I am trying to add custom resources to establish a rule on an existing EventBridge event bus that sends events to a Cloudwatch log group, and in another variation I am creating a rule to send event bus events to an SNS topic, but am having trouble.
I am able to establish the rules, but they end up having failed invocations on deploy because (I am fairly certain) the permissions are not correct. If I update the rule in some way through the console, the rule begins to work because that procedure sets the correct policy.
Taking the case of the rule sending events to the log group, I understand what I need to do is create a resource policy like this:
```json
{
  "Statement": [
    {
      "Action": [
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Effect": "Allow",
      "Principal": {
        "Service": ["events.amazonaws.com", "delivery.logs.amazonaws.com"]
      },
      "Resource": "arn:aws:logs:region:account:log-group:/aws/events/*:*",
      "Sid": "TrustEventsToStoreLogEvent"
    }
  ],
  "Version": "2012-10-17"
}
```
(see: Using resource-based policies for Amazon EventBridge - Amazon EventBridge)
So I am attempting to do this in the custom resources section of my serverless.yaml. What I have looks like this:
```yaml
resources:
  Resources:
    ShopifyEventsLogRule:
      Type: AWS::Events::Rule
      Properties:
        Description: 'All Shopify events for environment into Cloudwatch Log'
        EventBusName: ${self:custom.environment.${self:custom.stage}.EVENT_BUS_ARN}
        EventPattern:
          source:
            - ${self:custom.environment.${self:custom.stage}.EVENT_BUS_ARN}
        Name: ShopifyEventsLogRule-${self:custom.stage}
        Targets:
          - Arn: !GetAtt ShopifyEventsLog.Arn
            Id: LogTarget
    ShopifyEventsLog:
      Type: AWS::Logs::LogGroup
      Properties:
        LogGroupName: /aws/events/shopify-events-${self:custom.stage}
    ShopifyEventsLogPolicy:
      Type: AWS::IAM::Role
      Properties:
        AssumeRolePolicyDocument:
          Version: "2012-10-17"
          Statement:
            - Effect: Allow
              Principal:
                Service:
                  - events.amazonaws.com
              Action:
                - logs:CreateLogStream
                - logs:PutLogEvents
              Resource:
                !GetAtt ShopifyEventsLog.Arn
              Sid: TrustEventBridgeEvents
```
However, when I deploy this I get an error:
```text
CREATE_FAILED: ShopifyEventsLogPolicy (AWS::IAM::Role)
Has prohibited field Resource (Service: AmazonIdentityManagement; Status Code: 400; Error Code: MalformedPolicyDocument; Request ID: 6220551f-c1dc-41da-a646-f8c41b0d9c8f; Proxy: null)
```
Does anyone here know what I may be doing wrong?
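The error arises because AssumeRolePolicyDocument is a trust policy, which has no Resource field; the permission the cited doc describes is a resource-based policy on the log group itself. The following is an added example, not code from the original post: it replaces the IAM role with an AWS::Logs::ResourcePolicy, adds the equivalent AWS::SNS::TopicPolicy for the SNS variation, and attaches both targets to one rule. The `com.shopify.events` source value and the topic resource are constructed placeholders.

```yaml
resources:
  Resources:
    ShopifyEventsLog:
      Type: AWS::Logs::LogGroup
      Properties:
        LogGroupName: /aws/events/shopify-events-${self:custom.stage}
    # Resource-based policy on the log group (what the console adds when a rule is edited)
    ShopifyEventsLogPolicy:
      Type: AWS::Logs::ResourcePolicy
      Properties:
        PolicyName: ShopifyEventsLogPolicy-${self:custom.stage}
        # PolicyDocument must be a JSON string. Fn::Join (not Fn::Sub) avoids leaving a
        # ${...} placeholder for the Serverless variable resolver; the log group's Arn
        # attribute already ends in ":*", so no suffix is appended.
        PolicyDocument: !Join
          - ''
          - - '{"Version":"2012-10-17","Statement":[{"Sid":"TrustEventsToStoreLogEvent",'
            - '"Effect":"Allow","Principal":{"Service":["events.amazonaws.com",'
            - '"delivery.logs.amazonaws.com"]},"Action":["logs:CreateLogStream",'
            - '"logs:PutLogEvents"],"Resource":"'
            - !GetAtt ShopifyEventsLog.Arn
            - '"}]}'
    # SNS variation: the topic needs its own policy allowing EventBridge to publish
    ShopifyEventsTopic:
      Type: AWS::SNS::Topic
    ShopifyEventsTopicPolicy:
      Type: AWS::SNS::TopicPolicy
      Properties:
        Topics:
          - !Ref ShopifyEventsTopic
        PolicyDocument:
          Version: "2012-10-17"
          Statement:
            - Sid: AllowEventBridgePublish
              Effect: Allow
              Principal:
                Service: events.amazonaws.com
              Action: sns:Publish
              Resource: !Ref ShopifyEventsTopic
    ShopifyEventsLogRule:
      Type: AWS::Events::Rule
      DependsOn: [ShopifyEventsLogPolicy, ShopifyEventsTopicPolicy]  # policies first, so early deliveries do not fail
      Properties:
        EventBusName: ${self:custom.environment.${self:custom.stage}.EVENT_BUS_ARN}
        EventPattern:
          source:
            - com.shopify.events   # constructed placeholder: match the events' "source" field
        Targets:
          - Arn: !GetAtt ShopifyEventsLog.Arn
            Id: LogTarget
          - Arn: !Ref ShopifyEventsTopic
            Id: SnsTarget
```

After deploying, the rule's FailedInvocations metric in CloudWatch should stay at zero without touching the rule in the console; if it still climbs, compare the log group name against the Resource in the policy, since a mismatch there is silently rejected at delivery time.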