diff --git a/terraform/environment/region/event_bus.tf b/terraform/environment/region/event_bus.tf
index 899bb5d6c9..b833eb563c 100644
--- a/terraform/environment/region/event_bus.tf
+++ b/terraform/environment/region/event_bus.tf
@@ -2,6 +2,7 @@ module "event_bus" {
 source = "./modules/event_bus"
 target_event_bus_arn = var.target_event_bus_arn
 iam_role = var.iam_roles.cross_account_put
+ receive_account_id = var.receive_account_id
 providers = {
 aws.region = aws.region
 }
diff --git a/terraform/environment/region/modules/event_bus/main.tf b/terraform/environment/region/modules/event_bus/main.tf
index a635bfae70..024d08c276 100644
--- a/terraform/environment/region/modules/event_bus/main.tf
+++ b/terraform/environment/region/modules/event_bus/main.tf
@@ -53,3 +53,29 @@ resource "aws_cloudwatch_event_target" "cross_account_put" {
 role_arn = var.iam_role.arn
 provider = aws.region
 }
+
+# Allow other accounts to send messages
+data "aws_iam_policy_document" "main" {
+ statement {
+ sid = "CrossAccountAccess"
+ effect = "Allow"
+ actions = [
+ "events:PutEvents",
+ ]
+ resources = [
+ aws_cloudwatch_event_bus.main.arn
+ ]
+
+ principals {
+ type = "AWS"
+ identifiers = [var.receive_account_id]
+ }
+ }
+}
+
+resource "aws_cloudwatch_event_bus_policy" "main" {
+ count = var.receive_account_id == "" ? 0 : 1
+ event_bus_name = aws_cloudwatch_event_bus.main.name
+ policy = data.aws_iam_policy_document.main.json
+}
+
diff --git a/terraform/environment/region/modules/event_bus/permissions.tf b/terraform/environment/region/modules/event_bus/permissions.tf
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/terraform/environment/region/modules/event_bus/variables.tf b/terraform/environment/region/modules/event_bus/variables.tf
index 98a6d6f898..bd1723c0d9 100644
--- a/terraform/environment/region/modules/event_bus/variables.tf
+++ b/terraform/environment/region/modules/event_bus/variables.tf
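Review bot: `data "aws_iam_policy_document" "main"` in the main.tf hunk is evaluated unconditionally, so with the module's default `receive_account_id = ""` (several environments in this diff set exactly that) the principals block renders `identifiers = [""]` even though `aws_cloudwatch_event_bus_policy.main` itself is gated by `count`; whether the provider rejects an empty principal or quietly produces an unusable document, the data source should be gated the same way — add `count = var.receive_account_id == "" ? 0 : 1` to the data block and reference it as `policy = data.aws_iam_policy_document.main[0].json`. A bare account ID as an `AWS` principal trusts every IAM principal in that account that carries `events:PutEvents` in its own policies, not just the forwarding role; if only that role should write to this bus, consider taking the role ARN(s) as the identifier list instead, which keeps the grant at least privilege. The comment `# Allow other accounts to send messages` overstates the effect and would be clearer as `# Allow the configured source account to PutEvents on this bus; no policy is created when receive_account_id is empty`. The newly added empty `permissions.tf` in the same module looks like the intended home for this policy document; either move the policy there or drop the empty file.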
@@ -7,3 +7,9 @@ variable "iam_role" {
 type = any
 description = "IAM role to allow cross account put to event bus"
 }
+
+variable "receive_account_id" {
+ type = string
+ description = "ID of account to receive messages from"
+ default = ""
+}
diff --git a/terraform/environment/region/variables.tf b/terraform/environment/region/variables.tf
index 1ca625752b..862d28ea76 100644
--- a/terraform/environment/region/variables.tf
+++ b/terraform/environment/region/variables.tf
@@ -90,3 +90,9 @@ variable "target_event_bus_arn" {
 type = string
 description = "ARN of the event bus to forward events to"
 }
+
+variable "receive_account_id" {
+ type = string
+ description = "ID of account to receive messages from"
+ default = ""
+}
diff --git a/terraform/environment/terraform.tfvars.json b/terraform/environment/terraform.tfvars.json
index 331d32ad48..09d8a38090 100644
--- a/terraform/environment/terraform.tfvars.json
+++ b/terraform/environment/terraform.tfvars.json
@@ -51,7 +51,8 @@
 "cloudwatch_application_insights_enabled": false,
 "pagerduty_service_name": "OPG Modernising LPA Non-Production",
 "event_bus": {
- "target_event_bus_arn": "arn:aws:events:eu-west-1:288342028542:event-bus/dev-poas"
+ "target_event_bus_arn": "arn:aws:events:eu-west-1:288342028542:event-bus/dev-poas",
+ "receive_account_id": "288342028542"
 },
 "reduced_fees": {
 "enabled": true,
@@ -112,7 +113,8 @@
 "cloudwatch_application_insights_enabled": false,
 "pagerduty_service_name": "OPG Modernising LPA Non-Production",
 "event_bus": {
- "target_event_bus_arn": "arn:aws:events:eu-west-1:288342028542:event-bus/dev-poas"
+ "target_event_bus_arn": "arn:aws:events:eu-west-1:288342028542:event-bus/dev-poas",
+ "receive_account_id": "288342028542"
 },
 "reduced_fees": {
 "enabled": true,
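Review bot: `variable "receive_account_id"` in the module variables.tf hunk accepts any string, yet its value is interpolated straight into an IAM principal identifier in the module's policy document, so a typo or a pasted ARN would either fail at apply time or, if the provider passes it through, grant `events:PutEvents` to the wrong principal; a `validation` block that admits only the empty sentinel or a 12-digit account ID catches that before plan. The identical variable added to `terraform/environment/region/variables.tf` in the next hunk has the same gap. The description `"ID of account to receive messages from"` reads as if this account is the receiver; `"ID of the AWS account allowed to put events onto this bus (empty disables the policy)"` states the direction unambiguously.
```hcl
variable "receive_account_id" {
  type        = string
  description = "ID of the AWS account allowed to put events onto this bus (empty disables the policy)"
  default     = ""

  validation {
    condition     = var.receive_account_id == "" || can(regex("^[0-9]{12}$", var.receive_account_id))
    error_message = "receive_account_id must be empty or a 12-digit AWS account ID."
  }
}
```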
@@ -173,7 +175,8 @@
 "cloudwatch_application_insights_enabled": false,
 "pagerduty_service_name": "OPG Modernising LPA Non-Production",
 "event_bus": {
- "target_event_bus_arn": "arn:aws:events:eu-west-1:288342028542:event-bus/integration-poas"
+ "target_event_bus_arn": "arn:aws:events:eu-west-1:288342028542:event-bus/integration-poas",
+ "receive_account_id": "288342028542"
 },
 "reduced_fees": {
 "enabled": true,
@@ -234,7 +237,8 @@
 "cloudwatch_application_insights_enabled": true,
 "pagerduty_service_name": "OPG Modernising LPA Non-Production",
 "event_bus": {
- "target_event_bus_arn": "arn:aws:events:eu-west-1:288342028542:event-bus/dev-poas"
+ "target_event_bus_arn": "arn:aws:events:eu-west-1:288342028542:event-bus/dev-poas",
+ "receive_account_id": "288342028542"
 },
 "reduced_fees": {
 "enabled": true,
@@ -295,7 +299,8 @@
 "cloudwatch_application_insights_enabled": true,
 "pagerduty_service_name": "OPG Modernising LPA Non-Production",
 "event_bus": {
- "target_event_bus_arn": "arn:aws:events:eu-west-1:288342028542:event-bus/dev-poas"
+ "target_event_bus_arn": "arn:aws:events:eu-west-1:288342028542:event-bus/dev-poas",
+ "receive_account_id": ""
 },
 "reduced_fees": {
 "enabled": true,
@@ -356,7 +361,8 @@
 "cloudwatch_application_insights_enabled": true,
 "pagerduty_service_name": "OPG Modernising LPA Non-Production",
 "event_bus": {
- "target_event_bus_arn": "arn:aws:events:eu-west-1:288342028542:event-bus/dev-poas"
+ "target_event_bus_arn": "arn:aws:events:eu-west-1:288342028542:event-bus/dev-poas",
+ "receive_account_id": ""
 },
 "reduced_fees": {
 "enabled": true,
diff --git a/terraform/environment/variables.tf b/terraform/environment/variables.tf
index ec707c5444..3c22faade5 100644
--- a/terraform/environment/variables.tf
+++ b/terraform/environment/variables.tf
@@ -73,6 +73,7 @@ variable "environments" {
 pagerduty_service_name = string
 event_bus = object({
 target_event_bus_arn = string
+ receive_account_id = string
 })
 reduced_fees = object({
 enabled = bool
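Review bot: `receive_account_id = string` in the `environments` object type makes the attribute mandatory for every environment, which is why the tfvars hunks above have to spell out `"receive_account_id": ""` for environments that do not use it, while the module and region variables default it to `""`. If the project's Terraform version supports optional object attributes, `receive_account_id = optional(string, "")` would keep the three declarations consistent and let unaffected environments omit the key. `variable "environments"` starts and ends outside the hunk.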