amazon web services - EventBridge Event bus doesn't receive cross-account events - Stack Overflow

admin管理员组

文章数量:1278910

I'm trying to send EventBridge events to the Event bus of our backup account, but the bus isn't receiving the events. I've been following this blog post, and translated the example given into Terraform code. The rule in the source account is triggered, but the Event bus in the destination account isn't receiving the events.

Here's the Terraform code for the destination account:

data "aws_cloudwatch_event_bus" "default_bus" {
  name = "default"
}
resource "aws_cloudwatch_event_bus_policy" "copy_rds_backups" {
  event_bus_name = data.aws_cloudwatch_event_bus.default_bus.id
  policy         = data.aws_iam_policy_document.event_bus_policy.json
}
data "aws_iam_policy_document" "event_bus_policy" {
  statement {
    sid     = "AWSBackupCopyCompleteEvent"
    actions = ["events:PutEvents"]
    principals {
      type = "AWS"
      identifiers = [
        "arn:aws:iam::SOURCE_ACCOUNT_ID:root"
      ]
    }
    resources = ["${data.aws_cloudwatch_event_bus.default_bus.arn}"]
  }
}

resource "aws_cloudwatch_event_rule" "copy_rds_backups" {
  name        = "copy_rds_backups"
  description = "EventBridge rule for CopyCompleteJob event to trigger cross-region backup copy of RDS resources."
  state       = "ENABLED"

  event_pattern = jsonencode({
    source = ["aws.backup"],
    account = [{
      anything-but = "DESTINATION_ACCOUNT_ID"
    }],
    detail-type = ["Copy Job State Changed"],
    detail = {
      "state"         = ["COMPLETED"],
      "resourceType" = ["RDS", "Aurora"]
    }
  })
}

And the source account:

resource "aws_iam_role" "cloudwatch_backup_event_role" {
  name               = "cloudwatch-backup-event-role"
  description        = "Role for CloudWatch Event Rule to notify Backup account vault of RDS backup completion"
  assume_role_policy = data.aws_iam_policy_document.cloudwatch_assume_role.json
}
data "aws_iam_policy_document" "cloudwatch_assume_role" {
  statement {
    effect = "Allow"
    actions = [
      "sts:AssumeRole"
    ]
    principals {
      type        = "Service"
      identifiers = ["events.amazonaws"]
    }
  }
}
resource "aws_iam_policy_attachment" "cloudwatch_backup_event_policy_attachment" {
  name = "cloudwatch-event-policy-attachment"
  roles = [
    aws_iam_role.cloudwatch_backup_event_role.name
  ]
  policy_arn = aws_iam_policy.cloudwatch_backup_event_policy.arn
}
resource "aws_iam_policy" "cloudwatch_backup_event_policy" {
  name        = "cloudwatch-event-policy"
  description = "Policy for CloudWatch Event Rule to notify Backup account vault of RDS backup completion"
  policy      = data.aws_iam_policy_document.cloudwatch_backup_event_policy.json

}
data "aws_iam_policy_document" "cloudwatch_backup_event_policy" {
  statement {
    effect = "Allow"
    actions = [
      "events:PutEvents"
    ]
    resources = [
      "arn:aws:events:eu-west-1:DESTINATION_ACCOUNT_ID:event-bus/default"
    ]
  }
}

resource "aws_cloudwatch_event_rule" "rds_backup_complete" {
  name        = "rds-backup-complete"
  description = "Rule to trigger event when RDS backup is complete"
  state       = "ENABLED"

  
  event_pattern = jsonencode({
    source      = ["aws.backup"],
    detail-type = ["Copy Job State Change"],
    detail = {
      "state"         = ["COMPLETED"],
      "resourceType" = ["RDS", "Aurora"],
      "destinationBackupVaultArn" : [{
        "prefix": "arn:aws:backup:eu-west-1:DESTINATION_ACCOUNT_ID:backup-vault:",
        }]
    }
  })
}
resource "aws_cloudwatch_event_target" "rds_backup_complete" {
  rule      = aws_cloudwatch_event_rule.rds_backup_complete.name
  target_id = "rds-backup-complete"
  role_arn  = aws_iam_role.cloudwatch_backup_event_role.arn
  arn       = "arn:aws:events:eu-west-1:DESTINATION_ACCOUNT_ID:event-bus/default"
}

I'm trying to send EventBridge events to the Event bus of our backup account, but the bus isn't receiving the events. I've been following this blog post, and translated the example given into Terraform code. The rule in the source account is triggered, but the Event bus in the destination account isn't receiving the events.

Here's the Terraform code for the destination account:

data "aws_cloudwatch_event_bus" "default_bus" {
  name = "default"
}
resource "aws_cloudwatch_event_bus_policy" "copy_rds_backups" {
  event_bus_name = data.aws_cloudwatch_event_bus.default_bus.id
  policy         = data.aws_iam_policy_document.event_bus_policy.json
}
data "aws_iam_policy_document" "event_bus_policy" {
  statement {
    sid     = "AWSBackupCopyCompleteEvent"
    actions = ["events:PutEvents"]
    principals {
      type = "AWS"
      identifiers = [
        "arn:aws:iam::SOURCE_ACCOUNT_ID:root"
      ]
    }
    resources = ["${data.aws_cloudwatch_event_bus.default_bus.arn}"]
  }
}

resource "aws_cloudwatch_event_rule" "copy_rds_backups" {
  name        = "copy_rds_backups"
  description = "EventBridge rule for CopyCompleteJob event to trigger cross-region backup copy of RDS resources."
  state       = "ENABLED"

  event_pattern = jsonencode({
    source = ["aws.backup"],
    account = [{
      anything-but = "DESTINATION_ACCOUNT_ID"
    }],
    detail-type = ["Copy Job State Changed"],
    detail = {
      "state"         = ["COMPLETED"],
      "resourceType" = ["RDS", "Aurora"]
    }
  })
}

And the source account:

resource "aws_iam_role" "cloudwatch_backup_event_role" {
  name               = "cloudwatch-backup-event-role"
  description        = "Role for CloudWatch Event Rule to notify Backup account vault of RDS backup completion"
  assume_role_policy = data.aws_iam_policy_document.cloudwatch_assume_role.json
}
data "aws_iam_policy_document" "cloudwatch_assume_role" {
  statement {
    effect = "Allow"
    actions = [
      "sts:AssumeRole"
    ]
    principals {
      type        = "Service"
      identifiers = ["events.amazonaws"]
    }
  }
}
resource "aws_iam_policy_attachment" "cloudwatch_backup_event_policy_attachment" {
  name = "cloudwatch-event-policy-attachment"
  roles = [
    aws_iam_role.cloudwatch_backup_event_role.name
  ]
  policy_arn = aws_iam_policy.cloudwatch_backup_event_policy.arn
}
resource "aws_iam_policy" "cloudwatch_backup_event_policy" {
  name        = "cloudwatch-event-policy"
  description = "Policy for CloudWatch Event Rule to notify Backup account vault of RDS backup completion"
  policy      = data.aws_iam_policy_document.cloudwatch_backup_event_policy.json

}
data "aws_iam_policy_document" "cloudwatch_backup_event_policy" {
  statement {
    effect = "Allow"
    actions = [
      "events:PutEvents"
    ]
    resources = [
      "arn:aws:events:eu-west-1:DESTINATION_ACCOUNT_ID:event-bus/default"
    ]
  }
}

resource "aws_cloudwatch_event_rule" "rds_backup_complete" {
  name        = "rds-backup-complete"
  description = "Rule to trigger event when RDS backup is complete"
  state       = "ENABLED"

  
  event_pattern = jsonencode({
    source      = ["aws.backup"],
    detail-type = ["Copy Job State Change"],
    detail = {
      "state"         = ["COMPLETED"],
      "resourceType" = ["RDS", "Aurora"],
      "destinationBackupVaultArn" : [{
        "prefix": "arn:aws:backup:eu-west-1:DESTINATION_ACCOUNT_ID:backup-vault:",
        }]
    }
  })
}
resource "aws_cloudwatch_event_target" "rds_backup_complete" {
  rule      = aws_cloudwatch_event_rule.rds_backup_complete.name
  target_id = "rds-backup-complete"
  role_arn  = aws_iam_role.cloudwatch_backup_event_role.arn
  arn       = "arn:aws:events:eu-west-1:DESTINATION_ACCOUNT_ID:event-bus/default"
}

• amazon-web-services
• terraform
• terraform-provider-aws
• aws-event-bridge

Share Improve this question Follow asked Feb 24 at 22:25 KamelonKamelon 322 bronze badges

Add a comment  | 

1 Answer 1

Sorted by: Reset to default 0

You have a mismatch between the event pattern detail-type of you source account and dest account : detail-type = ["Copy Job State Changed"] vs detail-type = ["Copy Job State Change"] According to this page, the correct syntax is 'Change' without the 'd'.

本文标签： amazon web servicesEventBridge Event bus doesn39t receive crossaccount eventsStack Overflow