@aws-cdk/aws-events: Can't create EventBridge Rule for bus in different region

[morcs]

Describe the bug

I want to add a rule on an Event Bus in a different account and region. If I create a new Rule, the CDK seems to ignore the region in the event bus' ARN and uses the region of the current app instead.

Expected Behavior

I expect the CDK to try to create the rule on the event bus specified. (in this case the event bus ARN is arn:aws:events:eu-west-2:XXXXXXXXXXXX:event-bus/my-event-bus)

Current Behavior

I receive the following error (N.b. The CDK app is deployed in the us-east-1 region).

Error: The stack named XAcctDestinationBusStack failed to deploy: UPDATE_ROLLBACK_COMPLETE: User: arn:aws:sts::YYYYYYYYYYYY:assumed-role/cdk-hnb659fds-cfn-exec-role-YYYYYYYYYYYY-us-east-1/AWSCloudFormation is not authorized to perform: events:PutRule on resource: arn:aws:events:us-east-1:XXXXXXXXXXXX:rule/my-event-bus/XAcctDestinationBusStack-forwardEventsFromSourceBu-SI90TXUR6U6F because no resource-based policy allows the events:PutRule action (Service: AmazonCloudWatchEvents; Status Code: 400; Error Code: AccessDeniedException;

Note that the region in the ARN has been changed to the app region us-east-1, which is why it fails.

Reproduction Steps

const sourceBusArn =
  "arn:aws:events:eu-west-2:XXXXXXXXXXXX:event-bus/my-event-bus";


export class XAcctDestinationBusStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    const bus = new events.EventBus(this, "bus");

    const sourceBus = events.EventBus.fromEventBusAttributes(
      this,
      "sourceBus",
      {
        eventBusArn: sourceBusArn,
        eventBusName: sourceBusArn,
        eventBusPolicy: "",
      }
    );

    new events.Rule(this, "forwardEventsFromSourceBus", {
      eventBus: sourceBus,
      eventPattern: { source: ["*"] },
      targets: [new targets.EventBus(bus)],
    });
  }
}

Possible Solution

I've looked into the source code and the Rule class seems to construct a new CfnRule, passing in the ARN as eventBusName, I'm not sure how to find the source of CfnRule to see what it's doing with the region.

Additional Information/Context

No response

CDK CLI Version

2.84.0 (build f7c792f)

Framework Version

No response

Node.js Version

16.20.0

OS

MacOS Ventura 13.4

Language

Typescript

Language Version

No response

Other information

No response

[pahud]

Looks like AWS::Events::Rule only accept EventBusName rather than the full ARN, which means it seems implicitly assume the same region. If that is the case, I am afraid cross-region might not be supported in CFN?

aws-cdk/packages/aws-cdk-lib/aws-events/lib/rule.ts

Line 114 in 0737b4e

eventBusName: props.eventBus && props.eventBus.eventBusName,

[peterwoodworth]

The API requires the name too instead of ARN. Is this supported by the service even?

[morcs]

The documentation for eventBusName states: "The name or ARN of the event bus associated with the rule." So it's confusingly named but should be able to (and actually will) accept an ARN.

N.b. You can tell that it reads more than just he name because it gets the account ID from the ARN correctly, and I've successfully been able to do this when the external event bus is in the same region as the current stack but in a different account.

I should add the reason I want to do this...we're implementing a separate "DevOps bus" account as per this article: https://github.com/aws-samples/amazon-eventbridge-resource-policy-samples/blob/main/patterns/README.md (I guess the article's author has all their services in the same regions so didn't hit this issue).

In this pattern the rules are created on the bus in the central account by the subscriber accounts, leaving the central bus account cleanly separated from that logic.

[peterwoodworth]

Ah, thanks for clarifying this.

I tested this with an escape hatch, and it resulted in an error. Code:

    const bus = new events.EventBus(this, "bus");

    const sourceBus = events.EventBus.fromEventBusAttributes(
      this,
      "sourceBus",
      {
        eventBusArn: 'arn:aws:events:us-west-2:123456789012:event-bus/DefaultEventBus',
        eventBusName: 'default',
        eventBusPolicy: "",
      }
    );

    const rule = new events.Rule(this, "forwardEventsFromSourceBus", {
      eventBus: sourceBus,
      eventPattern: { source: ["*"] },
      targets: [new targets.EventBus(bus)],
    });

    (rule.node.defaultChild as events.CfnRule).addPropertyOverride('EventBusName', 'arn:aws:events:us-west-2:123456789012:event-bus/default')

Error:

Cross-region api call is not allowed. (Service: AmazonCloudWatchEvents; Status Code: 400; Error Code: ValidationException;

It could be a bug with CloudFormation, or maybe I don't have my permissions set up correctly. Are you able to try testing this escape hatch method to ensure the template has the arn instead of the name?