feat(firehose): allow creation of writer role
It is convenient to create a role that has access to writing to the
firehose we create within our app. We don't necessarily know what
service will be assuming the role however. Gate the creation of such a
role on the user providing a service.
jta committed Nov 20, 2023
1 parent 9c6ce40 commit 80f26c0
Showing 2 changed files with 45 additions and 2 deletions.
42 changes: 42 additions & 0 deletions apps/firehose/template.yaml
Expand Up @@ -44,11 +44,20 @@ Parameters:
Description: |
Buffer incoming data to the specified size, in MiBs, before delivering it
to the destination.
WriterRoleService:
Type: String
Description: |
Optional service to create writer role for.
Default: ''

Conditions:
UseStackName: !Equals
- !Ref NameOverride
- ''
CreateWriterRole: !Not
- !Equals
- !Ref WriterRoleService
- ''

Resources:
Role:
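Review bot: WriterRoleService is accepted as an unconstrained String here (the CreateWriterRole condition only tests it against ''), so any non-empty value a deployer passes becomes the trusted principal of the role created further down. Consider adding `AllowedPattern: '^$|^[a-z0-9.-]+\.amazonaws\.com$'` with a matching `ConstraintDescription` on the parameter, so only the empty default or an AWS service principal of the form `<service>.amazonaws.com` is accepted, and tighten the Description to say what kind of value is expected, e.g. `Optional AWS service principal (e.g. logs.amazonaws.com) for which a role allowed to write to the delivery stream is created.`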
Expand Down Expand Up @@ -125,8 +134,41 @@ Resources:
Enabled: true
LogGroupName: !Ref LogGroup
LogStreamName: !Ref LogStream
WriterRole:
Type: 'AWS::IAM::Role'
Condition: CreateWriterRole
Properties:
AssumeRolePolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Principal:
Service:
- !Ref WriterRoleService
Action:
- 'sts:AssumeRole'
Path: /
Policies:
- PolicyName: firehose
PolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Action:
- firehose:DescribeDeliveryStream
- firehose:ListDeliveryStreams
- firehose:ListTagsForDeliveryStream
- firehose:PutRecord
- firehose:PutRecordBatch
Resource: !GetAtt 'DeliveryStream.Arn'

Outputs:
Firehose:
Description: 'Firehose ARN'
Value: !GetAtt 'DeliveryStream.Arn'
WriterRole:
Description: 'Writer role ARN'
Value: !If
- CreateWriterRole
- !GetAtt 'WriterRole.Arn'
- ''
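Review bot: The AssumeRolePolicyDocument in WriterRole grants `sts:AssumeRole` to the service principal from WriterRoleService with no Condition, so a resource of that service in any account, not just this one, could assume the role (the confused-deputy case). Since the service is meant to act on behalf of this stack's account, scope the trust statement with `Condition:` / `StringEquals:` / `aws:SourceAccount: !Ref AWS::AccountId` (and `aws:SourceArn` where the calling resource is known). Two smaller points: `Version: 2012-10-17` is unquoted in both policy documents, which YAML tooling other than CloudFormation's parser reads as a date, so prefer `Version: '2012-10-17'`; and rather than the `!If` returning `''` for the WriterRole output when no role is created, putting `Condition: CreateWriterRole` on the output itself omits the key entirely, which is easier for consumers to test for.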
5 changes: 3 additions & 2 deletions integration/tests/firehose.tftest.hcl
Expand Up @@ -41,8 +41,9 @@ run "set_prefix" {
name = run.setup.id
app = "firehose"
parameters = {
BucketARN = "arn:aws:s3:::${run.setup.access_point.bucket}"
Prefix = "${run.setup.id}/"
BucketARN = "arn:aws:s3:::${run.setup.access_point.bucket}"
Prefix = "${run.setup.id}/"
WriterRoleService = "logs.amazonaws.com"
}
capabilities = [
"CAPABILITY_IAM",
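Review bot: Setting `WriterRoleService = "logs.amazonaws.com"` in `set_prefix` exercises the CreateWriterRole branch, but nothing in this hunk checks the result. Add an `assert` block to the run that the stack output `WriterRole` is a non-empty ARN (and, since the default path yields `''`, a run without the parameter asserting it stays empty); otherwise a regression in the Condition or in the `!If` in Outputs would pass silently.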
