NHSDigital · connoravo-nhs · Apr 16, 2026 · Apr 16, 2026 · Apr 16, 2026 · Apr 16, 2026
diff --git a/packages/cdkConstructs/src/constructs/RestApiGateway.ts b/packages/cdkConstructs/src/constructs/RestApiGateway.ts
@@ -40,6 +40,9 @@ import {addSuppressions} from "../utils/helpers"
 export interface RestApiGatewayProps {
   /** Stack name, used as prefix for resource naming and DNS records. */
   readonly stackName: string
+  /** Optional stack UUID. If set, included in the mTLS trust store key prefix to prevent collisions
+   * when deploying multiple stacks with the same name, avoiding AWS API Gateway mTLS key caching issues. */
+  readonly stackUuid?: string
   /** Shared retention period for API and deployment-related log groups. */
   readonly logRetentionInDays: number
   /** Truststore object key to enable mTLS; leave undefined to disable mTLS or when enableServiceDomain is false. */
@@ -56,6 +59,14 @@ export interface RestApiGatewayProps {
   readonly enableServiceDomain?: boolean
 }
 
+const getTrustStoreKeyPrefix = (stackName: string, stackUuid?: string) => {
+  if (stackUuid) {
+    return `cpt-api/${stackName}-${stackUuid}-truststore`
+  } else {
+    return `cpt-api/${stackName}-truststore`
+  }
+}
+
 /** Creates a regional REST API with standard logging, DNS, and optional mTLS/CSOC integration. */
 export class RestApiGateway extends Construct {
   /** Created API Gateway instance. */
@@ -158,7 +169,7 @@ export class RestApiGateway extends Construct {
     let mtlsConfig: MTLSConfig | undefined
 
     if (enableServiceDomain && props.mutualTlsTrustStoreKey) {
-      const trustStoreKeyPrefix = `cpt-api/${props.stackName}-truststore`
+      const trustStoreKeyPrefix = getTrustStoreKeyPrefix(props.stackName, props.stackUUID)
       const logGroup = new LogGroup(this, "LambdaLogGroup", {
         encryptionKey: cloudWatchLogsKmsKey,
         logGroupName: `/aws/lambda/${props.stackName}-truststore-deployment`,

diff --git a/packages/cdkConstructs/tests/constructs/RestApiGateway.test.ts b/packages/cdkConstructs/tests/constructs/RestApiGateway.test.ts
@@ -344,6 +344,79 @@
   })
 })
 
+describe("RestApiGateway with mTLS and stackUUID", () => {
+  test("uses stackUUID in trust store deployment key prefix", () => {
+    interface ManagedPolicyResource {
+      Properties?: {
+        PolicyDocument?: {
+          Statement?: Array<{
+            Action?: Array<string>
+            Resource?: unknown | Array<unknown>
+          }>
+        }
+      }
+    }
+
+    const app = new App()
+    const stack = new Stack(app, "RestApiGatewayStackWithUuid")
+
+    const testPolicy = new ManagedPolicy(stack, "TestPolicy", {
+      description: "test execution policy",
+      statements: [
+        new PolicyStatement({
+          actions: ["lambda:InvokeFunction"],
+          resources: ["arn:aws:lambda:eu-west-2:123456789012:function:test-function"]
+        })
+      ]
+    })
+
+    const apiGateway = new RestApiGateway(stack, "TestApiGateway", {
+      stackName: "test-stack",
+      stackUUID: "f47ac10b-58cc-4372-a567-0e02b2c3d479",
+      logRetentionInDays: 30,
+      mutualTlsTrustStoreKey: "truststore.pem",
+      forwardCsocLogs: false,
+      csocApiGatewayDestination: "",
+      executionPolicies: [testPolicy],
+      enableServiceDomain: true
+    })
+
+    apiGateway.api.root.addMethod("GET")
+
+    const template = Template.fromStack(stack)
+    template.hasResourceProperties("Custom::CDKBucketDeployment", {
+      DestinationBucketKeyPrefix: "cpt-api/test-stack-f47ac10b-58cc-4372-a567-0e02b2c3d479-truststore"
+    })
+
+    const policies = template.findResources("AWS::IAM::ManagedPolicy")
+    const expectedTrustStoreObjectPath =
+      "cpt-api/test-stack-f47ac10b-58cc-4372-a567-0e02b2c3d479-truststore/truststore.pem"
+
+    const hasExpectedTrustStorePath = Object.values(policies).some((policy) => {
+      const statements = (policy as ManagedPolicyResource).Properties?.PolicyDocument?.Statement ?? []
+      return statements.some((statement) => {
+        if (!statement.Action?.includes("s3:PutObject")) {
+          return false
+        }
+
+        const resources = Array.isArray(statement.Resource)
+          ? statement.Resource
+          : (statement.Resource ? [statement.Resource] : [])
+
+        return resources.some((resource) => {
+          if (typeof resource === "string") {
+            return resource.includes(expectedTrustStoreObjectPath)
+          }
+
+          return JSON.stringify(resource).includes(expectedTrustStoreObjectPath)
+        })
+      })
+    })
+
+    expect(hasExpectedTrustStorePath).toBe(true)
+  })
+})
+
 describe("RestApiGateway validation errors", () => {
   test("throws when forwardCsocLogs is true and csocApiGatewayDestination is empty string", () => {
     const app = new App()