Aws-cdk: Support Kinesis Streams as an Event Rule target

Created on 21 Jun 2019 · 4 comments · Source: aws/aws-cdk

  • I'm submitting a ...

    • [ ] :beetle: bug report
    • [X] :rocket: feature request
    • [ ] :books: construct library gap
    • [ ] :phone: security issue or vulnerability => Please see policy
    • [ ] :question: support request => Please see note at the top of this template.

  • What is the expected behavior (or behavior of feature suggested)?

    CloudWatch Event Rules can send events to Kinesis Streams, as shown here: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-events-rule-target.html#aws-properties-events-rule-target--examples--Target_with_KinesisParameters--yaml

    The CDK does not yet support that, as shown here: https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-events.IRuleTarget.html

  • What is the motivation / use case for changing the behavior or adding this feature?

    I want to send CloudWatch Events to a Kinesis Stream. This is needed for GuardDuty event collection as shown here: https://summitroute.com/blog/2019/03/06/guardduty_event_collection_via_cloudwatch_events/

  • Please tell us about your environment:

    • CDK CLI Version: 0.35.0
    • Module Version: aws-events
    • OS: all
    • Language: JavaScript

  • Other information (e.g. detailed explanation, stacktraces, related issues, suggestions how to fix, links for us to have context, e.g. associated pull-request, stackoverflow, gitter, etc.)

Labels: @aws-cdk/aws-cloudwatch, @aws-cdk/aws-events-targets, @aws-cdk/aws-kinesis, effort/medium, feature-request, in-progress

All 4 comments

Hi Scott, thank you for reaching out!

We are currently pausing work on most new FRs and community PRs for a few weeks while we work towards stabilization and tuning to meet our consistency guidelines. Please feel free to discuss here, or put in a PR if you feel this is a problem you can resolve.

Thanks for the response. I was able to work around this for now using the "escape hatch" concept described here: https://docs.aws.amazon.com/cdk/latest/guide/cfn_layer.html

@0xdabbad00 Scott, could you please give me a little insight on how you managed to do that? I'm looking at the link you sent, and the AWS Resource and Property Types Reference, but I can't find where that Kinesis event is. Thanks in advance.

@NicoSorrenti The following creates two CloudWatch Event rules. One for GuardDuty, Trusted Advisor, and test events, and one for CloudTrail events.

    // Modules this snippet relies on (CDK v0.34-era package names); the code runs inside a Stack constructor
    const iam = require('@aws-cdk/aws-iam');
    const events = require('@aws-cdk/aws-events');
    // RECORDS_SOURCE: the ARN of the Kinesis Stream, as a string, defined elsewhere in the stack

    // Create IAM Role for CloudWatch Events to send to the Kinesis Stream
    const event_role = new iam.Role(this, "event_role", {
      assumedBy: new iam.ServicePrincipal('events.amazonaws.com')
    });

    // Least privilege: only the PutRecord* actions, and only on this stream's ARN
    event_role.addToPolicy(new iam.PolicyStatement({
      resources: [RECORDS_SOURCE],
      actions: ['kinesis:PutRecord*']
    }));

    // Create rule to send GuardDuty, TrustedAdvisor, heartbeat, and test_events to our Kinesis Stream
    // Some of the needed functionality does not exist in the CDK yet and must be over-ridden
    const guardduty_rule = new events.Rule(this, "guardduty_rule", {
      ruleName: "guardduty_rule",
      schedule: events.Schedule.expression("rate(30 minutes)"),  // Ignore this schedule, it will be over-ridden
      description: "Collects GuardDuty, TrustedAdvisor, heartbeat, and test events"
    });

    // The underlying CfnResource (L1) of the Rule; in TypeScript this needs a cast to CfnResource
    const guardduty_rule_resource = guardduty_rule.node.findChild('Resource');

    // An undefined override value removes the property from the synthesized template
    guardduty_rule_resource.addOverride('Properties.ScheduleExpression', undefined);
    guardduty_rule_resource.addOverride('Properties.EventPattern',
      { source: [
        "aws.guardduty",
        "aws.trustedadvisor",
        "event_test",
        "event_forwarder"]
      }
    );
    // Raw CloudFormation target shape: Arn, Id and the RoleArn Events assumes to write to the stream
    guardduty_rule_resource.addOverride('Properties.Targets',
      [{
        Arn: RECORDS_SOURCE,
        Id: "target",
        RoleArn: event_role.roleArn
      }]
    );

    // Create rule to send CloudTrail events to our Kinesis Stream
    const cloudtrail_rule = new events.Rule(this, "cloudtrail_rule", {
      ruleName: "cloudtrail_rule",
      schedule: events.Schedule.expression("rate(30 minutes)"), // Ignore this schedule, it will be over-ridden
      description: "Collects CloudTrail events"
    });

    const cloudtrail_rule_resource = cloudtrail_rule.node.findChild('Resource');

    cloudtrail_rule_resource.addOverride('Properties.ScheduleExpression', undefined);
    cloudtrail_rule_resource.addOverride('Properties.EventPattern',
      { "detail-type": ["AWS API Call via CloudTrail"] }
    );
    cloudtrail_rule_resource.addOverride('Properties.Targets',
      [{
        Arn: RECORDS_SOURCE,
        Id: "target",
        RoleArn: event_role.roleArn
      }]
    );

RECORDS_SOURCE is a string for the ARN for the Kinesis Stream. I wrote this 4 months ago, so there may be some updates needed for newer versions of the CDK as it looks like I was using the CDK v0.34.0.
