feat(s3-deployment): support securityGroups in BucketDeploymentProps

Author: drduhe

packages/aws-cdk-lib/aws-s3-deployment/lib/bucket-deployment.ts

@@ -282,6 +282,17 @@ export interface BucketDeploymentProps {
    * @default true
    */
   readonly outputObjectKeys?: boolean;
+
+  /**
+   * The list of security groups to associate with the lambda handlers network interfaces.
+   *
+   * Only used if 'vpc' is supplied.
+   *
+   * @default undefined - If the function is placed within a VPC and a security group is
+   * not specified, either by this or securityGroup prop, a dedicated security
+   * group will be created for this function.
+   */
+  readonly securityGroups?: ec2.ISecurityGroup[];
 }
 
 /**
@@ -366,6 +377,7 @@ export class BucketDeployment extends Construct {
       ephemeralStorageSize: props.ephemeralStorageSize,
       vpc: props.vpc,
       vpcSubnets: props.vpcSubnets,
+      securityGroups: props.securityGroups ? props.securityGroups : undefined,
       filesystem: accessPoint ? lambda.FileSystem.fromEfsAccessPoint(
         accessPoint,
         mountPath,

packages/aws-cdk-lib/aws-s3-deployment/test/bucket-deployment.test.ts

@@ -1123,6 +1123,36 @@ test('deployment allows vpc and subnets to be implicitly supplied to lambda', ()
   });
 });
 
+test('deployment allows security groups to be explicitly supplied to lambda', () => {
+  // GIVEN
+  const stack = new cdk.Stack();
+  const bucket = new s3.Bucket(stack, 'Dest');
+  const vpc = new ec2.Vpc(stack, 'SomeVpc', {});
+  const securityGroup = new ec2.SecurityGroup(stack, 'SomeSecurityGroup', { vpc });
+
+  // WHEN
+  new s3deploy.BucketDeployment(stack, 'DeployWithVpc1', {
+    sources: [s3deploy.Source.asset(path.join(__dirname, 'my-website'))],
+    destinationBucket: bucket,
+    vpc,
+    securityGroups: [securityGroup],
+  });
+
+  // THEN
+  Template.fromStack(stack).hasResourceProperties('AWS::Lambda::Function', {
+    VpcConfig: Match.objectLike({
+      SecurityGroupIds: Match.arrayWith([
+        {
+          'Fn::GetAtt': Match.arrayWith([
+            Match.stringLikeRegexp('SomeSecurityGroup'), // Matches dynamically generated SG name
+            'GroupId',
+          ]),
+        },
+      ]),
+    }),
+  });
+});
+
 test('s3 deployment bucket is identical to destination bucket', () => {
   // GIVEN
   const stack = new cdk.Stack();

packages/aws-cdk/lib/cli/parse-command-line-arguments.ts

@@ -733,7 +733,7 @@ export function parseCommandLineArguments(args: Array<string>): any {
           type: 'string',
           alias: 'l',
           desc: 'The language to be used for the new project (default can be configured in ~/.cdk.json)',
-          choices: ['csharp', 'fsharp', 'go', 'java', 'javascript', 'python', 'typescript'],
+          choices: ['app.iml', 'csharp', 'fsharp', 'go', 'java', 'javascript', 'python', 'typescript'],
         })
         .option('list', {
           default: undefined,