feat(s3-deployment): support securityGroups in BucketDeploymentProps

[drduhe]

Issue # (if applicable)

closes #33229

Reason for this change

The BucketDeployment construct in AWS CDK allows deploying assets to S3 buckets, often requiring a Lambda function to perform the deployment. Currently, users can specify a custom VPC via BucketDeploymentProps, ensuring the deployment happens within a restricted network.

However, many organizations require more granular network security control. While specifying a VPC is helpful, allowing custom security groups would enable teams to define specific ingress/egress rules, meeting stricter compliance and security requirements.

Description of changes

• Updated BucketDeploymentProps to include an optional securityGroups?: ec2.ISecurityGroup[] property.
• Modified BucketDeployment constructor to pass securityGroups to the Lambda function.
• Ensured backward compatibility by keeping securityGroups optional.
• Updated README to include guidance on setting vpc, vpcSubnets, and securityGroups parameters.

Describe any new or updated permissions being added

N/A

Description of how you validated changes

Added unit tests to the relevant code modules to cover feature usage.

Checklist

• My code adheres to the CONTRIBUTING GUIDE and DESIGN GUIDELINES

---

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

[aws-cdk-automation]

The pull request linter fails with the following errors:

❌ Features must contain a change to an integration test file and the resulting snapshot.

If you believe this pull request should receive an exemption, please comment and provide a justification. A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed, add Clarification Request to a comment.

✅ A exemption request has been requested. Please wait for a maintainer's review.

[drduhe]

Exemption Request - I don't think this requires a change to integration tests, per other similar PR guidance. There is also no integration tests for this module it seems.

[drduhe]

Any traction on getting this one looked at reviewed? I can't see the build logs as to why it is failing.

[aws-cdk-automation]

AWS CodeBuild CI Report

• CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
• Commit ID: e70acf6
• Result: FAILED
• Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 80.84%. Comparing base (fd9462c) to head (e70acf6).
Report is 26 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main   #33233   +/-   ##
=======================================
  Coverage   80.84%   80.84%           
=======================================
  Files         236      236           
  Lines       14230    14230           
  Branches     2487     2487           
=======================================
  Hits        11504    11504           
  Misses       2442     2442           
  Partials      284      284           

Flag	Coverage Δ
suite.unit	80.84% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

Components	Coverage Δ
packages/aws-cdk	79.64% <ø> (ø)
packages/aws-cdk-lib/core	82.14% <ø> (ø)

[pahud]

Any traction on getting this one looked at reviewed? I can't see the build logs as to why it is failing.

The CI is still failing. Looks like this is the start of the failing point

aws-cdk-lib: FAIL aws-s3-deployment/test/bucket-deployment.test.ts (20.454 s)
aws-cdk-lib:   â—� different security groups create different Lambdas and single CLI
aws-cdk-lib:     Cannot find asset at /codebuild/output/src1875233622/src/github.com/aws/aws-cdk/packages/aws-cdk-lib/aws-s3-deployment/test/my-website-2
aws-cdk-lib:       173 |
aws-cdk-lib:       174 |     if (!fs.existsSync(this.sourcePath)) {
aws-cdk-lib:     > 175 |       throw new Error(`Cannot find asset at ${this.sourcePath}`);
aws-cdk-lib:           |             ^
aws-cdk-lib:       176 |     }
aws-cdk-lib:       177 |
aws-cdk-lib:       178 |     this.sourceStats = fs.statSync(this.sourcePath);
aws-cdk-lib:       at new AssetStaging (core/lib/asset-staging.ts:175:13)
aws-cdk-lib:       at new Asset (aws-s3-assets/lib/asset.ts:153:21)
aws-cdk-lib:       at Object.bind (aws-s3-deployment/lib/source.ts:132:23)
aws-cdk-lib:       at bind (aws-s3-deployment/lib/bucket-deployment.ts:395:66)
aws-cdk-lib:           at Array.map (<anonymous>)
aws-cdk-lib:       at new map (aws-s3-deployment/lib/bucket-deployment.ts:395:34)
aws-cdk-lib:       at Object.<anonymous> (aws-s3-deployment/test/bucket-deployment.test.ts:1175:3)

[aaythapa]

Thank you for the PR! The integration tests for this construct is included in this this dir. Could you add integ tests with assertions there? For more info about integ tests you can use this doc

[aaythapa]

really nice README, thanks for adding

[aaythapa]

there's another securityGroup prop?

[aaythapa]

should we throw err if this is supplied without vpc?

[aaythapa]

I'm not too familiar with this area of the codebase. Can you give me a short explainer on what this is doing and why we need it?

[aws-cdk-automation]

This PR has been in the CHANGES REQUESTED state for 3 weeks, and looks abandoned. Note that PRs with failing linting check or builds are not reviewed, please ensure your build is passing

To prevent automatic closure:

• Resume work on the PR
• OR request an exemption by adding a comment containing 'Exemption Request' with justification e.x "Exemption Request: "
• OR request clarification by adding a comment containing 'Clarification Request' with a question e.x "Clarification Request: "

This PR will automatically close in 7 days if no action is taken.