feat(amplify): support custom certificate (#30791)

### Issue # (if applicable)

Closes #30594.

### Reason for this change
To use custom domain for Amplify by setting custom certificate.


### Description of changes
Add `customCertificate` property.


### Description of how you validated changes
Add unit test and integ test.


### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Author: mazyu36

packages/@aws-cdk/aws-amplify-alpha/README.md

@@ -138,6 +138,17 @@ domain.mapSubDomain(main, 'www');
 domain.mapSubDomain(dev); // sub domain prefix defaults to branch name
 ```
 
+To specify a custom certificate for your custom domain use the `customCertificate` property:
+
+```ts
+declare const customCertificate: acm.Certificate;
+declare const amplifyApp: amplify.App;
+
+const domain = amplifyApp.addDomain('example.com', {
+  customCertificate, // set your custom certificate
+});
+```
+
 ## Restricting access
 
 Password protect the app with basic auth by specifying the `basicAuth` prop.

packages/@aws-cdk/aws-amplify-alpha/lib/domain.ts

@@ -1,3 +1,4 @@
+import * as acm from 'aws-cdk-lib/aws-certificatemanager';
 import * as iam from 'aws-cdk-lib/aws-iam';
 import { Lazy, Resource, IResolvable } from 'aws-cdk-lib/core';
 import { Construct } from 'constructs';
@@ -36,6 +37,13 @@ export interface DomainOptions {
    * @default - all repository branches ['*', 'pr*']
    */
   readonly autoSubdomainCreationPatterns?: string[];
+
+  /**
+   * The type of SSL/TLS certificate to use for your custom domain
+   *
+   * @default - Amplify uses the default certificate that it provisions and manages for you
+   */
+  readonly customCertificate?: acm.ICertificate;
 }
 
 /**
@@ -130,6 +138,10 @@ export class Domain extends Resource {
       enableAutoSubDomain: !!props.enableAutoSubdomain,
       autoSubDomainCreationPatterns: props.autoSubdomainCreationPatterns || ['*', 'pr*'],
       autoSubDomainIamRole: props.autoSubDomainIamRole?.roleArn,
+      certificateSettings: props.customCertificate ? {
+        certificateType: 'CUSTOM',
+        customCertificateArn: props.customCertificate.certificateArn,
+      } : undefined,
     });
 
     this.arn = domain.attrArn;

packages/@aws-cdk/aws-amplify-alpha/rosetta/default.ts-fixture

@@ -2,6 +2,7 @@
 import { SecretValue, Stack } from 'aws-cdk-lib';
 import { Construct } from 'constructs';
 import * as amplify from '@aws-cdk/aws-amplify-alpha';
+import * as acm from 'aws-cdk-lib/aws-certificatemanager';
 
 class Fixture extends Stack {
   constructor(scope: Construct, id: string) {

packages/@aws-cdk/aws-amplify-alpha/test/domain.test.ts

@@ -1,4 +1,5 @@
 import { Template } from 'aws-cdk-lib/assertions';
+import * as acm from 'aws-cdk-lib/aws-certificatemanager';
 import * as iam from 'aws-cdk-lib/aws-iam';
 import { App, SecretValue, Stack } from 'aws-cdk-lib';
 import * as amplify from '../lib';
@@ -64,6 +65,78 @@ test('create a domain', () => {
   });
 });
 
+test('create a domain with custom certificate', () => {
+  // GIVEN
+  const stack = new Stack();
+  const app = new amplify.App(stack, 'App', {
+    sourceCodeProvider: new amplify.GitHubSourceCodeProvider({
+      owner: 'aws',
+      repository: 'aws-cdk',
+      oauthToken: SecretValue.unsafePlainText('secret'),
+    }),
+  });
+  const prodBranch = app.addBranch('main');
+  const devBranch = app.addBranch('dev');
+
+  const customCertificate = new acm.Certificate(stack, 'Cert', {
+    domainName: '*.example.com',
+  });
+
+  // WHEN
+  const domain = app.addDomain('example.com', {
+    subDomains: [
+      {
+        branch: prodBranch,
+        prefix: 'prod',
+      },
+    ],
+    customCertificate,
+  });
+  domain.mapSubDomain(devBranch);
+
+  // THEN
+  Template.fromStack(stack).hasResourceProperties('AWS::Amplify::Domain', {
+    AppId: {
+      'Fn::GetAtt': [
+        'AppF1B96344',
+        'AppId',
+      ],
+    },
+    DomainName: 'example.com',
+    CertificateSettings: {
+      CertificateType: 'CUSTOM',
+      CustomCertificateArn: {
+        Ref: 'Cert5C9FAEC1',
+      },
+    },
+    SubDomainSettings: [
+      {
+        BranchName: {
+          'Fn::GetAtt': [
+            'AppmainF505BAED',
+            'BranchName',
+          ],
+        },
+        Prefix: 'prod',
+      },
+      {
+        BranchName: {
+          'Fn::GetAtt': [
+            'AppdevB328DAFC',
+            'BranchName',
+          ],
+        },
+        Prefix: {
+          'Fn::GetAtt': [
+            'AppdevB328DAFC',
+            'BranchName',
+          ],
+        },
+      },
+    ],
+  });
+});
+
 test('map a branch to the domain root', () => {
   // GIVEN
   const stack = new Stack();