in source/patterns/@aws-solutions-constructs/aws-kinesisfirehose-s3/lib/index.ts [90:207]
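/**
 * Wires a Kinesis Data Firehose delivery stream to an S3 destination bucket.
 *
 * Builds (or adopts) the destination bucket, a CloudWatch log group/stream for
 * Firehose delivery logging, an IAM role scoped to that bucket and log stream,
 * and finally the `CfnDeliveryStream` itself.
 *
 * @param scope - Parent construct.
 * @param id - Construct id, unique within `scope`.
 * @param props - See `KinesisFirehoseToS3Props`; validated up front by `defaults.CheckProps`.
 */
constructor(scope: Construct, id: string, props: KinesisFirehoseToS3Props) {
  super(scope, id);
  defaults.CheckProps(props);

  // Destination bucket: adopt the caller's bucket, or build one (plus its
  // server-access-logging bucket) with the solution defaults.
  let bucket: s3.IBucket;
  if (props.existingBucketObj) {
    bucket = props.existingBucketObj;
  } else {
    let bucketProps = props.bucketProps ?? {};
    if (props.existingLoggingBucketObj) {
      // Route access logs to the caller's existing logging bucket.
      bucketProps = overrideProps(bucketProps, { serverAccessLogsBucket: props.existingLoggingBucketObj });
    }
    [this.s3Bucket, this.s3LoggingBucket] = defaults.buildS3Bucket(this, {
      bucketProps,
      loggingBucketProps: props.loggingBucketProps,
      logS3AccessLogs: props.logS3AccessLogs,
    });
    bucket = this.s3Bucket;
  }
  this.s3BucketInterface = bucket;

  // CloudWatch log group + stream that the delivery stream is pointed at.
  this.kinesisFirehoseLogGroup = defaults.buildLogGroup(this, "firehose-log-group", props.logGroupProps);
  const cwLogStream: logs.LogStream = this.kinesisFirehoseLogGroup.addStream("firehose-log-stream");

  // Role assumed by the Firehose service. The inline policy grants the S3
  // actions Firehose needs, limited to the destination bucket and its objects,
  // plus PutLogEvents on the single log stream created above - nothing wider.
  this.kinesisFirehoseRole = new iam.Role(this, "KinesisFirehoseRole", {
    assumedBy: new iam.ServicePrincipal("firehose.amazonaws.com"),
  });
  const firehosePolicy = new iam.Policy(this, "KinesisFirehosePolicy", {
    statements: [
      new iam.PolicyStatement({
        actions: [
          "s3:AbortMultipartUpload",
          "s3:GetBucketLocation",
          "s3:GetObject",
          "s3:ListBucket",
          "s3:ListBucketMultipartUploads",
          "s3:PutObject",
        ],
        resources: [bucket.bucketArn, `${bucket.bucketArn}/*`],
      }),
      new iam.PolicyStatement({
        actions: ["logs:PutLogEvents"],
        resources: [
          `arn:${cdk.Aws.PARTITION}:logs:${cdk.Aws.REGION}:${cdk.Aws.ACCOUNT_ID}:log-group:${this.kinesisFirehoseLogGroup.logGroupName}:log-stream:${cwLogStream.logStreamName}`,
        ],
      }),
    ],
  });
  firehosePolicy.attachToRole(this.kinesisFirehoseRole);

  // AWS-managed S3 key handed to the default delivery-stream props.
  // Imported under `this` rather than `scope`: the construct id is fixed, so
  // importing it on the parent scope makes a second instance of this construct
  // in the same scope fail with a duplicate-id error. An alias import defines
  // no CloudFormation resource, so the synthesized template is unaffected.
  const awsManagedKey: kms.IKey = kms.Alias.fromAliasName(this, "aws-managed-key", "alias/aws/s3");

  let deliveryStreamProps: kinesisfirehose.CfnDeliveryStreamProps = defaults.DefaultCfnDeliveryStreamProps(
    bucket.bucketArn,
    this.kinesisFirehoseRole.roleArn,
    this.kinesisFirehoseLogGroup.logGroupName,
    cwLogStream.logStreamName,
    awsManagedKey
  );

  // Server-side encryption of the delivery stream itself is enabled unless the
  // caller explicitly declared a Kinesis Data Stream as the source (presumably
  // because a stream-sourced Firehose takes its encryption from the source
  // stream). A caller-supplied deliveryStreamEncryptionConfigurationInput in
  // kinesisFirehoseProps is layered over this below, so turning SSE off again
  // requires an explicit choice by the caller.
  if (props.kinesisFirehoseProps?.deliveryStreamType !== 'KinesisStreamAsSource') {
    deliveryStreamProps = defaults.overrideProps(deliveryStreamProps, {
      deliveryStreamEncryptionConfigurationInput: {
        keyType: "AWS_OWNED_CMK",
      },
    });
  }

  // Caller props win over the defaults. Deliberately NOT dumped to the synth
  // log: CfnDeliveryStreamProps can carry destination credentials (e.g. Splunk
  // HEC tokens, HTTP endpoint access keys), which must not end up in build output.
  const finalProps = props.kinesisFirehoseProps
    ? overrideProps(deliveryStreamProps, props.kinesisFirehoseProps)
    : deliveryStreamProps;
  this.kinesisFirehose = new kinesisfirehose.CfnDeliveryStream(this, "KinesisFirehose", finalProps);
}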