feat(aws-s3-notifications): add option to skip permissions for LambdaDestination

Closes #34747

Author: dirkluijk

packages/aws-cdk-lib/aws-s3-notifications/README.md

@@ -44,3 +44,9 @@ const fn = new lambda.Function(this, 'MyFunction', {
 
 bucket.addEventNotification(s3.EventType.OBJECT_CREATED, new s3n.LambdaDestination(fn));
 ```
+
+You can also skip the creation of arranging permissions:
+
+```ts
+new s3n.LambdaDestination(fn, { addPermissions: false });
+```

packages/aws-cdk-lib/aws-s3-notifications/lib/lambda.ts

@@ -5,11 +5,21 @@ import * as s3 from '../../aws-s3';
 import { CfnResource, Names, Stack } from '../../core';
 import { ValidationError } from '../../core/lib/errors';
 
+/**
+ * Options that may be provided to LambdaDestination
+ */
+export interface LambdaDestinationOptions {
+  /** Whether or not to add Lambda Permissions.
+   * @default true
+   */
+  readonly addPermissions?: boolean;
+}
+
 /**
  * Use a Lambda function as a bucket notification destination
  */
 export class LambdaDestination implements s3.IBucketNotificationDestination {
-  constructor(private readonly fn: lambda.IFunction) {
+  constructor(private readonly fn: lambda.IFunction, private readonly options: LambdaDestinationOptions = {}) {
   }
 
   public bind(scope: Construct, bucket: s3.IBucket): s3.BucketNotificationDestinationConfig {
@@ -20,7 +30,7 @@ export class LambdaDestination implements s3.IBucketNotificationDestination {
         bucket construct (Bucket ${bucket.bucketName})`, scope);
     }
 
-    if (bucket.node.tryFindChild(permissionId) === undefined) {
+    if (this.options.addPermissions !== false && bucket.node.tryFindChild(permissionId) === undefined) {
       this.fn.addPermission(permissionId, {
         sourceAccount: Stack.of(bucket).account,
         principal: new iam.ServicePrincipal('s3.amazonaws.com'),

packages/aws-cdk-lib/aws-s3-notifications/test/lambda/lambda.test.ts

@@ -222,3 +222,20 @@ test('add multiple event notifications using a singleton function', () => {
     }),
   });
 });
+
+test('lambda permissions are not added when addPermissions is false', () => {
+  const stack = new Stack();
+  const bucket = new s3.Bucket(stack, 'MyBucket');
+  const fn = new lambda.Function(stack, 'MyFunction1', {
+    runtime: lambda.Runtime.NODEJS_LATEST,
+    handler: 'index.handler',
+    code: lambda.Code.fromInline('foo'),
+  });
+
+  const lambdaDestination = new s3n.LambdaDestination(fn, { addPermissions: false });
+
+  bucket.addEventNotification(s3.EventType.OBJECT_CREATED, lambdaDestination, { prefix: 'v1/' });
+
+  // expecting one permission for each function
+  Template.fromStack(stack).resourceCountIs('AWS::Lambda::Permission', 0);
+});