Certificate', {
+		domainName: firstDomain.domain,
+		hostedZone: firstDomain.zone,
 		subjectAlternativeNames: otherDomains.map((a) => a.domain),
 		validation: CertificateValidation.fromDnsMultiZone(multiZoneMap),
+		region: 'us-east-1',
 	})
 
 	new CfnOutput(scope, 'certificateArn', { value: certificate.certificateArn })

Diff for: lib/cdk/utils/dnsRecords.ts

@@ -45,19 +45,21 @@ const matchDomainToHostedZone = (domainToMatch: string, zones: string[]) => {
 		throw new Error(`No hosted zone found for domain: ${domainToMatch}`)
 	}
 
-	return matchedZone.replace('/.$/', '')
+	// Remove trailing dot
+	return matchedZone.endsWith('.') ? matchedZone.slice(0, -1) : matchedZone
 }
 
 export const prepareDomains = (scope: Stack, { domains, profile }: PrepareDomainProps): MappedDomain[] => {
 	const zones = getAvailableHostedZones(profile)
 
 	return domains.map((domain, index) => {
 		const hostedZone = matchDomainToHostedZone(domain, zones)
-		const recordName = domain.replace(hostedZone, '')
-
+		const subdomain = domain.replace(hostedZone, '')
+		const recordName = subdomain.endsWith('.') ? subdomain.slice(0, -1) : subdomain
 		const zone = HostedZone.fromLookup(scope, `Zone_${index}`, { domainName: hostedZone })
 
-		return { zone, recordName, domain }
+		// Returning additional info, useful for debugging
+		return { zone, recordName, domain, subdomain, hostedZone }
 	})
 }
 

Diff for: lib/cdk/utils/redirect.ts

@@ -10,7 +10,7 @@ export const setupApexRedirect = (scope: Stack, { domain }: SetupApexRedirectPro
 	new HttpsRedirect(scope, `ApexRedirect`, {
 		// Currently supports only apex (root) domain.
 		zone: domain.zone,
-		targetDomain: domain.recordName,
+		targetDomain: domain.domain,
 	})
 
 	new CfnOutput(scope, 'RedirectFrom', { value: domain.zone.zoneName })

Diff for: lib/cli.ts

@@ -60,7 +60,7 @@ program
 	.option('--imageLambdaTimeout <sec>', 'Set timeout for lambda function handling image optimization.', Number, IMAGE_LAMBDA_DEFAULT_TIMEOUT)
 	.option('--imageLambdaMemory <mb>', 'Set memory for lambda function handling image optimization.', Number, IMAGE_LAMBDA_DEFAULT_MEMORY)
 	.option('--lambdaRuntime <runtime>', "Specify version of NodeJS to use as Lambda's runtime. Options: node14, node16, node18.", 'node16')
-	.option('--domains <domainList>', 'Comma-separated list of domains to use. (example: mydomain.com,mydonain.au,other.domain.com)', undefined)
+	.option('--domainNames <domainList>', 'Comma-separated list of domains to use. (example: mydomain.com,mydonain.au,other.domain.com)', undefined)
 	.option('--customApiDomain <domain>', 'Domain to forward the requests to /api routes, by default API routes will be handled by the server lambda.', undefined)
 	.option('--redirectFromApex', 'Redirect from apex domain to specified address.', false)
 	.option('--profile <name>', 'AWS profile to use with CDK.', undefined)
@@ -79,7 +79,7 @@ program
 			imageLambdaTimeout,
 			customApiDomain,
 			redirectFromApex,
-			domains,
+			domainNames,
 			hotswap,
 			profile,
 		} = options
@@ -97,7 +97,7 @@ program
 				imageLambdaTimeout,
 				customApiDomain,
 				redirectFromApex,
-				domains,
+				domainNames,
 				hotswap,
 				profile,
 			}),

Diff for: lib/cli/deploy.ts

@@ -11,7 +11,7 @@ interface Props {
 	imageLambdaMemory?: number
 	imageLambdaTimeout?: number
 	customApiDomain?: string
-	domains?: string
+	domainNames?: string
 	redirectFromApex?: boolean
 	profile?: string
 	hotswap: boolean
@@ -29,7 +29,7 @@ export const deployHandler = async ({
 	lambdaRuntime,
 	imageLambdaMemory,
 	imageLambdaTimeout,
-	domains,
+	domainNames,
 	customApiDomain,
 	redirectFromApex,
 	hotswap,
@@ -56,7 +56,7 @@ export const deployHandler = async ({
 		...(lambdaRuntime && { LAMBDA_RUNTIME: lambdaRuntime.toString() }),
 		...(imageLambdaMemory && { IMAGE_LAMBDA_MEMORY: imageLambdaMemory.toString() }),
 		...(imageLambdaTimeout && { IMAGE_LAMBDA_TIMEOUT: imageLambdaTimeout.toString() }),
-		...(domains && { DOMAINS: domains }),
+		...(domainNames && { DOMAIN_NAMES: domainNames }),
 		...(customApiDomain && { CUSTOM_API_DOMAIN: customApiDomain }),
 		...(redirectFromApex && { REDIRECT_FROM_APEX: redirectFromApex.toString() }),
 	}

Diff for: lib/index.ts

@@ -4,30 +4,33 @@ export { NextStandaloneStack } from './cdk/stack'
 export { CustomStackProps } from './cdk/types'
 
 import { SetupApiGwProps, setupApiGateway } from './cdk/utils/apiGw'
-import { SetupCfnCertificateProps, setupCfnCertificate } from './cdk/utils/cfnCertificate'
+import { setupCfnCertificate, SetupCfnCertificateProps } from './cdk/utils/cfnCertificate'
 import { SetupCfnDistroProps, setupCfnDistro } from './cdk/utils/cfnDistro'
 import { SetupImageLambdaProps, setupImageLambda } from './cdk/utils/imageLambda'
 import { SetupServerLambdaProps, setupServerLambda } from './cdk/utils/serverLambda'
 import { UploadAssetsProps, setupAssetsBucket, uploadStaticAssets } from './cdk/utils/s3'
-import { SetupDnsRecordsProps, setupDnsRecords } from './cdk/utils/dnsRecords'
+import { SetupDnsRecordsProps, setupDnsRecords, prepareDomains, PrepareDomainProps } from './cdk/utils/dnsRecords'
 
 export const CdkUtils = {
 	setupApiGateway,
-	setupCfnCertificate,
 	setupAssetsBucket,
+	setupCfnCertificate,
 	setupCfnDistro,
 	setupDnsRecords,
 	setupImageLambda,
 	setupServerLambda,
 	uploadStaticAssets,
+	prepareDomains,
 }
 
 export {
+	//
 	SetupApiGwProps,
-	SetupCfnCertificateProps,
 	SetupCfnDistroProps,
+	SetupCfnCertificateProps,
 	SetupImageLambdaProps,
 	SetupServerLambdaProps,
 	UploadAssetsProps,
 	SetupDnsRecordsProps,
+	PrepareDomainProps,
 }