paint-brush
Connecting Event Bridges Across AWS Accounts: A How-To Guideby@theBenForce

Connecting Event Bridges Across AWS Accounts: A How-To Guide

by Ben ForceOctober 3rd, 2021
Read on Terminal Reader
Read this story w/o Javascript
tldt arrow

Too Long; Didn't Read

This article leaves out some boilerplate code, like creating the stacks. I've spent the last few weeks researching how to connect event busses in two different AWS accounts using the CDK. Fortunately, the final solution isn't that complicated. The CDK creates both a bus and an IAM Role that will allow the bus to send events to the receiving bus. Without any fancy setup, you'll need to deploy stacks at a time using the proper time for each profile for each account.

Company Mentioned

Mention Thumbnail

Coin Mentioned

Mention Thumbnail
featured image - Connecting Event Bridges Across AWS Accounts: A How-To Guide
Ben Force HackerNoon profile picture


I've spent the last few weeks researching how to connect event busses in two different AWS accounts using the CDK. Most of the information that I've found has just been CloudFormation templates, which is fine, but some of the resources you have to create in CloudFormation are automatically created in the CDK.


Now that I've solved the problem, I'd like to help the next unfortunate soul that needs to implement this. Fortunately, the final solution isn't that complicated.


This article leaves out some boilerplate code, like creating the stacks. For the full source go to: https://github.com/theBenForce/post-samples/tree/article/cross-account-event-bus.


What's needed?

To get this to work you'll have to create a bus in each account—obviously. Beyond that, you'll need to create different resources for the sending and receiving accounts.


In the receiving account, you'll need to create the rule that you want to be triggered by the message, and a policy on the target bus that allows messages from the sending account.


In the sending account, you'll need to create an IAM Role that allows put events to the receiving bus. You'll also need to create a rule on the sending bus that references that role and forwards events to the receiving bus.


Setting up the target account

First, create the target bus. You'll need to set the name so that the ARN can be used in a stack in another account.


const targetBus = new events.EventBus(this, "TargetBus", {
  eventBusName: "TargetBus"
});

Since we're going to be referencing this bus from another account, we need to tell the CDK to generate a physical name during the synthesis process. This enables the CDK to generate an ARN before deployment.


targetBus._enableCrossEnvironment();

Now you need to create an event bus policy that allows messages from the source account.


new events.CfnEventBusPolicy(this, "CrossAccountPolicy", {
  action: "events:PutEvents",
  eventBusName: targetBus.eventBusName,
  principal: sourceAccountId,
  statementId: AcceptFrom${sourceAccountId},
});

This wouldn't be any fun if you didn't get to see your events somewhere in the target account. To make that happen, create a CloudWatch log group that you can dump all of the received messages into.


const eventLogs = new logs.LogGroup(this, "EventLogs", {
  logGroupName: "EventLogs",
});

Finally, you need to create the rule that you want to be triggered. The rule will pass all events with a detailType set to TestEvent into the log group that you created.


new events.Rule(this, "TestRule", {
  eventBus: targetBus,
  eventPattern: {
    detailType: ["TestEvent"],
  },
	targets: [
    new eventsTargets.CloudWatchLogGroup(eventLogs),
  ],
});

Setting up the source account

Start by creating the bus that will be sending events.


const sourceBus = new events.EventBus(this, "SourceBus");

And create a rule that will forward TestEvent messages to the target bus. The CDK creates both the Event Bus Rule and an IAM Role that will allow your Event Bus to send messages to the target Event Bus.


new events.Rule(this, "TestRule", {
	eventBus: sourceBus,
	eventPattern: "TestEvent",
	targets: [
		new eventsTargets.EventBus(targetBus)
	]
});

Deploy

Now that you've created both busses, go ahead and deploy them. Without any fancy setup, you'll need to deploy the stacks one at a time using the proper AWS profile for each.


npx cdk deploy --profile source SourceStack
npx cdk deploy --profile target TargetStack


Testing

Now that both stacks are deployed you can test the connection. Log into the source account's AWS console and navigate to "Event busses" in the EventBridge service. Select your bus then click Actions→Send events.


Selecting an event bus

On the page that opens, make sure the "Detail type" matches the value you used when you created the event bus rule.


Sending an event

Now head over to your target account and open the CloudWatch log group that you created. You should see your message there.


View event in the target

Summary

Connecting event bridges across two AWS accounts requires several pieces to get it working, fortunately, the CDK makes it pretty simple to create them. In the target account, you need to create an Event Bus with an Event Bus Policy that allows messages from the source account. The source account needs an IAM Role attached to an Event Bus Rule, which the CDK takes care of behind the scenes.


Also published on https://thebenforce.com/post/cross-account-event-bus.