CDK EventBridge CfnRule does not put events to a CloudWatch Log Group

0

Hello all, I am implementing a simple EventBridge rule which put events to a CloudWatch LogGroup as below. However, it does not put event into the log group through EventBridge monitor shows that events already recorded at EventBridge

const role = new cdk.aws_iam.Role(
      this,
      "AllowEventBridgeWriteToLogs",
      {
        roleName: "AllowEventBridgeWriteToLogs",
        assumedBy: new cdk.aws_iam.ServicePrincipal(
          "events.amazonaws.com"
        ),
      }
    );

    role.addToPolicy(
      new cdk.aws_iam.PolicyStatement({
        effect: Effect.ALLOW,
        resources: ["*"],
        actions: ["*"],
      })
    );

    new cdk.aws_events.CfnRule(this, "L1Rule", {
      name: "L1Rule",
      roleArn: role.roleArn,
      eventPattern: {
        source: ["entest.io"],
      },
      targets: [
        {
          arn: log.logGroupArn,
          id: log.logGroupName,
        },
      ],
    });

I implement by L2 construct then it works. I notice that an additional lambda function is automatically added, don't know why?

const rule = new cdk.aws_events.Rule(
     this,
      "WriteToEventLogRule",
      {
       ruleName: "WriteToEventLogRule",
        eventPattern: {
         source: ["entest.io"],
       },
       enabled: false,
     }
    );
     rule.addTarget(
     new cdk.aws_events_targets.CloudWatchLogGroup(log)
     );
hai
asked 3 months ago14 views
1 Answer
0

The reason why it is not working is because EventBridge only uses IAM roles for rules that send events to Kinesis streams. For rules that invoke Lambda functions or Amazon SNS topics, you need to provide resource-based permissions. Also, if you look at CloudTrail logs, you will find an error for CreateLogStream API call made by EventBridge. Again, EventBridge does not use the IAM role to create log streams and put events in CloudWatch logs, you need to set a resource policy for the CloudWatch log group.

Here is a sample code snippet for creating a CloudWatch log group and EventBridge event rule (under default bus) to send events to CloudWatch Log.

    const log = new cdk.aws_logs.LogGroup(this, "loggroup")
    log.addToResourcePolicy(new cdk.aws_iam.PolicyStatement({
      resources: [log.logGroupArn],
      actions: ["logs:PutLogEvents","logs:CreateLogStream"],
      effect: cdk.aws_iam.Effect.ALLOW,
      principals: [new cdk.aws_iam.ServicePrincipal("events.amazonaws.com")]
    }))

    new cdk.aws_events.CfnRule(this, "L1Rule", {
      name: "L1Rule",
      // roleArn: role.roleArn,
      eventPattern: {
        source: ["entest.io"],
      },
      targets: [
        {
          arn: log.logGroupArn,
          id: log.logGroupName,
        },
      ],
    });

The L2 construct has a Lambda function and a custom resource to set a resource policy for a CloudWatch log group. You can take a look at what it does in a synthesized CloudFormation template under the cdk.out directory.

Taka_M
answered a month ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions