feat(appconfig): environment deletion protection (#32737)

### Issue # (if applicable)

None

### Reason for this change

AWS AppConfig environment supports [deletion protection](https://docs.aws.amazon.com/appconfig/latest/userguide/deletion-protection.html) and this feature is not configurable from AWS CDK.

### Description of changes

- Add `DeletionProtectionCheck` enum
- Add `deletionProtectionCheck` prop to `EnvironmentOption`

There are two entities, `EnvironmentOptions` and `EnvironmentProps`, where `EnvironmentProps` is designed as an extension of `EnvironmentOptions` with the addition of an `application` prop.

```ts
export interface EnvironmentProps extends EnvironmentOptions {
  /**
   * The application to be associated with the environment.
   */
  readonly application: IApplication;
}

abstract class ApplicationBase extends cdk.Resource implements IApplication, IExtensible {
  public addEnvironment(id: string, options: EnvironmentOptions = {}): IEnvironment {
    return new Environment(this, id, {
      application: this,
      ...options,
    });
  }
```
Therefore, the current argument addition has also been made to `EnvironmentOptions`.

### Describe any new or updated permissions being added

None

### Description of how you validated changes

Add both unit and integ test.

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Author: badmintoncryer

packages/@aws-cdk-testing/framework-integ/test/aws-appconfig/test/integ.environment.js.snapshot/appconfigenvironmentDefaultTestDeployAssert75BD28E7.assets.json

@@ -126,6 +126,7 @@
     "ApplicationId": {
      "Ref": "MyApplicationForEnv1F597ED9"
     },
+    "DeletionProtectionCheck": "ACCOUNT_DEFAULT",
     "Description": "This is the environment for integ testing",
     "Monitors": [
      {

packages/@aws-cdk-testing/framework-integ/test/aws-appconfig/test/integ.environment.js.snapshot/aws-appconfig-environment.assets.json

@@ -2,7 +2,7 @@ import { IntegTest } from '@aws-cdk/integ-tests-alpha';
 import { App, Duration, PhysicalName, Stack } from 'aws-cdk-lib';
 import { Alarm, ComparisonOperator, CompositeAlarm, Metric, TreatMissingData } from 'aws-cdk-lib/aws-cloudwatch';
 import { Role, ServicePrincipal, Effect, PolicyStatement, PolicyDocument } from 'aws-cdk-lib/aws-iam';
-import { Application, ConfigurationContent, DeploymentStrategy, Environment, HostedConfiguration, Monitor, RolloutStrategy } from 'aws-cdk-lib/aws-appconfig';
+import { Application, ConfigurationContent, DeletionProtectionCheck, DeploymentStrategy, Environment, HostedConfiguration, Monitor, RolloutStrategy } from 'aws-cdk-lib/aws-appconfig';
 
 const app = new App();
 
@@ -54,6 +54,7 @@ const compositeAlarm = new CompositeAlarm(stack, 'MyCompositeAlarm', {
 const env = new Environment(stack, 'MyEnvironment', {
   application: appForEnv,
   description: 'This is the environment for integ testing',
+  deletionProtectionCheck: DeletionProtectionCheck.ACCOUNT_DEFAULT,
   monitors: [
     Monitor.fromCloudWatchAlarm(alarm),
     Monitor.fromCfnMonitorsProperty({

packages/@aws-cdk-testing/framework-integ/test/aws-appconfig/test/integ.environment.js.snapshot/aws-appconfig-environment.template.json

@@ -96,6 +96,24 @@ const user = new iam.User(this, 'MyUser');
 env.grantReadConfig(user);
 ```
 
+### Deletion Protection Check
+
+You can enable [deletion protection](https://docs.aws.amazon.com/appconfig/latest/userguide/deletion-protection.html) on the environment by setting the `deletionProtectionCheck` property.
+
+- ACCOUNT_DEFAULT: The default setting, which uses account-level deletion protection. To configure account-level deletion protection, use the UpdateAccountSettings API.
+- APPLY: Instructs the deletion protection check to run, even if deletion protection is disabled at the account level. APPLY also forces the deletion protection check to run against resources created in the past hour, which are normally excluded from deletion protection checks.
+- BYPASS: Instructs AWS AppConfig to bypass the deletion protection check and delete an environment even if deletion protection would have otherwise prevented it.
+
+```ts
+declare const application: appconfig.Application;
+declare const alarm: cloudwatch.Alarm;
+declare const compositeAlarm: cloudwatch.CompositeAlarm;
+
+new appconfig.Environment(this, 'MyEnvironment', {
+  application,
+  deletionProtectionCheck: appconfig.DeletionProtectionCheck.APPLY,
+});
+```
 
 ## Deployment Strategy
 

packages/@aws-cdk-testing/framework-integ/test/aws-appconfig/test/integ.environment.js.snapshot/cdk.out

@@ -4,6 +4,7 @@ import { IApplication } from './application';
 import { IConfiguration } from './configuration';
 import { ActionPoint, IEventDestination, ExtensionOptions, IExtension, IExtensible, ExtensibleBase } from './extension';
 import { getHash } from './private/hash';
+import { DeletionProtectionCheck } from './util';
 import * as cloudwatch from '../../aws-cloudwatch';
 import * as iam from '../../aws-iam';
 import { Resource, IResource, Stack, ArnFormat, PhysicalName, Names } from '../../core';
@@ -165,6 +166,13 @@ export interface EnvironmentOptions {
    * @default - No monitors.
    */
   readonly monitors?: Monitor[];
+
+  /**
+   * A property to prevent accidental deletion of active environments.
+   *
+   * @default undefined - AppConfig default is ACCOUNT_DEFAULT
+   */
+  readonly deletionProtectionCheck?: DeletionProtectionCheck;
 }
 
 /**
@@ -309,6 +317,7 @@ export class Environment extends EnvironmentBase {
       applicationId: this.applicationId,
       name: this.name,
       description: this.description,
+      deletionProtectionCheck: props.deletionProtectionCheck,
       monitors: this.monitors?.map((monitor) => {
         return {
           alarmArn: monitor.alarmArn,

packages/@aws-cdk-testing/framework-integ/test/aws-appconfig/test/integ.environment.js.snapshot/integ.json

@@ -3,6 +3,7 @@ export * from './deployment-strategy';
 export * from './extension';
 export * from './application';
 export * from './configuration';
+export * from './util';
 
 // AWS::AppConfig CloudFormation Resources:
 export * from './appconfig.generated';

packages/@aws-cdk-testing/framework-integ/test/aws-appconfig/test/integ.environment.js.snapshot/manifest.json

@@ -0,0 +1,25 @@
+/**
+ * The deletion protection check options.
+ */
+export enum DeletionProtectionCheck {
+  /**
+   * The default setting,
+   * which uses account-level deletion protection. To configure account-level deletion protection, use the UpdateAccountSettings API.
+   */
+  ACCOUNT_DEFAULT = 'ACCOUNT_DEFAULT',
+
+  /**
+   * Instructs the deletion protection check to run,
+   * even if deletion protection is disabled at the account level.
+   *
+   * APPLY also forces the deletion protection check to run against resources created in the past hour,
+   * which are normally excluded from deletion protection checks.
+   */
+  APPLY = 'APPLY',
+
+  /**
+   * Instructs AWS AppConfig to bypass the deletion protection check and delete an environment or a configuration profile
+   * even if deletion protection would have otherwise prevented it.
+   */
+  BYPASS = 'BYPASS',
+}

packages/@aws-cdk-testing/framework-integ/test/aws-appconfig/test/integ.environment.js.snapshot/tree.json

@@ -2,7 +2,7 @@ import { Template } from '../../assertions';
 import { Alarm, CompositeAlarm, Metric } from '../../aws-cloudwatch';
 import * as iam from '../../aws-iam';
 import * as cdk from '../../core';
-import { Application, ConfigurationContent, Environment, HostedConfiguration, Monitor } from '../lib';
+import { Application, ConfigurationContent, DeletionProtectionCheck, Environment, HostedConfiguration, Monitor } from '../lib';
 
 describe('environment', () => {
   test('default environment', () => {
@@ -20,6 +20,27 @@ describe('environment', () => {
     });
   });
 
+  test.each([
+    DeletionProtectionCheck.ACCOUNT_DEFAULT,
+    DeletionProtectionCheck.APPLY,
+    DeletionProtectionCheck.BYPASS,
+  ])('environment with deletion protection check', (deletionProtectionCheck) => {
+    const stack = new cdk.Stack();
+    const app = new Application(stack, 'MyAppConfig');
+    new Environment(stack, 'MyEnvironment', {
+      application: app,
+      deletionProtectionCheck,
+    });
+
+    Template.fromStack(stack).hasResourceProperties('AWS::AppConfig::Environment', {
+      Name: 'MyEnvironment',
+      ApplicationId: {
+        Ref: 'MyAppConfigB4B63E75',
+      },
+      DeletionProtectionCheck: deletionProtectionCheck,
+    });
+  });
+
   test('environment with name', () => {
     const stack = new cdk.Stack();
     const app = new Application(stack, 'MyAppConfig');