Add documentation example

framework/src/streaming/README.md

@@ -178,6 +178,13 @@ The method attachs an IAM policy as defined in the [AWS documentation](https://d
 
 [example msk serverless grantProduce](./examples/msk-serverless-grant-consume.lit.ts)
 
+### Add Cluster Policy
+
+This method allows you to add IAM resource policy to your MSK cluster. These for example can enable you to setup cross account access for your Amazon MSK cluster. 
+
+
+[example msk serverless add cluster policy](./examples/msk-serverless-cluster-policy.lit.ts)
+
 [//]: # (streaming.kafka-api)
 # Kafka Api - Bring your own cluster
 

framework/src/streaming/examples/msk-serverless-cluster-policy.lit.ts

@@ -0,0 +1,45 @@
+import * as cdk from 'aws-cdk-lib';
+import { AclOperationTypes, AclPermissionTypes, AclResourceTypes,MskProvisioned, ResourcePatternTypes } from '../lib/msk';
+import { Effect, PolicyDocument, PolicyStatement, ServicePrincipal } from 'aws-cdk-lib/aws-iam';
+
+
+const app = new cdk.App();
+
+const stack = new cdk.Stack(app, 'MskProvisionedDsf');
+
+stack.node.setContext('@data-solutions-framework-on-aws/removeDataOnDestroy', true);
+
+/// !show
+const msk = new MskProvisioned(stack, 'cluster');
+const cluterPolicy = new PolicyDocument(
+    {
+      statements: [
+        new PolicyStatement ({
+          actions: [
+            'kafka:CreateVpcConnection',
+            'kafka:GetBootstrapBrokers',
+            'kafka:DescribeClusterV2',
+          ],
+          resources: [msk.cluster.attrArn],
+          effect: Effect.ALLOW,
+          principals: [new ServicePrincipal('firehose.amazonaws.com')],
+        }),
+      ],
+    },
+  );
+
+msk.addClusterPolicy(cluterPolicy, 'cluterPolicy');
+/// !hide
+
+msk.setAcl('acl', {
+    resourceType: AclResourceTypes.TOPIC,
+    resourceName: 'topic-1',
+    resourcePatternType: ResourcePatternTypes.LITERAL,
+    principal: 'User:Cn=Toto',
+    host: '*',
+    operation: AclOperationTypes.CREATE,
+    permissionType: AclPermissionTypes.ALLOW,
+  },
+  cdk.RemovalPolicy.DESTROY);
+
+

website/docs/constructs/library/generated/_streaming-msk-serverless.mdx

@@ -218,3 +218,56 @@ msk.grant_consume("topic1", iam_role)
   </TabItem>
 </Tabs>
 
+### Add Cluster Policy
+
+This method allows you to add IAM resource policy to your MSK cluster. These for example can enable you to setup cross account access for your Amazon MSK cluster. 
+
+
+<Tabs>
+  <TabItem value="typescript" label="TypeScript" default>
+
+  ```typescript
+const msk = new MskProvisioned(stack, 'cluster');
+const cluterPolicy = new PolicyDocument(
+    {
+      statements: [
+        new PolicyStatement ({
+          actions: [
+            'kafka:CreateVpcConnection',
+            'kafka:GetBootstrapBrokers',
+            'kafka:DescribeClusterV2',
+          ],
+          resources: [msk.cluster.attrArn],
+          effect: Effect.ALLOW,
+          principals: [new ServicePrincipal('firehose.amazonaws.com')],
+        }),
+      ],
+    },
+  );
+
+msk.addClusterPolicy(cluterPolicy, 'cluterPolicy');
+  ```
+
+  </TabItem>
+  <TabItem value="python" label="Python">
+
+  ```python
+msk = MskProvisioned(stack, "cluster")
+cluter_policy = PolicyDocument(
+    statements=[
+        PolicyStatement(
+            actions=["kafka:CreateVpcConnection", "kafka:GetBootstrapBrokers", "kafka:DescribeClusterV2"
+            ],
+            resources=[msk.cluster.attr_arn],
+            effect=Effect.ALLOW,
+            principals=[ServicePrincipal("firehose.amazonaws.com")]
+        )
+    ]
+)
+
+msk.add_cluster_policy(cluter_policy, "cluterPolicy")
+  ```
+
+  </TabItem>
+</Tabs>
+