fix(elasticloadbalancingv2): add validation on application listeners for certificates on HTTP protocol (#34233)

### Issue # (if applicable)


### Reason for this change

ElasticLoadBalancerV2 throw a 400 error if you try to append a certificate to a listener on port 80 (or protocol HTTP).
This PR brings this same validation to CDK

### Description of changes

Added a new check for the application protocol and the length of certificates, and if there is any certificate, throw a validation error.
Also, added a test for this case.

### Describe any new or updated permissions being added

### Description of how you validated changes

### Checklist

 My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

Author: wmattei

packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/alb/application-listener.ts

@@ -8,7 +8,7 @@ import { ListenerCondition } from './conditions';
 import { ITrustStore } from './trust-store';
 import * as ec2 from '../../../aws-ec2';
 import * as cxschema from '../../../cloud-assembly-schema';
-import { Duration, FeatureFlags, Lazy, Resource, Token } from '../../../core';
+import { Annotations, Duration, FeatureFlags, Lazy, Resource, Token } from '../../../core';
 import { ValidationError } from '../../../core/lib/errors';
 import { addConstructMetadata, MethodMetadata } from '../../../core/lib/metadata-resource';
 import { propertyInjectable } from '../../../core/lib/prop-injectable';
@@ -293,6 +293,10 @@ export class ApplicationListener extends BaseListener implements IApplicationLis
     // Enhanced CDK Analytics Telemetry
     addConstructMetadata(this, props);
 
+    if (protocol === ApplicationProtocol.HTTP && props.certificates?.length) {
+      Annotations.of(this).addWarningV2('@aws-cdk/aws-elasticloadbalancingv2:httpListenerWithCertificates', 'Certificates cannot be specified for HTTP listeners. Use HTTPS instead.');
+    }
+
     this.loadBalancer = props.loadBalancer;
     this.protocol = protocol;
     this.port = port;

packages/aws-cdk-lib/aws-elasticloadbalancingv2/test/alb/listener.test.ts

@@ -1,6 +1,6 @@
 import { describeDeprecated, testDeprecated } from '@aws-cdk/cdk-build-tools';
 import * as constructs from 'constructs';
-import { Match, Template } from '../../../assertions';
+import { Annotations, Match, Template } from '../../../assertions';
 import * as acm from '../../../aws-certificatemanager';
 import { Metric } from '../../../aws-cloudwatch';
 import * as ec2 from '../../../aws-ec2';
@@ -257,6 +257,21 @@ describe('tests', () => {
     });
   });
 
+  test('HTTP listener cannot have a certificate', () => {
+    // GIVEN
+    const stack = new cdk.Stack();
+    const vpc = new ec2.Vpc(stack, 'Stack');
+    const lb = new elbv2.ApplicationLoadBalancer(stack, 'LB', { vpc });
+
+    const listener = lb.addListener('Listener', {
+      port: 80,
+      certificates: [elbv2.ListenerCertificate.fromArn('cert1')],
+      defaultTargetGroups: [new elbv2.ApplicationTargetGroup(stack, 'Group', { vpc, port: 80 })],
+    });
+
+    Annotations.fromStack(stack).hasWarning('/'+listener.node.path, Match.stringLikeRegexp('Certificates cannot be specified for HTTP listeners. Use HTTPS instead.'));
+  });
+
   test('Can configure targetType on TargetGroups', () => {
     // GIVEN
     const stack = new cdk.Stack();