aws-events: Cannot grant `putEvents` to Service Principals

[arcrank]

Describe the bug

When trying to grantPutEventsTo an AWS SP, there is a no-op, and no warnings or errors. I would expect if we added a grant to a iam.ServicePrincipal that the underlying grant/policy would be created. We can add an SP to the event bus in the console. Tracing back code I myself didn't necessary find a place where this would have failed, or I would have expected if this was not possible to give a failure message.

Expected Behavior

I would expect the template to have grant policies attached. If for some reason you weren't allowed to add SPs, I would expect a failure message and error.

Current Behavior

Nothing is logged to the terminal when synthing the template snippet is

 "Resources": {
  "bus707364D1": {
   "Type": "AWS::Events::EventBus",
   "Properties": {
    "Name": "MyCustomEventBus"
   },
   "Metadata": {
    "aws:cdk:path": "xxx/bus/Resource"
   }
  },
  "busMyArchiveF1010141": {
   "Type": "AWS::Events::Archive",
   "Properties": {
    "SourceArn": {
     "Fn::GetAtt": [
      "bus707364D1",
      "Arn"
     ]
    },
    "ArchiveName": "MyCustomEventBusArchive",
    "Description": "MyCustomerEventBus Archive",
    "EventPattern": {
     "account": [
      "264988854622"
     ]
    },
    "RetentionDays": 365
   },

Reproduction Steps

    const bus = new events.EventBus(this, 'bus', {
      eventBusName: 'MyCustomEventBus'
    });
    
    bus.archive('MyArchive', {
      archiveName: 'MyCustomEventBusArchive',
      description: 'MyCustomerEventBus Archive',
      eventPattern: {
        account: [cdk.Stack.of(this).account],
      },
      retention: cdk.Duration.days(365),
    });

    bus.grantPutEventsTo(new iam.ServicePrincipal('lambda.amazonaws.com'));

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.23.0

Framework Version

No response

Node.js Version

14

OS

MacOs/Linux

Language

Typescript

Language Version

No response

Other information

No response

[rix0rrr]

This should have worked the way you said. Investigation is required.

[pgarbe]

It also does not work for a cross-account scenario. The grantPutEventsTo function wants to add the permission to the grantee. It doesn't fail but also nothing will be synthesized. In that case it would need to add an EventBusPolicy to the event bus.

Example:

const eventBus = new cdk.aws_events.EventBus(this, 'Bus');
eventBus.grantPutEventsTo(new cdk.aws_iam.AccountPrincipal('123456789012'));

Workaround (from StackOverflow):

const eventBus = new cdk.aws_events.EventBus(this, 'Bus');
new cdk.aws_events.CfnEventBusPolicy(this, 'XAccountPolicy', {
    statementId: 'AllowXAccountPushEvents',
    action: 'events:PutEvents',
    eventBusName: eventBus.eventBusName,
    principal: '123456789012,
});

Any recommendation @rix0rrr how this should be implemented? Not sure if grantPutEventsTo should create that policy as it would break the pattern. But it should at least fail.

[Isaac-Kleinman]

It seems like the fix for this would be for grantPutEvents() to use iam.Grant.addToPrincipalOrResource() instead of iam.Grant.addToPrincipal().

[hassaku63]

If what you want to do is that put EventBusPolicy to your custom EventBus, it seems currently L2 construct not support this use case. Needs to use CfnEventBusPolicy (same as this comments indicates).

(Below is my idea about how this use case could be implemented..)

According to other service that has resouce based policy such as SNS and SQS, service specific (resource based) Policy class is available and service class provides "addToResourcePolicy()" method.

e.x) addToResourcePolicy method in Topic class and TopicPolicy class

• https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sns.Topic.html#addwbrtowbrresourcewbrpolicystatement
• https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sns.TopicPolicy.html

All AWS resources that support resource policies have a method called addToResourcePolicy(), which will automatically create a new resource policy if one doesn't exist yet, otherwise it will add to the existing policy.

Follow the above, like SNS and SQS, I think it would be a good idea to provide an addToResourcePolicy method for EventBus.

[trondhindenes]

Looks like this is a bug for several IGrantable types. I'm trying:

        self.ec2_events_receiver_bus = aws_events.EventBus(
            self,
            "receiverBus",
            event_bus_name="org-ec2-events",

        )
        self.ec2_events_receiver_bus.grant_all_put_events(
           aws_iam.OrganizationPrincipal(organization_id="myorg")
        )

But that also results in no changes. I'll use resource policy for now, but it would be awesome if this worked as intended.

[areller]

It also does not work for a cross-account scenario. The grantPutEventsTo function wants to add the permission to the grantee. It doesn't fail but also nothing will be synthesized. In that case it would need to add an EventBusPolicy to the event bus.

Example:

const eventBus = new cdk.aws_events.EventBus(this, 'Bus');
eventBus.grantPutEventsTo(new cdk.aws_iam.AccountPrincipal('123456789012'));

Workaround (from StackOverflow):

const eventBus = new cdk.aws_events.EventBus(this, 'Bus');
new cdk.aws_events.CfnEventBusPolicy(this, 'XAccountPolicy', {
    statementId: 'AllowXAccountPushEvents',
    action: 'events:PutEvents',
    eventBusName: eventBus.eventBusName,
    principal: '123456789012,
});

Any recommendation @rix0rrr how this should be implemented? Not sure if grantPutEventsTo should create that policy as it would break the pattern. But it should at least fail.

is there a workaround like this that works with service principals? @pgarbe

Edit:

This

const policyStatementId = `...`;
const policyStatement = new PolicyStatement({
  sid: policyStatementId,
  effect: Effect.ALLOW,
  actions: ['events:PutEvents'],
  resources: [eventsBus.eventBusArn],
  principals: [new ServicePrincipal(`...`)],
});

new CfnEventBusPolicy(this, policyStatementId, {
  statementId: policyStatementId,
  statement: policyStatement.toStatementJson(),
  eventBusName: `...`,
});

worked for me