diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-kinesisfirehose/test/integ.cloudwatch-logs-processors.js.snapshot/asset.44e9c4d7a5d3fd2d677e1a7e416b2b56f6b0104bd5eff9cac5557b4c65a9dc61/index.js b/packages/@aws-cdk-testing/framework-integ/test/aws-kinesisfirehose/test/integ.cloudwatch-logs-processors.js.snapshot/asset.44e9c4d7a5d3fd2d677e1a7e416b2b56f6b0104bd5eff9cac5557b4c65a9dc61/index.js new file mode 100644 index 0000000000000..1002ba018e9fb --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-kinesisfirehose/test/integ.cloudwatch-logs-processors.js.snapshot/asset.44e9c4d7a5d3fd2d677e1a7e416b2b56f6b0104bd5eff9cac5557b4c65a9dc61/index.js @@ -0,0 +1 @@ +"use strict";var f=Object.create;var i=Object.defineProperty;var I=Object.getOwnPropertyDescriptor;var C=Object.getOwnPropertyNames;var w=Object.getPrototypeOf,P=Object.prototype.hasOwnProperty;var A=(t,e)=>{for(var o in e)i(t,o,{get:e[o],enumerable:!0})},d=(t,e,o,r)=>{if(e&&typeof e=="object"||typeof e=="function")for(let s of C(e))!P.call(t,s)&&s!==o&&i(t,s,{get:()=>e[s],enumerable:!(r=I(e,s))||r.enumerable});return t};var l=(t,e,o)=>(o=t!=null?f(w(t)):{},d(e||!t||!t.__esModule?i(o,"default",{value:t,enumerable:!0}):o,t)),B=t=>d(i({},"__esModule",{value:!0}),t);var q={};A(q,{autoDeleteHandler:()=>S,handler:()=>H});module.exports=B(q);var h=require("@aws-sdk/client-s3");var y=l(require("https")),m=l(require("url")),a={sendHttpRequest:D,log:T,includeStackTraces:!0,userHandlerIndex:"./index"},p="AWSCDK::CustomResourceProviderFramework::CREATE_FAILED",L="AWSCDK::CustomResourceProviderFramework::MISSING_PHYSICAL_ID";function R(t){return async(e,o)=>{let r={...e,ResponseURL:"..."};if(a.log(JSON.stringify(r,void 0,2)),e.RequestType==="Delete"&&e.PhysicalResourceId===p){a.log("ignoring DELETE event caused by a failed CREATE event"),await u("SUCCESS",e);return}try{let s=await t(r,o),n=k(e,s);await u("SUCCESS",n)}catch(s){let n={...e,Reason:a.includeStackTraces?s.stack:s.message};n.PhysicalResourceId||(e.RequestType==="Create"?(a.log("CREATE failed, responding with a marker physical resource id so that the subsequent DELETE will be ignored"),n.PhysicalResourceId=p):a.log(`ERROR: Malformed event. "PhysicalResourceId" is required: ${JSON.stringify(e)}`)),await u("FAILED",n)}}}function k(t,e={}){let o=e.PhysicalResourceId??t.PhysicalResourceId??t.RequestId;if(t.RequestType==="Delete"&&o!==t.PhysicalResourceId)throw new Error(`DELETE: cannot change the physical resource ID from "${t.PhysicalResourceId}" to "${e.PhysicalResourceId}" during deletion`);return{...t,...e,PhysicalResourceId:o}}async function u(t,e){let o={Status:t,Reason:e.Reason??t,StackId:e.StackId,RequestId:e.RequestId,PhysicalResourceId:e.PhysicalResourceId||L,LogicalResourceId:e.LogicalResourceId,NoEcho:e.NoEcho,Data:e.Data},r=m.parse(e.ResponseURL),s=`${r.protocol}//${r.hostname}/${r.pathname}?***`;a.log("submit response to cloudformation",s,o);let n=JSON.stringify(o),E={hostname:r.hostname,path:r.path,method:"PUT",headers:{"content-type":"","content-length":Buffer.byteLength(n,"utf8")}};await O({attempts:5,sleep:1e3},a.sendHttpRequest)(E,n)}async function D(t,e){return new Promise((o,r)=>{try{let s=y.request(t,n=>{n.resume(),!n.statusCode||n.statusCode>=400?r(new Error(`Unsuccessful HTTP response: ${n.statusCode}`)):o()});s.on("error",r),s.write(e),s.end()}catch(s){r(s)}})}function T(t,...e){console.log(t,...e)}function O(t,e){return async(...o)=>{let r=t.attempts,s=t.sleep;for(;;)try{return await e(...o)}catch(n){if(r--<=0)throw n;await b(Math.floor(Math.random()*s)),s*=2}}}async function b(t){return new Promise(e=>setTimeout(e,t))}var g="aws-cdk:auto-delete-objects",x=JSON.stringify({Version:"2012-10-17",Statement:[]}),c=new h.S3({}),H=R(S);async function S(t){switch(t.RequestType){case"Create":return;case"Update":return{PhysicalResourceId:(await F(t)).PhysicalResourceId};case"Delete":return N(t.ResourceProperties?.BucketName)}}async function F(t){let e=t,o=e.OldResourceProperties?.BucketName;return{PhysicalResourceId:e.ResourceProperties?.BucketName??o}}async function _(t){try{let e=(await c.getBucketPolicy({Bucket:t}))?.Policy??x,o=JSON.parse(e);o.Statement.push({Principal:"*",Effect:"Deny",Action:["s3:PutObject"],Resource:[`arn:aws:s3:::${t}/*`]}),await c.putBucketPolicy({Bucket:t,Policy:JSON.stringify(o)})}catch(e){if(e.name==="NoSuchBucket")throw e;console.log(`Could not set new object deny policy on bucket '${t}' prior to deletion.`)}}async function U(t){let e;do{e=await c.listObjectVersions({Bucket:t});let o=[...e.Versions??[],...e.DeleteMarkers??[]];if(o.length===0)return;let r=o.map(s=>({Key:s.Key,VersionId:s.VersionId}));await c.deleteObjects({Bucket:t,Delete:{Objects:r}})}while(e?.IsTruncated)}async function N(t){if(!t)throw new Error("No BucketName was provided.");try{if(!await W(t)){console.log(`Bucket does not have '${g}' tag, skipping cleaning.`);return}await _(t),await U(t)}catch(e){if(e.name==="NoSuchBucket"){console.log(`Bucket '${t}' does not exist.`);return}throw e}}async function W(t){return(await c.getBucketTagging({Bucket:t})).TagSet?.some(o=>o.Key===g&&o.Value==="true")}0&&(module.exports={autoDeleteHandler,handler}); diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-kinesisfirehose/test/integ.cloudwatch-logs-processors.js.snapshot/asset.52cf96d8e37139faa98832bfcf5d3af4afc4e7353b74595c3f179e45410e31cb/index.js b/packages/@aws-cdk-testing/framework-integ/test/aws-kinesisfirehose/test/integ.cloudwatch-logs-processors.js.snapshot/asset.52cf96d8e37139faa98832bfcf5d3af4afc4e7353b74595c3f179e45410e31cb/index.js new file mode 100644 index 0000000000000..8baba1c5a9bf1 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-kinesisfirehose/test/integ.cloudwatch-logs-processors.js.snapshot/asset.52cf96d8e37139faa98832bfcf5d3af4afc4e7353b74595c3f179e45410e31cb/index.js @@ -0,0 +1,39 @@ +"use strict"; +var __defProp = Object.defineProperty; +var __getOwnPropDesc = Object.getOwnPropertyDescriptor; +var __getOwnPropNames = Object.getOwnPropertyNames; +var __hasOwnProp = Object.prototype.hasOwnProperty; +var __export = (target, all) => { + for (var name in all) + __defProp(target, name, { get: all[name], enumerable: true }); +}; +var __copyProps = (to, from, except, desc) => { + if (from && typeof from === "object" || typeof from === "function") { + for (let key of __getOwnPropNames(from)) + if (!__hasOwnProp.call(to, key) && key !== except) + __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable }); + } + return to; +}; +var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod); + +// packages/@aws-cdk-testing/framework-integ/test/aws-kinesisfirehose/test/lambda-data-processor.js +var lambda_data_processor_exports = {}; +__export(lambda_data_processor_exports, { + handler: () => handler +}); +module.exports = __toCommonJS(lambda_data_processor_exports); +async function handler(event, context) { + const output = event.records.map((record) => ({ + /* This transformation is the "identity" transformation, the data is left intact */ + recordId: record.recordId, + result: "Ok", + data: record.data + })); + console.log(`Processing completed. Successful records ${output.length}.`); + return { records: output }; +} +// Annotate the CommonJS export names for ESM import in node: +0 && (module.exports = { + handler +}); diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-kinesisfirehose/test/integ.cloudwatch-logs-processors.js.snapshot/cdk.out b/packages/@aws-cdk-testing/framework-integ/test/aws-kinesisfirehose/test/integ.cloudwatch-logs-processors.js.snapshot/cdk.out new file mode 100644 index 0000000000000..523a9aac37cbf --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-kinesisfirehose/test/integ.cloudwatch-logs-processors.js.snapshot/cdk.out @@ -0,0 +1 @@ +{"version":"48.0.0"} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-kinesisfirehose/test/integ.cloudwatch-logs-processors.js.snapshot/firehose-delivery-stream-cloudwatch-logs-processors.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-kinesisfirehose/test/integ.cloudwatch-logs-processors.js.snapshot/firehose-delivery-stream-cloudwatch-logs-processors.assets.json new file mode 100644 index 0000000000000..9d5eadc71c6d5 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-kinesisfirehose/test/integ.cloudwatch-logs-processors.js.snapshot/firehose-delivery-stream-cloudwatch-logs-processors.assets.json @@ -0,0 +1,48 @@ +{ + "version": "48.0.0", + "files": { + "44e9c4d7a5d3fd2d677e1a7e416b2b56f6b0104bd5eff9cac5557b4c65a9dc61": { + "displayName": "firehose-delivery-stream-cloudwatch-logs-processors/Custom::S3AutoDeleteObjectsCustomResourceProvider Code", + "source": { + "path": "asset.44e9c4d7a5d3fd2d677e1a7e416b2b56f6b0104bd5eff9cac5557b4c65a9dc61", + "packaging": "zip" + }, + "destinations": { + "current_account-current_region-094cbf39": { + "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", + "objectKey": "44e9c4d7a5d3fd2d677e1a7e416b2b56f6b0104bd5eff9cac5557b4c65a9dc61.zip", + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" + } + } + }, + "52cf96d8e37139faa98832bfcf5d3af4afc4e7353b74595c3f179e45410e31cb": { + "displayName": "DataProcessorFunction/Code", + "source": { + "path": "asset.52cf96d8e37139faa98832bfcf5d3af4afc4e7353b74595c3f179e45410e31cb", + "packaging": "zip" + }, + "destinations": { + "current_account-current_region-23cacdcb": { + "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", + "objectKey": "52cf96d8e37139faa98832bfcf5d3af4afc4e7353b74595c3f179e45410e31cb.zip", + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" + } + } + }, + "28a32f5574fd63b35403ff3164687b822bb273b920050765d1f6be533fed73d3": { + "displayName": "firehose-delivery-stream-cloudwatch-logs-processors Template", + "source": { + "path": "firehose-delivery-stream-cloudwatch-logs-processors.template.json", + "packaging": "file" + }, + "destinations": { + "current_account-current_region-0395ff06": { + "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", + "objectKey": "28a32f5574fd63b35403ff3164687b822bb273b920050765d1f6be533fed73d3.json", + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" + } + } + } + }, + "dockerImages": {} +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-kinesisfirehose/test/integ.cloudwatch-logs-processors.js.snapshot/firehose-delivery-stream-cloudwatch-logs-processors.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-kinesisfirehose/test/integ.cloudwatch-logs-processors.js.snapshot/firehose-delivery-stream-cloudwatch-logs-processors.template.json new file mode 100644 index 0000000000000..241b138560565 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-kinesisfirehose/test/integ.cloudwatch-logs-processors.js.snapshot/firehose-delivery-stream-cloudwatch-logs-processors.template.json @@ -0,0 +1,770 @@ +{ + "Resources": { + "DestinationBucket4BECDB47": { + "Type": "AWS::S3::Bucket", + "Properties": { + "Tags": [ + { + "Key": "aws-cdk:auto-delete-objects", + "Value": "true" + } + ] + }, + "UpdateReplacePolicy": "Delete", + "DeletionPolicy": "Delete" + }, + "DestinationBucketPolicyFCD81088": { + "Type": "AWS::S3::BucketPolicy", + "Properties": { + "Bucket": { + "Ref": "DestinationBucket4BECDB47" + }, + "PolicyDocument": { + "Statement": [ + { + "Action": [ + "s3:DeleteObject*", + "s3:GetBucket*", + "s3:List*", + "s3:PutBucketPolicy" + ], + "Effect": "Allow", + "Principal": { + "AWS": { + "Fn::GetAtt": [ + "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092", + "Arn" + ] + } + }, + "Resource": [ + { + "Fn::GetAtt": [ + "DestinationBucket4BECDB47", + "Arn" + ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "DestinationBucket4BECDB47", + "Arn" + ] + }, + "/*" + ] + ] + } + ] + } + ], + "Version": "2012-10-17" + } + } + }, + "DestinationBucketAutoDeleteObjectsCustomResource8ECA4428": { + "Type": "Custom::S3AutoDeleteObjects", + "Properties": { + "ServiceToken": { + "Fn::GetAtt": [ + "CustomS3AutoDeleteObjectsCustomResourceProviderHandler9D90184F", + "Arn" + ] + }, + "BucketName": { + "Ref": "DestinationBucket4BECDB47" + } + }, + "DependsOn": [ + "DestinationBucketPolicyFCD81088" + ], + "UpdateReplacePolicy": "Delete", + "DeletionPolicy": "Delete" + }, + "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": "lambda.amazonaws.com" + } + } + ] + }, + "ManagedPolicyArns": [ + { + "Fn::Sub": "arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" + } + ] + } + }, + "CustomS3AutoDeleteObjectsCustomResourceProviderHandler9D90184F": { + "Type": "AWS::Lambda::Function", + "Properties": { + "Code": { + "S3Bucket": { + "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}" + }, + "S3Key": "44e9c4d7a5d3fd2d677e1a7e416b2b56f6b0104bd5eff9cac5557b4c65a9dc61.zip" + }, + "Timeout": 900, + "MemorySize": 128, + "Handler": "index.handler", + "Role": { + "Fn::GetAtt": [ + "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092", + "Arn" + ] + }, + "Runtime": "nodejs22.x", + "Description": { + "Fn::Join": [ + "", + [ + "Lambda function for auto-deleting objects in ", + { + "Ref": "DestinationBucket4BECDB47" + }, + " S3 bucket." + ] + ] + } + }, + "DependsOn": [ + "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092" + ] + }, + "DataProcessorFunctionServiceRole12E05500": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": "lambda.amazonaws.com" + } + } + ], + "Version": "2012-10-17" + }, + "ManagedPolicyArns": [ + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" + ] + ] + } + ] + } + }, + "DataProcessorFunctionAD472B9A": { + "Type": "AWS::Lambda::Function", + "Properties": { + "Code": { + "S3Bucket": { + "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}" + }, + "S3Key": "52cf96d8e37139faa98832bfcf5d3af4afc4e7353b74595c3f179e45410e31cb.zip" + }, + "Handler": "index.handler", + "Role": { + "Fn::GetAtt": [ + "DataProcessorFunctionServiceRole12E05500", + "Arn" + ] + }, + "Runtime": "nodejs22.x", + "Timeout": 60 + }, + "DependsOn": [ + "DataProcessorFunctionServiceRole12E05500" + ] + }, + "DataProcessorFunctionLogGroup81545B5B": { + "Type": "AWS::Logs::LogGroup", + "Properties": { + "LogGroupName": { + "Fn::Join": [ + "", + [ + "/aws/lambda/", + { + "Ref": "DataProcessorFunctionAD472B9A" + } + ] + ] + }, + "RetentionInDays": 731 + }, + "UpdateReplacePolicy": "Retain", + "DeletionPolicy": "Retain" + }, + "DecompressCloudWatchLogsEntryS3DestinationRoleD9A9D5C0": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": "firehose.amazonaws.com" + } + } + ], + "Version": "2012-10-17" + } + } + }, + "DecompressCloudWatchLogsEntryS3DestinationRoleDefaultPolicy3DEF606B": { + "Type": "AWS::IAM::Policy", + "Properties": { + "PolicyDocument": { + "Statement": [ + { + "Action": [ + "s3:Abort*", + "s3:DeleteObject*", + "s3:GetBucket*", + "s3:GetObject*", + "s3:List*", + "s3:PutObject", + "s3:PutObjectLegalHold", + "s3:PutObjectRetention", + "s3:PutObjectTagging", + "s3:PutObjectVersionTagging" + ], + "Effect": "Allow", + "Resource": [ + { + "Fn::GetAtt": [ + "DestinationBucket4BECDB47", + "Arn" + ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "DestinationBucket4BECDB47", + "Arn" + ] + }, + "/*" + ] + ] + } + ] + }, + { + "Action": [ + "logs:CreateLogStream", + "logs:PutLogEvents" + ], + "Effect": "Allow", + "Resource": { + "Fn::GetAtt": [ + "DecompressCloudWatchLogsEntryLogGroup9D3B0DB2", + "Arn" + ] + } + }, + { + "Action": "lambda:InvokeFunction", + "Effect": "Allow", + "Resource": [ + { + "Fn::GetAtt": [ + "DataProcessorFunctionAD472B9A", + "Arn" + ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "DataProcessorFunctionAD472B9A", + "Arn" + ] + }, + ":*" + ] + ] + } + ] + } + ], + "Version": "2012-10-17" + }, + "PolicyName": "DecompressCloudWatchLogsEntryS3DestinationRoleDefaultPolicy3DEF606B", + "Roles": [ + { + "Ref": "DecompressCloudWatchLogsEntryS3DestinationRoleD9A9D5C0" + } + ] + } + }, + "DecompressCloudWatchLogsEntryLogGroup9D3B0DB2": { + "Type": "AWS::Logs::LogGroup", + "Properties": { + "RetentionInDays": 731 + }, + "UpdateReplacePolicy": "Retain", + "DeletionPolicy": "Retain" + }, + "DecompressCloudWatchLogsEntryLogGroupS3DestinationF2791191": { + "Type": "AWS::Logs::LogStream", + "Properties": { + "LogGroupName": { + "Ref": "DecompressCloudWatchLogsEntryLogGroup9D3B0DB2" + } + }, + "UpdateReplacePolicy": "Retain", + "DeletionPolicy": "Retain" + }, + "DecompressCloudWatchLogsEntryA427F80B": { + "Type": "AWS::KinesisFirehose::DeliveryStream", + "Properties": { + "DeliveryStreamType": "DirectPut", + "ExtendedS3DestinationConfiguration": { + "BucketARN": { + "Fn::GetAtt": [ + "DestinationBucket4BECDB47", + "Arn" + ] + }, + "CloudWatchLoggingOptions": { + "Enabled": true, + "LogGroupName": { + "Ref": "DecompressCloudWatchLogsEntryLogGroup9D3B0DB2" + }, + "LogStreamName": { + "Ref": "DecompressCloudWatchLogsEntryLogGroupS3DestinationF2791191" + } + }, + "ProcessingConfiguration": { + "Enabled": true, + "Processors": [ + { + "Parameters": [ + { + "ParameterName": "CompressionFormat", + "ParameterValue": "GZIP" + } + ], + "Type": "Decompression" + }, + { + "Parameters": [], + "Type": "AppendDelimiterToRecord" + }, + { + "Parameters": [ + { + "ParameterName": "RoleArn", + "ParameterValue": { + "Fn::GetAtt": [ + "DecompressCloudWatchLogsEntryS3DestinationRoleD9A9D5C0", + "Arn" + ] + } + }, + { + "ParameterName": "LambdaArn", + "ParameterValue": { + "Fn::GetAtt": [ + "DataProcessorFunctionAD472B9A", + "Arn" + ] + } + } + ], + "Type": "Lambda" + } + ] + }, + "RoleARN": { + "Fn::GetAtt": [ + "DecompressCloudWatchLogsEntryS3DestinationRoleD9A9D5C0", + "Arn" + ] + } + } + }, + "DependsOn": [ + "DecompressCloudWatchLogsEntryS3DestinationRoleDefaultPolicy3DEF606B" + ] + }, + "ExtractCloudWatchLogsEntryS3DestinationRole108BAD0D": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": "firehose.amazonaws.com" + } + } + ], + "Version": "2012-10-17" + } + } + }, + "ExtractCloudWatchLogsEntryS3DestinationRoleDefaultPolicy871DDE3C": { + "Type": "AWS::IAM::Policy", + "Properties": { + "PolicyDocument": { + "Statement": [ + { + "Action": [ + "s3:Abort*", + "s3:DeleteObject*", + "s3:GetBucket*", + "s3:GetObject*", + "s3:List*", + "s3:PutObject", + "s3:PutObjectLegalHold", + "s3:PutObjectRetention", + "s3:PutObjectTagging", + "s3:PutObjectVersionTagging" + ], + "Effect": "Allow", + "Resource": [ + { + "Fn::GetAtt": [ + "DestinationBucket4BECDB47", + "Arn" + ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "DestinationBucket4BECDB47", + "Arn" + ] + }, + "/*" + ] + ] + } + ] + }, + { + "Action": [ + "logs:CreateLogStream", + "logs:PutLogEvents" + ], + "Effect": "Allow", + "Resource": { + "Fn::GetAtt": [ + "ExtractCloudWatchLogsEntryLogGroupE6853E20", + "Arn" + ] + } + }, + { + "Action": "lambda:InvokeFunction", + "Effect": "Allow", + "Resource": [ + { + "Fn::GetAtt": [ + "DataProcessorFunctionAD472B9A", + "Arn" + ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "DataProcessorFunctionAD472B9A", + "Arn" + ] + }, + ":*" + ] + ] + } + ] + } + ], + "Version": "2012-10-17" + }, + "PolicyName": "ExtractCloudWatchLogsEntryS3DestinationRoleDefaultPolicy871DDE3C", + "Roles": [ + { + "Ref": "ExtractCloudWatchLogsEntryS3DestinationRole108BAD0D" + } + ] + } + }, + "ExtractCloudWatchLogsEntryLogGroupE6853E20": { + "Type": "AWS::Logs::LogGroup", + "Properties": { + "RetentionInDays": 731 + }, + "UpdateReplacePolicy": "Retain", + "DeletionPolicy": "Retain" + }, + "ExtractCloudWatchLogsEntryLogGroupS3Destination4FD652D8": { + "Type": "AWS::Logs::LogStream", + "Properties": { + "LogGroupName": { + "Ref": "ExtractCloudWatchLogsEntryLogGroupE6853E20" + } + }, + "UpdateReplacePolicy": "Retain", + "DeletionPolicy": "Retain" + }, + "ExtractCloudWatchLogsEntry83BCF7DC": { + "Type": "AWS::KinesisFirehose::DeliveryStream", + "Properties": { + "DeliveryStreamType": "DirectPut", + "ExtendedS3DestinationConfiguration": { + "BucketARN": { + "Fn::GetAtt": [ + "DestinationBucket4BECDB47", + "Arn" + ] + }, + "CloudWatchLoggingOptions": { + "Enabled": true, + "LogGroupName": { + "Ref": "ExtractCloudWatchLogsEntryLogGroupE6853E20" + }, + "LogStreamName": { + "Ref": "ExtractCloudWatchLogsEntryLogGroupS3Destination4FD652D8" + } + }, + "ProcessingConfiguration": { + "Enabled": true, + "Processors": [ + { + "Parameters": [ + { + "ParameterName": "CompressionFormat", + "ParameterValue": "GZIP" + } + ], + "Type": "Decompression" + }, + { + "Parameters": [ + { + "ParameterName": "DataMessageExtraction", + "ParameterValue": "true" + } + ], + "Type": "CloudWatchLogProcessing" + }, + { + "Parameters": [ + { + "ParameterName": "RoleArn", + "ParameterValue": { + "Fn::GetAtt": [ + "ExtractCloudWatchLogsEntryS3DestinationRole108BAD0D", + "Arn" + ] + } + }, + { + "ParameterName": "LambdaArn", + "ParameterValue": { + "Fn::GetAtt": [ + "DataProcessorFunctionAD472B9A", + "Arn" + ] + } + } + ], + "Type": "Lambda" + } + ] + }, + "RoleARN": { + "Fn::GetAtt": [ + "ExtractCloudWatchLogsEntryS3DestinationRole108BAD0D", + "Arn" + ] + } + } + }, + "DependsOn": [ + "ExtractCloudWatchLogsEntryS3DestinationRoleDefaultPolicy871DDE3C" + ] + } + }, + "Mappings": { + "awscdkawskinesisfirehoseCidrBlocks": { + "af-south-1": { + "FirehoseCidrBlock": "13.244.121.224/27" + }, + "ap-east-1": { + "FirehoseCidrBlock": "18.162.221.32/27" + }, + "ap-east-2": { + "FirehoseCidrBlock": "43.212.53.160/27" + }, + "ap-northeast-1": { + "FirehoseCidrBlock": "13.113.196.224/27" + }, + "ap-northeast-2": { + "FirehoseCidrBlock": "13.209.1.64/27" + }, + "ap-northeast-3": { + "FirehoseCidrBlock": "13.208.177.192/27" + }, + "ap-south-1": { + "FirehoseCidrBlock": "13.232.67.32/27" + }, + "ap-south-2": { + "FirehoseCidrBlock": "18.60.192.128/27" + }, + "ap-southeast-1": { + "FirehoseCidrBlock": "13.228.64.192/27" + }, + "ap-southeast-2": { + "FirehoseCidrBlock": "13.210.67.224/27" + }, + "ap-southeast-3": { + "FirehoseCidrBlock": "108.136.221.64/27" + }, + "ap-southeast-4": { + "FirehoseCidrBlock": "16.50.161.128/27" + }, + "ap-southeast-5": { + "FirehoseCidrBlock": "43.216.58.0/27" + }, + "ap-southeast-7": { + "FirehoseCidrBlock": "43.208.112.96/27" + }, + "ca-central-1": { + "FirehoseCidrBlock": "35.183.92.128/27" + }, + "ca-west-1": { + "FirehoseCidrBlock": "40.176.98.192/27" + }, + "cn-north-1": { + "FirehoseCidrBlock": "52.81.151.32/27" + }, + "cn-northwest-1": { + "FirehoseCidrBlock": "161.189.23.64/27" + }, + "eu-central-1": { + "FirehoseCidrBlock": "35.158.127.160/27" + }, + "eu-central-2": { + "FirehoseCidrBlock": "16.62.183.32/27" + }, + "eu-north-1": { + "FirehoseCidrBlock": "13.53.63.224/27" + }, + "eu-south-1": { + "FirehoseCidrBlock": "15.161.135.128/27" + }, + "eu-south-2": { + "FirehoseCidrBlock": "18.100.71.96/27" + }, + "eu-west-1": { + "FirehoseCidrBlock": "52.19.239.192/27" + }, + "eu-west-2": { + "FirehoseCidrBlock": "18.130.1.96/27" + }, + "eu-west-3": { + "FirehoseCidrBlock": "35.180.1.96/27" + }, + "il-central-1": { + "FirehoseCidrBlock": "51.16.102.0/27" + }, + "me-central-1": { + "FirehoseCidrBlock": "3.28.159.32/27" + }, + "me-south-1": { + "FirehoseCidrBlock": "15.185.91.0/27" + }, + "sa-east-1": { + "FirehoseCidrBlock": "18.228.1.128/27" + }, + "us-east-1": { + "FirehoseCidrBlock": "52.70.63.192/27" + }, + "us-east-2": { + "FirehoseCidrBlock": "13.58.135.96/27" + }, + "us-gov-east-1": { + "FirehoseCidrBlock": "18.253.138.96/27" + }, + "us-gov-west-1": { + "FirehoseCidrBlock": "52.61.204.160/27" + }, + "us-west-1": { + "FirehoseCidrBlock": "13.57.135.192/27" + }, + "us-west-2": { + "FirehoseCidrBlock": "52.89.255.224/27" + } + } + }, + "Parameters": { + "BootstrapVersion": { + "Type": "AWS::SSM::Parameter::Value", + "Default": "/cdk-bootstrap/hnb659fds/version", + "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" + } + }, + "Rules": { + "CheckBootstrapVersion": { + "Assertions": [ + { + "Assert": { + "Fn::Not": [ + { + "Fn::Contains": [ + [ + "1", + "2", + "3", + "4", + "5" + ], + { + "Ref": "BootstrapVersion" + } + ] + } + ] + }, + "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." + } + ] + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-kinesisfirehose/test/integ.cloudwatch-logs-processors.js.snapshot/integ.json b/packages/@aws-cdk-testing/framework-integ/test/aws-kinesisfirehose/test/integ.cloudwatch-logs-processors.js.snapshot/integ.json new file mode 100644 index 0000000000000..cf50c515cb53f --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-kinesisfirehose/test/integ.cloudwatch-logs-processors.js.snapshot/integ.json @@ -0,0 +1,13 @@ +{ + "version": "48.0.0", + "testCases": { + "integ-tests/DefaultTest": { + "stacks": [ + "firehose-delivery-stream-cloudwatch-logs-processors" + ], + "assertionStack": "integ-tests/DefaultTest/DeployAssert", + "assertionStackName": "integtestsDefaultTestDeployAssert44C8D370" + } + }, + "minimumCliVersion": "2.1027.0" +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-kinesisfirehose/test/integ.cloudwatch-logs-processors.js.snapshot/integtestsDefaultTestDeployAssert44C8D370.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-kinesisfirehose/test/integ.cloudwatch-logs-processors.js.snapshot/integtestsDefaultTestDeployAssert44C8D370.assets.json new file mode 100644 index 0000000000000..8acd337d9d894 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-kinesisfirehose/test/integ.cloudwatch-logs-processors.js.snapshot/integtestsDefaultTestDeployAssert44C8D370.assets.json @@ -0,0 +1,20 @@ +{ + "version": "48.0.0", + "files": { + "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22": { + "displayName": "integtestsDefaultTestDeployAssert44C8D370 Template", + "source": { + "path": "integtestsDefaultTestDeployAssert44C8D370.template.json", + "packaging": "file" + }, + "destinations": { + "current_account-current_region-d8d86b35": { + "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", + "objectKey": "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json", + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" + } + } + } + }, + "dockerImages": {} +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-kinesisfirehose/test/integ.cloudwatch-logs-processors.js.snapshot/integtestsDefaultTestDeployAssert44C8D370.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-kinesisfirehose/test/integ.cloudwatch-logs-processors.js.snapshot/integtestsDefaultTestDeployAssert44C8D370.template.json new file mode 100644 index 0000000000000..ad9d0fb73d1dd --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-kinesisfirehose/test/integ.cloudwatch-logs-processors.js.snapshot/integtestsDefaultTestDeployAssert44C8D370.template.json @@ -0,0 +1,36 @@ +{ + "Parameters": { + "BootstrapVersion": { + "Type": "AWS::SSM::Parameter::Value", + "Default": "/cdk-bootstrap/hnb659fds/version", + "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" + } + }, + "Rules": { + "CheckBootstrapVersion": { + "Assertions": [ + { + "Assert": { + "Fn::Not": [ + { + "Fn::Contains": [ + [ + "1", + "2", + "3", + "4", + "5" + ], + { + "Ref": "BootstrapVersion" + } + ] + } + ] + }, + "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." + } + ] + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-kinesisfirehose/test/integ.cloudwatch-logs-processors.js.snapshot/manifest.json b/packages/@aws-cdk-testing/framework-integ/test/aws-kinesisfirehose/test/integ.cloudwatch-logs-processors.js.snapshot/manifest.json new file mode 100644 index 0000000000000..a7e68b51a265b --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-kinesisfirehose/test/integ.cloudwatch-logs-processors.js.snapshot/manifest.json @@ -0,0 +1,1039 @@ +{ + "version": "48.0.0", + "artifacts": { + "firehose-delivery-stream-cloudwatch-logs-processors.assets": { + "type": "cdk:asset-manifest", + "properties": { + "file": "firehose-delivery-stream-cloudwatch-logs-processors.assets.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "firehose-delivery-stream-cloudwatch-logs-processors": { + "type": "aws:cloudformation:stack", + "environment": "aws://unknown-account/unknown-region", + "properties": { + "templateFile": "firehose-delivery-stream-cloudwatch-logs-processors.template.json", + "terminationProtection": false, + "validateOnSynth": false, + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", + "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/28a32f5574fd63b35403ff3164687b822bb273b920050765d1f6be533fed73d3.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", + "additionalDependencies": [ + "firehose-delivery-stream-cloudwatch-logs-processors.assets" + ], + "lookupRole": { + "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}", + "requiresBootstrapStackVersion": 8, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "dependencies": [ + "firehose-delivery-stream-cloudwatch-logs-processors.assets" + ], + "metadata": { + "/firehose-delivery-stream-cloudwatch-logs-processors/DestinationBucket": [ + { + "type": "aws:cdk:analytics:construct", + "data": { + "removalPolicy": "destroy", + "autoDeleteObjects": true + } + } + ], + "/firehose-delivery-stream-cloudwatch-logs-processors/DestinationBucket/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "DestinationBucket4BECDB47" + } + ], + "/firehose-delivery-stream-cloudwatch-logs-processors/DestinationBucket/Policy": [ + { + "type": "aws:cdk:analytics:construct", + "data": { + "bucket": "*" + } + } + ], + "/firehose-delivery-stream-cloudwatch-logs-processors/DestinationBucket/Policy/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "DestinationBucketPolicyFCD81088" + } + ], + "/firehose-delivery-stream-cloudwatch-logs-processors/DestinationBucket/AutoDeleteObjectsCustomResource": [ + { + "type": "aws:cdk:analytics:construct", + "data": "*" + } + ], + "/firehose-delivery-stream-cloudwatch-logs-processors/DestinationBucket/AutoDeleteObjectsCustomResource/Default": [ + { + "type": "aws:cdk:logicalId", + "data": "DestinationBucketAutoDeleteObjectsCustomResource8ECA4428" + } + ], + "/firehose-delivery-stream-cloudwatch-logs-processors/Custom::S3AutoDeleteObjectsCustomResourceProvider": [ + { + "type": "aws:cdk:is-custom-resource-handler-customResourceProvider", + "data": true + } + ], + "/firehose-delivery-stream-cloudwatch-logs-processors/Custom::S3AutoDeleteObjectsCustomResourceProvider/Role": [ + { + "type": "aws:cdk:logicalId", + "data": "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092" + } + ], + "/firehose-delivery-stream-cloudwatch-logs-processors/Custom::S3AutoDeleteObjectsCustomResourceProvider/Handler": [ + { + "type": "aws:cdk:logicalId", + "data": "CustomS3AutoDeleteObjectsCustomResourceProviderHandler9D90184F" + } + ], + "/firehose-delivery-stream-cloudwatch-logs-processors/DataProcessorFunction": [ + { + "type": "aws:cdk:analytics:construct", + "data": { + "entry": "*", + "timeout": "*", + "runtime": "*", + "code": "*", + "handler": "*" + } + }, + { + "type": "aws:cdk:analytics:construct", + "data": { + "entry": "*", + "timeout": "*" + } + } + ], + "/firehose-delivery-stream-cloudwatch-logs-processors/DataProcessorFunction/ServiceRole": [ + { + "type": "aws:cdk:analytics:construct", + "data": { + "assumedBy": { + "principalAccount": "*", + "assumeRoleAction": "*" + }, + "managedPolicies": [ + { + "managedPolicyArn": "*" + } + ] + } + } + ], + "/firehose-delivery-stream-cloudwatch-logs-processors/DataProcessorFunction/ServiceRole/ImportServiceRole": [ + { + "type": "aws:cdk:analytics:construct", + "data": "*" + } + ], + "/firehose-delivery-stream-cloudwatch-logs-processors/DataProcessorFunction/ServiceRole/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "DataProcessorFunctionServiceRole12E05500" + } + ], + "/firehose-delivery-stream-cloudwatch-logs-processors/DataProcessorFunction/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "DataProcessorFunctionAD472B9A" + } + ], + "/firehose-delivery-stream-cloudwatch-logs-processors/DataProcessorFunction/LogGroup": [ + { + "type": "aws:cdk:analytics:construct", + "data": { + "logGroupName": "*" + } + } + ], + "/firehose-delivery-stream-cloudwatch-logs-processors/DataProcessorFunction/LogGroup/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "DataProcessorFunctionLogGroup81545B5B" + } + ], + "/firehose-delivery-stream-cloudwatch-logs-processors/DecompressCloudWatchLogsEntry": [ + { + "type": "aws:cdk:analytics:construct", + "data": { + "destination": "*" + } + } + ], + "/firehose-delivery-stream-cloudwatch-logs-processors/DecompressCloudWatchLogsEntry/S3 Destination Role": [ + { + "type": "aws:cdk:analytics:construct", + "data": { + "assumedBy": { + "principalAccount": "*", + "assumeRoleAction": "*" + } + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addToPrincipalPolicy": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "attachInlinePolicy": [ + "*" + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "attachInlinePolicy": [ + "*" + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addToPrincipalPolicy": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addToPrincipalPolicy": [ + {} + ] + } + } + ], + "/firehose-delivery-stream-cloudwatch-logs-processors/DecompressCloudWatchLogsEntry/S3 Destination Role/ImportS3 Destination Role": [ + { + "type": "aws:cdk:analytics:construct", + "data": "*" + } + ], + "/firehose-delivery-stream-cloudwatch-logs-processors/DecompressCloudWatchLogsEntry/S3 Destination Role/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "DecompressCloudWatchLogsEntryS3DestinationRoleD9A9D5C0" + } + ], + "/firehose-delivery-stream-cloudwatch-logs-processors/DecompressCloudWatchLogsEntry/S3 Destination Role/DefaultPolicy": [ + { + "type": "aws:cdk:analytics:construct", + "data": "*" + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "attachToRole": [ + "*" + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "attachToRole": [ + "*" + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addStatements": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addStatements": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addStatements": [ + {} + ] + } + } + ], + "/firehose-delivery-stream-cloudwatch-logs-processors/DecompressCloudWatchLogsEntry/S3 Destination Role/DefaultPolicy/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "DecompressCloudWatchLogsEntryS3DestinationRoleDefaultPolicy3DEF606B" + } + ], + "/firehose-delivery-stream-cloudwatch-logs-processors/DecompressCloudWatchLogsEntry/LogGroup": [ + { + "type": "aws:cdk:analytics:construct", + "data": "*" + } + ], + "/firehose-delivery-stream-cloudwatch-logs-processors/DecompressCloudWatchLogsEntry/LogGroup/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "DecompressCloudWatchLogsEntryLogGroup9D3B0DB2" + } + ], + "/firehose-delivery-stream-cloudwatch-logs-processors/DecompressCloudWatchLogsEntry/LogGroup/S3Destination": [ + { + "type": "aws:cdk:analytics:construct", + "data": { + "logGroup": "*" + } + } + ], + "/firehose-delivery-stream-cloudwatch-logs-processors/DecompressCloudWatchLogsEntry/LogGroup/S3Destination/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "DecompressCloudWatchLogsEntryLogGroupS3DestinationF2791191" + } + ], + "/firehose-delivery-stream-cloudwatch-logs-processors/DecompressCloudWatchLogsEntry/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "DecompressCloudWatchLogsEntryA427F80B" + } + ], + "/firehose-delivery-stream-cloudwatch-logs-processors/@aws-cdk--aws-kinesisfirehose.CidrBlocks": [ + { + "type": "aws:cdk:logicalId", + "data": "awscdkawskinesisfirehoseCidrBlocks" + } + ], + "/firehose-delivery-stream-cloudwatch-logs-processors/ExtractCloudWatchLogsEntry": [ + { + "type": "aws:cdk:analytics:construct", + "data": { + "destination": "*" + } + } + ], + "/firehose-delivery-stream-cloudwatch-logs-processors/ExtractCloudWatchLogsEntry/S3 Destination Role": [ + { + "type": "aws:cdk:analytics:construct", + "data": { + "assumedBy": { + "principalAccount": "*", + "assumeRoleAction": "*" + } + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addToPrincipalPolicy": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "attachInlinePolicy": [ + "*" + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "attachInlinePolicy": [ + "*" + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addToPrincipalPolicy": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addToPrincipalPolicy": [ + {} + ] + } + } + ], + "/firehose-delivery-stream-cloudwatch-logs-processors/ExtractCloudWatchLogsEntry/S3 Destination Role/ImportS3 Destination Role": [ + { + "type": "aws:cdk:analytics:construct", + "data": "*" + } + ], + "/firehose-delivery-stream-cloudwatch-logs-processors/ExtractCloudWatchLogsEntry/S3 Destination Role/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "ExtractCloudWatchLogsEntryS3DestinationRole108BAD0D" + } + ], + "/firehose-delivery-stream-cloudwatch-logs-processors/ExtractCloudWatchLogsEntry/S3 Destination Role/DefaultPolicy": [ + { + "type": "aws:cdk:analytics:construct", + "data": "*" + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "attachToRole": [ + "*" + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "attachToRole": [ + "*" + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addStatements": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addStatements": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addStatements": [ + {} + ] + } + } + ], + "/firehose-delivery-stream-cloudwatch-logs-processors/ExtractCloudWatchLogsEntry/S3 Destination Role/DefaultPolicy/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "ExtractCloudWatchLogsEntryS3DestinationRoleDefaultPolicy871DDE3C" + } + ], + "/firehose-delivery-stream-cloudwatch-logs-processors/ExtractCloudWatchLogsEntry/LogGroup": [ + { + "type": "aws:cdk:analytics:construct", + "data": "*" + } + ], + "/firehose-delivery-stream-cloudwatch-logs-processors/ExtractCloudWatchLogsEntry/LogGroup/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "ExtractCloudWatchLogsEntryLogGroupE6853E20" + } + ], + "/firehose-delivery-stream-cloudwatch-logs-processors/ExtractCloudWatchLogsEntry/LogGroup/S3Destination": [ + { + "type": "aws:cdk:analytics:construct", + "data": { + "logGroup": "*" + } + } + ], + "/firehose-delivery-stream-cloudwatch-logs-processors/ExtractCloudWatchLogsEntry/LogGroup/S3Destination/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "ExtractCloudWatchLogsEntryLogGroupS3Destination4FD652D8" + } + ], + "/firehose-delivery-stream-cloudwatch-logs-processors/ExtractCloudWatchLogsEntry/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "ExtractCloudWatchLogsEntry83BCF7DC" + } + ], + "/firehose-delivery-stream-cloudwatch-logs-processors/BootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "BootstrapVersion" + } + ], + "/firehose-delivery-stream-cloudwatch-logs-processors/CheckBootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "CheckBootstrapVersion" + } + ] + }, + "displayName": "firehose-delivery-stream-cloudwatch-logs-processors" + }, + "integtestsDefaultTestDeployAssert44C8D370.assets": { + "type": "cdk:asset-manifest", + "properties": { + "file": "integtestsDefaultTestDeployAssert44C8D370.assets.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "integtestsDefaultTestDeployAssert44C8D370": { + "type": "aws:cloudformation:stack", + "environment": "aws://unknown-account/unknown-region", + "properties": { + "templateFile": "integtestsDefaultTestDeployAssert44C8D370.template.json", + "terminationProtection": false, + "validateOnSynth": false, + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", + "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", + "additionalDependencies": [ + "integtestsDefaultTestDeployAssert44C8D370.assets" + ], + "lookupRole": { + "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}", + "requiresBootstrapStackVersion": 8, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "dependencies": [ + "integtestsDefaultTestDeployAssert44C8D370.assets" + ], + "metadata": { + "/integ-tests/DefaultTest/DeployAssert/BootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "BootstrapVersion" + } + ], + "/integ-tests/DefaultTest/DeployAssert/CheckBootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "CheckBootstrapVersion" + } + ] + }, + "displayName": "integ-tests/DefaultTest/DeployAssert" + }, + "Tree": { + "type": "cdk:tree", + "properties": { + "file": "tree.json" + } + }, + "aws-cdk-lib/feature-flag-report": { + "type": "cdk:feature-flag-report", + "properties": { + "module": "aws-cdk-lib", + "flags": { + "@aws-cdk/aws-signer:signingProfileNamePassedToCfn": { + "recommendedValue": true, + "explanation": "Pass signingProfileName to CfnSigningProfile" + }, + "@aws-cdk/core:newStyleStackSynthesis": { + "recommendedValue": true, + "explanation": "Switch to new stack synthesis method which enables CI/CD", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/core:stackRelativeExports": { + "recommendedValue": true, + "explanation": "Name exports based on the construct paths relative to the stack, rather than the global construct path", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/aws-ecs-patterns:secGroupsDisablesImplicitOpenListener": { + "recommendedValue": true, + "explanation": "Disable implicit openListener when custom security groups are provided" + }, + "@aws-cdk/aws-rds:lowercaseDbIdentifier": { + "recommendedValue": true, + "explanation": "Force lowercasing of RDS Cluster names in CDK", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/aws-apigateway:usagePlanKeyOrderInsensitiveId": { + "recommendedValue": true, + "explanation": "Allow adding/removing multiple UsagePlanKeys independently", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/aws-lambda:recognizeVersionProps": { + "recommendedValue": true, + "explanation": "Enable this feature flag to opt in to the updated logical id calculation for Lambda Version created using the `fn.currentVersion`.", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/aws-lambda:recognizeLayerVersion": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enable this feature flag to opt in to the updated logical id calculation for Lambda Version created using the `fn.currentVersion`." + }, + "@aws-cdk/aws-cloudfront:defaultSecurityPolicyTLSv1.2_2021": { + "recommendedValue": true, + "explanation": "Enable this feature flag to have cloudfront distributions use the security policy TLSv1.2_2021 by default.", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/core:checkSecretUsage": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enable this flag to make it impossible to accidentally use SecretValues in unsafe locations" + }, + "@aws-cdk/core:target-partitions": { + "recommendedValue": [ + "aws", + "aws-cn" + ], + "explanation": "What regions to include in lookup tables of environment agnostic stacks" + }, + "@aws-cdk-containers/ecs-service-extensions:enableDefaultLogDriver": { + "userValue": true, + "recommendedValue": true, + "explanation": "ECS extensions will automatically add an `awslogs` driver if no logging is specified" + }, + "@aws-cdk/aws-ec2:uniqueImdsv2TemplateName": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enable this feature flag to have Launch Templates generated by the `InstanceRequireImdsv2Aspect` use unique names." + }, + "@aws-cdk/aws-ecs:arnFormatIncludesClusterName": { + "userValue": true, + "recommendedValue": true, + "explanation": "ARN format used by ECS. In the new ARN format, the cluster name is part of the resource ID." + }, + "@aws-cdk/aws-iam:minimizePolicies": { + "userValue": true, + "recommendedValue": true, + "explanation": "Minimize IAM policies by combining Statements" + }, + "@aws-cdk/core:validateSnapshotRemovalPolicy": { + "userValue": true, + "recommendedValue": true, + "explanation": "Error on snapshot removal policies on resources that do not support it." + }, + "@aws-cdk/aws-codepipeline:crossAccountKeyAliasStackSafeResourceName": { + "userValue": true, + "recommendedValue": true, + "explanation": "Generate key aliases that include the stack name" + }, + "@aws-cdk/aws-s3:createDefaultLoggingPolicy": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enable this feature flag to create an S3 bucket policy by default in cases where an AWS service would automatically create the Policy if one does not exist." + }, + "@aws-cdk/aws-sns-subscriptions:restrictSqsDescryption": { + "userValue": true, + "recommendedValue": true, + "explanation": "Restrict KMS key policy for encrypted Queues a bit more" + }, + "@aws-cdk/aws-apigateway:disableCloudWatchRole": { + "userValue": true, + "recommendedValue": true, + "explanation": "Make default CloudWatch Role behavior safe for multiple API Gateways in one environment" + }, + "@aws-cdk/core:enablePartitionLiterals": { + "userValue": true, + "recommendedValue": true, + "explanation": "Make ARNs concrete if AWS partition is known" + }, + "@aws-cdk/aws-events:eventsTargetQueueSameAccount": { + "userValue": true, + "recommendedValue": true, + "explanation": "Event Rules may only push to encrypted SQS queues in the same account" + }, + "@aws-cdk/aws-ecs:disableExplicitDeploymentControllerForCircuitBreaker": { + "userValue": true, + "recommendedValue": true, + "explanation": "Avoid setting the \"ECS\" deployment controller when adding a circuit breaker" + }, + "@aws-cdk/aws-iam:importedRoleStackSafeDefaultPolicyName": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enable this feature to by default create default policy names for imported roles that depend on the stack the role is in." + }, + "@aws-cdk/aws-s3:serverAccessLogsUseBucketPolicy": { + "userValue": true, + "recommendedValue": true, + "explanation": "Use S3 Bucket Policy instead of ACLs for Server Access Logging" + }, + "@aws-cdk/aws-route53-patters:useCertificate": { + "userValue": true, + "recommendedValue": true, + "explanation": "Use the official `Certificate` resource instead of `DnsValidatedCertificate`" + }, + "@aws-cdk/customresources:installLatestAwsSdkDefault": { + "userValue": false, + "recommendedValue": false, + "explanation": "Whether to install the latest SDK by default in AwsCustomResource" + }, + "@aws-cdk/aws-rds:databaseProxyUniqueResourceName": { + "userValue": true, + "recommendedValue": true, + "explanation": "Use unique resource name for Database Proxy" + }, + "@aws-cdk/aws-codedeploy:removeAlarmsFromDeploymentGroup": { + "userValue": true, + "recommendedValue": true, + "explanation": "Remove CloudWatch alarms from deployment group" + }, + "@aws-cdk/aws-apigateway:authorizerChangeDeploymentLogicalId": { + "userValue": true, + "recommendedValue": true, + "explanation": "Include authorizer configuration in the calculation of the API deployment logical ID." + }, + "@aws-cdk/aws-ec2:launchTemplateDefaultUserData": { + "userValue": true, + "recommendedValue": true, + "explanation": "Define user data for a launch template by default when a machine image is provided." + }, + "@aws-cdk/aws-secretsmanager:useAttachedSecretResourcePolicyForSecretTargetAttachments": { + "userValue": true, + "recommendedValue": true, + "explanation": "SecretTargetAttachments uses the ResourcePolicy of the attached Secret." + }, + "@aws-cdk/aws-redshift:columnId": { + "userValue": true, + "recommendedValue": true, + "explanation": "Whether to use an ID to track Redshift column changes" + }, + "@aws-cdk/aws-stepfunctions-tasks:enableEmrServicePolicyV2": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enable AmazonEMRServicePolicy_v2 managed policies" + }, + "@aws-cdk/aws-ec2:restrictDefaultSecurityGroup": { + "userValue": true, + "recommendedValue": true, + "explanation": "Restrict access to the VPC default security group" + }, + "@aws-cdk/aws-apigateway:requestValidatorUniqueId": { + "userValue": true, + "recommendedValue": true, + "explanation": "Generate a unique id for each RequestValidator added to a method" + }, + "@aws-cdk/aws-kms:aliasNameRef": { + "userValue": true, + "recommendedValue": true, + "explanation": "KMS Alias name and keyArn will have implicit reference to KMS Key" + }, + "@aws-cdk/aws-kms:applyImportedAliasPermissionsToPrincipal": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enable grant methods on Aliases imported by name to use kms:ResourceAliases condition" + }, + "@aws-cdk/aws-autoscaling:generateLaunchTemplateInsteadOfLaunchConfig": { + "userValue": true, + "recommendedValue": true, + "explanation": "Generate a launch template when creating an AutoScalingGroup" + }, + "@aws-cdk/core:includePrefixInUniqueNameGeneration": { + "userValue": true, + "recommendedValue": true, + "explanation": "Include the stack prefix in the stack name generation process" + }, + "@aws-cdk/aws-efs:denyAnonymousAccess": { + "userValue": true, + "recommendedValue": true, + "explanation": "EFS denies anonymous clients accesses" + }, + "@aws-cdk/aws-opensearchservice:enableOpensearchMultiAzWithStandby": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enables support for Multi-AZ with Standby deployment for opensearch domains" + }, + "@aws-cdk/aws-lambda-nodejs:useLatestRuntimeVersion": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enables aws-lambda-nodejs.Function to use the latest available NodeJs runtime as the default" + }, + "@aws-cdk/aws-efs:mountTargetOrderInsensitiveLogicalId": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, mount targets will have a stable logicalId that is linked to the associated subnet." + }, + "@aws-cdk/aws-rds:auroraClusterChangeScopeOfInstanceParameterGroupWithEachParameters": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, a scope of InstanceParameterGroup for AuroraClusterInstance with each parameters will change." + }, + "@aws-cdk/aws-appsync:useArnForSourceApiAssociationIdentifier": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, will always use the arn for identifiers for CfnSourceApiAssociation in the GraphqlApi construct rather than id." + }, + "@aws-cdk/aws-rds:preventRenderingDeprecatedCredentials": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, creating an RDS database cluster from a snapshot will only render credentials for snapshot credentials." + }, + "@aws-cdk/aws-codepipeline-actions:useNewDefaultBranchForCodeCommitSource": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the CodeCommit source action is using the default branch name 'main'." + }, + "@aws-cdk/aws-cloudwatch-actions:changeLambdaPermissionLogicalIdForLambdaAction": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the logical ID of a Lambda permission for a Lambda action includes an alarm ID." + }, + "@aws-cdk/aws-codepipeline:crossAccountKeysDefaultValueToFalse": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enables Pipeline to set the default value for crossAccountKeys to false." + }, + "@aws-cdk/aws-codepipeline:defaultPipelineTypeToV2": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enables Pipeline to set the default pipeline type to V2." + }, + "@aws-cdk/aws-kms:reduceCrossAccountRegionPolicyScope": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, IAM Policy created from KMS key grant will reduce the resource scope to this key only." + }, + "@aws-cdk/pipelines:reduceAssetRoleTrustScope": { + "recommendedValue": true, + "explanation": "Remove the root account principal from PipelineAssetsFileRole trust policy", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/aws-eks:nodegroupNameAttribute": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, nodegroupName attribute of the provisioned EKS NodeGroup will not have the cluster name prefix." + }, + "@aws-cdk/aws-ec2:ebsDefaultGp3Volume": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the default volume type of the EBS volume will be GP3" + }, + "@aws-cdk/aws-ecs:removeDefaultDeploymentAlarm": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, remove default deployment alarm settings" + }, + "@aws-cdk/custom-resources:logApiResponseDataPropertyTrueDefault": { + "userValue": false, + "recommendedValue": false, + "explanation": "When enabled, the custom resource used for `AwsCustomResource` will configure the `logApiResponseData` property as true by default" + }, + "@aws-cdk/aws-s3:keepNotificationInImportedBucket": { + "userValue": false, + "recommendedValue": false, + "explanation": "When enabled, Adding notifications to a bucket in the current stack will not remove notification from imported stack." + }, + "@aws-cdk/aws-stepfunctions-tasks:useNewS3UriParametersForBedrockInvokeModelTask": { + "recommendedValue": true, + "explanation": "When enabled, use new props for S3 URI field in task definition of state machine for bedrock invoke model.", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/core:explicitStackTags": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, stack tags need to be assigned explicitly on a Stack." + }, + "@aws-cdk/aws-ecs:enableImdsBlockingDeprecatedFeature": { + "userValue": false, + "recommendedValue": false, + "explanation": "When set to true along with canContainersAccessInstanceRole=false in ECS cluster, new updated commands will be added to UserData to block container accessing IMDS. **Applicable to Linux only. IMPORTANT: See [details.](#aws-cdkaws-ecsenableImdsBlockingDeprecatedFeature)**" + }, + "@aws-cdk/aws-ecs:disableEcsImdsBlocking": { + "userValue": true, + "recommendedValue": true, + "explanation": "When set to true, CDK synth will throw exception if canContainersAccessInstanceRole is false. **IMPORTANT: See [details.](#aws-cdkaws-ecsdisableEcsImdsBlocking)**" + }, + "@aws-cdk/aws-ecs:reduceEc2FargateCloudWatchPermissions": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, we will only grant the necessary permissions when users specify cloudwatch log group through logConfiguration" + }, + "@aws-cdk/aws-dynamodb:resourcePolicyPerReplica": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled will allow you to specify a resource policy per replica, and not copy the source table policy to all replicas" + }, + "@aws-cdk/aws-ec2:ec2SumTImeoutEnabled": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, initOptions.timeout and resourceSignalTimeout values will be summed together." + }, + "@aws-cdk/aws-appsync:appSyncGraphQLAPIScopeLambdaPermission": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, a Lambda authorizer Permission created when using GraphqlApi will be properly scoped with a SourceArn." + }, + "@aws-cdk/aws-rds:setCorrectValueForDatabaseInstanceReadReplicaInstanceResourceId": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the value of property `instanceResourceId` in construct `DatabaseInstanceReadReplica` will be set to the correct value which is `DbiResourceId` instead of currently `DbInstanceArn`" + }, + "@aws-cdk/core:cfnIncludeRejectComplexResourceUpdateCreatePolicyIntrinsics": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, CFN templates added with `cfn-include` will error if the template contains Resource Update or Create policies with CFN Intrinsics that include non-primitive values." + }, + "@aws-cdk/aws-lambda-nodejs:sdkV3ExcludeSmithyPackages": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, both `@aws-sdk` and `@smithy` packages will be excluded from the Lambda Node.js 18.x runtime to prevent version mismatches in bundled applications." + }, + "@aws-cdk/aws-stepfunctions-tasks:fixRunEcsTaskPolicy": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the resource of IAM Run Ecs policy generated by SFN EcsRunTask will reference the definition, instead of constructing ARN." + }, + "@aws-cdk/aws-ec2:bastionHostUseAmazonLinux2023ByDefault": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the BastionHost construct will use the latest Amazon Linux 2023 AMI, instead of Amazon Linux 2." + }, + "@aws-cdk/core:aspectStabilization": { + "recommendedValue": true, + "explanation": "When enabled, a stabilization loop will be run when invoking Aspects during synthesis.", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/aws-route53-targets:userPoolDomainNameMethodWithoutCustomResource": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, use a new method for DNS Name of user pool domain target without creating a custom resource." + }, + "@aws-cdk/aws-elasticloadbalancingV2:albDualstackWithoutPublicIpv4SecurityGroupRulesDefault": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the default security group ingress rules will allow IPv6 ingress from anywhere" + }, + "@aws-cdk/aws-iam:oidcRejectUnauthorizedConnections": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the default behaviour of OIDC provider will reject unauthorized connections" + }, + "@aws-cdk/core:enableAdditionalMetadataCollection": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, CDK will expand the scope of usage data collected to better inform CDK development and improve communication for security concerns and emerging issues." + }, + "@aws-cdk/aws-lambda:createNewPoliciesWithAddToRolePolicy": { + "userValue": false, + "recommendedValue": false, + "explanation": "[Deprecated] When enabled, Lambda will create new inline policies with AddToRolePolicy instead of adding to the Default Policy Statement" + }, + "@aws-cdk/aws-s3:setUniqueReplicationRoleName": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, CDK will automatically generate a unique role name that is used for s3 object replication." + }, + "@aws-cdk/pipelines:reduceStageRoleTrustScope": { + "recommendedValue": true, + "explanation": "Remove the root account principal from Stage addActions trust policy", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/aws-events:requireEventBusPolicySid": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, grantPutEventsTo() will use resource policies with Statement IDs for service principals." + }, + "@aws-cdk/core:aspectPrioritiesMutating": { + "userValue": true, + "recommendedValue": true, + "explanation": "When set to true, Aspects added by the construct library on your behalf will be given a priority of MUTATING." + }, + "@aws-cdk/aws-dynamodb:retainTableReplica": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, table replica will be default to the removal policy of source table unless specified otherwise." + }, + "@aws-cdk/cognito:logUserPoolClientSecretValue": { + "recommendedValue": false, + "explanation": "When disabled, the value of the user pool client secret will not be logged in the custom resource lambda function logs." + }, + "@aws-cdk/pipelines:reduceCrossAccountActionRoleTrustScope": { + "recommendedValue": true, + "explanation": "When enabled, scopes down the trust policy for the cross-account action role", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/aws-stepfunctions:useDistributedMapResultWriterV2": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the resultWriterV2 property of DistributedMap will be used insted of resultWriter" + }, + "@aws-cdk/s3-notifications:addS3TrustKeyPolicyForSnsSubscriptions": { + "userValue": true, + "recommendedValue": true, + "explanation": "Add an S3 trust policy to a KMS key resource policy for SNS subscriptions." + }, + "@aws-cdk/aws-ec2:requirePrivateSubnetsForEgressOnlyInternetGateway": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the EgressOnlyGateway resource is only created if private subnets are defined in the dual-stack VPC." + }, + "@aws-cdk/aws-ec2-alpha:useResourceIdForVpcV2Migration": { + "recommendedValue": false, + "explanation": "When enabled, use resource IDs for VPC V2 migration" + }, + "@aws-cdk/aws-s3:publicAccessBlockedByDefault": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, setting any combination of options for BlockPublicAccess will automatically set true for any options not defined." + }, + "@aws-cdk/aws-lambda:useCdkManagedLogGroup": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, CDK creates and manages loggroup for the lambda function" + }, + "@aws-cdk/aws-stepfunctions-tasks:httpInvokeDynamicJsonPathEndpoint": { + "recommendedValue": true, + "explanation": "When enabled, allows using a dynamic apiEndpoint with JSONPath format in HttpInvoke tasks.", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/aws-ecs-patterns:uniqueTargetGroupId": { + "recommendedValue": true, + "explanation": "When enabled, ECS patterns will generate unique target group IDs to prevent conflicts during load balancer replacement" + } + } + } + } + }, + "minimumCliVersion": "2.1027.0" +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-kinesisfirehose/test/integ.cloudwatch-logs-processors.js.snapshot/tree.json b/packages/@aws-cdk-testing/framework-integ/test/aws-kinesisfirehose/test/integ.cloudwatch-logs-processors.js.snapshot/tree.json new file mode 100644 index 0000000000000..7b25e54314f1d --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-kinesisfirehose/test/integ.cloudwatch-logs-processors.js.snapshot/tree.json @@ -0,0 +1 @@ +{"version":"tree-0.1","tree":{"id":"App","path":"","constructInfo":{"fqn":"aws-cdk-lib.App","version":"0.0.0"},"children":{"firehose-delivery-stream-cloudwatch-logs-processors":{"id":"firehose-delivery-stream-cloudwatch-logs-processors","path":"firehose-delivery-stream-cloudwatch-logs-processors","constructInfo":{"fqn":"aws-cdk-lib.Stack","version":"0.0.0"},"children":{"DestinationBucket":{"id":"DestinationBucket","path":"firehose-delivery-stream-cloudwatch-logs-processors/DestinationBucket","constructInfo":{"fqn":"aws-cdk-lib.aws_s3.Bucket","version":"0.0.0","metadata":[{"removalPolicy":"destroy","autoDeleteObjects":true}]},"children":{"Resource":{"id":"Resource","path":"firehose-delivery-stream-cloudwatch-logs-processors/DestinationBucket/Resource","constructInfo":{"fqn":"aws-cdk-lib.aws_s3.CfnBucket","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::S3::Bucket","aws:cdk:cloudformation:props":{"tags":[{"key":"aws-cdk:auto-delete-objects","value":"true"}]}}},"Policy":{"id":"Policy","path":"firehose-delivery-stream-cloudwatch-logs-processors/DestinationBucket/Policy","constructInfo":{"fqn":"aws-cdk-lib.aws_s3.BucketPolicy","version":"0.0.0","metadata":[{"bucket":"*"}]},"children":{"Resource":{"id":"Resource","path":"firehose-delivery-stream-cloudwatch-logs-processors/DestinationBucket/Policy/Resource","constructInfo":{"fqn":"aws-cdk-lib.aws_s3.CfnBucketPolicy","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::S3::BucketPolicy","aws:cdk:cloudformation:props":{"bucket":{"Ref":"DestinationBucket4BECDB47"},"policyDocument":{"Statement":[{"Action":["s3:DeleteObject*","s3:GetBucket*","s3:List*","s3:PutBucketPolicy"],"Effect":"Allow","Principal":{"AWS":{"Fn::GetAtt":["CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092","Arn"]}},"Resource":[{"Fn::GetAtt":["DestinationBucket4BECDB47","Arn"]},{"Fn::Join":["",[{"Fn::GetAtt":["DestinationBucket4BECDB47","Arn"]},"/*"]]}]}],"Version":"2012-10-17"}}}}}},"AutoDeleteObjectsCustomResource":{"id":"AutoDeleteObjectsCustomResource","path":"firehose-delivery-stream-cloudwatch-logs-processors/DestinationBucket/AutoDeleteObjectsCustomResource","constructInfo":{"fqn":"aws-cdk-lib.CustomResource","version":"0.0.0","metadata":["*"]},"children":{"Default":{"id":"Default","path":"firehose-delivery-stream-cloudwatch-logs-processors/DestinationBucket/AutoDeleteObjectsCustomResource/Default","constructInfo":{"fqn":"aws-cdk-lib.CfnResource","version":"0.0.0"}}}}}},"Custom::S3AutoDeleteObjectsCustomResourceProvider":{"id":"Custom::S3AutoDeleteObjectsCustomResourceProvider","path":"firehose-delivery-stream-cloudwatch-logs-processors/Custom::S3AutoDeleteObjectsCustomResourceProvider","constructInfo":{"fqn":"aws-cdk-lib.CustomResourceProviderBase","version":"0.0.0"},"children":{"Staging":{"id":"Staging","path":"firehose-delivery-stream-cloudwatch-logs-processors/Custom::S3AutoDeleteObjectsCustomResourceProvider/Staging","constructInfo":{"fqn":"aws-cdk-lib.AssetStaging","version":"0.0.0"}},"Role":{"id":"Role","path":"firehose-delivery-stream-cloudwatch-logs-processors/Custom::S3AutoDeleteObjectsCustomResourceProvider/Role","constructInfo":{"fqn":"aws-cdk-lib.CfnResource","version":"0.0.0"}},"Handler":{"id":"Handler","path":"firehose-delivery-stream-cloudwatch-logs-processors/Custom::S3AutoDeleteObjectsCustomResourceProvider/Handler","constructInfo":{"fqn":"aws-cdk-lib.CfnResource","version":"0.0.0"}}}},"DataProcessorFunction":{"id":"DataProcessorFunction","path":"firehose-delivery-stream-cloudwatch-logs-processors/DataProcessorFunction","constructInfo":{"fqn":"aws-cdk-lib.aws_lambda_nodejs.NodejsFunction","version":"0.0.0","metadata":[{"entry":"*","timeout":"*","runtime":"*","code":"*","handler":"*"},{"entry":"*","timeout":"*"}]},"children":{"ServiceRole":{"id":"ServiceRole","path":"firehose-delivery-stream-cloudwatch-logs-processors/DataProcessorFunction/ServiceRole","constructInfo":{"fqn":"aws-cdk-lib.aws_iam.Role","version":"0.0.0","metadata":[{"assumedBy":{"principalAccount":"*","assumeRoleAction":"*"},"managedPolicies":[{"managedPolicyArn":"*"}]}]},"children":{"ImportServiceRole":{"id":"ImportServiceRole","path":"firehose-delivery-stream-cloudwatch-logs-processors/DataProcessorFunction/ServiceRole/ImportServiceRole","constructInfo":{"fqn":"aws-cdk-lib.Resource","version":"0.0.0","metadata":["*"]}},"Resource":{"id":"Resource","path":"firehose-delivery-stream-cloudwatch-logs-processors/DataProcessorFunction/ServiceRole/Resource","constructInfo":{"fqn":"aws-cdk-lib.aws_iam.CfnRole","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::IAM::Role","aws:cdk:cloudformation:props":{"assumeRolePolicyDocument":{"Statement":[{"Action":"sts:AssumeRole","Effect":"Allow","Principal":{"Service":"lambda.amazonaws.com"}}],"Version":"2012-10-17"},"managedPolicyArns":[{"Fn::Join":["",["arn:",{"Ref":"AWS::Partition"},":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"]]}]}}}}},"Code":{"id":"Code","path":"firehose-delivery-stream-cloudwatch-logs-processors/DataProcessorFunction/Code","constructInfo":{"fqn":"aws-cdk-lib.aws_s3_assets.Asset","version":"0.0.0"},"children":{"Stage":{"id":"Stage","path":"firehose-delivery-stream-cloudwatch-logs-processors/DataProcessorFunction/Code/Stage","constructInfo":{"fqn":"aws-cdk-lib.AssetStaging","version":"0.0.0"}},"AssetBucket":{"id":"AssetBucket","path":"firehose-delivery-stream-cloudwatch-logs-processors/DataProcessorFunction/Code/AssetBucket","constructInfo":{"fqn":"aws-cdk-lib.aws_s3.BucketBase","version":"0.0.0","metadata":[]}}}},"Resource":{"id":"Resource","path":"firehose-delivery-stream-cloudwatch-logs-processors/DataProcessorFunction/Resource","constructInfo":{"fqn":"aws-cdk-lib.aws_lambda.CfnFunction","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::Lambda::Function","aws:cdk:cloudformation:props":{"code":{"s3Bucket":{"Fn::Sub":"cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}"},"s3Key":"52cf96d8e37139faa98832bfcf5d3af4afc4e7353b74595c3f179e45410e31cb.zip"},"handler":"index.handler","role":{"Fn::GetAtt":["DataProcessorFunctionServiceRole12E05500","Arn"]},"runtime":"nodejs22.x","timeout":60}}},"LogGroup":{"id":"LogGroup","path":"firehose-delivery-stream-cloudwatch-logs-processors/DataProcessorFunction/LogGroup","constructInfo":{"fqn":"aws-cdk-lib.aws_logs.LogGroup","version":"0.0.0","metadata":[{"logGroupName":"*"}]},"children":{"Resource":{"id":"Resource","path":"firehose-delivery-stream-cloudwatch-logs-processors/DataProcessorFunction/LogGroup/Resource","constructInfo":{"fqn":"aws-cdk-lib.aws_logs.CfnLogGroup","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::Logs::LogGroup","aws:cdk:cloudformation:props":{"logGroupName":{"Fn::Join":["",["/aws/lambda/",{"Ref":"DataProcessorFunctionAD472B9A"}]]},"retentionInDays":731}}}}}}},"DecompressCloudWatchLogsEntry":{"id":"DecompressCloudWatchLogsEntry","path":"firehose-delivery-stream-cloudwatch-logs-processors/DecompressCloudWatchLogsEntry","constructInfo":{"fqn":"aws-cdk-lib.aws_kinesisfirehose.DeliveryStream","version":"0.0.0","metadata":[{"destination":"*"}]},"children":{"S3 Destination Role":{"id":"S3 Destination Role","path":"firehose-delivery-stream-cloudwatch-logs-processors/DecompressCloudWatchLogsEntry/S3 Destination Role","constructInfo":{"fqn":"aws-cdk-lib.aws_iam.Role","version":"0.0.0","metadata":[{"assumedBy":{"principalAccount":"*","assumeRoleAction":"*"}},{"addToPrincipalPolicy":[{}]},{"attachInlinePolicy":["*"]},{"attachInlinePolicy":["*"]},{"addToPrincipalPolicy":[{}]},{"addToPrincipalPolicy":[{}]}]},"children":{"ImportS3 Destination Role":{"id":"ImportS3 Destination Role","path":"firehose-delivery-stream-cloudwatch-logs-processors/DecompressCloudWatchLogsEntry/S3 Destination Role/ImportS3 Destination Role","constructInfo":{"fqn":"aws-cdk-lib.Resource","version":"0.0.0","metadata":["*"]}},"Resource":{"id":"Resource","path":"firehose-delivery-stream-cloudwatch-logs-processors/DecompressCloudWatchLogsEntry/S3 Destination Role/Resource","constructInfo":{"fqn":"aws-cdk-lib.aws_iam.CfnRole","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::IAM::Role","aws:cdk:cloudformation:props":{"assumeRolePolicyDocument":{"Statement":[{"Action":"sts:AssumeRole","Effect":"Allow","Principal":{"Service":"firehose.amazonaws.com"}}],"Version":"2012-10-17"}}}},"DefaultPolicy":{"id":"DefaultPolicy","path":"firehose-delivery-stream-cloudwatch-logs-processors/DecompressCloudWatchLogsEntry/S3 Destination Role/DefaultPolicy","constructInfo":{"fqn":"aws-cdk-lib.aws_iam.Policy","version":"0.0.0","metadata":["*",{"attachToRole":["*"]},{"attachToRole":["*"]},{"addStatements":[{}]},{"addStatements":[{}]},{"addStatements":[{}]}]},"children":{"Resource":{"id":"Resource","path":"firehose-delivery-stream-cloudwatch-logs-processors/DecompressCloudWatchLogsEntry/S3 Destination Role/DefaultPolicy/Resource","constructInfo":{"fqn":"aws-cdk-lib.aws_iam.CfnPolicy","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::IAM::Policy","aws:cdk:cloudformation:props":{"policyDocument":{"Statement":[{"Action":["s3:Abort*","s3:DeleteObject*","s3:GetBucket*","s3:GetObject*","s3:List*","s3:PutObject","s3:PutObjectLegalHold","s3:PutObjectRetention","s3:PutObjectTagging","s3:PutObjectVersionTagging"],"Effect":"Allow","Resource":[{"Fn::GetAtt":["DestinationBucket4BECDB47","Arn"]},{"Fn::Join":["",[{"Fn::GetAtt":["DestinationBucket4BECDB47","Arn"]},"/*"]]}]},{"Action":["logs:CreateLogStream","logs:PutLogEvents"],"Effect":"Allow","Resource":{"Fn::GetAtt":["DecompressCloudWatchLogsEntryLogGroup9D3B0DB2","Arn"]}},{"Action":"lambda:InvokeFunction","Effect":"Allow","Resource":[{"Fn::GetAtt":["DataProcessorFunctionAD472B9A","Arn"]},{"Fn::Join":["",[{"Fn::GetAtt":["DataProcessorFunctionAD472B9A","Arn"]},":*"]]}]}],"Version":"2012-10-17"},"policyName":"DecompressCloudWatchLogsEntryS3DestinationRoleDefaultPolicy3DEF606B","roles":[{"Ref":"DecompressCloudWatchLogsEntryS3DestinationRoleD9A9D5C0"}]}}}}}}},"LogGroup":{"id":"LogGroup","path":"firehose-delivery-stream-cloudwatch-logs-processors/DecompressCloudWatchLogsEntry/LogGroup","constructInfo":{"fqn":"aws-cdk-lib.aws_logs.LogGroup","version":"0.0.0","metadata":["*"]},"children":{"Resource":{"id":"Resource","path":"firehose-delivery-stream-cloudwatch-logs-processors/DecompressCloudWatchLogsEntry/LogGroup/Resource","constructInfo":{"fqn":"aws-cdk-lib.aws_logs.CfnLogGroup","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::Logs::LogGroup","aws:cdk:cloudformation:props":{"retentionInDays":731}}},"S3Destination":{"id":"S3Destination","path":"firehose-delivery-stream-cloudwatch-logs-processors/DecompressCloudWatchLogsEntry/LogGroup/S3Destination","constructInfo":{"fqn":"aws-cdk-lib.aws_logs.LogStream","version":"0.0.0","metadata":[{"logGroup":"*"}]},"children":{"Resource":{"id":"Resource","path":"firehose-delivery-stream-cloudwatch-logs-processors/DecompressCloudWatchLogsEntry/LogGroup/S3Destination/Resource","constructInfo":{"fqn":"aws-cdk-lib.aws_logs.CfnLogStream","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::Logs::LogStream","aws:cdk:cloudformation:props":{"logGroupName":{"Ref":"DecompressCloudWatchLogsEntryLogGroup9D3B0DB2"}}}}}}}},"Resource":{"id":"Resource","path":"firehose-delivery-stream-cloudwatch-logs-processors/DecompressCloudWatchLogsEntry/Resource","constructInfo":{"fqn":"aws-cdk-lib.aws_kinesisfirehose.CfnDeliveryStream","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::KinesisFirehose::DeliveryStream","aws:cdk:cloudformation:props":{"deliveryStreamType":"DirectPut","extendedS3DestinationConfiguration":{"cloudWatchLoggingOptions":{"enabled":true,"logGroupName":{"Ref":"DecompressCloudWatchLogsEntryLogGroup9D3B0DB2"},"logStreamName":{"Ref":"DecompressCloudWatchLogsEntryLogGroupS3DestinationF2791191"}},"processingConfiguration":{"enabled":true,"processors":[{"type":"Decompression","parameters":[{"parameterName":"CompressionFormat","parameterValue":"GZIP"}]},{"type":"AppendDelimiterToRecord","parameters":[]},{"type":"Lambda","parameters":[{"parameterName":"RoleArn","parameterValue":{"Fn::GetAtt":["DecompressCloudWatchLogsEntryS3DestinationRoleD9A9D5C0","Arn"]}},{"parameterName":"LambdaArn","parameterValue":{"Fn::GetAtt":["DataProcessorFunctionAD472B9A","Arn"]}}]}]},"roleArn":{"Fn::GetAtt":["DecompressCloudWatchLogsEntryS3DestinationRoleD9A9D5C0","Arn"]},"bucketArn":{"Fn::GetAtt":["DestinationBucket4BECDB47","Arn"]}}}}}}},"@aws-cdk--aws-kinesisfirehose.CidrBlocks":{"id":"@aws-cdk--aws-kinesisfirehose.CidrBlocks","path":"firehose-delivery-stream-cloudwatch-logs-processors/@aws-cdk--aws-kinesisfirehose.CidrBlocks","constructInfo":{"fqn":"aws-cdk-lib.CfnMapping","version":"0.0.0"}},"ExtractCloudWatchLogsEntry":{"id":"ExtractCloudWatchLogsEntry","path":"firehose-delivery-stream-cloudwatch-logs-processors/ExtractCloudWatchLogsEntry","constructInfo":{"fqn":"aws-cdk-lib.aws_kinesisfirehose.DeliveryStream","version":"0.0.0","metadata":[{"destination":"*"}]},"children":{"S3 Destination Role":{"id":"S3 Destination Role","path":"firehose-delivery-stream-cloudwatch-logs-processors/ExtractCloudWatchLogsEntry/S3 Destination Role","constructInfo":{"fqn":"aws-cdk-lib.aws_iam.Role","version":"0.0.0","metadata":[{"assumedBy":{"principalAccount":"*","assumeRoleAction":"*"}},{"addToPrincipalPolicy":[{}]},{"attachInlinePolicy":["*"]},{"attachInlinePolicy":["*"]},{"addToPrincipalPolicy":[{}]},{"addToPrincipalPolicy":[{}]}]},"children":{"ImportS3 Destination Role":{"id":"ImportS3 Destination Role","path":"firehose-delivery-stream-cloudwatch-logs-processors/ExtractCloudWatchLogsEntry/S3 Destination Role/ImportS3 Destination Role","constructInfo":{"fqn":"aws-cdk-lib.Resource","version":"0.0.0","metadata":["*"]}},"Resource":{"id":"Resource","path":"firehose-delivery-stream-cloudwatch-logs-processors/ExtractCloudWatchLogsEntry/S3 Destination Role/Resource","constructInfo":{"fqn":"aws-cdk-lib.aws_iam.CfnRole","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::IAM::Role","aws:cdk:cloudformation:props":{"assumeRolePolicyDocument":{"Statement":[{"Action":"sts:AssumeRole","Effect":"Allow","Principal":{"Service":"firehose.amazonaws.com"}}],"Version":"2012-10-17"}}}},"DefaultPolicy":{"id":"DefaultPolicy","path":"firehose-delivery-stream-cloudwatch-logs-processors/ExtractCloudWatchLogsEntry/S3 Destination Role/DefaultPolicy","constructInfo":{"fqn":"aws-cdk-lib.aws_iam.Policy","version":"0.0.0","metadata":["*",{"attachToRole":["*"]},{"attachToRole":["*"]},{"addStatements":[{}]},{"addStatements":[{}]},{"addStatements":[{}]}]},"children":{"Resource":{"id":"Resource","path":"firehose-delivery-stream-cloudwatch-logs-processors/ExtractCloudWatchLogsEntry/S3 Destination Role/DefaultPolicy/Resource","constructInfo":{"fqn":"aws-cdk-lib.aws_iam.CfnPolicy","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::IAM::Policy","aws:cdk:cloudformation:props":{"policyDocument":{"Statement":[{"Action":["s3:Abort*","s3:DeleteObject*","s3:GetBucket*","s3:GetObject*","s3:List*","s3:PutObject","s3:PutObjectLegalHold","s3:PutObjectRetention","s3:PutObjectTagging","s3:PutObjectVersionTagging"],"Effect":"Allow","Resource":[{"Fn::GetAtt":["DestinationBucket4BECDB47","Arn"]},{"Fn::Join":["",[{"Fn::GetAtt":["DestinationBucket4BECDB47","Arn"]},"/*"]]}]},{"Action":["logs:CreateLogStream","logs:PutLogEvents"],"Effect":"Allow","Resource":{"Fn::GetAtt":["ExtractCloudWatchLogsEntryLogGroupE6853E20","Arn"]}},{"Action":"lambda:InvokeFunction","Effect":"Allow","Resource":[{"Fn::GetAtt":["DataProcessorFunctionAD472B9A","Arn"]},{"Fn::Join":["",[{"Fn::GetAtt":["DataProcessorFunctionAD472B9A","Arn"]},":*"]]}]}],"Version":"2012-10-17"},"policyName":"ExtractCloudWatchLogsEntryS3DestinationRoleDefaultPolicy871DDE3C","roles":[{"Ref":"ExtractCloudWatchLogsEntryS3DestinationRole108BAD0D"}]}}}}}}},"LogGroup":{"id":"LogGroup","path":"firehose-delivery-stream-cloudwatch-logs-processors/ExtractCloudWatchLogsEntry/LogGroup","constructInfo":{"fqn":"aws-cdk-lib.aws_logs.LogGroup","version":"0.0.0","metadata":["*"]},"children":{"Resource":{"id":"Resource","path":"firehose-delivery-stream-cloudwatch-logs-processors/ExtractCloudWatchLogsEntry/LogGroup/Resource","constructInfo":{"fqn":"aws-cdk-lib.aws_logs.CfnLogGroup","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::Logs::LogGroup","aws:cdk:cloudformation:props":{"retentionInDays":731}}},"S3Destination":{"id":"S3Destination","path":"firehose-delivery-stream-cloudwatch-logs-processors/ExtractCloudWatchLogsEntry/LogGroup/S3Destination","constructInfo":{"fqn":"aws-cdk-lib.aws_logs.LogStream","version":"0.0.0","metadata":[{"logGroup":"*"}]},"children":{"Resource":{"id":"Resource","path":"firehose-delivery-stream-cloudwatch-logs-processors/ExtractCloudWatchLogsEntry/LogGroup/S3Destination/Resource","constructInfo":{"fqn":"aws-cdk-lib.aws_logs.CfnLogStream","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::Logs::LogStream","aws:cdk:cloudformation:props":{"logGroupName":{"Ref":"ExtractCloudWatchLogsEntryLogGroupE6853E20"}}}}}}}},"Resource":{"id":"Resource","path":"firehose-delivery-stream-cloudwatch-logs-processors/ExtractCloudWatchLogsEntry/Resource","constructInfo":{"fqn":"aws-cdk-lib.aws_kinesisfirehose.CfnDeliveryStream","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::KinesisFirehose::DeliveryStream","aws:cdk:cloudformation:props":{"deliveryStreamType":"DirectPut","extendedS3DestinationConfiguration":{"cloudWatchLoggingOptions":{"enabled":true,"logGroupName":{"Ref":"ExtractCloudWatchLogsEntryLogGroupE6853E20"},"logStreamName":{"Ref":"ExtractCloudWatchLogsEntryLogGroupS3Destination4FD652D8"}},"processingConfiguration":{"enabled":true,"processors":[{"type":"Decompression","parameters":[{"parameterName":"CompressionFormat","parameterValue":"GZIP"}]},{"type":"CloudWatchLogProcessing","parameters":[{"parameterName":"DataMessageExtraction","parameterValue":"true"}]},{"type":"Lambda","parameters":[{"parameterName":"RoleArn","parameterValue":{"Fn::GetAtt":["ExtractCloudWatchLogsEntryS3DestinationRole108BAD0D","Arn"]}},{"parameterName":"LambdaArn","parameterValue":{"Fn::GetAtt":["DataProcessorFunctionAD472B9A","Arn"]}}]}]},"roleArn":{"Fn::GetAtt":["ExtractCloudWatchLogsEntryS3DestinationRole108BAD0D","Arn"]},"bucketArn":{"Fn::GetAtt":["DestinationBucket4BECDB47","Arn"]}}}}}}},"BootstrapVersion":{"id":"BootstrapVersion","path":"firehose-delivery-stream-cloudwatch-logs-processors/BootstrapVersion","constructInfo":{"fqn":"aws-cdk-lib.CfnParameter","version":"0.0.0"}},"CheckBootstrapVersion":{"id":"CheckBootstrapVersion","path":"firehose-delivery-stream-cloudwatch-logs-processors/CheckBootstrapVersion","constructInfo":{"fqn":"aws-cdk-lib.CfnRule","version":"0.0.0"}}}},"integ-tests":{"id":"integ-tests","path":"integ-tests","constructInfo":{"fqn":"@aws-cdk/integ-tests-alpha.IntegTest","version":"0.0.0"},"children":{"DefaultTest":{"id":"DefaultTest","path":"integ-tests/DefaultTest","constructInfo":{"fqn":"@aws-cdk/integ-tests-alpha.IntegTestCase","version":"0.0.0"},"children":{"Default":{"id":"Default","path":"integ-tests/DefaultTest/Default","constructInfo":{"fqn":"constructs.Construct","version":"10.4.2"}},"DeployAssert":{"id":"DeployAssert","path":"integ-tests/DefaultTest/DeployAssert","constructInfo":{"fqn":"aws-cdk-lib.Stack","version":"0.0.0"},"children":{"BootstrapVersion":{"id":"BootstrapVersion","path":"integ-tests/DefaultTest/DeployAssert/BootstrapVersion","constructInfo":{"fqn":"aws-cdk-lib.CfnParameter","version":"0.0.0"}},"CheckBootstrapVersion":{"id":"CheckBootstrapVersion","path":"integ-tests/DefaultTest/DeployAssert/CheckBootstrapVersion","constructInfo":{"fqn":"aws-cdk-lib.CfnRule","version":"0.0.0"}}}}}}}},"Tree":{"id":"Tree","path":"Tree","constructInfo":{"fqn":"constructs.Construct","version":"10.4.2"}}}}} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-kinesisfirehose/test/integ.cloudwatch-logs-processors.ts b/packages/@aws-cdk-testing/framework-integ/test/aws-kinesisfirehose/test/integ.cloudwatch-logs-processors.ts new file mode 100644 index 0000000000000..2809c51a3ff36 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-kinesisfirehose/test/integ.cloudwatch-logs-processors.ts @@ -0,0 +1,45 @@ +#!/usr/bin/env node +import * as path from 'path'; +import * as firehose from 'aws-cdk-lib/aws-kinesisfirehose'; +import * as lambdanodejs from 'aws-cdk-lib/aws-lambda-nodejs'; +import * as s3 from 'aws-cdk-lib/aws-s3'; +import * as cdk from 'aws-cdk-lib'; +import { IntegTest } from '@aws-cdk/integ-tests-alpha'; + +const app = new cdk.App(); + +const stack = new cdk.Stack(app, 'firehose-delivery-stream-cloudwatch-logs-processors'); + +const bucket = new s3.Bucket(stack, 'DestinationBucket', { + removalPolicy: cdk.RemovalPolicy.DESTROY, + autoDeleteObjects: true, +}); + +const dataProcessorFunction = new lambdanodejs.NodejsFunction(stack, 'DataProcessorFunction', { + entry: path.join(__dirname, 'lambda-data-processor.js'), + timeout: cdk.Duration.minutes(1), +}); + +new firehose.DeliveryStream(stack, 'DecompressCloudWatchLogsEntry', { + destination: new firehose.S3Bucket(bucket, { + processors: [ + new firehose.DecompressionProcessor(), + new firehose.AppendDelimiterToRecordProcessor(), + new firehose.LambdaFunctionProcessor(dataProcessorFunction), + ], + }), +}); + +new firehose.DeliveryStream(stack, 'ExtractCloudWatchLogsEntry', { + destination: new firehose.S3Bucket(bucket, { + processors: [ + new firehose.DecompressionProcessor(), + new firehose.CloudWatchLogProcessor({ dataMessageExtraction: true }), + new firehose.LambdaFunctionProcessor(dataProcessorFunction), + ], + }), +}); + +new IntegTest(app, 'integ-tests', { + testCases: [stack], +}); diff --git a/packages/aws-cdk-lib/aws-kinesisfirehose/README.md b/packages/aws-cdk-lib/aws-kinesisfirehose/README.md index 5b49273701eec..ab51f222b115c 100644 --- a/packages/aws-cdk-lib/aws-kinesisfirehose/README.md +++ b/packages/aws-cdk-lib/aws-kinesisfirehose/README.md @@ -483,8 +483,11 @@ Data can be transformed before being delivered to destinations. There are two ty data processing for delivery streams: record transformation with AWS Lambda, and record format conversion using a schema stored in an AWS Glue table. If both types of data processing are configured, then the Lambda transformation is performed first. By default, -no data processing occurs. This construct library currently only supports data -transformation with AWS Lambda. See [#15501](https://github.com/aws/aws-cdk/issues/15501) +no data processing occurs. + +This construct library currently only supports data +transformation with AWS Lambda and some built-in data processors. +See [#15501](https://github.com/aws/aws-cdk/issues/15501) to track the status of adding support for record format conversion. ### Data transformation with AWS Lambda @@ -520,7 +523,7 @@ const lambdaProcessor = new firehose.LambdaFunctionProcessor(lambdaFunction, { }); declare const bucket: s3.Bucket; const s3Destination = new firehose.S3Bucket(bucket, { - processor: lambdaProcessor, + processors: [lambdaProcessor], }); new firehose.DeliveryStream(this, 'Delivery Stream', { destination: s3Destination, @@ -532,6 +535,60 @@ new firehose.DeliveryStream(this, 'Delivery Stream', { See: [Data Transformation](https://docs.aws.amazon.com/firehose/latest/dev/data-transformation.html) in the *Amazon Data Firehose Developer Guide*. +### Add a new line delimiter when delivering data to Amazon S3 + +You can specify the `AppendDelimiterToRecordProcessor` built-in processor to add a new line delimiter between records in objects that are delivered to Amazon S3. This can be helpful for parsing objects in Amazon S3. +For details, see [Use Amazon S3 bucket prefix to deliver data](https://docs.aws.amazon.com/firehose/latest/dev/dynamic-partitioning-s3bucketprefix.html). + +```ts +declare const bucket: s3.Bucket; +const s3Destination = new firehose.S3Bucket(bucket, { + processors: [ + new firehose.AppendDelimiterToRecordProcessor(), + ], +}); +new firehose.DeliveryStream(this, 'Delivery Stream', { + destination: s3Destination, +}); +``` + +### Decompress and extract message of CloudWatch Logs + +CloudWatch Logs events are sent to Firehose in compressed gzip format. If you want to deliver decompressed log events to Firehose destinations, you can use the `DecompressionProcessor` to automatically decompress CloudWatch Logs. +For details, see [Send CloudWatch Logs to Firehose](https://docs.aws.amazon.com/firehose/latest/dev/writing-with-cloudwatch-logs.html). + +You may also needed to specify `AppendDelimiterToRecordProcessor` +because decompressed log events record has no trailing newline. + +```ts +declare const bucket: s3.Bucket; +const s3Destination = new firehose.S3Bucket(bucket, { + processors: [ + new firehose.DecompressionProcessor(), + new firehose.AppendDelimiterToRecordProcessor(), + ], +}); +new firehose.DeliveryStream(this, 'Delivery Stream', { + destination: s3Destination, +}); +``` + +When you enable decompression, you have the option to also enable message extraction. When using message extraction, Firehose filters out all metadata, such as owner, loggroup, logstream, and others from the decompressed CloudWatch Logs records and delivers only the content inside the message fields. + +```ts +declare const bucket: s3.Bucket; +const s3Destination = new firehose.S3Bucket(bucket, { + processors: [ + new firehose.DecompressionProcessor(), + new firehose.CloudWatchLogProcessor({ dataMessageExtraction: true }), + ], +}); +new firehose.DeliveryStream(this, 'Delivery Stream', { + destination: s3Destination, +}); +``` + + ## Specifying an IAM role The DeliveryStream class automatically creates IAM service roles with all the minimum diff --git a/packages/aws-cdk-lib/aws-kinesisfirehose/lib/common.ts b/packages/aws-cdk-lib/aws-kinesisfirehose/lib/common.ts index ac257b4d1702c..ce6daa62d1d8a 100644 --- a/packages/aws-cdk-lib/aws-kinesisfirehose/lib/common.ts +++ b/packages/aws-cdk-lib/aws-kinesisfirehose/lib/common.ts @@ -181,9 +181,17 @@ export interface CommonDestinationProps extends DestinationLoggingProps { * The data transformation that should be performed on the data before writing to the destination. * * @default - no data transformation will occur. + * @deprecated Use `processors` instead. */ readonly processor?: IDataProcessor; + /** + * The data transformation that should be performed on the data before writing to the destination. + * + * @default - no data transformation will occur. + */ + readonly processors?: IDataProcessor[]; + /** * The configuration for backing up source records to S3. * diff --git a/packages/aws-cdk-lib/aws-kinesisfirehose/lib/index.ts b/packages/aws-cdk-lib/aws-kinesisfirehose/lib/index.ts index e152de19b4407..928ca970de47e 100644 --- a/packages/aws-cdk-lib/aws-kinesisfirehose/lib/index.ts +++ b/packages/aws-cdk-lib/aws-kinesisfirehose/lib/index.ts @@ -2,8 +2,11 @@ export * from './delivery-stream'; export * from './source'; export * from './destination'; export * from './encryption'; -export * from './lambda-function-processor'; export * from './processor'; +export * from './processors/lambda-function-processor'; +export * from './processors/decompression-processor'; +export * from './processors/cloudwatch-log-processor'; +export * from './processors/append-delimiter-to-record-processor'; export * from './common'; export * from './s3-bucket'; export * from './logging-config'; diff --git a/packages/aws-cdk-lib/aws-kinesisfirehose/lib/private/helpers.ts b/packages/aws-cdk-lib/aws-kinesisfirehose/lib/private/helpers.ts index 9ef3885496aef..ad682430812e0 100644 --- a/packages/aws-cdk-lib/aws-kinesisfirehose/lib/private/helpers.ts +++ b/packages/aws-cdk-lib/aws-kinesisfirehose/lib/private/helpers.ts @@ -107,14 +107,21 @@ export function createEncryptionConfig( export function createProcessingConfig( scope: Construct, role: iam.IRole, - dataProcessor?: IDataProcessor, + dataProcessors?: IDataProcessor[], ): CfnDeliveryStream.ProcessingConfigurationProperty | undefined { - return dataProcessor - ? { - enabled: true, - processors: [renderDataProcessor(dataProcessor, scope, role)], - } - : undefined; + if (!dataProcessors?.length) return undefined; + + const processors = dataProcessors.map((dp) => renderDataProcessor(dp, scope, role)); + const processorTypes = new Set(processors.map((p) => p.type)); + + if (processorTypes.has('CloudWatchLogProcessing') && !processorTypes.has('Decompression')) { + throw new cdk.ValidationError('CloudWatchLogProcessor can only be enabled with DecompressionProcessor', scope); + } + + return { + enabled: true, + processors, + }; } function renderDataProcessor( @@ -123,6 +130,14 @@ function renderDataProcessor( role: iam.IRole, ): CfnDeliveryStream.ProcessorProperty { const processorConfig = processor.bind(scope, { role }); + + if (processorConfig.parameters) { + return { + type: processorConfig.processorType, + parameters: processorConfig.parameters, + }; + } + const parameters = [{ parameterName: 'RoleArn', parameterValue: role.roleArn }]; parameters.push(processorConfig.processorIdentifier); if (processor.props.bufferInterval) { diff --git a/packages/aws-cdk-lib/aws-kinesisfirehose/lib/processor.ts b/packages/aws-cdk-lib/aws-kinesisfirehose/lib/processor.ts index 41a6736de6435..01bc05b2f2600 100644 --- a/packages/aws-cdk-lib/aws-kinesisfirehose/lib/processor.ts +++ b/packages/aws-cdk-lib/aws-kinesisfirehose/lib/processor.ts @@ -1,9 +1,10 @@ import { Construct } from 'constructs'; +import { CfnDeliveryStream } from './kinesisfirehose.generated'; import * as iam from '../../aws-iam'; import { Duration, Size } from '../../core'; /** - * Configure the data processor. + * Configure the LambdaFunctionProcessor. */ export interface DataProcessorProps { /** @@ -36,8 +37,6 @@ export interface DataProcessorProps { export interface DataProcessorIdentifier { /** * The parameter name that corresponds to the processor resource's identifier. - * - * Must be an accepted value in `CfnDeliveryStream.ProcessoryParameterProperty.ParameterName`. */ readonly parameterName: string; @@ -49,21 +48,28 @@ export interface DataProcessorIdentifier { /** * The full configuration of a data processor. + * + * @see https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-properties-kinesisfirehose-deliverystream-processor.html */ export interface DataProcessorConfig { /** - * The type of the underlying processor resource. - * - * Must be an accepted value in `CfnDeliveryStream.ProcessorProperty.Type`. - * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-kinesisfirehose-deliverystream-processor.html#cfn-kinesisfirehose-deliverystream-processor-type - * @example 'Lambda' + * The type of processor. */ readonly processorType: string; /** * The key-value pair that identifies the underlying processor resource. + * + * Ignored when the `parameters` is specified. */ readonly processorIdentifier: DataProcessorIdentifier; + + /** + * The processor parameters. + * + * @default - No processor parameters + */ + readonly parameters?: CfnDeliveryStream.ProcessorParameterProperty[]; } /** diff --git a/packages/aws-cdk-lib/aws-kinesisfirehose/lib/processors/append-delimiter-to-record-processor.ts b/packages/aws-cdk-lib/aws-kinesisfirehose/lib/processors/append-delimiter-to-record-processor.ts new file mode 100644 index 0000000000000..8dbfb035c07f9 --- /dev/null +++ b/packages/aws-cdk-lib/aws-kinesisfirehose/lib/processors/append-delimiter-to-record-processor.ts @@ -0,0 +1,21 @@ +import { Construct } from 'constructs'; +import { DataProcessorBindOptions, DataProcessorConfig, DataProcessorProps, IDataProcessor } from '../processor'; + +/** + * The data processor to append new line delimiter to each record. + * + * @see https://docs.aws.amazon.com/firehose/latest/dev/dynamic-partitioning-s3bucketprefix.html#dynamic-partitioning-new-line-delimiter + */ +export class AppendDelimiterToRecordProcessor implements IDataProcessor { + public readonly props: DataProcessorProps = {}; + + constructor() {} + + bind(_scope: Construct, _options: DataProcessorBindOptions): DataProcessorConfig { + return { + processorType: 'AppendDelimiterToRecord', + processorIdentifier: { parameterName: '', parameterValue: '' }, // Dummy value for backward compatibility + parameters: [], + }; + } +} diff --git a/packages/aws-cdk-lib/aws-kinesisfirehose/lib/processors/cloudwatch-log-processor.ts b/packages/aws-cdk-lib/aws-kinesisfirehose/lib/processors/cloudwatch-log-processor.ts new file mode 100644 index 0000000000000..578d66d018de6 --- /dev/null +++ b/packages/aws-cdk-lib/aws-kinesisfirehose/lib/processors/cloudwatch-log-processor.ts @@ -0,0 +1,40 @@ +import { Construct } from 'constructs'; +import { UnscopedValidationError } from '../../../core'; +import { DataProcessorBindOptions, DataProcessorConfig, DataProcessorProps, IDataProcessor } from '../processor'; + +/** + * Options for CloudWatchLogProcessor. + */ +export interface CloudWatchLogProcessorOptions { + /** + * Extract message from CloudWatch logs. + * This must be true. + */ + readonly dataMessageExtraction: boolean; +} + +/** + * The data processor to extract message after decompression of CloudWatch Logs. + * This processor must used with `DecompressionProcessor` + * + * @see https://docs.aws.amazon.com/firehose/latest/dev/Message_extraction.html + */ +export class CloudWatchLogProcessor implements IDataProcessor { + public readonly props: DataProcessorProps = {}; + + constructor(options: CloudWatchLogProcessorOptions) { + if (!options.dataMessageExtraction) { + throw new UnscopedValidationError('dataMessageExtraction must be true.'); + } + } + + bind(_scope: Construct, _options: DataProcessorBindOptions): DataProcessorConfig { + return { + processorType: 'CloudWatchLogProcessing', + processorIdentifier: { parameterName: '', parameterValue: '' }, // Dummy value for backward compatibility + parameters: [ + { parameterName: 'DataMessageExtraction', parameterValue: 'true' }, + ], + }; + } +} diff --git a/packages/aws-cdk-lib/aws-kinesisfirehose/lib/processors/decompression-processor.ts b/packages/aws-cdk-lib/aws-kinesisfirehose/lib/processors/decompression-processor.ts new file mode 100644 index 0000000000000..016067ec3ba48 --- /dev/null +++ b/packages/aws-cdk-lib/aws-kinesisfirehose/lib/processors/decompression-processor.ts @@ -0,0 +1,56 @@ +import { Construct } from 'constructs'; +import { DataProcessorBindOptions, DataProcessorConfig, DataProcessorProps, IDataProcessor } from '../processor'; + +/** + * Compression format for DecompressionProcessor. + */ +export class DecompressionProcessorCompressionFormat { + /** + * GZIP compression + */ + static readonly GZIP = DecompressionProcessorCompressionFormat.of('GZIP'); + + /** + * A custom compression format + */ + public static of(compressionFormat: string) { + return new DecompressionProcessorCompressionFormat(compressionFormat); + } + + /** + * @param compressionFormat The compression format string + */ + private constructor(public readonly compressionFormat: string) {} +} + +/** + * Options for DecompressionProcessor. + */ +export interface DecompressionProcessorOptions { + /** + * The input compression format + * @default DecompressionProcessorCompressionFormat.GZIP + */ + readonly compressionFormat?: DecompressionProcessorCompressionFormat; +} + +/** + * The data processor to decompress CloudWatch Logs. + * + * @see https://docs.aws.amazon.com/firehose/latest/dev/writing-with-cloudwatch-logs-decompression.html + */ +export class DecompressionProcessor implements IDataProcessor { + public readonly props: DataProcessorProps = {}; + + constructor(private readonly options: DecompressionProcessorOptions = {}) {} + + bind(_scope: Construct, _options: DataProcessorBindOptions): DataProcessorConfig { + return { + processorType: 'Decompression', + processorIdentifier: { parameterName: '', parameterValue: '' }, // Dummy value for backward compatibility + parameters: [ + { parameterName: 'CompressionFormat', parameterValue: this.options.compressionFormat?.compressionFormat ?? 'GZIP' }, + ], + }; + } +} diff --git a/packages/aws-cdk-lib/aws-kinesisfirehose/lib/lambda-function-processor.ts b/packages/aws-cdk-lib/aws-kinesisfirehose/lib/processors/lambda-function-processor.ts similarity index 75% rename from packages/aws-cdk-lib/aws-kinesisfirehose/lib/lambda-function-processor.ts rename to packages/aws-cdk-lib/aws-kinesisfirehose/lib/processors/lambda-function-processor.ts index 99c8141cc5ce4..bdf1f948a5b67 100644 --- a/packages/aws-cdk-lib/aws-kinesisfirehose/lib/lambda-function-processor.ts +++ b/packages/aws-cdk-lib/aws-kinesisfirehose/lib/processors/lambda-function-processor.ts @@ -1,6 +1,6 @@ import { Construct } from 'constructs'; -import { DataProcessorBindOptions, DataProcessorConfig, DataProcessorProps, IDataProcessor } from './processor'; -import * as lambda from '../../aws-lambda'; +import * as lambda from '../../../aws-lambda'; +import { DataProcessorBindOptions, DataProcessorConfig, DataProcessorProps, IDataProcessor } from '../processor'; /** * Use an AWS Lambda function to transform records. @@ -20,10 +20,7 @@ export class LambdaFunctionProcessor implements IDataProcessor { return { processorType: 'Lambda', - processorIdentifier: { - parameterName: 'LambdaArn', - parameterValue: this.lambdaFunction.functionArn, - }, + processorIdentifier: { parameterName: 'LambdaArn', parameterValue: this.lambdaFunction.functionArn }, }; } } diff --git a/packages/aws-cdk-lib/aws-kinesisfirehose/lib/s3-bucket.ts b/packages/aws-cdk-lib/aws-kinesisfirehose/lib/s3-bucket.ts index 9891a11114124..3f55cd9cdfec7 100644 --- a/packages/aws-cdk-lib/aws-kinesisfirehose/lib/s3-bucket.ts +++ b/packages/aws-cdk-lib/aws-kinesisfirehose/lib/s3-bucket.ts @@ -96,6 +96,11 @@ export class S3Bucket implements IDestination { streamId: 'S3Destination', }) ?? {}; + if (this.props.processor && this.props.processors) { + throw new cdk.ValidationError("You can specify either 'processors' or 'processor', not both.", scope); + } + const dataProcessors = this.props.processor ? [this.props.processor] : this.props.processors; + const { backupConfig, dependables: backupDependables } = createBackupConfig(scope, role, this.props.s3Backup) ?? {}; const fileExtension = this.props.fileExtension; @@ -120,7 +125,7 @@ export class S3Bucket implements IDestination { return { extendedS3DestinationConfiguration: { cloudWatchLoggingOptions: loggingOptions, - processingConfiguration: createProcessingConfig(scope, role, this.props.processor), + processingConfiguration: createProcessingConfig(scope, role, dataProcessors), roleArn: role.roleArn, s3BackupConfiguration: backupConfig, s3BackupMode: this.getS3BackupMode(), diff --git a/packages/aws-cdk-lib/aws-kinesisfirehose/test/s3-bucket.test.ts b/packages/aws-cdk-lib/aws-kinesisfirehose/test/s3-bucket.test.ts index a98e1918ab350..e1f3afef0dbb9 100644 --- a/packages/aws-cdk-lib/aws-kinesisfirehose/test/s3-bucket.test.ts +++ b/packages/aws-cdk-lib/aws-kinesisfirehose/test/s3-bucket.test.ts @@ -228,7 +228,7 @@ describe('S3 destination', () => { }); }); - describe('processing configuration', () => { + describe('processing configuration with deprecated processor prop', () => { let lambdaFunction: lambda.IFunction; let basicLambdaProcessor: firehose.LambdaFunctionProcessor; let destinationWithBasicLambdaProcessor: firehose.S3Bucket; @@ -350,6 +350,201 @@ describe('S3 destination', () => { }); }); + describe('processing configuration with processors prop', () => { + it('creates configuration for LambdaFunctionProcessor', () => { + const lambdaFunction = new lambda.Function(stack, 'DataProcessorFunction', { + runtime: lambda.Runtime.NODEJS_LATEST, + code: lambda.Code.fromInline('foo'), + handler: 'bar', + }); + const lambdaProcessor = new firehose.LambdaFunctionProcessor(lambdaFunction); + const destination = new firehose.S3Bucket(bucket, { + role: destinationRole, + processors: [lambdaProcessor], + }); + new firehose.DeliveryStream(stack, 'DeliveryStream', { destination }); + + Template.fromStack(stack).resourceCountIs('AWS::Lambda::Function', 1); + Template.fromStack(stack).hasResourceProperties('AWS::KinesisFirehose::DeliveryStream', { + ExtendedS3DestinationConfiguration: { + ProcessingConfiguration: { + Enabled: true, + Processors: [{ + Type: 'Lambda', + Parameters: [ + { + ParameterName: 'RoleArn', + ParameterValue: stack.resolve(destinationRole.roleArn), + }, + { + ParameterName: 'LambdaArn', + ParameterValue: stack.resolve(lambdaFunction.functionArn), + }, + ], + }], + }, + }, + }); + }); + + it('set all optional parameters', () => { + const lambdaFunction = new lambda.Function(stack, 'DataProcessorFunction', { + runtime: lambda.Runtime.NODEJS_LATEST, + code: lambda.Code.fromInline('foo'), + handler: 'bar', + }); + const lambdaProcessor = new firehose.LambdaFunctionProcessor(lambdaFunction, { + bufferInterval: cdk.Duration.minutes(1), + bufferSize: cdk.Size.mebibytes(1), + retries: 5, + }); + const destination = new firehose.S3Bucket(bucket, { + role: destinationRole, + processors: [lambdaProcessor], + }); + new firehose.DeliveryStream(stack, 'DeliveryStream', { destination }); + + Template.fromStack(stack).resourceCountIs('AWS::Lambda::Function', 1); + Template.fromStack(stack).hasResourceProperties('AWS::KinesisFirehose::DeliveryStream', { + ExtendedS3DestinationConfiguration: { + ProcessingConfiguration: { + Enabled: true, + Processors: [{ + Type: 'Lambda', + Parameters: [ + { + ParameterName: 'RoleArn', + ParameterValue: stack.resolve(destinationRole.roleArn), + }, + { + ParameterName: 'LambdaArn', + ParameterValue: stack.resolve(lambdaFunction.functionArn), + }, + { + ParameterName: 'BufferIntervalInSeconds', + ParameterValue: '60', + }, + { + ParameterName: 'BufferSizeInMBs', + ParameterValue: '1', + }, + { + ParameterName: 'NumberOfRetries', + ParameterValue: '5', + }, + ], + }], + }, + }, + }); + }); + + it('grants invoke access to the lambda function and delivery stream depends on grant', () => { + const lambdaFunction = new lambda.Function(stack, 'DataProcessorFunction', { + runtime: lambda.Runtime.NODEJS_LATEST, + code: lambda.Code.fromInline('foo'), + handler: 'bar', + }); + const lambdaProcessor = new firehose.LambdaFunctionProcessor(lambdaFunction); + const destination = new firehose.S3Bucket(bucket, { + role: destinationRole, + processors: [lambdaProcessor], + }); + new firehose.DeliveryStream(stack, 'DeliveryStream', { destination }); + + Template.fromStack(stack).hasResourceProperties('AWS::IAM::Policy', { + PolicyName: 'DestinationRoleDefaultPolicy1185C75D', + Roles: [stack.resolve(destinationRole.roleName)], + PolicyDocument: { + Statement: Match.arrayWith([ + { + Action: 'lambda:InvokeFunction', + Effect: 'Allow', + Resource: [ + stack.resolve(lambdaFunction.functionArn), + { 'Fn::Join': ['', [stack.resolve(lambdaFunction.functionArn), ':*']] }, + ], + }, + ]), + }, + }); + Template.fromStack(stack).hasResource('AWS::KinesisFirehose::DeliveryStream', { + DependsOn: ['DestinationRoleDefaultPolicy1185C75D'], + }); + }); + + it('creates configuration with built-in processors', () => { + const lambdaFunction = new lambda.Function(stack, 'DataProcessorFunction', { + runtime: lambda.Runtime.NODEJS_LATEST, + code: lambda.Code.fromInline('foo'), + handler: 'bar', + }); + const lambdaProcessor = new firehose.LambdaFunctionProcessor(lambdaFunction); + const destination = new firehose.S3Bucket(bucket, { + role: destinationRole, + processors: [ + new firehose.DecompressionProcessor(), + new firehose.CloudWatchLogProcessor({ dataMessageExtraction: true }), + lambdaProcessor, + new firehose.AppendDelimiterToRecordProcessor(), + ], + }); + new firehose.DeliveryStream(stack, 'DeliveryStream', { destination }); + + Template.fromStack(stack).hasResourceProperties('AWS::KinesisFirehose::DeliveryStream', { + ExtendedS3DestinationConfiguration: { + ProcessingConfiguration: { + Enabled: true, + Processors: [{ + Type: 'Decompression', + Parameters: [ + { ParameterName: 'CompressionFormat', ParameterValue: 'GZIP' }, + ], + }, { + Type: 'CloudWatchLogProcessing', + Parameters: [ + { ParameterName: 'DataMessageExtraction', ParameterValue: 'true' }, + ], + }, { + Type: 'Lambda', + Parameters: [ + { ParameterName: 'RoleArn', ParameterValue: stack.resolve(destinationRole.roleArn) }, + { ParameterName: 'LambdaArn', ParameterValue: stack.resolve(lambdaFunction.functionArn) }, + ], + }, { + Type: 'AppendDelimiterToRecord', + Parameters: [], + }], + }, + }, + }); + }); + + test('CloudWatchLogProcessor throws when dataMessageExtraction is false', () => { + expect(() => { + new firehose.CloudWatchLogProcessor({ dataMessageExtraction: false }); + }).toThrow('dataMessageExtraction must be true.'); + }); + }); + + it('throws when specified both processor and processors', () => { + const lambdaFunction = new lambda.Function(stack, 'DataProcessorFunction', { + runtime: lambda.Runtime.NODEJS_LATEST, + code: lambda.Code.fromInline('foo'), + handler: 'bar', + }); + const lambdaProcessor = new firehose.LambdaFunctionProcessor(lambdaFunction); + const destination = new firehose.S3Bucket(bucket, { + role: destinationRole, + processor: lambdaProcessor, + processors: [lambdaProcessor], + }); + + expect(() => { + new firehose.DeliveryStream(stack, 'DeliveryStream', { destination }); + }).toThrow("You can specify either 'processors' or 'processor', not both."); + }); + describe('compression', () => { it('configures when specified', () => { const destination = new firehose.S3Bucket(bucket, {