Issue creating cloudwatch subscription filter for firehose - Could not deliver test message to specified Firehose stream. User: XXXXX is not authorized to perform: firehose:PutRecord

[john-gobl-hilabs]

hello,

I am facing an error creating a cloudwatch logs subscription filter to an aws firehose stream. The error suggests a permissions issue when cdk is trying to deliver a test message.
Invalid request provided: AWS::Logs::SubscriptionFilter. Could not deliver test message to specified Firehose stream. User: XXXX is not authorized to perform: firehose:PutRecord on resource: arn:aws:firehose:XXXXX no identity-based policy allows the firehose:PutRecord action (Service: CloudWatchLogs, Status Code: 400, Reques t ID: 17f4b74f-fea6-4872-963b-7bbc2aebe65a) (SDK Attempt Count: 1)" (RequestToken: 3cd65428-5b35-3137-0e8f-bb2d7d3b8cda, HandlerErrorCode: InvalidRequest)
(identifers replaced with XXXX)

Is this an issue with the account the cdk deploy is running against? It has administrator access so should not have issues I think. And a role and policy is created to give the firehose:PutRecord permissions. See sample code

const params = new URLSearchParams({
      'dd-protocol': 'aws-kinesis-firehose',
    });

    const DD_DESTINATION_ENDPOINT = `https://aws-kinesis-http-intake.logs.us3.datadoghq.com/api/v2/logs?${params.toString()}`;

    const firehoseRole = new aws_iam.Role(this, 'FirehoseRole', {
      assumedBy: new aws_iam.ServicePrincipal('firehose.amazonaws.com'),
    });

    const failedDeliveryBucket = new aws_s3.Bucket(this, 'FailedFirehoseDeliveryBucket', {
      bucketName: 'test',
      blockPublicAccess: aws_s3.BlockPublicAccess.BLOCK_ALL,
      encryption: aws_s3.BucketEncryption.S3_MANAGED,
      lifecycleRules: [
        {
          expiration: Duration.days(30),
        },
      ],
      removalPolicy: RemovalPolicy.DESTROY,
    });

    failedDeliveryBucket.grantWrite(firehoseRole);

    const commonAttributes = [{
      attributeName: 'source',
      attributeValue: 'chat-advisor-service-lambda'
    }, {
      attributeName: 'env',
      attributeValue: 'staging',
    }];

    const firehose = new cdk.aws_kinesisfirehose.CfnDeliveryStream(this, 'FirehoseStream', {
      deliveryStreamType: 'DirectPut',
      httpEndpointDestinationConfiguration: {
        retryOptions: {
          durationInSeconds: 60,
        },
        bufferingHints: {
          intervalInSeconds: 60,
          sizeInMBs: 4,
        },
        roleArn: firehoseRole.roleArn,
        endpointConfiguration: {
          url: DD_DESTINATION_ENDPOINT,
          accessKey: ddApiKeySecret.secretValue.unsafeUnwrap(),
        },
        requestConfiguration: {
          commonAttributes: commonAttributes,
        },
        s3Configuration: {
          roleArn: firehoseRole.roleArn,
          bucketArn: failedDeliveryBucket.bucketArn,
          prefix: '',
        },
      },
      
    });

    const firehoseSubscriptionRole = new aws_iam.Role(this, `FirehoseSubscriptionRole`, {
      assumedBy: new aws_iam.ServicePrincipal('logs.amazonaws.com'),
    });

    firehoseSubscriptionRole.addToPolicy(
      new aws_iam.PolicyStatement({
        actions: [
          'firehose:PutRecord',
          'firehose:PutRecordBatch',
          'kinesis:PutRecord',
          'kinesis:PutRecords',
        ],
        resources: [firehose.attrArn],
      }),
    );

    new aws_logs.CfnSubscriptionFilter(this, `${testLambdaFunction.node.id}-firehose-subscription-filter`, {
      destinationArn: firehose.attrArn,
      filterPattern: '',
      logGroupName: testLambdaFunction.logGroup.logGroupName,
      roleArn: firehoseSubscriptionRole.roleArn,
    });

Using nodejs 22, aws cdk v2.

Any help appreciated. thank you

[john-gobl-hilabs]

I figured this out. cdk/cloudformation was not automatically inferring ordering/dependencies between some of the resources. I added a couple of dependencies explicitly in the cdk code and it started working.

firehoseSubscriptionRole.node.addDependency(firehose);
subscriptionFilter.node.addDependency(firehoseSubscriptionRole);

[github-actions[bot]]

Hello! Reopening this discussion to make it searchable.