logs: Allow overriding Role in `addSubscriptionFilter`

[jordanst3wart]

I'm trying to add a boundary permission to the IAM role created here:
https://github.com/aws/aws-cdk/blob/v1.36.0/packages/@aws-cdk/aws-logs-destinations/lib/kinesis.ts#L17

My code looks something like:

item.addSubscriptionFilter(generateID(),{destination: dest, filterPattern: log.FilterPattern.allEvents()} )

This creates an IAM role in the background.

It looks like you should be able to override the role like with the id:

        const id = 'CloudWatchLogsCanPutRecords';
        new iam.Role(this, id, {
            assumedBy: new iam.ServicePrincipal('logs.amazonaws.com'),
            permissionsBoundary: boundary
        });

But the scope (or this) used by addSubscriptionFilter is actually inaccessible.

aws-cdk/packages/@aws-cdk/aws-logs/lib/log-group.ts

Line 107 in 47c9919

public addSubscriptionFilter(id: string, props: SubscriptionFilterOptions): SubscriptionFilter {

Use Case

To add boundary permission to IAM role

Proposed Solution

Allow optional iam role to be passed in with addSubscriptionFilter

• 👋 I may be able to implement this feature request
• ⚠️ This feature might incur a breaking change

---

This is a 🚀 Feature Request

[arnulfojr]

Hi, I'd like to add that if the kinesis stream has SSE encryption the role also requires permissions to generate data key.
Right now this can't be easily done by using this abstractions.
Is there an approx date for it?