feat(gen2-migration): lambda access to kinesis streams#14644

Open
sai-ray wants to merge 2 commits into gen2-migration from sai/lambda-access-to-kinesis-streams-for-gen2-migration

Conversation

@sai-ray sai-ray commented Mar 4, 2026

Fixes: #14620

Description

This PR extends the migration codegen pipeline to detect and preserve Kinesis stream access for Lambda functions during Amplify gen1 to gen2 migration, following the same pattern used for DynamoDB and S3 function access.

Changes

  • New KinesisCloudFormationAccessParser (codegen-head/kinesis_cfn_access_parser.ts) reads each function's Gen1 CFN template and extracts kinesis:* IAM actions from the AmplifyResourcesPolicy resource. Follows the same pattern as DynamoDBCloudFormationAccessParser and S3CloudFormationAccessParser.

  • New extractFunctionKinesisAccess() in adapters/analytics/analytics_access.ts aggregates per-function Kinesis permissions into FunctionKinesisAccess[].

  • Function adapter (adapters/functions/index.ts) now filters ANALYTICS_*_KINESISSTREAMARN env vars into filteredEnvironmentVariables, same as existing STORAGE_* and AUTH_* filtering.

  • Lambda env generator (generators/functions/lambda_env_generator.ts) maps ANALYTICS_.*_KINESISSTREAMARN to analytics.kinesisStreamArn using a direct variable reference (isDirect = true) since analytics is a standalone CDK construct, not accessed via backend.

  • BackendSynthesizer (backend/synthesizer.ts) extended with functionsWithKinesisAccess on BackendRenderParameters.analytics. Generates addToRolePolicy() calls with aws_iam.PolicyStatement for each function with Kinesis access, and adds the aws_iam import from aws-cdk-lib.

  • Migration pipeline (core/migration-pipeline.ts) calls extractFunctionKinesisAccess(functionNames) and passes results to backendRenderOptions.analytics.functionsWithKinesisAccess.

Input:

IAM Permissions

"AmplifyResourcesPolicy": {
  "DependsOn": [
    "LambdaExecutionRole"
  ],
  "Type": "AWS::IAM::Policy",
  "Properties": {
    "PolicyName": "amplify-lambda-execution-policy",
    "Roles": [
      {
        "Ref": "LambdaExecutionRole"
      }
    ],
    "PolicyDocument": {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "kinesis:ListShards",
            "kinesis:ListStreams",
            "kinesis:ListStreamConsumers",
            "kinesis:DescribeStream",
            "kinesis:DescribeStreamSummary",
            "kinesis:DescribeStreamConsumer",
            "kinesis:GetRecords",
            "kinesis:GetShardIterator",
            "kinesis:SubscribeToShard",
            "kinesis:DescribeLimits",
            "kinesis:ListTagsForStream",
            "kinesis:SubscribeToShard"
          ],
          "Resource": {
            "Ref": "analyticsmoodBoardDemoKinesiskinesisStreamArn"
          }
        }
      ]
    }
  }
}

Environment Variable

"Environment": {
  "Variables": {
    "ENV": {
      "Ref": "env"
    },
    "REGION": {
      "Ref": "AWS::Region"
    },
    "ANALYTICS_MOODBOARDDEMOKINESIS_KINESISSTREAMARN": {
      "Ref": "analyticsmoodBoardDemoKinesiskinesisStreamArn"
    }
  }
}

Output (backend.ts)

import { aws_iam } from "aws-cdk-lib";

backend.moodboardKinesisReader.resources.lambda.addToRolePolicy(new aws_iam.PolicyStatement({
   actions: ["kinesis:ListShards", "kinesis:ListStreams", "kinesis:ListStreamConsumers", "kinesis:DescribeStream", "kinesis:DescribeStreamSummary", "kinesis:DescribeStreamConsumer", "kinesis:GetRecords", "kinesis:GetShardIterator", "kinesis:SubscribeToShard", "kinesis:DescribeLimits", "kinesis:ListTagsForStream"],
   resources: [analytics.kinesisStreamArn]
}));

backend.moodboardKinesisReader.addEnvironment("ANALYTICS_MOODBOARDKINESIS_KINESISSTREAMARN", analytics.kinesisStreamArn);

Issue #, if available

Description of how you validated changes

Tested migration on an Amplify Gen1 app containing a lambda function reading from a kinesis stream.

Checklist

  • PR description included
  • yarn test passes
  • Tests are changed or added
  • Relevant documentation is changed or added (and PR referenced)
  • New AWS SDK calls or CloudFormation actions have been added to relevant test and service IAM policies
  • Pull request labels are added

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

@sai-ray sai-ray requested a review from a team as a code owner March 4, 2026 09:20
@sai-ray sai-ray enabled auto-merge (squash) March 4, 2026 09:27
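As an added example (not the PR's own code), a compact TypeScript model of the parser and synthesizer steps the description lists: it reads the AmplifyResourcesPolicy statement from a function's Gen1 template, deduplicates the kinesis:* actions (the PR's output also drops the repeated SubscribeToShard), filters ANALYTICS_*_KINESISSTREAMARN variables, and renders the backend.ts lines. The type and function names and the sample template are constructed here; skipping statements whose Resource is not a Ref is this example's choice, not behaviour the PR states.

```typescript
// Added example, not the PR's code: a compact model of the Kinesis access extraction and
// backend.ts rendering the PR describes. Names here are assumptions, not the PR's identifiers.
type CfnTemplate = { Resources: Record<string, { Type: string; Properties?: Record<string, any> }> };

export interface FunctionKinesisAccess {
  functionName: string;
  actions: string[];   // deduplicated kinesis:* actions, in template order
  streamRef: string;   // logical id of the referenced stream-ARN parameter
  envVars: string[];   // ANALYTICS_*_KINESISSTREAMARN variables to re-create
}
const KINESIS_ENV = /^ANALYTICS_.*_KINESISSTREAMARN$/;

export function extractKinesisAccess(functionName: string, t: CfnTemplate): FunctionKinesisAccess | undefined {
  const policy = t.Resources["AmplifyResourcesPolicy"];
  if (policy?.Type !== "AWS::IAM::Policy") return undefined;
  const actions: string[] = [];
  let streamRef = "";
  for (const st of policy.Properties?.PolicyDocument?.Statement ?? []) {
    const list: string[] = (Array.isArray(st.Action) ? st.Action : [st.Action]).filter((a: string) => a.startsWith("kinesis:"));
    // Only Allow statements scoped to a Ref'd stream ARN are carried over; a wildcard
    // or literal Resource is skipped and left for manual review (this example's choice).
    if (st.Effect !== "Allow" || !st.Resource?.Ref || list.length === 0) continue;
    for (const a of list) if (!actions.includes(a)) actions.push(a);
    streamRef = st.Resource.Ref;
  }
  if (actions.length === 0) return undefined;
  const envVars = Object.values(t.Resources)
    .filter((r) => r.Type === "AWS::Lambda::Function")
    .flatMap((r) => Object.keys(r.Properties?.Environment?.Variables ?? {}))
    .filter((k) => KINESIS_ENV.test(k));
  return { functionName, actions, streamRef, envVars };
}

// Emits the backend.ts lines for one function, in the shape shown in the PR's output.
export function renderKinesisPolicy(a: FunctionKinesisAccess): string {
  const actions = a.actions.map((x) => JSON.stringify(x)).join(", ");
  return [
    `backend.${a.functionName}.resources.lambda.addToRolePolicy(new aws_iam.PolicyStatement({`,
    `  actions: [${actions}],`,
    `  resources: [analytics.kinesisStreamArn]`,
    `}));`,
    ...a.envVars.map((v) => `backend.${a.functionName}.addEnvironment(${JSON.stringify(v)}, analytics.kinesisStreamArn);`),
  ].join("\n");
}

// Constructed template condensed from the PR's input; the duplicated action is kept on purpose.
export const SAMPLE: CfnTemplate = { Resources: {
  LambdaFunction: { Type: "AWS::Lambda::Function", Properties: { Environment: { Variables: {
    ENV: { Ref: "env" }, ANALYTICS_MOODBOARDDEMOKINESIS_KINESISSTREAMARN: { Ref: "analyticsmoodBoardDemoKinesiskinesisStreamArn" } } } } },
  AmplifyResourcesPolicy: { Type: "AWS::IAM::Policy", Properties: { PolicyDocument: { Statement: [
    { Effect: "Allow", Action: ["kinesis:GetRecords", "kinesis:SubscribeToShard", "kinesis:SubscribeToShard"],
      Resource: { Ref: "analyticsmoodBoardDemoKinesiskinesisStreamArn" } } ] } } },
} };
```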