
aws_cloudwatch_event_target does not support cross-account Event Bus #8759

Closed
tanasegabriel opened this issue May 23, 2019 · 9 comments · Fixed by #20613
Labels: bug (Addresses a defect in current functionality.)

Comments

tanasegabriel commented May 23, 2019

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

AWS introduced support for cross-account CloudWatch event delivery back in 2017 (an overview can be found here). This works by setting up a CloudWatch event rule on the sender account that filters the events to be sent (better known as the event source, which is usually set up as a JSON pattern; this is supported by the current version of the AWS provider) and setting up a target named event bus. This event bus is located in a different account (the recipient) and it requires a dedicated set of permissions (another action that is currently supported by Terraform).

However, it doesn't seem that defining an event bus located in a different account is supported by aws_cloudwatch_event_target. Adding support for this would mean that all of this intricate set up can be Terraformed.

New or Affected Resource(s)

  • aws_cloudwatch_event_target

Potential Terraform Configuration

➜ terraform version
Terraform v0.11.7
+ provider.aws v1.60.0

References

@tanasegabriel tanasegabriel added the enhancement Requests to existing resources that expand the functionality or scope. label May 23, 2019
@fdamstra

At first I thought I was running into this because I got the message Error: Creating CloudWatch Event Target failed: AccessDeniedException: Access to the resource arn:aws:events:us-east-1:012345678901:event-bus/default is denied. Reason: Adding cross-region target is not permitted.

Careful reading shows that the real issue is that I was trying to go from us-east-1 to us-east-2, which is not supported by AWS. Once I fixed this, cross-account event bus worked just fine.

On the event bus destination account:

resource "aws_cloudwatch_event_permission" "CrossAccountEventBus" {
  principal    = "012345678901"
  statement_id = "test-1"
}

On the source:

resource "aws_cloudwatch_event_target" "fcm-event" {
  rule      = "${aws_cloudwatch_event_rule.fcm-event.name}"
  target_id = "fcm-security-account-eventbus"
  arn       = "arn:aws:events:us-east-2:${var.destination_account}:event-bus/default"
}

I suggest this issue can be closed.

@jg100006

jg100006 commented Nov 8, 2019

Has anyone had any luck on a workaround to this issue?

@rahulk94

rahulk94 commented Nov 21, 2019

Previously I was using the AWS CLI to manually create the event after Terraform-ing the rest of my resources but @fdamstra's suggestion has worked for me now.

If anyone wants it, the old snippet I used was

export CW_EVENT_RULE="${outputs.cloudwatch_event_rule_name}"
export ROLE_ARN="${outputs.cross_account_events_role_arn}"
export TARGET_ARN=arn:aws:events:${AWS_REGION}:${OTHER_ACCOUNT_ID}:event-bus/default

aws events put-targets --rule $CW_EVENT_RULE --targets "Id"="SendEventsToOtherAcct$RANDOM","Arn"="$TARGET_ARN","RoleArn"="$ROLE_ARN"

@husain-aljamri

husain-aljamri commented Jan 29, 2020

@tanasegabriel This is actually not a problem at all. If you take a look at the AWS console, when adding a target to an event rule, upon selecting "Event bus in another AWS account" you are required to choose an IAM role (either create a new one or choose an existing one). The aws_cloudwatch_event_target resource has a role_arn argument, which the docs describe as "(Optional) The Amazon Resource Name (ARN) of the IAM role to be used for this target when the rule is triggered. Required if ecs_target is used." This does not indicate that it is also required (by AWS) when a cross-account event bus is specified. So the solution is:

resource "aws_cloudwatch_event_target" "target" {
  # Event bus ARN from the destination account (placeholder values)
  arn      = "arn:aws:events:REGION:DESTINATION_ACCOUNT_ID:event-bus/default"
  rule     = aws_cloudwatch_event_rule.rule.name
  # ARN of a role in the source account that grants events:PutEvents on the destination bus (placeholder)
  role_arn = "arn:aws:iam::SOURCE_ACCOUNT_ID:role/ROLE_NAME"
}

I initially set the role_arn argument in the aws_cloudwatch_event_rule resource, but it kept throwing the following error when trying to create the target.

Error: Creating CloudWatch Event Target failed: AccessDeniedException: Access to the resource arn:aws:events:us-east-1:491171633245:event-bus/default is denied. Reason: EventBus does not exist or its policy does not allow this operation.

Hope this helps!
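Putting together fdamstra's two-account configuration above and husain-aljamri's point that the target needs a role_arn, here is a complete end-to-end setup as an added example. It is not code from the issue or from the Terraform AWS Provider project: the account IDs, region, resource names, provider aliases (assumed to carry credentials for each account) and the CodeCommit event pattern are all assumptions chosen for illustration. Both accounts use the same region, since fdamstra's error shows that cross-region targets are rejected, and the sender role is scoped to a single PutEvents action on the one destination bus.

```hcl
# Added example, not the issue's or the provider's own code.
# All IDs, names and the region below are placeholders.

locals {
  region              = "us-east-1"    # sender and receiver must be in the same region
  sender_account_id   = "111111111111" # placeholder
  receiver_account_id = "222222222222" # placeholder
  receiver_bus_arn    = "arn:aws:events:${local.region}:${local.receiver_account_id}:event-bus/default"
}

# Assumed: each alias is configured with credentials for that account.
provider "aws" {
  alias  = "sender"
  region = local.region
}

provider "aws" {
  alias  = "receiver"
  region = local.region
}

# Receiver account: the bus policy admits only the sender account, and only PutEvents.
resource "aws_cloudwatch_event_permission" "from_sender" {
  provider     = aws.receiver
  principal    = local.sender_account_id
  statement_id = "AllowSenderAccountPutEvents"
  action       = "events:PutEvents"
}

# Receiver account: a rule that only matches events forwarded by the sender account,
# so a later widening of the bus policy does not silently change what this rule processes.
resource "aws_cloudwatch_event_rule" "from_sender" {
  provider    = aws.receiver
  name        = "codecommit-from-sender-account"
  description = "CodeCommit state changes forwarded from the sender account"
  event_pattern = jsonencode({
    account       = [local.sender_account_id]
    source        = ["aws.codecommit"]
    "detail-type" = ["CodeCommit Repository State Change"]
  })
}

# Sender account: the rule that selects which events leave the account.
resource "aws_cloudwatch_event_rule" "forward" {
  provider    = aws.sender
  name        = "forward-codecommit-to-receiver"
  description = "Forward CodeCommit repository state changes to the receiver account"
  event_pattern = jsonencode({
    source        = ["aws.codecommit"]
    "detail-type" = ["CodeCommit Repository State Change"]
  })
}

# Sender account: role that EventBridge assumes to call PutEvents on the remote bus.
data "aws_iam_policy_document" "events_assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["events.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "cross_account_events" {
  provider           = aws.sender
  name               = "eventbridge-cross-account-put-events"
  assume_role_policy = data.aws_iam_policy_document.events_assume.json
}

# Least privilege: one action, one resource (the receiver's default bus).
data "aws_iam_policy_document" "put_events" {
  statement {
    actions   = ["events:PutEvents"]
    resources = [local.receiver_bus_arn]
  }
}

resource "aws_iam_role_policy" "put_events" {
  provider = aws.sender
  role     = aws_iam_role.cross_account_events.id
  policy   = data.aws_iam_policy_document.put_events.json
}

# Sender account: the cross-account target, with the role_arn the console requires.
resource "aws_cloudwatch_event_target" "to_receiver" {
  provider  = aws.sender
  rule      = aws_cloudwatch_event_rule.forward.name
  target_id = "receiver-default-bus"
  arn       = local.receiver_bus_arn
  role_arn  = aws_iam_role.cross_account_events.arn
}
```

If the target creation fails with "EventBus does not exist or its policy does not allow this operation", check the receiver side first (the aws_cloudwatch_event_permission principal must be the sender account ID and the bus must be in the same region), then confirm that role_arn is set on the target rather than on the rule.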

@jihed

jihed commented Feb 24, 2021

I am experiencing the same issue. Any hint or workaround for this?

@BHSDuncan

BHSDuncan commented Mar 27, 2021

I had the same issue here trying to target a CodePipeline deployment responding to a CodeCommit push from a different account. The only way to accomplish this right now seems to be talking to the other account's event bus and using the same event rule to pick it up except with the sending account's ID in the event tail.

This post here really helped me: https://dev.to/pranitraje/how-to-create-a-codepipeline-with-source-from-another-aws-account-n0m

(And don't forget to set the IAM roles and policies as above, either.)

HTH

@FrancescoFucile-CAZ (Contributor)

This PR should fix the issue.
#20312

@github-actions

This functionality has been released in v3.55.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

@github-actions

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 19, 2021