feat(s3-deployment): support vsecurityGroups in BucketDeploymentProps

Author: drduhe

packages/aws-cdk-lib/aws-s3-deployment/README.md

@@ -489,6 +489,65 @@ new cdk.CfnOutput(this, 'ObjectKey', {
 });
 ```
 
+## Specifying a Custom VPC, Subnets, and Security Groups in BucketDeployment
+
+By default, the AWS CDK BucketDeployment construct runs in a publicly accessible environment. However, for enhanced security and compliance, you may need to deploy your assets from within a VPC while restricting network access through custom subnets and security groups.
+
+### Using a Custom VPC
+
+To deploy assets within a private network, specify the vpc property in BucketDeploymentProps. This ensures that the deployment Lambda function executes within your specified VPC.
+
+```ts
+const app = new cdk.App();
+const stack = new cdk.Stack(app, 'BucketDeploymentExample');
+
+const vpc = ec2.Vpc.fromLookup(stack, 'ExistingVPC', { vpcId: 'vpc-12345678' });
+
+const bucket = new s3.Bucket(stack, 'MyBucket');
+
+new s3deployment.BucketDeployment(stack, 'DeployToS3', {
+    destinationBucket: bucket,
+    vpc: vpc, 
+    sources: [s3deployment.Source.asset('./website')],
+});
+```
+
+### Specifying Subnets for Deployment
+
+By default, when you specify a VPC, the BucketDeployment function is deployed in the private subnets of that VPC. 
+However, you can customize the subnet selection using the vpcSubnets property.
+
+```ts
+new s3deployment.BucketDeployment(stack, 'DeployToS3', {
+    destinationBucket: bucket,
+    vpc: vpc,
+    vpcSubnets: { subnetType: ec2.SubnetType.PUBLIC },
+    sources: [s3deployment.Source.asset('./website')],
+});
+```
+
+### Defining Custom Security Groups
+
+For enhanced network security, you can now specify custom security groups in BucketDeploymentProps. 
+This allows fine-grained control over ingress and egress rules for the deployment Lambda function.
+
+```ts
+const securityGroup = new ec2.SecurityGroup(stack, 'CustomSG', {
+    vpc,
+    description: 'Allow HTTPS outbound access',
+    allowAllOutbound: false,
+});
+
+securityGroup.addEgressRule(ec2.Peer.anyIpv4(), ec2.Port.tcp(443), 'Allow HTTPS traffic');
+
+new s3deployment.BucketDeployment(stack, 'DeployWithSecurityGroup', {
+    destinationBucket: bucket,
+    vpc: vpc,
+    securityGroups: [securityGroup],
+    sources: [s3deployment.Source.asset('./website')],
+});
+```
+
 ## Notes
 
 - This library uses an AWS CloudFormation custom resource which is about 10MiB in

packages/aws-cdk-lib/aws-s3-deployment/lib/bucket-deployment.ts

@@ -282,6 +282,17 @@ export interface BucketDeploymentProps {
    * @default true
    */
   readonly outputObjectKeys?: boolean;
+
+  /**
+   * The list of security groups to associate with the lambda handlers network interfaces.
+   *
+   * Only used if 'vpc' is supplied.
+   *
+   * @default undefined - If the function is placed within a VPC and a security group is
+   * not specified, either by this or securityGroup prop, a dedicated security
+   * group will be created for this function.
+   */
+  readonly securityGroups?: ec2.ISecurityGroup[];
 }
 
 /**
@@ -351,7 +362,7 @@ export class BucketDeployment extends Construct {
 
     const mountPath = `/mnt${accessPointPath}`;
     const handler = new BucketDeploymentSingletonFunction(this, 'CustomResourceHandler', {
-      uuid: this.renderSingletonUuid(props.memoryLimit, props.ephemeralStorageSize, props.vpc),
+      uuid: this.renderSingletonUuid(props.memoryLimit, props.ephemeralStorageSize, props.vpc, props.securityGroups),
       layers: [new AwsCliLayer(this, 'AwsCliLayer')],
       environment: {
         ...props.useEfs ? { MOUNT_PATH: mountPath } : undefined,
@@ -366,6 +377,7 @@ export class BucketDeployment extends Construct {
       ephemeralStorageSize: props.ephemeralStorageSize,
       vpc: props.vpc,
       vpcSubnets: props.vpcSubnets,
+      securityGroups: props.securityGroups ? props.securityGroups : undefined,
       filesystem: accessPoint ? lambda.FileSystem.fromEfsAccessPoint(
         accessPoint,
         mountPath,
@@ -559,7 +571,7 @@ export class BucketDeployment extends Construct {
     }
   }
 
-  private renderUniqueId(memoryLimit?: number, ephemeralStorageSize?: cdk.Size, vpc?: ec2.IVpc) {
+  private renderUniqueId(memoryLimit?: number, ephemeralStorageSize?: cdk.Size, vpc?: ec2.IVpc, securityGroups?: ec2.ISecurityGroup[]) {
     let uuid = '';
 
     // if the user specifes a custom memory limit, we define another singleton handler
@@ -592,13 +604,24 @@ export class BucketDeployment extends Construct {
       uuid += `-${vpc.node.addr}`;
     }
 
+    // if the user specifies security groups, we define another singleton handler
+    // with this configuration. otherwise, it won't be possible to use multiple
+    // configurations since we have a singleton.
+    if (securityGroups && securityGroups.length > 0) {
+      const sortedSecurityGroupIds = securityGroups
+        .map(sg => sg.securityGroupId)
+        .sort() // Ensure a consistent order
+        .join('-'); // Join into a single string
+      uuid += `-${sortedSecurityGroupIds}`;
+    }
+
     return uuid;
   }
 
-  private renderSingletonUuid(memoryLimit?: number, ephemeralStorageSize?: cdk.Size, vpc?: ec2.IVpc) {
+  private renderSingletonUuid(memoryLimit?: number, ephemeralStorageSize?: cdk.Size, vpc?: ec2.IVpc, securityGroups?: ec2.ISecurityGroup[]) {
     let uuid = '8693BB64-9689-44B6-9AAF-B0CC9EB8756C';
 
-    uuid += this.renderUniqueId(memoryLimit, ephemeralStorageSize, vpc);
+    uuid += this.renderUniqueId(memoryLimit, ephemeralStorageSize, vpc, securityGroups);
 
     return uuid;
   }

packages/aws-cdk-lib/aws-s3-deployment/test/bucket-deployment.test.ts

@@ -1,6 +1,7 @@
 import { readdirSync, readFileSync, existsSync } from 'fs';
 import * as path from 'path';
 import { testDeprecated } from '@aws-cdk/cdk-build-tools';
+import { Construct } from 'constructs';
 import { Match, Template } from '../../assertions';
 import * as cloudfront from '../../aws-cloudfront';
 import * as ec2 from '../../aws-ec2';
@@ -1123,6 +1124,69 @@ test('deployment allows vpc and subnets to be implicitly supplied to lambda', ()
   });
 });
 
+test('deployment allows security groups to be explicitly supplied to lambda', () => {
+  // GIVEN
+  const stack = new cdk.Stack();
+  const bucket = new s3.Bucket(stack, 'Dest');
+  const vpc = new ec2.Vpc(stack, 'SomeVpc', {});
+  const sg = new ec2.SecurityGroup(stack, 'SomeSecurityGroup', { vpc });
+
+  // WHEN
+  new s3deploy.BucketDeployment(stack, 'DeployWithVpc1', {
+    sources: [s3deploy.Source.asset(path.join(__dirname, 'my-website'))],
+    destinationBucket: bucket,
+    vpc: vpc,
+    securityGroups: [sg],
+  });
+
+  // THEN
+  Template.fromStack(stack).hasResourceProperties('AWS::Lambda::Function', {
+    VpcConfig: Match.objectLike({
+      SecurityGroupIds: Match.arrayWith([
+        {
+          'Fn::GetAtt': Match.arrayWith([
+            Match.stringLikeRegexp('SomeSecurityGroup'), // Matches dynamically generated SG name
+            'GroupId',
+          ]),
+        },
+      ]),
+    }),
+  });
+});
+
+test('different security groups create different Lambdas and single CLI', () => {
+  // GIVEN
+  const stack = new cdk.Stack();
+  const bucket = new s3.Bucket(stack, 'Dest');
+  const c1 = new Construct(stack, 'Construct1');
+  const c2 = new Construct(stack, 'Construct2');
+  const vpc = new ec2.Vpc(stack, 'SomeVpc', {});
+  const sg1 = new ec2.SecurityGroup(stack, 'SomeSecurityGroup1', { vpc });
+  const sg2 = new ec2.SecurityGroup(stack, 'SomeSecurityGroup2', { vpc });
+
+  // WHEN
+  new s3deploy.BucketDeployment(c1, 'Deploy1', {
+    sources: [s3deploy.Source.asset(path.join(__dirname, 'my-website'))],
+    destinationBucket: bucket,
+    destinationKeyPrefix: 'foo',
+    vpc: vpc,
+    securityGroups: [sg1],
+  });
+  new s3deploy.BucketDeployment(c2, 'Deploy2', {
+    sources: [s3deploy.Source.asset(path.join(__dirname, 'my-website-2'))],
+    destinationBucket: bucket,
+    destinationKeyPrefix: 'bar',
+    vpc: vpc,
+    securityGroups: [sg2],
+  });
+
+  // THEN
+  const template = Template.fromStack(stack);
+  template.resourceCountIs('AWS::Lambda::LayerVersion', 1);
+  template.resourceCountIs('AWS::Lambda::Function', 2);
+  template.resourceCountIs('Custom::CDKBucketDeployment', 2);
+});
+
 test('s3 deployment bucket is identical to destination bucket', () => {
   // GIVEN
   const stack = new cdk.Stack();