i created an EventTarget for an event bus with a CloudWatch LogGroup as the ARN, but there are no logs being written to it. This pattern works when the target is defined from the console. i thought at first that the console might have transparently made some IAM changes, but that's not so - there are no new roles or policies created. Is it possible to write this implementation with Pulumi?

I’ve recently implemented eventbridge events shipping to lambda recently and these are the things I needed to create in Pulumi for it to work

const sechubEventRule = new cloudwatch.EventRule('forward-sechub-events-to-jira', {
  name: 'forward-sechub-events-to-jira',
  description: 'Forwards securityhub events to Jira',
  isEnabled: true,
  roleArn: securityHubEventBridgeRole.arn,
  eventPattern: `{
      "source": ["aws.securityhub"],
      "detail-type": ["Security Hub Findings - Imported"],
      "detail": {
        "findings": {
          "Compliance": {
              "Status": ["FAILED", "WARNING"]
          }
        }
      }
    }
  `,
});

new cloudwatch.EventTarget('forward-sechub-events-target', {
  arn: securityHubJiraFunction.arn,
  rule: sechubEventRule.name,
});

new lambda.Permission(`securityhub-jira-permission`, {
  action: 'lambda:InvokeFunction',
  function: securityHubJiraFunction.arn,
  principal: '<http://events.amazonaws.com|events.amazonaws.com>',
  sourceArn: sechubEventRule.arn,
});

in the role which is referenced in the target, has the following permissions:

const eventbridgeRolePolicy: iam.PolicyDocument = {
  Version: '2012-10-17',

  Statement: [
    {
      Sid: 'EventTrustPolicy',
      Effect: 'Allow',

      Principal: {
        Service: '<http://events.amazonaws.com|events.amazonaws.com>',
      },

      Action: ['sts:AssumeRole'],
    },
  ],
};

export const securityHubEventBridgeRole = new iam.Role('sechub-eventbridge-role', {
  name: 'sechub-eventbridge-role',
  assumeRolePolicy: eventbridgeRolePolicy,
});

const eventBridgeDefaultBusPutEventsPolicyDocument: iam.PolicyDocument = {
  Version: '2012-10-17',
  Statement: [
    {
      Sid: 'PutEventsPolicy',
      Effect: 'Allow',
      Action: ['events:PutEvents'],
      Resource: [interpolate`${defaultEventBus.arn}`],
    },
  ],
};

const securityHubEventBridgeRolePolicy = new iam.Policy('sechub-eventbridge-role-policy', {
  name: 'sechub-eventbridge-role-policy',
  policy: eventBridgeDefaultBusPutEventsPolicyDocument,
  description: 'Allows put events on the default bus',
});

new iam.RolePolicyAttachment('sechub-eventbridge-role-policy-attachment', {
  role: securityHubEventBridgeRole.name,
  policyArn: securityHubEventBridgeRolePolicy.arn,
});

Thank you. i discovered that for whatever reason, prefixing the log group name with "/aws/events/" did the trick.

ah ok nice find