https://pulumi.com logo
#aws
Title
# aws
a

average-school-38756

04/26/2022, 7:11 PM
i created an EventTarget for an event bus with a CloudWatch LogGroup as the ARN, but there are no logs being written to it. This pattern works when the target is defined from the console. i thought at first that the console might have transparently made some IAM changes, but that's not so - there are no new roles or policies created. Is it possible to write this implementation with Pulumi?
v

victorious-church-57397

04/26/2022, 7:18 PM
I’ve recently implemented eventbridge events shipping to lambda recently and these are the things I needed to create in Pulumi for it to work
Copy code
const sechubEventRule = new cloudwatch.EventRule('forward-sechub-events-to-jira', {
  name: 'forward-sechub-events-to-jira',
  description: 'Forwards securityhub events to Jira',
  isEnabled: true,
  roleArn: securityHubEventBridgeRole.arn,
  eventPattern: `{
      "source": ["aws.securityhub"],
      "detail-type": ["Security Hub Findings - Imported"],
      "detail": {
        "findings": {
          "Compliance": {
              "Status": ["FAILED", "WARNING"]
          }
        }
      }
    }
  `,
});

new cloudwatch.EventTarget('forward-sechub-events-target', {
  arn: securityHubJiraFunction.arn,
  rule: sechubEventRule.name,
});

new lambda.Permission(`securityhub-jira-permission`, {
  action: 'lambda:InvokeFunction',
  function: securityHubJiraFunction.arn,
  principal: '<http://events.amazonaws.com|events.amazonaws.com>',
  sourceArn: sechubEventRule.arn,
});
in the role which is referenced in the target, has the following permissions:
Copy code
const eventbridgeRolePolicy: iam.PolicyDocument = {
  Version: '2012-10-17',

  Statement: [
    {
      Sid: 'EventTrustPolicy',
      Effect: 'Allow',

      Principal: {
        Service: '<http://events.amazonaws.com|events.amazonaws.com>',
      },

      Action: ['sts:AssumeRole'],
    },
  ],
};

export const securityHubEventBridgeRole = new iam.Role('sechub-eventbridge-role', {
  name: 'sechub-eventbridge-role',
  assumeRolePolicy: eventbridgeRolePolicy,
});

const eventBridgeDefaultBusPutEventsPolicyDocument: iam.PolicyDocument = {
  Version: '2012-10-17',
  Statement: [
    {
      Sid: 'PutEventsPolicy',
      Effect: 'Allow',
      Action: ['events:PutEvents'],
      Resource: [interpolate`${defaultEventBus.arn}`],
    },
  ],
};

const securityHubEventBridgeRolePolicy = new iam.Policy('sechub-eventbridge-role-policy', {
  name: 'sechub-eventbridge-role-policy',
  policy: eventBridgeDefaultBusPutEventsPolicyDocument,
  description: 'Allows put events on the default bus',
});

new iam.RolePolicyAttachment('sechub-eventbridge-role-policy-attachment', {
  role: securityHubEventBridgeRole.name,
  policyArn: securityHubEventBridgeRolePolicy.arn,
});
a

average-school-38756

04/26/2022, 7:18 PM
Thank you. i discovered that for whatever reason, prefixing the log group name with "/aws/events/" did the trick.
v

victorious-church-57397

04/26/2022, 7:19 PM
ah ok nice find
4 Views