Skip to content

feat(kinesisfirehose): support iceberg destination #35761

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 11 commits into
base: main
Choose a base branch
from
Open

feat(kinesisfirehose): support iceberg destination #35761

wants to merge 11 commits into from
+3,783 −1

Conversation

@Konippi
Copy link
Contributor

@Konippi Konippi commented Oct 16, 2025

Issue # (if applicable)

Closes #33666.

Reason for this change

Firehose supports the destination settings for Apache Iceberg Table.
https://docs.aws.amazon.com/firehose/latest/dev/apache-iceberg-destination.html

But at the present, L2 Construct does not support it.

Description of changes

This PR adds a new IcebergDestination to the aws-kinesisfirehose module that implements the IDestination interface.

Describe any new or updated permissions being added

Description of how you validated changes

Unit tests and integration tests

Checklist

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

@github-actions github-actions bot added the beginning-contributor [Pilot] contributed between 0-2 PRs to the CDK label Oct 16, 2025
@aws-cdk-automation aws-cdk-automation requested a review from a team October 16, 2025 14:46
@github-actions github-actions bot added effort/medium Medium work item – several days of effort feature-request A feature should be added or improved. p2 labels Oct 16, 2025
aws-cdk-automation
aws-cdk-automation previously requested changes Oct 16, 2025
View reviewed changes
Copy link
Collaborator

@aws-cdk-automation aws-cdk-automation left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

(This review is outdated)

tmokmss
tmokmss reviewed Oct 22, 2025
View reviewed changes
.../@aws-cdk-testing/framework-integ/test/aws-kinesisfirehose/test/integ.iceberg-destination.ts

const app = new cdk.App();

const stack = new cdk.Stack(app, 'aws-cdk-firehose-iceberg-destination');
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The current integ test file doesn't work in my environment. It throws errors as below:

5:23:04 PM | CREATE_FAILED | AWS::KinesisFirehose::DeliveryStream | IcebergDeliveryStr...CustomRole50F03C05
Resource handler returned message: "Role arn:aws:iam::123456789012:role/aws-cdk-firehose-iceberg-destina-CustomRole6D8E6809-g4HAdgCYjJQD is not authorized to perform: glue:GetTable for the given table or the table does not exist. (Service: Firehose, Status Code: 400, Request ID: ...

.../@aws-cdk-testing/framework-integ/test/aws-kinesisfirehose/test/integ.iceberg-destination.ts Outdated
destinationTableConfigurations: [
{
databaseName: 'iceberg_db',
tableName: 'iceberg_table',
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You can use database.ref and table.ref to get these names. Plus it automatically sets proper dependencies between those resources.

packages/aws-cdk-lib/aws-kinesisfirehose/lib/iceberg-destination.ts Outdated
resources: [
catalogArn,
`${catalogArn}/database/*`,
`${catalogArn}/table/*`,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Given that a catalog can be shared with multiple systems in a region, I feel table/* and database/* is a bit too permissive. Can we narrow them down using information from destinationTableConfigurations?

.../@aws-cdk-testing/framework-integ/test/aws-kinesisfirehose/test/integ.iceberg-destination.ts Outdated
new firehose.DeliveryStream(stack, 'IcebergDeliveryStreamAllProperties', {
destination: new firehose.IcebergDestination(bucket, {
catalogConfiguration: {
catalogArn: `arn:aws:glue:${cdk.Stack.of(stack).region}:${cdk.Stack.of(stack).account}:catalog`,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'd recommend to use Stack.formatArn in aws-cdk-lib code. This way you don't have to care about region/account/partition.

packages/aws-cdk-lib/aws-kinesisfirehose/lib/iceberg-destination.ts Outdated
resources: [
catalogArn,
`${catalogArn}/database/*`,
`${catalogArn}/table/*`,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reading this document, the correct format for glue database/table is
arn:${Partition}:glue:${Region}:${Account}:database/${DatabaseName} or arn:${Partition}:glue:${Region}:${Account}:table/${DatabaseName}/${TableName}. It seems we don't need catalog part.

Another document is referring to another arn format, so I'm not entirely sure 👀

packages/aws-cdk-lib/aws-kinesisfirehose/lib/iceberg-destination.ts Outdated
* Specifies the Glue catalog ARN identifier of the destination Apache Iceberg Tables.
* Format: arn:aws:glue:region:account-id:catalog
*
* @default - Uses the default Glue Catalog for the account
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does this description align with the current implementation?

packages/aws-cdk-lib/aws-kinesisfirehose/lib/iceberg-destination.ts Outdated

// Add CreateTable permission if table creation is enabled
if (this.props.tableCreationEnabled) {
actions.push('glue:CreateTable');
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Don't we need this permission when warehouseLocation (instead of catalogArn) and tableCreationEnabled is specified?

.../@aws-cdk-testing/framework-integ/test/aws-kinesisfirehose/test/integ.iceberg-destination.ts
new firehose.DeliveryStream(stack, 'IcebergDeliveryStreamWithWarehouse', {
destination: new firehose.IcebergDestination(bucket, {
catalogConfiguration: {
warehouseLocation: `s3://${bucket.bucketName}/warehouse`,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How about setting tableCreationEnabled for wider coverage?

@aws-cdk-automation aws-cdk-automation dismissed their stale review October 23, 2025 16:32

✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.

@Konippi Konippi marked this pull request as ready for review October 24, 2025 15:04
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@aws-cdk-automation aws-cdk-automation aws-cdk-automation left review comments

+1 more reviewer

@tmokmss tmokmss tmokmss left review comments

Reviewers whose approvals may not affect merge requirements

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

beginning-contributor [Pilot] contributed between 0-2 PRs to the CDK effort/medium Medium work item – several days of effort feature-request A feature should be added or improved. p2

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

kinesisfirehose: support Iceberg Destination

3 participants

@Konippi @tmokmss @aws-cdk-automation