From 99a4e30b92383bd24fe6aaf3650e5bb1d37f3909 Mon Sep 17 00:00:00 2001
From: Nicholas Smith <nsmith@amplience.com>
Date: Wed, 2 Aug 2023 14:49:49 +0100
Subject: [PATCH] fix: removes the requirement to have a domain name if you're
 associating a certificate to a Distribution, this means you can provision a
 new Distribution and then use associate-alias to transfer a domain name

---
 packages/aws-cdk-lib/aws-cloudfront/README.md |  2 +-
 .../aws-cloudfront/lib/distribution.ts        |  7 +----
 .../aws-cloudfront/test/distribution.test.ts  | 28 +++++++++----------
 3 files changed, 15 insertions(+), 22 deletions(-)

diff --git a/packages/aws-cdk-lib/aws-cloudfront/README.md b/packages/aws-cdk-lib/aws-cloudfront/README.md
index a4866aa28b469..5dae55eaea7f0 100644
--- a/packages/aws-cdk-lib/aws-cloudfront/README.md
+++ b/packages/aws-cdk-lib/aws-cloudfront/README.md
@@ -77,7 +77,7 @@ new cloudfront.Distribution(this, 'myDist', {
 When you create a distribution, CloudFront assigns a domain name for the distribution, for example: `d111111abcdef8.cloudfront.net`; this value can
 be retrieved from `distribution.distributionDomainName`. CloudFront distributions use a default certificate (`*.cloudfront.net`) to support HTTPS by
 default. If you want to use your own domain name, such as `www.example.com`, you must associate a certificate with your distribution that contains
-your domain name, and provide one (or more) domain names from the certificate for the distribution.
+your domain name, and optionally provide one (or more) domain names from the certificate for the distribution.
 
 The certificate must be present in the AWS Certificate Manager (ACM) service in the US East (N. Virginia) region; the certificate
 may either be created by ACM, or created elsewhere and imported into ACM. When a certificate is used, the distribution will support HTTPS connections
diff --git a/packages/aws-cdk-lib/aws-cloudfront/lib/distribution.ts b/packages/aws-cdk-lib/aws-cloudfront/lib/distribution.ts
index 7918a5e996cbd..a511e124b139d 100644
--- a/packages/aws-cdk-lib/aws-cloudfront/lib/distribution.ts
+++ b/packages/aws-cdk-lib/aws-cloudfront/lib/distribution.ts
@@ -126,8 +126,7 @@ export interface DistributionProps {
    * Alternative domain names for this distribution.
    *
    * If you want to use your own domain name, such as www.example.com, instead of the cloudfront.net domain name,
-   * you can add an alternate domain name to your distribution. If you attach a certificate to the distribution,
-   * you must add (at least one of) the domain names of the certificate to this list.
+   * you can add an alternate domain name to your distribution.
    *
    * @default - The distribution will only support the default generated name (e.g., d111111abcdef8.cloudfront.net)
    */
@@ -306,10 +305,6 @@ export class Distribution extends Resource implements IDistribution {
       if (!Token.isUnresolved(certificateRegion) && certificateRegion !== 'us-east-1') {
         throw new Error(`Distribution certificates must be in the us-east-1 region and the certificate you provided is in ${certificateRegion}.`);
       }
-
-      if ((props.domainNames ?? []).length === 0) {
-        throw new Error('Must specify at least one domain name to use a certificate with a distribution');
-      }
     }
 
     const originId = this.addOrigin(props.defaultBehavior.origin);
diff --git a/packages/aws-cdk-lib/aws-cloudfront/test/distribution.test.ts b/packages/aws-cdk-lib/aws-cloudfront/test/distribution.test.ts
index af3b268688703..1d7f1d9a580f6 100644
--- a/packages/aws-cdk-lib/aws-cloudfront/test/distribution.test.ts
+++ b/packages/aws-cdk-lib/aws-cloudfront/test/distribution.test.ts
@@ -453,23 +453,21 @@ describe('certificates', () => {
     }).toThrow(/Distribution certificates must be in the us-east-1 region and the certificate you provided is in eu-west-1./);
   });
 
-  test('adding a certificate without a domain name throws', () => {
+  test('adding a certificate without a domain name is permitted', () => {
     const certificate = acm.Certificate.fromCertificateArn(stack, 'Cert', 'arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012');
+    new Distribution(stack, 'Dist', {
+      defaultBehavior: { origin: defaultOrigin() },
+      certificate: certificate,
+    });
 
-    expect(() => {
-      new Distribution(stack, 'Dist1', {
-        defaultBehavior: { origin: defaultOrigin() },
-        certificate,
-      });
-    }).toThrow(/Must specify at least one domain name/);
-
-    expect(() => {
-      new Distribution(stack, 'Dist2', {
-        defaultBehavior: { origin: defaultOrigin() },
-        domainNames: [],
-        certificate,
-      });
-    }).toThrow(/Must specify at least one domain name/);
+    Template.fromStack(stack).hasResourceProperties('AWS::CloudFront::Distribution', {
+      DistributionConfig: {
+        ViewerCertificate: {
+          AcmCertificateArn: 'arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012',
+        },
+      },
+    });
+  });
   });
 
   test('use the TLSv1.2_2021 security policy by default', () => {