From cff8f68890e393bd4dbf654abfed08e7bce79f5d Mon Sep 17 00:00:00 2001 From: Connor Avery <214469360+connoravo-nhs@users.noreply.github.com> Date: Thu, 16 Apr 2026 10:11:44 +0000 Subject: [PATCH 01/10] Adjust rest api gateway to work around mTLS naming issues where required --- .../cdkConstructs/src/constructs/RestApiGateway.ts | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/packages/cdkConstructs/src/constructs/RestApiGateway.ts b/packages/cdkConstructs/src/constructs/RestApiGateway.ts index 16918400..079f0ac6 100644 --- a/packages/cdkConstructs/src/constructs/RestApiGateway.ts +++ b/packages/cdkConstructs/src/constructs/RestApiGateway.ts @@ -40,6 +40,8 @@ import {addSuppressions} from "../utils/helpers" export interface RestApiGatewayProps { /** Stack name, used as prefix for resource naming and DNS records. */ readonly stackName: string + /** Stack UUID, used as a unique identifier for the stack. Optional */ + readonly stackUUID?: string /** Shared retention period for API and deployment-related log groups. */ readonly logRetentionInDays: number /** Truststore object key to enable mTLS; leave undefined to disable mTLS or when enableServiceDomain is false. */ @@ -56,6 +58,14 @@ export interface RestApiGatewayProps { readonly enableServiceDomain?: boolean } +const function getTrustStoreKeyPrefix(stackName: string, stackUUID?: string) { + if (stackUUID) { + return `cpt-api/${stackName}-${stackUUID}-truststore` + } else { + return `cpt-api/${props.stackName}-truststore` + } +} + /** Creates a regional REST API with standard logging, DNS, and optional mTLS/CSOC integration. */ export class RestApiGateway extends Construct { /** Created API Gateway instance. */ 
@@ -158,7 +168,7 @@ export class RestApiGateway extends Construct { let mtlsConfig: MTLSConfig | undefined if (enableServiceDomain && props.mutualTlsTrustStoreKey) { - const trustStoreKeyPrefix = `cpt-api/${props.stackName}-truststore` + const trustStoreKeyPrefix = getTrustStoreKeyPrefix(props.stackName, props.stackUUID) const logGroup = new LogGroup(this, "LambdaLogGroup", { encryptionKey: cloudWatchLogsKmsKey, logGroupName: `/aws/lambda/${props.stackName}-truststore-deployment`, From 15359f9aaf857a4021e917ba399d32f9f491a5d4 Mon Sep 17 00:00:00 2001 From: Connor Avery <214469360+connoravo-nhs@users.noreply.github.com> Date: Thu, 16 Apr 2026 10:12:01 +0000 Subject: [PATCH 02/10] Adjust function --- packages/cdkConstructs/src/constructs/RestApiGateway.ts | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/packages/cdkConstructs/src/constructs/RestApiGateway.ts b/packages/cdkConstructs/src/constructs/RestApiGateway.ts index 079f0ac6..4a602660 100644 --- a/packages/cdkConstructs/src/constructs/RestApiGateway.ts +++ b/packages/cdkConstructs/src/constructs/RestApiGateway.ts @@ -58,11 +58,11 @@ export interface RestApiGatewayProps { readonly enableServiceDomain?: boolean } -const function getTrustStoreKeyPrefix(stackName: string, stackUUID?: string) { +const getTrustStoreKeyPrefix = (stackName: string, stackUUID?: string) => { if (stackUUID) { return `cpt-api/${stackName}-${stackUUID}-truststore` } else { - return `cpt-api/${props.stackName}-truststore` + return `cpt-api/${stackName}-truststore` } } From dbb6e4fb7c862f0451a0840951a33662c016a568 Mon Sep 17 00:00:00 2001 From: Connor Avery <214469360+connoravo-nhs@users.noreply.github.com> Date: Thu, 16 Apr 2026 10:21:42 +0000 Subject: [PATCH 03/10] Add tests Signed-off-by: Connor Avery <214469360+connoravo-nhs@users.noreply.github.com> --- .../tests/constructs/RestApiGateway.test.ts | 35 +++++++++++++++++++ 1 file changed, 35 insertions(+) 
diff --git a/packages/cdkConstructs/tests/constructs/RestApiGateway.test.ts b/packages/cdkConstructs/tests/constructs/RestApiGateway.test.ts index 02b1538a..1d047d6d 100644 --- a/packages/cdkConstructs/tests/constructs/RestApiGateway.test.ts +++ b/packages/cdkConstructs/tests/constructs/RestApiGateway.test.ts @@ -344,6 +344,41 @@ describe("RestApiGateway with mTLS", () => { }) }) +describe("RestApiGateway with mTLS and stackUUID", () => { + test("uses stackUUID in trust store deployment key prefix", () => { + const app = new App() + const stack = new Stack(app, "RestApiGatewayStackWithUuid") + + const testPolicy = new ManagedPolicy(stack, "TestPolicy", { + description: "test execution policy", + statements: [ + new PolicyStatement({ + actions: ["lambda:InvokeFunction"], + resources: ["arn:aws:lambda:eu-west-2:123456789012:function:test-function"] + }) + ] + }) + + const apiGateway = new RestApiGateway(stack, "TestApiGateway", { + stackName: "test-stack", + stackUUID: "f47ac10b", + logRetentionInDays: 30, + mutualTlsTrustStoreKey: "truststore.pem", + forwardCsocLogs: false, + csocApiGatewayDestination: "", + executionPolicies: [testPolicy], + enableServiceDomain: true + }) + + apiGateway.api.root.addMethod("GET") + + const template = Template.fromStack(stack) + template.hasResourceProperties("Custom::CDKBucketDeployment", { + DestinationKeyPrefix: "cpt-api/test-stack-f47ac10b-truststore" + }) + }) +}) + describe("RestApiGateway validation errors", () => { test("throws when forwardCsocLogs is true and csocApiGatewayDestination is empty string", () => { const app = new App() From 2eda01c806fee2b5423214d04fe6d4003f8c2e0c Mon Sep 17 00:00:00 2001 From: Connor Avery <214469360+connoravo-nhs@users.noreply.github.com> Date: Thu, 16 Apr 2026 10:26:17 +0000 Subject: [PATCH 04/10] Add tests Signed-off-by: Connor Avery <214469360+connoravo-nhs@users.noreply.github.com> --- .../tests/constructs/RestApiGateway.test.ts | 32 +++++++++++++++++++ 1 file changed, 32 insertions(+) 
diff --git a/packages/cdkConstructs/tests/constructs/RestApiGateway.test.ts b/packages/cdkConstructs/tests/constructs/RestApiGateway.test.ts index 1d047d6d..161369b8 100644 --- a/packages/cdkConstructs/tests/constructs/RestApiGateway.test.ts +++ b/packages/cdkConstructs/tests/constructs/RestApiGateway.test.ts @@ -346,6 +346,17 @@ describe("RestApiGateway with mTLS", () => { describe("RestApiGateway with mTLS and stackUUID", () => { test("uses stackUUID in trust store deployment key prefix", () => { + interface ManagedPolicyResource { + Properties?: { + PolicyDocument?: { + Statement?: Array<{ + Action?: Array + Resource?: string | Array + }> + } + } + } + const app = new App() const stack = new Stack(app, "RestApiGatewayStackWithUuid") @@ -376,6 +387,27 @@ describe("RestApiGateway with mTLS and stackUUID", () => { template.hasResourceProperties("Custom::CDKBucketDeployment", { DestinationKeyPrefix: "cpt-api/test-stack-f47ac10b-truststore" }) + + const policies = template.findResources("AWS::IAM::ManagedPolicy") + const expectedTrustStoreObjectPath = + "cpt-api/test-stack-f47ac10b-58cc-4372-a567-0e02b2c3d479-truststore/truststore.pem" + + const hasExpectedTrustStorePath = Object.values(policies).some((policy) => { + const statements = (policy as ManagedPolicyResource).Properties?.PolicyDocument?.Statement ?? [] + return statements.some((statement) => { + if (!statement.Action?.includes("s3:PutObject")) { + return false + } + + const resources = Array.isArray(statement.Resource) + ? statement.Resource + : (statement.Resource ? [statement.Resource] : []) + + return resources.some((resource) => resource.includes(expectedTrustStoreObjectPath)) + }) + }) + + expect(hasExpectedTrustStorePath).toBe(true) }) }) From 5300eb639008d274934919fad089ff915fb4f201 Mon Sep 17 00:00:00 2001 
From: Connor Avery <214469360+connoravo-nhs@users.noreply.github.com> Date: Thu, 16 Apr 2026 10:39:38 +0000 Subject: [PATCH 05/10] Test fixes --- .../cdkConstructs/src/constructs/RestApiGateway.ts | 8 ++++---- .../tests/constructs/RestApiGateway.test.ts | 14 ++++++++++---- 2 files changed, 14 insertions(+), 8 deletions(-) diff --git a/packages/cdkConstructs/src/constructs/RestApiGateway.ts b/packages/cdkConstructs/src/constructs/RestApiGateway.ts index 4a602660..b9e1ef57 100644 --- a/packages/cdkConstructs/src/constructs/RestApiGateway.ts +++ b/packages/cdkConstructs/src/constructs/RestApiGateway.ts @@ -41,7 +41,7 @@ export interface RestApiGatewayProps { /** Stack name, used as prefix for resource naming and DNS records. */ readonly stackName: string /** Stack UUID, used as a unique identifier for the stack. Optional */ - readonly stackUUID?: string + readonly stackUuid?: string /** Shared retention period for API and deployment-related log groups. */ readonly logRetentionInDays: number /** Truststore object key to enable mTLS; leave undefined to disable mTLS or when enableServiceDomain is false. */ @@ -58,9 +58,9 @@ export interface RestApiGatewayProps { readonly enableServiceDomain?: boolean } -const getTrustStoreKeyPrefix = (stackName: string, stackUUID?: string) => { - if (stackUUID) { - return `cpt-api/${stackName}-${stackUUID}-truststore` +const getTrustStoreKeyPrefix = (stackName: string, stackUuid?: string) => { + if (stackUuid) { + return `cpt-api/${stackName}-${stackUuid}-truststore` } else { return `cpt-api/${stackName}-truststore` } diff --git a/packages/cdkConstructs/tests/constructs/RestApiGateway.test.ts b/packages/cdkConstructs/tests/constructs/RestApiGateway.test.ts index 161369b8..4435c14b 100644 --- a/packages/cdkConstructs/tests/constructs/RestApiGateway.test.ts +++ b/packages/cdkConstructs/tests/constructs/RestApiGateway.test.ts 
@@ -351,7 +351,7 @@ describe("RestApiGateway with mTLS and stackUUID", () => { PolicyDocument?: { Statement?: Array<{ Action?: Array - Resource?: string | Array + Resource?: unknown | Array }> } } @@ -372,7 +372,7 @@ describe("RestApiGateway with mTLS and stackUUID", () => { const apiGateway = new RestApiGateway(stack, "TestApiGateway", { stackName: "test-stack", - stackUUID: "f47ac10b", + stackUUID: "f47ac10b-58cc-4372-a567-0e02b2c3d479", logRetentionInDays: 30, mutualTlsTrustStoreKey: "truststore.pem", forwardCsocLogs: false, @@ -385,7 +385,7 @@ describe("RestApiGateway with mTLS and stackUUID", () => { const template = Template.fromStack(stack) template.hasResourceProperties("Custom::CDKBucketDeployment", { - DestinationKeyPrefix: "cpt-api/test-stack-f47ac10b-truststore" + DestinationBucketKeyPrefix: "cpt-api/test-stack-f47ac10b-58cc-4372-a567-0e02b2c3d479-truststore" }) const policies = template.findResources("AWS::IAM::ManagedPolicy") @@ -403,7 +403,13 @@ describe("RestApiGateway with mTLS and stackUUID", () => { ? statement.Resource : (statement.Resource ? [statement.Resource] : []) - return resources.some((resource) => resource.includes(expectedTrustStoreObjectPath)) + return resources.some((resource) => { + if (typeof resource === "string") { + return resource.includes(expectedTrustStoreObjectPath) + } + + return JSON.stringify(resource).includes(expectedTrustStoreObjectPath) + }) }) }) From e92a0fddc933943b83c6fc2d500b842cd6650919 Mon Sep 17 00:00:00 2001 From: Connor Avery <214469360+connoravo-nhs@users.noreply.github.com> Date: Thu, 16 Apr 2026 11:25:08 +0000 Subject: [PATCH 06/10] Add contextual understanding comment Signed-off-by: Connor Avery <214469360+connoravo-nhs@users.noreply.github.com> --- packages/cdkConstructs/src/constructs/RestApiGateway.ts | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
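Review bot: In the last hunk of this file (`@@ -403,7 +403,13 @@`), the policy check only tests whether the expected path is a substring of `JSON.stringify(resource)`. It would still pass if the same `s3:PutObject` statement also listed a much broader resource. That statement appears to govern writes to the mTLS truststore object, so the test should pin the scope as well as the presence of the path. Inside the same `statements.some` callback, before the `return`, something like `expect(resources.every((r) => r !== "*")).toBe(true)` would do it, or the statement could be matched exactly with `Match.objectLike` from `aws-cdk-lib/assertions`. The enclosing `test(...)` body starts and ends outside this hunk.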
diff --git a/packages/cdkConstructs/src/constructs/RestApiGateway.ts b/packages/cdkConstructs/src/constructs/RestApiGateway.ts index b9e1ef57..7a914c3d 100644 --- a/packages/cdkConstructs/src/constructs/RestApiGateway.ts +++ b/packages/cdkConstructs/src/constructs/RestApiGateway.ts @@ -40,7 +40,8 @@ import {addSuppressions} from "../utils/helpers" export interface RestApiGatewayProps { /** Stack name, used as prefix for resource naming and DNS records. */ readonly stackName: string - /** Stack UUID, used as a unique identifier for the stack. Optional */ + /** Optional stack UUID. If set, included in the mTLS trust store key prefix to prevent collisions + * when deploying multiple stacks with the same name, avoiding AWS API Gateway mTLS key caching issues. */ readonly stackUuid?: string /** Shared retention period for API and deployment-related log groups. */ readonly logRetentionInDays: number From 9e6272093a2a7be05abba9bc66e773ed0593b686 Mon Sep 17 00:00:00 2001 From: Connor Avery <214469360+connoravo-nhs@users.noreply.github.com> Date: Thu, 16 Apr 2026 13:10:55 +0000 Subject: [PATCH 07/10] Add service name prop, adjust tests Signed-off-by: Connor Avery <214469360+connoravo-nhs@users.noreply.github.com> --- .../src/constructs/RestApiGateway.ts | 26 ++++++++----- .../tests/constructs/RestApiGateway.test.ts | 39 +++++++++++++++++-- 2 files changed, 53 insertions(+), 12 deletions(-) diff --git a/packages/cdkConstructs/src/constructs/RestApiGateway.ts b/packages/cdkConstructs/src/constructs/RestApiGateway.ts index 7a914c3d..ffabd832 100644 --- a/packages/cdkConstructs/src/constructs/RestApiGateway.ts +++ b/packages/cdkConstructs/src/constructs/RestApiGateway.ts 
@@ -40,13 +40,15 @@ import {addSuppressions} from "../utils/helpers" export interface RestApiGatewayProps { /** Stack name, used as prefix for resource naming and DNS records. */ readonly stackName: string - /** Optional stack UUID. If set, included in the mTLS trust store key prefix to prevent collisions - * when deploying multiple stacks with the same name, avoiding AWS API Gateway mTLS key caching issues. */ - readonly stackUuid?: string /** Shared retention period for API and deployment-related log groups. */ readonly logRetentionInDays: number /** Truststore object key to enable mTLS; leave undefined to disable mTLS or when enableServiceDomain is false. */ readonly mutualTlsTrustStoreKey: string | undefined + /** Required with mutualTlsTrustStoreKey. Service name, used as prefix for trust store key */ + readonly serviceName?: string | undefined + /** Optional stack UUID. If set, included in the mTLS trust store key prefix to prevent collisions + * when deploying multiple stacks with the same name, avoiding AWS API Gateway mTLS key caching issues. */ + readonly trustStoreUuuid?: string | undefined /** Enables creation of a second subscription filter to forward logs to CSOC. */ readonly forwardCsocLogs: boolean /** Destination ARN used by the optional CSOC subscription filter. */ @@ -59,11 +61,11 @@ export interface RestApiGatewayProps { readonly enableServiceDomain?: boolean } -const getTrustStoreKeyPrefix = (stackName: string, stackUuid?: string) => { - if (stackUuid) { - return `cpt-api/${stackName}-${stackUuid}-truststore` +const getTrustStoreKeyPrefix = (serviceName: string, stackName: string, trustStoreUuuid?: string) => { + if (trustStoreUuuid) { + return `${serviceName}/${stackName}-${trustStoreUuuid}-truststore` } else { - return `cpt-api/${stackName}-truststore` + return `${serviceName}/${stackName}-truststore` } } 
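Review bot: The new prop in `RestApiGatewayProps` is spelled `trustStoreUuuid`, with three u's. The same spelling is carried into `getTrustStoreKeyPrefix`, the constructor call, the TSDoc example and the tests in this commit. This is part of the construct's public props, so the misspelling becomes API that every consumer has to reproduce and that is awkward to rename after release; `readonly trustStoreUuid?: string | undefined` is the name to ship. The doc comment above it still opens with "Optional stack UUID" although the prop is no longer named after the stack, so `/** Optional trust store UUID. If set, ... */` would match the new name.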
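Review bot: In the second hunk (`@@ -59,11 +61,11 @@`), `getTrustStoreKeyPrefix` now builds the whole S3 key prefix from the caller-supplied `serviceName`, `stackName` and `trustStoreUuuid` without checking their contents. Before this commit the first path segment was the fixed literal `cpt-api`. The tests in this series look for this prefix inside an `s3:PutObject` policy resource, so a value containing `/`, `*` or `?` would presumably change which objects that statement covers, as well as where the truststore bundle is uploaded. Consider rejecting anything outside a conservative character set before interpolating, e.g. `if (!/^[A-Za-z0-9._-]+$/.test(serviceName)) throw new Error("serviceName contains unsupported characters")`, with the same check for the UUID. If these props can be unresolved CDK tokens, skip the check for those via `Token.isUnresolved`.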
@@ -80,9 +82,11 @@ export class RestApiGateway extends Construct { * @example * ```ts * const api = new RestApiGateway(this, "MyApi", { - * stackName: "my-service", + * stackName: "v1.3", * logRetentionInDays: 30, * mutualTlsTrustStoreKey: "truststore.pem", + * serviceName: "my-service", + * trustStoreUuuid: "abc123", * forwardCsocLogs: true, * csocApiGatewayDestination: "arn:aws:logs:eu-west-2:123456789012:destination:csoc", * executionPolicies: [myLambdaInvokePolicy], @@ -104,6 +108,10 @@ export class RestApiGateway extends Construct { throw new Error("mutualTlsTrustStoreKey should not be provided when enableServiceDomain is false") } + if (props.mutualTlsTrustStoreKey && !props.serviceName) { + throw new Error("serviceName must be provided when mTLS is set") + } + // Imports const cloudWatchLogsKmsKey = Key.fromKeyArn( this, "cloudWatchLogsKmsKey", ACCOUNT_RESOURCES.CloudwatchLogsKmsKeyArn) @@ -169,7 +177,7 @@ export class RestApiGateway extends Construct { let mtlsConfig: MTLSConfig | undefined if (enableServiceDomain && props.mutualTlsTrustStoreKey) { - const trustStoreKeyPrefix = getTrustStoreKeyPrefix(props.stackName, props.stackUUID) + const trustStoreKeyPrefix = getTrustStoreKeyPrefix(props.serviceName, props.stackName, props.trustStoreUuuid) const logGroup = new LogGroup(this, "LambdaLogGroup", { encryptionKey: cloudWatchLogsKmsKey, logGroupName: `/aws/lambda/${props.stackName}-truststore-deployment`, diff --git a/packages/cdkConstructs/tests/constructs/RestApiGateway.test.ts b/packages/cdkConstructs/tests/constructs/RestApiGateway.test.ts index 4435c14b..a0e96499 100644 --- a/packages/cdkConstructs/tests/constructs/RestApiGateway.test.ts +++ b/packages/cdkConstructs/tests/constructs/RestApiGateway.test.ts 
@@ -253,6 +253,7 @@ describe("RestApiGateway with mTLS", () => { stackName: "test-stack", logRetentionInDays: 30, mutualTlsTrustStoreKey: "truststore.pem", + serviceName: "cpt-api", forwardCsocLogs: false, csocApiGatewayDestination: "", executionPolicies: [testPolicy], @@ -321,6 +322,12 @@ describe("RestApiGateway with mTLS", () => { expect(Object.keys(customResources).length).toBeGreaterThan(0) }) + test("uses serviceName in trust store deployment key prefix", () => { + template.hasResourceProperties("Custom::CDKBucketDeployment", { + DestinationBucketKeyPrefix: "cpt-api/test-stack-truststore" + }) + }) + test("disables execute-api endpoint when mTLS is enabled", () => { template.hasResourceProperties("AWS::ApiGateway::RestApi", { Name: "test-stack-apigw", @@ -344,8 +351,8 @@ describe("RestApiGateway with mTLS", () => { }) }) -describe("RestApiGateway with mTLS and stackUUID", () => { - test("uses stackUUID in trust store deployment key prefix", () => { +describe("RestApiGateway with mTLS and trustStoreUuuid", () => { + test("uses trustStoreUuuid in trust store deployment key prefix", () => { interface ManagedPolicyResource { Properties?: { PolicyDocument?: { @@ -372,9 +379,10 @@ describe("RestApiGateway with mTLS and stackUUID", () => { const apiGateway = new RestApiGateway(stack, "TestApiGateway", { stackName: "test-stack", - stackUUID: "f47ac10b-58cc-4372-a567-0e02b2c3d479", logRetentionInDays: 30, mutualTlsTrustStoreKey: "truststore.pem", + serviceName: "cpt-api", + trustStoreUuuid: "f47ac10b-58cc-4372-a567-0e02b2c3d479", forwardCsocLogs: false, csocApiGatewayDestination: "", executionPolicies: [testPolicy], 
@@ -458,12 +466,37 @@ describe("RestApiGateway validation errors", () => { stackName: "test-stack", logRetentionInDays: 30, mutualTlsTrustStoreKey: "truststore.pem", + serviceName: "cpt-api", forwardCsocLogs: false, csocApiGatewayDestination: "", executionPolicies: [testPolicy], enableServiceDomain: false })).toThrow("mutualTlsTrustStoreKey should not be provided when enableServiceDomain is false") }) + + test("throws when mutualTlsTrustStoreKey is set and serviceName is missing", () => { + const app = new App() + const stack = new Stack(app, "ValidationStack3") + const testPolicy = new ManagedPolicy(stack, "TestPolicy", { + description: "test execution policy", + statements: [ + new PolicyStatement({ + actions: ["lambda:InvokeFunction"], + resources: ["arn:aws:lambda:eu-west-2:123456789012:function:test-function"] + }) + ] + }) + + expect(() => new RestApiGateway(stack, "TestApiGateway", { + stackName: "test-stack", + logRetentionInDays: 30, + mutualTlsTrustStoreKey: "truststore.pem", + forwardCsocLogs: false, + csocApiGatewayDestination: "", + executionPolicies: [testPolicy], + enableServiceDomain: true + })).toThrow("serviceName must be provided when mTLS is set") + }) }) describe("RestApiGateway enableServiceDomain default behaviour", () => { From e4f9b3b4e4b6f06ce832fe4bfd84ee4cc78a8cff Mon Sep 17 00:00:00 2001 From: Connor Avery <214469360+connoravo-nhs@users.noreply.github.com> Date: Thu, 16 Apr 2026 13:59:43 +0000 Subject: [PATCH 08/10] Make it optional Signed-off-by: Connor Avery <214469360+connoravo-nhs@users.noreply.github.com> --- packages/cdkConstructs/src/constructs/RestApiGateway.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/cdkConstructs/src/constructs/RestApiGateway.ts b/packages/cdkConstructs/src/constructs/RestApiGateway.ts index ffabd832..c9b94849 100644 --- a/packages/cdkConstructs/src/constructs/RestApiGateway.ts +++ b/packages/cdkConstructs/src/constructs/RestApiGateway.ts 
@@ -48,7 +48,7 @@ export interface RestApiGatewayProps { readonly serviceName?: string | undefined /** Optional stack UUID. If set, included in the mTLS trust store key prefix to prevent collisions * when deploying multiple stacks with the same name, avoiding AWS API Gateway mTLS key caching issues. */ - readonly trustStoreUuuid?: string | undefined + readonly trustStoreUuuid: string | undefined /** Enables creation of a second subscription filter to forward logs to CSOC. */ readonly forwardCsocLogs: boolean /** Destination ARN used by the optional CSOC subscription filter. */ From 6819a7a0a68609b6fe66c0d6e1ac9e85f9062288 Mon Sep 17 00:00:00 2001 From: Connor Avery <214469360+connoravo-nhs@users.noreply.github.com> Date: Thu, 16 Apr 2026 14:10:41 +0000 Subject: [PATCH 09/10] service name is optional already Signed-off-by: Connor Avery <214469360+connoravo-nhs@users.noreply.github.com> --- packages/cdkConstructs/src/constructs/RestApiGateway.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/cdkConstructs/src/constructs/RestApiGateway.ts b/packages/cdkConstructs/src/constructs/RestApiGateway.ts index c9b94849..ff5d1c5c 100644 --- a/packages/cdkConstructs/src/constructs/RestApiGateway.ts +++ b/packages/cdkConstructs/src/constructs/RestApiGateway.ts @@ -45,7 +45,7 @@ export interface RestApiGatewayProps { /** Truststore object key to enable mTLS; leave undefined to disable mTLS or when enableServiceDomain is false. */ readonly mutualTlsTrustStoreKey: string | undefined /** Required with mutualTlsTrustStoreKey. Service name, used as prefix for trust store key */ - readonly serviceName?: string | undefined + readonly serviceName: string | undefined /** Optional stack UUID. If set, included in the mTLS trust store key prefix to prevent collisions * when deploying multiple stacks with the same name, avoiding AWS API Gateway mTLS key caching issues. */ readonly trustStoreUuuid: string | undefined 
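Review bot: Dropping the `?` from `trustStoreUuuid` in this hunk, and from `serviceName` in the PATCH 09/10 hunk `@@ -45,7 +45,7 @@`, makes both keys mandatory rather than optional. A property typed `string | undefined` without `?` must still be written out by every caller, which contradicts the "Make it optional" subject and the "Optional stack UUID" doc comment. This matches how `mutualTlsTrustStoreKey` is declared, but the tests added earlier in the series construct `RestApiGateway` without `trustStoreUuuid`, and one deliberately omits `serviceName`. Unless the test run skips type-checking, they would no longer compile against this interface, and existing consumers that do not use mTLS would have to add both keys. If the intent is only to allow an explicit `undefined`, keep `readonly trustStoreUuuid?: string | undefined` and `readonly serviceName?: string | undefined`.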
From 041476278b4c519d28a0858570d68ec18bd2be50 Mon Sep 17 00:00:00 2001 From: Connor Avery <214469360+connoravo-nhs@users.noreply.github.com> Date: Thu, 16 Apr 2026 14:58:27 +0000 Subject: [PATCH 10/10] Allow undefined Signed-off-by: Connor Avery <214469360+connoravo-nhs@users.noreply.github.com> --- .../cdkConstructs/src/constructs/RestApiGateway.ts | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/packages/cdkConstructs/src/constructs/RestApiGateway.ts b/packages/cdkConstructs/src/constructs/RestApiGateway.ts index ff5d1c5c..0b7df284 100644 --- a/packages/cdkConstructs/src/constructs/RestApiGateway.ts +++ b/packages/cdkConstructs/src/constructs/RestApiGateway.ts @@ -61,7 +61,9 @@ export interface RestApiGatewayProps { readonly enableServiceDomain?: boolean } -const getTrustStoreKeyPrefix = (serviceName: string, stackName: string, trustStoreUuuid?: string) => { +const getTrustStoreKeyPrefix = (stackName: string, + serviceName: string | undefined, + trustStoreUuuid: string | undefined) => { if (trustStoreUuuid) { return `${serviceName}/${stackName}-${trustStoreUuuid}-truststore` } else { @@ -177,7 +179,11 @@ export class RestApiGateway extends Construct { let mtlsConfig: MTLSConfig | undefined if (enableServiceDomain && props.mutualTlsTrustStoreKey) { - const trustStoreKeyPrefix = getTrustStoreKeyPrefix(props.serviceName, props.stackName, props.trustStoreUuuid) + const trustStoreKeyPrefix = getTrustStoreKeyPrefix( + props.stackName, + props.serviceName, + props.trustStoreUuuid + ) const logGroup = new LogGroup(this, "LambdaLogGroup", { encryptionKey: cloudWatchLogsKmsKey, logGroupName: `/aws/lambda/${props.stackName}-truststore-deployment`,
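Review bot: In the first hunk (`@@ -61,7 +61,9 @@`), widening `serviceName` to `string | undefined` lets the template literal in `getTrustStoreKeyPrefix` render the text `undefined` as the first path segment, giving a prefix such as `undefined/${stackName}-truststore`. The constructor guard added in PATCH 07/10 should prevent that for the current call site, but the helper no longer enforces it and the compiler will not flag a future caller. Keeping the parameter as `string` restores that check. The call site in the second hunk can then narrow by adding `&& props.serviceName` to the `if (enableServiceDomain && props.mutualTlsTrustStoreKey)` condition, or the helper can fail fast with `if (!serviceName) throw new Error("serviceName must be provided when mTLS is set")`. Either way, truststore bundles from different services cannot silently end up under one shared prefix.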