aws
diff --git a/‎package.json
Lines changed: 2 additions & 2 deletions b/‎package.json
Lines changed: 2 additions & 2 deletions
diff --git a/‎packages/@aws-cdk/aws-apigatewayv2-authorizers/package.json
Lines changed: 1 addition & 1 deletion b/‎packages/@aws-cdk/aws-apigatewayv2-authorizers/package.json
Lines changed: 1 addition & 1 deletion
diff --git a/‎packages/@aws-cdk/aws-autoscaling/README.md
Lines changed: 26 additions & 0 deletions b/‎packages/@aws-cdk/aws-autoscaling/README.md
Lines changed: 26 additions & 0 deletions
diff --git a/‎packages/@aws-cdk/aws-autoscaling/lib/auto-scaling-group.ts
Lines changed: 12 additions & 0 deletions b/‎packages/@aws-cdk/aws-autoscaling/lib/auto-scaling-group.ts
Lines changed: 12 additions & 0 deletions
diff --git a/‎packages/@aws-cdk/aws-autoscaling/lib/index.ts
Lines changed: 2 additions & 1 deletion b/‎packages/@aws-cdk/aws-autoscaling/lib/index.ts
Lines changed: 2 additions & 1 deletion
diff --git a/‎packages/@aws-cdk/aws-autoscaling/lib/termination-policy.ts
Lines changed: 42 additions & 0 deletions b/‎packages/@aws-cdk/aws-autoscaling/lib/termination-policy.ts
Lines changed: 42 additions & 0 deletions
diff --git a/‎packages/@aws-cdk/aws-autoscaling/test/auto-scaling-group.test.ts
Lines changed: 25 additions & 0 deletions b/‎packages/@aws-cdk/aws-autoscaling/test/auto-scaling-group.test.ts
Lines changed: 25 additions & 0 deletions
diff --git a/‎packages/@aws-cdk/aws-certificatemanager/lambda-packages/dns_validated_certificate_handler/package.json
Lines changed: 1 addition & 1 deletion b/‎packages/@aws-cdk/aws-certificatemanager/lambda-packages/dns_validated_certificate_handler/package.json
Lines changed: 1 addition & 1 deletion
diff --git a/‎packages/@aws-cdk/aws-cloudformation/package.json
Lines changed: 1 addition & 1 deletion b/‎packages/@aws-cdk/aws-cloudformation/package.json
Lines changed: 1 addition & 1 deletion
diff --git a/‎packages/@aws-cdk/aws-cloudfront-origins/lib/s3-origin.ts
Lines changed: 9 additions & 10 deletions b/‎packages/@aws-cdk/aws-cloudfront-origins/lib/s3-origin.ts
Lines changed: 9 additions & 10 deletions
@@ -16,6 +16,7 @@
   },
   "devDependencies": {
     "@yarnpkg/lockfile": "^1.1.0",
+    "cdk-generate-synthetic-examples": "^0.1.1",
     "conventional-changelog-cli": "^2.2.2",
     "fs-extra": "^9.1.0",
     "graceful-fs": "^4.2.8",
@@ -27,8 +28,7 @@
     "lerna": "^4.0.0",
     "patch-package": "^6.4.7",
     "standard-version": "^9.3.2",
-    "typescript": "~3.9.10",
-    "cdk-generate-synthetic-examples": "^0.1.1"
+    "typescript": "~3.9.10"
   },
   "resolutions": {
     "string-width": "^4.2.3"
 
@@ -85,7 +85,7 @@
     "@aws-cdk/cdk-build-tools": "0.0.0",
     "@aws-cdk/cdk-integ-tools": "0.0.0",
     "@aws-cdk/pkglint": "0.0.0",
-    "@types/aws-lambda": "^8.10.88",
+    "@types/aws-lambda": "^8.10.89",
     "@types/jest": "^27.0.3"
   },
   "dependencies": {
 
@@ -400,6 +400,32 @@ new autoscaling.AutoScalingGroup(this, 'ASG', {
 });
 ```
 
+## Termination policies
+
+Auto Scaling uses [termination policies](https://docs.aws.amazon.com/autoscaling/ec2/userguide/as-instance-termination.html)
+to determine which instances it terminates first during scale-in events. You
+can specify one or more termination policies with the `terminationPolicies`
+property:
+
+```ts
+declare const vpc: ec2.Vpc;
+declare const instanceType: ec2.InstanceType;
+declare const machineImage: ec2.IMachineImage;
+
+new autoscaling.AutoScalingGroup(this, 'ASG', {
+  vpc,
+  instanceType,
+  machineImage,
+
+  // ...
+
+  terminationPolicies: [
+    autoscaling.TerminationPolicy.OLDEST_INSTANCE,
+    autoscaling.TerminationPolicy.DEFAULT,
+  ],
+});
+```
+
 ## Protecting new instances from being terminated on scale-in
 
 By default, Auto Scaling can terminate an instance at any time after launch when
 
@@ -21,6 +21,7 @@ import { BasicLifecycleHookProps, LifecycleHook } from './lifecycle-hook';
 import { BasicScheduledActionProps, ScheduledAction } from './scheduled-action';
 import { BasicStepScalingPolicyProps, StepScalingPolicy } from './step-scaling-policy';
 import { BaseTargetTrackingProps, PredefinedMetric, TargetTrackingScalingPolicy } from './target-tracking-scaling-policy';
+import { TerminationPolicy } from './termination-policy';
 import { BlockDevice, BlockDeviceVolume, EbsDeviceVolumeType } from './volume';
 
 /**
@@ -314,6 +315,16 @@ export interface CommonAutoScalingGroupProps {
    * @default - Auto generated by CloudFormation
    */
   readonly autoScalingGroupName?: string;
+
+  /**
+   * A policy or a list of policies that are used to select the instances to
+   * terminate. The policies are executed in the order that you list them.
+   *
+   * @see https://docs.aws.amazon.com/autoscaling/ec2/userguide/as-instance-termination.html
+   *
+   * @default - `TerminationPolicy.DEFAULT`
+   */
+  readonly terminationPolicies?: TerminationPolicy[];
 }
 
 /**
@@ -1052,6 +1063,7 @@ export class AutoScalingGroup extends AutoScalingGroupBase implements
       healthCheckGracePeriod: props.healthCheck && props.healthCheck.gracePeriod && props.healthCheck.gracePeriod.toSeconds(),
       maxInstanceLifetime: this.maxInstanceLifetime ? this.maxInstanceLifetime.toSeconds() : undefined,
       newInstancesProtectedFromScaleIn: Lazy.any({ produce: () => this.newInstancesProtectedFromScaleIn }),
+      terminationPolicies: props.terminationPolicies,
     };
 
     if (!hasPublic && props.associatePublicIpAddress) {
 
@@ -7,7 +7,8 @@ export * from './scheduled-action';
 export * from './step-scaling-action';
 export * from './step-scaling-policy';
 export * from './target-tracking-scaling-policy';
+export * from './termination-policy';
 export * from './volume';
 
 // AWS::AutoScaling CloudFormation Resources:
-export * from './autoscaling.generated';
+export * from './autoscaling.generated';
@@ -0,0 +1,42 @@
+/**
+ * Specifies the termination criteria to apply before Amazon EC2 Auto Scaling
+ * chooses an instance for termination.
+ */
+export enum TerminationPolicy {
+  /**
+   * Terminate instances in the Auto Scaling group to align the remaining
+   * instances to the allocation strategy for the type of instance that is
+   * terminating (either a Spot Instance or an On-Demand Instance).
+   */
+  ALLOCATION_STRATEGY = 'AllocationStrategy',
+
+  /**
+   * Terminate instances that are closest to the next billing hour.
+   */
+  CLOSEST_TO_NEXT_INSTANCE_HOUR = 'ClosestToNextInstanceHour',
+
+  /**
+   * Terminate instances according to the default termination policy.
+   */
+  DEFAULT = 'Default',
+
+  /**
+   * Terminate the newest instance in the group.
+   */
+  NEWEST_INSTANCE = 'NewestInstance',
+
+  /**
+   * Terminate the oldest instance in the group.
+   */
+  OLDEST_INSTANCE = 'OldestInstance',
+
+  /**
+   * Terminate instances that have the oldest launch configuration.
+   */
+  OLDEST_LAUNCH_CONFIGURATION = 'OldestLaunchConfiguration',
+
+  /**
+   * Terminate instances that have the oldest launch template.
+   */
+  OLDEST_LAUNCH_TEMPLATE = 'OldestLaunchTemplate',
+}
@@ -1382,6 +1382,31 @@ describe('auto scaling group', () => {
       },
     });
   });
+
+  test('supports termination policies', () => {
+    // GIVEN
+    const stack = new cdk.Stack();
+    const vpc = mockVpc(stack);
+
+    // WHEN
+    new autoscaling.AutoScalingGroup(stack, 'MyASG', {
+      vpc,
+      instanceType: new ec2.InstanceType('t2.micro'),
+      machineImage: ec2.MachineImage.latestAmazonLinux(),
+      terminationPolicies: [
+        autoscaling.TerminationPolicy.OLDEST_INSTANCE,
+        autoscaling.TerminationPolicy.DEFAULT,
+      ],
+    });
+
+    // THEN
+    expect(stack).toHaveResource('AWS::AutoScaling::AutoScalingGroup', {
+      TerminationPolicies: [
+        'OldestInstance',
+        'Default',
+      ],
+    });
+  });
 });
 
 function mockVpc(stack: cdk.Stack) {
 
@@ -29,7 +29,7 @@
   },
   "license": "Apache-2.0",
   "devDependencies": {
-    "@types/aws-lambda": "^8.10.88",
+    "@types/aws-lambda": "^8.10.89",
     "@types/sinon": "^9.0.11",
     "@aws-cdk/cdk-build-tools": "0.0.0",
     "aws-sdk": "^2.596.0",
 
@@ -79,7 +79,7 @@
     "@aws-cdk/cdk-integ-tools": "0.0.0",
     "@aws-cdk/cfn2ts": "0.0.0",
     "@aws-cdk/pkglint": "0.0.0",
-    "@types/aws-lambda": "^8.10.88",
+    "@types/aws-lambda": "^8.10.89",
     "@types/jest": "^27.0.3",
     "jest": "^27.4.5"
   },
 
@@ -73,17 +73,16 @@ class S3BucketOrigin extends cloudfront.OriginBase {
       this.originAccessIdentity = new cloudfront.OriginAccessIdentity(oaiScope, oaiId, {
         comment: `Identity for ${options.originId}`,
       });
-
-      // Used rather than `grantRead` because `grantRead` will grant overly-permissive policies.
-      // Only GetObject is needed to retrieve objects for the distribution.
-      // This also excludes KMS permissions; currently, OAI only supports SSE-S3 for buckets.
-      // Source: https://aws.amazon.com/blogs/networking-and-content-delivery/serving-sse-kms-encrypted-content-from-s3-using-cloudfront/
-      this.bucket.addToResourcePolicy(new iam.PolicyStatement({
-        resources: [this.bucket.arnForObjects('*')],
-        actions: ['s3:GetObject'],
-        principals: [this.originAccessIdentity.grantPrincipal],
-      }));
     }
+    // Used rather than `grantRead` because `grantRead` will grant overly-permissive policies.
+    // Only GetObject is needed to retrieve objects for the distribution.
+    // This also excludes KMS permissions; currently, OAI only supports SSE-S3 for buckets.
+    // Source: https://aws.amazon.com/blogs/networking-and-content-delivery/serving-sse-kms-encrypted-content-from-s3-using-cloudfront/
+    this.bucket.addToResourcePolicy(new iam.PolicyStatement({
+      resources: [this.bucket.arnForObjects('*')],
+      actions: ['s3:GetObject'],
+      principals: [this.originAccessIdentity.grantPrincipal],
+    }));
     return super.bind(scope, options);
   }