fix(kinesis): read permissions for stream do not include `kinesis:Des…

…cribeStreamConsumer` (#22794) reopen [22727](#22727) Grant Read(Write) Permission Action "kinesis:DescribeStreamConsumer" It appears that the following actions had already been added "kinesis:SubscribeToShard", ref. https://docs.aws.amazon.com/streams/latest/dev/tutorial-stock-data-kplkcl2-iam.html Fixes #22184 ---- ### All Submissions: * [x] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) ### Adding new Unconventional Dependencies: * [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-new-unconventional-dependencies) ### New Features * [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)? * [ ] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)? *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
aws · Nov 25, 2022 · e53352d · e53352d
1 parent d13b64a
commit e53352d
Show file tree

Hide file tree

Showing 32 changed files with 246 additions and 133 deletions.
diff --git a/packages/@aws-cdk/aws-kinesis/lib/stream.ts b/packages/@aws-cdk/aws-kinesis/lib/stream.ts
@@ -14,6 +14,7 @@ const READ_OPERATIONS = [
   'kinesis:SubscribeToShard',
   'kinesis:DescribeStream',
   'kinesis:ListStreams',
+  'kinesis:DescribeStreamConsumer',
 ];
 
 const WRITE_OPERATIONS = [

diff --git a/packages/@aws-cdk/aws-kinesis/test/integ.stream.js.snapshot/cdk.out b/packages/@aws-cdk/aws-kinesis/test/integ.stream.js.snapshot/cdk.out
@@ -1 +1 @@
-{"version":"20.0.0"}
+{"version":"21.0.0"}
diff --git a/packages/@aws-cdk/aws-kinesis/test/integ.stream.js.snapshot/integ-kinesis-stream.assets.json b/packages/@aws-cdk/aws-kinesis/test/integ.stream.js.snapshot/integ-kinesis-stream.assets.json
@@ -1,15 +1,15 @@
 {
-  "version": "20.0.0",
+  "version": "21.0.0",
   "files": {
-    "3ad098f5c98b05c98dae3ab17e026e847d893a37bfb1b6f11947f8bcd4d590f1": {
+    "7e1b7553b1023955c746737c40526eec80647a61c7c3d6e5b414a50d72ef99f5": {
       "source": {
         "path": "integ-kinesis-stream.template.json",
         "packaging": "file"
       },
       "destinations": {
         "current_account-current_region": {
           "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
-          "objectKey": "3ad098f5c98b05c98dae3ab17e026e847d893a37bfb1b6f11947f8bcd4d590f1.json",
+          "objectKey": "7e1b7553b1023955c746737c40526eec80647a61c7c3d6e5b414a50d72ef99f5.json",
           "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
         }
       }

diff --git a/...ges/@aws-cdk/aws-kinesis/test/integ.stream.js.snapshot/integ-kinesis-stream.template.json b/...ges/@aws-cdk/aws-kinesis/test/integ.stream.js.snapshot/integ-kinesis-stream.template.json
@@ -40,6 +40,7 @@
       {
        "Action": [
         "kinesis:DescribeStream",
+        "kinesis:DescribeStreamConsumer",
         "kinesis:DescribeStreamSummary",
         "kinesis:GetRecords",
         "kinesis:GetShardIterator",

diff --git a/packages/@aws-cdk/aws-kinesis/test/integ.stream.js.snapshot/integ.json b/packages/@aws-cdk/aws-kinesis/test/integ.stream.js.snapshot/integ.json
@@ -1,5 +1,5 @@
 {
-  "version": "20.0.0",
+  "version": "21.0.0",
   "testCases": {
     "integ.stream": {
       "stacks": [

diff --git a/packages/@aws-cdk/aws-kinesis/test/integ.stream.js.snapshot/manifest.json b/packages/@aws-cdk/aws-kinesis/test/integ.stream.js.snapshot/manifest.json
@@ -1,12 +1,6 @@
 {
-  "version": "20.0.0",
+  "version": "21.0.0",
   "artifacts": {
-    "Tree": {
-      "type": "cdk:tree",
-      "properties": {
-        "file": "tree.json"
-      }
-    },
     "integ-kinesis-stream.assets": {
       "type": "cdk:asset-manifest",
       "properties": {
@@ -23,7 +17,7 @@
         "validateOnSynth": false,
         "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}",
         "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}",
-        "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/3ad098f5c98b05c98dae3ab17e026e847d893a37bfb1b6f11947f8bcd4d590f1.json",
+        "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/7e1b7553b1023955c746737c40526eec80647a61c7c3d6e5b414a50d72ef99f5.json",
         "requiresBootstrapStackVersion": 6,
         "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version",
         "additionalDependencies": [
@@ -77,6 +71,12 @@
         ]
       },
       "displayName": "integ-kinesis-stream"
+    },
+    "Tree": {
+      "type": "cdk:tree",
+      "properties": {
+        "file": "tree.json"
+      }
     }
   }
 }
diff --git a/packages/@aws-cdk/aws-kinesis/test/integ.stream.js.snapshot/tree.json b/packages/@aws-cdk/aws-kinesis/test/integ.stream.js.snapshot/tree.json
@@ -4,14 +4,6 @@
     "id": "App",
     "path": "",
     "children": {
-      "Tree": {
-        "id": "Tree",
-        "path": "Tree",
-        "constructInfo": {
-          "fqn": "constructs.Construct",
-          "version": "10.1.85"
-        }
-      },
       "integ-kinesis-stream": {
         "id": "integ-kinesis-stream",
         "path": "integ-kinesis-stream",
@@ -75,6 +67,7 @@
                             {
                               "Action": [
                                 "kinesis:DescribeStream",
+                                "kinesis:DescribeStreamConsumer",
                                 "kinesis:DescribeStreamSummary",
                                 "kinesis:GetRecords",
                                 "kinesis:GetShardIterator",
@@ -164,20 +157,44 @@
             "id": "AwsCdkKinesisEncryptedStreamsUnsupportedRegions",
             "path": "integ-kinesis-stream/AwsCdkKinesisEncryptedStreamsUnsupportedRegions",
             "constructInfo": {
-              "fqn": "constructs.Construct",
-              "version": "10.1.85"
+              "fqn": "@aws-cdk/core.CfnCondition",
+              "version": "0.0.0"
+            }
+          },
+          "BootstrapVersion": {
+            "id": "BootstrapVersion",
+            "path": "integ-kinesis-stream/BootstrapVersion",
+            "constructInfo": {
+              "fqn": "@aws-cdk/core.CfnParameter",
+              "version": "0.0.0"
+            }
+          },
+          "CheckBootstrapVersion": {
+            "id": "CheckBootstrapVersion",
+            "path": "integ-kinesis-stream/CheckBootstrapVersion",
+            "constructInfo": {
+              "fqn": "@aws-cdk/core.CfnRule",
+              "version": "0.0.0"
             }
           }
         },
+        "constructInfo": {
+          "fqn": "@aws-cdk/core.Stack",
+          "version": "0.0.0"
+        }
+      },
+      "Tree": {
+        "id": "Tree",
+        "path": "Tree",
         "constructInfo": {
           "fqn": "constructs.Construct",
-          "version": "10.1.85"
+          "version": "10.1.140"
         }
       }
     },
     "constructInfo": {
-      "fqn": "constructs.Construct",
-      "version": "10.1.85"
+      "fqn": "@aws-cdk/core.App",
+      "version": "0.0.0"
     }
   }
 }
diff --git a/packages/@aws-cdk/aws-kinesis/test/stream.test.ts b/packages/@aws-cdk/aws-kinesis/test/stream.test.ts
@@ -603,6 +603,7 @@ describe('Kinesis data streams', () => {
                     'kinesis:SubscribeToShard',
                     'kinesis:DescribeStream',
                     'kinesis:ListStreams',
+                    'kinesis:DescribeStreamConsumer',
                   ],
                   Effect: 'Allow',
                   Resource: {
@@ -775,6 +776,7 @@ describe('Kinesis data streams', () => {
                     'kinesis:SubscribeToShard',
                     'kinesis:DescribeStream',
                     'kinesis:ListStreams',
+                    'kinesis:DescribeStreamConsumer',
                     'kinesis:PutRecord',
                     'kinesis:PutRecords',
                   ],

diff --git a/...ream.source-stream.js.snapshot/aws-cdk-firehose-delivery-stream-source-stream.assets.json b/...ream.source-stream.js.snapshot/aws-cdk-firehose-delivery-stream-source-stream.assets.json
@@ -1,15 +1,15 @@
 {
   "version": "21.0.0",
   "files": {
-    "a29f224cc0c6a912790804d03fd575433b70747d51ecaee20fdca915ad05b006": {
+    "2f4e60312984ef4ca44937d8f3e578fa321f70ee8539a44440450bb169a0cadb": {
       "source": {
         "path": "aws-cdk-firehose-delivery-stream-source-stream.template.json",
         "packaging": "file"
       },
       "destinations": {
         "current_account-current_region": {
           "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
-          "objectKey": "a29f224cc0c6a912790804d03fd575433b70747d51ecaee20fdca915ad05b006.json",
+          "objectKey": "2f4e60312984ef4ca44937d8f3e578fa321f70ee8539a44440450bb169a0cadb.json",
           "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
         }
       }

diff --git a/...am.source-stream.js.snapshot/aws-cdk-firehose-delivery-stream-source-stream.template.json b/...am.source-stream.js.snapshot/aws-cdk-firehose-delivery-stream-source-stream.template.json
@@ -122,6 +122,7 @@
       {
        "Action": [
         "kinesis:DescribeStream",
+        "kinesis:DescribeStreamConsumer",
         "kinesis:DescribeStreamSummary",
         "kinesis:GetRecords",
         "kinesis:GetShardIterator",

diff --git a/...dk/aws-kinesisfirehose/test/integ.delivery-stream.source-stream.js.snapshot/manifest.json b/...dk/aws-kinesisfirehose/test/integ.delivery-stream.source-stream.js.snapshot/manifest.json
@@ -1,12 +1,6 @@
 {
   "version": "21.0.0",
   "artifacts": {
-    "Tree": {
-      "type": "cdk:tree",
-      "properties": {
-        "file": "tree.json"
-      }
-    },
     "aws-cdk-firehose-delivery-stream-source-stream.assets": {
       "type": "cdk:asset-manifest",
       "properties": {
@@ -23,7 +17,7 @@
         "validateOnSynth": false,
         "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}",
         "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}",
-        "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/a29f224cc0c6a912790804d03fd575433b70747d51ecaee20fdca915ad05b006.json",
+        "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/2f4e60312984ef4ca44937d8f3e578fa321f70ee8539a44440450bb169a0cadb.json",
         "requiresBootstrapStackVersion": 6,
         "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version",
         "additionalDependencies": [
@@ -107,6 +101,12 @@
         ]
       },
       "displayName": "aws-cdk-firehose-delivery-stream-source-stream"
+    },
+    "Tree": {
+      "type": "cdk:tree",
+      "properties": {
+        "file": "tree.json"
+      }
     }
   }
 }
diff --git a/...ws-cdk/aws-kinesisfirehose/test/integ.delivery-stream.source-stream.js.snapshot/tree.json b/...ws-cdk/aws-kinesisfirehose/test/integ.delivery-stream.source-stream.js.snapshot/tree.json
@@ -4,14 +4,6 @@
     "id": "App",
     "path": "",
     "children": {
-      "Tree": {
-        "id": "Tree",
-        "path": "Tree",
-        "constructInfo": {
-          "fqn": "constructs.Construct",
-          "version": "10.1.129"
-        }
-      },
       "aws-cdk-firehose-delivery-stream-source-stream": {
         "id": "aws-cdk-firehose-delivery-stream-source-stream",
         "path": "aws-cdk-firehose-delivery-stream-source-stream",
@@ -240,6 +232,7 @@
                                 {
                                   "Action": [
                                     "kinesis:DescribeStream",
+                                    "kinesis:DescribeStreamConsumer",
                                     "kinesis:DescribeStreamSummary",
                                     "kinesis:GetRecords",
                                     "kinesis:GetShardIterator",
@@ -338,12 +331,36 @@
               "fqn": "@aws-cdk/core.CfnMapping",
               "version": "0.0.0"
             }
+          },
+          "BootstrapVersion": {
+            "id": "BootstrapVersion",
+            "path": "aws-cdk-firehose-delivery-stream-source-stream/BootstrapVersion",
+            "constructInfo": {
+              "fqn": "@aws-cdk/core.CfnParameter",
+              "version": "0.0.0"
+            }
+          },
+          "CheckBootstrapVersion": {
+            "id": "CheckBootstrapVersion",
+            "path": "aws-cdk-firehose-delivery-stream-source-stream/CheckBootstrapVersion",
+            "constructInfo": {
+              "fqn": "@aws-cdk/core.CfnRule",
+              "version": "0.0.0"
+            }
           }
         },
         "constructInfo": {
           "fqn": "@aws-cdk/core.Stack",
           "version": "0.0.0"
         }
+      },
+      "Tree": {
+        "id": "Tree",
+        "path": "Tree",
+        "constructInfo": {
+          "fqn": "constructs.Construct",
+          "version": "10.1.140"
+        }
       }
     },
     "constructInfo": {

diff --git a/...g.kinesis-at-timestamp.js.snapshot/AtTimestampDefaultTestDeployAssert8000E9DC.assets.json b/...g.kinesis-at-timestamp.js.snapshot/AtTimestampDefaultTestDeployAssert8000E9DC.assets.json
@@ -1,5 +1,5 @@
 {
-  "version": "20.0.0",
+  "version": "21.0.0",
   "files": {
     "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22": {
       "source": {

diff --git a/...ges/@aws-cdk/aws-lambda-event-sources/test/integ.kinesis-at-timestamp.js.snapshot/cdk.out b/...ges/@aws-cdk/aws-lambda-event-sources/test/integ.kinesis-at-timestamp.js.snapshot/cdk.out
@@ -1 +1 @@
-{"version":"20.0.0"}
+{"version":"21.0.0"}
diff --git a/.../@aws-cdk/aws-lambda-event-sources/test/integ.kinesis-at-timestamp.js.snapshot/integ.json b/.../@aws-cdk/aws-lambda-event-sources/test/integ.kinesis-at-timestamp.js.snapshot/integ.json
@@ -1,11 +1,12 @@
 {
-  "version": "20.0.0",
+  "version": "21.0.0",
   "testCases": {
     "AtTimestamp/DefaultTest": {
       "stacks": [
         "lambda-event-source-kinesis-at-timestamp"
       ],
-      "assertionStack": "AtTimestamp/DefaultTest/DeployAssert"
+      "assertionStack": "AtTimestamp/DefaultTest/DeployAssert",
+      "assertionStackName": "AtTimestampDefaultTestDeployAssert8000E9DC"
     }
   }
 }
diff --git a/...teg.kinesis-at-timestamp.js.snapshot/lambda-event-source-kinesis-at-timestamp.assets.json b/...teg.kinesis-at-timestamp.js.snapshot/lambda-event-source-kinesis-at-timestamp.assets.json
@@ -1,15 +1,15 @@
 {
-  "version": "20.0.0",
+  "version": "21.0.0",
   "files": {
-    "c03d3d9d3bc82eedad69a8123bdb9624a92ff2623eac5d10b4213127be4942f5": {
+    "fbcc195635fd8f1904f29d439573540020d8140bbc21d9a9d07071986b13cd44": {
       "source": {
         "path": "lambda-event-source-kinesis-at-timestamp.template.json",
         "packaging": "file"
       },
       "destinations": {
         "current_account-current_region": {
           "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
-          "objectKey": "c03d3d9d3bc82eedad69a8123bdb9624a92ff2623eac5d10b4213127be4942f5.json",
+          "objectKey": "fbcc195635fd8f1904f29d439573540020d8140bbc21d9a9d07071986b13cd44.json",
           "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
         }
       }

diff --git a/...g.kinesis-at-timestamp.js.snapshot/lambda-event-source-kinesis-at-timestamp.template.json b/...g.kinesis-at-timestamp.js.snapshot/lambda-event-source-kinesis-at-timestamp.template.json
@@ -39,6 +39,7 @@
       {
        "Action": [
         "kinesis:DescribeStream",
+        "kinesis:DescribeStreamConsumer",
         "kinesis:DescribeStreamSummary",
         "kinesis:GetRecords",
         "kinesis:GetShardIterator",

diff --git a/...ws-cdk/aws-lambda-event-sources/test/integ.kinesis-at-timestamp.js.snapshot/manifest.json b/...ws-cdk/aws-lambda-event-sources/test/integ.kinesis-at-timestamp.js.snapshot/manifest.json
@@ -1,12 +1,6 @@
 {
-  "version": "20.0.0",
+  "version": "21.0.0",
   "artifacts": {
-    "Tree": {
-      "type": "cdk:tree",
-      "properties": {
-        "file": "tree.json"
-      }
-    },
     "lambda-event-source-kinesis-at-timestamp.assets": {
       "type": "cdk:asset-manifest",
       "properties": {
@@ -23,7 +17,7 @@
         "validateOnSynth": false,
         "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}",
         "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}",
-        "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/c03d3d9d3bc82eedad69a8123bdb9624a92ff2623eac5d10b4213127be4942f5.json",
+        "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/fbcc195635fd8f1904f29d439573540020d8140bbc21d9a9d07071986b13cd44.json",
         "requiresBootstrapStackVersion": 6,
         "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version",
         "additionalDependencies": [
@@ -136,6 +130,12 @@
         ]
       },
       "displayName": "AtTimestamp/DefaultTest/DeployAssert"
+    },
+    "Tree": {
+      "type": "cdk:tree",
+      "properties": {
+        "file": "tree.json"
+      }
     }
   }
 }