Conversation

@dmacvicar dmacvicar commented Aug 6, 2025

Motivation

The mock server does not implement resource policy operations, but the provider redirects to it, generating an AccessDenied exception. See the original bug for details.

Changes

The PR implements the resource policy CRUD operations and provides snapshot integration tests tested against AWS.

Testing

See the original bug for details #12488. You can test with terraform:

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
  required_version = ">= 1.0"
}

resource "aws_kinesis_stream" "kinesis_stream" {
  name             = "my-kinesis-stream"
  shard_count      = 1
  retention_period = 24
}

data "aws_iam_policy_document" "kinesis_data_stream_policy" {
  statement {
    actions = [
      "kinesis:PutRecord",
      "kinesis:PutRecords"
    ]

    resources = [
      aws_kinesis_stream.kinesis_stream.arn
    ]

    principals {
      type        = "AWS"
      identifiers = ["*"]
    }

    effect = "Allow"
  }
}

resource "aws_kinesis_resource_policy" "stream_policy" {
  resource_arn = aws_kinesis_stream.kinesis_stream.arn
  policy       = data.aws_iam_policy_document.kinesis_data_stream_policy.json
}

Or with plain awscli:

#!/bin/bash

set -e

STREAM_NAME="sample-table-dynamodb-stream"
REGION="us-east-1"
ACCOUNT_ID="000000000000"
STREAM_ARN="arn:aws:kinesis:$REGION:$ACCOUNT_ID:stream/$STREAM_NAME"

echo "Creating Kinesis stream: $STREAM_NAME"
awslocal kinesis create-stream \
  --stream-name "$STREAM_NAME" \
  --shard-count 1

echo "Waiting for the stream to become ACTIVE..."
while true; do
  STATUS=$(awslocal kinesis describe-stream-summary --stream-name "$STREAM_NAME" \
    --query "StreamDescriptionSummary.StreamStatus" --output text)
  if [ "$STATUS" == "ACTIVE" ]; then
    echo "Stream is ACTIVE."
    break
  fi
  sleep 1
done

awslocal kinesis put-resource-policy \
  --resource-arn "$STREAM_ARN" \
  --policy '{
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Principal": {
          "AWS": "arn:aws:iam::000000000000:role/service-role"
        },
        "Action": [
          "kinesis:DescribeStreamSummary",
          "kinesis:GetShardIterator",
          "kinesis:GetRecords",
          "kinesis:ListShards"
        ],
        "Resource": "'"$STREAM_ARN"'"
      }
    ]
  }'

echo "✅ Policy attached successfully."

It also passes the terraform aws provider integration test:

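As an added example (not code from the PR or from LocalStack), the following exercises the three resource-policy operations this PR implements as a put/get/delete round trip, and adds a check that flags the `identifiers = ["*"]` principal from the Terraform sample above, which grants the listed actions to any AWS account. The `FakeKinesis` client and the ARNs used in it are constructed stand-ins; against LocalStack you would pass a `boto3.client("kinesis", endpoint_url=...)` pointed at your instance instead.

```python
import json

def kinesis_resource_policy(stream_arn, principal, actions):
    """Build the single-statement policy shape used in the PR's awscli example."""
    statement = {"Effect": "Allow", "Principal": {"AWS": principal},
                 "Action": list(actions), "Resource": stream_arn}
    return json.dumps({"Version": "2012-10-17", "Statement": [statement]})

def wildcard_principals(policy_json):
    """Indexes of Allow statements whose AWS principal is "*" (any account)."""
    flagged = []
    for i, st in enumerate(json.loads(policy_json).get("Statement", [])):
        p = st.get("Principal")
        ids = [p] if isinstance(p, str) else (p or {}).get("AWS", [])
        ids = [ids] if isinstance(ids, str) else ids
        if st.get("Effect") == "Allow" and "*" in ids:
            flagged.append(i)
    return flagged

def round_trip(client, stream_arn, policy_json):
    """Put, read back, delete; returns (stored == sent, gone after delete)."""
    client.put_resource_policy(ResourceARN=stream_arn, Policy=policy_json)
    stored = client.get_resource_policy(ResourceARN=stream_arn)["Policy"]
    client.delete_resource_policy(ResourceARN=stream_arn)
    try:  # boto3 raises client.exceptions.ResourceNotFoundException here
        client.get_resource_policy(ResourceARN=stream_arn)
        cleared = False
    except Exception:
        cleared = True
    return json.loads(stored) == json.loads(policy_json), cleared

class FakeKinesis:
    """Constructed in-memory stand-in with the same three call signatures."""
    def __init__(self):
        self.policies = {}

    def put_resource_policy(self, ResourceARN, Policy):
        self.policies[ResourceARN] = Policy

    def get_resource_policy(self, ResourceARN):
        if ResourceARN not in self.policies:
            raise LookupError("ResourceNotFoundException")
        return {"Policy": self.policies[ResourceARN]}

    def delete_resource_policy(self, ResourceARN):
        self.policies.pop(ResourceARN, None)
```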

@dmacvicar dmacvicar self-assigned this Aug 6, 2025
@dmacvicar dmacvicar added aws:kinesis Amazon Kinesis semver: minor Non-breaking changes which can be included in minor releases, but not in patch releases labels Aug 6, 2025
@dmacvicar dmacvicar marked this pull request as draft August 6, 2025 08:17
@dmacvicar dmacvicar force-pushed the kinesis_put_resource_policy branch from 247da14 to e188b38 Compare August 6, 2025 08:33
@dmacvicar dmacvicar marked this pull request as ready for review August 6, 2025 09:08
@alexrashed alexrashed added this to the 4.9 milestone Sep 5, 2025
@dmacvicar dmacvicar force-pushed the kinesis_put_resource_policy branch from e188b38 to aa5a8cd Compare September 26, 2025 07:23
@gregfurman gregfurman left a comment

LGTM!

@gregfurman gregfurman merged commit e60ff8e into localstack:main Sep 29, 2025
34 checks passed