Aws-cli: EventBridge : can not edit rule/targets created from CLI

Created on 15 Jan 2020 · 12 Comments · Source: aws/aws-cli

Hello,

I am trying to use EventBridge via boto3 or/and CLI.
If I add targets to a rule via boto3/CLI, I can NOT modify my rule in the EventBridge web console. I receive an error message when I try to edit (updating the rule without any change gives the same error):

Statement AWSEvents_BackupTagRemediationSchedule_mystatement1 is not found in resource policy.

_with BackupTagRemediationSchedule as my rule name and mystatement1 as the target id_

If I use `aws events list-targets-by-rule`, everything seems to be ok.
The only way I found to edit it is to modify the rule from the CloudWatch Events console. If you edit the rule and save it (without any modification), it works. Now go back to the EventBridge console, and you can edit your rule and target without any problem.

Did I do something wrong here?
I think it's just a bug.

Steps to reproduce with CLI :

PROFILE_TO_USE=myProfile
lambdaArn=arn:aws:lambda:eu-west-1:123456789012:function:TagRemediation

eventArn=$(aws events put-rule --profile=${PROFILE_TO_USE} --name BackupTagRemediationSchedule --schedule-expression 'rate(60 minutes)' | jq .RuleArn | tr -d '"')

echo $eventArn
arn:aws:events:eu-west-1:123456789012:rule/BackupTagRemediationSchedule

aws lambda add-permission --profile=${PROFILE_TO_USE} \
  --function-name TagRemediation \
  --statement-id BackupTagRemediationSchedule \
  --action 'lambda:InvokeFunction' \
  --principal events.amazonaws.com \
  --source-arn $eventArn
{
    "Statement": "{\"Sid\":\"BackupTagRemediationSchedule\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":\"events.amazonaws.com\"},\"Action\":\"lambda:InvokeFunction\",\"Resource\":\"arn:aws:lambda:eu-west-1:123456789012:function:TagRemediation\",\"Condition\":{\"ArnLike\":{\"AWS:SourceArn\":\"arn:aws:events:eu-west-1:123456789012:rule/BackupTagRemediationSchedule\"}}}"
}

aws events put-targets --profile=${PROFILE_TO_USE} --rule BackupTagRemediationSchedule --targets '{"Id":"2", "Arn":"'${lambdaArn}'", "Input":"{\"foo\":\"bar\"}"}'
{
    "FailedEntryCount": 0,
    "FailedEntries": []
}

Thanks for your support.

Jonathan LAMBERT

closed-for-staleness events needs-reproduction response-requested service-api

All 12 comments

Hello,

Am I the only one encountering this issue?

Jonathan

I am facing the same issue when I created a CloudWatch rule and target via Terraform.

It is related to target_id provided in "aws_cloudwatch_event_target" resource. If this is not provided, Target in lambda is not being linked to this cloud watch rule. If this is added and we try to change that rule via console, then "Statement XXX is not found in resource policy" appears.

I hope this will help you somehow to identify/debug the issue.

Yeah, I can't add a target or edit the current target. My event bus and target were created by sam-cli.

Same here, with CDK/Cloudformation.
It is even worse because I am using event patterns that are only available in EventBridge. So I can't use the fallback trick of modifying the events in CloudWatch.

This isn't limited to the CLI.

I am trying to set up a basic EventBridge rule with a Lambda target using CloudFormation.

The Rule->Target resource takes an Id field. It then looks for that ID field in the SID of the resource policy of the lambda, which you can't set using the Lambda Permission CloudFormation resource.

This looks like a case where the Target has an Id field, which you can see only in the CLI, and that Id field has to match the SID of the resource policy on the lambda (or cloudwatch event).

In the event of not being able to edit rules created in the CLI via the console, the fix is to delete the target from the console and recreate it from the console. If you do this the platform will re-create the target with an Id, and then create the resource policy on the associated lambda with the appropriate SID for you. This doesn't help at all in my case where I need to use CloudFormation.
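A check for the mismatch described in the comment above (target Id versus Lambda resource-policy Sid), added here as an example; it is not code from the issue or from aws-cli. It takes the `list-targets-by-rule` and `get-policy` responses as plain dicts (sample data is constructed inline to mirror the reproduction in the issue) and reports, per Lambda target, whether a statement with the Sid the console expects (`AWSEvents_<rule>_<targetId>`, the format visible in the error message quoted in the issue) exists, and which other Sids grant the rule invoke permission instead.

```python
import json

# Constructed sample data mirroring the issue's reproduction (not real API output).
# Shape of `aws events list-targets-by-rule` for the rule created with --targets '{"Id":"2", ...}'.
SAMPLE_TARGETS = {
    "Targets": [
        {"Id": "2", "Arn": "arn:aws:lambda:eu-west-1:123456789012:function:TagRemediation"}
    ]
}
# Shape of `aws lambda get-policy`: the resource policy is a JSON string inside the JSON response.
SAMPLE_POLICY = {
    "Policy": json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "BackupTagRemediationSchedule",
            "Effect": "Allow",
            "Principal": {"Service": "events.amazonaws.com"},
            "Action": "lambda:InvokeFunction",
            "Resource": "arn:aws:lambda:eu-west-1:123456789012:function:TagRemediation",
            "Condition": {"ArnLike": {"AWS:SourceArn":
                "arn:aws:events:eu-west-1:123456789012:rule/BackupTagRemediationSchedule"}},
        }],
    })
}

def expected_sid(rule_name, target_id):
    # Sid the EventBridge console looks up, as shown by the error message in the issue.
    return f"AWSEvents_{rule_name}_{target_id}"

def check_rule_targets(rule_name, rule_arn, targets_resp, policy_resp):
    """Return one finding per Lambda target of the rule (non-Lambda targets are skipped)."""
    statements = json.loads(policy_resp["Policy"]).get("Statement", [])
    findings = []
    for target in targets_resp["Targets"]:
        if ":lambda:" not in target["Arn"]:
            continue  # only Lambda targets carry a resource policy to compare against
        want = expected_sid(rule_name, target["Id"])
        sid_matches = any(s.get("Sid") == want for s in statements)
        # Statements that do grant events.amazonaws.com invoke for this rule, under some other Sid.
        other_sids = [s.get("Sid") for s in statements
                      if s.get("Effect") == "Allow"
                      and s.get("Principal", {}).get("Service") == "events.amazonaws.com"
                      and s.get("Condition", {}).get("ArnLike", {}).get("AWS:SourceArn") == rule_arn
                      and s.get("Sid") != want]
        findings.append({"target_id": target["Id"], "expected_sid": want,
                         "sid_matches": sid_matches, "other_sids_for_rule": other_sids})
    return findings
```

A target whose finding has `sid_matches` False but a non-empty `other_sids_for_rule` is invokable by the rule yet will trip the console's "Statement ... is not found in resource policy" check, which is the state the reproduction above produces.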

I have the same issue, with the addition that the rule is not actually triggering the lambda it's attached to. Is everyone having this same issue?

I am having this issue too (using terraform).
Did you find a solution?

Has anyone got any update on this?
I've tried from aws-lambda written in python 3.7 and rule doesn't actually change.

Hi @Ziranium,

I apologize for the delay in response. I just tried this, and I couldn't reproduce. Can you let me know what version of the AWS CLI you used when you encountered this?

boto3-1.14.40 botocore-1.17.40

Here's my reproduction attempt:

$ aws --version
aws-cli/1.18.143 Python/3.8.3 Darwin/19.6.0 botocore/1.18.2
$ PROFILE_TO_USE=default
$ lambdaArn=arn:aws:lambda:us-west-2:123456789012:function:aws-cli-issue-4841
$ eventArn=$(aws events put-rule --profile=${PROFILE_TO_USE} --name BackupTagRemediationSchedule --schedule-expression 'rate(60 minutes)' | jq .RuleArn | tr -d '"')
$ echo $eventArn
arn:aws:events:us-west-2:123456789012:rule/BackupTagRemediationSchedule
$ aws lambda add-permission --profile=${PROFILE_TO_USE} \
--function-name aws-cli-issue-4841 \
--statement-id BackupTagRemediationSchedule \
--action 'lambda:InvokeFunction' \
--principal events.amazonaws.com \
--source-arn $eventArn
{
    "Statement": "{\"Sid\":\"BackupTagRemediationSchedule\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":\"events.amazonaws.com\"},\"Action\":\"lambda:InvokeFunction\",\"Resource\":\"arn:aws:lambda:us-west-2:123456789012:function:aws-cli-issue-4841\",\"Condition\":{\"ArnLike\":{\"AWS:SourceArn\":\"arn:aws:events:us-west-2:123456789012:rule/BackupTagRemediationSchedule\"}}}"
}
$ aws events put-targets --profile=${PROFILE_TO_USE} --rule BackupTagRemediationSchedule --targets '{"Id":"2", "Arn":"'${lambdaArn}'", "Input":"{\"foo\":\"bar\"}"}'
{
    "FailedEntryCount": 0,
    "FailedEntries": []
}

I could then go to the console EventBridge and edit the rule - both a no-op and making an actual change.

@jsmontoya9207 are you using the available Python SDK for AWS Lambda? This would indicate you're using the following version:

@richardtapendium - that can commonly be a permissions issue:

https://docs.aws.amazon.com/eventbridge/latest/userguide/eventbridge-troubleshooting.html#lam-function-not-invoked

Greetings! It looks like this issue hasn't been active in longer than a week. We encourage you to check if this is still an issue in the latest release. Because it has been longer than a week since the last update on this, and in the absence of more information, we will be closing this issue soon. If you find that this is still a problem, please feel free to provide a comment or add an upvote to prevent automatic closure, or if the issue is already closed, please feel free to open a new one.
