allow blank domainNames

packages/aws-cdk-lib/aws-cloudfront/README.md

@@ -79,6 +79,9 @@ be retrieved from `distribution.distributionDomainName`. CloudFront distribution
 default. If you want to use your own domain name, such as `www.example.com`, you must associate a certificate with your distribution that contains
 your domain name, and provide one (or more) domain names from the certificate for the distribution.
 
+When you want to move a domain name between distributions, you can associate a certificate and specify no domain names.
+See [Moving an alternate domain name to a different distribution](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/CNAMEs.html#alternate-domain-names-move) for details.
+
 The certificate must be present in the AWS Certificate Manager (ACM) service in the US East (N. Virginia) region; the certificate
 may either be created by ACM, or created elsewhere and imported into ACM. When a certificate is used, the distribution will support HTTPS connections
 from SNI only and a minimum protocol version of TLSv1.2_2021 if the `@aws-cdk/aws-cloudfront:defaultSecurityPolicyTLSv1.2_2021` feature flag is set, and TLSv1.2_2019 otherwise.

packages/aws-cdk-lib/aws-cloudfront/lib/distribution.ts

@@ -129,7 +129,7 @@ export interface DistributionProps {
    *
    * If you want to use your own domain name, such as www.example.com, instead of the cloudfront.net domain name,
    * you can add an alternate domain name to your distribution. If you attach a certificate to the distribution,
-   * you must add (at least one of) the domain names of the certificate to this list.
+   * you should add (at least one of) the domain names of the certificate to this list.
    *
    * @default - The distribution will only support the default generated name (e.g., d111111abcdef8.cloudfront.net)
    */
@@ -318,10 +318,6 @@ export class Distribution extends Resource implements IDistribution {
       if (!Token.isUnresolved(certificateRegion) && certificateRegion !== 'us-east-1') {
         throw new Error(`Distribution certificates must be in the us-east-1 region and the certificate you provided is in ${certificateRegion}.`);
       }
-
-      if ((props.domainNames ?? []).length === 0) {
-        throw new Error('Must specify at least one domain name to use a certificate with a distribution');
-      }
     }
 
     const originId = this.addOrigin(props.defaultBehavior.origin);

packages/aws-cdk-lib/aws-cloudfront/test/distribution.test.ts

@@ -457,23 +457,22 @@ describe('certificates', () => {
     }).toThrow(/Distribution certificates must be in the us-east-1 region and the certificate you provided is in eu-west-1./);
   });
 
-  test('adding a certificate without a domain name throws', () => {
+  test('adding a certificate without a domain name', () => {
     const certificate = acm.Certificate.fromCertificateArn(stack, 'Cert', 'arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012');
 
-    expect(() => {
-      new Distribution(stack, 'Dist1', {
-        defaultBehavior: { origin: defaultOrigin() },
-        certificate,
-      });
-    }).toThrow(/Must specify at least one domain name/);
+    new Distribution(stack, 'Dist1', {
+      defaultBehavior: { origin: defaultOrigin() },
+      certificate,
+    });
 
-    expect(() => {
-      new Distribution(stack, 'Dist2', {
-        defaultBehavior: { origin: defaultOrigin() },
-        domainNames: [],
-        certificate,
-      });
-    }).toThrow(/Must specify at least one domain name/);
+    Template.fromStack(stack).hasResourceProperties('AWS::CloudFront::Distribution', {
+      DistributionConfig: {
+        Aliases: Match.absent(),
+        ViewerCertificate: {
+          AcmCertificateArn: 'arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012',
+        },
+      },
+    });
   });
 
   test('use the TLSv1.2_2021 security policy by default', () => {