@mdkhan-tw mdkhan-tw commented Oct 29, 2025

Adding authentication settings and validation for the Kinesis destination. The authentication mechanism is by IAM role and external ID, where the clients will create an IAM role which can be "assumed" by Segment's provided IAM role and external ID.

We are only validating whether the client-provided role can be assumed by Segment. We aren't verifying whether we can send events to streams, because stream configuration will be available at the mapping stage.

Testing

Background

Created the IAM role below, which allows Segment's IAM role to assume a role provided by clients.

arn:aws:iam::0000000000000:role/mdkhan-assume-role-for-kinesis-destination

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::000000000000000:role/customer-s3-stage-action-destination-access"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {
                    "sts:ExternalId": "mdkhan-external-id"
                }
            }
        }
    ]
}

Test Cases

| Test Case | Result | Response |
| --- | --- | --- |
| When valid credentials are provided | Successful | { "ok": true } |
| When invalid credentials are provided | Successful | { "ok": false, "error": "Credentials are invalid: User: arn:aws:sts::0000000000000:assumed-role/customer-s3-stage-action-destination-access/a701dab1-f9c3-4a01-aa2c-0c15db7020a6 is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::0000000000000:role/mdkhan-assume-role-for-kinesis-destination", "fields": {}} |
| When empty credentials are provided | Successful | |

Include any additional information about the testing you have completed to
ensure your changes behave as expected. For a speedy review, please check
any of the tasks you completed below during your testing.

  • Added unit tests for new functionality
  • Tested end-to-end using the local server
  • [If destination is already live] Tested for backward compatibility of destination. Note: New required fields are a breaking change.
  • [Segmenters] Tested in the staging environment
  • [Segmenters] [If applicable for this change] Tested for regression with Hadron.
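
The validation described in the comment above only succeeds safely when the customer's role trusts Segment's role alone and pins an external ID. The following is an added example, not code from this PR or the project: an offline TypeScript audit of a trust policy document. `auditTrustPolicy` and its finding strings are hypothetical names, and the ARN and external ID are the redacted values shown in the description.

```typescript
// Added example: offline audit of a role trust policy. No AWS calls are made.
type OneOrMany = string | string[];
interface Statement {
  Effect: string;
  Principal?: { AWS?: OneOrMany } | "*";
  Action: OneOrMany;
  Condition?: { [operator: string]: { [key: string]: OneOrMany } };
}
interface TrustPolicy { Version: string; Statement: Statement[] }

const toList = (v: OneOrMany | undefined): string[] =>
  v === undefined ? [] : Array.isArray(v) ? v : [v];

// Returns findings; an empty array means the policy trusts only the expected
// principal and pins an external ID. Assumption: the condition key is spelled
// "sts:ExternalId" exactly as in the PR description.
function auditTrustPolicy(policy: TrustPolicy, expectedPrincipal: string): string[] {
  const findings: string[] = [];
  const grants = policy.Statement.filter((s) => s.Effect === "Allow" &&
    toList(s.Action).some((a) => a === "sts:AssumeRole" || a === "sts:*" || a === "*"));
  if (grants.length === 0) findings.push("no statement allows sts:AssumeRole");
  grants.forEach((s, i) => {
    const principals = s.Principal === "*" ? ["*"] : toList(s.Principal?.AWS);
    if (principals.length === 0) findings.push(`statement ${i}: no AWS principal`);
    for (const p of principals) {
      if (p !== expectedPrincipal) findings.push(`statement ${i}: unexpected principal ${p}`);
    }
    const ids = toList(s.Condition?.StringEquals?.["sts:ExternalId"]);
    if (ids.length === 0 || ids.some((id) => id.trim() === "")) {
      findings.push(`statement ${i}: no StringEquals condition on sts:ExternalId`);
    }
  });
  return findings;
}

// Role ARN and policy values are the redacted ones shown in the PR description.
const SEGMENT_ROLE = "arn:aws:iam::000000000000000:role/customer-s3-stage-action-destination-access";
const fromPage: TrustPolicy = JSON.parse(`{"Version": "2012-10-17", "Statement": [{
  "Effect": "Allow", "Principal": {"AWS": "${SEGMENT_ROLE}"}, "Action": "sts:AssumeRole",
  "Condition": {"StringEquals": {"sts:ExternalId": "mdkhan-external-id"}}}]}`);
// Constructed weak variant: any AWS principal, no external ID condition.
const weak: TrustPolicy = { Version: "2012-10-17",
  Statement: [{ Effect: "Allow", Principal: { AWS: "*" }, Action: "sts:AssumeRole" }] };

console.log(auditTrustPolicy(fromPage, SEGMENT_ROLE)); // no findings
console.log(auditTrustPolicy(weak, SEGMENT_ROLE));     // two findings
```

A policy that passes this audit can still be rejected by the destination's live check, which depends on the actual `sts:AssumeRole` call.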

@github-actions

New required fields detected

Warning

Your PR adds new required fields to an existing destination. Adding new required settings/mappings for a destination already in production requires updating existing customer destination configuration. Ignore this warning if this PR is for a new destination with no active customers in production.

The following required fields were added in this PR:

  • Destination: Aws Kinesis, Settings:iamRoleArn,iamExternalId

Add these new fields as optional instead and assume default values in perform or performBatch block.

codecov bot commented Oct 30, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 80.03%. Comparing base (9ed58fa) to head (551510b).

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #3378      +/-   ##
==========================================
+ Coverage   80.00%   80.03%   +0.03%     
==========================================
  Files        1211     1214       +3     
  Lines       22353    22387      +34     
  Branches     4411     4414       +3     
==========================================
+ Hits        17884    17918      +34     
  Misses       3689     3689              
  Partials      780      780              

