Skip to content

feat(ec2): support Firehose IDeliveryStreamRef as flow log destination #36278

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
Tietew wants to merge 3 commits into
base: main
Choose a base branch
from
Open

feat(ec2): support Firehose IDeliveryStreamRef as flow log destination #36278

Tietew wants to merge 3 commits into from

Conversation

@Tietew
Copy link
Contributor

@Tietew Tietew commented Dec 3, 2025

Issue # (if applicable)

Re-drive of #33883 and #34596.
Related to #33757.

Reason for this change

FlowLogDestination.toKinesisDataFirehoseDestination() includes the former service name Kinesis and receives the string ARN.

Also, cross-account log delivery needs an IAM role. https://docs.aws.amazon.com/vpc/latest/userguide/firehose-cross-account-delivery.html

Description of changes

  • Added FlowLogDestination.toFirehose() with an optional IAM role.
  • Deprecate toKinesisDataFirehoseDestination()

Note: CDK cannot create the IAM role for cross-account delivery because the VPC ARN is needed but FlowLog construct doesn't know it.

Changes from previous PRs

This PR refers the new reference interface IDeliveryStreamRef (defined in interfaces submodule) to avoid cyclic dependency.

BEFORE

graph TD;
  A1(aws-ec2)--IDeliveryStream-->B1;
  B1(aws-kinesisfirehose)--Connections,Peer,IConnectable-->A1;
Loading

AFTER

graph TD;
  A1(aws-ec2)--IDeliveryStreamRef-->C1;
  B1(aws-kinesisfirehose)--Connections,Peer,IConnecttable-->A1;
  B1(aws-kinesisfirehose)--IDeliveryStreamRef-->C1;
  C1(interfaces);
Loading

Describe any new or updated permissions being added

N/A - Users must specify IAM roles for cross account delivery.

Description of how you validated changes

Unit tests and integ test.

Checklist

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

@aws-cdk-automation aws-cdk-automation requested a review from a team December 3, 2025 07:50
@github-actions github-actions bot added distinguished-contributor [Pilot] contributed 50+ PRs to the CDK p2 labels Dec 3, 2025
@aws-cdk-automation aws-cdk-automation added the pr/needs-community-review This PR needs a review from a Trusted Community Member or Core Team Member. label Dec 3, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

distinguished-contributor [Pilot] contributed 50+ PRs to the CDK p2 pr/needs-community-review This PR needs a review from a Trusted Community Member or Core Team Member.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@Tietew @aws-cdk-automation