Merge pull request #975 from pepperize/fix/remove-TagManager-tags-to-restore-compatibility-with-newer-CDK-versions

fix: remove TagManager-generated tags to prevent Route53 validation e…

Author: pflorek

LICENSE

@@ -54,7 +54,7 @@ export class AlarmHealthCheck extends HealthCheckBase {
         insufficientDataHealthStatus: insufficientDataHealthStatus,
         type: HealthCheckType.CLOUDWATCH_METRIC,
       },
-      healthCheckTags: this.tags.renderedTags,
+      healthCheckTags: this.resolveSafeTags(),
     });
 
     this.healthCheckId = resource.attrHealthCheckId;

src/alarm-health-check.ts

@@ -58,7 +58,7 @@ export class CalculatedHealthCheck extends HealthCheckBase {
         healthThreshold: props.healthThreshold,
         type: HealthCheckType.CALCULATED,
       },
-      healthCheckTags: this.tags.renderedTags,
+      healthCheckTags: this.resolveSafeTags(),
     });
 
     this.healthCheckId = resource.attrHealthCheckId;

src/calculated-health-check.ts

@@ -158,7 +158,7 @@ export class EndpointHealthCheck extends HealthCheckBase {
         measureLatency: props.latencyGraphs,
         regions: props.regions,
       },
-      healthCheckTags: this.tags.renderedTags,
+      healthCheckTags: this.resolveSafeTags(),
     });
 
     this.healthCheckId = resource.attrHealthCheckId;

src/endpoint-health-check.ts

@@ -1,4 +1,4 @@
-import { ITaggable, Resource, TagManager, TagType } from "aws-cdk-lib";
+import { IResolvable, ITaggable, Lazy, Resource, TagManager, TagType, Token } from "aws-cdk-lib";
 import * as cloudwatch from "aws-cdk-lib/aws-cloudwatch";
 import * as route53 from "aws-cdk-lib/aws-route53";
 import { RecordSet } from "aws-cdk-lib/aws-route53";
@@ -85,6 +85,28 @@ export abstract class HealthCheckBase extends Resource implements IHealthCheck,
 
   readonly tags = new TagManager(TagType.STANDARD, "AWS::Route53::HealthCheck");
 
+  protected resolveSafeTags(): route53.CfnHealthCheck.HealthCheckTagProperty[] | IResolvable {
+    return Lazy.any({
+      produce: () => {
+        const raw = this.tags.renderedTags;
+
+        if (Token.isUnresolved(raw)) {
+          return raw;
+        }
+
+        const arr = raw as unknown as route53.CfnHealthCheck.HealthCheckTagProperty[];
+
+        function isSafeString(v: unknown) {
+          if (typeof v !== "string") return false;
+          const allowed = /^[a-zA-Z0-9 _.:\/=+\-@]+$/;
+          return allowed.test(v) && !v.includes("${") && !v.includes("}") && !v.includes("$");
+        }
+
+        return arr.filter((t) => isSafeString(t.value)).map((t) => ({ key: t.key!, value: t.value! }));
+      },
+    });
+  }
+
   failover(recordSet: RecordSet, evaluateTargetHealth?: boolean, failover?: Failover) {
     const resource = recordSet.node.defaultChild;