hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

[Bug]: aws_cloudwatch_event_target Cross-Region #31444

Open pixie79 opened 1 year ago

pixie79 commented 1 year ago

Terraform Core Version

1.3.9

AWS Provider Version

4.67.0

Affected Resource(s)

aws_cloudwatch_event_target

Expected Behavior

I should be able to replicate events from a bus in one region to a bus in another using the bus ARN as a target

Actual Behavior

creating EventBridge Target (arn:aws:events:af-south-1::event-bus/ ): ValidationException: Cross-region api call is not allowed.

This was allowed when I added the target manually via the console.

Relevant Error/Panic Output Snippet

No response

Terraform Configuration Files

data "aws_iam_policy_document" "assume_role_policy" {
  statement {
    effect = "Allow"
    principals {
      type        = "Service"
      identifiers = ["events.amazonaws.com"]
    }
    actions = ["sts:AssumeRole"]
  }
  provider = aws.ireland
}

data "aws_iam_policy_document" "event_bus_invoke_remote_event_bus" {
  statement {
    effect    = "Allow"
    actions   = ["events:PutEvents"]
    resources = [module.salesforce.eventhub_bus_arn]
  }
  provider = aws.ireland
}

resource "aws_cloudwatch_event_rule" "eu_af" {
  name           = local.salesforce_name
  description    = "Sync bus to SF Region"
  event_bus_name = var.eu_eventbus_name
  event_pattern = jsonencode({
    source = [
      var.eu_eventbus_name
    ]
  })
  provider = aws.ireland
}

resource "aws_iam_role" "cross_account_sync" {
  name               = "${local.name}-service"
  assume_role_policy = data.aws_iam_policy_document.assume_role_policy.json
  inline_policy {
    name   = "policy-allow-events"
    policy = data.aws_iam_policy_document.event_bus_invoke_remote_event_bus.json
  }
  provider = aws.ireland
}

resource "aws_cloudwatch_event_target" "eu_af" {
  rule           = aws_cloudwatch_event_rule.eu_af.name
  arn            = module.salesforce.eventhub_bus_arn
  role_arn       = aws_iam_role.cross_account_sync.arn
  provider       = aws.ireland
  event_bus_name = module.salesforce.eventhub_bus_arn
}

Steps to Reproduce

Try to attach a target to send events from an event bus in one region to an event bus in another via TF

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

No response

Would you like to implement a fix?

None
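An added example, not taken from the issue or the provider's own tests, of a cross-region target configured the way the EventBridge API expects it: the target's event_bus_name names the local bus that owns the rule, only the target arn points at the remote bus, and the role is scoped to events:PutEvents on that single bus. Provider aliases (aws.ireland, aws.capetown), bus names and the account ID 111122223333 are placeholders, and the example assumes the destination region is one EventBridge supports for cross-region targets.

```hcl
# Added example (not from the issue). Placeholders: aws.ireland = eu-west-1,
# aws.capetown = af-south-1, bus names, account ID 111122223333.
resource "aws_cloudwatch_event_bus" "remote" {
  provider = aws.capetown
  name     = "salesforce-bus"
}

data "aws_iam_policy_document" "assume_role" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["events.amazonaws.com"]
    }
    # Confused-deputy guard: only EventBridge acting for this account may assume the role.
    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = ["111122223333"]
    }
  }
}

data "aws_iam_policy_document" "put_events" {
  statement {
    effect    = "Allow"
    actions   = ["events:PutEvents"]
    resources = [aws_cloudwatch_event_bus.remote.arn] # one bus, nothing wider
  }
}

resource "aws_iam_role" "cross_region_sync" {
  provider           = aws.ireland # IAM is global; the alias only picks credentials
  name               = "eu-to-af-event-sync"
  assume_role_policy = data.aws_iam_policy_document.assume_role.json
  inline_policy {
    name   = "put-events-remote-bus"
    policy = data.aws_iam_policy_document.put_events.json
  }
}

resource "aws_cloudwatch_event_rule" "eu_to_af" {
  provider       = aws.ireland
  name           = "sync-to-af-south-1"
  event_bus_name = "eu-bus" # the local bus the rule lives on
  event_pattern  = jsonencode({ source = ["eu-bus"] })
}

resource "aws_cloudwatch_event_target" "eu_to_af" {
  provider       = aws.ireland
  rule           = aws_cloudwatch_event_rule.eu_to_af.name
  event_bus_name = aws_cloudwatch_event_rule.eu_to_af.event_bus_name # local bus, not the remote ARN
  arn            = aws_cloudwatch_event_bus.remote.arn                # remote bus is the target
  role_arn       = aws_iam_role.cross_region_sync.arn
}
```

The PutTargets call is always made in the rule's region, so the target resource's event_bus_name and provider must both belong to that region; the remote bus appears only as the target arn that the role is allowed to put events to.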

PaulTartarian commented 2 weeks ago

Any update? Or maybe a workaround?

The same issue happens when trying to import an aws_cloudwatch_event_target resource that is in a region different from the rule's. I get: Cross-region api call is not allowed