Tags: amazon-web-services, terraform, state-machine, aws-step-functions, amazon-cloudwatch-events

How to use Terraform to define CloudWatch event rules to trigger a Step Functions state machine


I have defined the creation of a Step Functions state machine in Terraform; now I want to set a timer to trigger the state machine every day. I think using CloudWatch event rules is probably a good choice. I know how to set up an event rule to trigger a Lambda:

resource "aws_cloudwatch_event_rule" "lambda_event_rule" {
  name                = "xxx"   # placeholder: rule name
  schedule_expression = "xxx"   # placeholder: rate(...) or cron(...) expression
  description         = "xxx"
}

resource "aws_cloudwatch_event_target" "lambda_event_target" {
  target_id = "xxx"             # placeholder: unique id within the rule
  rule      = aws_cloudwatch_event_rule.lambda_event_rule.name
  arn       = "xxx"             # placeholder: ARN of the Lambda function
}

# I must set up the right permissions using 'aws_lambda_permission'
# see: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_target

resource "aws_lambda_permission" "lambda_event_permission" {
  statement_id  = "xxx"         # placeholder
  action        = "lambda:InvokeFunction"
  function_name = "xxx"         # placeholder: name of the Lambda function
  principal     = "events.amazonaws.com"
  # source_arn must be the rule's ARN (not its name) so only this rule may invoke the function
  source_arn    = aws_cloudwatch_event_rule.lambda_event_rule.arn
}

But how can I set up the permission part for triggering a state machine? I couldn't find any examples of it. Am I missing anything? Is it because we don't need a permission config for a state machine? Can someone help, please?

Below is what I have so far for using CloudWatch event rules to trigger the state machine:

resource "aws_cloudwatch_event_rule" "step_function_event_rule" {
  name                = "xxx"   # placeholder: rule name
  schedule_expression = "xxx"   # placeholder: rate(...) or cron(...) expression
  description         = "xxx"
}

resource "aws_cloudwatch_event_target" "step_function_event_target" {
  target_id = "xxx"             # placeholder: unique id within the rule
  rule      = aws_cloudwatch_event_rule.step_function_event_rule.name
  arn       = "xxx"             # placeholder: ARN of the state machine
}


What else should I add here?

PS: I found someone else asking a similar question here, but there are no answers yet.


Solution

  • I'm not well versed with Terraform, but it seems to follow a similar pattern to the official documentation. For targets: https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_PutTargets.html >> see the section "Adds a Step Functions state machine as a target"

    {
        "Rule": "testrule",
        "Targets": [
            {
                "RoleArn": "arn:aws:iam::123456789012:role/MyRoleToAccessStepFunctions",
                "Arn": "arn:aws:states:us-east-1:123456789012:stateMachine:HelloWorld"
            }
        ]
    }
    

    This tells me that you need to pass the role and the ARN. So, taking your example, here's what you probably need to fill in:

    resource "aws_cloudwatch_event_rule" "step_function_event_rule" {
      name                = <something unique>
      schedule_expression = <syntax described in https://docs.aws.amazon.com/eventbridge/latest/userguide/scheduled-events.html>
      description         = <something descriptive>
    }
    
    resource "aws_cloudwatch_event_target" "step_function_event_target" {
      target_id = <something unique>
      rule      = aws_cloudwatch_event_rule.step_function_event_rule.name
      arn       = <step function arn>
      role_arn  = <role that allows eventbridge to start execution on your behalf>
    }
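The answer above names the two pieces the target needs (`arn` and `role_arn`) but leaves the role itself open. The following is an added, complete example, not code from the question or the answer, showing how that role is declared so that EventBridge can start exactly one state machine and nothing more. It assumes the state machine already exists in the same configuration as `aws_sfn_state_machine.example` and that the `hashicorp/aws` provider is configured; all resource and role names are made up for the example.

```hcl
# Added example (not from the question or answer): least-privilege wiring of a
# scheduled EventBridge rule to a Step Functions state machine.
# Assumptions: the state machine is declared elsewhere as
# aws_sfn_state_machine.example and the AWS provider is already configured.

data "aws_caller_identity" "current" {}

# Trust policy: only the EventBridge service may assume this role, and only
# when it is acting on behalf of this account (confused-deputy guard).
data "aws_iam_policy_document" "events_assume_role" {
  statement {
    actions = ["sts:AssumeRole"]

    principals {
      type        = "Service"
      identifiers = ["events.amazonaws.com"]
    }

    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = [data.aws_caller_identity.current.account_id]
    }
  }
}

resource "aws_iam_role" "events_start_sfn" {
  name               = "eventbridge-start-daily-state-machine" # assumed name
  assume_role_policy = data.aws_iam_policy_document.events_assume_role.json
}

# Permission policy: StartExecution on exactly one state machine ARN.
# No wildcard resource, so a compromised rule cannot start anything else.
data "aws_iam_policy_document" "start_execution" {
  statement {
    actions   = ["states:StartExecution"]
    resources = [aws_sfn_state_machine.example.arn]
  }
}

resource "aws_iam_role_policy" "events_start_sfn" {
  name   = "start-execution"
  role   = aws_iam_role.events_start_sfn.id
  policy = data.aws_iam_policy_document.start_execution.json
}

# The schedule: once a day. rate(...) and cron(...) expressions are both accepted.
resource "aws_cloudwatch_event_rule" "daily" {
  name                = "daily-state-machine-trigger" # assumed name
  description         = "Starts the state machine once per day"
  schedule_expression = "rate(1 day)"
}

# Target: the state machine ARN plus the role EventBridge assumes to call it.
# This role_arn is the Step Functions counterpart of aws_lambda_permission.
resource "aws_cloudwatch_event_target" "daily_sfn" {
  rule      = aws_cloudwatch_event_rule.daily.name
  target_id = "state-machine"
  arn       = aws_sfn_state_machine.example.arn
  role_arn  = aws_iam_role.events_start_sfn.arn
}
```

Two points worth checking after `terraform apply`: the rule's first scheduled run should appear in the state machine's execution history (the Step Functions console or `aws stepfunctions list-executions`), and `aws iam get-role-policy` on the role should show only `states:StartExecution` against the single state machine ARN. There is no `aws_lambda_permission` equivalent here because Step Functions has no resource-based policy for this case; the IAM role on the target is the entire permission boundary, which is why keeping its policy scoped to one ARN matters.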