feat(ec2): support Firehose IDeliveryStreamRef as flow log destination

[Tietew]

Issue # (if applicable)

Re-drive of #33883 and #34596.
Related to #33757.

Reason for this change

FlowLogDestination.toKinesisDataFirehoseDestination() includes the former service name Kinesis and receives the string ARN.

Also, cross-account log delivery needs an IAM role. https://docs.aws.amazon.com/vpc/latest/userguide/firehose-cross-account-delivery.html

Description of changes

• Added FlowLogDestination.toFirehose() with an optional IAM role.
• Deprecate toKinesisDataFirehoseDestination()

Note: CDK cannot create the IAM role for cross-account delivery because the VPC ARN is needed but FlowLog construct doesn't know it.

Changes from previous PRs

This PR refers the new reference interface IDeliveryStreamRef (defined in interfaces submodule) to avoid cyclic dependency.

BEFORE

graph TD;
  A1(aws-ec2)--IDeliveryStream-->B1;
  B1(aws-kinesisfirehose)--Connections,Peer,IConnectable-->A1;

Loading

AFTER

graph TD;
  A1(aws-ec2)--IDeliveryStreamRef-->C1;
  B1(aws-kinesisfirehose)--Connections,Peer,IConnecttable-->A1;
  B1(aws-kinesisfirehose)--IDeliveryStreamRef-->C1;
  C1(interfaces);

Loading

Describe any new or updated permissions being added

N/A - Users must specify IAM roles for cross account delivery.

Description of how you validated changes

Unit tests and integ test.

Checklist

• My code adheres to the CONTRIBUTING GUIDE and DESIGN GUIDELINES

---

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

[github-actions]

⚠️ Experimental Feature: This security report is currently in experimental phase. Results may include false positives and the rules are being actively refined.
Please try merge from main to avoid findings unrelated to the PR.

---

	Tests	Passed ❌️	Skipped	Failed
Security Guardian Results

Test	Result
No test annotations available

• View Security Guardian Results

[github-actions]

⚠️ Experimental Feature: This security report is currently in experimental phase. Results may include false positives and the rules are being actively refined.
Please try merge from main to avoid findings unrelated to the PR.

---

	Tests	Passed ❌️	Skipped	Failed
Security Guardian Results with resolved templates

Test	Result
No test annotations available

• View Security Guardian Results with resolved templates

[aws-cdk-automation]

➡️ PR build request submitted to test-main-pipeline ⬅️

A maintainer must now check the pipeline and add the pr-linter/cli-integ-tested label once the pipeline succeeds.

[Tietew]

@leonmk-aws Should I revert renaming integ test?

[leonmk-aws]

Thank you for your contribution, just a small change requested to clean up leftovers files. Regarding the integ test naming, no you can let it like this, looks like a small bug in how the integ runner workflow find which integ tests to deploy, but the new test deploys fine.

[leonmk-aws]

There are leftovers files, can you remove the directory completely since the test got removed.

[Tietew]

Thanks for clarification. Removed them.

Pull request has been modified.

[leonmk-aws]

LGTM

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[mergify]

Merge Queue Status

🟠 Waiting for merge conditions (rule: default-squash)

Entered the queue at: 2026-02-06 10:28 UTC.
Checks are running in-place (dashboard).
Merge ETA: 2026-02-06 10:29 UTC. Buckle up 🚀

Required conditions to merge

• any of [🛡 GitHub branch protection]:
  • check-neutral = build
  • check-skipped = build
  • check-success = build
• #approved-reviews-by >= 1 [🛡 GitHub branch protection]
  • feat(ec2): support Firehose IDeliveryStreamRef as flow log destination #36278
• #changes-requested-reviews-by = 0 [🛡 GitHub branch protection]
  • feat(ec2): support Firehose IDeliveryStreamRef as flow log destination #36278
• any of [🛡 GitHub branch protection]:
  • check-success = validate-pr
  • check-neutral = validate-pr
  • check-skipped = validate-pr

Required conditions to stay in the queue

• -closed [📌 queue requirement]
• -conflict [📌 queue requirement]
• -draft [📌 queue requirement]
• any of [📌 queue -> configuration change requirements]:
  • -mergify-configuration-changed
  • check-success = Configuration changed
• any of [📌 queue requirement]:
  • check-neutral = Mergify Merge Protections
  • check-skipped = Mergify Merge Protections
  • check-success = Mergify Merge Protections
• any of [🔀 queue conditions]:
  • all of [📌 queue conditions of queue default-squash]:
    • #approved-reviews-by >= 1 [🛡 GitHub branch protection]
    • #approved-reviews-by>=1
    • #changes-requested-reviews-by = 0 [🛡 GitHub branch protection]
    • #changes-requested-reviews-by=0
    • -approved-reviews-by~=author
    • -closed
    • -label~=(blocked|do-not-merge|no-squash|priority-pr)
    • -merged
    • -title~=(WIP|wip)
    • base!=release
    • check-success=build
    • check-success=validate-pr
    • any of:
      • -label~=pr/needs-integration-tests-deployment
      • check-success=Deploy integration test snapshots (requires pr/needs-integration-tests-deployment label)
    • any of [🛡 GitHub branch protection]:
      • check-success = validate-pr
      • check-neutral = validate-pr
      • check-skipped = validate-pr
    • any of [🛡 GitHub branch protection]:
      • check-success = build
      • check-neutral = build
      • check-skipped = build
  • all of [📌 queue conditions of queue default-merge]:
    • label~=no-squash
    • #approved-reviews-by >= 1 [🛡 GitHub branch protection]
    • #approved-reviews-by>=1
    • #changes-requested-reviews-by = 0 [🛡 GitHub branch protection]
    • #changes-requested-reviews-by=0
    • -approved-reviews-by~=author
    • -closed
    • -label~=(blocked|do-not-merge)
    • -merged
    • -title~=(WIP|wip)
    • check-success=build
    • check-success=validate-pr
    • any of:
      • -label~=pr/needs-integration-tests-deployment
      • check-success=Deploy integration test snapshots (requires pr/needs-integration-tests-deployment label)
    • any of [🛡 GitHub branch protection]:
      • check-success = validate-pr
      • check-neutral = validate-pr
      • check-skipped = validate-pr
    • any of [🛡 GitHub branch protection]:
      • check-success = build
      • check-neutral = build
      • check-skipped = build
  • all of [📌 queue conditions of queue priority-squash]:
    • label~=priority-pr
    • #approved-reviews-by >= 1 [🛡 GitHub branch protection]
    • #approved-reviews-by>=1
    • #changes-requested-reviews-by = 0 [🛡 GitHub branch protection]
    • #changes-requested-reviews-by=0
    • -approved-reviews-by~=author
    • -closed
    • -label~=(blocked|do-not-merge|no-squash)
    • -merged
    • -title~=(WIP|wip)
    • base!=release
    • check-success=build
    • check-success=validate-pr
    • any of:
      • -label~=pr/needs-integration-tests-deployment
      • check-success=Deploy integration test snapshots (requires pr/needs-integration-tests-deployment label)
    • any of [🛡 GitHub branch protection]:
      • check-success = validate-pr
      • check-neutral = validate-pr
      • check-skipped = validate-pr
    • any of [🛡 GitHub branch protection]:
      • check-success = build
      • check-neutral = build
      • check-skipped = build

[Tietew]

@Mergifyio refresh

[mergify]

refresh

✅ Pull request refreshed

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[github-actions]

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.