import iam = require('@aws-cdk/aws-iam');
import cdk = require('@aws-cdk/cdk');
import { ILogGroup } from './log-group';
import { CfnDestination } from './logs.generated';
import { ILogSubscriptionDestination, LogSubscriptionDestination } from './subscription-filter';
export interface CrossAccountDestinationProps {
  /**
   * The name of the log destination.
   *
   * When omitted (an empty string is treated the same way by the constructor,
   * which tests the value with `||`), a name is generated from the stack name
   * and the resource's logical ID.
   *
   * @default Automatically generated
   */
  destinationName?: string;
  /**
   * The role to assume that grants permissions to write to 'target'.
   *
   * The role must be assumable by 'logs.{REGION}.amazonaws.com'. Only the
   * role's ARN is handed to the underlying CloudFormation resource; the role's
   * own policies are not inspected or modified here.
   */
  role: iam.Role;
  /**
   * The log destination target's ARN.
   *
   * Passed through unchanged as the underlying resource's `targetArn`.
   */
  targetArn: string;
}
/**
 * A new CloudWatch Logs Destination for use in cross-account scenarios
 *
 * Log destinations can be used to subscribe a Kinesis stream in a different
 * account to a CloudWatch Subscription. A Kinesis stream in the same account
 * can be subscribed directly.
 *
 * The @aws-cdk/aws-kinesis library takes care of this automatically; you shouldn't
 * need to bother with this class.
 *
 * Access control note: the destination's resource policy (`policyDocument`)
 * starts out empty and is rendered as an empty string until statements are
 * added through `addToPolicy()`. That policy is what decides which accounts
 * may create subscription filters against this destination, so statements
 * added to it should name the specific source account(s) rather than a
 * wildcard principal.
 */
export class CrossAccountDestination extends cdk.Construct implements ILogSubscriptionDestination {
  /**
   * Policy object of this CrossAccountDestination object
   *
   * Serialized lazily into the underlying resource's `destinationPolicy`, so
   * statements may be added at any point before synthesis.
   */
  public readonly policyDocument: iam.PolicyDocument = new iam.PolicyDocument();

  /**
   * The name of this CrossAccountDestination object
   */
  public readonly destinationName: string;

  /**
   * The ARN of this CrossAccountDestination object
   */
  public readonly destinationArn: string;

  /**
   * The inner resource
   */
  private readonly resource: CfnDestination;

  /**
   * @param scope the parent construct
   * @param id    the construct id
   * @param props name, role and target ARN; see CrossAccountDestinationProps
   */
  constructor(scope: cdk.Construct, id: string, props: CrossAccountDestinationProps) {
    super(scope, id);

    // The underlying model requires a name; fall back to a lazily generated one.
    // `||` means an empty string is also replaced by the generated name.
    const nameOrToken = props.destinationName || new cdk.Token(() => this.generateUniqueName());

    // The resource wants the policy as a JSON string; resolve it at synthesis
    // time so statements added after construction are included.
    const policyToken = new cdk.Token(() => this.stringifiedPolicyDocument());

    this.resource = new CfnDestination(this, 'Resource', {
      destinationName: nameOrToken,
      destinationPolicy: policyToken,
      roleArn: props.role.roleArn,
      targetArn: props.targetArn
    });

    this.destinationName = this.resource.destinationName;
    this.destinationArn = this.resource.destinationArn;
  }

  /**
   * Add a statement to this destination's resource policy.
   *
   * The statement is appended as given; nothing here validates its principal
   * or actions, so callers are responsible for keeping it scoped.
   *
   * @param statement the statement to append to `policyDocument`
   */
  public addToPolicy(statement: iam.PolicyStatement) {
    this.policyDocument.addStatement(statement);
  }

  /**
   * Return this destination as a subscription-filter target.
   *
   * The source log group is ignored: no permission for its account is added to
   * the destination policy here, so that remains the caller's job via
   * `addToPolicy()`.
   *
   * @param _sourceLogGroup unused
   * @returns the destination ARN
   */
  public logSubscriptionDestination(_sourceLogGroup: ILogGroup): LogSubscriptionDestination {
    const target: LogSubscriptionDestination = { arn: this.destinationArn };
    return target;
  }

  /**
   * Generate a unique Destination name in case the user didn't supply one
   *
   * @returns `<stack name>-<logical id of the inner resource>`
   */
  private generateUniqueName(): string {
    // Stack name plus logical ID is unique within the deployment.
    const owningStack = cdk.Stack.find(this);
    const logicalId = this.resource.logicalId;
    return owningStack.name + '-' + logicalId;
  }

  /**
   * Return a stringified JSON version of the PolicyDocument
   *
   * @returns an empty string while no statements have been added, otherwise
   *          the resolved policy rendered as CloudFormation JSON
   */
  private stringifiedPolicyDocument() {
    if (this.policyDocument.isEmpty) {
      return '';
    }
    const resolved = this.node.resolve(this.policyDocument);
    return cdk.CloudFormationJSON.stringify(resolved, this);
  }
}