
Resource: awsCloudwatchEventBusPolicy

Provides a resource to create an EventBridge event bus resource policy. The policy is what lets principals outside the bus owner's account (another account, or every account in an organization) put events onto the bus or inspect its rules, so it is the control point for cross-account events.

~> Note: EventBridge was formerly known as CloudWatch Events. The functionality is identical.

~> Note: The EventBridge bus policy resource (awsCloudwatchEventBusPolicy) is incompatible with the EventBridge permission resource (awsCloudwatchEventPermission). Both manage the same underlying bus policy, so whichever is applied last overwrites what the other set; manage a given bus with one resource type only.

Example Usage

Account Access

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
const dataAwsIamPolicyDocumentTest =
  new aws.dataAwsIamPolicyDocument.DataAwsIamPolicyDocument(this, "test", {
    statement: [
      {
        actions: ["events:PutEvents"],
        effect: "Allow",
        principals: [
          {
            identifiers: ["123456789012"],
            type: "AWS",
          },
        ],
        resources: ["arn:aws:events:eu-west-1:123456789012:event-bus/default"],
        sid: "DevAccountAccess",
      },
    ],
  });
const awsCloudwatchEventBusPolicyTest =
  new aws.cloudwatchEventBusPolicy.CloudwatchEventBusPolicy(this, "test_1", {
    eventBusName: "${aws_cloudwatch_event_bus.test.name}",
    policy: dataAwsIamPolicyDocumentTest.json,
  });
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsCloudwatchEventBusPolicyTest.overrideLogicalId("test");

Organization Access

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
const dataAwsIamPolicyDocumentTest =
  new aws.dataAwsIamPolicyDocument.DataAwsIamPolicyDocument(this, "test", {
    statement: [
      {
        actions: [
          "events:DescribeRule",
          "events:ListRules",
          "events:ListTargetsByRule",
          "events:ListTagsForResource",
        ],
        condition: [
          {
            test: "StringEquals",
            values: ["${aws_organizations_organization.example.id}"],
            variable: "aws:PrincipalOrgID",
          },
        ],
        effect: "Allow",
        principals: [
          {
            identifiers: ["*"],
            type: "AWS",
          },
        ],
        resources: [
          "arn:aws:events:eu-west-1:123456789012:rule/*",
          "arn:aws:events:eu-west-1:123456789012:event-bus/default",
        ],
        sid: "OrganizationAccess",
      },
    ],
  });
const awsCloudwatchEventBusPolicyTest =
  new aws.cloudwatchEventBusPolicy.CloudwatchEventBusPolicy(this, "test_1", {
    eventBusName: "${aws_cloudwatch_event_bus.test.name}",
    policy: dataAwsIamPolicyDocumentTest.json,
  });
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsCloudwatchEventBusPolicyTest.overrideLogicalId("test");

Multiple Statements

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
const dataAwsIamPolicyDocumentTest =
  new aws.dataAwsIamPolicyDocument.DataAwsIamPolicyDocument(this, "test", {
    statement: [
      {
        actions: ["events:PutEvents"],
        effect: "Allow",
        principals: [
          {
            identifiers: ["123456789012"],
            type: "AWS",
          },
        ],
        resources: ["arn:aws:events:eu-west-1:123456789012:event-bus/default"],
        sid: "DevAccountAccess",
      },
      {
        actions: [
          "events:DescribeRule",
          "events:ListRules",
          "events:ListTargetsByRule",
          "events:ListTagsForResource",
        ],
        condition: [
          {
            test: "StringEquals",
            values: ["${aws_organizations_organization.example.id}"],
            variable: "aws:PrincipalOrgID",
          },
        ],
        effect: "Allow",
        principals: [
          {
            identifiers: ["*"],
            type: "AWS",
          },
        ],
        resources: [
          "arn:aws:events:eu-west-1:123456789012:rule/*",
          "arn:aws:events:eu-west-1:123456789012:event-bus/default",
        ],
        sid: "OrganizationAccess",
      },
    ],
  });
const awsCloudwatchEventBusPolicyTest =
  new aws.cloudwatchEventBusPolicy.CloudwatchEventBusPolicy(this, "test_1", {
    eventBusName: "${aws_cloudwatch_event_bus.test.name}",
    policy: dataAwsIamPolicyDocumentTest.json,
  });
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsCloudwatchEventBusPolicyTest.overrideLogicalId("test");
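The JSON that the dataAwsIamPolicyDocument data source renders for the "Multiple Statements" case above, together with a lint pass to run before the document reaches the policy argument. This is an added example, not code from the AWS provider or from these docs: it reconstructs the rendered document by hand and checks the two things that make a bus policy over-permissive (a wildcard principal without the aws:PrincipalOrgID fence, and a resource outside the bus's own account and region). ORG_ID is a constructed placeholder for aws_organizations_organization.example.id, and lintBusPolicy and renderPolicy are names chosen here.

```typescript
// Added example; not code from the AWS provider or these docs. It builds the
// JSON that aws_iam_policy_document renders for the "Multiple Statements"
// case and lints it before it reaches aws_cloudwatch_event_bus_policy.

type StrOrList = string | string[];

interface Statement {
  Sid?: string;
  Effect: "Allow" | "Deny";
  Principal: "*" | { AWS: StrOrList };
  Action: StrOrList;
  Resource: StrOrList;
  Condition?: Record<string, Record<string, StrOrList>>;
}

interface PolicyDocument {
  Version: "2012-10-17";
  Statement: Statement[];
}

const asList = (v: StrOrList): string[] => (Array.isArray(v) ? v : [v]);

// ARN layout: arn:partition:service:region:account:resource
function arnParts(arn: string): { region: string; account: string } {
  const p = arn.split(":");
  if (p.length < 6 || p[0] !== "arn") throw new Error(`not an ARN: ${arn}`);
  return { region: p[3], account: p[4] };
}

function isWildcardPrincipal(p: Statement["Principal"]): boolean {
  return p === "*" || asList(p.AWS).includes("*");
}

// True when StringEquals pins aws:PrincipalOrgID (condition keys are case-insensitive).
function hasOrgIdCondition(s: Statement): boolean {
  const eq = s.Condition?.["StringEquals"] ?? {};
  return Object.keys(eq).some((k) => k.toLowerCase() === "aws:principalorgid");
}

// One finding per Allow statement that widens access beyond the bus owner or the
// organization; an empty list means the document passed.
export function lintBusPolicy(doc: PolicyDocument, busArn: string): string[] {
  const bus = arnParts(busArn);
  const findings: string[] = [];
  for (const s of doc.Statement) {
    if (s.Effect !== "Allow") continue;
    const sid = s.Sid ?? "<no Sid>";
    // A "*" principal is only acceptable when the statement is fenced to the org.
    if (isWildcardPrincipal(s.Principal) && !hasOrgIdCondition(s)) {
      findings.push(`${sid}: wildcard principal without an aws:PrincipalOrgID condition`);
    }
    if (asList(s.Action).some((a) => a === "*" || a === "events:*")) {
      findings.push(`${sid}: grants every events: action`);
    }
    // Every resource named in a bus policy should live in the bus's own account and region.
    for (const r of asList(s.Resource)) {
      const parts = arnParts(r);
      if (parts.account !== bus.account || parts.region !== bus.region) {
        findings.push(`${sid}: resource ${r} is outside the bus's account/region`);
      }
    }
  }
  return findings;
}

// Refuses to render a document that fails the lint; the string is what goes into policy.
export function renderPolicy(doc: PolicyDocument, busArn: string): string {
  const findings = lintBusPolicy(doc, busArn);
  if (findings.length > 0) throw new Error(findings.join("\n"));
  return JSON.stringify(doc, null, 2);
}

export const BUS_ARN = "arn:aws:events:eu-west-1:123456789012:event-bus/default";
const ORG_ID = "o-exampleorgid"; // constructed placeholder for the organization id

// The two statements from the "Multiple Statements" example, as the data source renders them.
export const multiStatementPolicy: PolicyDocument = {
  Version: "2012-10-17",
  Statement: [
    {
      Sid: "DevAccountAccess",
      Effect: "Allow",
      Principal: { AWS: "123456789012" },
      Action: "events:PutEvents",
      Resource: BUS_ARN,
    },
    {
      Sid: "OrganizationAccess",
      Effect: "Allow",
      Principal: { AWS: "*" },
      Action: ["events:DescribeRule", "events:ListRules", "events:ListTargetsByRule", "events:ListTagsForResource"],
      Resource: ["arn:aws:events:eu-west-1:123456789012:rule/*", BUS_ARN],
      Condition: { StringEquals: { "aws:PrincipalOrgID": ORG_ID } },
    },
  ],
};

// Constructed bad variant: the same document with the organization fence dropped,
// which leaves the rule-listing actions open to any AWS principal.
export const unfencedPolicy: PolicyDocument = {
  Version: "2012-10-17",
  Statement: multiStatementPolicy.Statement.map((s) =>
    s.Sid === "OrganizationAccess" ? { ...s, Condition: undefined } : s
  ),
};
```

The lint treats a wildcard principal as acceptable only under a StringEquals on aws:PrincipalOrgID, because that condition is the only thing in the Organization Access statement that keeps it from granting read access to every AWS account. It does not validate that the org ID itself is the right one; that still has to come from aws_organizations_organization rather than a literal.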

Argument Reference

The following arguments are supported:

  • policy - (Required) The policy document, as JSON text. For more information about building AWS IAM policy documents with Terraform, see the AWS IAM Policy Document Guide.
  • eventBusName - (Optional) The name of the event bus to set the permissions on. If you omit this, the permissions are set on the default event bus.

Attributes Reference

In addition to all arguments above, the following attributes are exported:

  • id - The name of the EventBridge event bus.

Import

An EventBridge event bus policy can be imported using the event bus name (eventBusName), e.g.,

$ terraform import aws_cloudwatch_event_bus_policy.DevAccountAccess example-event-bus