hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

[Docs]: aws_cloudwatch_event_target - batch_target, role_arn should be required #27215

Open mila411 opened 1 year ago

mila411 commented 1 year ago

Documentation Link

https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_target#argument-reference

Description

Versions

Terraform: 1.3.2 AWS Provider: 4.34

What's happening

When creating an EventBridge Target, the current documentation states that RoleArn is optional:

role_arn - (Optional) The Amazon Resource Name (ARN) of the IAM role to be used for this target when the rule is triggered. Required if ecs_target is used or target in arn is EC2 instance, Kinesis data stream, Step Functions state machine, or Event Bus in different account or region.

I have accordingly created the following resource in batch_target:

resource "aws_cloudwatch_event_target" "this" {
  rule     = aws_cloudwatch_event_rule.this.name
  arn      = aws_batch_job_queue.this.arn
  batch_target {
    job_definition = aws_batch_job_definition.this.name
    job_name       = "my-job"
    job_attempts   = 3
  }
}

terraform plan passes, but when I run terraform deploy, it complains as follows:

│ Error: Creating EventBridge Target failed: ValidationException: RoleArn is required for target arn:aws:batch:us-west-1:***:job-queue/this-queue.
│   status code: 400, request id: faaee62f-dc3a-4177-86b7-5bacd3215150
│ 
│   with aws_cloudwatch_event_target.this,
│   on ../compute.tf line 10, in resource "aws_cloudwatch_event_target" "this":
│  10: resource "aws_cloudwatch_event_target" "this" {
│ 
╵

My Batch is defined to be executed by Fargate. This potentially implies that the interpretation by the AWS API called by the SDK could be ecs_target, which requires a RoleArn to be specified. So, I actually specified the RoleArn and the terraform deploy worked:

resource "aws_cloudwatch_event_target" "this" {
  rule     = aws_cloudwatch_event_rule.this.name
  role_arn = aws_iam_role.this.arn  # Added
  arn      = aws_batch_job_queue.this.arn
  batch_target {
    job_definition = aws_batch_job_definition.this.name
    job_name       = "my-job"
    job_attempts   = 3
  }
}

Note

I am willing to contribute to the relevant documentation update, but it seems to me that role_arn may be required for other targets as #20519 and others indicate. I'm not too sure how to describe it in this case in a way that would cause the least confusion to the end user :(

References

Would you like to implement a fix?

Yes
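As an added illustration (not part of the issue or of the provider's own code), the working configuration from the report extended with the IAM role that role_arn has to reference. EventBridge assumes this role when the rule fires, so the role needs a trust policy for events.amazonaws.com and a permission policy that allows batch:SubmitJob, scoped to the one job queue and job definition the target uses rather than "*". The resources aws_cloudwatch_event_rule.this, aws_batch_job_queue.this and aws_batch_job_definition.this are assumed to exist as in the report; the role and policy names are made up.

```hcl
# Added example, not from the issue. Assumes aws_cloudwatch_event_rule.this,
# aws_batch_job_queue.this and aws_batch_job_definition.this already exist.

# Trust policy: only the EventBridge service may assume this role, and only
# on behalf of this specific rule (aws:SourceArn condition, per AWS's
# confused-deputy guidance for EventBridge).
data "aws_iam_policy_document" "events_assume_role" {
  statement {
    actions = ["sts:AssumeRole"]

    principals {
      type        = "Service"
      identifiers = ["events.amazonaws.com"]
    }

    condition {
      test     = "ArnEquals"
      variable = "aws:SourceArn"
      values   = [aws_cloudwatch_event_rule.this.arn]
    }
  }
}

resource "aws_iam_role" "eventbridge_batch" {
  name               = "eventbridge-submit-batch-job" # assumed name
  assume_role_policy = data.aws_iam_policy_document.events_assume_role.json
}

# Permission policy: least privilege, just batch:SubmitJob on the queue and
# job definition referenced by the target.
data "aws_iam_policy_document" "submit_job" {
  statement {
    actions = ["batch:SubmitJob"]
    resources = [
      aws_batch_job_queue.this.arn,
      aws_batch_job_definition.this.arn,
    ]
  }
}

resource "aws_iam_role_policy" "submit_job" {
  name   = "submit-batch-job" # assumed name
  role   = aws_iam_role.eventbridge_batch.id
  policy = data.aws_iam_policy_document.submit_job.json
}

resource "aws_cloudwatch_event_target" "this" {
  rule     = aws_cloudwatch_event_rule.this.name
  arn      = aws_batch_job_queue.this.arn
  role_arn = aws_iam_role.eventbridge_batch.arn # required for Batch targets

  batch_target {
    job_definition = aws_batch_job_definition.this.name
    job_name       = "my-job"
    job_attempts   = 3
  }
}
```

Without role_arn the API rejects the target at apply time with the ValidationException shown above, so the role is part of the resource's contract rather than an optional extra. Scoping the trust policy to the rule ARN means a different rule in the same account cannot reuse the role to submit jobs, and scoping SubmitJob to the two ARNs means a compromise of the role cannot submit arbitrary job definitions to other queues.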

github-actions[bot] commented 1 year ago

Community Note

Voting for Prioritization

Volunteering to Work on This Issue

nwongahp commented 8 months ago

I was working on something similar and stumbled upon the requirement for RoleArn when the target is a Batch job queue. Can you show what the IAM role looks like?