I've spent the last few weeks researching how to connect event busses in two different AWS accounts using the CDK. Most of the information that I've found has just been CloudFormation templates, which is fine, but some of the resources you have to create in CloudFormation are automatically created in the CDK. Now that I've solved the problem, I'd like to help the next unfortunate soul that needs to implement this. Fortunately, the final solution isn't that complicated. This article leaves out some boilerplate code, like creating the stacks. For the full source go to: . https://github.com/theBenForce/post-samples/tree/article/cross-account-event-bus What's needed? To get this to work you'll have to create a bus in each account—obviously. Beyond that, you'll need to create different resources for the sending and receiving accounts. In the receiving account, you'll need to create the rule that you want to be triggered by the message, and a policy on the target bus that allows messages from the sending account. In the sending account, you'll need to create an IAM Role that allows put events to the receiving bus. You'll also need to create a rule on the sending bus that references that role and forwards events to the receiving bus. Setting up the target account First, create the target bus. You'll need to set the name so that the ARN can be used in a stack in another account. const targetBus = new events.EventBus(this, "TargetBus", {
  eventBusName: "TargetBus"
}); Since we're going to be referencing this bus from another account, we need to tell the CDK to generate a physical name during the synthesis process. This enables the CDK to generate an ARN before deployment. targetBus._enableCrossEnvironment(); Now you need to create an event bus policy that allows messages from the source account. new events.CfnEventBusPolicy(this, "CrossAccountPolicy", {
  action: "events:PutEvents",
  eventBusName: targetBus.eventBusName,
  principal: sourceAccountId,
  statementId: AcceptFrom${sourceAccountId},
}); This wouldn't be any fun if you didn't get to see your events somewhere in the target account. To make that happen, create a CloudWatch log group that you can dump all of the received messages into. const eventLogs = new logs.LogGroup(this, "EventLogs", {
  logGroupName: "EventLogs",
}); Finally, you need to create the rule that you want to be triggered. The rule will pass all events with a set to into the log group that you created. detailType TestEvent new events.Rule(this, "TestRule", {
  eventBus: targetBus,
  eventPattern: {
    detailType: ["TestEvent"],
  },
	targets: [
    new eventsTargets.CloudWatchLogGroup(eventLogs),
  ],
}); Setting up the source account Start by creating the bus that will be sending events. const sourceBus = new events.EventBus(this, "SourceBus"); And create a rule that will forward TestEvent messages to the target bus. The CDK creates both the Event Bus Rule and an IAM Role that will allow your Event Bus to send messages to the target Event Bus. new events.Rule(this, "TestRule", {
	eventBus: sourceBus,
	eventPattern: "TestEvent",
	targets: [
		new eventsTargets.EventBus(targetBus)
	]
}); Deploy Now that you've created both busses, go ahead and deploy them. Without any fancy setup, you'll need to deploy the stacks one at a time using the proper AWS profile for each. npx cdk deploy --profile source SourceStack
npx cdk deploy --profile target TargetStack Testing Now that both stacks are deployed you can test the connection. Log into the source account's AWS console and navigate to "Event busses" in the EventBridge service. Select your bus then click Actions→Send events. On the page that opens, make sure the "Detail type" matches the value you used when you created the event bus rule. Now head over to your target account and open the CloudWatch log group that you created. You should see your message there. Summary Connecting event bridges across two AWS accounts requires several pieces to get it working, fortunately, the CDK makes it pretty simple to create them. In the target account, you need to create an Event Bus with an Event Bus Policy that allows messages from the source account. The source account needs an IAM Role attached to an Event Bus Rule, which the CDK takes care of behind the scenes. Also published on . https://thebenforce.com/post/cross-account-event-bus

Stacks

Target

Running Cdk Integration Tests in a CloudFormation Custom Resource

An Intro to Dynamic CDK Dashboards

Connecting Event Bridges Across AWS Accounts: A How-To Guide

About Author

Comments

TOPICS

THIS ARTICLE WAS FEATURED IN

Related Stories

An Intro to Dynamic CDK Dashboards

101 Stories To Learn About Cloud Infrastructure

10 Things in Engineering We Don't Spend Enough Time On

10 Things I Did To Increase CloudTrail Logs Security

10 reasons to give cloud computing a go

10 Lessons from 10 Years of AWS (part 1)

An Intro to Dynamic CDK Dashboards

101 Stories To Learn About Cloud Infrastructure

10 Things in Engineering We Don't Spend Enough Time On

10 Things I Did To Increase CloudTrail Logs Security

10 reasons to give cloud computing a go

10 Lessons from 10 Years of AWS (part 1)

Light-Mode

Classic

Newspaper

Minty

Dark-Mode

Neon Noir

Minty

HN StartUps