AWS EventBus with Terraform

Olivier Butterbach
3 min read · Apr 18, 2020

A simple guide to deploying a CloudWatch EventBus with Terraform. If you check the official Terraform documentation you will notice that it is quite light on this subject, so some guidance will probably help at this point.

I also keep my blog updated with new articles through my consulting company; you can check https://cdcloudlogix.com/blog for more information :)

Passing Cloudwatch Events from one AWS Account to another

This solution requires creating an IAM role that allows CloudWatch Events to PutEvents into your remote AWS account.

1. Terraform Providers

This solution uses Terraform version 0.12.16. You can set different provider aliases as follows; Terraform will then use these providers when we start creating our modules:

Once completed, don’t forget to add your backend configuration:

Keep in mind that S3 bucket names are globally unique; you will need to use your own.
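As an added example (not the author's own configuration), here is what a provider file with two aliases and an S3 backend looks like in Terraform 0.12 syntax. The alias names (`main`, `member`), the profile names, the region, the state key and the DynamoDB lock table name are assumptions; the bucket name is a placeholder you must replace. The state file will contain your account ids and queue ARNs, so keeping it encrypted and locked is worth the two extra lines.

```hcl
terraform {
  required_version = ">= 0.12.16"

  backend "s3" {
    bucket         = "REPLACE-WITH-YOUR-GLOBALLY-UNIQUE-BUCKET-NAME"
    key            = "eventbus/terraform.tfstate"   # assumed state path
    region         = "eu-west-1"                    # assumed region
    encrypt        = true                           # server-side encrypt the state object
    dynamodb_table = "terraform-state-lock"         # assumed table name, used for state locking
  }
}

# Provider used for everything deployed in the main (receiving) account.
provider "aws" {
  alias   = "main"
  region  = "eu-west-1"
  profile = "main-account"   # assumed named profile in ~/.aws/config
}

# Provider used for everything deployed in a member (sending) account.
# EventBus is region bound, so both aliases must point at the same region.
provider "aws" {
  alias   = "member"
  region  = "eu-west-1"
  profile = "member-account"   # assumed named profile
}
```

Because the backend block cannot reference variables, the bucket and table names are literal; if you deploy to several regions, add one provider alias per region and account pair rather than changing the backend.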

2. Modules

This project is composed of 2 different modules:

  • ec2-events (Member AWS accounts)
  • eventbus-sqs (Main AWS account)

Let’s start with the module that will be installed in your main account.

3. Main AWS account module

This module is divided into several parts; let’s start with the EventBus configuration:

EventBus resource declaration

This resource needs the following variable; EventBus will then trust each of your member AWS accounts.

With this, Terraform iterates over the member accounts and creates a resource for each of them. Keep in mind that EventBus is region-scoped, which means you will need to repeat this variable configuration for each of your regions.

The next part of our module links CloudWatch Events to SQS for collecting EC2 events from the main AWS account:

This part creates the CloudWatch Events rule and the SQS queue, and links the two with an event target.

Final part: create an IAM role allowing your AWS member accounts to put events into your main account:
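The following is an added example of the main account module, written for Terraform 0.12 with the AWS provider; it is not the author's code from the repository. It covers the three parts above: trusting each member account on the default event bus (one `aws_cloudwatch_event_permission` per account via `for_each`), the EC2 rule and SQS queue, and the target linking them. Instead of a role in the main account, it grants the member accounts `events:PutEvents` with a resource-based permission on the bus, which is the cross-account pattern the AWS provider supports directly; the sender-side role lives in the member module. The variable name, resource names, account ids and the `aws:SourceArn` condition are assumptions.

```hcl
# Friendly name => AWS account id of each member account allowed to put events here.
variable "member_accounts" {
  type        = map(string)
  description = "Member accounts trusted on the default event bus of this region"
  # Constructed placeholder ids, replace with your own.
  default = {
    dev  = "111111111111"
    prod = "222222222222"
  }
}

# One permission statement per member account on the default event bus.
# EventBus is region bound: call this module once per region you collect from.
resource "aws_cloudwatch_event_permission" "member" {
  for_each     = var.member_accounts
  principal    = each.value                       # account id, not "*"
  statement_id = "AllowPutEventsFrom-${each.key}"
  action       = "events:PutEvents"
}

# Rule matching EC2 instance state-change notifications arriving on the bus,
# whether they originate here or were forwarded by a member account.
resource "aws_cloudwatch_event_rule" "ec2_state" {
  name        = "ec2-instance-state-change"
  description = "Capture EC2 instance state-change notifications"
  event_pattern = jsonencode({
    source        = ["aws.ec2"]
    "detail-type" = ["EC2 Instance State-change Notification"]
  })
}

# Queue that receives the matched events.
resource "aws_sqs_queue" "ec2_events" {
  name                      = "ec2-events"
  message_retention_seconds = 86400
}

# Resource policy on the queue: only the events service, and only on behalf of
# this specific rule, may send messages. Without it the target silently fails.
data "aws_iam_policy_document" "queue" {
  statement {
    effect    = "Allow"
    actions   = ["sqs:SendMessage"]
    resources = [aws_sqs_queue.ec2_events.arn]

    principals {
      type        = "Service"
      identifiers = ["events.amazonaws.com"]
    }

    condition {
      test     = "ArnEquals"
      variable = "aws:SourceArn"
      values   = [aws_cloudwatch_event_rule.ec2_state.arn]
    }
  }
}

resource "aws_sqs_queue_policy" "queue" {
  queue_url = aws_sqs_queue.ec2_events.id
  policy    = data.aws_iam_policy_document.queue.json
}

# Deliver matched events to the queue.
resource "aws_cloudwatch_event_target" "to_sqs" {
  rule      = aws_cloudwatch_event_rule.ec2_state.name
  target_id = "ec2-events-sqs"
  arn       = aws_sqs_queue.ec2_events.arn
}

# Handy for the final verification step.
output "ec2_events_queue_url" {
  value = aws_sqs_queue.ec2_events.id
}
```

Two points to check after `terraform apply`: the bus permission must list only account ids, never `*`, and the queue policy's `aws:SourceArn` condition keeps any other rule (or any other account's rule) from writing into the queue. If you later encrypt the queue with a customer managed KMS key, that key's policy must also allow `events.amazonaws.com`, otherwise deliveries are dropped.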

This concludes the main module; let’s have a look at the member one.

4. Member AWS Account module

This module is a lot simpler than the previous one. Start by declaring the CloudWatch Events rule resource:

Then, target the default EventBus of your main account and create an IAM role for CloudWatch Events:

Finally, create a policy to assume the previously created IAM role (in the main account) and link it to your IAM role as follows:

Please take note of the following declaration of variables in this module (partially displayed):
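An added example of the member account module (again not the author's code): the EC2 rule, an IAM role that the CloudWatch Events service is allowed to assume, an inline policy restricted to `events:PutEvents` on the main account's default bus, and the target pointing at that bus with the role attached. The role is created in the member account and trusts `events.amazonaws.com`, which is the sender-side half of the cross-account pattern; the variable and resource names are assumptions, and the region is taken from the provider so the target bus is always in the same region as the rule.

```hcl
variable "main_account_id" {
  type        = string
  description = "Account id of the main account that owns the target event bus"
}

data "aws_region" "current" {}

locals {
  # Default event bus of the main account, in the region this module is deployed to.
  main_event_bus_arn = "arn:aws:events:${data.aws_region.current.name}:${var.main_account_id}:event-bus/default"
}

# Rule selecting the EC2 events to forward.
resource "aws_cloudwatch_event_rule" "ec2_state" {
  name        = "forward-ec2-state-change"
  description = "Forward EC2 instance state-change notifications to the main account"
  event_pattern = jsonencode({
    source        = ["aws.ec2"]
    "detail-type" = ["EC2 Instance State-change Notification"]
  })
}

# Trust policy: only the CloudWatch Events service may assume this role.
data "aws_iam_policy_document" "assume" {
  statement {
    actions = ["sts:AssumeRole"]

    principals {
      type        = "Service"
      identifiers = ["events.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "events_forwarder" {
  name               = "cloudwatch-events-forwarder"
  assume_role_policy = data.aws_iam_policy_document.assume.json
}

# Least privilege: one action, one resource (the main account's bus).
data "aws_iam_policy_document" "put_events" {
  statement {
    actions   = ["events:PutEvents"]
    resources = [local.main_event_bus_arn]
  }
}

resource "aws_iam_role_policy" "put_events" {
  name   = "put-events-to-main-bus"
  role   = aws_iam_role.events_forwarder.id
  policy = data.aws_iam_policy_document.put_events.json
}

# Target: the remote event bus, using the role above for the cross-account call.
resource "aws_cloudwatch_event_target" "to_main_bus" {
  rule      = aws_cloudwatch_event_rule.ec2_state.name
  target_id = "main-account-event-bus"
  arn       = local.main_event_bus_arn
  role_arn  = aws_iam_role.events_forwarder.arn
}
```

The `role_arn` on the target is what makes the cross-account delivery work; if it is omitted, or the policy names a bus in another region, the rule shows invocations but the main account never receives anything, and the failure is only visible in the rule's `FailedInvocations` metric.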

Let’s move on to the final part: deploying all of this.

5. Final part and deployment

We have almost reached the end of this guide; we just need to call our modules as follows:
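As an added example of the root configuration (not the author's), here is how the two modules are wired together with the provider aliases. The module paths, the alias names `aws.main` and `aws.member`, and the input variable names are assumptions; the module names `ec2-events` and `eventbus-sqs` are the ones from this article. Terraform 0.12 has no `for_each` on module blocks, so each member account gets its own module call with its own provider alias.

```hcl
variable "member_accounts" {
  type        = map(string)
  description = "Friendly name => account id of every member account to trust"
}

variable "main_account_id" {
  type        = string
  description = "Account id of the main (receiving) account"
}

# Main account: trusts the member accounts, rule + SQS queue + target.
module "eventbus_sqs" {
  source = "./modules/eventbus-sqs"   # assumed path

  providers = {
    aws = aws.main
  }

  member_accounts = var.member_accounts
}

# Member account: rule + forwarding role + target on the main account's bus.
# Repeat this block once per member account, each with its own provider alias.
module "ec2_events" {
  source = "./modules/ec2-events"   # assumed path

  providers = {
    aws = aws.member
  }

  main_account_id = var.main_account_id
}

# Surface the queue URL so delivery can be verified once events start flowing.
output "ec2_events_queue_url" {
  value = module.eventbus_sqs.ec2_events_queue_url
}
```

Put the account ids in a `terraform.tfvars` file rather than in the module defaults, so the same code can be applied against a second environment without editing it.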

Don’t forget to declare your variables, then deploy as follows:

$ terraform init
[...]
$ terraform apply

By triggering some EC2 activity, you should start to see events flowing into your newly created SQS queue:

SQS Monitoring

You can find all of this configuration in the following GitHub repository; any questions, please let me know 😃.
