chore: flag if mtls set but domain record not enabled

Author: tstephen-nhs

packages/cdkConstructs/src/constructs/RestApiGateway.ts

@@ -42,7 +42,7 @@ export interface RestApiGatewayProps {
   readonly stackName: string
   /** Shared retention period for API and deployment-related log groups. */
   readonly logRetentionInDays: number
-  /** Truststore object key to enable mTLS; leave undefined to disable mTLS. */
+  /** Truststore object key to enable mTLS; leave undefined to disable mTLS or when enableServiceDomain is false. */
   readonly mutualTlsTrustStoreKey: string | undefined
   /** Enables creation of a second subscription filter to forward logs to CSOC. */
   readonly forwardCsocLogs: boolean
@@ -89,6 +89,10 @@ export class RestApiGateway extends Construct {
       throw new Error("csocApiGatewayDestination must be provided when forwardCsocLogs is true")
     }
 
+    if (!enableServiceDomain && props.mutualTlsTrustStoreKey) {
+      throw new Error("mutualTlsTrustStoreKey should not be provided when enableServiceDomain is false")
+    }
+
     // Imports
     const cloudWatchLogsKmsKey = Key.fromKeyArn(
       this, "cloudWatchLogsKmsKey", ACCOUNT_RESOURCES.CloudwatchLogsKmsKeyArn)

packages/cdkConstructs/tests/constructs/RestApiGateway.test.ts

@@ -354,6 +354,30 @@ describe("RestApiGateway validation errors", () => {
       executionPolicies: [testPolicy]
     })).toThrow("csocApiGatewayDestination must be provided when forwardCsocLogs is true")
   })
+
+  test("throws when enableServiceDomain is false and mutualTlsTrustStoreKey is provided", () => {
+    const app = new App()
+    const stack = new Stack(app, "ValidationStack2")
+    const testPolicy = new ManagedPolicy(stack, "TestPolicy", {
+      description: "test execution policy",
+      statements: [
+        new PolicyStatement({
+          actions: ["lambda:InvokeFunction"],
+          resources: ["arn:aws:lambda:eu-west-2:123456789012:function:test-function"]
+        })
+      ]
+    })
+
+    expect(() => new RestApiGateway(stack, "TestApiGateway", {
+      stackName: "test-stack",
+      logRetentionInDays: 30,
+      mutualTlsTrustStoreKey: "truststore.pem",
+      forwardCsocLogs: false,
+      csocApiGatewayDestination: "",
+      executionPolicies: [testPolicy],
+      enableServiceDomain: false
+    })).toThrow("mutualTlsTrustStoreKey should not be provided when enableServiceDomain is false")
+  })
 })
 
 describe("RestApiGateway enableServiceDomain default behaviour", () => {
@@ -387,3 +411,36 @@ describe("RestApiGateway enableServiceDomain default behaviour", () => {
     template.resourceCountIs("AWS::Route53::RecordSet", 2)
   })
 })
+
+describe("RestApiGateway with enableServiceDomain false", () => {
+  test("does not create custom domain resources when enableServiceDomain is false", () => {
+    const app = new App()
+    const stack = new Stack(app, "DisableServiceDomainStack")
+    const testPolicy = new ManagedPolicy(stack, "TestPolicy", {
+      description: "test execution policy",
+      statements: [
+        new PolicyStatement({
+          actions: ["lambda:InvokeFunction"],
+          resources: ["arn:aws:lambda:eu-west-2:123456789012:function:test-function"]
+        })
+      ]
+    })
+
+    const apiGateway = new RestApiGateway(stack, "TestApiGateway", {
+      stackName: "test-stack",
+      logRetentionInDays: 30,
+      mutualTlsTrustStoreKey: undefined,
+      forwardCsocLogs: false,
+      csocApiGatewayDestination: "",
+      executionPolicies: [testPolicy],
+      enableServiceDomain: false
+    })
+
+    apiGateway.api.root.addMethod("GET")
+
+    const template = Template.fromStack(stack)
+    template.resourceCountIs("AWS::CertificateManager::Certificate", 0)
+    template.resourceCountIs("AWS::ApiGateway::DomainName", 0)
+    template.resourceCountIs("AWS::Route53::RecordSet", 0)
+  })
+})