AWS EventBridge Terraform module

Terraform module to create EventBridge resources.

Supported Features

  • Creates AWS EventBridge Resources (bus, rules, targets, permissions, connections, destinations)
  • Attach resources to an existing EventBridge bus
  • Support AWS EventBridge Archives and Replays
  • Conditional creation for many types of resources
  • Support IAM policy attachments and various ways to create and attach additional policies

Feature Roadmap

  • Support monitoring usage with CloudWatch Metrics

Usage

EventBridge Complete

The most common use case: a custom bus with rules and targets.

module "eventbridge" {
  source = "terraform-aws-modules/eventbridge/aws"

  bus_name = "my-bus"

  rules = {
    orders = {
      description   = "Capture all order data"
      event_pattern = jsonencode({ "source" : ["myapp.orders"] })
      enabled       = true
    }
  }

  targets = {
    orders = [
      {
        name            = "send-orders-to-sqs"
        arn             = aws_sqs_queue.queue.arn
        dead_letter_arn = aws_sqs_queue.dlq.arn
      },
      {
        name              = "send-orders-to-kinesis"
        arn               = aws_kinesis_stream.this.arn
        dead_letter_arn   = aws_sqs_queue.dlq.arn
        input_transformer = local.kinesis_input_transformer
      },
      {
        name = "log-orders-to-cloudwatch"
        arn  = aws_cloudwatch_log_group.this.arn
      }
    ]
  }

  tags = {
    Name = "my-bus"
  }
}

EventBridge Bus

module "eventbridge" {
  source = "terraform-aws-modules/eventbridge/aws"

  bus_name = "my-bus"

  tags = {
    Name = "my-bus"
  }
}

EventBridge Rule

module "eventbridge" {
  source = "terraform-aws-modules/eventbridge/aws"

  bus_name = "my-bus"

  create_targets = false

  rules = {
    logs = {
      description   = "Capture log data"
      event_pattern = jsonencode({ "source" : ["my.app.logs"] })
    }
  }
}

EventBridge Target

module "eventbridge" {
  source = "terraform-aws-modules/eventbridge/aws"

  bus_name = "my-bus"

  rules = {
    logs = {
      description   = "Capture log data"
      event_pattern = jsonencode({ "source" : ["my.app.logs"] })
    }
  }

  targets = {
    logs = [
      {
        name = "send-logs-to-sqs"
        arn  = aws_sqs_queue.queue.arn
      },
      {
        name = "send-logs-to-cloudwatch"
        arn  = aws_cloudwatch_log_stream.logs.arn
      }
    ]
  }
}

EventBridge Archive

module "eventbridge_with_archive" {
  source = "terraform-aws-modules/eventbridge/aws"

  bus_name = "my-bus"

  create_archives = true

  archives = {
    "my-bus-launch-archive" = {
      description    = "EC2 AutoScaling Event archive",
      retention_days = 1
      event_pattern  = <<PATTERN
      {
        "source": ["aws.autoscaling"],
        "detail-type": ["EC2 Instance Launch Successful"]
      }
      PATTERN
    }
  }

  tags = {
    Name = "my-bus"
  }
}

EventBridge Permission

module "eventbridge_with_permissions" {
  source = "terraform-aws-modules/eventbridge/aws"

  bus_name = "my-bus"

  create_permissions = true

  permissions = {
    "099720109477 DevAccess" = {}
    "099720109466 ProdAccess" = {}
  }

  tags = {
    Name = "my-bus"
  }
}

EventBridge API Destination

module "eventbridge_with_api_destination" {
  source = "terraform-aws-modules/eventbridge/aws"

  bus_name = "my-bus"

  create_connections      = true
  create_api_destinations = true

  attach_api_destination_policy = true

  connections = {
    smee = {
      authorization_type = "OAUTH_CLIENT_CREDENTIALS"
      auth_parameters = {
        oauth = {
          authorization_endpoint = "https://oauth.endpoint.com"
          http_method            = "GET"

          client_parameters = {
            client_id     = "1234567890"
            client_secret = "Pass1234!"
          }

          oauth_http_parameters = {
            body = [{
              key             = "body-parameter-key"
              value           = "body-parameter-value"
              is_value_secret = false
            }]

            header = [{
              key   = "header-parameter-key1"
              value = "header-parameter-value1"
            }, {
              key             = "header-parameter-key2"
              value           = "header-parameter-value2"
              is_value_secret = true
            }]

            query_string = [{
              key             = "query-string-parameter-key"
              value           = "query-string-parameter-value"
              is_value_secret = false
            }]
          }
        }
      }
    }
  }

  api_destinations = {
    smee = {
      description                      = "my smee endpoint"
      invocation_endpoint              = "https://smee.io/hgoubgoibwekt331"
      http_method                      = "POST"
      invocation_rate_limit_per_second = 200
    }
  }
}
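The same OAuth connection as above, as an added example that is not part of the module's README: the client secret is no longer a literal in the configuration but comes from a variable marked sensitive, so it is redacted from plan and apply output and never sits in a reviewed diff. Assumed: Terraform 0.14 or later (for `sensitive = true`), and that `oauth_http_parameters`, omitted here for brevity, is optional for the module; add it back as shown above if your endpoint needs it.

```hcl
# Added example (not the module's own code). Assumes Terraform >= 0.14.
variable "oauth_client_id" {
  type = string
}

variable "oauth_client_secret" {
  type      = string
  sensitive = true # redacted from plan/apply output; still written to state
}

module "eventbridge_with_api_destination" {
  source = "terraform-aws-modules/eventbridge/aws"

  bus_name = "my-bus"

  create_connections            = true
  create_api_destinations       = true
  attach_api_destination_policy = true

  connections = {
    smee = {
      authorization_type = "OAUTH_CLIENT_CREDENTIALS"
      auth_parameters = {
        oauth = {
          authorization_endpoint = "https://oauth.endpoint.com"
          http_method            = "GET"

          client_parameters = {
            client_id     = var.oauth_client_id
            client_secret = var.oauth_client_secret # replaces the literal "Pass1234!" above
          }
          # oauth_http_parameters omitted here; assumed optional for the module
        }
      }
    }
  }

  api_destinations = {
    smee = {
      description                      = "my smee endpoint"
      invocation_endpoint              = "https://smee.io/hgoubgoibwekt331"
      http_method                      = "POST"
      invocation_rate_limit_per_second = 200
    }
  }
}
```

Supply the value out of band (for example `TF_VAR_oauth_client_secret` in the CI environment, or a data source that reads a secrets store). Sensitive variables are still stored in Terraform state, so the state backend must be encrypted and access-controlled.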

Additional IAM policies for EventBridge targets

In addition to the built-in AWS service integrations, you may want to create and attach additional policies to the IAM role the module creates for EventBridge targets.

There are 5 supported ways to attach additional IAM policies to the IAM role used by EventBridge:

  1. policy_json - JSON string or heredoc, when attach_policy_json = true.
  2. policy_jsons - List of JSON strings or heredoc, when attach_policy_jsons = true and number_of_policy_jsons > 0.
  3. policy - ARN of existing IAM policy, when attach_policy = true.
  4. policies - List of ARNs of existing IAM policies, when attach_policies = true and number_of_policies > 0.
  5. policy_statements - Map of maps to define IAM statements which will be generated as IAM policy. Requires attach_policy_statements = true. See examples/complete for more information.
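A least-privilege target role built with the mechanisms listed above, as an added example (not code from the module's README): the built-in SQS integration scoped to one queue, plus way 5 (policy_statements) granting exactly the extra DynamoDB actions a target needs and explicitly denying destructive ones, under a permissions boundary. Assumed: the policy_statements keys (effect, actions, resources) follow the format used in the module's examples/complete, and aws_sqs_queue.orders, aws_dynamodb_table.orders and aws_iam_policy.eventbridge_boundary are defined elsewhere in the configuration.

```hcl
# Added example, not the module's own README code. Assumes the
# policy_statements keys match examples/complete and that the referenced
# queue, table and boundary policy exist elsewhere in this configuration.
module "eventbridge" {
  source = "terraform-aws-modules/eventbridge/aws"

  bus_name = "my-bus"

  rules = {
    orders = {
      description   = "Capture all order data"
      event_pattern = jsonencode({ "source" : ["myapp.orders"] })
    }
  }

  targets = {
    orders = [{
      name = "send-orders-to-sqs"
      arn  = aws_sqs_queue.orders.arn
    }]
  }

  # Built-in integration: the generated SQS policy is scoped to the listed
  # queue ARNs rather than to "*".
  attach_sqs_policy = true
  sqs_target_arns   = [aws_sqs_queue.orders.arn]

  # Way 5: statements rendered into a generated IAM policy. Grant only the
  # extra actions a target needs, against named resources.
  attach_policy_statements = true
  policy_statements = {
    orders_table_write = {
      effect    = "Allow"
      actions   = ["dynamodb:PutItem", "dynamodb:UpdateItem"]
      resources = [aws_dynamodb_table.orders.arn]
    }
    no_destructive_actions = {
      effect    = "Deny"
      actions   = ["dynamodb:DeleteItem", "dynamodb:DeleteTable"]
      resources = [aws_dynamodb_table.orders.arn]
    }
  }

  # A permissions boundary caps what the role can ever be granted, including
  # by policies attached outside this module.
  role_permissions_boundary = aws_iam_policy.eventbridge_boundary.arn
}
```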

Conditional creation

Sometimes you need to create resources conditionally, but Terraform does not allow count inside a module block, so the module exposes create arguments instead.

module "eventbridge" {
  source = "terraform-aws-modules/eventbridge/aws"

  create = false # to disable all resources

  create_bus              = false  # to control creation of the EventBridge Bus and related resources
  create_rules            = false  # to control creation of EventBridge Rules and related resources
  create_targets          = false  # to control creation of EventBridge Targets and related resources
  create_archives         = false  # to control creation of EventBridge Archives
  create_permissions      = false  # to control creation of EventBridge Permissions
  create_role             = false  # to control creation of the IAM role and policies required for EventBridge
  create_connections      = false  # to control creation of EventBridge Connection resources
  create_api_destinations = false  # to control creation of EventBridge Destination resources

  attach_cloudwatch_policy       = false
  attach_ecs_policy              = false
  attach_kinesis_policy          = false
  attach_kinesis_firehose_policy = false
  attach_lambda_policy           = false
  attach_sfn_policy              = false
  attach_sqs_policy              = false
  attach_tracing_policy          = false
  attach_api_destination_policy  = false

  # ... omitted
}

Examples

  • Complete - Creates EventBridge resources (bus, rules and targets) and connects them to SQS queues, a Kinesis Stream, a Step Function, CloudWatch Logs, and more.
  • HTTP API Gateway - Creates an integration with HTTP API Gateway as event source.
  • Using Default Bus - Creates resources in the default bus.
  • Archive - EventBridge Archives resources in various configurations.
  • Permissions - Controls permissions to EventBridge.
  • API Destination - Control access to EventBridge using API destinations.
  • ECS Scheduled Events - Use default bus to schedule events on ECS.

Requirements

| Name | Version |
|------|---------|
| terraform | >= 0.13.1 |
| aws | >= 3.44 |

Providers

| Name | Version |
|------|---------|
| aws | >= 3.44 |

Modules

No modules.

Resources

| Name | Type |
|------|------|
| aws_cloudwatch_event_api_destination.this | resource |
| aws_cloudwatch_event_archive.this | resource |
| aws_cloudwatch_event_bus.this | resource |
| aws_cloudwatch_event_connection.this | resource |
| aws_cloudwatch_event_permission.this | resource |
| aws_cloudwatch_event_rule.this | resource |
| aws_cloudwatch_event_target.this | resource |
| aws_iam_policy.additional_inline | resource |
| aws_iam_policy.additional_json | resource |
| aws_iam_policy.additional_jsons | resource |
| aws_iam_policy.api_destination | resource |
| aws_iam_policy.cloudwatch | resource |
| aws_iam_policy.ecs | resource |
| aws_iam_policy.kinesis | resource |
| aws_iam_policy.kinesis_firehose | resource |
| aws_iam_policy.lambda | resource |
| aws_iam_policy.sfn | resource |
| aws_iam_policy.sqs | resource |
| aws_iam_policy.tracing | resource |
| aws_iam_policy_attachment.additional_inline | resource |
| aws_iam_policy_attachment.additional_json | resource |
| aws_iam_policy_attachment.additional_jsons | resource |
| aws_iam_policy_attachment.api_destination | resource |
| aws_iam_policy_attachment.cloudwatch | resource |
| aws_iam_policy_attachment.ecs | resource |
| aws_iam_policy_attachment.kinesis | resource |
| aws_iam_policy_attachment.kinesis_firehose | resource |
| aws_iam_policy_attachment.lambda | resource |
| aws_iam_policy_attachment.sfn | resource |
| aws_iam_policy_attachment.sqs | resource |
| aws_iam_policy_attachment.tracing | resource |
| aws_iam_role.eventbridge | resource |
| aws_iam_role_policy_attachment.additional_many | resource |
| aws_iam_role_policy_attachment.additional_one | resource |
| aws_iam_policy.tracing | data source |
| aws_iam_policy_document.additional_inline | data source |
| aws_iam_policy_document.api_destination | data source |
| aws_iam_policy_document.assume_role | data source |
| aws_iam_policy_document.cloudwatch | data source |
| aws_iam_policy_document.ecs | data source |
| aws_iam_policy_document.kinesis | data source |
| aws_iam_policy_document.kinesis_firehose | data source |
| aws_iam_policy_document.lambda | data source |
| aws_iam_policy_document.sfn | data source |
| aws_iam_policy_document.sqs | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| api_destinations | A map of objects with EventBridge Destination definitions. | map(any) | {} | no |
| archives | A map of objects with the EventBridge Archive definitions. | map(any) | {} | no |
| attach_api_destination_policy | Controls whether the API Destination policy should be added to IAM role for EventBridge Target | bool | false | no |
| attach_cloudwatch_policy | Controls whether the CloudWatch policy should be added to IAM role for EventBridge Target | bool | false | no |
| attach_ecs_policy | Controls whether the ECS policy should be added to IAM role for EventBridge Target | bool | false | no |
| attach_kinesis_firehose_policy | Controls whether the Kinesis Firehose policy should be added to IAM role for EventBridge Target | bool | false | no |
| attach_kinesis_policy | Controls whether the Kinesis policy should be added to IAM role for EventBridge Target | bool | false | no |
| attach_lambda_policy | Controls whether the Lambda Function policy should be added to IAM role for EventBridge Target | bool | false | no |
| attach_policies | Controls whether list of policies should be added to IAM role | bool | false | no |
| attach_policy | Controls whether policy should be added to IAM role | bool | false | no |
| attach_policy_json | Controls whether policy_json should be added to IAM role | bool | false | no |
| attach_policy_jsons | Controls whether policy_jsons should be added to IAM role | bool | false | no |
| attach_policy_statements | Controls whether policy_statements should be added to IAM role | bool | false | no |
| attach_sfn_policy | Controls whether the Step Functions policy should be added to IAM role for EventBridge Target | bool | false | no |
| attach_sqs_policy | Controls whether the SQS policy should be added to IAM role for EventBridge Target | bool | false | no |
| attach_tracing_policy | Controls whether X-Ray tracing policy should be added to IAM role for EventBridge | bool | false | no |
| bus_name | A unique name for your EventBridge Bus | string | "default" | no |
| cloudwatch_target_arns | The Amazon Resource Names (ARNs) of the CloudWatch Log Streams you want to use as EventBridge targets | list(string) | [] | no |
| connections | A map of objects with EventBridge Connection definitions. | any | {} | no |
| create | Controls whether resources should be created | bool | true | no |
| create_api_destinations | Controls whether EventBridge Destination resources should be created | bool | false | no |
| create_archives | Controls whether EventBridge Archive resources should be created | bool | false | no |
| create_bus | Controls whether EventBridge Bus resource should be created | bool | true | no |
| create_connections | Controls whether EventBridge Connection resources should be created | bool | false | no |
| create_permissions | Controls whether EventBridge Permission resources should be created | bool | true | no |
| create_role | Controls whether IAM roles should be created | bool | true | no |
| create_rules | Controls whether EventBridge Rule resources should be created | bool | true | no |
| create_targets | Controls whether EventBridge Target resources should be created | bool | true | no |
| ecs_target_arns | The Amazon Resource Names (ARNs) of the AWS ECS Tasks you want to use as EventBridge targets | list(string) | [] | no |
| kinesis_firehose_target_arns | The Amazon Resource Names (ARNs) of the Kinesis Firehose Delivery Streams you want to use as EventBridge targets | list(string) | [] | no |
| kinesis_target_arns | The Amazon Resource Names (ARNs) of the Kinesis Streams you want to use as EventBridge targets | list(string) | [] | no |
| lambda_target_arns | The Amazon Resource Names (ARNs) of the Lambda Functions you want to use as EventBridge targets | list(string) | [] | no |
| number_of_policies | Number of policies to attach to IAM role | number | 0 | no |
| number_of_policy_jsons | Number of policy JSON documents to attach to IAM role | number | 0 | no |
| permissions | A map of objects with EventBridge Permission definitions. | map(any) | {} | no |
| policies | List of ARNs of existing IAM policies to attach to IAM role | list(string) | [] | no |
| policy | ARN of an additional existing IAM policy to attach to IAM role | string | null | no |
| policy_json | An additional policy document as JSON to attach to IAM role | string | null | no |
| policy_jsons | List of additional policy documents as JSON to attach to IAM role | list(string) | [] | no |
| policy_statements | Map of dynamic policy statements to attach to IAM role | any | {} | no |
| role_description | Description of IAM role to use for EventBridge | string | null | no |
| role_force_detach_policies | Specifies to force detaching any policies the IAM role has before destroying it. | bool | true | no |
| role_name | Name of IAM role to use for EventBridge | string | null | no |
| role_path | Path of IAM role to use for EventBridge | string | null | no |
| role_permissions_boundary | The ARN of the policy that is used to set the permissions boundary for the IAM role used by EventBridge | string | null | no |
| role_tags | A map of tags to assign to IAM role | map(string) | {} | no |
| rules | A map of objects with EventBridge Rule definitions. | map(any) | {} | no |
| sfn_target_arns | The Amazon Resource Names (ARNs) of the Step Functions state machines you want to use as EventBridge targets | list(string) | [] | no |
| sqs_target_arns | The Amazon Resource Names (ARNs) of the AWS SQS Queues you want to use as EventBridge targets | list(string) | [] | no |
| tags | A map of tags to assign to resources. | map(string) | {} | no |
| targets | A map of objects with EventBridge Target definitions. | any | {} | no |
| trusted_entities | Additional trusted entities allowed to assume the IAM role (trust relationship) | list(string) | [] | no |

Outputs

| Name | Description |
|------|-------------|
| eventbridge_api_destination_arns | The EventBridge API Destination ARNs created |
| eventbridge_archive_arns | The EventBridge Archive ARNs created |
| eventbridge_bus_arn | The EventBridge Bus ARN |
| eventbridge_bus_name | The EventBridge Bus Name |
| eventbridge_connection_arns | The EventBridge Connection ARNs created |
| eventbridge_connection_ids | The EventBridge Connection IDs created |
| eventbridge_permission_ids | The EventBridge Permission IDs created |
| eventbridge_role_arn | The ARN of the IAM role created for EventBridge |
| eventbridge_role_name | The name of the IAM role created for EventBridge |
| eventbridge_rule_arns | The EventBridge Rule ARNs created |
| eventbridge_rule_ids | The EventBridge Rule IDs created |

Authors

Module managed by Sven Lito. Check out serverless.tf to learn more about doing serverless with Terraform.

License

Apache 2 Licensed. See LICENSE for full details.