in source/cdk-deployment-samples/deployment_samples/deployment_samples_stack.py [0:0]
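def __init__(self, scope: cdk.Construct, construct_id: str,
             **kwargs) -> None:
    """Declare the log-bucket parameter and the two delivery-pipeline IAM roles.

    Three CloudFormation parameters are declared (log bucket name, the
    CloudWatch Logs -> Kinesis Data Firehose role name, the Firehose -> S3
    role name), two IAM roles are built from them, and the bucket name plus
    both role names are exported for cross-stack references.

    Args:
        scope: Parent construct.
        construct_id: Logical id of this stack within *scope*.
        **kwargs: Passed through unchanged to the parent constructor.
    """
    super().__init__(scope, construct_id, **kwargs)

    # --- Stack parameters -------------------------------------------------
    log_bucket_name = cdk.CfnParameter(
        self, 'siemLogBucketName',
        description='S3 Bucket to put workspaces inventory',
        default='aes-siem-111111111111-log')
    # NOTE: the logical ids below are kept as-is (renaming a CfnParameter
    # changes the template's parameter name for existing deployments), even
    # though 'kdfToS3RoleName' actually carries the CloudWatch Logs -> Firehose
    # role name and 'roleNameKdfToS3' the Firehose -> S3 one.
    role_name_cwl_to_kdf = cdk.CfnParameter(
        self, 'kdfToS3RoleName',
        description=('role name for CloudWatch Logs to send data to '
                     'Kinsis Data Firehose. Replace YOUR-REGION'),
        default='siem-role-cwl-to-firehose-YOUR-REGION')
    role_name_kdf_to_s3 = cdk.CfnParameter(
        self, 'roleNameKdfToS3',
        description=('role name for Kinesis Data Firehose to send data '
                     'to S3. Replace YOUR-REGION'),
        default='siem-role-firehose-to-s3-YOUR-REGION')

    bucket_arn = f'arn:aws:s3:::{log_bucket_name.value_as_string}'

    # --- CloudWatch Logs -> Firehose role ---------------------------------
    # A subscription filter only needs to write records into the delivery
    # stream, so the policy grants the two Put actions rather than
    # 'firehose:*' (which would also allow describing, updating and
    # deleting every delivery stream in the account/region).
    cwl_to_firehose_statement = aws_iam.PolicyStatement(
        actions=['firehose:PutRecord', 'firehose:PutRecordBatch'],
        resources=[(f'arn:aws:firehose:{cdk.Aws.REGION}:'
                    f'{cdk.Aws.ACCOUNT_ID}:*')],
        sid='CwlToFirehosePolicyGeneratedBySeimCfn',
    )
    role_cwl_to_kdf = aws_iam.Role(
        self, 'cwlRole',
        role_name=role_name_cwl_to_kdf.value_as_string,
        inline_policies={
            'cwl-to-firehose': aws_iam.PolicyDocument(
                statements=[cwl_to_firehose_statement]),
        },
        # The CloudWatch Logs service principal is regional.
        assumed_by=aws_iam.ServicePrincipal(
            f'logs.{cdk.Aws.REGION}.amazonaws.com'))

    # --- Firehose -> S3 role ----------------------------------------------
    # Bucket-level actions (ListBucket, GetBucketLocation, ...) need the
    # bucket ARN itself; object-level actions need the '/*' form.
    firehose_to_s3_statement = aws_iam.PolicyStatement(
        sid='FirehoseToS3PolicyGeneratedBySiemCfn',
        actions=["s3:AbortMultipartUpload",
                 "s3:GetBucketLocation",
                 "s3:GetObject",
                 "s3:ListBucket",
                 "s3:ListBucketMultipartUploads",
                 "s3:PutObject"],
        resources=[bucket_arn, f'{bucket_arn}/*'])
    # Lets the delivery stream write its own error logs to CloudWatch Logs.
    firehose_logging_statement = aws_iam.PolicyStatement(
        sid='LoggingPolicyGeneratedBySiemCfn',
        actions=["logs:PutLogEvents"],
        resources=[(f'arn:aws:logs:{cdk.Aws.REGION}:'
                    f'{cdk.Aws.ACCOUNT_ID}:log-group:/aws/'
                    f'kinesisfirehose/*:log-stream:*')])
    role_kdf_to_s3 = aws_iam.Role(
        self, 'firehoseRole', path='/service-role/',
        role_name=role_name_kdf_to_s3.value_as_string,
        inline_policies={
            'firehose-to-s3': aws_iam.PolicyDocument(
                statements=[firehose_to_s3_statement]),
            # Policy name kept byte-identical (typo included) so existing
            # deployments do not see a replaced inline policy.
            'for-logigng': aws_iam.PolicyDocument(
                statements=[firehose_logging_statement]),
        },
        assumed_by=aws_iam.ServicePrincipal('firehose.amazonaws.com'))

    ######################################################################
    # output for cross stack
    ######################################################################
    # Export names are consumed by other stacks via Fn::ImportValue; they
    # must stay stable.
    cdk.CfnOutput(self, 'logBucketName',
                  export_name='sime-log-bucket-name',
                  value=log_bucket_name.value_as_string)
    cdk.CfnOutput(self, 'cwlRoleName',
                  export_name='siem-cwl-to-kdf-role-name',
                  value=role_cwl_to_kdf.role_name)
    cdk.CfnOutput(self, 'kdfRoleName',
                  export_name='siem-kdf-to-s3-role-name',
                  value=role_kdf_to_s3.role_name)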