AWS::Events::Rule RoleArn Property not used for target invoke?
Name of the resource
AWS::Events::Rule
Resource Name
AWS::Events::Rule
Issue Description
AWS::Events::Rule RoleArn Property
Background
I am opening up this issue off the back of a pull request opened within the aws-cloudformation-user-guide repo. The pull request is "Change AWS::Events::Rule Target RoleArn property to 'Conditional' #1178".
The below comment was made by maintainer Patrick Rachford:
This does look like an issue – to report issues with the resources and properties defined in the Resource Spec – you can open an issue here: https://github.com/aws-cloudformation/cloudformation-coverage-roadmap/issues
That will allow the Event and CloudFormation devs to take a look at the underlying issue. I'll keep this doc PR open for kinclay to approve/merge/close. Thanks again for the deep dive.
Problem Overview
The docs define RoleArn as
The Amazon Resource Name (ARN) of the role that is used for target invocation.
This gives me the impression that the defined RoleArn will be used to invoke the respective targets (defined under the Targets property).
So let's define a role called Role_X:
Assuming that Role_X has the required policies assigned, is it safe for us to say that Role_X will be used to invoke the respective target(s)? In other words, assuming correct permissions, if we do not define a target specific role (i.e. events-rule-target-rolearn) then Role_X (i.e. the events-rule-rolearn) will be successfully used for invocation of targets.
With that being said, I've observed that when defining the events-rule-rolearn, CloudFormation throws the following error:
RoleArn is required for target arn:aws:codebuild:af-south-1:00000000:project/codebuild-project-1. (Service: AmazonCloudWatchEvents; Status Code: 400; Error Code: ValidationException; Request ID: XXXXXX-XXXX-XXXX-XXXX-XXXXXXXX; Proxy: null)
As mentioned in the pull request ("Change AWS::Events::Rule Target RoleArn property to 'Conditional' #1178"), the error was only resolved after setting the target-specific RoleArn, events-rule-target-rolearn, under the Target definition. Defining the events-rule-rolearn seemed to have no effect on the error. It is also important to note that in my test case, I am only defining one target for invocation. For the full explanation of how I fixed the error, please see my pull request comment.
Expected Behavior
When I define the events-rule-rolearn RoleArn, the specified Role should be used by the Events Resource to invoke the defined target(s).
In the case below, the MyEventBridgeEventRuleTargetRole should be used by the MyEventBridgeEventRule resource to invoke the defined CodeBuild target.
```yaml
MyEventBridgeEventRule:
  Type: AWS::Events::Rule
  Properties:
    Name: MyEventBridgeEventRule
    Description: EventBridge Event Rule Description
    RoleArn: arn:aws:iam::00000000:role/MyEventBridgeEventRuleTargetRole
    Targets:
      - Arn: arn:aws:codebuild:af-south-1:000000000:project/c_build
        Id: unique-target-id-to-invoke
    EventPattern: ...
    # ...
```
Observed Behavior
The CloudFormation stack creation process throws the following error:
RoleArn is required for target arn:aws:codebuild:af-south-1:00000000:project/codebuild-project-1. (Service: AmazonCloudWatchEvents; Status Code: 400; Error Code: ValidationException; Request ID: XXXXXX-XXXX-XXXX-XXXX-XXXXXXXX; Proxy: null)
Test Cases
Below is a CloudFormation template which yields the above error.
```yaml
---
AWSTemplateFormatVersion: 2010-09-09
Description: |
  Cloudformation EventBridge Event Rule Error.
  Error:
    RoleArn is required for target arn:aws:codebuild:af-south-1:00000000:project/codebuild-project-1.
    (Service: AmazonCloudWatchEvents; Status Code: 400; Error Code: ValidationException;
    Request ID: XXXXXX-XXXX-XXXX-XXXX-XXXXXXXX; Proxy: null)
  Assumptions:
    - There exists a CodeBuild Project
    - There exists an EventBridge Event Role with the permission to run codebuild.
    - The role should:
      - Allow for events.amazonaws.com to assume the role
      - Allow events.amazonaws.com to invoke and run codebuild
Parameters:
  # CodeBuild
  CodeBuildProjectName:
    Default: aws-cb-event-trgt
    Description: The AWS CodeBuild Event Target Project Name.
    Type: String
    MinLength: "1"
  CodeBuildProjectArn:
    Default: arn:aws:codebuild:af-south-1:00000000:project/codebuild-project-1
    Description: The AWS CodeBuild Event Target Project ARN.
    Type: String
    MinLength: "1"
  # EventBridgeEvent
  EventBridgeEventRoleArn:
    Default: arn:aws:iam::00000000:role/CWEventBridgeCodeBuildTargetRole
    Description: The AWS CloudWatch (EventBridge) Event RoleArn.
    Type: String
    MinLength: "1"
Resources:
  MyEventBridgeEventRule:
    Type: AWS::Events::Rule
    Properties:
      Name: MyEventBridgeEventRule
      Description: Cloudwatch (EventBridge) Event Rule for triggering CodeBuild based on schedule.
      RoleArn: !Ref EventBridgeEventRoleArn
      ScheduleExpression: "rate(5 minutes)"
      State: ENABLED
      Targets:
        - Arn: !Ref CodeBuildProjectArn
          Id: !Sub "trgt-${CodeBuildProjectName}"
```
Other Details
For background, please see pull request "Change AWS::Events::Rule Target RoleArn property to 'Conditional' #1178" within the aws-cloudformation-user-guide repo.
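A template that resolves the ValidationException, as an added example that is not part of the issue or any template posted in it: the role is referenced from the target-level RoleArn rather than the rule-level one, and the role itself is kept to least privilege (trust policy limited to events.amazonaws.com, permission limited to codebuild:StartBuild on the single project ARN). The role name, target Id and the 12-digit account number are placeholders.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Scheduled EventBridge rule that starts one CodeBuild project (added example, not from the issue).
Parameters:
  CodeBuildProjectArn:
    Type: String
    Description: ARN of an existing CodeBuild project (placeholder account id).
    Default: arn:aws:codebuild:af-south-1:000000000000:project/codebuild-project-1
Resources:
  # Hypothetical role name. Trust is restricted to EventBridge and the
  # permission to the one action and the one project the rule needs.
  EventsInvokeCodeBuildRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: events.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: StartCodeBuildProject
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action: codebuild:StartBuild
                Resource: !Ref CodeBuildProjectArn
  MyEventBridgeEventRule:
    Type: AWS::Events::Rule
    Properties:
      Name: MyEventBridgeEventRule
      ScheduleExpression: "rate(5 minutes)"
      State: ENABLED
      # No rule-level RoleArn: for this target EventBridge validates the
      # RoleArn inside the Target structure, so the role goes there.
      Targets:
        - Arn: !Ref CodeBuildProjectArn
          Id: codebuild-target
          RoleArn: !GetAtt EventsInvokeCodeBuildRole.Arn
```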
I cannot create an event bridge rule due to the same error. Is this issue still unresolved?
Sorry, I misunderstood. I can create it by adding "RoleArn" under "Target:"
```yaml
Targets:
  - Arn: !GetAtt EventBridgeApiDestination.Arn
    Id: !Sub ${AWS::StackName}-Rule
    RoleArn: !GetAtt IamRole.Arn
```
You are correct, just encountered this issue myself and this post helped me very much! The thing is that the RoleArn is optional and not marked as required.
Hi @LJArendse. Are you still experiencing this issue? One thing to note, as per the documentation:
If you're setting an event bus in another account as the target and that account granted permission to your account through an organization instead of directly by the account ID, you must specify a RoleArn with proper permissions in the Target structure, instead of here in this parameter.