chore(elasticloadbalancingv2): Add validation on application listeners for certificates on HTTP protocol

Author: wmattei

packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/alb/application-listener.ts

@@ -263,6 +263,10 @@ export class ApplicationListener extends BaseListener implements IApplicationLis
       throw new ValidationError('At least one of \'port\' or \'protocol\' is required', scope);
     }
 
+    if (protocol === ApplicationProtocol.HTTP && props.certificates?.length) {
+      throw new ValidationError('A certificate cannot be specified for HTTP listeners', scope);
+    }
+
     validateMutualAuthentication(scope, props.mutualAuthentication);
 
     let advertiseTrustStoreCaNames: string | undefined;

packages/aws-cdk-lib/aws-elasticloadbalancingv2/test/alb/listener.test.ts

@@ -257,6 +257,23 @@ describe('tests', () => {
     });
   });
 
+  test('HTTP listener requires no certificate', () => {
+    // GIVEN
+    const stack = new cdk.Stack();
+    const vpc = new ec2.Vpc(stack, 'Stack');
+    const lb = new elbv2.ApplicationLoadBalancer(stack, 'LB', { vpc });
+
+    // WHEN
+    const listener = lb.addListener('Listener', {
+      port: 80,
+      defaultTargetGroups: [new elbv2.ApplicationTargetGroup(stack, 'Group', { vpc, port: 80 })],
+    });
+
+    // THEN
+    const errors = listener.node.validate();
+    expect(errors).toEqual(['A certificate cannot be specified for HTTP listeners']);
+  });
+
   test('Can configure targetType on TargetGroups', () => {
     // GIVEN
     const stack = new cdk.Stack();