Resource: awsCloudwatchEventPermission

Provides a resource to create an EventBridge permission to support cross-account events in the current account default event bus.

~> Note: EventBridge was formerly known as CloudWatch Events. The functionality is identical.

~> Note: The EventBridge bus policy resource (awsCloudwatchEventBusPolicy) is incompatible with the EventBridge permission resource (awsCloudwatchEventPermission) and will overwrite permissions.

Example Usage

Account Access

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
new aws.cloudwatchEventPermission.CloudwatchEventPermission(
  this,
  "DevAccountAccess",
  {
    principal: "123456789012",
    statementId: "DevAccountAccess",
  }
);

Organization Access

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
new aws.cloudwatchEventPermission.CloudwatchEventPermission(
  this,
  "OrganizationAccess",
  {
    condition: {
      key: "aws:PrincipalOrgID",
      type: "StringEquals",
      value: "${aws_organizations_organization.example.id}",
    },
    principal: "*",
    statementId: "OrganizationAccess",
  }
);

Argument Reference

The following arguments are supported:

  • principal - (Required) The 12-digit AWS account ID that you are permitting to put events to your default event bus. Specify * to permit any account to put events to your default event bus, optionally limited by condition.
  • statementId - (Required) An identifier string for the external account that you are granting permissions to.
  • action - (Optional) The action that you are enabling the other account to perform. Defaults to events:PutEvents.
  • condition - (Optional) Configuration block to limit the event bus permissions you are granting to only accounts that fulfill the condition. Specified below.
  • eventBusName - (Optional) The name of the event bus to set the permissions on. If you omit this, the permissions are set on the default event bus.

condition

  • key - (Required) Key for the condition. Valid values: aws:PrincipalOrgID.
  • type - (Required) Type of condition. Valid values: StringEquals.
  • value - (Required) Value for the key (for aws:PrincipalOrgID, the ID of the AWS Organization whose member accounts are permitted).
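As an added example (not the provider's own code), a small pre-deploy check over the props listed above. It flags the one combination a reviewer most wants to catch, a principal of "*" with no condition, which lets any AWS account put events on the bus, and validates the condition against the valid values documented here. The interfaces and checkPermission are this example's own names.

```typescript
// Added example, not part of the provider documentation. Mirrors the
// CloudwatchEventPermission props documented on this page; names are our own.
interface PermissionCondition {
  key: string;   // valid value per the docs: aws:PrincipalOrgID
  type: string;  // valid value per the docs: StringEquals
  value: string; // organization ID, or a Terraform/cdktf token reference
}

interface PermissionProps {
  principal: string;            // 12-digit account ID or "*"
  statementId: string;
  action?: string;              // defaults to events:PutEvents
  condition?: PermissionCondition;
  eventBusName?: string;        // omitted means the default event bus
}

// Returns a list of findings; an empty list means the grant matches one of
// the two documented patterns (single account, or any account limited to an org).
function checkPermission(props: PermissionProps): string[] {
  const findings: string[] = [];
  const bus = props.eventBusName ?? "default";
  const isAccount = /^\d{12}$/.test(props.principal);

  if (!isAccount && props.principal !== "*") {
    findings.push(`principal must be a 12-digit account ID or "*", got "${props.principal}"`);
  }
  // "*" without a condition is the over-broad grant: every AWS account may
  // put events on this bus, not only the organization's members.
  if (props.principal === "*" && props.condition === undefined) {
    findings.push(`principal "*" on bus "${bus}" has no condition; any AWS account may put events`);
  }
  if (props.condition !== undefined) {
    const { key, type, value } = props.condition;
    if (key !== "aws:PrincipalOrgID") findings.push(`unsupported condition key "${key}"`);
    if (type !== "StringEquals") findings.push(`unsupported condition type "${type}"`);
    if (value.trim() === "") findings.push("condition value is empty");
  }
  if (props.action !== undefined && props.action !== "events:PutEvents") {
    findings.push(`non-default action "${props.action}"; confirm it is intended`);
  }
  return findings;
}
```

Run it over each CloudwatchEventPermission props object before synthesizing, and fail the build when it returns any finding.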

Attributes Reference

In addition to all arguments above, the following attributes are exported:

  • id - The statement ID of the EventBridge permission.

Import

EventBridge permissions can be imported using the eventBusName/statementId (if you omit eventBusName, the default event bus will be used), e.g.,

$ terraform import aws_cloudwatch_event_permission.DevAccountAccess example-event-bus/DevAccountAccess