From 58aae30011514f8acb45223ccfa07e099a8a5683 Mon Sep 17 00:00:00 2001 From: Massimo Prencipe Date: Fri, 5 Nov 2021 13:37:12 +0200 Subject: [PATCH 1/6] Add required rights to trigger Lambda from Kinesis. Fixes issue #17312. --- packages/@aws-cdk/aws-kinesis/lib/stream.ts | 2 ++ packages/@aws-cdk/aws-kinesis/test/stream.test.ts | 8 ++++++++ 2 files changed, 10 insertions(+) diff --git a/packages/@aws-cdk/aws-kinesis/lib/stream.ts b/packages/@aws-cdk/aws-kinesis/lib/stream.ts index b2fed1eb10329..8cc08fa70bfdc 100644 --- a/packages/@aws-cdk/aws-kinesis/lib/stream.ts +++ b/packages/@aws-cdk/aws-kinesis/lib/stream.ts @@ -12,6 +12,8 @@ const READ_OPERATIONS = [ 'kinesis:GetShardIterator', 'kinesis:ListShards', 'kinesis:SubscribeToShard', + 'kinesis:DescribeStream', + 'kinesis:ListStreams', ]; const WRITE_OPERATIONS = [ diff --git a/packages/@aws-cdk/aws-kinesis/test/stream.test.ts b/packages/@aws-cdk/aws-kinesis/test/stream.test.ts index 089261c6ebdae..dee29db89d384 100644 --- a/packages/@aws-cdk/aws-kinesis/test/stream.test.ts +++ b/packages/@aws-cdk/aws-kinesis/test/stream.test.ts @@ -503,6 +503,8 @@ describe('Kinesis data streams', () => { 'kinesis:GetShardIterator', 'kinesis:ListShards', 'kinesis:SubscribeToShard', + 'kinesis:DescribeStream', + 'kinesis:ListStreams', ], Effect: 'Allow', Resource: { @@ -811,6 +813,8 @@ describe('Kinesis data streams', () => { 'kinesis:GetShardIterator', 'kinesis:ListShards', 'kinesis:SubscribeToShard', + 'kinesis:DescribeStream', + 'kinesis:ListStreams', 'kinesis:PutRecord', 'kinesis:PutRecords', ], @@ -884,6 +888,8 @@ describe('Kinesis data streams', () => { 'kinesis:GetShardIterator', 'kinesis:ListShards', 'kinesis:SubscribeToShard', + 'kinesis:DescribeStream', + 'kinesis:ListStreams', ], Effect: 'Allow', Resource: { 
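Review bot: `'kinesis:ListStreams'` in `READ_OPERATIONS` (lib/stream.ts) is, as far as I know, an account-level action without resource-level permission support. In the statements the updated test expectations show, where `Resource: {` follows the action list and appears to be scoped to the stream, it would most likely grant nothing. If the Lambda event source really needs it, it probably belongs in its own statement rather than in the shared list; please confirm against the IAM action reference for Kinesis. Both new entries also widen every `grantRead`/`grantReadWrite` caller, not only the Lambda trigger named in the commit subject, so a least-privilege reviewer should see that stated in the description. Patch 3/6 deletes the only comment that explained why `DescribeStream` is needed, so I would record the reason next to the entries, e.g. `// DescribeStream/ListStreams: needed by Lambda event source mappings; DescribeStream is also still used by Firehose (issue #17312)`.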
@@ -1050,6 +1056,8 @@ describe('Kinesis data streams', () => { 'kinesis:GetShardIterator', 'kinesis:ListShards', 'kinesis:SubscribeToShard', + 'kinesis:DescribeStream', + 'kinesis:ListStreams', 'kinesis:PutRecord', 'kinesis:PutRecords', ], From a55bff3e446980e87138b1b0bc615b2dfa9f37e4 Mon Sep 17 00:00:00 2001 From: Massimo Prencipe Date: Mon, 8 Nov 2021 11:31:13 +0200 Subject: [PATCH 2/6] Fix test --- packages/@aws-cdk/aws-kinesis/test/integ.stream.expected.json | 2 ++ 1 file changed, 2 insertions(+) diff --git a/packages/@aws-cdk/aws-kinesis/test/integ.stream.expected.json b/packages/@aws-cdk/aws-kinesis/test/integ.stream.expected.json index 15055271413a2..41230acc599a2 100644 --- a/packages/@aws-cdk/aws-kinesis/test/integ.stream.expected.json +++ b/packages/@aws-cdk/aws-kinesis/test/integ.stream.expected.json @@ -44,6 +44,8 @@ "kinesis:GetShardIterator", "kinesis:ListShards", "kinesis:SubscribeToShard", + "kinesis:DescribeStream", + "kinesis:ListStreams", "kinesis:PutRecord", "kinesis:PutRecords" ], From b9178000abff0040770e9cdbed9101055b7046f2 Mon Sep 17 00:00:00 2001 From: Massimo Prencipe Date: Mon, 8 Nov 2021 21:25:57 +0200 Subject: [PATCH 3/6] Remove extra addAction, fix test --- .../@aws-cdk/aws-kinesisfirehose/lib/delivery-stream.ts | 7 ------- .../test/integ.delivery-stream.source-stream.expected.json | 3 ++- 2 files changed, 2 insertions(+), 8 deletions(-) diff --git a/packages/@aws-cdk/aws-kinesisfirehose/lib/delivery-stream.ts b/packages/@aws-cdk/aws-kinesisfirehose/lib/delivery-stream.ts index 7dfaed8eb384b..35230fc284bd9 100644 --- a/packages/@aws-cdk/aws-kinesisfirehose/lib/delivery-stream.ts +++ b/packages/@aws-cdk/aws-kinesisfirehose/lib/delivery-stream.ts 
@@ -358,13 +358,6 @@ export class DeliveryStream extends DeliveryStreamBase { roleArn: role.roleArn, } : undefined; const readStreamGrant = props.sourceStream?.grantRead(role); - /* - * Firehose still uses the deprecated DescribeStream API instead of the modern DescribeStreamSummary API. - * kinesis.IStream.grantRead does not provide DescribeStream permissions so we add it manually here. - */ - if (readStreamGrant && readStreamGrant.principalStatement) { - readStreamGrant.principalStatement.addActions('kinesis:DescribeStream'); - } const destinationConfig = props.destinations[0].bind(this, {}); diff --git a/packages/@aws-cdk/aws-kinesisfirehose/test/integ.delivery-stream.source-stream.expected.json b/packages/@aws-cdk/aws-kinesisfirehose/test/integ.delivery-stream.source-stream.expected.json index eb46541a1cdf2..896d0487a091c 100644 --- a/packages/@aws-cdk/aws-kinesisfirehose/test/integ.delivery-stream.source-stream.expected.json +++ b/packages/@aws-cdk/aws-kinesisfirehose/test/integ.delivery-stream.source-stream.expected.json @@ -119,7 +119,8 @@ "kinesis:GetShardIterator", "kinesis:ListShards", "kinesis:SubscribeToShard", - "kinesis:DescribeStream" + "kinesis:DescribeStream", + "kinesis:ListStreams" ], "Effect": "Allow", "Resource": { From 12b9429e45693cb994c0e30da20c696e9f69912f Mon Sep 17 00:00:00 2001 From: Massimo Prencipe Date: Mon, 8 Nov 2021 21:50:38 +0200 Subject: [PATCH 4/6] Another test fix --- packages/@aws-cdk/aws-lambda-event-sources/test/kinesis.test.ts | 2 ++ 1 file changed, 2 insertions(+) diff --git a/packages/@aws-cdk/aws-lambda-event-sources/test/kinesis.test.ts b/packages/@aws-cdk/aws-lambda-event-sources/test/kinesis.test.ts index 96701d6c83f7a..634236ff95b8b 100644 --- a/packages/@aws-cdk/aws-lambda-event-sources/test/kinesis.test.ts +++ b/packages/@aws-cdk/aws-lambda-event-sources/test/kinesis.test.ts 
@@ -30,6 +30,8 @@ describe('KinesisEventSource', () => { 'kinesis:GetShardIterator', 'kinesis:ListShards', 'kinesis:SubscribeToShard', + 'kinesis:DescribeStream', + 'kinesis:ListStreams' ], 'Effect': 'Allow', 'Resource': { From a27470efb118785ded6f71480aaf3a22c9a54d2e Mon Sep 17 00:00:00 2001 From: Massimo Prencipe Date: Mon, 8 Nov 2021 22:56:07 +0200 Subject: [PATCH 5/6] Fix missing comma dangle --- packages/@aws-cdk/aws-lambda-event-sources/test/kinesis.test.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/@aws-cdk/aws-lambda-event-sources/test/kinesis.test.ts b/packages/@aws-cdk/aws-lambda-event-sources/test/kinesis.test.ts index 634236ff95b8b..e77fec71e5079 100644 --- a/packages/@aws-cdk/aws-lambda-event-sources/test/kinesis.test.ts +++ b/packages/@aws-cdk/aws-lambda-event-sources/test/kinesis.test.ts @@ -31,7 +31,7 @@ describe('KinesisEventSource', () => { 'kinesis:ListShards', 'kinesis:SubscribeToShard', 'kinesis:DescribeStream', - 'kinesis:ListStreams' + 'kinesis:ListStreams', ], 'Effect': 'Allow', 'Resource': { From 6659415d98d4fe04f0b3473264936b24f75ee80f Mon Sep 17 00:00:00 2001 From: Massimo Prencipe Date: Tue, 9 Nov 2021 07:14:57 +0200 Subject: [PATCH 6/6] Fix more tests --- .../aws-lambda-event-sources/test/integ.kinesis.expected.json | 4 +++- .../test/integ.kinesiswithdlq.expected.json | 4 +++- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/packages/@aws-cdk/aws-lambda-event-sources/test/integ.kinesis.expected.json b/packages/@aws-cdk/aws-lambda-event-sources/test/integ.kinesis.expected.json index aafb84ca19c72..c1690f2f03aac 100644 --- a/packages/@aws-cdk/aws-lambda-event-sources/test/integ.kinesis.expected.json +++ b/packages/@aws-cdk/aws-lambda-event-sources/test/integ.kinesis.expected.json 
@@ -42,7 +42,9 @@ "kinesis:GetRecords", "kinesis:GetShardIterator", "kinesis:ListShards", - "kinesis:SubscribeToShard" + "kinesis:SubscribeToShard", + "kinesis:DescribeStream", + "kinesis:ListStreams" ], "Effect": "Allow", "Resource": { diff --git a/packages/@aws-cdk/aws-lambda-event-sources/test/integ.kinesiswithdlq.expected.json b/packages/@aws-cdk/aws-lambda-event-sources/test/integ.kinesiswithdlq.expected.json index 4d0a6c1a54707..616adaef6a86a 100644 --- a/packages/@aws-cdk/aws-lambda-event-sources/test/integ.kinesiswithdlq.expected.json +++ b/packages/@aws-cdk/aws-lambda-event-sources/test/integ.kinesiswithdlq.expected.json @@ -56,7 +56,9 @@ "kinesis:GetRecords", "kinesis:GetShardIterator", "kinesis:ListShards", - "kinesis:SubscribeToShard" + "kinesis:SubscribeToShard", + "kinesis:DescribeStream", + "kinesis:ListStreams" ], "Effect": "Allow", "Resource": {