
(s3-deployment): Add securityGroups to BucketDeploymentProps #33229

Open
1 of 2 tasks
drduhe opened this issue Jan 29, 2025 · 2 comments · May be fixed by #33233
Labels
@aws-cdk/aws-s3-deployment effort/medium Medium work item – several days of effort feature-request A feature should be added or improved. p2

Comments

@drduhe

drduhe commented Jan 29, 2025

Describe the feature

Allow users to specify custom security groups through BucketDeploymentProps for enhanced network control. This enhancement ensures that teams operating in restricted environments can safely use BucketDeployment while maintaining strict security controls. 🚀

Use Case

The BucketDeployment construct in AWS CDK allows deploying assets to S3 buckets, often requiring a Lambda function to perform the deployment. Currently, users can specify a custom VPC via BucketDeploymentProps, ensuring the deployment happens within a restricted network.

However, many organizations require more granular network security control. While specifying a VPC is helpful, allowing custom security groups would enable teams to define specific ingress/egress rules, meeting stricter compliance and security requirements.

Proposed Solution

Modify BucketDeploymentProps in bucket-deployment.ts to include an optional securityGroups property.

1. Extend BucketDeploymentProps

```ts
import * as ec2 from 'aws-cdk-lib/aws-ec2';

export interface BucketDeploymentProps {
    ...
    readonly vpc?: ec2.IVpc;
    readonly securityGroups?: ec2.ISecurityGroup[]; // New property: groups attached to the deployment Lambda's ENIs
}
```

2. Pass securityGroups to the deployment Lambda

Modify the BucketDeployment constructor to ensure the security groups are assigned when the Lambda function is created.

```ts
import * as cdk from 'aws-cdk-lib';
import * as lambda from 'aws-cdk-lib/aws-lambda';
import { Construct } from 'constructs';

// CDK v2: the base class comes from 'constructs', not cdk.Construct
export class BucketDeployment extends Construct {
  constructor(scope: Construct, id: string, props: BucketDeploymentProps) {
    ...
    const handler = new lambda.SingletonFunction(this, 'CustomResourceHandler', {
      uuid: this.renderSingletonUuid(props.memoryLimit),
      code: lambda.Code.fromAsset(handlerCodeBundle, { assetHash }),
      runtime: lambda.Runtime.PYTHON_3_6,
      handler: 'index.handler',
      lambdaPurpose: 'Custom::CDKBucketDeployment',
      timeout: cdk.Duration.minutes(15),
      role: props.role,
      memorySize: props.memoryLimit,
      vpc: props.vpc,
      securityGroups: props.securityGroups, // Pass security groups here
    });
    ...
  }
}
```

3. Allow Users to Define Security Groups in BucketDeployment

Developers should be able to instantiate BucketDeployment with explicitly defined security groups.

```ts
// The security group must live in the same VPC the deployment Lambda is placed in
const securityGroup = new ec2.SecurityGroup(this, 'CustomSecurityGroup', { vpc: customVpc });

new s3deployment.BucketDeployment(this, 'IFA-Cloud-Frontend-Deploy', {
    destinationBucket: bucket,
    vpc: customVpc,
    securityGroups: [securityGroup],  // Set custom security group
    sources: [
        s3deployment.Source.asset('../frontend', {
            bundling: {
                image: cdk.BundlingDockerImage.fromRegistry(`${env?.account}.dkr.ecr.${env?.region}.amazonaws.com/node:latest`),
                command: [
                    'bash', '-c', [
                        'npm i',
                        `export REACT_APP_API_URL=${apiUrl}`,
                        'npm run build',
                        'cp -r /asset-input/build/* /asset-output/',
                    ].join(' && '),
                ],
            },
        }),
    ],
});
```

Other Information

No response

Acknowledgements

  • I may be able to implement this feature request
  • This feature might incur a breaking change

CDK version used

2.177.0

Environment details (OS name and version, etc.)

MacOS Sequoia 15.2
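An added example (not code from the aws-cdk project or from the issue author) showing the validation a construct should perform before handing a user-supplied `securityGroups` list to its deployment Lambda. It runs without aws-cdk-lib: the `Vpc` and `SecurityGroup` interfaces are minimal stand-ins for `ec2.IVpc` and `ec2.ISecurityGroup`, and the `resolveVpcConfig` function is hypothetical. It reproduces the guard that `lambda.Function` already applies (security groups cannot be set without a VPC) and adds two checks assumed useful for this feature: every group must belong to the same VPC as the function, and groups with unrestricted egress are reported so that a "restricted network" deployment that is not actually restricted gets noticed at synth time rather than in an audit.

```typescript
// Minimal stand-ins for ec2.IVpc / ec2.ISecurityGroup (assumption: only the
// fields this check needs are modelled).
interface Vpc {
  readonly vpcId: string;
}

interface SecurityGroup {
  readonly securityGroupId: string;
  readonly vpc: Vpc;                 // VPC the group was created in
  readonly allowAllOutbound: boolean; // true = default "allow all egress" rule present
}

// The two network-related props from the proposed BucketDeploymentProps.
interface DeploymentNetworkProps {
  readonly vpc?: Vpc;
  readonly securityGroups?: SecurityGroup[];
}

interface ResolvedVpcConfig {
  readonly vpcId: string;
  // IDs handed to the Lambda's VpcConfig. An empty list means "let the
  // construct create its default group", which is what lambda.Function does
  // when a VPC is given without security groups.
  readonly securityGroupIds: string[];
  readonly warnings: string[];
}

// Hypothetical helper: validates props and returns what would be passed on
// to the deployment Lambda, or undefined when the function is not VPC-attached.
function resolveVpcConfig(props: DeploymentNetworkProps): ResolvedVpcConfig | undefined {
  const groups = props.securityGroups ?? [];

  if (!props.vpc) {
    // Same rule lambda.Function enforces: groups are meaningless without a
    // VPC, so fail loudly instead of silently dropping them.
    if (groups.length > 0) {
      throw new Error("Cannot configure 'securityGroups' without configuring a VPC");
    }
    return undefined;
  }

  const vpcId = props.vpc.vpcId;
  const warnings: string[] = [];
  const seen = new Set<string>();

  for (const sg of groups) {
    // A group from another VPC cannot be attached to this function's ENIs.
    if (sg.vpc.vpcId !== vpcId) {
      throw new Error(
        `Security group ${sg.securityGroupId} belongs to ${sg.vpc.vpcId}, ` +
        `but the deployment function is placed in ${vpcId}`,
      );
    }
    if (seen.has(sg.securityGroupId)) {
      throw new Error(`Security group ${sg.securityGroupId} is listed more than once`);
    }
    seen.add(sg.securityGroupId);
    if (sg.allowAllOutbound) {
      warnings.push(
        `Security group ${sg.securityGroupId} allows all outbound traffic; ` +
        'restrict egress (for example to the S3 endpoint) if a locked-down network is the goal',
      );
    }
  }

  return { vpcId, securityGroupIds: [...seen], warnings };
}

// Constructed sample inputs (not real resource IDs).
const vpcA: Vpc = { vpcId: 'vpc-0000aaaa' };
const vpcB: Vpc = { vpcId: 'vpc-0000bbbb' };
const restricted: SecurityGroup = { securityGroupId: 'sg-1111', vpc: vpcA, allowAllOutbound: false };
const wideOpen: SecurityGroup = { securityGroupId: 'sg-2222', vpc: vpcA, allowAllOutbound: true };
const foreign: SecurityGroup = { securityGroupId: 'sg-3333', vpc: vpcB, allowAllOutbound: false };

// Walks the accepted case and the two rejected cases, collecting one line each.
function demo(): string[] {
  const out: string[] = [];
  const ok = resolveVpcConfig({ vpc: vpcA, securityGroups: [restricted, wideOpen] });
  out.push(`attached to ${ok?.vpcId} with ${ok?.securityGroupIds.join(',')}`);
  out.push(...(ok?.warnings ?? []));
  const rejected: DeploymentNetworkProps[] = [
    { securityGroups: [restricted] },          // groups without a VPC
    { vpc: vpcA, securityGroups: [foreign] },  // group from a different VPC
  ];
  for (const bad of rejected) {
    try {
      resolveVpcConfig(bad);
    } catch (e) {
      out.push(`rejected: ${(e as Error).message}`);
    }
  }
  return out;
}

console.log(demo().join('\n'));
```

The same-VPC check matters for the usage shown in the issue: the security group and the `vpc` passed to `BucketDeployment` must refer to the same VPC, otherwise the deployment fails at deploy time with a much less readable error. The egress warning is the defender's-eye addition: the feature's purpose is to restrict the deployment Lambda's network reach, and a group created with CDK's default `allowAllOutbound: true` does not do that.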

@drduhe drduhe added feature-request A feature should be added or improved. needs-triage This issue or PR still needs to be triaged. labels Jan 29, 2025
@pahud
Contributor

pahud commented Jan 30, 2025

Sounds good. Thank you for your PR!

@pahud pahud added p2 effort/medium Medium work item – several days of effort and removed needs-triage This issue or PR still needs to be triaged. labels Jan 30, 2025
@drduhe
Author

drduhe commented Jan 30, 2025

> Sounds good. Thank you for your PR!

@pahud when might I expect my PR to get reviewed and merged? Is there a standard SLA for such things? I appreciate you taking the time to look at this request!
