aws_apigatewayv2: DomainName.name is no longer passed as value to ARecord

[paulie4]

What is the problem?

We used to be able to create a route53.ARecord with a recordName referencing an apigw2.DomainName.name, but that stopped working after CDK version 1.123.0 (I haven't tested 1.124.0 and 1.125.0, but it definitely stopped working in 1.126.0).

The problem is that apigw2.DomainName.name used to be passed as a value, so the route53.ARecord code could tell that the domain name was a subdomain of the Hosted Zone name, but now that the name is passed as a reference, it can't, so instead of the ARecord being for subdomain.hosted.zone.com, it does it for subdomain.hosted.zone.com.hosted.zone.com.

Reproduction Steps

import aws_cdk.aws_route53_targets as targets
from aws_cdk import core as cdk
from aws_cdk import aws_apigatewayv2 as apigw2
from aws_cdk import aws_certificatemanager as acm
from aws_cdk import aws_route53 as route53

HOSTED_ZONE_NAME = 'hosted.zone.com'
ACCOUNT = '123456789'
REGION = 'us-east-2'


class CdkTestDomnameRoute53Stack(cdk.Stack):
    def __init__(self, scope: cdk.Construct, construct_id: str, **kwargs) -> None:
        super().__init__(scope, construct_id, **kwargs)

        hostedZone = route53.HostedZone.from_lookup(self, "HZONE", domain_name=HOSTED_ZONE_NAME)

        cert = acm.DnsValidatedCertificate(
            self, 'WildcardCertificate',
            hosted_zone=hostedZone,
            domain_name=f'*.{HOSTED_ZONE_NAME}',
            validation=acm.CertificateValidation.from_dns(hosted_zone=hostedZone)
        )

        dn = apigw2.DomainName(
            self, 'DomainName',
            domain_name=f'subdomain.{HOSTED_ZONE_NAME}',
            certificate=cert
        )

        a_record = route53.ARecord(
            self, 'DnsAlias',
            record_name=dn.name,
            zone=hostedZone,
            target=route53.RecordTarget.from_alias(targets.ApiGatewayv2DomainProperties(
                dn.regional_domain_name, dn.regional_hosted_zone_id
            ))
        )

        cdk.CfnOutput(self, 'OutputDomainName', value=dn.name)
        cdk.CfnOutput(self, 'OutputDnsAlias', value=a_record.domain_name)


app = cdk.App()
env = cdk.Environment(account=ACCOUNT, region=REGION)
CdkTestDomnameRoute53Stack(app, 'CdkTestDomnameRoute53Stack', env=env)

app.synth()

What did you expect to happen?

Both OutputDomainName and OutputDnsAlias should both have the same value.

What actually happened?

Instead of subdomain.hosted.zone.com, the ARecord's domain name is subdomain.hosted.zone.com.hosted.zone.com.

CDK CLI Version

1.126.0 (build f004e1a)

Framework Version

No response

Node.js Version

v14.16.0

OS

Windows

Language

Python

Language Version

Python 3.9.6

Other information

No response

[peterwoodworth]

Looks like this is the change that broke you, the change to use the ref here was intentional. I wonder if @nija-at considered cases like these

[ppena-LiveData]

Oh yeah, ensuring proper dependency ordering is definitely important... Would it make sense for the ARecord code to notice that the reference is for a DomainName and then dig down to see what its domain name is to decide if it already includes the Hosted Zone record name or not?

[nija-at]

Hi,

Thanks for filing this bug. Unfortunately, we had to change this from a value to a reference. Changing this back would break a few more users who are now depending on the new 'Depends On' behavior.

Instead, I suggest not using domain.name reference for your Route53 record and instead passing the original value you expect there.

[ppena-LiveData]

Instead of changing it back to value from a reference, would it be hard for the ARecord code to notice that the reference is for a DomainName and then dig down to see what its domain name is to decide if it already includes the Hosted Zone record name or not?

[nija-at]

@ppena-LiveData - Since the value is a CloudFormation Ref, it would be not be possible for the CDK route53 module to determine the final value until deployment, hence, unable to perform this evaluation.

@njlynch - correct me if my statement is incorrect.

[njlynch]

Yes, and no.

The utility function that processes the given domain name doesn't do any special-casing or handling of Tokens. We could simply take Tokens at their face value, but that may be prone to introducing errors, as the domain name must be a fully-qualified domain name, including trailing ..

The somewhat unintended side-effect is that the function checks for the trailing ., and if present, accepts the value as-is:

aws-cdk/packages/@aws-cdk/aws-route53/lib/util.ts

Lines 53 to 54 in c6db91e

	if (providedName.endsWith('.')) {
	return providedName;

This means if you suffix your domain name (e.g,. '${dn.regional_domain_name}.'), it won't append the hosted zone name to it, and you'll get the result you expect.

[nija-at]

@njlynch - even if the function did handle the token case correctly, since the token resolves to a CloudFormation Ref, it would still not be able to check if the domain name includes the hosted zone. Not until during deployment, no?

[njlynch]

Correct. We'd need to define behavior such that the Token is just absolutely trusted (as I mentioned above, potentially error-prone), or build something as complex as a custom resource to validate.

[nija-at]

@ppena-LiveData - looks like this is not achievable trivially. As suggested above, the best option is to pass the domain name directly rather than reference it via domain.name.

[github-actions]

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.