
    average-school-38756

    4 months ago
    I created an EventTarget for an event bus with a CloudWatch LogGroup as the ARN, but there are no logs being written to it. This pattern works when the target is defined from the console. I thought at first that the console might have transparently made some IAM changes, but that's not so - there are no new roles or policies created. Is it possible to write this implementation with Pulumi?

    victorious-church-57397

    4 months ago
    I’ve recently implemented eventbridge events shipping to lambda and these are the things I needed to create in Pulumi for it to work
    import { cloudwatch, lambda } from '@pulumi/aws';
    // securityHubEventBridgeRole and securityHubJiraFunction (an aws.lambda.Function) are defined elsewhere in the program
    
    const sechubEventRule = new cloudwatch.EventRule('forward-sechub-events-to-jira', {
      name: 'forward-sechub-events-to-jira',
      description: 'Forwards securityhub events to Jira',
      isEnabled: true,
      roleArn: securityHubEventBridgeRole.arn,
      eventPattern: `{
          "source": ["aws.securityhub"],
          "detail-type": ["Security Hub Findings - Imported"],
          "detail": {
            "findings": {
              "Compliance": {
                  "Status": ["FAILED", "WARNING"]
              }
            }
          }
        }
      `,
    });
    
    new cloudwatch.EventTarget('forward-sechub-events-target', {
      arn: securityHubJiraFunction.arn,
      rule: sechubEventRule.name,
    });
    
    // Resource-based permission so EventBridge is allowed to invoke the function
    new lambda.Permission(`securityhub-jira-permission`, {
      action: 'lambda:InvokeFunction',
      function: securityHubJiraFunction.arn,
      principal: 'events.amazonaws.com',
      sourceArn: sechubEventRule.arn,
    });
    The role which is referenced in the target has the following permissions:
    import { iam } from '@pulumi/aws';
    import { interpolate } from '@pulumi/pulumi';
    // defaultEventBus (an aws.cloudwatch.EventBus) is defined elsewhere in the program
    
    // Trust policy: lets the EventBridge service assume this role
    const eventbridgeRolePolicy: iam.PolicyDocument = {
      Version: '2012-10-17',
    
      Statement: [
        {
          Sid: 'EventTrustPolicy',
          Effect: 'Allow',
    
          Principal: {
            Service: 'events.amazonaws.com',
          },
    
          Action: ['sts:AssumeRole'],
        },
      ],
    };
    
    export const securityHubEventBridgeRole = new iam.Role('sechub-eventbridge-role', {
      name: 'sechub-eventbridge-role',
      assumeRolePolicy: eventbridgeRolePolicy,
    });
    
    // Permissions policy: scoped to PutEvents on the default bus only
    const eventBridgeDefaultBusPutEventsPolicyDocument: iam.PolicyDocument = {
      Version: '2012-10-17',
      Statement: [
        {
          Sid: 'PutEventsPolicy',
          Effect: 'Allow',
          Action: ['events:PutEvents'],
          Resource: [interpolate`${defaultEventBus.arn}`],
        },
      ],
    };
    
    const securityHubEventBridgeRolePolicy = new iam.Policy('sechub-eventbridge-role-policy', {
      name: 'sechub-eventbridge-role-policy',
      policy: eventBridgeDefaultBusPutEventsPolicyDocument,
      description: 'Allows put events on the default bus',
    });
    
    new iam.RolePolicyAttachment('sechub-eventbridge-role-policy-attachment', {
      role: securityHubEventBridgeRole.name,
      policyArn: securityHubEventBridgeRolePolicy.arn,
    });

    average-school-38756

    4 months ago
    Thank you. I discovered that, for whatever reason, prefixing the log group name with "/aws/events/" did the trick.

    victorious-church-57397

    4 months ago
    Ah ok, nice find