From c546e833c3ecb784af046d6edca055cd679bac3d Mon Sep 17 00:00:00 2001 From: DaWyz Date: Fri, 5 Mar 2021 17:13:59 -0800 Subject: [PATCH 1/6] feat(events): grant putEvents to a specific eventbus --- packages/@aws-cdk/aws-events/lib/event-bus.ts | 16 ++++++++ .../aws-events/test/test.event-bus.ts | 38 +++++++++++++++++++ .../lib/event-bridge.ts | 3 +- .../test/destinations.test.ts | 7 +++- 4 files changed, 61 insertions(+), 3 deletions(-) diff --git a/packages/@aws-cdk/aws-events/lib/event-bus.ts b/packages/@aws-cdk/aws-events/lib/event-bus.ts index cd0c7f913cbf6..078c5e5577ff6 100644 --- a/packages/@aws-cdk/aws-events/lib/event-bus.ts +++ b/packages/@aws-cdk/aws-events/lib/event-bus.ts @@ -47,6 +47,14 @@ export interface IEventBus extends IResource { * @param props Properties of the archive */ archive(id: string, props: BaseArchiveProps): Archive; + + /** + * Grants an IAM Principal to send custom events to the eventBus + * so that they can be matched to rules. + * + * @param grantee The principal (no-op if undefined) + */ + grantPut(grantee: iam.IGrantable): iam.Grant; } /** @@ -137,6 +145,14 @@ abstract class EventBusBase extends Resource implements IEventBus { archiveName: props.archiveName, }); } + + public grantPut(grantee: iam.IGrantable): iam.Grant { + return iam.Grant.addToPrincipal({ + grantee, + actions: ['events:PutEvents'], + resourceArns: [this.eventBusArn], + }); + } } /** diff --git a/packages/@aws-cdk/aws-events/test/test.event-bus.ts b/packages/@aws-cdk/aws-events/test/test.event-bus.ts index 2e8434e147bb1..1b533e08c7dbe 100644 --- a/packages/@aws-cdk/aws-events/test/test.event-bus.ts +++ b/packages/@aws-cdk/aws-events/test/test.event-bus.ts 
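Review bot: The `@param grantee The principal (no-op if undefined)` line added to `IEventBus.grantPut` in the first hunk (and repeated on the `EventBusBase.grantPut` implementation in the second, whose class starts outside the hunk) does not match the signature: `grantee` is a required `iam.IGrantable`, so under strict null checks there is no undefined case and the parenthetical promises a behaviour the code never checks for. Suggest `@param grantee The principal to grant events:PutEvents on this bus to`. Since the implementation passes only `this.eventBusArn` in `resourceArns`, the summary should say so, e.g. `Permits an IAM Principal to send custom events to this event bus so that they can be matched to rules; the grant is scoped to this bus's ARN.` The same copied parenthetical reappears on the static `grantPutEvents` re-added in patch 5 and on `grantAllPutEvents` in patch 6.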
@@ -247,6 +247,44 @@ export = { test.done(); }, + 'can grant PutEvents to a specific event bus'(test: Test) { + // GIVEN + const stack = new Stack(); + const role = new iam.Role(stack, 'Role', { + assumedBy: new iam.ServicePrincipal('lambda.amazonaws.com'), + }); + + const eventBus = new EventBus(stack, 'EventBus'); + + // WHEN + eventBus.grantPut(role); + + // THEN + expect(stack).to(haveResource('AWS::IAM::Policy', { + PolicyDocument: { + Statement: [ + { + Action: 'events:PutEvents', + Effect: 'Allow', + Resource: { + 'Fn::GetAtt': [ + 'EventBus7B8748AA', + 'Arn', + ], + }, + }, + ], + Version: '2012-10-17', + }, + Roles: [ + { + Ref: 'Role1ABCC5F0', + }, + ], + })); + + test.done(); + }, 'can archive events'(test: Test) { // GIVEN const stack = new Stack(); diff --git a/packages/@aws-cdk/aws-lambda-destinations/lib/event-bridge.ts b/packages/@aws-cdk/aws-lambda-destinations/lib/event-bridge.ts index f61d8409da7bd..4581a33ae3d55 100644 --- a/packages/@aws-cdk/aws-lambda-destinations/lib/event-bridge.ts +++ b/packages/@aws-cdk/aws-lambda-destinations/lib/event-bridge.ts @@ -22,8 +22,7 @@ export class EventBridgeDestination implements lambda.IDestination { * Returns a destination configuration */ public bind(_scope: Construct, fn: lambda.IFunction, _options?: lambda.DestinationOptions): lambda.DestinationConfig { - // deduplicated automatically - events.EventBus.grantPutEvents(fn); // Cannot restrict to a specific resource + this.eventBus.grantPut(fn); return { destination: this.eventBus && this.eventBus.eventBusArn || Stack.of(fn).formatArn({ diff --git a/packages/@aws-cdk/aws-lambda-destinations/test/destinations.test.ts b/packages/@aws-cdk/aws-lambda-destinations/test/destinations.test.ts index 0f8f7d4c85254..4f32441b2c269 100644 --- a/packages/@aws-cdk/aws-lambda-destinations/test/destinations.test.ts +++ b/packages/@aws-cdk/aws-lambda-destinations/test/destinations.test.ts 
@@ -47,7 +47,12 @@ test('event bus as destination', () => { { Action: 'events:PutEvents', Effect: 'Allow', - Resource: '*', + Resource: { + 'Fn::GetAtt': [ + 'EventBus7B8748AA', + 'Arn', + ], + }, }, ], Version: '2012-10-17', From b0708659fef2b069fef1cbee7f33fa6a3d10bdc2 Mon Sep 17 00:00:00 2001 From: DaWyz Date: Fri, 5 Mar 2021 17:47:57 -0800 Subject: [PATCH 2/6] Updating README.md --- packages/@aws-cdk/aws-events/README.md | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/packages/@aws-cdk/aws-events/README.md b/packages/@aws-cdk/aws-events/README.md index 565b0537d091d..15d6fc5cb326f 100644 --- a/packages/@aws-cdk/aws-events/README.md +++ b/packages/@aws-cdk/aws-events/README.md @@ -186,3 +186,17 @@ bus.archive('MyArchive', { retention: cdk.Duration.days(365), }); ``` + +## Granting PutEvents to an existing EventBus + +To import an existing EventBus into your CDK application, use `EventBus.fromEventBusArn` or `EventBus.fromEventBusAttributes` +factory method. + +Then, you can use the `grantPut` method to grant `event:PutEvents` to the eventBus. + +```ts +const eventBus = EventBus.fromEventBusArn(this, 'ImportedEventBus', 'arn:aws:events:us-east-1:111111111:event-bus/my-event-bus'); + +// now you can just call methods on the eventbus +eventBus.grantPut(lambdaFunction); +``` \ No newline at end of file From a8a2f078c71e87ca125e72ad25ac147ab7fc02bb Mon Sep 17 00:00:00 2001 From: DaWyz Date: Fri, 5 Mar 2021 18:15:56 -0800 Subject: [PATCH 3/6] renaming method --- packages/@aws-cdk/aws-events/README.md | 6 +++--- packages/@aws-cdk/aws-events/lib/event-bus.ts | 4 ++-- packages/@aws-cdk/aws-events/test/test.event-bus.ts | 2 +- .../@aws-cdk/aws-lambda-destinations/lib/event-bridge.ts | 2 +- 4 files changed, 7 insertions(+), 7 deletions(-) diff --git a/packages/@aws-cdk/aws-events/README.md b/packages/@aws-cdk/aws-events/README.md index 15d6fc5cb326f..83aececc56740 100644 --- a/packages/@aws-cdk/aws-events/README.md 
+++ b/packages/@aws-cdk/aws-events/README.md @@ -192,11 +192,11 @@ bus.archive('MyArchive', { To import an existing EventBus into your CDK application, use `EventBus.fromEventBusArn` or `EventBus.fromEventBusAttributes` factory method. -Then, you can use the `grantPut` method to grant `event:PutEvents` to the eventBus. +Then, you can use the `grantPutEventsTo` method to grant `event:PutEvents` to the eventBus. ```ts const eventBus = EventBus.fromEventBusArn(this, 'ImportedEventBus', 'arn:aws:events:us-east-1:111111111:event-bus/my-event-bus'); // now you can just call methods on the eventbus -eventBus.grantPut(lambdaFunction); -``` \ No newline at end of file +eventBus.grantPutEventsTo(lambdaFunction); +``` diff --git a/packages/@aws-cdk/aws-events/lib/event-bus.ts b/packages/@aws-cdk/aws-events/lib/event-bus.ts index 078c5e5577ff6..dee779d0ebe2d 100644 --- a/packages/@aws-cdk/aws-events/lib/event-bus.ts +++ b/packages/@aws-cdk/aws-events/lib/event-bus.ts @@ -54,7 +54,7 @@ export interface IEventBus extends IResource { * * @param grantee The principal (no-op if undefined) */ - grantPut(grantee: iam.IGrantable): iam.Grant; + grantPutEventsTo(grantee: iam.IGrantable): iam.Grant; } /** @@ -146,7 +146,7 @@ abstract class EventBusBase extends Resource implements IEventBus { }); } - public grantPut(grantee: iam.IGrantable): iam.Grant { + public grantPutEventsTo(grantee: iam.IGrantable): iam.Grant { return iam.Grant.addToPrincipal({ grantee, actions: ['events:PutEvents'], diff --git a/packages/@aws-cdk/aws-events/test/test.event-bus.ts b/packages/@aws-cdk/aws-events/test/test.event-bus.ts index 1b533e08c7dbe..aada931b05e59 100644 --- a/packages/@aws-cdk/aws-events/test/test.event-bus.ts +++ b/packages/@aws-cdk/aws-events/test/test.event-bus.ts @@ -257,7 +257,7 @@ export = { const eventBus = new EventBus(stack, 'EventBus'); // WHEN - eventBus.grantPut(role); + eventBus.grantPutEventsTo(role); // THEN expect(stack).to(haveResource('AWS::IAM::Policy', { 
diff --git a/packages/@aws-cdk/aws-lambda-destinations/lib/event-bridge.ts b/packages/@aws-cdk/aws-lambda-destinations/lib/event-bridge.ts index 4581a33ae3d55..da4d9c0ac917c 100644 --- a/packages/@aws-cdk/aws-lambda-destinations/lib/event-bridge.ts +++ b/packages/@aws-cdk/aws-lambda-destinations/lib/event-bridge.ts @@ -22,7 +22,7 @@ export class EventBridgeDestination implements lambda.IDestination { * Returns a destination configuration */ public bind(_scope: Construct, fn: lambda.IFunction, _options?: lambda.DestinationOptions): lambda.DestinationConfig { - this.eventBus.grantPut(fn); + this.eventBus.grantPutEventsTo(fn); return { destination: this.eventBus && this.eventBus.eventBusArn || Stack.of(fn).formatArn({ From 906b608b4c2d6ca7065ae1cd78e1691c0676b191 Mon Sep 17 00:00:00 2001 From: DaWyz Date: Sat, 6 Mar 2021 12:14:21 -0800 Subject: [PATCH 4/6] Replacing static grantPutEvents method. This is a breaking change --- packages/@aws-cdk/aws-events/lib/event-bus.ts | 20 +----- .../aws-events/test/test.event-bus.ts | 34 +-------- .../lib/event-bridge.ts | 23 ++++-- .../test/destinations.test.ts | 70 ++++++------------- .../test/integ.destinations.expected.json | 21 +++++- .../test/integ.lambda-chain.expected.json | 42 ++++++++++- 6 files changed, 100 insertions(+), 110 deletions(-) diff --git a/packages/@aws-cdk/aws-events/lib/event-bus.ts b/packages/@aws-cdk/aws-events/lib/event-bus.ts index dee779d0ebe2d..2ec2cbbc64466 100644 --- a/packages/@aws-cdk/aws-events/lib/event-bus.ts +++ b/packages/@aws-cdk/aws-events/lib/event-bus.ts @@ -54,7 +54,7 @@ export interface IEventBus extends IResource { * * @param grantee The principal (no-op if undefined) */ - grantPutEventsTo(grantee: iam.IGrantable): iam.Grant; + grantPutEvents(grantee: iam.IGrantable): iam.Grant; } /** 
@@ -146,7 +146,7 @@ abstract class EventBusBase extends Resource implements IEventBus { }); } - public grantPutEventsTo(grantee: iam.IGrantable): iam.Grant { + public grantPutEvents(grantee: iam.IGrantable): iam.Grant { return iam.Grant.addToPrincipal({ grantee, actions: ['events:PutEvents'], @@ -188,22 +188,6 @@ export class EventBus extends EventBusBase { return new ImportedEventBus(scope, id, attrs); } - /** - * Permits an IAM Principal to send custom events to EventBridge - * so that they can be matched to rules. - * - * @param grantee The principal (no-op if undefined) - */ - public static grantPutEvents(grantee: iam.IGrantable): iam.Grant { - // It's currently not possible to restrict PutEvents to specific resources. - // See https://docs.aws.amazon.com/eventbridge/latest/userguide/permissions-reference-eventbridge.html - return iam.Grant.addToPrincipal({ - grantee, - actions: ['events:PutEvents'], - resourceArns: ['*'], - }); - } - private static eventBusProps(defaultEventBusName: string, props?: EventBusProps) { if (props) { const { eventBusName, eventSourceName } = props; diff --git a/packages/@aws-cdk/aws-events/test/test.event-bus.ts b/packages/@aws-cdk/aws-events/test/test.event-bus.ts index aada931b05e59..69ba3a749574f 100644 --- a/packages/@aws-cdk/aws-events/test/test.event-bus.ts +++ b/packages/@aws-cdk/aws-events/test/test.event-bus.ts 
@@ -215,38 +215,6 @@ export = { test.done(); }, - - 'can grant PutEvents'(test: Test) { - // GIVEN - const stack = new Stack(); - const role = new iam.Role(stack, 'Role', { - assumedBy: new iam.ServicePrincipal('lambda.amazonaws.com'), - }); - - // WHEN - EventBus.grantPutEvents(role); - - // THEN - expect(stack).to(haveResource('AWS::IAM::Policy', { - PolicyDocument: { - Statement: [ - { - Action: 'events:PutEvents', - Effect: 'Allow', - Resource: '*', - }, - ], - Version: '2012-10-17', - }, - Roles: [ - { - Ref: 'Role1ABCC5F0', - }, - ], - })); - - test.done(); - }, 'can grant PutEvents to a specific event bus'(test: Test) { // GIVEN const stack = new Stack(); @@ -257,7 +225,7 @@ export = { const eventBus = new EventBus(stack, 'EventBus'); // WHEN - eventBus.grantPutEventsTo(role); + eventBus.grantPutEvents(role); // THEN expect(stack).to(haveResource('AWS::IAM::Policy', { diff --git a/packages/@aws-cdk/aws-lambda-destinations/lib/event-bridge.ts b/packages/@aws-cdk/aws-lambda-destinations/lib/event-bridge.ts index da4d9c0ac917c..7c65ddcaec34b 100644 --- a/packages/@aws-cdk/aws-lambda-destinations/lib/event-bridge.ts +++ b/packages/@aws-cdk/aws-lambda-destinations/lib/event-bridge.ts 
@@ -22,14 +22,25 @@ export class EventBridgeDestination implements lambda.IDestination { * Returns a destination configuration */ public bind(_scope: Construct, fn: lambda.IFunction, _options?: lambda.DestinationOptions): lambda.DestinationConfig { - this.eventBus.grantPutEventsTo(fn); + if (this.eventBus) { + this.eventBus.grantPutEvents(fn); + + return { + destination: this.eventBus.eventBusArn, + }; + } + + const existingDefaultEventBus = _scope.node.tryFindChild('DefaultEventBus'); + let eventBus = (existingDefaultEventBus as events.EventBus) || events.EventBus.fromEventBusArn(_scope, 'DefaultEventBus', Stack.of(fn).formatArn({ + service: 'events', + resource: 'event-bus', + resourceName: 'default', + })); + + eventBus.grantPutEvents(fn); return { - destination: this.eventBus && this.eventBus.eventBusArn || Stack.of(fn).formatArn({ - service: 'events', - resource: 'event-bus', - resourceName: 'default', - }), + destination: eventBus.eventBusArn, }; } } diff --git a/packages/@aws-cdk/aws-lambda-destinations/test/destinations.test.ts b/packages/@aws-cdk/aws-lambda-destinations/test/destinations.test.ts index 4f32441b2c269..70dda9ef43893 100644 --- a/packages/@aws-cdk/aws-lambda-destinations/test/destinations.test.ts +++ b/packages/@aws-cdk/aws-lambda-destinations/test/destinations.test.ts 
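Review bot: The default-bus fallback in `bind` casts `_scope.node.tryFindChild('DefaultEventBus')` to `events.EventBus`, but what that id holds (when it exists) is the `IEventBus` returned by `fromEventBusArn` a few lines below, and should an unrelated construct with that id ever sit under the scope, the cast hides it until `grantPutEvents` fails at runtime. Declaring the binding with the interface type keeps the compiler honest and `let` is never reassigned: `const eventBus: events.IEventBus = (existingDefaultEventBus as events.IEventBus | undefined) ?? events.EventBus.fromEventBusArn(_scope, 'DefaultEventBus', Stack.of(fn).formatArn({`. The first parameter is now read, so it should lose its unused prefix: `public bind(scope: Construct, fn: lambda.IFunction, _options?: lambda.DestinationOptions): lambda.DestinationConfig {`. A one-line comment above the `tryFindChild` call, such as `// Import the default bus once per scope so the PutEvents grant is scoped to its ARN rather than '*'`, would record why the fixed child id exists.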
@@ -60,55 +60,6 @@ test('event bus as destination', () => { }); }); -test('event bus as destination defaults to default event bus', () => { - // WHEN - new lambda.Function(stack, 'Function', { - ...lambdaProps, - onSuccess: new destinations.EventBridgeDestination(), - }); - - // THEN - expect(stack).toHaveResource('AWS::Lambda::EventInvokeConfig', { - DestinationConfig: { - OnSuccess: { - Destination: { - 'Fn::Join': [ - '', - [ - 'arn:', - { - Ref: 'AWS::Partition', - }, - ':events:', - { - Ref: 'AWS::Region', - }, - ':', - { - Ref: 'AWS::AccountId', - }, - ':event-bus/default', - ], - ], - }, - }, - }, - }); - - expect(stack).toHaveResource('AWS::IAM::Policy', { - PolicyDocument: { - Statement: [ - { - Action: 'events:PutEvents', - Effect: 'Allow', - Resource: '*', - }, - ], - Version: '2012-10-17', - }, - }); -}); - test('lambda as destination', () => { // GIVEN const successLambda = new lambda.Function(stack, 'SuccessFunction', lambdaProps); @@ -220,7 +171,26 @@ test('lambda payload as destination', () => { { Action: 'events:PutEvents', Effect: 'Allow', - Resource: '*', + Resource: { + 'Fn::Join': [ + '', + [ + 'arn:', + { + Ref: 'AWS::Partition', + }, + ':events:', + { + Ref: 'AWS::Region', + }, + ':', + { + Ref: 'AWS::AccountId', + }, + ':event-bus/default', + ], + ], + }, }, ], Version: '2012-10-17', diff --git a/packages/@aws-cdk/aws-lambda-destinations/test/integ.destinations.expected.json b/packages/@aws-cdk/aws-lambda-destinations/test/integ.destinations.expected.json index 510fe8cef21a8..009327c46da7e 100644 --- a/packages/@aws-cdk/aws-lambda-destinations/test/integ.destinations.expected.json +++ b/packages/@aws-cdk/aws-lambda-destinations/test/integ.destinations.expected.json 
@@ -219,7 +219,26 @@ { "Action": "events:PutEvents", "Effect": "Allow", - "Resource": "*" + "Resource": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":events:", + { + "Ref": "AWS::Region" + }, + ":", + { + "Ref": "AWS::AccountId" + }, + ":event-bus/default" + ] + ] + } }, { "Action": "lambda:InvokeFunction", diff --git a/packages/@aws-cdk/aws-lambda-destinations/test/integ.lambda-chain.expected.json b/packages/@aws-cdk/aws-lambda-destinations/test/integ.lambda-chain.expected.json index 5fc64df8417f3..5fc2d65b80387 100644 --- a/packages/@aws-cdk/aws-lambda-destinations/test/integ.lambda-chain.expected.json +++ b/packages/@aws-cdk/aws-lambda-destinations/test/integ.lambda-chain.expected.json @@ -39,7 +39,26 @@ { "Action": "events:PutEvents", "Effect": "Allow", - "Resource": "*" + "Resource": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":events:", + { + "Ref": "AWS::Region" + }, + ":", + { + "Ref": "AWS::AccountId" + }, + ":event-bus/default" + ] + ] + } } ], "Version": "2012-10-17" @@ -289,7 +308,26 @@ { "Action": "events:PutEvents", "Effect": "Allow", - "Resource": "*" + "Resource": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":events:", + { + "Ref": "AWS::Region" + }, + ":", + { + "Ref": "AWS::AccountId" + }, + ":event-bus/default" + ] + ] + } } ], "Version": "2012-10-17" From 6533ffacf4ec3f929fac44e42e05c7962b2a0055 Mon Sep 17 00:00:00 2001 From: DaWyz Date: Sat, 6 Mar 2021 12:22:47 -0800 Subject: [PATCH 5/6] Removing breaking change as it's a stable module --- packages/@aws-cdk/aws-events/lib/event-bus.ts | 20 +++++++++-- .../aws-events/test/test.event-bus.ts | 34 ++++++++++++++++++- .../lib/event-bridge.ts | 4 +-- 3 files changed, 53 insertions(+), 5 deletions(-) diff --git a/packages/@aws-cdk/aws-events/lib/event-bus.ts b/packages/@aws-cdk/aws-events/lib/event-bus.ts index 2ec2cbbc64466..dee779d0ebe2d 100644 --- a/packages/@aws-cdk/aws-events/lib/event-bus.ts 
+++ b/packages/@aws-cdk/aws-events/lib/event-bus.ts @@ -54,7 +54,7 @@ export interface IEventBus extends IResource { * * @param grantee The principal (no-op if undefined) */ - grantPutEvents(grantee: iam.IGrantable): iam.Grant; + grantPutEventsTo(grantee: iam.IGrantable): iam.Grant; } /** @@ -146,7 +146,7 @@ abstract class EventBusBase extends Resource implements IEventBus { }); } - public grantPutEvents(grantee: iam.IGrantable): iam.Grant { + public grantPutEventsTo(grantee: iam.IGrantable): iam.Grant { return iam.Grant.addToPrincipal({ grantee, actions: ['events:PutEvents'], @@ -188,6 +188,22 @@ export class EventBus extends EventBusBase { return new ImportedEventBus(scope, id, attrs); } + /** + * Permits an IAM Principal to send custom events to EventBridge + * so that they can be matched to rules. + * + * @param grantee The principal (no-op if undefined) + */ + public static grantPutEvents(grantee: iam.IGrantable): iam.Grant { + // It's currently not possible to restrict PutEvents to specific resources. + // See https://docs.aws.amazon.com/eventbridge/latest/userguide/permissions-reference-eventbridge.html + return iam.Grant.addToPrincipal({ + grantee, + actions: ['events:PutEvents'], + resourceArns: ['*'], + }); + } + private static eventBusProps(defaultEventBusName: string, props?: EventBusProps) { if (props) { const { eventBusName, eventSourceName } = props; diff --git a/packages/@aws-cdk/aws-events/test/test.event-bus.ts b/packages/@aws-cdk/aws-events/test/test.event-bus.ts index 69ba3a749574f..aada931b05e59 100644 --- a/packages/@aws-cdk/aws-events/test/test.event-bus.ts +++ b/packages/@aws-cdk/aws-events/test/test.event-bus.ts 
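Review bot: The re-added static `grantPutEvents` in the `@@ -188` hunk keeps the comment `// It's currently not possible to restrict PutEvents to specific resources.`, which this series itself contradicts: `EventBusBase.grantPutEventsTo` in the hunk just above scopes the same action to `this.eventBusArn`. Left as is, the comment steers new callers toward the `resourceArns: ['*']` grant when a narrower one is available. Suggest replacing it with `// Grants PutEvents on every bus ('*'); prefer IEventBus.grantPutEventsTo when the target bus is known.` and dropping the stale documentation link sentence, or updating it to say what the link no longer supports.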
@@ -215,6 +215,38 @@ export = { test.done(); }, + + 'can grant PutEvents'(test: Test) { + // GIVEN + const stack = new Stack(); + const role = new iam.Role(stack, 'Role', { + assumedBy: new iam.ServicePrincipal('lambda.amazonaws.com'), + }); + + // WHEN + EventBus.grantPutEvents(role); + + // THEN + expect(stack).to(haveResource('AWS::IAM::Policy', { + PolicyDocument: { + Statement: [ + { + Action: 'events:PutEvents', + Effect: 'Allow', + Resource: '*', + }, + ], + Version: '2012-10-17', + }, + Roles: [ + { + Ref: 'Role1ABCC5F0', + }, + ], + })); + + test.done(); + }, 'can grant PutEvents to a specific event bus'(test: Test) { // GIVEN const stack = new Stack(); @@ -225,7 +257,7 @@ export = { const eventBus = new EventBus(stack, 'EventBus'); // WHEN - eventBus.grantPutEvents(role); + eventBus.grantPutEventsTo(role); // THEN expect(stack).to(haveResource('AWS::IAM::Policy', { diff --git a/packages/@aws-cdk/aws-lambda-destinations/lib/event-bridge.ts b/packages/@aws-cdk/aws-lambda-destinations/lib/event-bridge.ts index 7c65ddcaec34b..9cdcc5c86a83b 100644 --- a/packages/@aws-cdk/aws-lambda-destinations/lib/event-bridge.ts +++ b/packages/@aws-cdk/aws-lambda-destinations/lib/event-bridge.ts @@ -23,7 +23,7 @@ export class EventBridgeDestination implements lambda.IDestination { */ public bind(_scope: Construct, fn: lambda.IFunction, _options?: lambda.DestinationOptions): lambda.DestinationConfig { if (this.eventBus) { - this.eventBus.grantPutEvents(fn); + this.eventBus.grantPutEventsTo(fn); return { destination: this.eventBus.eventBusArn, @@ -37,7 +37,7 @@ export class EventBridgeDestination implements lambda.IDestination { resourceName: 'default', })); - eventBus.grantPutEvents(fn); + eventBus.grantPutEventsTo(fn); return { destination: eventBus.eventBusArn, From d342bb522fcf946da0d6d05532b7caf81d5b40d8 Mon Sep 17 00:00:00 2001 
From: DaWyz Date: Mon, 8 Mar 2021 17:03:28 -0800 Subject: [PATCH 6/6] Deprecate static grantPutEvent method --- packages/@aws-cdk/aws-events/lib/event-bus.ts | 15 +++++++++ .../aws-events/test/test.event-bus.ts | 32 +++++++++++++++++++ 2 files changed, 47 insertions(+) diff --git a/packages/@aws-cdk/aws-events/lib/event-bus.ts b/packages/@aws-cdk/aws-events/lib/event-bus.ts index dee779d0ebe2d..f3125499369b3 100644 --- a/packages/@aws-cdk/aws-events/lib/event-bus.ts +++ b/packages/@aws-cdk/aws-events/lib/event-bus.ts @@ -193,6 +193,7 @@ export class EventBus extends EventBusBase { * so that they can be matched to rules. * * @param grantee The principal (no-op if undefined) + * @deprecated use grantAllPutEvents instead */ public static grantPutEvents(grantee: iam.IGrantable): iam.Grant { // It's currently not possible to restrict PutEvents to specific resources. @@ -204,6 +205,20 @@ export class EventBus extends EventBusBase { }); } + /** + * Permits an IAM Principal to send custom events to EventBridge + * so that they can be matched to rules. + * + * @param grantee The principal (no-op if undefined) + */ + public static grantAllPutEvents(grantee: iam.IGrantable): iam.Grant { + return iam.Grant.addToPrincipal({ + grantee, + actions: ['events:PutEvents'], + resourceArns: ['*'], + }); + } + private static eventBusProps(defaultEventBusName: string, props?: EventBusProps) { if (props) { const { eventBusName, eventSourceName } = props; diff --git a/packages/@aws-cdk/aws-events/test/test.event-bus.ts b/packages/@aws-cdk/aws-events/test/test.event-bus.ts index aada931b05e59..67637c0c19536 100644 --- a/packages/@aws-cdk/aws-events/test/test.event-bus.ts +++ b/packages/@aws-cdk/aws-events/test/test.event-bus.ts 
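Review bot: The `@deprecated use grantAllPutEvents instead` tag in the first hunk points callers at a method that, per the second hunk, is a straight rename of the deprecated one (both pass `resourceArns: ['*']`), so the deprecation message never mentions the resource-scoped alternative this PR adds. Suggest `@deprecated use grantAllPutEvents, or IEventBus.grantPutEventsTo when the target bus is known`. The new `grantAllPutEvents` docstring should also name its scope so a reader can pick the right one, e.g. `Permits an IAM Principal to send custom events to any EventBridge event bus (resource '*') so that they can be matched to rules.` The `(no-op if undefined)` parenthetical is again copied onto a required `iam.IGrantable` parameter and should go.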
@@ -247,6 +247,38 @@ export = { test.done(); }, + + 'can grant PutEvents using grantAllPutEvents'(test: Test) { + // GIVEN + const stack = new Stack(); + const role = new iam.Role(stack, 'Role', { + assumedBy: new iam.ServicePrincipal('lambda.amazonaws.com'), + }); + + // WHEN + EventBus.grantAllPutEvents(role); + + // THEN + expect(stack).to(haveResource('AWS::IAM::Policy', { + PolicyDocument: { + Statement: [ + { + Action: 'events:PutEvents', + Effect: 'Allow', + Resource: '*', + }, + ], + Version: '2012-10-17', + }, + Roles: [ + { + Ref: 'Role1ABCC5F0', + }, + ], + })); + + test.done(); + }, 'can grant PutEvents to a specific event bus'(test: Test) { // GIVEN const stack = new Stack();