I'm trying to send EventBridge events to the Event bus of our backup account, but the bus isn't receiving the events. I've been following this blog post, and translated the example given into Terraform code. The rule in the source account is triggered, but the Event bus in the destination account isn't receiving the events.
Here's the Terraform code for the destination account:
data "aws_cloudwatch_event_bus" "default_bus" {
name = "default"
}
resource "aws_cloudwatch_event_bus_policy" "copy_rds_backups" {
event_bus_name = data.aws_cloudwatch_event_bus.default_bus.id
policy = data.aws_iam_policy_document.event_bus_policy.json
}
data "aws_iam_policy_document" "event_bus_policy" {
statement {
sid = "AWSBackupCopyCompleteEvent"
actions = ["events:PutEvents"]
principals {
type = "AWS"
identifiers = [
"arn:aws:iam::SOURCE_ACCOUNT_ID:root"
]
}
resources = ["${data.aws_cloudwatch_event_bus.default_bus.arn}"]
}
}
resource "aws_cloudwatch_event_rule" "copy_rds_backups" {
name = "copy_rds_backups"
description = "EventBridge rule for CopyCompleteJob event to trigger cross-region backup copy of RDS resources."
state = "ENABLED"
event_pattern = jsonencode({
source = ["aws.backup"],
account = [{
anything-but = "DESTINATION_ACCOUNT_ID"
}],
detail-type = ["Copy Job State Changed"],
detail = {
"state" = ["COMPLETED"],
"resourceType" = ["RDS", "Aurora"]
}
})
}
And the source account:
resource "aws_iam_role" "cloudwatch_backup_event_role" {
name = "cloudwatch-backup-event-role"
description = "Role for CloudWatch Event Rule to notify Backup account vault of RDS backup completion"
assume_role_policy = data.aws_iam_policy_document.cloudwatch_assume_role.json
}
data "aws_iam_policy_document" "cloudwatch_assume_role" {
statement {
effect = "Allow"
actions = [
"sts:AssumeRole"
]
principals {
type = "Service"
identifiers = ["events.amazonaws.com"]
}
}
}
resource "aws_iam_policy_attachment" "cloudwatch_backup_event_policy_attachment" {
name = "cloudwatch-event-policy-attachment"
roles = [
aws_iam_role.cloudwatch_backup_event_role.name
]
policy_arn = aws_iam_policy.cloudwatch_backup_event_policy.arn
}
resource "aws_iam_policy" "cloudwatch_backup_event_policy" {
name = "cloudwatch-event-policy"
description = "Policy for CloudWatch Event Rule to notify Backup account vault of RDS backup completion"
policy = data.aws_iam_policy_document.cloudwatch_backup_event_policy.json
}
data "aws_iam_policy_document" "cloudwatch_backup_event_policy" {
statement {
effect = "Allow"
actions = [
"events:PutEvents"
]
resources = [
"arn:aws:events:eu-west-1:DESTINATION_ACCOUNT_ID:event-bus/default"
]
}
}
resource "aws_cloudwatch_event_rule" "rds_backup_complete" {
name = "rds-backup-complete"
description = "Rule to trigger event when RDS backup is complete"
state = "ENABLED"
event_pattern = jsonencode({
source = ["aws.backup"],
detail-type = ["Copy Job State Change"],
detail = {
"state" = ["COMPLETED"],
"resourceType" = ["RDS", "Aurora"],
"destinationBackupVaultArn" : [{
"prefix": "arn:aws:backup:eu-west-1:DESTINATION_ACCOUNT_ID:backup-vault:",
}]
}
})
}
resource "aws_cloudwatch_event_target" "rds_backup_complete" {
rule = aws_cloudwatch_event_rule.rds_backup_complete.name
target_id = "rds-backup-complete"
role_arn = aws_iam_role.cloudwatch_backup_event_role.arn
arn = "arn:aws:events:eu-west-1:DESTINATION_ACCOUNT_ID:event-bus/default"
}
You have a mismatch between the event pattern detail-type of you source account and dest account :
detail-type = ["Copy Job State Changed"] vs detail-type = ["Copy Job State Change"]
According to this page, the correct syntax is 'Change' without the 'd'.