feat(kinesisfirehose): support HTTP endpoint destination

[Tietew]

Issue # (if applicable)

Closes #15502.
Closes #33585.

Reason for this change

Amazon Data Firehose delivery stream can deliver records to a custom HTTP endpoint destination.
Some destinations, e.g. Colalogix, Datadog, New Relic, etc., are based on HTTP endpoint destination.

See also:

• Configure destination settings for HTTP Endpoint
• Understand HTTP endpoint delivery request and response specifications
• Authenticate with AWS Secrets Manager in Amazon Data Firehose

Description of changes

Added the HttpEndpoint destination class.

Usage:

const httpDestination = new firehose.HttpEndpoint({
  // Endpoint configuration
  url: 'https://example.com/',
  name: 'MyEndpointName', // The endpoint name - optional
  // Authentication - optional
  authentication: firehose.HttpEndpointAuthentication.accessKey('my-access-key'), // Access key
  authentication: firehose.HttpEndpointAuthentication.secretsManager({ secret }), // Secret from AWS Secrets Manager
  // Request configuration - optional
  parameters: {
    'deployment-context': 'pre-prod-gamma',
  },
  contentEncoding: firehose.ContentEncoding.GZIP,
  retryDuration: Duration.minutes(60),
  bufferingInterval: Duration.seconds(300),
  bufferingSize: Size.mebibytes(5),
  // Data Processor - optional
  processors: [lambdaProcessor], // In management console, only one lambda processor is allowed
  // Logging configuration - optional
  loggingConfig: new firehose.LoggingEnabled(),
  // S3 backup configuration - optional
  s3Backup: {
    mode: firehose.BackupMode.FAILED, // default - backup failed records
    mode: firehose.BackupMode.ALL, // backup all records
    bucket: backupBucket, // S3 backup bucket is automatically created by default
  },
});

Describe any new or updated permissions being added

The HTTP endpoint destination will grant following accesses to the destination role:

• Read access to the secret if present using secret.grantRead()
• Read/Write access to the backup bucket using bucket.grantReadWrite()
• Write access to the log group using logGroup.grantWrite()

Description of how you validated changes

Added unit tests and an Integ test.
The integ test also asserts the http endpoint (with access key) is invoked correctly.

Checklist

• My code adheres to the CONTRIBUTING GUIDE and DESIGN GUIDELINES

---

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

[github-actions]

⚠️ Experimental Feature: This security report is currently in experimental phase. Results may include false positives and the rules are being actively refined.
This security report is NOT a review blocker. Please try merge from main to avoid findings unrelated to the PR.

---

	Tests	Passed ✅	Skipped	Failed
Security Guardian Results	48 ran	48 passed

Test	Result
No test annotations available

• View Security Guardian Results

[github-actions]

⚠️ Experimental Feature: This security report is currently in experimental phase. Results may include false positives and the rules are being actively refined.
This security report is NOT a review blocker. Please try merge from main to avoid findings unrelated to the PR.

---

	Tests	Passed ✅	Skipped	Failed
Security Guardian Results with resolved templates	48 ran	48 passed

Test	Result
No test annotations available

• View Security Guardian Results with resolved templates

[badmintoncryer]

Thank you for your contribution. I've added some minor comments.

[badmintoncryer]

nit: typo

Suggested change

	class HttpEndpointAccesKeyAuthentication extends HttpEndpointAuthentication {
	class HttpEndpointAccessKeyAuthentication extends HttpEndpointAuthentication {

[badmintoncryer]

nit: typo

Suggested change

	/** No content-encoing */
	/** No content-encoding */

[badmintoncryer]

nit: It may be slightly better to show a unit.

Suggested change

	throw new cdk.ValidationError(`Retry duration must be less than or equal to 7200 seconds, got ${this.props.retryDuration.toSeconds()}.`, scope);
	throw new cdk.ValidationError(`Retry duration must be less than or equal to 7200 seconds, got ${this.props.retryDuration.toSeconds()} seconds.`, scope);

[badmintoncryer]

Could you please add a validation to check the url prop begins with https://?

https://docs.aws.amazon.com/firehose/latest/dev/create-destination.html#create-destination-http

[badmintoncryer]

Error class now needs a error code.

#36934

[badmintoncryer]

Is this feature flag condition needed?

[badmintoncryer]

Do we actually need this parameter? One alternative worth considering would be to make secret a required field, and derive the enabled state from it, treating a provided secret as enabled = true. If there are any concrete use cases where explicitly setting enabled = false is necessary, it would be helpful to understand what those look like.

[badmintoncryer]

Could you please confirm to use the reference interface instead of L2 interface?
This applies equally to all other arguments that accept an Interface.

https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md#consuming-construct-interfaces-what-interface-type-to-choose

Suggested change

	readonly role?: iam.IRole;
	readonly role?: iam.IRoleRef;