amplify-education
diff --git a/‎CHANGELOG.md‎
Lines changed: 5 additions & 0 deletions b/‎CHANGELOG.md‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎README.md‎
Lines changed: 3 additions & 1 deletion b/‎README.md‎
Lines changed: 3 additions & 1 deletion
diff --git a/‎package-lock.json‎
Lines changed: 4994 additions & 3553 deletions b/‎package-lock.json‎
Lines changed: 4994 additions & 3553 deletions
diff --git a/‎package.json‎
Lines changed: 2 additions & 1 deletion b/‎package.json‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎src/aws/acm-wrapper.ts‎
Lines changed: 4 additions & 0 deletions b/‎src/aws/acm-wrapper.ts‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎src/aws/api-gateway-v1-wrapper.ts‎
Lines changed: 54 additions & 7 deletions b/‎src/aws/api-gateway-v1-wrapper.ts‎
Lines changed: 54 additions & 7 deletions
diff --git a/‎src/aws/api-gateway-v2-wrapper.ts‎
Lines changed: 54 additions & 7 deletions b/‎src/aws/api-gateway-v2-wrapper.ts‎
Lines changed: 54 additions & 7 deletions
diff --git a/‎src/globals.ts‎
Lines changed: 2 additions & 1 deletion b/‎src/globals.ts‎
Lines changed: 2 additions & 1 deletion
@@ -4,6 +4,11 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
 and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
 
+## [9.1.0] - 2026-02-10
+
+### Changed
+- Add support for private custom domains. Thank you @StevenCAD ([648](https://github.com/amplify-education/serverless-domain-manager/pull/648))
+
 ## [9.0.0] - 2026-02-04
 
 ### Changed
 
@@ -155,7 +155,7 @@ custom:
 | createRoute53IPv6Record | `true` | Toggles whether or not the plugin will create an AAAA Alias record in Route53 mapping the `domainName` to the generated distribution domain name. If false, does not create a record.                                                                                                                                                                                  |
 | route53Profile | `(none)` | Profile to use for accessing Route53 resources when Route53 records are in a different account                                                                                                                                                                                                                                                                         |
 | route53Region | `(none)` | Region to send Route53 services requests to (only applicable if also using route53Profile option)                                                                                                                                                                                                                                                                      |
-| endpointType | `EDGE` | Defines the endpoint type, accepts `REGIONAL` or `EDGE`.                                                                                                                                                                                                                                                                                                               |
+| endpointType | `EDGE` | Defines the endpoint type, accepts `REGIONAL`, `EDGE`, or `PRIVATE`. Note: `PRIVATE` endpoints are only supported with REST APIs and can only be accessed from within a VPC. Private endpoints do not support HTTP APIs, WebSocket APIs, mutual TLS, or non-simple routing policies. |
 | apiType | rest | Defines the api type, accepts `rest`, `http` or `websocket`.                                                                                                                                                                                                                                                                                                           |
 | tlsTruststoreUri | `undefined` | An Amazon S3 url that specifies the truststore for mutual TLS authentication, for example `s3://bucket-name/key-name`. The truststore can contain certificates from public or private certificate authorities. Be aware mutual TLS is only available for `regional` APIs.                                                                                              |
 | tlsTruststoreVersion | `undefined` | The version of the S3 object that contains your truststore. To specify a version, you must have versioning enabled for the S3 bucket.                                                                                                                                                                                                                                  |
@@ -212,7 +212,9 @@ npm test
 To run integration tests, set an environment variable `TEST_DOMAIN` to the domain you will be testing for (i.e. `example.com` if creating a domain for `api.example.com`). 
 And `ROUTE53_PROFILE` for creating route53 record in one AWS account and deploy in another. Then,
 ```
+export SERVERLESS_LICENSE_KEY=<license_key>
 export TEST_DOMAIN=example.com
+export VPC_NAME=vpc_name
 export ROUTE53_PROFILE=default
 export TLS_TRUSTSTORE_URI=s3://bucket-name/key-name
 export TLS_TRUSTSTORE_VERSION=default
 
@@ -1,6 +1,6 @@
 {
   "name": "serverless-domain-manager",
-  "version": "9.0.0",
+  "version": "9.1.0",
   "engines": {
     "node": ">=18"
   },
@@ -66,6 +66,7 @@
     "randomstring": "^1.3.0",
     "serverless": "4.2.5",
     "serverless-plugin-split-stacks": "^1.14.0",
+    "serverless-vpc-discovery": "^6.0.0",
     "ts-node": "^10.9.2",
     "typescript": "^5.9.3"
   },
 
@@ -61,6 +61,10 @@ class ACMWrapper {
         errorMessage += ` The endpoint type '${Globals.endpointTypes.edge}' is used. ` +
           `Make sure the needed ACM certificate exists in the '${Globals.defaultRegion}' region.`;
       }
+      if (domain.endpointType === Globals.endpointTypes.private) {
+        errorMessage += ` The endpoint type '${Globals.endpointTypes.private}' is used. ` +
+          `Make sure the needed ACM certificate exists in the '${Globals.getRegion()}' region.`;
+      }
       throw Error(errorMessage);
     }
     return certificateArn;
 
@@ -17,6 +17,9 @@ import {
   GetBasePathMappingsCommandOutput,
   GetDomainNameCommand,
   GetDomainNameCommandOutput,
+  GetDomainNamesCommand,
+  GetDomainNamesCommandInput,
+  GetDomainNamesCommandOutput,
   UpdateBasePathMappingCommand
 } from "@aws-sdk/client-api-gateway";
 import ApiGatewayMap = require("../models/api-gateway-map");
@@ -25,6 +28,7 @@ import Logging from "../logging";
 import { getAWSPagedResults } from "../utils";
 
 class APIGatewayV1Wrapper extends APIGatewayBase {
+  protected readonly versionPrefix = "V1";
   public readonly apiGateway: APIGatewayClient;
 
   constructor (credentials?: any) {
@@ -54,7 +58,8 @@ class APIGatewayV1Wrapper extends APIGatewayBase {
     };
 
     const isEdgeType = domain.endpointType === Globals.endpointTypes.edge;
-    if (isEdgeType) {
+    const isPrivateType = domain.endpointType === Globals.endpointTypes.private;
+    if (isEdgeType || isPrivateType) {
       params.certificateArn = domain.certificateArn;
     } else {
       params.regionalCertificateArn = domain.certificateArn;
@@ -88,11 +93,15 @@ class APIGatewayV1Wrapper extends APIGatewayBase {
    * @param silent: To issue an error or not. Not by default.
    */
   public async getCustomDomain (domain: DomainConfig, silent: boolean = true): Promise<DomainInfo> {
+    const domainNameId = await this.resolvePrivateDomainNameId(domain, silent);
+    if (domainNameId === null) return;
+
     // Make API call
     try {
       const domainInfo: GetDomainNameCommandOutput = await this.apiGateway.send(
         new GetDomainNameCommand({
-          domainName: domain.givenDomainName
+          domainName: domain.givenDomainName,
+          ...(domainNameId && { domainNameId })
         })
       );
       return new DomainInfo(domainInfo);
@@ -106,11 +115,41 @@ class APIGatewayV1Wrapper extends APIGatewayBase {
     }
   }
 
+  protected async fetchPrivateDomainNameId (domain: DomainConfig): Promise<string | undefined> {
+    try {
+      type DomainNameItem = {
+        domainName: string;
+        domainNameId?: string;
+        endpointConfiguration?: { types?: string[] };
+      };
+
+      const items = await getAWSPagedResults<DomainNameItem, GetDomainNamesCommandInput, GetDomainNamesCommandOutput>(
+        this.apiGateway,
+        "items",
+        "position",
+        "position",
+        new GetDomainNamesCommand({})
+      );
+
+      const matchingDomain = items.find(
+        (item) => item.domainName === domain.givenDomainName &&
+                  item.endpointConfiguration?.types?.includes(Globals.endpointTypes.private)
+      );
+
+      return matchingDomain?.domainNameId;
+    } catch (err) {
+      Logging.logWarning(`V1 - Unable to list domain names to find domainNameId: ${err.message}`);
+      return undefined;
+    }
+  }
+
   public async deleteCustomDomain (domain: DomainConfig): Promise<void> {
     // Make API call
     try {
+      const domainNameId = await this.getDomainNameIdForPrivateDomain(domain);
       await this.apiGateway.send(new DeleteDomainNameCommand({
-        domainName: domain.givenDomainName
+        domainName: domain.givenDomainName,
+        ...(domainNameId && { domainNameId })
       }));
     } catch (err) {
       throw new Error(`V1 - Failed to delete custom domain '${domain.givenDomainName}':\n${err.message}`);
@@ -119,11 +158,13 @@ class APIGatewayV1Wrapper extends APIGatewayBase {
 
   public async createBasePathMapping (domain: DomainConfig): Promise<void> {
     try {
+      const domainNameId = await this.getDomainNameIdForPrivateDomain(domain);
       await this.apiGateway.send(new CreateBasePathMappingCommand({
         basePath: domain.basePath,
         domainName: domain.givenDomainName,
         restApiId: domain.apiId,
-        stage: domain.stage
+        stage: domain.stage,
+        ...(domainNameId && { domainNameId })
       }));
       Logging.logInfo(`V1 - Created API mapping '${domain.basePath}' for '${domain.givenDomainName}'`);
     } catch (err) {
@@ -135,13 +176,15 @@ class APIGatewayV1Wrapper extends APIGatewayBase {
 
   public async getBasePathMappings (domain: DomainConfig): Promise<ApiGatewayMap[]> {
     try {
+      const domainNameId = await this.getDomainNameIdForPrivateDomain(domain);
       const items = await getAWSPagedResults<BasePathMapping, GetBasePathMappingsCommandInput, GetBasePathMappingsCommandOutput>(
         this.apiGateway,
         "items",
         "position",
         "position",
         new GetBasePathMappingsCommand({
-          domainName: domain.givenDomainName
+          domainName: domain.givenDomainName,
+          ...(domainNameId && { domainNameId })
         })
       );
       return items.map((item) => {
@@ -159,14 +202,16 @@ class APIGatewayV1Wrapper extends APIGatewayBase {
     Logging.logInfo(`V1 - Updating API mapping from '${domain.apiMapping.basePath}'
             to '${domain.basePath}' for '${domain.givenDomainName}'`);
     try {
+      const domainNameId = await this.getDomainNameIdForPrivateDomain(domain);
       await this.apiGateway.send(new UpdateBasePathMappingCommand({
         basePath: domain.apiMapping.basePath,
         domainName: domain.givenDomainName,
         patchOperations: [{
           op: "replace",
           path: "/basePath",
           value: domain.basePath
-        }]
+        }],
+        ...(domainNameId && { domainNameId })
       }));
     } catch (err) {
       throw new Error(
@@ -177,10 +222,12 @@ class APIGatewayV1Wrapper extends APIGatewayBase {
 
   public async deleteBasePathMapping (domain: DomainConfig): Promise<void> {
     try {
+      const domainNameId = await this.getDomainNameIdForPrivateDomain(domain);
       await this.apiGateway.send(
         new DeleteBasePathMappingCommand({
           basePath: domain.apiMapping.basePath,
-          domainName: domain.givenDomainName
+          domainName: domain.givenDomainName,
+          ...(domainNameId && { domainNameId })
         })
       );
       Logging.logInfo(`V1 - Removed '${domain.apiMapping.basePath}' base path mapping`);
 
@@ -19,12 +19,16 @@ import {
   GetApiMappingsCommandOutput,
   GetDomainNameCommand,
   GetDomainNameCommandOutput,
+  GetDomainNamesCommand,
+  GetDomainNamesCommandInput,
+  GetDomainNamesCommandOutput,
   UpdateApiMappingCommand
 } from "@aws-sdk/client-apigatewayv2";
 import Logging from "../logging";
 import { getAWSPagedResults } from "../utils";
 
 class APIGatewayV2Wrapper extends APIGatewayBase {
+  protected readonly versionPrefix = "V2";
   public readonly apiGateway: ApiGatewayV2Client;
 
   constructor (credentials?: any) {
@@ -59,7 +63,8 @@ class APIGatewayV2Wrapper extends APIGatewayBase {
     };
 
     const isEdgeType = domain.endpointType === Globals.endpointTypes.edge;
-    if (!isEdgeType && domain.tlsTruststoreUri) {
+    const isPrivateType = domain.endpointType === Globals.endpointTypes.private;
+    if (!isEdgeType && !isPrivateType && domain.tlsTruststoreUri) {
       params.MutualTlsAuthentication = {
         TruststoreUri: domain.tlsTruststoreUri
       };
@@ -87,11 +92,15 @@ class APIGatewayV2Wrapper extends APIGatewayBase {
    * @param silent: To issue an error or not. Not by default.
    */
   public async getCustomDomain (domain: DomainConfig, silent: boolean = true): Promise<DomainInfo> {
+    const domainNameId = await this.resolvePrivateDomainNameId(domain, silent);
+    if (domainNameId === null) return;
+
     // Make API call
     try {
       const domainInfo: GetDomainNameCommandOutput = await this.apiGateway.send(
         new GetDomainNameCommand({
-          DomainName: domain.givenDomainName
+          DomainName: domain.givenDomainName,
+          ...(domainNameId && { DomainNameId: domainNameId })
         })
       );
       return new DomainInfo(domainInfo);
@@ -105,16 +114,46 @@ class APIGatewayV2Wrapper extends APIGatewayBase {
     }
   }
 
+  protected async fetchPrivateDomainNameId (domain: DomainConfig): Promise<string | undefined> {
+    try {
+      type DomainNameItem = {
+        DomainName: string;
+        DomainNameId?: string;
+        DomainNameConfigurations?: Array<{ EndpointType?: string }>;
+      };
+
+      const items = await getAWSPagedResults<DomainNameItem, GetDomainNamesCommandInput, GetDomainNamesCommandOutput>(
+        this.apiGateway,
+        "Items",
+        "NextToken",
+        "NextToken",
+        new GetDomainNamesCommand({})
+      );
+
+      const matchingDomain = items.find(
+        (item) => item.DomainName === domain.givenDomainName &&
+                  item.DomainNameConfigurations?.some((config) => config.EndpointType === Globals.endpointTypes.private)
+      );
+
+      return matchingDomain?.DomainNameId;
+    } catch (err) {
+      Logging.logWarning(`V2 - Unable to list domain names to find domainNameId: ${err.message}`);
+      return undefined;
+    }
+  }
+
   /**
    * Delete Custom Domain Name
    * @param domain: DomainConfig
    */
   public async deleteCustomDomain (domain: DomainConfig): Promise<void> {
     // Make API call
     try {
+      const domainNameId = await this.getDomainNameIdForPrivateDomain(domain);
       await this.apiGateway.send(
         new DeleteDomainNameCommand({
-          DomainName: domain.givenDomainName
+          DomainName: domain.givenDomainName,
+          ...(domainNameId && { DomainNameId: domainNameId })
         })
       );
     } catch (err) {
@@ -138,12 +177,14 @@ class APIGatewayV2Wrapper extends APIGatewayBase {
       );
     }
     try {
+      const domainNameId = await this.getDomainNameIdForPrivateDomain(domain);
       await this.apiGateway.send(
         new CreateApiMappingCommand({
           ApiId: domain.apiId,
           ApiMappingKey: domain.basePath,
           DomainName: domain.givenDomainName,
-          Stage: domain.stage
+          Stage: domain.stage,
+          ...(domainNameId && { DomainNameId: domainNameId })
         })
       );
       Logging.logInfo(`V2 - Created API mapping '${domain.basePath}' for '${domain.givenDomainName}'`);
@@ -160,13 +201,15 @@ class APIGatewayV2Wrapper extends APIGatewayBase {
    */
   public async getBasePathMappings (domain: DomainConfig): Promise<ApiGatewayMap[]> {
     try {
+      const domainNameId = await this.getDomainNameIdForPrivateDomain(domain);
       const items = await getAWSPagedResults<ApiMapping, GetApiMappingsCommandInput, GetApiMappingsCommandOutput>(
         this.apiGateway,
         "Items",
         "NextToken",
         "NextToken",
         new GetApiMappingsCommand({
-          DomainName: domain.givenDomainName
+          DomainName: domain.givenDomainName,
+          ...(domainNameId && { DomainNameId: domainNameId })
         })
       );
       return items.map(
@@ -185,13 +228,15 @@ class APIGatewayV2Wrapper extends APIGatewayBase {
    */
   public async updateBasePathMapping (domain: DomainConfig): Promise<void> {
     try {
+      const domainNameId = await this.getDomainNameIdForPrivateDomain(domain);
       await this.apiGateway.send(
         new UpdateApiMappingCommand({
           ApiId: domain.apiId,
           ApiMappingId: domain.apiMapping.apiMappingId,
           ApiMappingKey: domain.basePath,
           DomainName: domain.givenDomainName,
-          Stage: domain.stage
+          Stage: domain.stage,
+          ...(domainNameId && { DomainNameId: domainNameId })
         })
       );
       Logging.logInfo(`V2 - Updated API mapping to '${domain.basePath}' for '${domain.givenDomainName}'`);
@@ -207,9 +252,11 @@ class APIGatewayV2Wrapper extends APIGatewayBase {
    */
   public async deleteBasePathMapping (domain: DomainConfig): Promise<void> {
     try {
+      const domainNameId = await this.getDomainNameIdForPrivateDomain(domain);
       await this.apiGateway.send(new DeleteApiMappingCommand({
         ApiMappingId: domain.apiMapping.apiMappingId,
-        DomainName: domain.givenDomainName
+        DomainName: domain.givenDomainName,
+        ...(domainNameId && { DomainNameId: domainNameId })
       }));
       Logging.logInfo(`V2 - Removed API Mapping with id: '${domain.apiMapping.apiMappingId}'`);
     } catch (err) {
 
@@ -23,7 +23,8 @@ export default class Globals {
 
   public static endpointTypes = {
     edge: "EDGE",
-    regional: "REGIONAL"
+    regional: "REGIONAL",
+    private: "PRIVATE"
   };
 
   public static apiTypes = {
Original file line number	Diff line number	Diff line change
`@@ -61,6 +61,10 @@ class ACMWrapper {`
`61`	`61`	errorMessage += ` The endpoint type '${Globals.endpointTypes.edge}' is used. ` +
`62`	`62`	`Make sure the needed ACM certificate exists in the '${Globals.defaultRegion}' region.`;
`63`	`63`	`}`
	`64`	`+ if (domain.endpointType === Globals.endpointTypes.private) {`
	`65`	+ errorMessage += ` The endpoint type '${Globals.endpointTypes.private}' is used. ` +
	`66`	+ `Make sure the needed ACM certificate exists in the '${Globals.getRegion()}' region.`;
	`67`	`+ }`
`64`	`68`	`throw Error(errorMessage);`
`65`	`69`	`}`
`66`	`70`	`return certificateArn;`