feat(lambda): function log removal policy (#34723)

### Issue # (if applicable)

Closes #34669

### Reason for this change
Support configuring function log removal policy

### Description of changes
Expose log group removal policy to function props

### Describe any new or updated permissions being added




### Description of how you validated changes
Unit + Integ

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Author: phuhung273

packages/@aws-cdk-testing/framework-integ/test/aws-lambda/test/integ.log-retention.js.snapshot/LambdaLogRetentionIntegDefaultTestDeployAssert90E53934.assets.json

@@ -70,7 +70,8 @@
       ]
      ]
     },
-    "RetentionInDays": 7
+    "RetentionInDays": 7,
+    "RemovalPolicy": "destroy"
    }
   },
   "LogRetentionaae0aa3c5b4d4f87b02d85b201efdd8aServiceRole9741ECFB": {
@@ -116,6 +117,84 @@
        ],
        "Effect": "Allow",
        "Resource": "*"
+      },
+      {
+       "Action": "logs:DeleteLogGroup",
+       "Effect": "Allow",
+       "Resource": [
+        {
+         "Fn::Join": [
+          "",
+          [
+           "arn:",
+           {
+            "Ref": "AWS::Partition"
+           },
+           ":logs:",
+           {
+            "Ref": "AWS::Region"
+           },
+           ":",
+           {
+            "Ref": "AWS::AccountId"
+           },
+           ":log-group:/aws/lambda/",
+           {
+            "Ref": "OneMonth64E966BF"
+           },
+           ":*"
+          ]
+         ]
+        },
+        {
+         "Fn::Join": [
+          "",
+          [
+           "arn:",
+           {
+            "Ref": "AWS::Partition"
+           },
+           ":logs:",
+           {
+            "Ref": "AWS::Region"
+           },
+           ":",
+           {
+            "Ref": "AWS::AccountId"
+           },
+           ":log-group:/aws/lambda/",
+           {
+            "Ref": "OneWeekFE56F6A4"
+           },
+           ":*"
+          ]
+         ]
+        },
+        {
+         "Fn::Join": [
+          "",
+          [
+           "arn:",
+           {
+            "Ref": "AWS::Partition"
+           },
+           ":logs:",
+           {
+            "Ref": "AWS::Region"
+           },
+           ":",
+           {
+            "Ref": "AWS::AccountId"
+           },
+           ":log-group:/aws/lambda/",
+           {
+            "Ref": "OneYearA82EBDA9"
+           },
+           ":*"
+          ]
+         ]
+        }
+       ]
       }
      ],
      "Version": "2012-10-17"
@@ -230,7 +309,8 @@
       ]
      ]
     },
-    "RetentionInDays": 30
+    "RetentionInDays": 30,
+    "RemovalPolicy": "destroy"
    }
   },
   "OneYearServiceRole24D47762": {
@@ -303,7 +383,8 @@
       ]
      ]
     },
-    "RetentionInDays": 365
+    "RetentionInDays": 365,
+    "RemovalPolicy": "destroy"
    }
   }
  },

packages/@aws-cdk-testing/framework-integ/test/aws-lambda/test/integ.log-retention.js.snapshot/aws-cdk-lambda-log-retention.assets.json

@@ -13,24 +13,26 @@ new lambda.Function(stack, 'OneWeek', {
   handler: 'index.handler',
   runtime: STANDARD_NODEJS_RUNTIME,
   logRetention: logs.RetentionDays.ONE_WEEK,
+  logRemovalPolicy: cdk.RemovalPolicy.DESTROY,
 });
 
 new lambda.Function(stack, 'OneMonth', {
   code: new lambda.InlineCode('exports.handler = (event) => console.log(JSON.stringify(event));'),
   handler: 'index.handler',
   runtime: STANDARD_NODEJS_RUNTIME,
   logRetention: logs.RetentionDays.ONE_MONTH,
+  logRemovalPolicy: cdk.RemovalPolicy.DESTROY,
 });
 
 new lambda.Function(stack, 'OneYear', {
   code: new lambda.InlineCode('exports.handler = (event) => console.log(JSON.stringify(event));'),
   handler: 'index.handler',
   runtime: STANDARD_NODEJS_RUNTIME,
   logRetention: logs.RetentionDays.ONE_YEAR,
+  logRemovalPolicy: cdk.RemovalPolicy.DESTROY,
 });
 
 new IntegTest(app, 'LambdaLogRetentionInteg', {
   testCases: [stack],
   diffAssets: true,
 });
-app.synth();

packages/@aws-cdk-testing/framework-integ/test/aws-lambda/test/integ.log-retention.js.snapshot/aws-cdk-lambda-log-retention.template.json

@@ -281,6 +281,21 @@ const fn = new lambda.Function(this, 'MyFunctionWithFFTrue', {
 cdk.Tags.of(fn).add('env', 'dev'); // the tag is also added to the log group
 ```
 
+### Log removal policy
+
+When using the deprecated `logRetention` property for creating a LogGroup, you can configure log removal policy:
+```ts
+import * as logs from 'aws-cdk-lib/aws-logs';
+
+const fn = new lambda.Function(this, 'MyFunctionWithFFTrue', {
+  runtime: lambda.Runtime.NODEJS_LATEST,
+  handler: 'handler.main',
+  code: lambda.Code.fromAsset('lambda'),
+  logRetention: logs.RetentionDays.INFINITE,
+  logRemovalPolicy: RemovalPolicy.RETAIN,
+});
+```
+
 ## Resource-based Policies
 
 AWS Lambda supports resource-based policies for controlling access to Lambda

packages/@aws-cdk-testing/framework-integ/test/aws-lambda/test/integ.log-retention.js.snapshot/cdk.out

@@ -31,7 +31,7 @@ import * as sns from '../../aws-sns';
 import * as sqs from '../../aws-sqs';
 import {
   Annotations, ArnFormat, CfnResource, Duration, FeatureFlags, Fn, IAspect, Lazy,
-  Names, Size, Stack, Token,
+  Names, RemovalPolicy, Size, Stack, Token,
 } from '../../core';
 import { UnscopedValidationError, ValidationError } from '../../core/lib/errors';
 import { addConstructMetadata, MethodMetadata } from '../../core/lib/metadata-resource';
@@ -456,10 +456,24 @@ export interface FunctionOptions extends EventInvokeConfigOptions {
    * myLogGroup.logGroupName;
    * ```
    *
+   * @deprecated use `logGroup` instead
    * @default logs.RetentionDays.INFINITE
    */
   readonly logRetention?: logs.RetentionDays;
 
+  /**
+   * Determine the removal policy of the log group that is auto-created by this construct.
+   *
+   * Normally you want to retain the log group so you can diagnose issues
+   * from logs even after a deployment that no longer includes the log group.
+   * In that case, use the normal date-based retention policy to age out your
+   * logs.
+   *
+   * @deprecated use `logGroup` instead
+   * @default RemovalPolicy.Retain
+   */
+  readonly logRemovalPolicy?: RemovalPolicy;
+
   /**
    * The IAM role for the Lambda function associated with the custom resource
    * that sets the retention policy.
@@ -1120,6 +1134,14 @@ export class Function extends FunctionBase {
     }
 
     // Log retention
+    if (props.logRemovalPolicy) {
+      if (props.logGroup) {
+        throw new ValidationError('Cannot use `logRemovalPolicy` and `logGroup` together. Please set the removal policy on the logGroup directly', this);
+      } else if (FeatureFlags.of(this).isEnabled(USE_CDK_MANAGED_LAMBDA_LOGGROUP)) {
+        throw new ValidationError('Cannot use `logRemovalPolicy` and `@aws-cdk/aws-lambda:useCdkManagedLogGroup` flag together. Please set the removal policy on the automatically created log group directly', this);
+      }
+    }
+
     if (props.logRetention) {
       if (props.logGroup) {
         throw new ValidationError('CDK does not support setting logRetention and logGroup', this);
@@ -1129,6 +1151,7 @@ export class Function extends FunctionBase {
         retention: props.logRetention,
         role: props.logRetentionRole,
         logRetentionRetryOptions: props.logRetentionRetryOptions as logs.LogRetentionRetryOptions,
+        removalPolicy: props.logRemovalPolicy,
       });
       this._logGroup = logs.LogGroup.fromLogGroupArn(this, 'LogGroup', logRetention.logGroupArn);
       this._logRetention = logRetention;