Allow Sirius accounts to send events

Add permissions to event bus to allow specified accounts to send events to the bus.

For VEGA-2090 #minor

terraform/environment/region/event_bus.tf

@@ -2,6 +2,7 @@ module "event_bus" {
   source               = "./modules/event_bus"
   target_event_bus_arn = var.target_event_bus_arn
   iam_role             = var.iam_roles.cross_account_put
+  receive_account_id   = var.receive_account_id
   providers = {
     aws.region = aws.region
   }

terraform/environment/region/modules/event_bus/main.tf

@@ -53,3 +53,30 @@ resource "aws_cloudwatch_event_target" "cross_account_put" {
   role_arn       = var.iam_role.arn
   provider       = aws.region
 }
+
+# Allow other accounts to send messages
+data "aws_iam_policy_document" "main" {
+  statement {
+    sid    = "CrossAccountAccess"
+    effect = "Allow"
+    actions = [
+      "events:PutEvents",
+    ]
+    resources = [
+      aws_cloudwatch_event_bus.main.arn
+    ]
+
+    principals {
+      type        = "AWS"
+      identifiers = [var.receive_account_id]
+    }
+  }
+}
+
+resource "aws_cloudwatch_event_bus_policy" "main" {
+  count          = var.receive_account_id == "" ? 0 : 1
+  event_bus_name = aws_cloudwatch_event_bus.main.name
+  policy         = data.aws_iam_policy_document.main.json
+  provider       = aws.region
+}
+

terraform/environment/region/modules/event_bus/variables.tf

@@ -7,3 +7,9 @@ variable "iam_role" {
   type        = any
   description = "IAM role to allow cross account put to event bus"
 }
+
+variable "receive_account_id" {
+  type        = string
+  description = "ID of account to receive messages from"
+  default     = ""
+}

terraform/environment/region/variables.tf

@@ -90,3 +90,9 @@ variable "target_event_bus_arn" {
   type        = string
   description = "ARN of the event bus to forward events to"
 }
+
+variable "receive_account_id" {
+  type        = string
+  description = "ID of account to receive messages from"
+  default     = ""
+}

terraform/environment/regions.tf

@@ -35,6 +35,7 @@ module "eu_west_1" {
     enable_s3_batch_job_replication_scheduler = local.environment.reduced_fees.enable_s3_batch_job_replication_scheduler
   }
   target_event_bus_arn   = local.environment.event_bus.target_event_bus_arn
+  receive_account_id     = local.environment.event_bus.receive_account_id
   app_env_vars           = local.environment.app.env
   app_allowed_api_arns   = local.environment.app.allowed_api_arns
   public_access_enabled  = var.public_access_enabled
@@ -76,6 +77,7 @@ module "eu_west_2" {
     enable_s3_batch_job_replication_scheduler = local.environment.reduced_fees.enable_s3_batch_job_replication_scheduler
   }
   target_event_bus_arn   = local.environment.event_bus.target_event_bus_arn
+  receive_account_id     = local.environment.event_bus.receive_account_id
   app_env_vars           = local.environment.app.env
   app_allowed_api_arns   = local.environment.app.allowed_api_arns
   public_access_enabled  = var.public_access_enabled

terraform/environment/terraform.tfvars.json

@@ -51,7 +51,8 @@
       "cloudwatch_application_insights_enabled": false,
       "pagerduty_service_name": "OPG Modernising LPA Non-Production",
       "event_bus": {
-        "target_event_bus_arn": "arn:aws:events:eu-west-1:288342028542:event-bus/dev-poas"
+        "target_event_bus_arn": "arn:aws:events:eu-west-1:288342028542:event-bus/dev-poas",
+        "receive_account_id": "288342028542"
       },
       "reduced_fees": {
         "enabled": true,
@@ -112,7 +113,8 @@
       "cloudwatch_application_insights_enabled": false,
       "pagerduty_service_name": "OPG Modernising LPA Non-Production",
       "event_bus": {
-        "target_event_bus_arn": "arn:aws:events:eu-west-1:288342028542:event-bus/dev-poas"
+        "target_event_bus_arn": "arn:aws:events:eu-west-1:288342028542:event-bus/dev-poas",
+        "receive_account_id": "288342028542"
       },
       "reduced_fees": {
         "enabled": true,
@@ -173,7 +175,8 @@
       "cloudwatch_application_insights_enabled": false,
       "pagerduty_service_name": "OPG Modernising LPA Non-Production",
       "event_bus": {
-        "target_event_bus_arn": "arn:aws:events:eu-west-1:288342028542:event-bus/integration-poas"
+        "target_event_bus_arn": "arn:aws:events:eu-west-1:288342028542:event-bus/integration-poas",
+        "receive_account_id": "288342028542"
       },
       "reduced_fees": {
         "enabled": true,
@@ -234,7 +237,8 @@
       "cloudwatch_application_insights_enabled": true,
       "pagerduty_service_name": "OPG Modernising LPA Non-Production",
       "event_bus": {
-        "target_event_bus_arn": "arn:aws:events:eu-west-1:288342028542:event-bus/dev-poas"
+        "target_event_bus_arn": "arn:aws:events:eu-west-1:288342028542:event-bus/dev-poas",
+        "receive_account_id": "288342028542"
       },
       "reduced_fees": {
         "enabled": true,
@@ -295,7 +299,8 @@
       "cloudwatch_application_insights_enabled": true,
       "pagerduty_service_name": "OPG Modernising LPA Non-Production",
       "event_bus": {
-        "target_event_bus_arn": "arn:aws:events:eu-west-1:288342028542:event-bus/dev-poas"
+        "target_event_bus_arn": "arn:aws:events:eu-west-1:288342028542:event-bus/dev-poas",
+        "receive_account_id": ""
       },
       "reduced_fees": {
         "enabled": true,
@@ -356,7 +361,8 @@
       "cloudwatch_application_insights_enabled": true,
       "pagerduty_service_name": "OPG Modernising LPA Non-Production",
       "event_bus": {
-        "target_event_bus_arn": "arn:aws:events:eu-west-1:288342028542:event-bus/dev-poas"
+        "target_event_bus_arn": "arn:aws:events:eu-west-1:288342028542:event-bus/dev-poas",
+        "receive_account_id": ""
       },
       "reduced_fees": {
         "enabled": true,

terraform/environment/variables.tf

@@ -73,6 +73,7 @@ variable "environments" {
       pagerduty_service_name                  = string
       event_bus = object({
         target_event_bus_arn = string
+        receive_account_id   = string
       })
       reduced_fees = object({
         enabled                                   = bool