aws_cloudwatch_event_target - cloudwatch log target, role_arn should be required

[fraserc182]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform CLI and Terraform AWS Provider Version

Terraform - V1.0.1 AWS Provider - 3.50.0

Affected Resource(s)

• aws_cloudwatch_event_target

Terraform Configuration Files

Please include all Terraform configurations required to reproduce the bug. Bug reports without a functional reproduction may be closed without investigation.

resource "aws_cloudwatch_event_rule" "securityhub_eventbridge_rule" {
  name        = "SecurityHub-Findings-Rule"
  description = "Captures all securityhub findings"

  event_pattern = <<EOF
{
  "source": ["aws.securityhub"],
  "detail-type": ["Security Hub Findings - Imported"]
}
EOF
}

resource "aws_cloudwatch_event_target" "securityhub_cloudwatch_target" {
  rule      = aws_cloudwatch_event_rule.securityhub_eventbridge_rule.name
  target_id = "SecurityHubToCloudwatch"
  arn       = aws_cloudwatch_log_group.securityhub_findings_log_group.arn
}

Expected Behavior

Create eventbridge rule and have the ability to deliver to the cloudwatch log group specified.

Actual Behavior

Eventbridge rule is created but each invocation receives "FailedInvocation" error message. Reading the documentation (https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-use-resource-based.html#eb-cloudwatchlogs-permissions) it specifically states the following:

CloudWatch Logs must include a resource-based policy that enables EventBridge to write to CloudWatch Logs. If you use the AWS Management Console to add CloudWatch Logs as the target of a rule, the resource-based policy is created automatically. If you use the AWS CLI to add the target, and the policy doesn't already exist, you must create it.

But the resource states the role_arn is optional and allows you to create the target without specifying a role that has the ability to do the above.

Steps to Reproduce

Create an eventbridge rule and target that specifies a cloudwatch log group as the target. Do not specify a role_arn.

Important Factoids

no

References

• https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-troubleshooting.html
• https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-use-resource-based.html#eb-cloudwatchlogs-permissions

[gdavison]

Hi @fraserc182. The resource-based policy that the AWS documentation refers to is configured using a aws_cloudwatch_log_resource_policy resource, not using the role_arn parameter on the aws_cloudwatch_event_target.

See the CloudWatch Logs example in the aws_cloudwatch_event_target documentation at https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_target#cloudwatch-log-group-usage