Terraform-provider-aws: aws_cloudwatch_event_target does not support cross-account Event Bus

Created on 23 May 2019  ·  4 Comments  ·  Source: hashicorp/terraform-provider-aws

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

AWS introduced support for cross-account CloudWatch event delivery back in 2017 (an overview can be found here). This works by setting up a CloudWatch event rule on the sender account that filters the events to be sent (better known as the event source, which is usually set up as a JSON pattern; this is supported by the current version of the AWS provider) and setting up a target named event bus. This event bus is located in a different account (the recipient) and requires a dedicated set of permissions (another action that is currently supported by Terraform).

However, it doesn't seem that defining an event bus located in a different account is supported by aws_cloudwatch_event_target. Adding support for this would mean that all of this intricate setup can be Terraformed.

New or Affected Resource(s)

  • aws_cloudwatch_event_target

Potential Terraform Configuration

➜ terraform version
Terraform v0.11.7
+ provider.aws v1.60.0

References

  • It looks like this was first raised in https://github.com/terraform-providers/terraform-provider-aws/issues/1042, but the outcome of that was implementing support for aws_cloudwatch_event_permission which deals with the set up that needs to be done on the recipient side of things.

Labels: enhancement, service/cloudwatchevents, service/eventbridge

All 4 comments

At first I thought I was running into this because I got the message:

    Error: Creating CloudWatch Event Target failed: AccessDeniedException: Access to the resource arn:aws:events:us-east-1:012345678901:event-bus/default is denied. Reason: Adding cross-region target is not permitted.

Careful reading shows that the real issue is that I was trying to go from us-east-1 to us-east-2, which is not supported by AWS. Once I fixed this, the cross-account event bus worked just fine.

On the event bus destination account:

    resource "aws_cloudwatch_event_permission" "CrossAccountEventBus" {
      principal    = "012345678901"
      statement_id = "test-1"
    }

On the source:

    resource "aws_cloudwatch_event_target" "fcm-event" {
      rule      = "${aws_cloudwatch_event_rule.fcm-event.name}"
      target_id = "fcm-security-account-eventbus"
      arn       = "arn:aws:events:us-east-2:${var.destination_account}:event-bus/default"
    }

I suggest this issue can be closed.

Has anyone had any luck on a workaround to this issue?

Previously I was using the AWS CLI to manually create the event after Terraform-ing the rest of my resources, but @fdamstra's suggestion has worked for me now.

If anyone wants it, the old snippet I used was:

    export CW_EVENT_RULE="${outputs.cloudwatch_event_rule_name}"
    export ROLE_ARN="${outputs.cross_account_events_role_arn}"
    export TARGET_ARN=arn:aws:events:${AWS_REGION}:${OTHER_ACCOUNT_ID}:event-bus/default

    aws events put-targets --rule $CW_EVENT_RULE --targets "Id"="SendEventsToOtherAcct$RANDOM","Arn"="$TARGET_ARN","RoleArn"="$ROLE_ARN"
    

@tanasegabriel This is actually not a problem at all. If you take a look at the AWS console, when adding a target to an event rule and selecting "Event bus in another AWS account", you are required to choose an IAM role (either create new or choose existing). The aws_cloudwatch_event_target has a role_arn argument, which the docs describe as _"(Optional) The Amazon Resource Name (ARN) of the IAM role to be used for this target when the rule is triggered. Required if ecs_target is used."_ This does not indicate that it is also required (by AWS) when a cross-account event bus is specified. So the solution is:

    resource "aws_cloudwatch_event_target" "target" {
      arn      = var.destination_event_bus_arn     # placeholder: ARN of the event bus in the destination account
      rule     = aws_cloudwatch_event_rule.rule.name
      role_arn = var.cross_account_events_role_arn # placeholder: ARN of a role that grants the source account access to put events to the destination bus
    }

I initially set the role_arn argument in the aws_cloudwatch_event_rule resource, but it kept throwing the following error when trying to create the target:

    Error: Creating CloudWatch Event Target failed: AccessDeniedException: Access to the resource arn:aws:events:us-east-1:491171633245:event-bus/default is denied. Reason: EventBus does not exist or its policy does not allow this operation.

Hope this helps!
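The two halves of the thread's answer (the aws_cloudwatch_event_permission from the first comment and the role_arn from the last) combined into one end-to-end setup, as an added example in Terraform 0.12+ syntax that is not code from this issue or from the provider. It assumes a provider alias aws.destination for the recipient account and variables source_account_id, destination_account_id and region declared elsewhere, and keeps both sides in the same region because AWS rejects cross-region bus targets.

```hcl
# Destination account: grant only the source account PutEvents on the default bus
resource "aws_cloudwatch_event_permission" "from_source_account" {
  provider     = aws.destination          # assumed provider alias for the destination account
  principal    = var.source_account_id    # a 12-digit account id, never "*"
  statement_id = "AllowSourceAccountPutEvents"
}

# Source account: role that EventBridge assumes when delivering to the remote bus
data "aws_iam_policy_document" "events_assume_role" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["events.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "cross_account_events" {
  name               = "cross-account-events"
  assume_role_policy = data.aws_iam_policy_document.events_assume_role.json
}

# Least privilege: only events:PutEvents, only on the one destination bus
data "aws_iam_policy_document" "put_events" {
  statement {
    actions   = ["events:PutEvents"]
    resources = ["arn:aws:events:${var.region}:${var.destination_account_id}:event-bus/default"]
  }
}

resource "aws_iam_role_policy" "put_events" {
  role   = aws_iam_role.cross_account_events.id
  policy = data.aws_iam_policy_document.put_events.json
}

# Rule selecting what leaves the account (the pattern is an assumed example)
resource "aws_cloudwatch_event_rule" "forward" {
  name          = "forward-to-destination-account"
  event_pattern = jsonencode({ source = ["aws.guardduty"] })
}

# Same region as the destination bus: cross-region targets are rejected by AWS
resource "aws_cloudwatch_event_target" "remote_bus" {
  rule      = aws_cloudwatch_event_rule.forward.name
  target_id = "SendToDestinationAccount"
  arn       = "arn:aws:events:${var.region}:${var.destination_account_id}:event-bus/default"
  role_arn  = aws_iam_role.cross_account_events.arn # required for a cross-account bus target
}
```

Without the role_arn the target is created with no credentials to call PutEvents on the remote bus, which is exactly the "EventBus does not exist or its policy does not allow this operation" error quoted above.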
