fix(logs-destinations): missing dependency to Policy created by KinesisDestination (#24811)

Fixes #21827

All credit to @pv93 for [their fix](#21827 (comment)).

Author: joel-aws

packages/@aws-cdk/aws-logs-destinations/lib/kinesis.ts

@@ -36,6 +36,17 @@ export class KinesisDestination implements logs.ILogSubscriptionDestination {
     });
     this.stream.grantWrite(role);
     role.grantPassRole(role);
+
+    const policy = role.node.tryFindChild('DefaultPolicy') as iam.CfnPolicy;
+    if (policy) {
+      // Remove circular dependency
+      const cfnRole = role.node.defaultChild as iam.CfnRole;
+      cfnRole.addOverride('DependsOn', undefined);
+
+      // Ensure policy is created before subscription filter
+      scope.node.addDependency(policy);
+    }
+
     return { arn: this.stream.streamArn, role };
   }
 }

packages/@aws-cdk/aws-logs-destinations/package.json

@@ -75,6 +75,7 @@
     "@aws-cdk/assertions": "0.0.0",
     "@aws-cdk/cdk-build-tools": "0.0.0",
     "@aws-cdk/integ-runner": "0.0.0",
+    "@aws-cdk/integ-tests": "0.0.0",
     "@aws-cdk/cfn2ts": "0.0.0",
     "@aws-cdk/pkglint": "0.0.0",
     "@types/jest": "^27.5.2",

packages/@aws-cdk/aws-logs-destinations/test/integ.kinesis.js.snapshot/KinesisIntegDefaultTestDeployAssertE6E3ADDB.assets.json

@@ -0,0 +1,19 @@
+{
+  "version": "31.0.0",
+  "files": {
+    "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22": {
+      "source": {
+        "path": "KinesisIntegDefaultTestDeployAssertE6E3ADDB.template.json",
+        "packaging": "file"
+      },
+      "destinations": {
+        "current_account-current_region": {
+          "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
+          "objectKey": "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json",
+          "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
+        }
+      }
+    }
+  },
+  "dockerImages": {}
+}

packages/@aws-cdk/aws-logs-destinations/test/integ.kinesis.js.snapshot/KinesisIntegDefaultTestDeployAssertE6E3ADDB.template.json

@@ -0,0 +1,36 @@
+{
+ "Parameters": {
+  "BootstrapVersion": {
+   "Type": "AWS::SSM::Parameter::Value<String>",
+   "Default": "/cdk-bootstrap/hnb659fds/version",
+   "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]"
+  }
+ },
+ "Rules": {
+  "CheckBootstrapVersion": {
+   "Assertions": [
+    {
+     "Assert": {
+      "Fn::Not": [
+       {
+        "Fn::Contains": [
+         [
+          "1",
+          "2",
+          "3",
+          "4",
+          "5"
+         ],
+         {
+          "Ref": "BootstrapVersion"
+         }
+        ]
+       }
+      ]
+     },
+     "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI."
+    }
+   ]
+  }
+ }
+}

packages/@aws-cdk/aws-logs-destinations/test/integ.kinesis.js.snapshot/cdk.out

@@ -0,0 +1 @@
+{"version":"31.0.0"}

packages/@aws-cdk/aws-logs-destinations/test/integ.kinesis.js.snapshot/integ.json

@@ -0,0 +1,12 @@
+{
+  "version": "31.0.0",
+  "testCases": {
+    "KinesisInteg/DefaultTest": {
+      "stacks": [
+        "kinesis-logsubscription-integ"
+      ],
+      "assertionStack": "KinesisInteg/DefaultTest/DeployAssert",
+      "assertionStackName": "KinesisIntegDefaultTestDeployAssertE6E3ADDB"
+    }
+  }
+}

packages/@aws-cdk/aws-logs-destinations/test/integ.kinesis.js.snapshot/kinesis-logsubscription-integ.assets.json

@@ -0,0 +1,19 @@
+{
+  "version": "31.0.0",
+  "files": {
+    "c32b075cf703af59a0711e440bc11930c01e91f7de8d901334778493c7c28263": {
+      "source": {
+        "path": "kinesis-logsubscription-integ.template.json",
+        "packaging": "file"
+      },
+      "destinations": {
+        "current_account-current_region": {
+          "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
+          "objectKey": "c32b075cf703af59a0711e440bc11930c01e91f7de8d901334778493c7c28263.json",
+          "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
+        }
+      }
+    }
+  },
+  "dockerImages": {}
+}

packages/@aws-cdk/aws-logs-destinations/test/integ.kinesis.js.snapshot/kinesis-logsubscription-integ.template.json

@@ -0,0 +1,171 @@
+{
+ "Resources": {
+  "MyStream5C050E93": {
+   "Type": "AWS::Kinesis::Stream",
+   "Properties": {
+    "RetentionPeriodHours": 24,
+    "ShardCount": 1,
+    "StreamEncryption": {
+     "Fn::If": [
+      "AwsCdkKinesisEncryptedStreamsUnsupportedRegions",
+      {
+       "Ref": "AWS::NoValue"
+      },
+      {
+       "EncryptionType": "KMS",
+       "KeyId": "alias/aws/kinesis"
+      }
+     ]
+    },
+    "StreamModeDetails": {
+     "StreamMode": "PROVISIONED"
+    }
+   }
+  },
+  "LogGroupF5B46931": {
+   "Type": "AWS::Logs::LogGroup",
+   "Properties": {
+    "RetentionInDays": 731
+   },
+   "UpdateReplacePolicy": "Delete",
+   "DeletionPolicy": "Delete"
+  },
+  "SubscriptionCloudWatchLogsCanPutRecords9C1223EC": {
+   "Type": "AWS::IAM::Role",
+   "Properties": {
+    "AssumeRolePolicyDocument": {
+     "Statement": [
+      {
+       "Action": "sts:AssumeRole",
+       "Effect": "Allow",
+       "Principal": {
+        "Service": "logs.amazonaws.com"
+       }
+      }
+     ],
+     "Version": "2012-10-17"
+    }
+   }
+  },
+  "SubscriptionCloudWatchLogsCanPutRecordsDefaultPolicy50D4970F": {
+   "Type": "AWS::IAM::Policy",
+   "Properties": {
+    "PolicyDocument": {
+     "Statement": [
+      {
+       "Action": [
+        "kinesis:ListShards",
+        "kinesis:PutRecord",
+        "kinesis:PutRecords"
+       ],
+       "Effect": "Allow",
+       "Resource": {
+        "Fn::GetAtt": [
+         "MyStream5C050E93",
+         "Arn"
+        ]
+       }
+      },
+      {
+       "Action": "iam:PassRole",
+       "Effect": "Allow",
+       "Resource": {
+        "Fn::GetAtt": [
+         "SubscriptionCloudWatchLogsCanPutRecords9C1223EC",
+         "Arn"
+        ]
+       }
+      }
+     ],
+     "Version": "2012-10-17"
+    },
+    "PolicyName": "SubscriptionCloudWatchLogsCanPutRecordsDefaultPolicy50D4970F",
+    "Roles": [
+     {
+      "Ref": "SubscriptionCloudWatchLogsCanPutRecords9C1223EC"
+     }
+    ]
+   }
+  },
+  "Subscription391C9821": {
+   "Type": "AWS::Logs::SubscriptionFilter",
+   "Properties": {
+    "DestinationArn": {
+     "Fn::GetAtt": [
+      "MyStream5C050E93",
+      "Arn"
+     ]
+    },
+    "FilterPattern": "",
+    "LogGroupName": {
+     "Ref": "LogGroupF5B46931"
+    },
+    "RoleArn": {
+     "Fn::GetAtt": [
+      "SubscriptionCloudWatchLogsCanPutRecords9C1223EC",
+      "Arn"
+     ]
+    }
+   },
+   "DependsOn": [
+    "SubscriptionCloudWatchLogsCanPutRecordsDefaultPolicy50D4970F"
+   ]
+  }
+ },
+ "Conditions": {
+  "AwsCdkKinesisEncryptedStreamsUnsupportedRegions": {
+   "Fn::Or": [
+    {
+     "Fn::Equals": [
+      {
+       "Ref": "AWS::Region"
+      },
+      "cn-north-1"
+     ]
+    },
+    {
+     "Fn::Equals": [
+      {
+       "Ref": "AWS::Region"
+      },
+      "cn-northwest-1"
+     ]
+    }
+   ]
+  }
+ },
+ "Parameters": {
+  "BootstrapVersion": {
+   "Type": "AWS::SSM::Parameter::Value<String>",
+   "Default": "/cdk-bootstrap/hnb659fds/version",
+   "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]"
+  }
+ },
+ "Rules": {
+  "CheckBootstrapVersion": {
+   "Assertions": [
+    {
+     "Assert": {
+      "Fn::Not": [
+       {
+        "Fn::Contains": [
+         [
+          "1",
+          "2",
+          "3",
+          "4",
+          "5"
+         ],
+         {
+          "Ref": "BootstrapVersion"
+         }
+        ]
+       }
+      ]
+     },
+     "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI."
+    }
+   ]
+  }
+ }
+}