Awesome
AWS EventBridge Terraform module
Terraform module to create EventBridge resources.
Supported Features
- Creates AWS EventBridge Resources (bus, rules, targets, permissions, connections, destinations, pipes, schedules and schedule groups)
- Attach resources to an existing EventBridge bus
- Support AWS EventBridge Archives and Replays
- Conditional creation for many types of resources
- Support IAM policy attachments and various ways to create and attach additional policies
Usage
EventBridge Complete
Most common use-case which creates custom bus, rules and targets.
module "eventbridge" {
source = "terraform-aws-modules/eventbridge/aws"
bus_name = "my-bus"
rules = {
orders = {
description = "Capture all order data"
event_pattern = jsonencode({ "source" : ["myapp.orders"] })
enabled = true
}
}
targets = {
orders = [
{
name = "send-orders-to-sqs"
arn = aws_sqs_queue.queue.arn
dead_letter_arn = aws_sqs_queue.dlq.arn
},
{
name = "send-orders-to-kinesis"
arn = aws_kinesis_stream.this.arn
dead_letter_arn = aws_sqs_queue.dlq.arn
input_transformer = local.kinesis_input_transformer
},
{
name = "log-orders-to-cloudwatch"
arn = aws_cloudwatch_log_group.this.arn
}
]
}
tags = {
Name = "my-bus"
}
}
EventBridge Bus
module "eventbridge" {
source = "terraform-aws-modules/eventbridge/aws"
bus_name = "my-bus"
tags = {
Name = "my-bus"
}
}
EventBridge Rule
module "eventbridge" {
source = "terraform-aws-modules/eventbridge/aws"
bus_name = "my-bus"
create_targets = false
rules = {
logs = {
description = "Capture log data"
event_pattern = jsonencode({ "source" : ["my.app.logs"] })
}
}
}
EventBridge Target
module "eventbridge" {
source = "terraform-aws-modules/eventbridge/aws"
bus_name = "my-bus"
rules = {
logs = {
description = "Capture log data"
event_pattern = jsonencode({ "source" : ["my.app.logs"] })
}
}
targets = {
logs = [
{
name = "send-logs-to-sqs"
arn = aws_sqs_queue.queue.arn
},
{
name = "send-logs-to-cloudwatch"
arn = aws_cloudwatch_log_stream.logs.arn
}
]
}
}
EventBridge Archive
module "eventbridge_with_archive" {
source = "terraform-aws-modules/eventbridge/aws"
bus_name = "my-bus"
create_archives = true
archives = {
"my-bus-launch-archive" = {
description = "EC2 AutoScaling Event archive",
retention_days = 1
event_pattern = <<PATTERN
{
"source": ["aws.autoscaling"],
"detail-type": ["EC2 Instance Launch Successful"]
}
PATTERN
}
}
tags = {
Name = "my-bus"
}
}
EventBridge Permission
module "eventbridge_with_permissions" {
source = "terraform-aws-modules/eventbridge/aws"
bus_name = "my-bus"
create_permissions = true
permissions = {
"099720109477 DevAccess" = {}
"099720109466 ProdAccess" = {}
}
tags = {
Name = "my-bus"
}
}
EventBridge with schedule rule and Lambda target
module "eventbridge" {
source = "terraform-aws-modules/eventbridge/aws"
create_bus = false
rules = {
crons = {
description = "Trigger for a Lambda"
schedule_expression = "rate(5 minutes)"
}
}
targets = {
crons = [
{
name = "lambda-loves-cron"
arn = "arn:aws:lambda:ap-southeast-1:135367859851:function:resolved-penguin-lambda"
input = jsonencode({"job": "cron-by-rate"})
}
]
}
}
EventBridge with schedule rule and Step Functions target
module "eventbridge" {
source = "terraform-aws-modules/eventbridge/aws"
create_bus = false
rules = {
crons = {
description = "Run state machine everyday 10:00 UTC"
schedule_expression = "cron(0 10 * * ? *)"
}
}
targets = {
crons = [
{
name = "your-awesome-state-machine"
arn = "arn:aws:states:us-east-1:123456789012:stateMachine:your-awesome-state-machine"
attach_role_arn = true
}
]
}
sfn_target_arns = ["arn:aws:states:us-east-1:123456789012:stateMachine:your-awesome-state-machine"]
attach_sfn_policy = true
}
EventBridge Scheduler which triggers Lambda Function
module "eventbridge" {
source = "terraform-aws-modules/eventbridge/aws"
bus_name = "example" # "default" bus already support schedule_expression in rules
attach_lambda_policy = true
lambda_target_arns = ["arn:aws:lambda:us-east-1:135367859851:function:resolved-penguin-lambda"]
schedules = {
lambda-cron = {
description = "Trigger for a Lambda"
schedule_expression = "rate(1 day)"
timezone = "Europe/London"
arn = "arn:aws:lambda:us-east-1:135367859851:function:resolved-penguin-lambda"
input = jsonencode({ "job" : "cron-by-rate" })
}
}
}
EventBridge API Destination
module "eventbridge_with_api_destination" {
source = "terraform-aws-modules/eventbridge/aws"
bus_name = "my-bus"
create_connections = true
create_api_destinations = true
attach_api_destination_policy = true
connections = {
smee = {
authorization_type = "OAUTH_CLIENT_CREDENTIALS"
auth_parameters = {
oauth = {
authorization_endpoint = "https://oauth.endpoint.com"
http_method = "GET"
client_parameters = {
client_id = "1234567890"
client_secret = "Pass1234!"
}
oauth_http_parameters = {
body = [{
key = "body-parameter-key"
value = "body-parameter-value"
is_value_secret = false
}]
header = [{
key = "header-parameter-key1"
value = "header-parameter-value1"
}, {
key = "header-parameter-key2"
value = "header-parameter-value2"
is_value_secret = true
}]
query_string = [{
key = "query-string-parameter-key"
value = "query-string-parameter-value"
is_value_secret = false
}]
}
}
}
}
}
api_destinations = {
smee = {
description = "my smee endpoint"
invocation_endpoint = "https://smee.io/hgoubgoibwekt331"
http_method = "POST"
invocation_rate_limit_per_second = 200
}
}
}
Additional IAM policies for Step Function
In addition to all supported AWS service integrations you may want to create and attach additional policies.
There are 5 supported ways to attach additional IAM policies to IAM role used by Step Function:
policy_json- JSON string or heredoc, whenattach_policy_json = true.policy_jsons- List of JSON strings or heredoc, whenattach_policy_jsons = trueandnumber_of_policy_jsons > 0.policy- ARN of existing IAM policy, whenattach_policy = true.policies- List of ARNs of existing IAM policies, whenattach_policies = trueandnumber_of_policies > 0.policy_statements- Map of maps to define IAM statements which will be generated as IAM policy. Requiresattach_policy_statements = true. Seeexamples/completefor more information.
Conditional creation
Sometimes you need to have a way to create resources conditionally but Terraform does not allow usage of count inside module block, so the solution is to specify create arguments.
module "eventbridge" {
source = "terraform-aws-modules/eventbridge/aws"
create = false # to disable all resources
create_bus = false # to control creation of the EventBridge Bus and related resources
create_rules = false # to control creation of EventBridge Rules and related resources
create_targets = false # to control creation of EventBridge Targets and related resources
create_archives = false # to control creation of EventBridge Archives
create_permissions = false # to control creation of EventBridge Permissions
create_role = false # to control creation of the IAM role and policies required for EventBridge
create_connections = false # to control creation of EventBridge Connection resources
create_api_destinations = false # to control creation of EventBridge Destination resources
create_schedule_groups = false # to control creation of EventBridge Schedule Group resources
create_schedules = false # to control creation of EventBridge Schedule resources
create_pipes = false # to control creation of EventBridge Pipes resources
attach_cloudwatch_policy = false
attach_ecs_policy = false
attach_kinesis_policy = false
attach_kinesis_firehose_policy = false
attach_lambda_policy = false
attach_sfn_policy = false
attach_sqs_policy = false
attach_tracing_policy = false
attach_api_destination_policy = false
# ... omitted
}
Examples
- Complete - Creates EventBridge resources (bus, rules and targets) and connect with SQS queues, Kinesis Stream, Step Function, CloudWatch Logs, Lambda Functions, and more.
- HTTP API Gateway - Creates an integration with HTTP API Gateway as event source.
- Using Default Bus - Creates resources in the
defaultbus. - Archive - EventBridge Archives resources in various configurations.
- Permissions - Controls permissions to EventBridge.
- Scheduler - EventBridge Scheduler which works with any bus (recommended way).
- ECS Scheduling Events - Use default bus to schedule events on ECS.
- Lambda Scheduling Events - Trigger Lambda functions on schedule (works only with default bus).
- API Destination - Control access to EventBridge using API destinations.
- Pipes - EventBridge Pipes with lots of configurations.
Requirements
| Name | Version |
|---|---|
| <a name="requirement_terraform"></a> terraform | >= 1.0 |
| <a name="requirement_aws"></a> aws | >= 5.61 |
Providers
| Name | Version |
|---|---|
| <a name="provider_aws"></a> aws | >= 5.61 |
Modules
No modules.
Resources
Inputs
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| <a name="input_api_destinations"></a> api_destinations | A map of objects with EventBridge Destination definitions. | map(any) | {} | no |
| <a name="input_append_connection_postfix"></a> append_connection_postfix | Controls whether to append '-connection' to the name of the connection | bool | true | no |
| <a name="input_append_destination_postfix"></a> append_destination_postfix | Controls whether to append '-destination' to the name of the destination | bool | true | no |
| <a name="input_append_pipe_postfix"></a> append_pipe_postfix | Controls whether to append '-pipe' to the name of the pipe | bool | true | no |
| <a name="input_append_rule_postfix"></a> append_rule_postfix | Controls whether to append '-rule' to the name of the rule | bool | true | no |
| <a name="input_append_schedule_group_postfix"></a> append_schedule_group_postfix | Controls whether to append '-group' to the name of the schedule group | bool | true | no |
| <a name="input_append_schedule_postfix"></a> append_schedule_postfix | Controls whether to append '-schedule' to the name of the schedule | bool | true | no |
| <a name="input_archives"></a> archives | A map of objects with the EventBridge Archive definitions. | map(any) | {} | no |
| <a name="input_attach_api_destination_policy"></a> attach_api_destination_policy | Controls whether the API Destination policy should be added to IAM role for EventBridge Target | bool | false | no |
| <a name="input_attach_cloudwatch_policy"></a> attach_cloudwatch_policy | Controls whether the Cloudwatch policy should be added to IAM role for EventBridge Target | bool | false | no |
| <a name="input_attach_ecs_policy"></a> attach_ecs_policy | Controls whether the ECS policy should be added to IAM role for EventBridge Target | bool | false | no |
| <a name="input_attach_kinesis_firehose_policy"></a> attach_kinesis_firehose_policy | Controls whether the Kinesis Firehose policy should be added to IAM role for EventBridge Target | bool | false | no |
| <a name="input_attach_kinesis_policy"></a> attach_kinesis_policy | Controls whether the Kinesis policy should be added to IAM role for EventBridge Target | bool | false | no |
| <a name="input_attach_lambda_policy"></a> attach_lambda_policy | Controls whether the Lambda Function policy should be added to IAM role for EventBridge Target | bool | false | no |
| <a name="input_attach_policies"></a> attach_policies | Controls whether list of policies should be added to IAM role | bool | false | no |
| <a name="input_attach_policy"></a> attach_policy | Controls whether policy should be added to IAM role | bool | false | no |
| <a name="input_attach_policy_json"></a> attach_policy_json | Controls whether policy_json should be added to IAM role | bool | false | no |
| <a name="input_attach_policy_jsons"></a> attach_policy_jsons | Controls whether policy_jsons should be added to IAM role | bool | false | no |
| <a name="input_attach_policy_statements"></a> attach_policy_statements | Controls whether policy_statements should be added to IAM role | bool | false | no |
| <a name="input_attach_sfn_policy"></a> attach_sfn_policy | Controls whether the StepFunction policy should be added to IAM role for EventBridge Target | bool | false | no |
| <a name="input_attach_sns_policy"></a> attach_sns_policy | Controls whether the SNS policy should be added to IAM role for EventBridge Target | bool | false | no |
| <a name="input_attach_sqs_policy"></a> attach_sqs_policy | Controls whether the SQS policy should be added to IAM role for EventBridge Target | bool | false | no |
| <a name="input_attach_tracing_policy"></a> attach_tracing_policy | Controls whether X-Ray tracing policy should be added to IAM role for EventBridge | bool | false | no |
| <a name="input_bus_name"></a> bus_name | A unique name for your EventBridge Bus | string | "default" | no |
| <a name="input_cloudwatch_target_arns"></a> cloudwatch_target_arns | The Amazon Resource Name (ARN) of the Cloudwatch Log Streams you want to use as EventBridge targets | list(string) | [] | no |
| <a name="input_connections"></a> connections | A map of objects with EventBridge Connection definitions. | any | {} | no |
| <a name="input_create"></a> create | Controls whether resources should be created | bool | true | no |
| <a name="input_create_api_destinations"></a> create_api_destinations | Controls whether EventBridge Destination resources should be created | bool | false | no |
| <a name="input_create_archives"></a> create_archives | Controls whether EventBridge Archive resources should be created | bool | false | no |
| <a name="input_create_bus"></a> create_bus | Controls whether EventBridge Bus resource should be created | bool | true | no |
| <a name="input_create_connections"></a> create_connections | Controls whether EventBridge Connection resources should be created | bool | false | no |
| <a name="input_create_permissions"></a> create_permissions | Controls whether EventBridge Permission resources should be created | bool | true | no |
| <a name="input_create_pipes"></a> create_pipes | Controls whether EventBridge Pipes resources should be created | bool | true | no |
| <a name="input_create_role"></a> create_role | Controls whether IAM roles should be created | bool | true | no |
| <a name="input_create_rules"></a> create_rules | Controls whether EventBridge Rule resources should be created | bool | true | no |
| <a name="input_create_schedule_groups"></a> create_schedule_groups | Controls whether EventBridge Schedule Group resources should be created | bool | true | no |
| <a name="input_create_schedules"></a> create_schedules | Controls whether EventBridge Schedule resources should be created | bool | true | no |
| <a name="input_create_schemas_discoverer"></a> create_schemas_discoverer | Controls whether default schemas discoverer should be created | bool | false | no |
| <a name="input_create_targets"></a> create_targets | Controls whether EventBridge Target resources should be created | bool | true | no |
| <a name="input_ecs_pass_role_resources"></a> ecs_pass_role_resources | List of approved roles to be passed | list(string) | [] | no |
| <a name="input_ecs_target_arns"></a> ecs_target_arns | The Amazon Resource Name (ARN) of the AWS ECS Tasks you want to use as EventBridge targets | list(string) | [] | no |
| <a name="input_event_source_name"></a> event_source_name | The partner event source that the new event bus will be matched with. Must match name. | string | null | no |
| <a name="input_kinesis_firehose_target_arns"></a> kinesis_firehose_target_arns | The Amazon Resource Name (ARN) of the Kinesis Firehose Delivery Streams you want to use as EventBridge targets | list(string) | [] | no |
| <a name="input_kinesis_target_arns"></a> kinesis_target_arns | The Amazon Resource Name (ARN) of the Kinesis Streams you want to use as EventBridge targets | list(string) | [] | no |
| <a name="input_kms_key_identifier"></a> kms_key_identifier | The identifier of the AWS KMS customer managed key for EventBridge to use, if you choose to use a customer managed key to encrypt events on this event bus. The identifier can be the key Amazon Resource Name (ARN), KeyId, key alias, or key alias ARN. | string | null | no |
| <a name="input_lambda_target_arns"></a> lambda_target_arns | The Amazon Resource Name (ARN) of the Lambda Functions you want to use as EventBridge targets | list(string) | [] | no |
| <a name="input_number_of_policies"></a> number_of_policies | Number of policies to attach to IAM role | number | 0 | no |
| <a name="input_number_of_policy_jsons"></a> number_of_policy_jsons | Number of policies JSON to attach to IAM role | number | 0 | no |
| <a name="input_permissions"></a> permissions | A map of objects with EventBridge Permission definitions. | map(any) | {} | no |
| <a name="input_pipes"></a> pipes | A map of objects with EventBridge Pipe definitions. | any | {} | no |
| <a name="input_policies"></a> policies | List of policy statements ARN to attach to IAM role | list(string) | [] | no |
| <a name="input_policy"></a> policy | An additional policy document ARN to attach to IAM role | string | null | no |
| <a name="input_policy_json"></a> policy_json | An additional policy document as JSON to attach to IAM role | string | null | no |
| <a name="input_policy_jsons"></a> policy_jsons | List of additional policy documents as JSON to attach to IAM role | list(string) | [] | no |
| <a name="input_policy_path"></a> policy_path | Path of IAM policy to use for EventBridge | string | null | no |
| <a name="input_policy_statements"></a> policy_statements | Map of dynamic policy statements to attach to IAM role | any | {} | no |
| <a name="input_role_description"></a> role_description | Description of IAM role to use for EventBridge | string | null | no |
| <a name="input_role_force_detach_policies"></a> role_force_detach_policies | Specifies to force detaching any policies the IAM role has before destroying it. | bool | true | no |
| <a name="input_role_name"></a> role_name | Name of IAM role to use for EventBridge | string | null | no |
| <a name="input_role_path"></a> role_path | Path of IAM role to use for EventBridge | string | null | no |
| <a name="input_role_permissions_boundary"></a> role_permissions_boundary | The ARN of the policy that is used to set the permissions boundary for the IAM role used by EventBridge | string | null | no |
| <a name="input_role_tags"></a> role_tags | A map of tags to assign to IAM role | map(string) | {} | no |
| <a name="input_rules"></a> rules | A map of objects with EventBridge Rule definitions. | map(any) | {} | no |
| <a name="input_schedule_group_timeouts"></a> schedule_group_timeouts | A map of objects with EventBridge Schedule Group create and delete timeouts. | map(string) | {} | no |
| <a name="input_schedule_groups"></a> schedule_groups | A map of objects with EventBridge Schedule Group definitions. | any | {} | no |
| <a name="input_schedules"></a> schedules | A map of objects with EventBridge Schedule definitions. | map(any) | {} | no |
| <a name="input_schemas_discoverer_description"></a> schemas_discoverer_description | Default schemas discoverer description | string | "Auto schemas discoverer event" | no |
| <a name="input_sfn_target_arns"></a> sfn_target_arns | The Amazon Resource Name (ARN) of the StepFunctions you want to use as EventBridge targets | list(string) | [] | no |
| <a name="input_sns_kms_arns"></a> sns_kms_arns | The Amazon Resource Name (ARN) of the AWS KMS's configured for AWS SNS you want Decrypt/GenerateDataKey for | list(string) | <pre>[<br> "*"<br>]</pre> | no |
| <a name="input_sns_target_arns"></a> sns_target_arns | The Amazon Resource Name (ARN) of the AWS SNS's you want to use as EventBridge targets | list(string) | [] | no |
| <a name="input_sqs_target_arns"></a> sqs_target_arns | The Amazon Resource Name (ARN) of the AWS SQS Queues you want to use as EventBridge targets | list(string) | [] | no |
| <a name="input_tags"></a> tags | A map of tags to assign to resources. | map(string) | {} | no |
| <a name="input_targets"></a> targets | A map of objects with EventBridge Target definitions. | any | {} | no |
| <a name="input_trusted_entities"></a> trusted_entities | Additional trusted entities for assuming roles (trust relationship) | list(string) | [] | no |
Outputs
| Name | Description |
|---|---|
| <a name="output_eventbridge_api_destination_arns"></a> eventbridge_api_destination_arns | The EventBridge API Destination ARNs |
| <a name="output_eventbridge_api_destinations"></a> eventbridge_api_destinations | The EventBridge API Destinations created and their attributes |
| <a name="output_eventbridge_archive_arns"></a> eventbridge_archive_arns | The EventBridge Archive ARNs |
| <a name="output_eventbridge_archives"></a> eventbridge_archives | The EventBridge Archives created and their attributes |
| <a name="output_eventbridge_bus"></a> eventbridge_bus | The EventBridge Bus created and their attributes |
| <a name="output_eventbridge_bus_arn"></a> eventbridge_bus_arn | The EventBridge Bus ARN |
| <a name="output_eventbridge_bus_name"></a> eventbridge_bus_name | The EventBridge Bus Name |
| <a name="output_eventbridge_connection_arns"></a> eventbridge_connection_arns | The EventBridge Connection Arns |
| <a name="output_eventbridge_connection_ids"></a> eventbridge_connection_ids | The EventBridge Connection IDs |
| <a name="output_eventbridge_connections"></a> eventbridge_connections | The EventBridge Connections created and their attributes |
| <a name="output_eventbridge_iam_roles"></a> eventbridge_iam_roles | The EventBridge IAM roles created and their attributes |
| <a name="output_eventbridge_permission_ids"></a> eventbridge_permission_ids | The EventBridge Permission IDs |
| <a name="output_eventbridge_permissions"></a> eventbridge_permissions | The EventBridge Permissions created and their attributes |
| <a name="output_eventbridge_pipe_arns"></a> eventbridge_pipe_arns | The EventBridge Pipes ARNs |
| <a name="output_eventbridge_pipe_ids"></a> eventbridge_pipe_ids | The EventBridge Pipes IDs |
| <a name="output_eventbridge_pipe_role_arns"></a> eventbridge_pipe_role_arns | The ARNs of the IAM role created for EventBridge Pipes |
| <a name="output_eventbridge_pipe_role_names"></a> eventbridge_pipe_role_names | The names of the IAM role created for EventBridge Pipes |
| <a name="output_eventbridge_pipes"></a> eventbridge_pipes | The EventBridge Pipes created and their attributes |
| <a name="output_eventbridge_pipes_iam_roles"></a> eventbridge_pipes_iam_roles | The EventBridge Pipes IAM roles created and their attributes |
| <a name="output_eventbridge_role_arn"></a> eventbridge_role_arn | The ARN of the IAM role created for EventBridge |
| <a name="output_eventbridge_role_name"></a> eventbridge_role_name | The name of the IAM role created for EventBridge |
| <a name="output_eventbridge_rule_arns"></a> eventbridge_rule_arns | The EventBridge Rule ARNs |
| <a name="output_eventbridge_rule_ids"></a> eventbridge_rule_ids | The EventBridge Rule IDs |
| <a name="output_eventbridge_rules"></a> eventbridge_rules | The EventBridge Rules created and their attributes |
| <a name="output_eventbridge_schedule_arns"></a> eventbridge_schedule_arns | The EventBridge Schedule ARNs created |
| <a name="output_eventbridge_schedule_group_arns"></a> eventbridge_schedule_group_arns | The EventBridge Schedule Group ARNs |
| <a name="output_eventbridge_schedule_group_ids"></a> eventbridge_schedule_group_ids | The EventBridge Schedule Group IDs |
| <a name="output_eventbridge_schedule_group_states"></a> eventbridge_schedule_group_states | The EventBridge Schedule Group states |
| <a name="output_eventbridge_schedule_groups"></a> eventbridge_schedule_groups | The EventBridge Schedule Groups created and their attributes |
| <a name="output_eventbridge_schedule_ids"></a> eventbridge_schedule_ids | The EventBridge Schedule IDs created |
| <a name="output_eventbridge_schedules"></a> eventbridge_schedules | The EventBridge Schedules created and their attributes |
| <a name="output_eventbridge_targets"></a> eventbridge_targets | The EventBridge Targets created and their attributes |
Authors
Module managed by Sven Lito. Check out serverless.tf to learn more about doing serverless with Terraform.
License
Apache 2 Licensed. See LICENSE for full details.