aws-cdk: @aws-cdk/aws-events: Can't create EventBridge Rule for bus in different region
Describe the bug
I want to add a rule on an Event Bus in a different account and region. If I create a new Rule, the CDK seems to ignore the region in the event bus’ ARN and uses the region of the current app instead.
Expected Behavior
I expect the CDK to try to create the rule on the event bus specified. (in this case the event bus ARN is arn:aws:events:eu-west-2:XXXXXXXXXXXX:event-bus/my-event-bus)
Current Behavior
I receive the following error (N.b. The CDK app is deployed in the us-east-1 region).
Error: The stack named XAcctDestinationBusStack failed to deploy: UPDATE_ROLLBACK_COMPLETE: User: arn:aws:sts::YYYYYYYYYYYY:assumed-role/cdk-hnb659fds-cfn-exec-role-YYYYYYYYYYYY-us-east-1/AWSCloudFormation is not authorized to perform: events:PutRule on resource: arn:aws:events:us-east-1:XXXXXXXXXXXX:rule/my-event-bus/XAcctDestinationBusStack-forwardEventsFromSourceBu-SI90TXUR6U6F because no resource-based policy allows the events:PutRule action (Service: AmazonCloudWatchEvents; Status Code: 400; Error Code: AccessDeniedException;
Note that the region in the ARN has been changed to the app region us-east-1, which is why it fails.
Reproduction Steps
import * as cdk from "aws-cdk-lib";
import { Construct } from "constructs";
import * as events from "aws-cdk-lib/aws-events";
import * as targets from "aws-cdk-lib/aws-events-targets";

// Event bus in another account AND another region (eu-west-2); the app itself deploys to us-east-1.
const sourceBusArn =
  "arn:aws:events:eu-west-2:XXXXXXXXXXXX:event-bus/my-event-bus";

export class XAcctDestinationBusStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    // Local bus that will receive the forwarded events.
    const bus = new events.EventBus(this, "bus");

    // Import the remote bus by ARN; the ARN is passed as the name too, which the
    // eventBusName documentation says is accepted.
    const sourceBus = events.EventBus.fromEventBusAttributes(this, "sourceBus", {
      eventBusArn: sourceBusArn,
      eventBusName: sourceBusArn,
      eventBusPolicy: "",
    });

    // Rule on the remote bus; CloudFormation ends up creating it in us-east-1 instead of eu-west-2.
    new events.Rule(this, "forwardEventsFromSourceBus", {
      eventBus: sourceBus,
      eventPattern: { source: ["*"] },
      targets: [new targets.EventBus(bus)],
    });
  }
}
Possible Solution
I’ve looked into the source code and the Rule class seems to construct a new CfnRule, passing in the ARN as eventBusName. I’m not sure how to find the source of CfnRule to see what it’s doing with the region.
Additional Information/Context
No response
CDK CLI Version
2.84.0 (build f7c792f)
Framework Version
No response
Node.js Version
16.20.0
OS
MacOS Ventura 13.4
Language
Typescript
Language Version
No response
Other information
No response
About this issue
- State: open
- Created a year ago
- Reactions: 4
- Comments: 15 (7 by maintainers)
Hi @peterwoodworth - we are creating an Event Rule on a Bus in a different account.
In the CF template, the full ARN is not rendered; it is just the Event Bus name. So we also have to add:
If I read correctly - https://github.com/aws/aws-cdk/blob/main/packages/aws-cdk-lib/aws-events/lib/rule.ts#L114 this should be setting the eventBusArn, not eventBusName.
To post an update here, I have reported this internally and will provide updates when I have them (P99178026)
The documentation for eventBusName states: “The name or ARN of the event bus associated with the rule.” So it’s confusingly named but should be able to (and actually will) accept an ARN.
N.b. You can tell that it reads more than just the name because it gets the account ID from the ARN correctly, and I’ve successfully been able to do this when the external event bus is in the same region as the current stack but in a different account.
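The comment above pins down the observed behaviour: the account in the bus ARN is honoured, the region is not. The following is an added example, not code from the issue or from aws-cdk, showing a synth-time guard that catches this mismatch before CloudFormation reports an AccessDenied on a rule in the wrong region. It assumes the standard event-bus ARN shape `arn:<partition>:events:<region>:<account>:event-bus/<name>` and reconstructs the rule ARN from the shape visible in the error message in this issue; the function names (`parseEventBusArn`, `effectiveRuleArn`, `checkCrossRegionBus`) are hypothetical and the sample account IDs are placeholders.

```typescript
// Added example (not from the issue or aws-cdk): detect a cross-region event bus
// before deploying, since the rule would silently land in the stack's region.
// Assumption: event-bus ARNs look like arn:<partition>:events:<region>:<account>:event-bus/<name>.

interface EventBusArn {
  partition: string;
  region: string;
  account: string;
  busName: string;
}

const EVENT_BUS_ARN = /^arn:([^:]+):events:([^:]*):([^:]+):event-bus\/(.+)$/;

// Split an event-bus ARN into its components; throws on anything else.
function parseEventBusArn(arn: string): EventBusArn {
  const m = EVENT_BUS_ARN.exec(arn);
  if (!m) {
    throw new Error(`not an EventBridge event-bus ARN: ${arn}`);
  }
  return { partition: m[1], region: m[2], account: m[3], busName: m[4] };
}

// The rule ARN CloudFormation actually tries to PutRule on, following the shape in the
// AccessDenied message of this issue: account taken from the bus ARN, region from the stack.
function effectiveRuleArn(busArn: string, stackRegion: string, ruleName: string): string {
  const bus = parseEventBusArn(busArn);
  return `arn:${bus.partition}:events:${stackRegion}:${bus.account}:rule/${bus.busName}/${ruleName}`;
}

// Returns a list of problems; an empty list means the rule will be created where expected.
function checkCrossRegionBus(busArn: string, stackRegion: string): string[] {
  const problems: string[] = [];
  const bus = parseEventBusArn(busArn);
  if (bus.region !== stackRegion) {
    problems.push(
      `event bus ${bus.busName} lives in ${bus.region} but the stack deploys to ${stackRegion}; ` +
        `the rule would be created in ${stackRegion}`
    );
  }
  return problems;
}

// Hypothetical usage with the values from this issue (account ID is the reporter's placeholder).
const issueBusArn = "arn:aws:events:eu-west-2:XXXXXXXXXXXX:event-bus/my-event-bus";
const issueStackRegion = "us-east-1";
console.log(checkCrossRegionBus(issueBusArn, issueStackRegion));
console.log(effectiveRuleArn(issueBusArn, issueStackRegion, "forwardEventsFromSourceBus"));
```

Calling `checkCrossRegionBus` in the stack constructor (and throwing if it returns anything) turns the deploy-time rollback into a synth-time failure; the same-region, cross-account case that the comment above reports as working yields an empty list and is left alone.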
I should add the reason I want to do this…we’re implementing a separate “DevOps bus” account as per this article: https://github.com/aws-samples/amazon-eventbridge-resource-policy-samples/blob/main/patterns/README.md (I guess the article’s author has all their services in the same regions so didn’t hit this issue).
In this pattern the rules are created on the bus in the central account by the subscriber accounts, leaving the central bus account cleanly separated from that logic.