From df6110909403d196f9a3dedc5e5f9fddac2ebe05 Mon Sep 17 00:00:00 2001
From: Chris Kalafarski
Date: Mon, 16 Mar 2026 18:42:17 -0400
Subject: [PATCH 1/7] Add Kinesis stream policy to CDN logs stream

---
 cdn/dovetail-cdn/real-time-logs-kinesis.yml | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/cdn/dovetail-cdn/real-time-logs-kinesis.yml b/cdn/dovetail-cdn/real-time-logs-kinesis.yml
index 48ee5d19..4055ef48 100644
--- a/cdn/dovetail-cdn/real-time-logs-kinesis.yml
+++ b/cdn/dovetail-cdn/real-time-logs-kinesis.yml
@@ -28,6 +28,27 @@ Resources:
 - { Key: prx:ops:environment, Value: !Ref EnvironmentType }
 - { Key: prx:dev:family, Value: Dovetail }
 - { Key: prx:dev:application, Value: Counts }
+ CloudfrontRealTimeLogsStreamPolicy:
+ Type: AWS::Kinesis::ResourcePolicy
+ Properties:
+ ResourceArn: !GetAtt CloudfrontRealTimeLogsStream.Arn
+ ResourcePolicy:
+ Statement:
+ - Action:
+ - kinesis:DescribeStream
+ - kinesis:DescribeStreamSummary
+ - kinesis:GetRecords
+ - kinesis:GetShardIterator
+ - kinesis:ListShards
+ - kinesis:SubscribeToShard
+ Condition:
+ StringEquals:
+ aws:ResourceOrgID: ${aws:PrincipalOrgID}
+ aws:ResourceTag/prx:ops:environment: ${aws:PrincipalTag/prx:ops:environment}
+ Effect: Allow
+ Resource: !GetAtt CloudfrontRealTimeLogsStream.Arn
+ Principal: "*"
+ Version: '2012-10-17'

 Outputs:
 RealTimeLogsStreamArn:
From e95c24c588bc9df4c5a4b8e2a1351a83607f8b48 Mon Sep 17 00:00:00 2001
From: Chris Kalafarski
Date: Mon, 16 Mar 2026 19:12:21 -0400
Subject: [PATCH 2/7] Add second Kinesis stream trigger to Counts function

---
 spire/templates/apps-100A.yml | 3 ++-
 spire/templates/apps/dovetail-counts.yml | 16 ++++++++++++++--
 2 files changed, 16 insertions(+), 3 deletions(-)

diff --git a/spire/templates/apps-100A.yml b/spire/templates/apps-100A.yml
index da91272c..b7cb4992 100644
--- a/spire/templates/apps-100A.yml
+++ b/spire/templates/apps-100A.yml
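Review bot: The `aws:ResourceTag/prx:ops:environment: ${aws:PrincipalTag/prx:ops:environment}` condition silently couples read access to the `prx:ops:environment` tag this same template puts on the stream (the `- { Key: prx:ops:environment, Value: !Ref EnvironmentType }` context line above the new resource) and to an identically named tag on the calling role, and nothing in the statement says so; a consumer role without that tag, or a later edit to either tag value, would be refused with no hint in the policy as to why. A `Sid` and a short comment on the statement would make the dependency explicit, e.g. `# Read access is gated on the caller's prx:ops:environment tag matching the stream's; the consuming role must carry that tag`. Whether the Lambda execution role that will consume this stream is tagged cannot be confirmed from this hunk.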
@@ -194,7 +194,8 @@ Resources:
 ArrangementsDynamodbRegion: !Sub /prx/${EnvironmentTypeAbbreviation}/dovetail-cdn-arranger/ARRANGEMENTS_DDB_REGION
 ArrangementsDynamodbTableName: !Sub /prx/${EnvironmentTypeAbbreviation}/dovetail-cdn-arranger/ARRANGEMENTS_DDB_TABLE
 ArrangementsDynamodbAccessRoleArn: !Sub /prx/${EnvironmentTypeAbbreviation}/dovetail-cdn-arranger/ARRANGEMENTS_DDB_ACCESS_ROLE
- DovetailCdnLogsKinesisStreamArn: !Ref DovetailCdnLogsKinesisStreamArn
+ DovetailCdnLogsKinesisStreamArn: !Sub /prx/${EnvironmentTypeAbbreviation}/Spire/Dovetail-Counts/cdn-logs-kinesis-stream-arn
+ OldDovetailCdnLogsKinesisStreamArn: !Ref DovetailCdnLogsKinesisStreamArn
 DovetailCountedKinesisStreamArn: !Ref DovetailCountedKinesisStreamArn
 DovetailRedisClientSecurityGroupId: !Ref DovetailRedisClientSecurityGroupId
 DovetailRedisReplicationGroupEndpointAddress: !Ref DovetailRedisReplicationGroupEndpointAddress
diff --git a/spire/templates/apps/dovetail-counts.yml b/spire/templates/apps/dovetail-counts.yml
index 3a9de26f..b33d8745 100644
--- a/spire/templates/apps/dovetail-counts.yml
+++ b/spire/templates/apps/dovetail-counts.yml
@@ -28,7 +28,8 @@ Parameters:
 ArrangementsDynamodbRegion: { Type: AWS::SSM::Parameter::Value }
 ArrangementsDynamodbTableName: { Type: AWS::SSM::Parameter::Value }
 ArrangementsDynamodbAccessRoleArn: { Type: AWS::SSM::Parameter::Value }
- DovetailCdnLogsKinesisStreamArn: { Type: String }
+ DovetailCdnLogsKinesisStreamArn: { Type: AWS::SSM::Parameter::Value }
+ OldDovetailCdnLogsKinesisStreamArn: { Type: String }
 DovetailCountedKinesisStreamArn: { Type: String }
 DovetailRedisReplicationGroupEndpointAddress: { Type: String }
 DovetailRedisReplicationGroupEndpointPort: { Type: String }
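Review bot: The two new parameters in the `Parameters` hunk are undocumented, and their names now cut against what they hold: `DovetailCdnLogsKinesisStreamArn` is resolved from an SSM path while the parent stack's value of the same name is passed in as `OldDovetailCdnLogsKinesisStreamArn`, so a reader has to cross-reference apps-100A.yml to work out which stream is which. A comment on each line would remove the ambiguity, e.g. `# ARN of the CDN real-time-logs stream, resolved from SSM per environment` and `# Previous CDN logs stream ARN, still passed directly by the parent; remove once the cutover is complete` — the "previous" reading is inferred from the `Old` prefix, not stated anywhere visible. Separately, the new `Type: AWS::SSM::Parameter::Value` appears without the `<String>` type argument CloudFormation requires; the sibling parameters show the same, so this is most likely a rendering artifact of this page, but worth confirming in the file.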
@@ -88,8 +89,19 @@ Resources:
 BisectBatchOnFunctionError: true
 Enabled: true
 StartingPosition: LATEST
- Stream: !Ref DovetailCdnLogsKinesisStreamArn
+ Stream: !Ref OldDovetailCdnLogsKinesisStreamArn
 Type: Kinesis
+ CountsBytesKinesisStreamTrigger:
+ Fn::If:
+ - IsProduction
+ - !Ref AWS::NoValue
+ - Type: Kinesis
+ Properties:
+ BatchSize: 100
+ BisectBatchOnFunctionError: true
+ Enabled: true
+ StartingPosition: LATEST
+ Stream: !Ref DovetailCdnLogsKinesisStreamArn
 Handler: index.handler
 Layers:
 - Fn::If:
From bac60a85856f7c37cafeb16b3699216d7fa7525c Mon Sep 17 00:00:00 2001
From: Chris Kalafarski
Date: Tue, 17 Mar 2026 11:13:59 -0400
Subject: [PATCH 3/7] Fix stream event conditions

---
 spire/templates/apps/dovetail-counts.yml | 17 +++++++----------
 1 file changed, 7 insertions(+), 10 deletions(-)

diff --git a/spire/templates/apps/dovetail-counts.yml b/spire/templates/apps/dovetail-counts.yml
index b33d8745..ae8814af 100644
--- a/spire/templates/apps/dovetail-counts.yml
+++ b/spire/templates/apps/dovetail-counts.yml
@@ -92,16 +92,13 @@ Resources:
 Stream: !Ref OldDovetailCdnLogsKinesisStreamArn
 Type: Kinesis
 CountsBytesKinesisStreamTrigger:
- Fn::If:
- - IsProduction
- - !Ref AWS::NoValue
- - Type: Kinesis
- Properties:
- BatchSize: 100
- BisectBatchOnFunctionError: true
- Enabled: true
- StartingPosition: LATEST
- Stream: !Ref DovetailCdnLogsKinesisStreamArn
+ Properties:
+ BatchSize: 100
+ BisectBatchOnFunctionError: true
+ Enabled: !If [IsProduction, false, true]
+ StartingPosition: LATEST
+ Stream: !Ref DovetailCdnLogsKinesisStreamArn
+ Type: Kinesis
 Handler: index.handler
 Layers:
 - Fn::If:
From 88d84ecdc5d64c64be76abfa50299c60bd0b1d11 Mon Sep 17 00:00:00 2001
From: Chris Kalafarski
Date: Wed, 18 Mar 2026 13:51:51 -0400
Subject: [PATCH 4/7] Remove invalid action

---
 cdn/dovetail-cdn/real-time-logs-kinesis.yml | 1 -
 1 file changed, 1 deletion(-)
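Review bot: The new `CountsBytesKinesisStreamTrigger` copies the existing trigger's retry settings — `BisectBatchOnFunctionError: true` with no `MaximumRetryAttempts`, `MaximumRecordAgeInSeconds` or `DestinationConfig`/`OnFailure` — so a record that keeps failing is retried until it ages out of the stream, and the shard makes no progress in the meantime. As this is a fresh consumer on a different stream, it is the more likely of the two to meet a record shape the handler has not seen; bounding it with `MaximumRetryAttempts: 3` and a `MaximumRecordAgeInSeconds` value, plus an on-failure destination, would keep a poison record from stalling the shard, and the same could be applied to `CountsKinesisStreamTrigger` for consistency. That Lambda retries until record expiry when those keys are absent is the service default, not something visible in the hunk. The enclosing function definition starts before this hunk.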
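Review bot: Nothing in the hunk records why `CountsBytesKinesisStreamTrigger` is created disabled in production while the trigger above it (`Stream: !Ref OldDovetailCdnLogsKinesisStreamArn`, in the context lines) stays enabled, so whoever later flips `Enabled` has no guidance on whether the old trigger must be disabled at the same time. A comment on the `Enabled: !If [IsProduction, false, true]` line would capture the plan, e.g. `# Disabled in production until the new CDN logs stream is cut over; when enabling here, decide whether the old-stream trigger above should be disabled so records are not consumed from both streams`. Whether the two streams carry overlapping records is inferred from the naming, not visible in this hunk; the enclosing function starts before it.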
diff --git a/cdn/dovetail-cdn/real-time-logs-kinesis.yml b/cdn/dovetail-cdn/real-time-logs-kinesis.yml
index 4055ef48..6cf6a4bc 100644
--- a/cdn/dovetail-cdn/real-time-logs-kinesis.yml
+++ b/cdn/dovetail-cdn/real-time-logs-kinesis.yml
@@ -40,7 +40,6 @@ Resources:
 - kinesis:GetRecords
 - kinesis:GetShardIterator
 - kinesis:ListShards
- - kinesis:SubscribeToShard
 Condition:
 StringEquals:
 aws:ResourceOrgID: ${aws:PrincipalOrgID}
From 32accbc0fbbf3d1e693328905815d16b09d62c20 Mon Sep 17 00:00:00 2001
From: Chris Kalafarski
Date: Wed, 18 Mar 2026 13:52:12 -0400
Subject: [PATCH 5/7] Switch to explicit principal

Wildcard principal isn't supported here
---
 cdn/dovetail-cdn/real-time-logs-kinesis.yml | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/cdn/dovetail-cdn/real-time-logs-kinesis.yml b/cdn/dovetail-cdn/real-time-logs-kinesis.yml
index 6cf6a4bc..409f1731 100644
--- a/cdn/dovetail-cdn/real-time-logs-kinesis.yml
+++ b/cdn/dovetail-cdn/real-time-logs-kinesis.yml
@@ -46,8 +46,11 @@ Resources:
 aws:ResourceTag/prx:ops:environment: ${aws:PrincipalTag/prx:ops:environment}
 Effect: Allow
 Resource: !GetAtt CloudfrontRealTimeLogsStream.Arn
- Principal: "*"
- Version: '2012-10-17'
+ Principal:
+ AWS:
+ - "561178107736"
+ - !Ref AWS::AccountId
+ Version: "2012-10-17"

 Outputs:
 RealTimeLogsStreamArn:
From 3d29fa4b156742469d41efb40580d8d8c593d98d Mon Sep 17 00:00:00 2001
From: Chris Kalafarski
Date: Wed, 18 Mar 2026 15:34:29 -0400
Subject: [PATCH 6/7] Use region-specific Kinesis parameters

---
 spire/templates/apps-100A.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/spire/templates/apps-100A.yml b/spire/templates/apps-100A.yml
index b7cb4992..8a9cabf7 100644
--- a/spire/templates/apps-100A.yml
+++ b/spire/templates/apps-100A.yml
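Review bot: The bare account ID `"561178107736"` in the new `Principal.AWS` list carries no name, so a reader of this template cannot tell which account is being trusted to read the CDN log stream or why; a template parameter (e.g. `ConsumerAccountId` with a `Description`) or at least a comment naming the account, `# Account that runs the Dovetail Counts consumer`, would make the trust relationship auditable — that it is the Counts account is inferred from the rest of the series, not stated here. Because the `aws:ResourceTag/prx:ops:environment: ${aws:PrincipalTag/prx:ops:environment}` condition in the context line is kept, any role in that account still has to carry a matching `prx:ops:environment` tag or its reads will be denied, so the consumer's execution role must be tagged accordingly; that cannot be confirmed from this hunk. With the principals now explicit, the `aws:ResourceOrgID` condition retained just above the hunk is redundant but harmless. The `Version` line's quoting changed from single to double quotes in the same hunk, which is purely cosmetic and fine either way.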
@@ -194,7 +194,7 @@ Resources:
 ArrangementsDynamodbRegion: !Sub /prx/${EnvironmentTypeAbbreviation}/dovetail-cdn-arranger/ARRANGEMENTS_DDB_REGION
 ArrangementsDynamodbTableName: !Sub /prx/${EnvironmentTypeAbbreviation}/dovetail-cdn-arranger/ARRANGEMENTS_DDB_TABLE
 ArrangementsDynamodbAccessRoleArn: !Sub /prx/${EnvironmentTypeAbbreviation}/dovetail-cdn-arranger/ARRANGEMENTS_DDB_ACCESS_ROLE
- DovetailCdnLogsKinesisStreamArn: !Sub /prx/${EnvironmentTypeAbbreviation}/Spire/Dovetail-Counts/cdn-logs-kinesis-stream-arn
+ DovetailCdnLogsKinesisStreamArn: !Sub /prx/${EnvironmentTypeAbbreviation}/Spire/Dovetail-Counts/cdn-logs-kinesis-stream-arn/${AWS::Region}
 OldDovetailCdnLogsKinesisStreamArn: !Ref DovetailCdnLogsKinesisStreamArn
 DovetailCountedKinesisStreamArn: !Ref DovetailCountedKinesisStreamArn
 DovetailRedisClientSecurityGroupId: !Ref DovetailRedisClientSecurityGroupId
From 4a9725c37ae5d46c66b08c6c19edf572606f856e Mon Sep 17 00:00:00 2001
From: Chris Kalafarski
Date: Wed, 18 Mar 2026 16:36:28 -0400
Subject: [PATCH 7/7] Fix param path

---
 spire/templates/apps-100A.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/spire/templates/apps-100A.yml b/spire/templates/apps-100A.yml
index 8a9cabf7..c4cffecb 100644
--- a/spire/templates/apps-100A.yml
+++ b/spire/templates/apps-100A.yml
@@ -194,7 +194,7 @@ Resources:
 ArrangementsDynamodbRegion: !Sub /prx/${EnvironmentTypeAbbreviation}/dovetail-cdn-arranger/ARRANGEMENTS_DDB_REGION
 ArrangementsDynamodbTableName: !Sub /prx/${EnvironmentTypeAbbreviation}/dovetail-cdn-arranger/ARRANGEMENTS_DDB_TABLE
 ArrangementsDynamodbAccessRoleArn: !Sub /prx/${EnvironmentTypeAbbreviation}/dovetail-cdn-arranger/ARRANGEMENTS_DDB_ACCESS_ROLE
- DovetailCdnLogsKinesisStreamArn: !Sub /prx/${EnvironmentTypeAbbreviation}/Spire/Dovetail-Counts/cdn-logs-kinesis-stream-arn/${AWS::Region}
+ DovetailCdnLogsKinesisStreamArn: !Sub /prx/${EnvironmentTypeAbbreviation}/Spire/Dovetail-Counts/cdn-logs-kinesis-stream-arn-${AWS::Region}
 OldDovetailCdnLogsKinesisStreamArn: !Ref DovetailCdnLogsKinesisStreamArn
 DovetailCountedKinesisStreamArn: !Ref DovetailCountedKinesisStreamArn
 DovetailRedisClientSecurityGroupId: !Ref DovetailRedisClientSecurityGroupId
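Review bot: The SSM parameter name now ends in `-${AWS::Region}`, which means a parameter must exist in every region and environment this parent stack is deployed to before the nested stack can be created, and nothing on the line says who provisions it; a comment such as `# Must exist per region/environment before deploy; published by the CDN logs stack` would spare the next operator a failed stack update — whether the CDN stack is the publisher is inferred from the series, not visible here. The `/` → `-` change itself is consistent with the flat, hyphenated naming of the preceding path segment.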