EventBridge rule created by Terraform not working

I created a rule in EventBridge with Terraform. This rule, together with AWS SNS, sends an email on console login. But it is not working. It was named “createdbyterraform”. Then I tested the following.

Main.tf

resource "aws_cloudwatch_event_rule" "console" {
  name        = "createdbyterraform"
  event_pattern = <<EOF
{
  "detail-type": ["AWS Console Sign In via CloudTrail"]
}
EOF
}

resource "aws_cloudwatch_event_target" "sns" {
  rule      = aws_cloudwatch_event_rule.console.name
  target_id = "SendToSNS"
  arn       = data.terraform_remote_state.aws_sns.outputs.aws_logins_arn
}

Test1
I created the same rule as mentioned above in the console. It was named “createinconsole”. It’s working.
And, interestingly, at that moment “createdbyterraform” was working too.
Two emails were sent as a result.

Test2
I executed a command.


% aws events describe-rule --name "createinconsole" --region "us-east-1"
{
    "Name": "createinconsole",
    "Arn": "arn:aws:events:us-east-1:xxxxxxxxxxxxxx:rule/createinconsole",
    "EventPattern": "{\"detail-type\":[\"AWS Console Sign In via CloudTrail\"]}",
    "State": "ENABLED",
    "EventBusName": "default",
    "CreatedBy": "xxxxxxxxxxxxxx"
}


% aws events describe-rule --name "createdbyterraform" --region "us-east-1"
{
    "Name": "createdbyterraform",
    "Arn": "arn:aws:events:us-east-1:xxxxxxxxxxxxxx:rule/createdbyterraform",
    "EventPattern": "{\"detail-type\":[\"AWS Console Sign In via CloudTrail\"]}",
    "State": "ENABLED",
    "EventBusName": "default",
    "CreatedBy": "xxxxxxxxxxxxxx"
}

Test3
I removed “createinconsole”, so only “createdbyterraform” exists. At that moment, for some reason, “createdbyterraform” stopped working too.

I want “createdbyterraform” to work on its own.
Is this a bug?
What should I investigate next?

Thank you.

I found the answer. It was the SNS topic’s access policy. It was not sufficient.

Worked:

resource "aws_sns_topic" "test-login-alert" {
  name = "test-login-alert"
  fifo_topic = false
}

resource "aws_sns_topic_subscription" "user_updates_sqs_target" {
  topic_arn = aws_sns_topic.test-login-alert.arn
  protocol  = "email"
  endpoint  = "example@example.com"
}

resource "aws_sns_topic_policy" "default" {
  arn    = aws_sns_topic.test-login-alert.arn
  policy = data.aws_iam_policy_document.sns_topic_policy.json
}

# Topic access policy: lets the EventBridge service principal publish to this topic.
data "aws_iam_policy_document" "sns_topic_policy" {
  statement {
    effect  = "Allow"
    actions = ["SNS:Publish"]

    principals {
      type        = "Service"
      identifiers = ["events.amazonaws.com"]
    }

    resources = [aws_sns_topic.test-login-alert.arn]
  }
}

Did not work:

resource "aws_sns_topic" "test-login-alert" {
  name = "test-login-alert"
  fifo_topic = false
}

resource "aws_sns_topic_subscription" "user_updates_sqs_target" {
  topic_arn = aws_sns_topic.test-login-alert.arn
  protocol  = "email"
  endpoint  = "example@example.com"
}

I confirmed that the SNS access policy is automatically added when adding an EventBridge rule from the AWS console.
Thank you.
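A check for the condition the answer identifies, written as an added example (not code from the original post or from AWS): it evaluates an SNS topic access policy offline and reports whether the EventBridge service principal is allowed to publish to the topic. The two policy documents below are constructed for this example: the first is what the `aws_iam_policy_document` in the working configuration renders to, the second approximates the default policy SNS attaches when no `aws_sns_topic_policy` is set. The topic ARN and account id are placeholders.

```python
"""Offline check: does an SNS topic policy let EventBridge publish to the topic?"""
import json

EVENTBRIDGE_PRINCIPAL = "events.amazonaws.com"
# Placeholder topic ARN (constructed for this example).
TOPIC_ARN = "arn:aws:sns:us-east-1:111122223333:test-login-alert"

# Constructed: what the working Terraform policy document renders to.
TERRAFORM_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "SNS:Publish",
                   "Principal": {"Service": "events.amazonaws.com"},
                   "Resource": TOPIC_ARN}],
})

# Constructed approximation of the default SNS topic policy: only the topic
# owner's account may publish, so the EventBridge service principal is not covered.
DEFAULT_POLICY = json.dumps({
    "Version": "2008-10-17",
    "Statement": [{"Sid": "__default_statement_ID", "Effect": "Allow",
                   "Principal": {"AWS": "*"}, "Action": ["SNS:Publish", "SNS:Subscribe"],
                   "Resource": TOPIC_ARN,
                   "Condition": {"StringEquals": {"AWS:SourceOwner": "111122223333"}}}],
})


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(stmt):
    principal = stmt.get("Principal")
    if principal == "*":  # anonymous wildcard counts only when unconditional
        return not stmt.get("Condition")
    if isinstance(principal, dict):
        return EVENTBRIDGE_PRINCIPAL in _as_list(principal.get("Service", []))
    return False


def eventbridge_can_publish(policy_json, topic_arn):
    """True if an Allow statement covers events.amazonaws.com / SNS:Publish / topic_arn
    and no matching Deny statement overrides it."""
    allowed = False
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        resources = _as_list(stmt.get("Resource", []))
        if not (_principal_matches(stmt) and actions & {"sns:publish", "sns:*", "*"}
                and any(r in ("*", topic_arn) for r in resources)):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        allowed = True
    return allowed
```

Run it against the JSON returned by `aws sns get-topic-attributes` (the `Policy` attribute) to confirm a Terraform-managed topic carries the statement the console adds automatically.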