Cross-Account Event Delivery with AWS EventBridge and CodeCommit

Rajith, published in Towards AWS, Mar 2, 2024 (4 min read)

Cross-account event delivery in Amazon Web Services (AWS) facilitates seamless communication and integration between different accounts. In this guide, we will focus on establishing cross-account event delivery using AWS CloudWatch Events and AWS CodeCommit between two AWS accounts.

The primary goal of this guide is to trigger a CodeBuild project (e.g., sample-codebuild-project) in Account A (the Event Receiver) when a code merge event occurs on a particular branch (e.g., the master branch) of a CodeCommit repository in Account B (the Event Sender).

Understanding Cross-Account Event Delivery:

Cross-account event delivery allows events generated in one AWS account to be delivered and processed by resources in another AWS account. This capability is instrumental in building event-driven architectures and enabling collaboration between AWS accounts.

Account A as Event Receiver (709326302347)

  1. Enable Account A to Receive Events: To allow the default event bus of Account A to accept events from Account B, execute the following AWS CLI command:

aws events put-permission --action events:PutEvents --statement-id MySid --principal 494170752669 --region us-west-2 --profile receiver

You can verify the permissions using:

aws events describe-event-bus --profile receiver

2. Create a CloudWatch Events rule with CodeCommit as the event source and CodeBuild project as the target

a. Create the trust policy that allows CloudWatch Events to assume the service role. Name the trust policy trustpolicyforcwe.json

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "events.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

b. Create the CodeBuild-Invoke-Role-For-Cloudwatch-Events role and attach the trust policy.

aws iam create-role --role-name CodeBuild-Invoke-Role-For-Cloudwatch-Events --assume-role-policy-document file://trustpolicyforcwe.json --profile receiver

c. Create a policy file named permissionspolicycwe.json that grants permission to start the sample CodeBuild project called sample-codebuild-project:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "codebuild:StartBuild"
            ],
            "Resource": [
                "arn:aws:codebuild:us-west-2:709326302347:project/sample-codebuild-project"
            ]
        }
    ]
}

d. Attach the permissions policy to the role:

Name the policy Codebuild-Permissions-Policy-For-CWE and attach it to the role CodeBuild-Invoke-Role-For-Cloudwatch-Events.

aws iam put-role-policy --role-name CodeBuild-Invoke-Role-For-Cloudwatch-Events --policy-name Codebuild-Permissions-Policy-For-CWE --policy-document file://permissionspolicycwe.json --profile receiver --region us-west-2

3. Call the put-rule command and include the --name, --event-pattern, and --role-arn parameters

aws events put-rule --name "CodeCommitRepoRule" --event-pattern "{\"source\":[\"aws.codecommit\"],\"detail-type\":[\"CodeCommit Repository State Change\"],\"resources\":[\"arn:aws:codecommit:us-west-2:494170752669:sample-repo\"],\"detail\":{\"referenceType\":[\"branch\"],\"referenceName\":[\"master\"]}}" --role-arn "arn:aws:iam::709326302347:role/CodeBuild-Invoke-Role-For-Cloudwatch-Events" --profile receiver --region us-west-2

4. To add CodeBuild as a target, call the put-targets command and include the following parameters:

• The --rule parameter takes the name of the rule created with put-rule.

• The --targets parameter takes the Id of the target within the rule's list of targets and the ARN of the target CodeBuild project.

In the command below, the target Id for the rule CodeCommitRepoRule is 1, its position in the list of targets attached to the rule. The command also includes the ARN of the CodeBuild project, so that the project starts automatically when the branch in the CodeCommit repository changes. The project ARN must be the same one the permissions policy above allows codebuild:StartBuild on; otherwise the role cannot start the build.

aws events put-targets --rule CodeCommitRepoRule --targets "Id"="1","Arn"="arn:aws:codebuild:us-west-2:709326302347:project/sample-codebuild-project","RoleArn"="arn:aws:iam::709326302347:role/CodeBuild-Invoke-Role-For-Cloudwatch-Events" --profile receiver --region us-west-2
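The put-permission call in step 1 is what opens the receiver's bus to another account, so it pays to check what describe-event-bus actually reports. The Python below is an added example, not code from the original post: it decodes the Policy field of the describe-event-bus output (a constructed sample of the shape returned after the put-permission command above) and flags any statement that grants more than the sender needs, such as an action other than events:PutEvents, a Principal of "*" (which would let any AWS account put events on the bus), or an account outside the allowed set. The function name and the allowed-accounts argument are assumptions.

```python
import json

# Constructed sample of what `aws events describe-event-bus --profile receiver`
# returns after the put-permission call above. The Policy field is itself a
# JSON document serialised as a string, so it has to be decoded a second time.
SAMPLE_DESCRIBE_EVENT_BUS = {
    "Name": "default",
    "Arn": "arn:aws:events:us-west-2:709326302347:event-bus/default",
    "Policy": json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "MySid",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::494170752669:root"},
            "Action": "events:PutEvents",
            "Resource": "arn:aws:events:us-west-2:709326302347:event-bus/default",
        }],
    }),
}


def audit_bus_policy(describe_output, allowed_accounts):
    """Return findings for Allow statements that grant more than the sender
    account needs. An empty list means the bus policy is as narrow as the
    put-permission command above was meant to make it."""
    findings = []
    policy = json.loads(describe_output.get("Policy") or "{}")
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = stmt.get("Action", [])
        for action in [actions] if isinstance(actions, str) else actions:
            if action != "events:PutEvents":
                findings.append(f"{sid}: grants {action}, expected only events:PutEvents")
        principal = stmt.get("Principal", {})
        principals = principal.get("AWS", []) if isinstance(principal, dict) else principal
        for p in [principals] if isinstance(principals, str) else principals:
            if p == "*":
                findings.append(f"{sid}: Principal '*' lets any AWS account put events on this bus")
                continue
            # Principals arrive as arn:aws:iam::<account>:root; a bare account id is also valid.
            account = p.split(":")[4] if p.startswith("arn:") else p
            if account not in allowed_accounts:
                findings.append(f"{sid}: unexpected sender account {account}")
    return findings
```

Feed it the parsed JSON of a real describe-event-bus call in place of the sample to audit your own bus.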

Account B as Event Sender (494170752669)

  1. Send events to the Receiver AWS account

a. Create assume-role-policy-document.json with the following content:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "events.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

b. Create the role with the following command:

aws iam create-role --role-name cross-account-codecommit-event-delivery-role --assume-role-policy-document file://assume-role-policy-document.json --profile sender

c. Create a file named permission-policy.json with the following content

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "events:PutEvents"
            ],
            "Resource": [
                "arn:aws:events:us-west-2:709326302347:event-bus/default"
            ]
        }
    ]
}

d. Attach the policy to the role cross-account-codecommit-event-delivery-role

aws iam put-role-policy --role-name cross-account-codecommit-event-delivery-role --policy-name EventBusDeliveryRolePolicy --policy-document file://permission-policy.json --profile sender

2. Create a rule that matches the event types to send from this sender account (494170752669) to the receiver account (709326302347).

aws events put-rule --name "CodeCommitEvents" --event-pattern "{\"source\":[\"aws.codecommit\"],\"detail-type\":[\"CodeCommit Repository State Change\"],\"resources\":[\"arn:aws:codecommit:us-west-2:494170752669:sample-repo\"],\"detail\":{\"referenceType\":[\"branch\"],\"referenceName\":[\"master\"]}}" --role-arn "arn:aws:iam::494170752669:role/cross-account-codecommit-event-delivery-role" --profile sender

3. Add the receiver account’s (709326302347) default event bus as the target of the rule.

aws events put-targets --rule CodeCommitEvents --targets "Id"="1","Arn"="arn:aws:events:us-west-2:709326302347:event-bus/default","RoleArn"="arn:aws:iam::494170752669:role/cross-account-codecommit-event-delivery-role" --profile sender

To see all the rules in place, head to the “Buses” section within Amazon EventBridge, where you’ll find them listed in both the Sender and Receiver Accounts.

That’s it! The event-driven setup is ready, and you’re free to explore and experiment with it.
