Allow Sirius accounts to send events

Add permissions to event bus to allow specified accounts to send events to the bus. For VEGA-2090 #minor
ministryofjustice · Oct 4, 2023 · f4aef4d · f4aef4d
1 parent 56a4fa7
commit f4aef4d
Show file tree

Hide file tree

Showing 7 changed files with 52 additions and 6 deletions.
diff --git a/terraform/environment/region/event_bus.tf b/terraform/environment/region/event_bus.tf
@@ -2,6 +2,7 @@ module "event_bus" {
   source               = "./modules/event_bus"
   target_event_bus_arn = var.target_event_bus_arn
   iam_role             = var.iam_roles.cross_account_put
+  receive_account_id   = var.receive_account_id
   providers = {
     aws.region = aws.region
   }

diff --git a/terraform/environment/region/modules/event_bus/main.tf b/terraform/environment/region/modules/event_bus/main.tf
@@ -53,3 +53,29 @@ resource "aws_cloudwatch_event_target" "cross_account_put" {
   role_arn       = var.iam_role.arn
   provider       = aws.region
 }
+
+# Allow other accounts to send messages
+data "aws_iam_policy_document" "main" {
+  statement {
+    sid    = "CrossAccountAccess"
+    effect = "Allow"
+    actions = [
+      "events:PutEvents",
+    ]
+    resources = [
+      aws_cloudwatch_event_bus.main.arn
+    ]
+
+    principals {
+      type        = "AWS"
+      identifiers = [var.receive_account_id]
+    }
+  }
+}
+
+resource "aws_cloudwatch_event_bus_policy" "main" {
+  count          = var.receive_account_id == "" ? 0 : 1
+  event_bus_name = aws_cloudwatch_event_bus.main.name
+  policy         = data.aws_iam_policy_document.main.json
+}
+
diff --git a/terraform/environment/region/modules/event_bus/permissions.tf b/terraform/environment/region/modules/event_bus/permissions.tf
diff --git a/terraform/environment/region/modules/event_bus/variables.tf b/terraform/environment/region/modules/event_bus/variables.tf
@@ -7,3 +7,9 @@ variable "iam_role" {
   type        = any
   description = "IAM role to allow cross account put to event bus"
 }
+
+variable "receive_account_id" {
+  type        = string
+  description = "ID of account to receive messages from"
+  default     = ""
+}
diff --git a/terraform/environment/region/variables.tf b/terraform/environment/region/variables.tf
@@ -90,3 +90,9 @@ variable "target_event_bus_arn" {
   type        = string
   description = "ARN of the event bus to forward events to"
 }
+
+variable "receive_account_id" {
+  type        = string
+  description = "ID of account to receive messages from"
+  default     = ""
+}
diff --git a/terraform/environment/terraform.tfvars.json b/terraform/environment/terraform.tfvars.json
@@ -51,7 +51,8 @@
       "cloudwatch_application_insights_enabled": false,
       "pagerduty_service_name": "OPG Modernising LPA Non-Production",
       "event_bus": {
-        "target_event_bus_arn": "arn:aws:events:eu-west-1:288342028542:event-bus/dev-poas"
+        "target_event_bus_arn": "arn:aws:events:eu-west-1:288342028542:event-bus/dev-poas",
+        "receive_account_id": "288342028542"
       },
       "reduced_fees": {
         "enabled": true,
@@ -112,7 +113,8 @@
       "cloudwatch_application_insights_enabled": false,
       "pagerduty_service_name": "OPG Modernising LPA Non-Production",
       "event_bus": {
-        "target_event_bus_arn": "arn:aws:events:eu-west-1:288342028542:event-bus/dev-poas"
+        "target_event_bus_arn": "arn:aws:events:eu-west-1:288342028542:event-bus/dev-poas",
+        "receive_account_id": "288342028542"
       },
       "reduced_fees": {
         "enabled": true,
@@ -173,7 +175,8 @@
       "cloudwatch_application_insights_enabled": false,
       "pagerduty_service_name": "OPG Modernising LPA Non-Production",
       "event_bus": {
-        "target_event_bus_arn": "arn:aws:events:eu-west-1:288342028542:event-bus/integration-poas"
+        "target_event_bus_arn": "arn:aws:events:eu-west-1:288342028542:event-bus/integration-poas",
+        "receive_account_id": "288342028542"
       },
       "reduced_fees": {
         "enabled": true,
@@ -234,7 +237,8 @@
       "cloudwatch_application_insights_enabled": true,
       "pagerduty_service_name": "OPG Modernising LPA Non-Production",
       "event_bus": {
-        "target_event_bus_arn": "arn:aws:events:eu-west-1:288342028542:event-bus/dev-poas"
+        "target_event_bus_arn": "arn:aws:events:eu-west-1:288342028542:event-bus/dev-poas",
+        "receive_account_id": "288342028542"
       },
       "reduced_fees": {
         "enabled": true,
@@ -295,7 +299,8 @@
       "cloudwatch_application_insights_enabled": true,
       "pagerduty_service_name": "OPG Modernising LPA Non-Production",
       "event_bus": {
-        "target_event_bus_arn": "arn:aws:events:eu-west-1:288342028542:event-bus/dev-poas"
+        "target_event_bus_arn": "arn:aws:events:eu-west-1:288342028542:event-bus/dev-poas",
+        "receive_account_id": ""
       },
       "reduced_fees": {
         "enabled": true,
@@ -356,7 +361,8 @@
       "cloudwatch_application_insights_enabled": true,
       "pagerduty_service_name": "OPG Modernising LPA Non-Production",
       "event_bus": {
-        "target_event_bus_arn": "arn:aws:events:eu-west-1:288342028542:event-bus/dev-poas"
+        "target_event_bus_arn": "arn:aws:events:eu-west-1:288342028542:event-bus/dev-poas",
+        "receive_account_id": ""
       },
       "reduced_fees": {
         "enabled": true,

diff --git a/terraform/environment/variables.tf b/terraform/environment/variables.tf
@@ -73,6 +73,7 @@ variable "environments" {
       pagerduty_service_name                  = string
       event_bus = object({
         target_event_bus_arn = string
+        receive_account_id   = string
       })
       reduced_fees = object({
         enabled                                   = bool