aws · samson-keung · May 24, 2024 · May 24, 2024 · May 24, 2024 · May 25, 2024
diff --git a/packages/aws-cdk-lib/aws-s3/README.md b/packages/aws-cdk-lib/aws-s3/README.md
@@ -624,10 +624,16 @@ enable the`autoDeleteObjects` option.
 
 When `autoDeleteObjects` is enabled, `s3:PutBucketPolicy` is added to the bucket policy. This is done to allow the custom resource this feature is built on to add a deny policy for `s3:PutObject` to the bucket policy when a delete stack event occurs. Adding this deny policy prevents new objects from being written to the bucket. Doing this prevents race conditions with external bucket writers during the deletion process.
 
+Pass a custom log group via the `autoDeleteObjectsLogGroup` option, which will be used by the custom resource lambda.
+
 ```ts
 const bucket = new s3.Bucket(this, 'MyTempFileBucket', {
   removalPolicy: cdk.RemovalPolicy.DESTROY,
   autoDeleteObjects: true,
+  autoDeleteObjectsLogGroup: new LogGroup(stack, 'LogGroup', {
+    logGroupName: 'MyLogGroup',
+    retention: RetentionDays.TWO_YEARS
+  })
 });
 ```
 

diff --git a/packages/aws-cdk-lib/aws-s3/lib/bucket.ts b/packages/aws-cdk-lib/aws-s3/lib/bucket.ts
@@ -10,6 +10,7 @@ import { parseBucketArn, parseBucketName } from './util';
 import * as events from '../../aws-events';
 import * as iam from '../../aws-iam';
 import * as kms from '../../aws-kms';
+import * as logs from '../../aws-logs/index';
 import {
   CustomResource,
   Duration,
@@ -1464,6 +1465,8 @@ export interface BucketProps {
    * Whether all objects should be automatically deleted when the bucket is
    * removed from the stack or when the stack is deleted.
    *
+   * A custom resource will be created when set to `true`.
+   *
    * Requires the `removalPolicy` to be set to `RemovalPolicy.DESTROY`.
    *
    * **Warning** if you have deployed a bucket with `autoDeleteObjects: true`,
@@ -1480,6 +1483,16 @@ export interface BucketProps {
    */
   readonly autoDeleteObjects?: boolean;
 
+  /**
+   * The log group to use for the custom resource lambda backing the `autoDeleteObjects` feature
+   *
+   * When `autoDeleteObjects` is set to true, a customer resource backed by a Lambda function
+   * is created. The lambda will use the log group passed in to this prop if defined.
+   *
+   * @default the default log group created by Lambda
+   */
+  readonly autoDeleteObjectsLogGroup?: logs.ILogGroup;
+
   /**
    * Whether this bucket should have versioning turned on or not.
    *
@@ -2008,7 +2021,7 @@ export class Bucket extends BucketBase {
         throw new Error('Cannot use \'autoDeleteObjects\' property on a bucket without setting removal policy to \'DESTROY\'.');
       }
 
-      this.enableAutoDeleteObjects();
+      this.enableAutoDeleteObjects(props.autoDeleteObjectsLogGroup);
     }
 
     if (this.eventBridgeEnabled) {
@@ -2541,10 +2554,11 @@ export class Bucket extends BucketBase {
     });
   }
 
-  private enableAutoDeleteObjects() {
+  private enableAutoDeleteObjects(logGroup?: logs.ILogGroup) {
     const provider = AutoDeleteObjectsProvider.getOrCreateProvider(this, AUTO_DELETE_OBJECTS_RESOURCE_TYPE, {
       useCfnResponseWrapper: false,
       description: `Lambda function for auto-deleting objects in ${this.bucketName} S3 bucket.`,
+      logGroupName: logGroup?.logGroupName,
     });
 
     // Use a bucket policy to allow the custom resource to delete

diff --git a/packages/aws-cdk-lib/aws-s3/test/bucket.test.ts b/packages/aws-cdk-lib/aws-s3/test/bucket.test.ts
@@ -3,6 +3,7 @@ import { testDeprecated } from '@aws-cdk/cdk-build-tools';
 import { Annotations, Match, Template } from '../../assertions';
 import * as iam from '../../aws-iam';
 import * as kms from '../../aws-kms';
+import { LogGroup } from '../../aws-logs';
 import * as cdk from '../../core';
 import * as s3 from '../lib';
 
@@ -3463,6 +3464,26 @@ describe('bucket', () => {
     Template.fromStack(stack).resourceCountIs('AWS::Lambda::Function', 1);
   });
 
+  test('with autoDeleteObjectsLogGroup', () => {
+    const stack = new cdk.Stack();
+
+    new s3.Bucket(stack, 'MyBucket', {
+      removalPolicy: cdk.RemovalPolicy.DESTROY,
+      autoDeleteObjects: true,
+      autoDeleteObjectsLogGroup: new LogGroup(stack, 'LogGroup1', {
+        logGroupName: 'MyLogGroup',
+      }),
+    });
+
+    Template.fromStack(stack).hasResourceProperties('AWS::Lambda::Function', {
+      LoggingConfig: {
+        LogGroup: {
+          'Ref': 'LogGroup106AAD846',
+        },
+      },
+    });
+  });
+
   test('autoDeleteObjects throws if RemovalPolicy is not DESTROY', () => {
     const stack = new cdk.Stack();
 

@@ -140,6 +140,7 @@ export abstract class CustomResourceProviderBase extends Construct {
         Runtime: props.runtimeName,
         Environment: this.renderEnvironmentVariables(props.environment),
         Description: props.description ?? undefined,
+        LoggingConfig: props.logGroupName ? { LogGroup: props.logGroupName } : undefined,
       },
     });
 

@@ -69,4 +69,11 @@ export interface CustomResourceProviderOptions {
    * @default - No description.
    */
   readonly description?: string;
+
+  /**
+   * Name of the Cloudwatch log group to be used by the provider AWS Lambda function.
+   *
+   * @default - a default log group created by AWS Lambda.
+   */
+  readonly logGroupName?: string;
 }
@@ -391,7 +391,7 @@ describe('custom resource provider', () => {
     }]);
   });
 
-  test('memorySize, timeout and description', () => {
+  test('memorySize, timeout, description and logGroupName', () => {
     // GIVEN
     const stack = new Stack();
 
@@ -402,6 +402,7 @@ describe('custom resource provider', () => {
       memorySize: Size.gibibytes(2),
       timeout: Duration.minutes(5),
       description: 'veni vidi vici',
+      logGroupName: 'some log group name',
     });
 
     // THEN
@@ -410,7 +411,7 @@ describe('custom resource provider', () => {
     expect(lambda.Properties.MemorySize).toEqual(2048);
     expect(lambda.Properties.Timeout).toEqual(300);
     expect(lambda.Properties.Description).toEqual('veni vidi vici');
-
+    expect(lambda.Properties.LoggingConfig).toEqual({ LogGroup: 'some log group name' });
   });
 
   test('environment variables', () => {