import { AccountPrincipal } from "aws-cdk-lib/aws-iam";
import { FASTLY_AWS_ACCOUNT_ID } from "../../../../constants/fastly-aws-account-id";
import type { GuStack } from "../../../../constructs/core";
import { GuFastlyCustomerIdParameter } from "../../../../constructs/core";
import { GuRole } from "../../../../constructs/iam";
import type { GuKinesisStream } from "../../../../constructs/kinesis";
import { GuKinesisPutRecordsPolicyExperimental } from "../../policies/kinesis-put-records";
/**
 * Props for `GuFastlyKinesisLogRoleExperimental`.
 */
export interface GuFastlyKinesisLogRoleProps {
  /**
   * The Kinesis stream into which Fastly will put records.
   * This is the only resource the role is given a write policy for.
   */
  stream: GuKinesisStream;
  /**
   * The name of the IAM role. When omitted the role name is left to the
   * underlying `GuRole`/CloudFormation to generate.
   */
  roleName?: string;
  /**
   * The name of the policy attached to this role which allows writing to the Kinesis stream.
   * Defaults to `"GuKinesisPutRecordsPolicyExperimental"`. It is also used as the construct id
   * of the policy within the stack, so two instances of this construct in one stack need
   * distinct values to avoid a construct-id collision.
   */
  policyName?: string;
}
/**
 * An IAM role that Fastly's AWS account can assume in order to write log records
 * into one specific Kinesis stream.
 *
 * Trust is granted to the Fastly AWS account as a whole (`FASTLY_AWS_ACCOUNT_ID`)
 * and narrowed with an external ID equal to the Guardian's Fastly customer id.
 * That id is read from the SSM parameter `/account/external/fastly/customer.id`,
 * which must exist in the account's parameter store for the stack to deploy.
 *
 * The only permission attached is the put-records policy from
 * `GuKinesisPutRecordsPolicyExperimental` for `props.stream`.
 */
export class GuFastlyKinesisLogRoleExperimental extends GuRole {
  constructor(scope: GuStack, id: string, props: GuFastlyKinesisLogRoleProps) {
    // Looked up before `super` because the external ID is part of the trust policy.
    const customerId = GuFastlyCustomerIdParameter.getInstance(scope).valueAsString;

    super(scope, id, {
      roleName: props.roleName,
      // Any principal in Fastly's account may assume the role, but only when it
      // presents the customer id as the external ID — the usual confused-deputy
      // guard (assumes GuRole forwards `externalIds` to the underlying IAM role).
      assumedBy: new AccountPrincipal(FASTLY_AWS_ACCOUNT_ID),
      externalIds: [customerId],
    });

    // `policyName` doubles as the construct id of the policy, so two instances in
    // the same stack need distinct names to avoid a construct-id collision.
    const policyId = props.policyName ?? "GuKinesisPutRecordsPolicyExperimental";
    const putRecords = new GuKinesisPutRecordsPolicyExperimental(scope, policyId, {
      stream: props.stream,
    });
    putRecords.attachToRole(this);
  }
}