(kinesisfirehose): DeliveryStream creates useless role

[peterwoodworth]

Describe the bug

The DeliveryStream construct always creates a role

aws-cdk/packages/@aws-cdk/aws-kinesisfirehose-alpha/lib/delivery-stream.ts

Line 325 in 724bd01

const role = props.role ?? new iam.Role(this, 'Service Role', {

However, this role ends up with no permissions, and no reason to exist if no source stream or encryption key are used:

  "DeliveryStreamServiceRole0CF4E414": {
   "Type": "AWS::IAM::Role",
   "Properties": {
    "AssumeRolePolicyDocument": {
     "Statement": [
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "Service": "firehose.amazonaws.com"
       }
      }
     ],
     "Version": "2012-10-17"
    }
   },
   "Metadata": {
    "aws:cdk:path": "EipFailTagsStack/DeliveryStream/Service Role/Resource"
   }
  },

Expected Behavior

I expect no role to be created

Current Behavior

An unnecessary role is created

Reproduction Steps

Create a DeliveryStream without an encryptionKey, encryption, or sourceStream prop.

    new firehose.DeliveryStream(this, 'DeliveryStream', { 
      destinations: [new destinations.S3Bucket(new s3.Bucket(this, 'Bucket'))]
    });

Possible Solution

In this case, will need to check for appropriate props before creating the role

Additional Information/Context

No response

CDK CLI Version

current

Framework Version

No response

Node.js Version

16

OS

mac

Language

Typescript

Language Version

No response

Other information

Can workaround for now with the following escape hatch:

stream.node.tryRemoveChild('Service Role')

[msambol]

@peterwoodworth I'll take this.

[peterwoodworth]

Thanks!

[SimardeepSingh-zsh]

const deliveryStream = new firehose.DeliveryStream(this, 'DeliveryStream', {
destinations: [new destinations.S3Bucket(new s3.Bucket(this, 'Bucket'))],
});

// Check if encryptionKey, encryption, or sourceStream props are specified
if (!deliveryStream.encryptionKey && !deliveryStream.encryption && !deliveryStream.sourceStream) {
// If none of these props are specified, do not create the IAM role
deliveryStream.node.tryRemoveChild('ServiceRole');
}

[github-actions]

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

[rehanvdm]

This introduces a new error for existing components: Error: There is already a Construct with name 'Service Role' in DeliveryStream

It is because the role is being created again here while it was already created in the constructor here. The solution for now is to just specify the role explicitly, like:

    const deliveryStream = new kdfAlpha.DeliveryStream(this, idPrefix + 'Firehose', {
      deliveryStreamName,
      destinations: [destinationBucket],
      role: new iam.Role(this, 'Service Role', {
        assumedBy: new iam.ServicePrincipal('firehose.amazonaws.com'),
      })
    })

This workaround works for the current logic in the component. Just commenting for when others also experience it. Don't think it is high priority since no one has picked it up. Just happens that we do the logic paths that create the role twice.