
AWS EventBridge Terraform module

Terraform module to create EventBridge resources.

Supported Features

  • Creates AWS EventBridge Resources (bus, rules, targets, permissions, connections, destinations, pipes, schedules and schedule groups)
  • Attach resources to an existing EventBridge bus
  • Support AWS EventBridge Archives and Replays
  • Conditional creation for many types of resources
  • Support IAM policy attachments and various ways to create and attach additional policies

Usage

EventBridge Complete

Most common use-case which creates custom bus, rules and targets.

module "eventbridge" {
  source = "terraform-aws-modules/eventbridge/aws"

  # A custom bus; the rules and targets below are attached to it.
  bus_name = "my-bus"

  rules = {
    orders = {
      description = "Capture all order data"
      # Only events whose "source" is "myapp.orders" match this rule.
      event_pattern = jsonencode({ source = ["myapp.orders"] })
      enabled       = true
    }
  }

  # The target key ("orders") lines up with the rule key above.
  targets = {
    orders = [
      {
        name = "send-orders-to-sqs"
        arn  = aws_sqs_queue.queue.arn
        # Deliveries that fail are kept in the DLQ instead of being lost.
        dead_letter_arn = aws_sqs_queue.dlq.arn
      },
      {
        name              = "send-orders-to-kinesis"
        arn               = aws_kinesis_stream.this.arn
        dead_letter_arn   = aws_sqs_queue.dlq.arn
        input_transformer = local.kinesis_input_transformer
        # NOTE(review): no role is attached for this target here; the Step
        # Functions example below uses attach_role_arn together with
        # *_target_arns / attach_*_policy. Confirm against examples/complete
        # whether the Kinesis target needs the same.
      },
      {
        # No dead_letter_arn on this target, so failed log deliveries are
        # not retained anywhere.
        name = "log-orders-to-cloudwatch"
        arn  = aws_cloudwatch_log_group.this.arn
      }
    ]
  }

  tags = {
    Name = "my-bus"
  }
}

EventBridge Bus

module "eventbridge" {
  source = "terraform-aws-modules/eventbridge/aws"

  # Bus only: no rules, targets or permissions are declared here, so nothing
  # is granted access to the bus beyond the creating account.
  bus_name = "my-bus"

  tags = { Name = "my-bus" }
}

EventBridge Rule

module "eventbridge" {
  source = "terraform-aws-modules/eventbridge/aws"

  bus_name = "my-bus"

  # Rule only: target creation is switched off, so matching events are
  # captured by the rule but delivered nowhere until targets are added.
  create_targets = false

  rules = {
    logs = {
      description = "Capture log data"
      # Matches events published with source "my.app.logs".
      event_pattern = jsonencode({ source = ["my.app.logs"] })
    }
  }
}

EventBridge Target

module "eventbridge" {
  source = "terraform-aws-modules/eventbridge/aws"

  bus_name = "my-bus"

  rules = {
    logs = {
      description = "Capture log data"
      # Matches events published with source "my.app.logs".
      event_pattern = jsonencode({ source = ["my.app.logs"] })
    }
  }

  # Two targets for the "logs" rule. Neither declares a dead_letter_arn, so
  # failed deliveries are not retained.
  targets = {
    logs = [
      {
        # The queue's own resource policy must allow EventBridge to send to
        # it; that policy is not part of this snippet.
        name = "send-logs-to-sqs"
        arn  = aws_sqs_queue.queue.arn
      },
      {
        # NOTE(review): this targets a log *stream* ARN while the Complete
        # example targets a log *group* ARN; confirm which the module expects.
        name = "send-logs-to-cloudwatch"
        arn  = aws_cloudwatch_log_stream.logs.arn
      }
    ]
  }
}

EventBridge Archive

module "eventbridge_with_archive" {
  source = "terraform-aws-modules/eventbridge/aws"

  bus_name = "my-bus"

  # Archives are off by default; enable them explicitly.
  create_archives = true

  archives = {
    "my-bus-launch-archive" = {
      description = "EC2 AutoScaling Event archive"
      # Archived events are stored copies of event payloads; keep retention
      # as short as the replay use case allows.
      retention_days = 1
      # Only successful EC2 instance launches from Auto Scaling are archived.
      event_pattern = <<PATTERN
      {
        "source": ["aws.autoscaling"],
        "detail-type": ["EC2 Instance Launch Successful"]
      }
      PATTERN
    }
  }

  tags = { Name = "my-bus" }
}

EventBridge Permission

module "eventbridge_with_permissions" {
  source = "terraform-aws-modules/eventbridge/aws"

  bus_name = "my-bus"

  create_permissions = true

  # Each key is an AWS account ID followed by a statement ID (presumably;
  # confirm against the Permissions example). Every entry widens the bus's
  # trust boundary to principals in that account, so review this list
  # periodically and drop entries that are no longer needed.
  permissions = {
    "099720109477 DevAccess"  = {}
    "099720109466 ProdAccess" = {}
  }

  tags = { Name = "my-bus" }
}

EventBridge with schedule rule and Lambda target

module "eventbridge" {
  source = "terraform-aws-modules/eventbridge/aws"

  # No custom bus: the rule is created on the account's default bus, which
  # is the only bus that supports schedule_expression in rules.
  create_bus = false

  rules = {
    crons = {
      description         = "Trigger for a Lambda"
      schedule_expression = "rate(5 minutes)"
    }
  }

  targets = {
    crons = [
      {
        name = "lambda-loves-cron"
        arn  = "arn:aws:lambda:ap-southeast-1:135367859851:function:resolved-penguin-lambda"
        # Static payload delivered on every invocation.
        input = jsonencode({ job = "cron-by-rate" })
        # The function's resource-based policy must allow EventBridge to
        # invoke it (aws_lambda_permission); that is not part of this snippet.
      }
    ]
  }
}

EventBridge with schedule rule and Step Functions target

module "eventbridge" {
  source = "terraform-aws-modules/eventbridge/aws"

  # Schedule rules run on the default bus only.
  create_bus = false

  rules = {
    crons = {
      description         = "Run state machine everyday 10:00 UTC"
      schedule_expression = "cron(0 10 * * ? *)"
    }
  }

  targets = {
    crons = [
      {
        name = "your-awesome-state-machine"
        arn  = "arn:aws:states:us-east-1:123456789012:stateMachine:your-awesome-state-machine"
        # Use the IAM role created by this module for the invocation.
        attach_role_arn = true
      }
    ]
  }

  # The Step Functions policy attached to that role is scoped to the ARNs
  # listed here; keep this list identical to the target ARN(s) above so the
  # role can start exactly the state machines it targets and nothing more.
  attach_sfn_policy = true
  sfn_target_arns   = ["arn:aws:states:us-east-1:123456789012:stateMachine:your-awesome-state-machine"]
}

EventBridge Scheduler which triggers Lambda Function

module "eventbridge" {
  source = "terraform-aws-modules/eventbridge/aws"

  # EventBridge Scheduler works with any bus, unlike schedule_expression in
  # rules, which only the "default" bus supports.
  bus_name = "example"

  # Grants the module's role invoke permission on the listed function only.
  attach_lambda_policy = true
  lambda_target_arns   = ["arn:aws:lambda:us-east-1:135367859851:function:resolved-penguin-lambda"]

  schedules = {
    lambda-cron = {
      description         = "Trigger for a Lambda"
      schedule_expression = "rate(1 day)"
      # Evaluated in this zone, so the trigger follows local DST changes.
      timezone = "Europe/London"
      # Keep this ARN in sync with lambda_target_arns above.
      arn   = "arn:aws:lambda:us-east-1:135367859851:function:resolved-penguin-lambda"
      input = jsonencode({ job = "cron-by-rate" })
    }
  }
}

EventBridge API Destination

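module "eventbridge_with_api_destination" {
  source = "terraform-aws-modules/eventbridge/aws"

  bus_name = "my-bus"

  create_connections      = true
  create_api_destinations = true

  # Attaches the API Destination policy to the IAM role used by targets.
  attach_api_destination_policy = true

  connections = {
    smee = {
      authorization_type = "OAUTH_CLIENT_CREDENTIALS"
      auth_parameters = {
        oauth = {
          authorization_endpoint = "https://oauth.endpoint.com"
          # The token request carries the client credentials. POST keeps them
          # in the request body rather than in the URL (and in access logs),
          # which is also what the OAuth 2.0 client-credentials grant requires.
          http_method = "POST"

          client_parameters = {
            client_id = "1234567890"
            # Never commit a literal secret here: it would end up in version
            # control and in plan output. Read it from a variable declared with
            # sensitive = true (or from a secrets manager data source). Note
            # that the value is still recorded in Terraform state either way.
            # `var.oauth_client_secret` is a placeholder name to declare yourself.
            client_secret = var.oauth_client_secret
          }

          oauth_http_parameters = {
            body = [{
              key             = "body-parameter-key"
              value           = "body-parameter-value"
              is_value_secret = false
            }]

            header = [{
              # is_value_secret omitted: this value is treated as non-secret.
              key   = "header-parameter-key1"
              value = "header-parameter-value1"
            }, {
              # is_value_secret = true marks this value as a secret; any
              # credential-bearing header belongs in this form.
              key             = "header-parameter-key2"
              value           = "header-parameter-value2"
              is_value_secret = true
            }]

            query_string = [{
              # Query-string values appear in URLs and logs; keep them
              # non-secret, as done here.
              key             = "query-string-parameter-key"
              value           = "query-string-parameter-value"
              is_value_secret = false
            }]
          }
        }
      }
    }
  }

  api_destinations = {
    smee = {
      description         = "my smee endpoint"
      invocation_endpoint = "https://smee.io/hgoubgoibwekt331"
      http_method         = "POST"
      # Upper bound on invocations per second sent to the endpoint.
      invocation_rate_limit_per_second = 200
    }
  }
}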

Additional IAM policies for Step Function

In addition to all supported AWS service integrations, you may want to create and attach additional policies.

There are 5 supported ways to attach additional IAM policies to the IAM role used by Step Function:

  1. policy_json - JSON string or heredoc, when attach_policy_json = true.
  2. policy_jsons - List of JSON strings or heredoc, when attach_policy_jsons = true and number_of_policy_jsons > 0.
  3. policy - ARN of existing IAM policy, when attach_policy = true.
  4. policies - List of ARNs of existing IAM policies, when attach_policies = true and number_of_policies > 0.
  5. policy_statements - Map of maps to define IAM statements which will be generated as IAM policy. Requires attach_policy_statements = true. See examples/complete for more information.

Conditional creation

Sometimes you need to create resources conditionally, but Terraform does not allow the use of count inside a module block, so the solution is to specify the create arguments.

module "eventbridge" {
  source = "terraform-aws-modules/eventbridge/aws"

  # Master switch: false disables every resource in the module.
  create = false

  # Per-resource-type switches.
  create_bus              = false # EventBridge Bus and related resources
  create_rules            = false # EventBridge Rules and related resources
  create_targets          = false # EventBridge Targets and related resources
  create_archives         = false # EventBridge Archives
  create_permissions      = false # EventBridge Permissions
  create_role             = false # IAM role and policies required for EventBridge
  create_connections      = false # EventBridge Connection resources
  create_api_destinations = false # EventBridge Destination resources
  create_schedule_groups  = false # EventBridge Schedule Group resources
  create_schedules        = false # EventBridge Schedule resources
  create_pipes            = false # EventBridge Pipes resources

  # Per-service IAM policy switches. Each one, when true, adds a policy to
  # the module-created role; leave them false unless a target needs them.
  attach_cloudwatch_policy       = false
  attach_ecs_policy              = false
  attach_kinesis_policy          = false
  attach_kinesis_firehose_policy = false
  attach_lambda_policy           = false
  attach_sfn_policy              = false
  attach_sqs_policy              = false
  attach_tracing_policy          = false
  attach_api_destination_policy  = false

  # ... omitted
}

Examples

  • Complete - Creates EventBridge resources (bus, rules and targets) and connect with SQS queues, Kinesis Stream, Step Function, CloudWatch Logs, Lambda Functions, and more.
  • HTTP API Gateway - Creates an integration with HTTP API Gateway as event source.
  • Using Default Bus - Creates resources in the default bus.
  • Archive - EventBridge Archives resources in various configurations.
  • Permissions - Controls permissions to EventBridge.
  • Scheduler - EventBridge Scheduler which works with any bus (recommended way).
  • ECS Scheduling Events - Use default bus to schedule events on ECS.
  • Lambda Scheduling Events - Trigger Lambda functions on schedule (works only with default bus).
  • API Destination - Control access to EventBridge using API destinations.
  • Pipes - EventBridge Pipes with lots of configurations.

Requirements

Name Version
terraform >= 1.0
aws >= 5.9

Providers

Name Version
aws >= 5.9

Modules

No modules.

Resources

Name Type
aws_cloudwatch_event_api_destination.this resource
aws_cloudwatch_event_archive.this resource
aws_cloudwatch_event_bus.this resource
aws_cloudwatch_event_connection.this resource
aws_cloudwatch_event_permission.this resource
aws_cloudwatch_event_rule.this resource
aws_cloudwatch_event_target.this resource
aws_iam_policy.additional_inline resource
aws_iam_policy.additional_json resource
aws_iam_policy.additional_jsons resource
aws_iam_policy.api_destination resource
aws_iam_policy.cloudwatch resource
aws_iam_policy.ecs resource
aws_iam_policy.kinesis resource
aws_iam_policy.kinesis_firehose resource
aws_iam_policy.lambda resource
aws_iam_policy.service resource
aws_iam_policy.sfn resource
aws_iam_policy.sns resource
aws_iam_policy.sqs resource
aws_iam_policy.tracing resource
aws_iam_policy_attachment.additional_inline resource
aws_iam_policy_attachment.additional_json resource
aws_iam_policy_attachment.additional_jsons resource
aws_iam_policy_attachment.api_destination resource
aws_iam_policy_attachment.cloudwatch resource
aws_iam_policy_attachment.ecs resource
aws_iam_policy_attachment.kinesis resource
aws_iam_policy_attachment.kinesis_firehose resource
aws_iam_policy_attachment.lambda resource
aws_iam_policy_attachment.service resource
aws_iam_policy_attachment.sfn resource
aws_iam_policy_attachment.sns resource
aws_iam_policy_attachment.sqs resource
aws_iam_policy_attachment.tracing resource
aws_iam_role.eventbridge resource
aws_iam_role.eventbridge_pipe resource
aws_iam_role_policy_attachment.additional_many resource
aws_iam_role_policy_attachment.additional_one resource
aws_pipes_pipe.this resource
aws_scheduler_schedule.this resource
aws_scheduler_schedule_group.this resource
aws_schemas_discoverer.this resource
aws_caller_identity.current data source
aws_cloudwatch_event_bus.this data source
aws_iam_policy.tracing data source
aws_iam_policy_document.additional_inline data source
aws_iam_policy_document.api_destination data source
aws_iam_policy_document.assume_role data source
aws_iam_policy_document.assume_role_pipe data source
aws_iam_policy_document.cloudwatch data source
aws_iam_policy_document.ecs data source
aws_iam_policy_document.kinesis data source
aws_iam_policy_document.kinesis_firehose data source
aws_iam_policy_document.lambda data source
aws_iam_policy_document.service data source
aws_iam_policy_document.sfn data source
aws_iam_policy_document.sns data source
aws_iam_policy_document.sqs data source
aws_partition.current data source
aws_region.current data source

Inputs

Name Description Type Default Required
api_destinations A map of objects with EventBridge Destination definitions. map(any) {} no
append_connection_postfix Controls whether to append '-connection' to the name of the connection bool true no
append_destination_postfix Controls whether to append '-destination' to the name of the destination bool true no
append_pipe_postfix Controls whether to append '-pipe' to the name of the pipe bool true no
append_rule_postfix Controls whether to append '-rule' to the name of the rule bool true no
append_schedule_group_postfix Controls whether to append '-group' to the name of the schedule group bool true no
append_schedule_postfix Controls whether to append '-schedule' to the name of the schedule bool true no
archives A map of objects with the EventBridge Archive definitions. map(any) {} no
attach_api_destination_policy Controls whether the API Destination policy should be added to IAM role for EventBridge Target bool false no
attach_cloudwatch_policy Controls whether the Cloudwatch policy should be added to IAM role for EventBridge Target bool false no
attach_ecs_policy Controls whether the ECS policy should be added to IAM role for EventBridge Target bool false no
attach_kinesis_firehose_policy Controls whether the Kinesis Firehose policy should be added to IAM role for EventBridge Target bool false no
attach_kinesis_policy Controls whether the Kinesis policy should be added to IAM role for EventBridge Target bool false no
attach_lambda_policy Controls whether the Lambda Function policy should be added to IAM role for EventBridge Target bool false no
attach_policies Controls whether list of policies should be added to IAM role bool false no
attach_policy Controls whether policy should be added to IAM role bool false no
attach_policy_json Controls whether policy_json should be added to IAM role bool false no
attach_policy_jsons Controls whether policy_jsons should be added to IAM role bool false no
attach_policy_statements Controls whether policy_statements should be added to IAM role bool false no
attach_sfn_policy Controls whether the StepFunction policy should be added to IAM role for EventBridge Target bool false no
attach_sns_policy Controls whether the SNS policy should be added to IAM role for EventBridge Target bool false no
attach_sqs_policy Controls whether the SQS policy should be added to IAM role for EventBridge Target bool false no
attach_tracing_policy Controls whether X-Ray tracing policy should be added to IAM role for EventBridge bool false no
bus_name A unique name for your EventBridge Bus string "default" no
cloudwatch_target_arns The Amazon Resource Name (ARN) of the Cloudwatch Log Streams you want to use as EventBridge targets list(string) [] no
connections A map of objects with EventBridge Connection definitions. any {} no
create Controls whether resources should be created bool true no
create_api_destinations Controls whether EventBridge Destination resources should be created bool false no
create_archives Controls whether EventBridge Archive resources should be created bool false no
create_bus Controls whether EventBridge Bus resource should be created bool true no
create_connections Controls whether EventBridge Connection resources should be created bool false no
create_permissions Controls whether EventBridge Permission resources should be created bool true no
create_pipes Controls whether EventBridge Pipes resources should be created bool true no
create_role Controls whether IAM roles should be created bool true no
create_rules Controls whether EventBridge Rule resources should be created bool true no
create_schedule_groups Controls whether EventBridge Schedule Group resources should be created bool true no
create_schedules Controls whether EventBridge Schedule resources should be created bool true no
create_schemas_discoverer Controls whether default schemas discoverer should be created bool false no
create_targets Controls whether EventBridge Target resources should be created bool true no
ecs_target_arns The Amazon Resource Name (ARN) of the AWS ECS Tasks you want to use as EventBridge targets list(string) [] no
event_source_name The partner event source that the new event bus will be matched with. Must match name. string null no
kinesis_firehose_target_arns The Amazon Resource Name (ARN) of the Kinesis Firehose Delivery Streams you want to use as EventBridge targets list(string) [] no
kinesis_target_arns The Amazon Resource Name (ARN) of the Kinesis Streams you want to use as EventBridge targets list(string) [] no
lambda_target_arns The Amazon Resource Name (ARN) of the Lambda Functions you want to use as EventBridge targets list(string) [] no
number_of_policies Number of policies to attach to IAM role number 0 no
number_of_policy_jsons Number of policies JSON to attach to IAM role number 0 no
permissions A map of objects with EventBridge Permission definitions. map(any) {} no
pipes A map of objects with EventBridge Pipe definitions. any {} no
policies List of policy statements ARN to attach to IAM role list(string) [] no
policy An additional policy document ARN to attach to IAM role string null no
policy_json An additional policy document as JSON to attach to IAM role string null no
policy_jsons List of additional policy documents as JSON to attach to IAM role list(string) [] no
policy_statements Map of dynamic policy statements to attach to IAM role any {} no
role_description Description of IAM role to use for EventBridge string null no
role_force_detach_policies Specifies to force detaching any policies the IAM role has before destroying it. bool true no
role_name Name of IAM role to use for EventBridge string null no
role_path Path of IAM role to use for EventBridge string null no
role_permissions_boundary The ARN of the policy that is used to set the permissions boundary for the IAM role used by EventBridge string null no
role_tags A map of tags to assign to IAM role map(string) {} no
rules A map of objects with EventBridge Rule definitions. map(any) {} no
schedule_group_timeouts A map of objects with EventBridge Schedule Group create and delete timeouts. map(string) {} no
schedule_groups A map of objects with EventBridge Schedule Group definitions. any {} no
schedules A map of objects with EventBridge Schedule definitions. map(any) {} no
schemas_discoverer_description Default schemas discoverer description string "Auto schemas discoverer event" no
sfn_target_arns The Amazon Resource Name (ARN) of the StepFunctions you want to use as EventBridge targets list(string) [] no
sns_target_arns The Amazon Resource Name (ARN) of the AWS SNS topics you want to use as EventBridge targets list(string) [] no
sqs_target_arns The Amazon Resource Name (ARN) of the AWS SQS Queues you want to use as EventBridge targets list(string) [] no
tags A map of tags to assign to resources. map(string) {} no
targets A map of objects with EventBridge Target definitions. any {} no
trusted_entities Additional trusted entities for assuming roles (trust relationship) list(string) [] no

Outputs

Name Description
eventbridge_api_destination_arns The EventBridge API Destination ARNs
eventbridge_api_destinations The EventBridge API Destinations created and their attributes
eventbridge_archive_arns The EventBridge Archive ARNs
eventbridge_archives The EventBridge Archives created and their attributes
eventbridge_bus The EventBridge Bus created and their attributes
eventbridge_bus_arn The EventBridge Bus ARN
eventbridge_bus_name The EventBridge Bus Name
eventbridge_connection_arns The EventBridge Connection ARNs
eventbridge_connection_ids The EventBridge Connection IDs
eventbridge_connections The EventBridge Connections created and their attributes
eventbridge_iam_roles The EventBridge IAM roles created and their attributes
eventbridge_permission_ids The EventBridge Permission IDs
eventbridge_permissions The EventBridge Permissions created and their attributes
eventbridge_pipe_arns The EventBridge Pipes ARNs
eventbridge_pipe_ids The EventBridge Pipes IDs
eventbridge_pipe_role_arns The ARNs of the IAM role created for EventBridge Pipes
eventbridge_pipe_role_names The names of the IAM role created for EventBridge Pipes
eventbridge_pipes The EventBridge Pipes created and their attributes
eventbridge_pipes_iam_roles The EventBridge Pipes IAM roles created and their attributes
eventbridge_role_arn The ARN of the IAM role created for EventBridge
eventbridge_role_name The name of the IAM role created for EventBridge
eventbridge_rule_arns The EventBridge Rule ARNs
eventbridge_rule_ids The EventBridge Rule IDs
eventbridge_rules The EventBridge Rules created and their attributes
eventbridge_schedule_arns The EventBridge Schedule ARNs created
eventbridge_schedule_group_arns The EventBridge Schedule Group ARNs
eventbridge_schedule_group_ids The EventBridge Schedule Group IDs
eventbridge_schedule_group_states The EventBridge Schedule Group states
eventbridge_schedule_groups The EventBridge Schedule Groups created and their attributes
eventbridge_schedule_ids The EventBridge Schedule IDs created
eventbridge_schedules The EventBridge Schedules created and their attributes

Authors

Module managed by Sven Lito. Check out serverless.tf to learn more about doing serverless with Terraform.

License

Apache 2 Licensed. See LICENSE for full details.