CDK EventBridge CfnRule does not put events to a CloudWatch Log Group

0

Hello all, I am implementing a simple EventBridge rule which puts events to a CloudWatch LogGroup as below. However, it does not put events into the log group, though EventBridge monitoring shows that the events are already recorded at EventBridge.

    const role = new cdk.aws_iam.Role(
      this,
      "AllowEventBridgeWriteToLogs",
      {
        roleName: "AllowEventBridgeWriteToLogs",
        assumedBy: new cdk.aws_iam.ServicePrincipal(
          "events.amazonaws.com"
        ),
      }
    );

    role.addToPolicy(
      new cdk.aws_iam.PolicyStatement({
        effect: cdk.aws_iam.Effect.ALLOW,
        resources: ["*"],
        actions: ["*"],
      })
    );

    new cdk.aws_events.CfnRule(this, "L1Rule", {
      name: "L1Rule",
      roleArn: role.roleArn,
      eventPattern: {
        source: ["entest.io"],
      },
      targets: [
        {
          arn: log.logGroupArn,
          id: log.logGroupName,
        },
      ],
    });

When I implement it with the L2 construct, it works. I notice that an additional Lambda function is automatically added; I don't know why.

    const rule = new cdk.aws_events.Rule(
      this,
      "WriteToEventLogRule",
      {
        ruleName: "WriteToEventLogRule",
        eventPattern: {
          source: ["entest.io"],
        },
        enabled: false,
      }
    );
    rule.addTarget(
      new cdk.aws_events_targets.CloudWatchLogGroup(log)
    );
hai
Asked 2 years ago, 516 views
1 answer
1

The reason why it is not working is because EventBridge only uses IAM roles for rules that send events to Kinesis streams. For rules that invoke Lambda functions or Amazon SNS topics, you need to provide resource-based permissions. Also, if you look at CloudTrail logs, you will find an error for the CreateLogStream API call made by EventBridge. Again, EventBridge does not use the IAM role to create log streams and put events in CloudWatch Logs; you need to set a resource policy for the CloudWatch log group.

Here is a sample code snippet for creating a CloudWatch log group and an EventBridge event rule (under the default bus) to send events to CloudWatch Logs.

    const log = new cdk.aws_logs.LogGroup(this, "loggroup")
    log.addToResourcePolicy(new cdk.aws_iam.PolicyStatement({
      resources: [log.logGroupArn],
      actions: ["logs:PutLogEvents","logs:CreateLogStream"],
      effect: cdk.aws_iam.Effect.ALLOW,
      principals: [new cdk.aws_iam.ServicePrincipal("events.amazonaws.com")]
    }))

    new cdk.aws_events.CfnRule(this, "L1Rule", {
      name: "L1Rule",
      // roleArn: role.roleArn,
      eventPattern: {
        source: ["entest.io"],
      },
      targets: [
        {
          arn: log.logGroupArn,
          id: log.logGroupName,
        },
      ],
    });

The L2 construct has a Lambda function and a custom resource to set a resource policy for a CloudWatch log group. You can take a look at what it does in a synthesized CloudFormation template under the cdk.out directory.

AWS
Taka_M
Answered 2 years ago
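The answer's point is that delivery to a log group is authorized by the log group's resource policy, not by the rule's IAM role. Below is an added example that is not part of the thread and not the asker's or answerer's code: a small checker that takes the JSON policy document (the `policyDocument` string that `aws logs describe-resource-policies` returns) and reports which of the two actions EventBridge needs (`logs:CreateLogStream`, `logs:PutLogEvents`) the policy fails to grant to `events.amazonaws.com` for a given log group. The region, account id `111122223333`, log group name and the stream name used in the check are constructed placeholders. The checker assumes, as a simplification, that both actions are evaluated against a stream ARN inside the group, which is why a policy that lists the bare log-group ARN without the `:*` suffix (the suffix CDK's `logGroupArn` already carries) is reported as insufficient.

```typescript
// Added example for this thread (not the asker's or answerer's code): evaluates a
// CloudWatch Logs resource policy for the permissions an EventBridge log-group target needs.

type Principal = "*" | { Service?: string | string[]; AWS?: string | string[] };

interface Statement {
  Effect: "Allow" | "Deny";
  Principal?: Principal;
  Action: string | string[];
  Resource: string | string[];
}

interface PolicyDocument {
  Version?: string;
  Statement: Statement | Statement[];
}

// What a log-group target needs from the EventBridge service principal (from the thread).
export const REQUIRED_ACTIONS = ["logs:CreateLogStream", "logs:PutLogEvents"];
export const EVENTS_PRINCIPAL = "events.amazonaws.com";

function asArray<T>(v: T | T[] | undefined): T[] {
  if (v === undefined) return [];
  return Array.isArray(v) ? v : [v];
}

// IAM-style pattern match: "*" is any run of characters, "?" a single character.
// Action names match case-insensitively; ARNs are compared exactly.
function globMatch(pattern: string, value: string, ignoreCase: boolean): boolean {
  const escaped = pattern
    .replace(/[.+^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*")
    .replace(/\?/g, ".");
  return new RegExp(`^${escaped}$`, ignoreCase ? "i" : "").test(value);
}

function principalServices(p: Principal | undefined): string[] {
  if (p === undefined) return [];
  if (p === "*") return ["*"];
  return asArray(p.Service);
}

// Assumption: both actions act on a stream inside the group, so the checker evaluates a
// constructed stream-level ARN. A Resource that is the bare log-group ARN (no ":*") does
// not match it; the ":*" form that CDK's logGroupArn returns does.
function evaluatedResource(logGroupArn: string): string {
  const base = logGroupArn.replace(/:\*$/, "");
  return `${base}:log-stream:eventbridge-check-stream`;
}

function statementCovers(st: Statement, action: string, resource: string): boolean {
  const principalOk = principalServices(st.Principal).some(
    (s) => s === "*" || s === EVENTS_PRINCIPAL,
  );
  const actionOk = asArray(st.Action).some((a) => globMatch(a, action, true));
  const resourceOk = asArray(st.Resource).some((r) => globMatch(r, resource, false));
  return principalOk && actionOk && resourceOk;
}

// Returns the required actions the policy does not grant. An explicit Deny wins over Allow.
export function missingEventBridgePermissions(policyJson: string, logGroupArn: string): string[] {
  const doc = JSON.parse(policyJson) as PolicyDocument;
  const statements = asArray(doc.Statement);
  const resource = evaluatedResource(logGroupArn);
  return REQUIRED_ACTIONS.filter((action) => {
    const denied = statements.some((st) => st.Effect === "Deny" && statementCovers(st, action, resource));
    const allowed = statements.some((st) => st.Effect === "Allow" && statementCovers(st, action, resource));
    return denied || !allowed;
  });
}

// Constructed sample: the statement the answer's addToResourcePolicy() call produces,
// with placeholder region, account id and log group name.
export const SAMPLE_LOG_GROUP_ARN =
  "arn:aws:logs:us-east-1:111122223333:log-group:loggroup-example:*";
export const SAMPLE_POLICY = JSON.stringify({
  Version: "2012-10-17",
  Statement: [
    {
      Effect: "Allow",
      Principal: { Service: "events.amazonaws.com" },
      Action: ["logs:PutLogEvents", "logs:CreateLogStream"],
      Resource: SAMPLE_LOG_GROUP_ARN,
    },
  ],
});

// The same statement with the ":*" suffix dropped from Resource, a common mistake.
export const BARE_ARN_POLICY = SAMPLE_POLICY.replace("loggroup-example:*", "loggroup-example");

console.log("complete policy, missing:", missingEventBridgePermissions(SAMPLE_POLICY, SAMPLE_LOG_GROUP_ARN));
console.log("bare-ARN policy, missing:", missingEventBridgePermissions(BARE_ARN_POLICY, SAMPLE_LOG_GROUP_ARN));
```

Note that the resource policy in the answer is scoped to one log group and two actions, which is the shape to keep; the broad `actions: ["*"], resources: ["*"]` role in the question was never consulted for this target, so it added no capability while widening what the rule's role could do elsewhere.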
