
AWS event bridge rule role not attaching to event bridge when creating via CloudFormation


I have a CloudFormation template to create an EventBridge rule with a target to a central event bus running in another account. When I run the code below, both the IAM role and the EventBridge rule are created, but the IAM role is not attached to the EventBridge rule. Below is the YAML template I am using.

Please see the attached screenshot also.

AWSTemplateFormatVersion: 2010-09-09
Resources:
    EventRuleRegion1:
        Type: AWS::Events::Rule
        Properties:
            Description: Event rule to send events to monitoring account event bus
            EventBusName: default
            EventPattern:
                source:
                    - aws.ec2
                    
            Name: ec2-lifecycle-events2
            RoleArn: !GetAtt
                - EventBridgeIAMrole
                - Arn
            State: ENABLED
            Targets:
                - Arn: >-
                    arn:aws:events:ap-southeast-2:123456789123:event-bus/central-eventbus-sydney
                  Id: 'central-eventbus-sydney'
    EventBridgeIAMrole:
        Type: 'AWS::IAM::Role'
        Properties:
            AssumeRolePolicyDocument:
                Version: 2012-10-17
                Statement:
                    - Effect: Allow
                      Principal:
                        Service: !Sub events.amazonaws.com
                      Action: 'sts:AssumeRole'
            Path: /
            Policies:
                - PolicyName: PutEventsDestinationBus
                  PolicyDocument:
                    Version: 2012-10-17
                    Statement:
                        - Effect: Allow
                          Action:
                            - 'events:PutEvents'
                          Resource:
                            - >-
                              arn:aws:events:ap-southeast-2:123456789123:event-bus/central-eventbus-sydney


Manually created event rule, which shows the role created and attached.


Policy in the role:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "events:PutEvents"
            ],
            "Resource": [
                "arn:aws:events:ap-southeast-2:123456789123:event-bus/central-eventbus-sydney"
            ]
        }
    ]
}

Solution

  • Cross-account permissions are not set using a role, but using EventBus resource permissions. From the AWS docs:

    The permissions for an event bus are granted or denied using a resource-based policy attached to the event bus.

    To do this in CloudFormation, you have to develop your own custom resource.

    Update

    You haven't specified RoleArn for your target. This is a different RoleArn than the one you have now.
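The two points in the answer, put together as an added example (not the asker's template and not the answerer's code): the sending account's rule carries the role on the Target entry rather than on the rule, and the receiving account attaches a resource-based policy to the central bus. The account IDs, region and bus name are placeholders, and the receiving side uses the AWS::Events::EventBusPolicy resource type in place of the custom resource the answer mentions; the two templates below are deployed separately, one in each account. The role keeps the least-privilege shape from the question: events:PutEvents only, and only on the one destination bus ARN.

```yaml
# ---- Template 1: sending account (added example, placeholders throughout) ----
AWSTemplateFormatVersion: 2010-09-09
Description: Forward EC2 events to a central bus in another account

Parameters:
  CentralBusArn:
    Type: String
    # Placeholder ARN of the destination bus in the monitoring account
    Default: arn:aws:events:ap-southeast-2:111111111111:event-bus/central-eventbus-sydney

Resources:
  EventBridgeIAMrole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service: events.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: PutEventsDestinationBus
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              # Least privilege: PutEvents only, and only on the one destination bus
              - Effect: Allow
                Action: events:PutEvents
                Resource: !Ref CentralBusArn

  EventRuleRegion1:
    Type: AWS::Events::Rule
    Properties:
      Name: ec2-lifecycle-events2
      Description: Event rule to send events to monitoring account event bus
      EventBusName: default
      State: ENABLED
      EventPattern:
        source:
          - aws.ec2
      # No rule-level RoleArn: the role that delivers to the remote bus
      # belongs on the target entry itself.
      Targets:
        - Id: central-eventbus-sydney
          Arn: !Ref CentralBusArn
          RoleArn: !GetAtt EventBridgeIAMrole.Arn

---
# ---- Template 2: receiving (monitoring) account, deployed separately ----
AWSTemplateFormatVersion: 2010-09-09
Description: Central bus plus the resource-based policy that admits the sender

Resources:
  CentralEventBus:
    Type: AWS::Events::EventBus
    Properties:
      Name: central-eventbus-sydney

  AllowSenderAccount:
    Type: AWS::Events::EventBusPolicy
    Properties:
      EventBusName: !Ref CentralEventBus
      StatementId: AllowSendingAccount
      Statement:
        Effect: Allow
        Principal:
          # Placeholder: the sending account's root principal, scoped to one account
          AWS: arn:aws:iam::222222222222:root
        Action: events:PutEvents
        Resource: !GetAtt CentralEventBus.Arn
```

Both halves are needed: without the target RoleArn the rule has no credentials to call PutEvents on the remote bus, and without the bus policy the remote bus rejects the call even when the role is correct. Keeping the bus policy scoped to a single account principal (or an organization condition) rather than a wildcard is what stops arbitrary accounts from injecting events into the central bus.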