nbrational/CFN_EventBusPolicy_Bug156
Workaround For CFN_EventBusPolicy_Bug156

Background

The main issue is being tracked under aws-cloudformation-coverage-roadmap issue #156

Issue Description

Change set creation fails if a CloudFormation stack contains a resource of type AWS::Events::EventBusPolicy that uses the Condition property. Sample template code to reproduce the issue:

Resources:
  CompanyEventBusPolicy:
    Type: AWS::Events::EventBusPolicy
    Properties:
      Action: events:PutEvents
      Principal: '*'
      StatementId: EventBusPolicyStatement
      Condition:
        Type: StringEquals
        Key: aws:PrincipalOrgID
        Value: o-7gdn86yz4h

The cause is that the property name Condition collides with the CloudFormation intrinsic function of the same name ('Condition'), so the template is rejected when the change set is created.

Workaround

The workaround is to use a CloudFormation custom resource to implement creation, update and deletion of the EventBusPolicy.

Custom resources enable you to write custom provisioning logic in templates that AWS CloudFormation runs anytime you create, update (if you changed the custom resource), or delete stacks.

The custom resource takes a property called 'TheCondition' instead of 'Condition', since the latter collides with the CloudFormation intrinsic function. An empty EventBusName selects the default event bus. For example:

CustomEventBusPolicy:
  Type: Custom::CustomEventBusPolicy
  Properties:
    ServiceToken: !GetAtt  CreateEventBusPolicyLambda.Arn
    Region: !Ref  "AWS::Region"
    EventBusName: ''
    Action: events:PutEvents
    Principal: '*'
    StatementId: CM2PatchStatement
    TheCondition:
      Type: 'StringEquals'
      Key: 'aws:PrincipalOrgID'
      Value: 'o-6fmn73yz43'

The Lambda execution role (AWS::IAM::Role) and the function (AWS::Lambda::Function) can be created in the same template; refer to the file CustomResourceEventBusPolicyTemplate.yaml. Because the function only needs to call PutPermission and RemovePermission, scope its role to events:PutPermission and events:RemovePermission (plus CloudWatch Logs for the function's log group) rather than granting events:*.

The custom resource code lambda_function.py implements the Create, Update and Delete request types of the CloudFormation custom resource to imitate the functionality of AWS::Events::EventBusPolicy.

Change set creation works with Custom::CustomEventBusPolicy in the template in place of AWS::Events::EventBusPolicy.
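As an added illustration of what such a handler has to get right, here is a complete Custom::CustomEventBusPolicy handler in Python. This is example code written for this page, not the repository's lambda_function.py; the function names, the FakeEvents stand-in and the wildcard-principal guardrail are assumptions. It maps TheCondition back onto the EventBridge PutPermission API's Condition parameter, omits EventBusName when the template passes '' (the default bus), treats a Delete of an already-removed statement as success so the stack cannot stall, and refuses to create a Principal '*' statement with no condition, since with a wildcard principal the condition is the only thing restricting who can PutEvents.

```python
# Added example (not the repository's lambda_function.py): a handler for
# Custom::CustomEventBusPolicy. Names below are assumptions, not the project's.
import json
import urllib.request


def build_put_permission_args(props):
    """Translate custom-resource properties into EventBridge PutPermission kwargs,
    mapping TheCondition back onto the API's Condition parameter."""
    args = {"Action": props.get("Action", "events:PutEvents"),
            "Principal": props["Principal"], "StatementId": props["StatementId"]}
    # '' in the template means the default bus; PutPermission rejects an empty
    # EventBusName, so omit the key instead of passing ''.
    if props.get("EventBusName"):
        args["EventBusName"] = props["EventBusName"]
    cond = props.get("TheCondition")
    if cond:
        missing = {"Type", "Key", "Value"} - set(cond)
        if missing:
            raise ValueError(f"TheCondition is missing {sorted(missing)}")
        args["Condition"] = {k: str(cond[k]) for k in ("Type", "Key", "Value")}
    elif args["Principal"] == "*":
        # Guardrail added in this example (the API itself allows it): with
        # Principal '*' the condition is the only thing restricting who may
        # PutEvents, so a dropped condition would open the bus to any account.
        raise ValueError("Principal '*' requires TheCondition (e.g. aws:PrincipalOrgID)")
    return args


def physical_id(props):
    return f"{props.get('EventBusName') or 'default'}/{props['StatementId']}"


def apply_request(events, event):
    """Run one CloudFormation request; returns (PhysicalResourceId, Data)."""
    req, props = event["RequestType"], event["ResourceProperties"]
    if req in ("Create", "Update"):
        args = build_put_permission_args(props)
        # PutPermission overwrites a statement with the same StatementId. If an
        # Update changes the StatementId the physical id changes too, and
        # CloudFormation follows up with a Delete carrying the old properties.
        events.put_permission(**args)
        return physical_id(props), {"StatementId": args["StatementId"]}
    if req == "Delete":
        args = {"StatementId": props["StatementId"]}
        if props.get("EventBusName"):
            args["EventBusName"] = props["EventBusName"]
        try:
            events.remove_permission(**args)
        except events.exceptions.ResourceNotFoundException:
            pass  # already gone; Delete must still succeed or the stack stalls
        return event.get("PhysicalResourceId") or physical_id(props), {}
    raise ValueError(f"unsupported RequestType {req!r}")


def send_response(event, context, status, phys_id, data=None, reason=None):
    """PUT the result to the pre-signed ResponseURL CloudFormation provided."""
    body = json.dumps({
        "Status": status, "PhysicalResourceId": phys_id, "Data": data or {},
        "Reason": reason or f"See log stream {getattr(context, 'log_stream_name', '')}",
        "StackId": event["StackId"], "RequestId": event["RequestId"],
        "LogicalResourceId": event["LogicalResourceId"]}).encode()
    req = urllib.request.Request(event["ResponseURL"], data=body, method="PUT",
                                 headers={"Content-Type": "", "Content-Length": str(len(body))})
    urllib.request.urlopen(req).close()


def lambda_handler(event, context, events=None):
    """Lambda entry point; every path, including failure, answers CloudFormation."""
    if events is None:
        import boto3  # available inside Lambda; injected (FakeEvents) offline
        events = boto3.client("events")
    try:
        phys_id, data = apply_request(events, event)
        send_response(event, context, "SUCCESS", phys_id, data)
    except Exception as exc:
        phys_id = event.get("PhysicalResourceId") or getattr(context, "log_stream_name", "none")
        send_response(event, context, "FAILED", phys_id, reason=str(exc))


class FakeEvents:
    """Constructed in-memory stand-in for boto3's events client (offline runs only)."""
    class exceptions:
        class ResourceNotFoundException(Exception):
            pass

    def __init__(self):
        self.statements = {}

    def put_permission(self, **kw):
        self.statements[kw["StatementId"]] = kw

    def remove_permission(self, **kw):
        if kw["StatementId"] not in self.statements:
            raise self.exceptions.ResourceNotFoundException()
        del self.statements[kw["StatementId"]]
```

FakeEvents exists only so the block runs offline; inside Lambda, lambda_handler builds the real boto3 client and apply_request issues the same put_permission and remove_permission calls against it. The guardrail in build_put_permission_args fails the stack rather than silently creating an unconditioned wildcard statement, which is the failure mode that matters when Principal is '*'.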

Usage

  • Clone the repository.

  • Zip the custom resource Lambda code lambda_function.py and upload it to an S3 bucket (the bucket name must be globally unique):

      zip function.zip lambda_function.py
      aws s3 mb s3://mylambdacodebucket
      aws s3 cp function.zip s3://mylambdacodebucket/
    
  • Update CustomResourceEventBusPolicyTemplate.yaml to replace S3Bucket and PrincipalOrgID with your bucket name and organization ID.

  • Create the stack in the CloudFormation console using CustomResourceEventBusPolicyTemplate.yaml.

  • After the stack completes, verify the policy that was actually attached to the bus (for example with aws events describe-event-bus, whose Policy field is the bus policy JSON). Because Principal is '*', the aws:PrincipalOrgID condition is the only thing restricting who can PutEvents, so confirm that the statement carries it before relying on the policy.