(kinesisfirehose): DeliveryStream creates useless role #26927

@peterwoodworth

Describe the bug

The DeliveryStream construct always creates a role:

    const role = props.role ?? new iam.Role(this, 'Service Role', {

However, this role ends up with no permissions, and no reason to exist if no source stream or encryption key are used:

    "DeliveryStreamServiceRole0CF4E414": {
     "Type": "AWS::IAM::Role",
     "Properties": {
      "AssumeRolePolicyDocument": {
       "Statement": [
        {
         "Action": "sts:AssumeRole",
         "Effect": "Allow",
         "Principal": {
          "Service": "firehose.amazonaws.com"
         }
        }
       ],
       "Version": "2012-10-17"
      }
     },
     "Metadata": {
      "aws:cdk:path": "EipFailTagsStack/DeliveryStream/Service Role/Resource"
     }
    },

Expected Behavior

I expect no role to be created

Current Behavior

An unnecessary role is created

Reproduction Steps

Create a DeliveryStream without an encryptionKey, encryption, or sourceStream prop.

    new firehose.DeliveryStream(this, 'DeliveryStream', { 
      destinations: [new destinations.S3Bucket(new s3.Bucket(this, 'Bucket'))]
    });

Possible Solution

In this case, we will need to check for the appropriate props before creating the role.

Additional Information/Context

No response

CDK CLI Version

current

Framework Version

No response

Node.js Version

16

OS

mac

Language

TypeScript

Language Version

No response

Other information

Can work around for now with the following escape hatch:

    stream.node.tryRemoveChild('Service Role')

Labels

@aws-cdk/aws-kinesisfirehose (Related to Amazon Kinesis Data Firehose); bug (This issue is a bug.); effort/small (Small work item – less than a day of effort); good first issue (Related to contributions. See CONTRIBUTING.md); p2
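A check for the condition this issue describes, as an added example that is not part of the original issue or of the CDK code base: it scans a synthesized CloudFormation template for IAM roles that have a trust policy but no permissions, and reports whether anything still references them. The names `findPermissionlessRoles`, `collectRefs` and the three `Example*` resources are assumptions made for illustration; only the `DeliveryStreamServiceRole0CF4E414` entry comes from the issue.

```typescript
interface RoleFinding { logicalId: string; trustedServices: string[]; referenced: boolean; }

// Record every logical ID named by {"Ref": id} or {"Fn::GetAtt": [id, attr]} in a subtree.
function collectRefs(node: any, out: { [id: string]: boolean }): void {
  if (node === null || typeof node !== 'object') return;
  if (typeof node['Ref'] === 'string') out[node['Ref']] = true;
  const getAtt = node['Fn::GetAtt'];
  if (Array.isArray(getAtt) && typeof getAtt[0] === 'string') out[getAtt[0]] = true;
  Object.keys(node).forEach((k) => collectRefs(node[k], out));
}

function findPermissionlessRoles(template: any): RoleFinding[] {
  const resources: { [id: string]: any } = template.Resources || {};
  const attached: { [id: string]: boolean } = {};   // roles listed in a policy's Roles
  const referenced: { [id: string]: boolean } = {}; // roles used by any other resource
  Object.keys(resources).forEach((id) => {
    const res = resources[id];
    const isPolicy = res.Type === 'AWS::IAM::Policy' || res.Type === 'AWS::IAM::ManagedPolicy';
    if (isPolicy) collectRefs((res.Properties || {}).Roles, attached);
    else collectRefs(res, referenced);
  });
  const found: RoleFinding[] = [];
  Object.keys(resources).forEach((id) => {
    const res = resources[id];
    if (res.Type !== 'AWS::IAM::Role') return;
    const props = res.Properties || {};
    const hasPerms = (props.Policies || []).length > 0 ||
      (props.ManagedPolicyArns || []).length > 0 || attached[id] === true;
    if (hasPerms) return;
    const services: string[] = [];
    ((props.AssumeRolePolicyDocument || {}).Statement || []).forEach((s: any) => {
      const svc = (s.Principal || {}).Service;
      if (svc) ([] as string[]).concat(svc).forEach((x) => services.push(x));
    });
    found.push({ logicalId: id, trustedServices: services, referenced: referenced[id] === true });
  });
  return found;
}

// Constructed sample: the role from the issue plus hypothetical Example* resources.
const SAMPLE_TEMPLATE = { Resources: {
  DeliveryStreamServiceRole0CF4E414: { Type: 'AWS::IAM::Role', Properties: {
    AssumeRolePolicyDocument: { Version: '2012-10-17', Statement: [
      { Action: 'sts:AssumeRole', Effect: 'Allow', Principal: { Service: 'firehose.amazonaws.com' } }] } } },
  ExampleDestinationRole: { Type: 'AWS::IAM::Role', Properties: { AssumeRolePolicyDocument: { Statement: [] } } },
  ExampleDestinationPolicy: { Type: 'AWS::IAM::Policy', Properties: { Roles: [{ Ref: 'ExampleDestinationRole' }] } },
  ExampleStream: { Type: 'AWS::KinesisFirehose::DeliveryStream', Properties: {
    ExtendedS3DestinationConfiguration: { RoleARN: { 'Fn::GetAtt': ['ExampleDestinationRole', 'Arn'] } } } },
} };
const sampleFindings = findPermissionlessRoles(SAMPLE_TEMPLATE);
```

Running it over the template before and after applying the escape hatch shows whether the empty role is still synthesized; `DependsOn` entries are not counted as references here.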
