
[aws-events-targets] add a target for a cross-account eventbus #9473

@aws-cdk/aws-events-targets effort/small Small work item – less than a day of effort feature-request A feature should be added or improved. good first issue Related to contributions. See CONTRIBUTING.md p2

Comments

@jacques-

jacques- commented Aug 5, 2020

I would like a "CrossAccountEventBus" target in aws_events_targets that allows me to forward events to the default eventbus of a different account.

I did see https://docs.aws.amazon.com/cdk/api/latest/docs/aws-events-readme.html#cross-account-targets - but this seems to make changes in the target account which doesn't work in my case.

Use Case

I have a target account where the default eventbus has already been configured with a policy to accept forwarded events; I would like to create a rule that targets this cross-account eventbus.

Proposed Solution

A target in aws_events_targets (like https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-events-targets.SnsTopic.html) but that only has an ARN property.

Other

I'm opening this feature request as was recommended to another commenter here: #2850

I'm currently working around this by using the CfnRule, but this is a bit of a bummer as I can use the very handy .on_xxx methods.

  • 👋 I may be able to implement this feature request
  • ⚠️ This feature might incur a breaking change

This is a 🚀 Feature Request

@jacques- jacques- added feature-request A feature should be added or improved. needs-triage This issue or PR still needs to be triaged. labels Aug 5, 2020
@SomayaB SomayaB changed the title [aws_events_targets] add a target for a cross-account eventbus [aws-events-targets] add a target for a cross-account eventbus Aug 6, 2020
@rix0rrr
Contributor

rix0rrr commented Aug 10, 2020

Yep, this would probably be a good idea. Thanks for the request.

It's unlikely we will take this on quickly but you should be able to add it yourself in a PR if you want.

@rix0rrr rix0rrr added effort/small Small work item – less than a day of effort good first issue Related to contributions. See CONTRIBUTING.md p2 and removed needs-triage This issue or PR still needs to be triaged. labels Aug 10, 2020
@SomayaB SomayaB assigned shivlaks and unassigned rix0rrr Aug 20, 2020
@alanraison
Contributor

I would like to have a go at this, if that's ok? I have a similar requirement.

@gabrielbastien

Please add this feature! It's important!

@hlascelles

hlascelles commented Jan 20, 2021

I have implemented this as follows. It works well for me...

import { IRule, Rule, RuleTargetConfig } from "@aws-cdk/aws-events";
import { Effect, PolicyStatement, Role, ServicePrincipal } from "@aws-cdk/aws-iam";
import { ServicePrincipals } from "cdk-constants";

const targetAccountId = "123456789009";
const targetAccountDefaultBus = `arn:aws:events:eu-west-1:${targetAccountId}:event-bus/default`;

// Role that EventBridge assumes when it delivers to the other account's bus
const publishingRole = new Role(this, "PublishingRole", {
  assumedBy: new ServicePrincipal(ServicePrincipals.EVENTS)
});
// Least privilege: only PutEvents, and only on the one target bus
publishingRole.addToPolicy(
  new PolicyStatement({
    effect: Effect.ALLOW,
    resources: [targetAccountDefaultBus],
    actions: [
      "events:PutEvents"
    ]
  })
);

// This rule captures authentication events and sends them to the
// default EventBridge bus in the other account
const rule = new Rule(this, "EventRule", {
  description: "Captures events",
  ruleName: "EventRule",
  enabled: true,
  eventPattern: {
    source: ["aws.someservice"]
  }
});

// Inline IRuleTarget: the target is just the remote bus ARN plus the role above
rule.addTarget({
  bind(_rule: IRule, generatedTargetId: string): RuleTargetConfig {
    return {
      arn: targetAccountDefaultBus,
      id: generatedTargetId,
      role: publishingRole
    };
  }
});

Don't forget to also log into the target account and set the default bus to permit submissions from the origin account (or Organisation as a whole).

Have a go, see if it works out for you. Be good to get a formal version though too...
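The target-account step mentioned above (permitting the source account, or the whole organisation, on the default bus), as an added example that is not code from this thread or from the CDK project: a small Python helper that builds the target bus ARN the rule uses, builds the bus resource policy for either kind of grant, and flags statements that would accept events from any AWS account. The account and organisation IDs are constructed placeholders.

```python
import re
from typing import Optional

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")


def event_bus_arn(region: str, account_id: str, bus_name: str = "default") -> str:
    """ARN for the rule target; rejects account IDs that are not 12 digits."""
    if not ACCOUNT_ID_RE.match(account_id):
        raise ValueError(f"account id must be 12 digits, got {account_id!r}")
    return f"arn:aws:events:{region}:{account_id}:event-bus/{bus_name}"


def put_events_policy(bus_arn: str, source_account_id: Optional[str] = None,
                      org_id: Optional[str] = None) -> dict:
    """Target-bus resource policy: PutEvents for one source account or for a whole org."""
    if (source_account_id is None) == (org_id is None):
        raise ValueError("give exactly one of source_account_id or org_id")
    statement = {"Sid": "AllowCrossAccountPutEvents", "Effect": "Allow",
                 "Action": "events:PutEvents", "Resource": bus_arn}
    if source_account_id is not None:
        # Single account: grant to that account's root principal.
        statement["Principal"] = {"AWS": f"arn:aws:iam::{source_account_id}:root"}
    else:
        # Whole organisation: wildcard principal narrowed by aws:PrincipalOrgID.
        statement["Principal"] = "*"
        statement["Condition"] = {"StringEquals": {"aws:PrincipalOrgID": org_id}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def _is_wildcard(principal) -> bool:
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False


def unscoped_statements(policy: dict) -> list:
    """Sids of Allow statements that let any AWS account put events (wildcard, no org scope)."""
    found = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or not _is_wildcard(stmt.get("Principal")):
            continue
        keys = {k for block in stmt.get("Condition", {}).values() for k in block}
        if "aws:PrincipalOrgID" not in keys:
            found.append(stmt.get("Sid", "<no Sid>"))
    return found
```

Run `unscoped_statements` over the policy already attached to the target bus before adding a new grant; an empty list means every Allow is pinned to an account or an organisation.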

@alanraison
Contributor

Sorry I'm having a lot of trouble getting the project to build 🙁

@NGL321 NGL321 assigned rix0rrr and unassigned shivlaks Jan 25, 2021
@strannik19

Thanks @hlascelles for the inspiration. Dirty Python code that works for me:

import jsii
from aws_cdk import aws_events as events
from aws_cdk import aws_iam as iam


@jsii.implements(events.IRuleTarget)
class EventBridgeEventTarget:
    """Rule target that points at another account's event bus (default bus unless told otherwise)."""

    def __init__(
        self,
        id: str,
        target_account_id: str,
        role: iam.Role,
        target_region: str = "eu-west-1",
        target_topic: str = "default",
    ) -> None:
        self.id = id
        self.role = role  # role assumed by events.amazonaws.com with events:PutEvents on the bus
        self.target_account_id = target_account_id
        self.target_region = target_region
        self.target_topic = target_topic

    def bind(self, rule, id=None):
        # The target is just the remote bus ARN plus the publishing role
        return events.RuleTargetConfig(
            arn=f"arn:aws:events:{self.target_region}:{self.target_account_id}:event-bus/{self.target_topic}",
            role=self.role,
            id=self.id,
        )

@sblackstone
Contributor

sblackstone commented Feb 5, 2021

@alanraison see if this helps, it's basically the same thing that @hlascelles posted but a bit more stand-alone (they're referencing a few things that are specific to their code base)

const iam = require('@aws-cdk/aws-iam');
const events = require('@aws-cdk/aws-events');

const TARGET_ACCOUNT_ID = "123456789012"; // 12-digit id of the account that owns the target bus
const TARGET_ACCOUNT_REGION = 'us-east-1';

// Role that EventBridge assumes when delivering to the other account's bus
const publishingRole = new iam.Role(this, "PublishingRole", {
  assumedBy: new iam.ServicePrincipal('events.amazonaws.com'),
});

const targetArn = `arn:aws:events:${TARGET_ACCOUNT_REGION}:${TARGET_ACCOUNT_ID}:event-bus/default`;

// Least privilege: PutEvents on the single target bus only
publishingRole.addToPolicy(
  new iam.PolicyStatement({
    effect: iam.Effect.ALLOW,
    resources: [targetArn],
    actions: [
      "events:PutEvents"
    ]
  })
);

const rule = new events.Rule(this, "forwardingRule", {
  description: "Forwards Events to Another Bus",
  ruleName: "forwardingRule",
  eventBus: this.eventBus, // bus to listen on in this account; omit to use the default bus
  enabled: true,
  eventPattern: {
    source: ["your-namespace"] // <--- update this
  }
});

// Inline IRuleTarget: remote bus ARN plus the publishing role
rule.addTarget({
  bind: (rule, id) => ({
    arn: targetArn,
    id: id,
    role: publishingRole
  })
});

@shaleenmundra

shaleenmundra commented Feb 5, 2021

I used the below to send an event to a different account's default bus. I was setting up the event on a Step Function status change to SUCCEEDED.

import { CfnRule } from "@aws-cdk/aws-events";
import TargetProperty = CfnRule.TargetProperty;

const targetProperty: TargetProperty = {
  id: `CrossAccountTarget`,
  arn: `arn:aws:events:<region>:<targetAccountId>:event-bus/default`,
};
const cfnRuleCrossAccount = new CfnRule(this, `CrossAccountRule`, {
  description: "Cross Account rule to send event to different AWS Account",
  state: "ENABLED",
  targets: [targetProperty],
  eventPattern: {
    "source": [
      "aws.states"
    ],
    "detail-type": [
      "Step Functions Execution Status Change"
    ],
    "detail": {
      "status": [
        "SUCCEEDED"
      ]
    }
  }
});

You just have to create a targetProperty and give it the ARN of the target event bus.
Then create a CfnRule and supply it the targetProperty as the targets prop.

@mergify mergify bot closed this as completed in #12926 Feb 26, 2021
mergify bot pushed a commit that referenced this issue Feb 26, 2021
Closes #9473 
----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@github-actions

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

This was referenced Mar 8, 2021