feat(aws-logs-destinations): add Firehose Log Subscription Destination #14918
Conversation
|
|
BenChaimberg
added
@aws-cdk/aws-kinesisfirehose
|
Thank you very much for your contribution (especially the documentation)! We are currently working on the design for the Firehose L2 (see #10810) which should be used here. To avoid rewriting the API in the future, I am going to mark this as blocked for now. Please reach out here if you have questions! |
BenChaimberg
added
the
pr/blocked
| A short description here. | ||
| This library supplies constructs for working with CloudWatch Logs Subscription Destinations. | ||
|
|
||
| ## Logs Destinations |
There was a problem hiding this comment.
If you're feeling up for it, it would be great to have these snippets compile in their first iteration. I'm thinking an initial snippet showing how to set up a log group, then each individual destination uses a fixture seeded with a log group to create the destination. Though ellipses are supported, giving a full specification of the destination resource would be ideal. See: CONTRIBUTING#documentation
| assumedBy: new iam.ServicePrincipal(`logs.${region}.amazonaws.com`), | ||
| }); | ||
|
|
||
| iam.Grant.addToPrincipal({ |
There was a problem hiding this comment.
Shouldn't be necessary when the L2 is created, but I'd prefer
role.addToPrincipalPolicy({ ... })
packages/@aws-cdk/aws-logs-destinations/test/integ.kinesisfirehose-to-s3.ts
Show resolved
Hide resolved
| }); | ||
|
|
||
| // THEN: we have a single role to write to the Firehose | ||
| expect(stack).toCountResources('AWS::IAM::Role', 2); // TODO: Fix to 1 - somehow it still creates 2 roles... |
There was a problem hiding this comment.
Please change this to 1 so the build will fail until this has been fixed.
There was a problem hiding this comment.
Any tips on what might be the issue here? I have no idea...
There was a problem hiding this comment.
Oh this is actually correct, since you create two separate log groups and create the role under the log group scope. You should create a separate test that attaches two destinations to the same log group and asserts that only one role is created.
There was a problem hiding this comment.
But in my first revision it was not working when I used scope of Stack.
My initial intention was to have a single role for each Firehose destination. (i.e. 2 log groups will re-use the same role). What scope is the correct one to use for this role?
mergify
bot
dismissed
BenChaimberg’s stale review
Pull request has been modified.
|
In the future, please add more commits onto your working branch instead of amending the old commit and force-pushing. This makes it easier to see what you've changed :) |
Will do, thanks. I presumed github can do diffs between revisions. So, do I still need to squash commits after approval? |
|
One would hope but doesn't seem to be the case...or I just haven't found the right buttons to click. No need to squash or manually merge – our workflows will take care of that. |
|
@BenChaimberg any ETA for Firehose L2? I saw #14860 got closed. Is it possible to merge this PR without Firehose L2? Thanks |
|
The PR in question was closed in favour of a different branch, but the work is still actively ongoing! We are hoping to open a first PR for review by 6/17. Because the changes in this PR would be immediately overwritten and aws-logs-destinations is a stable module, we will not be merging this in its current state. Thanks for your patience! |
There was a problem hiding this comment.
we're almost there! #15544 is nearing completion and we can restart this work when it's complete
requesting changes just to get this off my queue
|
Hello! #15544 has been merged and the DeliveryStream L2 is ready and raring to go! Please go take a look – it should have all we need to complete this PR. |
BenChaimberg
removed
pr/blocked
|
Awesome! Thanks, will post an update in a few days |
mergify
bot
dismissed
BenChaimberg’s stale review
Pull request has been modified.
| * Use a Kinesis Firehose as the destination for a log subscription | ||
| */ | ||
| export class KinesisFirehoseDestination implements logs.ILogSubscriptionDestination { | ||
| constructor(private readonly deliveryStream: firehose.DeliveryStream) { |
There was a problem hiding this comment.
| constructor(private readonly deliveryStream: firehose.DeliveryStream) { | |
| constructor(private readonly deliveryStream: firehose.IDeliveryStream) { |
| } | ||
|
|
||
| public bind(_scope: Construct, _sourceLogGroup: logs.ILogGroup): logs.LogSubscriptionDestinationConfig { | ||
| const { region } = Stack.of(this.deliveryStream); |
There was a problem hiding this comment.
| const { region } = Stack.of(this.deliveryStream); | |
| const region = this.deliveryStream.env.region; |
| const role = this.deliveryStream.node.tryFindChild(roleId) as iam.IRole ?? | ||
| new iam.Role(this.deliveryStream, roleId, { |
There was a problem hiding this comment.
| const role = this.deliveryStream.node.tryFindChild(roleId) as iam.IRole ?? | |
| new iam.Role(this.deliveryStream, roleId, { | |
| const role = scope.node.tryFindChild(roleId) as iam.IRole ?? | |
| new iam.Role(scope, roleId, { |
There was a problem hiding this comment.
With your suggested change we would create 2 identical IAM roles that will fail my unit test in https://github.com/aws/aws-cdk/pull/14918/files#diff-4dab4ab34393d725389edf0c2c55b924e6e9c569d86f78b21ad5d36b8f29b076R104
Do we really want to create 2 identical roles in that unit test case?
There was a problem hiding this comment.
I think we do. There should be a logical mapping between the actor and the role, which would be violated if we create one role per delivery stream (as that is the resource). The test case can be modified to demonstrate that we re-use the role if there are multiple Firehose subscriptions from the same log group
There was a problem hiding this comment.
The test case can be modified to demonstrate that we re-use the role if there are multiple Firehose subscriptions from the same log group
This would still create 2 separate roles because scope would be different for 2 separate subscriptions even if they are applied to the same log group.
So, it looks like scope.node.tryFindChild(roleId) as iam.IRole ?? is a redundant check as that condition will never be true.
Anyway, I will just remove this unit test case for now as it's impossible to test that condition.
There was a problem hiding this comment.
Ah because the destination is bound under SubscriptionFilter, not LogGroup. Okay, no problem with having multiple roles then
There was a problem hiding this comment.
To be clear, yes we should remove the tryFindChild and always create a new role
| constructor(private readonly deliveryStream: firehose.DeliveryStream) { | ||
| } | ||
|
|
||
| public bind(_scope: Construct, _sourceLogGroup: logs.ILogGroup): logs.LogSubscriptionDestinationConfig { |
There was a problem hiding this comment.
| public bind(_scope: Construct, _sourceLogGroup: logs.ILogGroup): logs.LogSubscriptionDestinationConfig { | |
| public bind(scope: Construct, _sourceLogGroup: logs.ILogGroup): logs.LogSubscriptionDestinationConfig { |
| removalPolicy: cdk.RemovalPolicy.DESTROY, | ||
| }); | ||
|
|
||
| // TODO: For some reason creation of this resource fails: `Subscription (Subscription391C9821) destinationArn for vendor firehose cannot be used with roleArn (Service: AWSLogs; Status Code: 400; Error Code: InvalidParameterException; Request ID: 0e598426-5fcb-4fde-b9d3-11b14c129eb6; Proxy: null)` |
There was a problem hiding this comment.
CloudWatch Logs currently has a bug where destination ARNs that contain the string "destination" are rejected from creating a subscription. Workaround is to change the stack name below to remove the "destination" – maybe replace with "dests"
Internal reference: P48761216
There was a problem hiding this comment.
What a weird bug! Thanks for digging into this.
mergify
bot
dismissed
BenChaimberg’s stale review
Pull request has been modified.
|
@BenChaimberg , could you please help me with CodeBuild failure above? Thanks |
|
aws-cdk-lib is the v2 library which removes experimental modules (except for the L1s), meaning stable modules that are included cannot currently depend on experimental modules. The team is currently working on this issue so we may have a fix in the pipeline, but this PR will be blocked until then. |
BenChaimberg
added
the
pr/blocked
RomainMuller
force-pushed
the
master
branch
from
924c117
to
ebfd5f2
Compare
|
@BenChaimberg, is there anything that one could do to get this merged? – The issue with experimental modules with v2 is, in my understanding, solved. |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
@nikovirtala I've just merged latest stuff from master and, as you see above, the build still fails with the same error message. How do you know that the issue is solved? Maybe I am missing some config |
|
@kaizen3031593 can you please respond to the query above -- I have not been following the developments on experimental modules. |
|
@nikovirtala my quick understanding of the issue is that stable modules cannot depend on experimental modules; this is by design. In that sense, there is nothing to resolve. Instead, we are waiting for |
It is not an option to release these changes as experimental too? – If that (release an experimental version of a currently stable package) is not possible we are going to find ourselves in this situation over and over again. |
|
@nikovirtala we can release changes as experimental in a stable module by using the I am going to remove my assignment from this for now but feel free to ping me if you want my attention. When |
|
This PR has been in BUILD FAILING for 21 days, and looks abandoned. It will be closed in 10 days if no further commits are pushed to it. |
|
This PR has been deemed to be abandoned, and will be automatically closed. Please create a new PR for these changes if you think this decision has been made in error. |
github-actions
bot
added
the
closed-for-staleness
Add FIrehose CW Logs Subscription Destination for delivering logs from CW directly into Firehose (in batches, gziped).
Currently, this package contains only Kinesis Logs Subscription Destination, but it's possible to send directly to Firehose without Kinesis stream. See https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/SubscriptionFilters.html#FirehoseExample
Implementation is based on these official instructions.
Also, Firehose does not have high level CDK constructs, so I used native Cfn level stuff.Tested by deploying test stack and sending logs to the log stream. Validated that logs are delivered to S3 via Firehose.
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license