PLT-503: added optional key prefix and suffix for bucket event notifi…

…cations (#1)
techfromsage · Mar 18, 2024 · 8e4b0e7 · 8e4b0e7
1 parent 91df838
commit 8e4b0e7
Showing 1 changed file with 14 additions and 4 deletions.
diff --git a/src/index.ts b/src/index.ts
@@ -32,7 +32,7 @@ import {
   EventBridgeDestination,
   SqsDestination,
 } from 'aws-cdk-lib/aws-lambda-destinations';
-import { Bucket, BucketEncryption, EventType, IBucket, ObjectOwnership } from 'aws-cdk-lib/aws-s3';
+import { Bucket, BucketEncryption, EventType, IBucket, ObjectOwnership, NotificationKeyFilter } from 'aws-cdk-lib/aws-s3';
 import { LambdaDestination } from 'aws-cdk-lib/aws-s3-notifications';
 import { Queue, QueueEncryption } from 'aws-cdk-lib/aws-sqs';
 import { Construct } from 'constructs';
@@ -51,6 +51,11 @@ export interface ServerlessClamscanLoggingProps {
   readonly logsPrefix?: string;
 }
 
+export interface BucketEventNotificationProps {
+  readonly bucketName: string;
+  readonly notificationKeyFilters?: NotificationKeyFilter[];
+}
+
 /**
  * Interface for creating a ServerlessClamscan.
  */
@@ -59,6 +64,10 @@ export interface ServerlessClamscanProps {
    * An optional list of S3 buckets to configure for ClamAV Virus Scanning; buckets can be added later by calling addSourceBucket.
    */
   readonly buckets?: IBucket[];
+  /**
+   * An optional list of additional S3 buckets properties for creating event notifications
+   */
+  readonly bucketsEventNotificationOptions?: BucketEventNotificationProps[];
   /**
    * Optionally set a reserved concurrency for the virus scanning Lambda.
    * @see https://docs.aws.amazon.com/lambda/latest/operatorguide/reserved-concurrency.html
@@ -482,10 +491,10 @@ export class ServerlessClamscan extends Construct {
         FnName: download_defs.functionName,
       },
     });
-
     if (props.buckets) {
       props.buckets.forEach((bucket) => {
-        this.addSourceBucket(bucket);
+        const bucketEventNotificationOptions = props.bucketsEventNotificationOptions?.find(x => x.bucketName === bucket.bucketName);
+        this.addSourceBucket(bucket, bucketEventNotificationOptions);
       });
     }
   }
@@ -544,10 +553,11 @@ export class ServerlessClamscan extends Construct {
      Adds a bucket policy to disallow GetObject operations on files that are tagged 'IN PROGRESS', 'INFECTED', or 'ERROR'.
    * @param bucket The bucket to add the scanning bucket policy and s3:ObjectCreate* trigger to.
    */
-  addSourceBucket(bucket: IBucket) {
+  addSourceBucket(bucket: IBucket, bucketEventNotificationOptions?: BucketEventNotificationProps) {
     bucket.addEventNotification(
       EventType.OBJECT_CREATED,
       new LambdaDestination(this._scanFunction),
+      ...(bucketEventNotificationOptions?.notificationKeyFilters ?? [])
     );
 
     bucket.grantRead(this._scanFunction);