From 8e4b0e78464a8c0aadd91c15e2f358852d81a1a1 Mon Sep 17 00:00:00 2001
From: nemanja-kovacevic-thinkit
 <159933010+nemanja-kovacevic-thinkit@users.noreply.github.com>
Date: Mon, 18 Mar 2024 15:57:49 +0100
Subject: [PATCH] PLT-503: added optional key prefix and suffix for bucket
 event notifications (#1)

---
 src/index.ts | 18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)

diff --git a/src/index.ts b/src/index.ts
index d0e3b40a..fe3b765f 100644
--- a/src/index.ts
+++ b/src/index.ts
@@ -32,7 +32,7 @@ import {
   EventBridgeDestination,
   SqsDestination,
 } from 'aws-cdk-lib/aws-lambda-destinations';
-import { Bucket, BucketEncryption, EventType, IBucket, ObjectOwnership } from 'aws-cdk-lib/aws-s3';
+import { Bucket, BucketEncryption, EventType, IBucket, ObjectOwnership, NotificationKeyFilter } from 'aws-cdk-lib/aws-s3';
 import { LambdaDestination } from 'aws-cdk-lib/aws-s3-notifications';
 import { Queue, QueueEncryption } from 'aws-cdk-lib/aws-sqs';
 import { Construct } from 'constructs';
@@ -51,6 +51,11 @@ export interface ServerlessClamscanLoggingProps {
   readonly logsPrefix?: string;
 }
 
+export interface BucketEventNotificationProps {
+  readonly bucketName: string;
+  readonly notificationKeyFilters?: NotificationKeyFilter[];
+}
+
 /**
  * Interface for creating a ServerlessClamscan.
  */
@@ -59,6 +64,10 @@ export interface ServerlessClamscanProps {
    * An optional list of S3 buckets to configure for ClamAV Virus Scanning; buckets can be added later by calling addSourceBucket.
    */
   readonly buckets?: IBucket[];
+  /**
+   * An optional list of additional S3 buckets properties for creating event notifications
+   */
+  readonly bucketsEventNotificationOptions?: BucketEventNotificationProps[];
   /**
    * Optionally set a reserved concurrency for the virus scanning Lambda.
    * @see https://docs.aws.amazon.com/lambda/latest/operatorguide/reserved-concurrency.html
@@ -482,10 +491,10 @@ export class ServerlessClamscan extends Construct {
         FnName: download_defs.functionName,
       },
     });
-
     if (props.buckets) {
       props.buckets.forEach((bucket) => {
-        this.addSourceBucket(bucket);
+        const bucketEventNotificationOptions = props.bucketsEventNotificationOptions?.find(x => x.bucketName === bucket.bucketName);
+        this.addSourceBucket(bucket, bucketEventNotificationOptions);
       });
     }
   }
@@ -544,10 +553,11 @@ export class ServerlessClamscan extends Construct {
      Adds a bucket policy to disallow GetObject operations on files that are tagged 'IN PROGRESS', 'INFECTED', or 'ERROR'.
    * @param bucket The bucket to add the scanning bucket policy and s3:ObjectCreate* trigger to.
    */
-  addSourceBucket(bucket: IBucket) {
+  addSourceBucket(bucket: IBucket, bucketEventNotificationOptions?: BucketEventNotificationProps) {
     bucket.addEventNotification(
       EventType.OBJECT_CREATED,
       new LambdaDestination(this._scanFunction),
+      ...(bucketEventNotificationOptions?.notificationKeyFilters ?? [])
     );
 
     bucket.grantRead(this._scanFunction);