Permissions for custom resource directing eventbridge events to targets


I am trying to add custom resources to establish a rule on an existing EventBridge event bus that sends events to a Cloudwatch log group, and in another variation I am creating a rule to send event bus events to an SNS topic, but am having trouble.

I am able to establish the rules, but they end up having failed invocations on deploy because (I am fairly certain) the permissions are not correct. If I update the rule in some way through the console, the rule begins to work because that procedure sets the correct policy.

Taking the case of the rule sending events to the log group, I understand what I need to do is create a resource policy like this:

{
    "Statement": [
        {
            "Action": [
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ],
            "Effect": "Allow",
            "Principal": {
                "Service": ["events.amazonaws.com", "delivery.logs.amazonaws.com"]
            },
            "Resource": "arn:aws:logs:region:account:log-group:/aws/events/*:*",
            "Sid": "TrustEventsToStoreLogEvent"
        }
    ],
    "Version": "2012-10-17"
}

(see: Using resource-based policies for Amazon EventBridge - Amazon EventBridge)

So I am attempting to do this in the custom resources section of my serverless.yaml. What I have looks like this:

resources:
  Resources:
    ShopifyEventsLogRule:
      Type: AWS::Events::Rule
      Properties:
        Description: 'All Shopify events for environment into Cloudwatch Log'
        EventBusName: ${self:custom.environment.${self:custom.stage}.EVENT_BUS_ARN}
        EventPattern:
          source:
            - ${self:custom.environment.${self:custom.stage}.EVENT_BUS_ARN}
        Name: ShopifyEventsLogRule-${self:custom.stage}
        Targets:
          - Arn: !GetAtt ShopifyEventsLog.Arn 
            Id: LogTarget
    ShopifyEventsLog:
      Type: AWS::Logs::LogGroup
      Properties:
        LogGroupName: /aws/events/shopify-events-${self:custom.stage}
    ShopifyEventsLogPolicy:
      Type: AWS::IAM::Role
      Properties:
        AssumeRolePolicyDocument:
          Version: "2012-10-17"
          Statement:
            - Effect: Allow
              Principal:
                Service:
                  - events.amazonaws.com
              Action:
                - logs:CreateLogStream
                - logs:PutLogEvents
              Resource:
                !GetAtt ShopifyEventsLog.Arn
              Sid: TrustEventBridgeEvents

However, when I deploy this I get an error:

CREATE_FAILED: ShopifyEventsLogPolicy (AWS::IAM::Role)
Has prohibited field Resource (Service: AmazonIdentityManagement; Status Code: 400; Error Code: MalformedPolicyDocument; Request ID: 6220551f-c1dc-41da-a646-f8c41b0d9c8f; Proxy: null)

Does anyone here know what I may be doing wrong?

I also came across this topic that is rather old, which doesn’t seem to apply very precisely to my case since I am not trying to set permissions for delivery to a lambda.
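The CREATE_FAILED comes from the resource type rather than a YAML slip: AssumeRolePolicyDocument is a trust policy, which only says who may assume the role, so IAM rejects a Resource field in it. EventBridge also never assumes a role when it delivers to a log group or an SNS topic; both targets need a resource-based policy on the target itself, AWS::Logs::ResourcePolicy for the log group and AWS::SNS::TopicPolicy for the topic. As an added example (not from the original post or from the Serverless project), here are both variations written that way. Assumptions: the ${AWS::Partition}, ${AWS::Region} and ${AWS::AccountId} pseudo parameters inside !Sub pass through the Serverless variable engine untouched (Serverless Framework v3 does this; older versions needed the serverless-pseudo-parameters plugin), the topic name shopify-events-${self:custom.stage} is invented, and the aws:SourceAccount condition on the topic policy is extra hardening that the AWS sample policy for this target does not include, so check the FailedInvocations metric after deploying with it.

```yaml
resources:
  Resources:
    ShopifyEventsLog:
      Type: AWS::Logs::LogGroup
      Properties:
        LogGroupName: /aws/events/shopify-events-${self:custom.stage}

    # A CloudWatch Logs resource policy, not an IAM role: EventBridge writes to
    # the log group directly and never assumes a role for this target type.
    # These policies are account-wide per region (limit of 10), so one policy
    # covering the /aws/events/ prefix is used instead of one per log group.
    ShopifyEventsLogPolicy:
      Type: AWS::Logs::ResourcePolicy
      Properties:
        PolicyName: TrustEventBridgeEvents-${self:custom.stage}
        # PolicyDocument is a JSON *string*. The ${AWS::...} pseudo parameters
        # are assumed to pass through the Serverless variable engine unchanged.
        PolicyDocument: !Sub |
          {
            "Version": "2012-10-17",
            "Statement": [{
              "Sid": "TrustEventsToStoreLogEvent",
              "Effect": "Allow",
              "Principal": {
                "Service": ["events.amazonaws.com", "delivery.logs.amazonaws.com"]
              },
              "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
              "Resource": "arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/events/*:*"
            }]
          }

    ShopifyEventsLogRule:
      Type: AWS::Events::Rule
      # Without DependsOn the rule can be created, and fire, before the policy
      # exists, which is exactly the failed invocations seen on deploy.
      DependsOn: ShopifyEventsLogPolicy
      Properties:
        Description: 'All Shopify events for environment into Cloudwatch Log'
        EventBusName: ${self:custom.environment.${self:custom.stage}.EVENT_BUS_ARN}
        EventPattern:
          source:
            - ${self:custom.environment.${self:custom.stage}.EVENT_BUS_ARN}
        Name: ShopifyEventsLogRule-${self:custom.stage}
        Targets:
          - Arn: !GetAtt ShopifyEventsLog.Arn
            Id: LogTarget

    # SNS variation: the grant lives in the topic's own access policy.
    ShopifyEventsTopic:
      Type: AWS::SNS::Topic
      Properties:
        TopicName: shopify-events-${self:custom.stage}   # assumed name

    ShopifyEventsTopicPolicy:
      Type: AWS::SNS::TopicPolicy
      Properties:
        Topics:
          - !Ref ShopifyEventsTopic
        PolicyDocument:           # a JSON object here, unlike the Logs policy
          Version: "2012-10-17"
          Statement:
            - Sid: TrustEventBridgeToPublish
              Effect: Allow
              Principal:
                Service: events.amazonaws.com
              Action: sns:Publish
              Resource: !Ref ShopifyEventsTopic
              # Confused-deputy guard (assumption, verify in your account):
              # only EventBridge acting on behalf of this account may publish.
              Condition:
                StringEquals:
                  aws:SourceAccount: !Ref AWS::AccountId

    ShopifyEventsTopicRule:
      Type: AWS::Events::Rule
      DependsOn: ShopifyEventsTopicPolicy
      Properties:
        EventBusName: ${self:custom.environment.${self:custom.stage}.EVENT_BUS_ARN}
        EventPattern:
          source:
            - ${self:custom.environment.${self:custom.stage}.EVENT_BUS_ARN}
        Name: ShopifyEventsTopicRule-${self:custom.stage}
        Targets:
          - Arn: !Ref ShopifyEventsTopic
            Id: TopicTarget
```

Two points worth knowing before deploying this. The Logs policy is the one the console writes for you when you edit the rule, which is why a manual edit "fixes" the rule; CloudFormation creates the policy and the rule in parallel unless DependsOn orders them, so the first deliveries after a fresh deploy would still fail without it. And because the Logs policy is scoped to the account and region with the /aws/events/*:* wildcard, adding a second EventBridge log group later needs no new policy, which matters with the per-region limit of 10.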