
Commit 993ee48

fix(firehose): remove unused role during DeliveryStream creation (#26930)
When a DeliveryStream is created without `sourceStream` or `encryptionKey`, an extra, unused role is created. This PR removes the creation of that role. I also learned that the role created for `encryptionKey` is used "indirectly" for a grant put on the KMS key...interesting. Closes #26927. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
1 parent e628e6e commit 993ee48

21 files changed

+519
-397
lines changed

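--- a/packages/@aws-cdk/aws-iot-actions-alpha/test/kinesis-firehose/integ.firehose-put-record-action.js.snapshot/manifest.json
+++ b/packages/@aws-cdk/aws-iot-actions-alpha/test/kinesis-firehose/integ.firehose-put-record-action.js.snapshot/manifest.json
@@ -17,7 +17,7 @@
 "validateOnSynth": false,
 "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}",
 "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}",
-"stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/cf636658ec15133bceba498f25c92e3b2a42f090f11883a69d8fd68b873600a1.json",
+"stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/f75ab8f9b4f9b4569a43902e069684cc217226d66b42e025930c87f6f6dd1cb4.json",
 "requiresBootstrapStackVersion": 6,
 "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version",
 "additionalDependencies": [
@@ -57,12 +57,6 @@
 "data": "MyBucketF68F3FF0"
 }
 ],
-"/test-stack/MyStream/Service Role/Resource": [
-{
-"type": "aws:cdk:logicalId",
-"data": "MyStreamServiceRole8C50608A"
-}
-],
 "/test-stack/MyStream/S3 Destination Role/Resource": [
 {
 "type": "aws:cdk:logicalId",
@@ -110,6 +104,15 @@
 "type": "aws:cdk:logicalId",
 "data": "CheckBootstrapVersion"
 }
+],
+"MyStreamServiceRole8C50608A": [
+{
+"type": "aws:cdk:logicalId",
+"data": "MyStreamServiceRole8C50608A",
+"trace": [
+"!!DESTRUCTIVE_CHANGES: WILL_DESTROY"
+]
+}
 ]
 },
 "displayName": "test-stack"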

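--- a/packages/@aws-cdk/aws-iot-actions-alpha/test/kinesis-firehose/integ.firehose-put-record-action.js.snapshot/test-stack.assets.json
+++ b/packages/@aws-cdk/aws-iot-actions-alpha/test/kinesis-firehose/integ.firehose-put-record-action.js.snapshot/test-stack.assets.json
@@ -1,15 +1,15 @@
 {
 "version": "34.0.0",
 "files": {
-"cf636658ec15133bceba498f25c92e3b2a42f090f11883a69d8fd68b873600a1": {
+"f75ab8f9b4f9b4569a43902e069684cc217226d66b42e025930c87f6f6dd1cb4": {
 "source": {
 "path": "test-stack.template.json",
 "packaging": "file"
 },
 "destinations": {
 "current_account-current_region": {
 "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
-"objectKey": "cf636658ec15133bceba498f25c92e3b2a42f090f11883a69d8fd68b873600a1.json",
+"objectKey": "f75ab8f9b4f9b4569a43902e069684cc217226d66b42e025930c87f6f6dd1cb4.json",
 "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
 }
 }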

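--- a/packages/@aws-cdk/aws-iot-actions-alpha/test/kinesis-firehose/integ.firehose-put-record-action.js.snapshot/test-stack.template.json
+++ b/packages/@aws-cdk/aws-iot-actions-alpha/test/kinesis-firehose/integ.firehose-put-record-action.js.snapshot/test-stack.template.json
@@ -77,23 +77,6 @@
 "UpdateReplacePolicy": "Delete",
 "DeletionPolicy": "Delete"
 },
-"MyStreamServiceRole8C50608A": {
-"Type": "AWS::IAM::Role",
-"Properties": {
-"AssumeRolePolicyDocument": {
-"Statement": [
-{
-"Action": "sts:AssumeRole",
-"Effect": "Allow",
-"Principal": {
-"Service": "firehose.amazonaws.com"
-}
-}
-],
-"Version": "2012-10-17"
-}
-}
-},
 "MyStreamS3DestinationRole5E0BA960": {
 "Type": "AWS::IAM::Role",
 "Properties": {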

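--- a/packages/@aws-cdk/aws-iot-actions-alpha/test/kinesis-firehose/integ.firehose-put-record-action.js.snapshot/tree.json
+++ b/packages/@aws-cdk/aws-iot-actions-alpha/test/kinesis-firehose/integ.firehose-put-record-action.js.snapshot/tree.json
@@ -42,8 +42,8 @@
 }
 },
 "constructInfo": {
-"fqn": "aws-cdk-lib.aws_iot.CfnTopicRule",
-"version": "0.0.0"
+"fqn": "constructs.Construct",
+"version": "10.2.70"
 }
 },
 "TopicRuleActionRole": {
@@ -54,8 +54,8 @@
 "id": "ImportTopicRuleActionRole",
 "path": "test-stack/TopicRule/TopicRuleActionRole/ImportTopicRuleActionRole",
 "constructInfo": {
-"fqn": "aws-cdk-lib.Resource",
-"version": "0.0.0"
+"fqn": "constructs.Construct",
+"version": "10.2.70"
 }
 },
 "Resource": {
@@ -79,8 +79,8 @@
 }
 },
 "constructInfo": {
-"fqn": "aws-cdk-lib.aws_iam.CfnRole",
-"version": "0.0.0"
+"fqn": "constructs.Construct",
+"version": "10.2.70"
 }
 },
 "DefaultPolicy": {
@@ -120,20 +120,20 @@
 }
 },
 "constructInfo": {
-"fqn": "aws-cdk-lib.aws_iam.CfnPolicy",
-"version": "0.0.0"
+"fqn": "constructs.Construct",
+"version": "10.2.70"
 }
 }
 },
 "constructInfo": {
-"fqn": "aws-cdk-lib.aws_iam.Policy",
-"version": "0.0.0"
+"fqn": "constructs.Construct",
+"version": "10.2.70"
 }
 }
 },
 "constructInfo": {
-"fqn": "aws-cdk-lib.aws_iam.Role",
-"version": "0.0.0"
+"fqn": "constructs.Construct",
+"version": "10.2.70"
 }
 }
 },
@@ -154,63 +154,20 @@
 "aws:cdk:cloudformation:props": {}
 },
 "constructInfo": {
-"fqn": "aws-cdk-lib.aws_s3.CfnBucket",
-"version": "0.0.0"
+"fqn": "constructs.Construct",
+"version": "10.2.70"
 }
 }
 },
 "constructInfo": {
-"fqn": "aws-cdk-lib.aws_s3.Bucket",
-"version": "0.0.0"
+"fqn": "constructs.Construct",
+"version": "10.2.70"
 }
 },
 "MyStream": {
 "id": "MyStream",
 "path": "test-stack/MyStream",
 "children": {
-"Service Role": {
-"id": "Service Role",
-"path": "test-stack/MyStream/Service Role",
-"children": {
-"ImportService Role": {
-"id": "ImportService Role",
-"path": "test-stack/MyStream/Service Role/ImportService Role",
-"constructInfo": {
-"fqn": "aws-cdk-lib.Resource",
-"version": "0.0.0"
-}
-},
-"Resource": {
-"id": "Resource",
-"path": "test-stack/MyStream/Service Role/Resource",
-"attributes": {
-"aws:cdk:cloudformation:type": "AWS::IAM::Role",
-"aws:cdk:cloudformation:props": {
-"assumeRolePolicyDocument": {
-"Statement": [
-{
-"Action": "sts:AssumeRole",
-"Effect": "Allow",
-"Principal": {
-"Service": "firehose.amazonaws.com"
-}
-}
-],
-"Version": "2012-10-17"
-}
-}
-},
-"constructInfo": {
-"fqn": "aws-cdk-lib.aws_iam.CfnRole",
-"version": "0.0.0"
-}
-}
-},
-"constructInfo": {
-"fqn": "aws-cdk-lib.aws_iam.Role",
-"version": "0.0.0"
-}
-},
 "S3 Destination Role": {
 "id": "S3 Destination Role",
 "path": "test-stack/MyStream/S3 Destination Role",
@@ -219,8 +176,8 @@
 "id": "ImportS3 Destination Role",
 "path": "test-stack/MyStream/S3 Destination Role/ImportS3 Destination Role",
 "constructInfo": {
-"fqn": "aws-cdk-lib.Resource",
-"version": "0.0.0"
+"fqn": "constructs.Construct",
+"version": "10.2.70"
 }
 },
 "Resource": {
@@ -244,8 +201,8 @@
 }
 },
 "constructInfo": {
-"fqn": "aws-cdk-lib.aws_iam.CfnRole",
-"version": "0.0.0"
+"fqn": "constructs.Construct",
+"version": "10.2.70"
 }
 },
 "DefaultPolicy": {
@@ -322,20 +279,20 @@
 }
 },
 "constructInfo": {
-"fqn": "aws-cdk-lib.aws_iam.CfnPolicy",
-"version": "0.0.0"
+"fqn": "constructs.Construct",
+"version": "10.2.70"
 }
 }
 },
 "constructInfo": {
-"fqn": "aws-cdk-lib.aws_iam.Policy",
-"version": "0.0.0"
+"fqn": "constructs.Construct",
+"version": "10.2.70"
 }
 }
 },
 "constructInfo": {
-"fqn": "aws-cdk-lib.aws_iam.Role",
-"version": "0.0.0"
+"fqn": "constructs.Construct",
+"version": "10.2.70"
 }
 },
 "LogGroup": {
@@ -352,8 +309,8 @@
 }
 },
 "constructInfo": {
-"fqn": "aws-cdk-lib.aws_logs.CfnLogGroup",
-"version": "0.0.0"
+"fqn": "constructs.Construct",
+"version": "10.2.70"
 }
 },
 "S3Destination": {
@@ -372,20 +329,20 @@
 }
 },
 "constructInfo": {
-"fqn": "aws-cdk-lib.aws_logs.CfnLogStream",
-"version": "0.0.0"
+"fqn": "constructs.Construct",
+"version": "10.2.70"
 }
 }
 },
 "constructInfo": {
-"fqn": "aws-cdk-lib.aws_logs.LogStream",
-"version": "0.0.0"
+"fqn": "constructs.Construct",
+"version": "10.2.70"
 }
 }
 },
 "constructInfo": {
-"fqn": "aws-cdk-lib.aws_logs.LogGroup",
-"version": "0.0.0"
+"fqn": "constructs.Construct",
+"version": "10.2.70"
 }
 },
 "Resource": {
@@ -421,58 +378,58 @@
 }
 },
 "constructInfo": {
-"fqn": "aws-cdk-lib.aws_kinesisfirehose.CfnDeliveryStream",
-"version": "0.0.0"
+"fqn": "constructs.Construct",
+"version": "10.2.70"
 }
 }
 },
 "constructInfo": {
-"fqn": "@aws-cdk/aws-kinesisfirehose-alpha.DeliveryStream",
-"version": "0.0.0"
+"fqn": "constructs.Construct",
+"version": "10.2.70"
 }
 },
 "@aws-cdk--aws-kinesisfirehose.CidrBlocks": {
 "id": "@aws-cdk--aws-kinesisfirehose.CidrBlocks",
 "path": "test-stack/@aws-cdk--aws-kinesisfirehose.CidrBlocks",
 "constructInfo": {
-"fqn": "aws-cdk-lib.CfnMapping",
-"version": "0.0.0"
+"fqn": "constructs.Construct",
+"version": "10.2.70"
 }
 },
 "BootstrapVersion": {
 "id": "BootstrapVersion",
 "path": "test-stack/BootstrapVersion",
 "constructInfo": {
-"fqn": "aws-cdk-lib.CfnParameter",
-"version": "0.0.0"
+"fqn": "constructs.Construct",
+"version": "10.2.70"
 }
 },
 "CheckBootstrapVersion": {
 "id": "CheckBootstrapVersion",
 "path": "test-stack/CheckBootstrapVersion",
 "constructInfo": {
-"fqn": "aws-cdk-lib.CfnRule",
-"version": "0.0.0"
+"fqn": "constructs.Construct",
+"version": "10.2.70"
 }
 }
 },
 "constructInfo": {
-"fqn": "aws-cdk-lib.Stack",
-"version": "0.0.0"
+"fqn": "constructs.Construct",
+"version": "10.2.70"
 }
 },
 "Tree": {
 "id": "Tree",
 "path": "Tree",
 "constructInfo": {
 "fqn": "constructs.Construct",
-"version": "10.2.69"
+"version": "10.2.70"
 }
 }
 },
 "constructInfo": {
-"fqn": "aws-cdk-lib.App",
-"version": "0.0.0"
+"fqn": "constructs.Construct",
+"version": "10.2.70"
 }
 }
 }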

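--- a/packages/@aws-cdk/aws-kinesisfirehose-alpha/README.md
+++ b/packages/@aws-cdk/aws-kinesisfirehose-alpha/README.md
@@ -430,13 +430,15 @@ The DeliveryStream class automatically creates IAM service roles with all the mi
 necessary permissions for Kinesis Data Firehose to access the resources referenced by your
 delivery stream. One service role is created for the delivery stream that allows Kinesis
 Data Firehose to read from a Kinesis data stream (if one is configured as the delivery
-stream source) and for server-side encryption. Another service role is created for each
-destination, which gives Kinesis Data Firehose write access to the destination resource,
-as well as the ability to invoke data transformers and read schemas for record format
-conversion. If you wish, you may specify your own IAM role for either the delivery stream
-or the destination service role, or both. It must have the correct trust policy (it must
-allow Kinesis Data Firehose to assume it) or delivery stream creation or data delivery
-will fail. Other required permissions to destination resources, encryption keys, etc.,
+stream source) and for server-side encryption. Note that if the DeliveryStream is created
+without specifying `sourceStream` or `encryptionKey`, this role is not created as it is not needed.
+
+Another service role is created for each destination, which gives Kinesis Data Firehose write
+access to the destination resource, as well as the ability to invoke data transformers and
+read schemas for record format conversion. If you wish, you may specify your own IAM role for
+either the delivery stream or the destination service role, or both. It must have the correct
+trust policy (it must allow Kinesis Data Firehose to assume it) or delivery stream creation or
+data delivery will fail. Other required permissions to destination resources, encryption keys, etc.,
 will be provided automatically.
 
 ```ts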
