Create reusable construct for S3 Lambda notifications using custom resources

Author: kris-szlapa

packages/cdk/constructs/S3LambdaNotification.ts

@@ -0,0 +1,88 @@
+import {Construct} from "constructs"
+import {Duration} from "aws-cdk-lib"
+import {PolicyStatement} from "aws-cdk-lib/aws-iam"
+import {Bucket} from "aws-cdk-lib/aws-s3"
+import {Function as LambdaFunction} from "aws-cdk-lib/aws-lambda"
+import {AwsCustomResource, AwsCustomResourcePolicy, PhysicalResourceId} from "aws-cdk-lib/custom-resources"
+
+export interface S3LambdaNotificationProps {
+  bucket: Bucket
+  lambdaFunction: LambdaFunction
+  events?: Array<string>
+}
+
+export class S3LambdaNotification extends Construct {
+  constructor(scope: Construct, id: string, props: S3LambdaNotificationProps) {
+    super(scope, id)
+
+    const events = props.events ?? ["s3:ObjectCreated:*"]
+
+    // Create S3 bucket notification using custom resource
+    new AwsCustomResource(this, "BucketNotification", {
+      onCreate: {
+        service: "S3",
+        action: "putBucketNotificationConfiguration",
+        parameters: {
+          Bucket: props.bucket.bucketName,
+          NotificationConfiguration: {
+            LambdaConfigurations: [{
+              Id: "LambdaNotification",
+              LambdaFunctionArn: props.lambdaFunction.functionArn,
+              Events: events
+            }]
+          }
+        },
+        physicalResourceId: PhysicalResourceId.of(`${props.bucket.bucketName}-notification`)
+      },
+      onDelete: {
+        service: "S3",
+        action: "putBucketNotificationConfiguration",
+        parameters: {
+          Bucket: props.bucket.bucketName,
+          NotificationConfiguration: {}
+        }
+      },
+      policy: AwsCustomResourcePolicy.fromStatements([
+        new PolicyStatement({
+          actions: ["s3:PutBucketNotification", "s3:GetBucketNotification"],
+          resources: [props.bucket.bucketArn]
+        }),
+        new PolicyStatement({
+          actions: ["lambda:AddPermission", "lambda:RemovePermission"],
+          resources: [props.lambdaFunction.functionArn]
+        })
+      ]),
+      timeout: Duration.minutes(5)
+    })
+
+    // Add Lambda permission for S3 to invoke the function
+    new AwsCustomResource(this, "LambdaPermission", {
+      onCreate: {
+        service: "Lambda",
+        action: "addPermission",
+        parameters: {
+          FunctionName: props.lambdaFunction.functionName,
+          StatementId: "S3InvokePermission",
+          Action: "lambda:InvokeFunction",
+          Principal: "s3.amazonaws.com",
+          SourceArn: props.bucket.bucketArn
+        },
+        physicalResourceId: PhysicalResourceId.of(`${props.lambdaFunction.functionName}-s3-permission`)
+      },
+      onDelete: {
+        service: "Lambda",
+        action: "removePermission",
+        parameters: {
+          FunctionName: props.lambdaFunction.functionName,
+          StatementId: "S3InvokePermission"
+        }
+      },
+      policy: AwsCustomResourcePolicy.fromStatements([
+        new PolicyStatement({
+          actions: ["lambda:AddPermission", "lambda:RemovePermission"],
+          resources: [props.lambdaFunction.functionArn]
+        })
+      ])
+    })
+  }
+}

packages/cdk/nagSuppressions.ts

@@ -214,60 +214,35 @@ export const nagSuppressions = (stack: Stack) => {
     ]
   )
 
-  // Suppress AWS managed policy usage in BucketNotificationsHandler
+  // Suppress custom resource IAM permissions for S3 Lambda notification
   safeAddNagSuppression(
     stack,
-    "/EpsAssistMeStack/BucketNotificationsHandler050a0587b7544547bf325f094a3db834/Role/Resource",
+    "/EpsAssistMeStack/S3ToSyncKnowledgeBase/BucketNotification/CustomResourcePolicy/Resource",
     [
       {
-        id: "AwsSolutions-IAM4",
-        reason: "Auto-generated CDK role uses AWS managed policy for basic Lambda execution.",
+        id: "AwsSolutions-IAM5",
+        reason: "Custom resource requires wildcard permissions to manage S3 bucket notifications and Lambda permissions.",
         appliesTo: [
-          "Policy::arn:<AWS::Partition>:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
+          "Resource::*"
         ]
       }
     ]
   )
 
-  // Suppress wildcard permissions for BucketNotificationsHandler default policy
   safeAddNagSuppression(
     stack,
-    "/EpsAssistMeStack/BucketNotificationsHandler050a0587b7544547bf325f094a3db834/Role/DefaultPolicy/Resource",
+    "/EpsAssistMeStack/S3ToSyncKnowledgeBase/LambdaPermission/CustomResourcePolicy/Resource",
     [
       {
         id: "AwsSolutions-IAM5",
-        reason: "Auto-generated CDK role requires wildcard permissions for S3 bucket notifications.",
+        reason: "Custom resource requires wildcard permissions to manage Lambda permissions.",
         appliesTo: [
           "Resource::*"
         ]
       }
     ]
   )
 
-  // Suppress Lambda function public access for S3 service principal
-  safeAddNagSuppression(
-    stack,
-    "/EpsAssistMeStack/S3ToSyncKnowledgeBaseLambdaPermission",
-    [
-      {
-        id: "LAMBDA_FUNCTION_PUBLIC_ACCESS_PROHIBITED",
-        reason: "S3 service principal access is required for bucket notifications to trigger Lambda function."
-      }
-    ]
-  )
-
-  // Suppress Lambda function public access for S3 bucket notifications
-  safeAddNagSuppression(
-    stack,
-    `/EpsAssistMeStack/Storage/DocsBucket/${stackName}-Docs/AllowBucketNotificationsToEpsAssistMeStackFunctionsSyncKnowledgeBaseFunctionepsamSyncKnowledgeBaseFunction94D011F3`,
-    [
-      {
-        id: "LAMBDA_FUNCTION_PUBLIC_ACCESS_PROHIBITED",
-        reason: "S3 service principal access is required for bucket notifications to trigger Lambda function."
-      }
-    ]
-  )
-
   // Suppress Lambda function public access for API Gateway permissions
   safeAddNagSuppression(
     stack,

packages/cdk/stacks/EpsAssistMeStack.ts

@@ -4,8 +4,6 @@ import {
   StackProps,
   CfnOutput
 } from "aws-cdk-lib"
-import {EventType} from "aws-cdk-lib/aws-s3"
-import {LambdaDestination} from "aws-cdk-lib/aws-s3-notifications"
 import {nagSuppressions} from "../nagSuppressions"
 import {Apis} from "../resources/Apis"
 import {Functions} from "../resources/Functions"
@@ -15,6 +13,7 @@ import {OpenSearchResources} from "../resources/OpenSearchResources"
 import {VectorKnowledgeBaseResources} from "../resources/VectorKnowledgeBaseResources"
 import {IamResources} from "../resources/IamResources"
 import {VectorIndex} from "../resources/VectorIndex"
+import {S3LambdaNotification} from "../constructs/S3LambdaNotification"
 
 const VECTOR_INDEX_NAME = "eps-assist-os-index"
 
@@ -133,12 +132,6 @@ export class EpsAssistMeStack extends Stack {
       vectorKB.dataSource.attrDataSourceId
     )
 
-    // Add S3 event notification to trigger sync function
-    storage.kbDocsBucket.bucket.addEventNotification(
-      EventType.OBJECT_CREATED,
-      new LambdaDestination(functions.functions.syncKnowledgeBase.function)
-    )
-
     // Create Apis and pass the Lambda function
     const apis = new Apis(this, "Apis", {
       stackName: props.stackName,
@@ -149,6 +142,12 @@ export class EpsAssistMeStack extends Stack {
       }
     })
 
+    // Setup S3 to Lambda notification
+    new S3LambdaNotification(this, "S3ToSyncKnowledgeBase", {
+      bucket: storage.kbDocsBucket.bucket,
+      lambdaFunction: functions.functions.syncKnowledgeBase.function
+    })
+
     // Output: SlackBot Endpoint
     new CfnOutput(this, "SlackBotEndpoint", {
       value: `https://${apis.apis["api"].api.domainName?.domainName}/slack/ask-eps`