NHSDigital · connoravo-nhs · Apr 16, 2026 · Apr 16, 2026 · Apr 16, 2026 · Apr 16, 2026
diff --git a/packages/cdkConstructs/src/constructs/RestApiGateway.ts b/packages/cdkConstructs/src/constructs/RestApiGateway.ts
@@ -40,6 +40,8 @@ import {addSuppressions} from "../utils/helpers"
 export interface RestApiGatewayProps {
   /** Stack name, used as prefix for resource naming and DNS records. */
   readonly stackName: string
+  /** Stack UUID, used as a unique identifier for the stack. Optional */
+  readonly stackUUID?: string
   /** Shared retention period for API and deployment-related log groups. */
   readonly logRetentionInDays: number
   /** Truststore object key to enable mTLS; leave undefined to disable mTLS or when enableServiceDomain is false. */
@@ -56,6 +58,14 @@ export interface RestApiGatewayProps {
   readonly enableServiceDomain?: boolean
 }
 
+const getTrustStoreKeyPrefix = (stackName: string, stackUUID?: string) => {
+  if (stackUUID) {
+    return `cpt-api/${stackName}-${stackUUID}-truststore`
+  } else {
+    return `cpt-api/${stackName}-truststore`
+  }
+}
+
 /** Creates a regional REST API with standard logging, DNS, and optional mTLS/CSOC integration. */
 export class RestApiGateway extends Construct {
   /** Created API Gateway instance. */
@@ -158,7 +168,7 @@ export class RestApiGateway extends Construct {
     let mtlsConfig: MTLSConfig | undefined
 
     if (enableServiceDomain && props.mutualTlsTrustStoreKey) {
-      const trustStoreKeyPrefix = `cpt-api/${props.stackName}-truststore`
+      const trustStoreKeyPrefix = getTrustStoreKeyPrefix(props.stackName, props.stackUUID)
       const logGroup = new LogGroup(this, "LambdaLogGroup", {
         encryptionKey: cloudWatchLogsKmsKey,
         logGroupName: `/aws/lambda/${props.stackName}-truststore-deployment`,