typescript - 是否可以在不同的帐户中创建规则？

Question

使用 CDK，我尝试在不同的帐户中创建事件总线规则:

// Getting source bus ARN
const sourceBusArn = Stack.of(this).formatArn({
  region: this.region,
  service: 'events',
  account: Config.sourceAccount,
  resource: 'event-bus',
  resourceName: Config.sourceBusName,
});

// Retrieving source bus
const sourceBus = EventBus.fromEventBusArn(this, 'SourceBus', sourceBusArn);

// creating rule to forward source bus events to target buses
new Rule(this, 'CrossAccountSourceRule', {
  eventPattern: Config.eventPattern,
  eventBus: sourceBus,
  targets: [new EventBusTarget(targetBus)],
});

这里Config.sourceAccount是一个外部帐户，与正在执行的 CDK 不同。Config.sourceBusName总线存在于该帐户中，并且具有允许从同一组织中的外部帐户创建规则的策略。

但是尝试创建规则会引发异常 Event bus <bus-in-external-account> does not exist. Status Code: 400 。是否可以像这样或任何其他方式在不同的帐户中创建规则？

Answer 1

找到了解决方案。从源帐户导入总线而不是使用 EventBus.fromEventBusArn 时，请使用 EventBus.fromEventBusAttributes - 但有一个变化:传递源总线 ARN 作为总线名称和总线 ARN:

// Getting source bus ARN
const sourceBusArn = Stack.of(this).formatArn({
  region: this.region,
  service: 'events',
  account: Config.sourceAccount,
  resource: 'event-bus',
  resourceName: Config.sourceBusName,
});

// Retrieving source bus. Pass ARN both as name and Arn props.
const sourceCoreBus = EventBus.fromEventBusAttributes(this, 'SourceCoreBus', {
  eventBusName: sourceBusArn,
  eventBusArn: sourceBusArn,
  eventBusPolicy: '',
});

// creating rule to forward source bus events to target buses
new Rule(this, 'CrossAccountSourceRule', {
  eventPattern: Config.eventPattern,
  eventBus: sourceBus,
  targets: [new EventBusTarget(targetBus)],
});

这将在外部帐户中创建规则。不要忘记您尝试访问的总线必须具备所需的权限策略，例如

{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Principal":{
            "AWS":"<id-of-account-that-creates-rules>"
         },
         "Action":[
            "events:DescribeEventBus",
            "events:PutRule",
            "events:PutTargets",
            "events:DeleteRule",
            "events:RemoveTargets",
            "events:DisableRule",
            "events:EnableRule",
            "events:TagResource",
            "events:UntagResource",
            "events:DescribeRule",
            "events:ListTargetsByRule",
            "events:ListTagsForResource"
         ],
         "Resource":[
            "arn:aws:events:us-west-2:<id-of-source-account>:event-bus/<bus-name>",
            "arn:aws:events:us-west-2:<id-of-source-account>:rule/<bus-name>/*"
         ]
      }
   ]
}

更新:一些解释。上述解决方案之所以有效，是因为在底层 Rule 构造使用了 Level 1 CfnRule 构造。它的属性之一 EventBusName 可以是 bus name or ARN 。因此，当传递 ARN 而不是名称时 - 它就这样使用。生成的 CloudFormation 模板如下所示(相关片段):

  "CrossAccountSourceRuleAF67328": {
   "Type": "AWS::Events::Rule",
   "Properties": {
    "EventBusName": {
     "Fn::Join": [
      "",
      [
       "arn:",
       {
        "Ref": "AWS::Partition"
       },
       ":events:",
       {
        "Ref": "AWS::Region"
       },
       ":1234567890:event-bus/bus-name"
      ]
     ]
    },