I'm trying to send EventBridge events to the event bus of our backup account, but the bus isn't receiving them. I've been following this blog post and translated its example into Terraform code. The rule in the source account is triggered, but the event bus in the destination account isn't receiving the events.
Here's the Terraform code for the destination account:
# Looks up the destination account's default event bus so the bus policy and
# the destination rule below can reference its ARN/name rather than hard-code
# them. (The closing brace is missing from the pasted listing.)
data "aws_cloudwatch_event_bus" "default_bus" {
name = "default"
# Resource policy on the destination account's default bus. This is the grant
# that lets another account call events:PutEvents on this bus; without it the
# cross-account target configured in the source account is rejected.
resource "aws_cloudwatch_event_bus_policy" "copy_rds_backups" {
# Value cut off in the pasted listing; presumably
# data.aws_cloudwatch_event_bus.default_bus.name — confirm.
event_bus_name =
policy = data.aws_iam_policy_document.event_bus_policy.json
# Policy document attached to the destination bus. Scope matters here: the
# principal should be only the source account (its root ARN or the specific
# rule role ARN), and the resource only the default bus ARN, so that no other
# account can put events that would trigger the backup copy.
data "aws_iam_policy_document" "event_bus_policy" {
statement {
sid = "AWSBackupCopyCompleteEvent"
actions = ["events:PutEvents"]
principals {
type = "AWS"
# Identifiers are cut off in the pasted listing. With type "AWS" this must be
# the source account's ARN(s); a wildcard here would let any AWS account put
# events on this bus — verify the real value.
identifiers = [
# Interpolation-only "${...}" string; a bare reference
# (data.aws_cloudwatch_event_bus.default_bus.arn) is the current Terraform form.
resources = ["${data.aws_cloudwatch_event_bus.default_bus.arn}"]
# Destination-side rule: matches the forwarded AWS Backup event on this bus
# and is meant to trigger the cross-region copy.
# NOTE(review): detail-type here is "Copy Job State Changed", while the
# source-account rule in the same question uses "Copy Job State Change".
# EventBridge matches detail-type exactly, so at most one of the two spellings
# can match the real event; the AWS Backup event is documented as
# "Copy Job State Change", so this rule most likely never fires even when the
# event reaches the bus — confirm against the delivered event.
resource "aws_cloudwatch_event_rule" "copy_rds_backups" {
name = "copy_rds_backups"
description = "EventBridge rule for CopyCompleteJob event to trigger cross-region backup copy of RDS resources."
state = "ENABLED"
event_pattern = jsonencode({
source = ["aws.backup"],
# Filtering on the sender account ID keeps the rule from acting on events put
# on the bus by any other principal the bus policy might admit. The value is
# cut off in the pasted listing — it should be the source account ID.
account = [{
detail-type = ["Copy Job State Changed"],
detail = {
"state" = ["COMPLETED"],
"resourceType" = ["RDS", "Aurora"]
And the source account:
# IAM role that EventBridge in the source account assumes to put events on the
# destination bus; it is referenced as role_arn by the event target below.
resource "aws_iam_role" "cloudwatch_backup_event_role" {
name = "cloudwatch-backup-event-role"
description = "Role for CloudWatch Event Rule to notify Backup account vault of RDS backup completion"
assume_role_policy = data.aws_iam_policy_document.cloudwatch_assume_role.json
# Trust policy for the role above. Only the EventBridge service should be able
# to assume it.
data "aws_iam_policy_document" "cloudwatch_assume_role" {
statement {
effect = "Allow"
# Action list cut off in the pasted listing; expected to be ["sts:AssumeRole"].
actions = [
principals {
type = "Service"
# The pasted listing shows an empty identifier. For a Service principal this
# should be "events.amazonaws.com"; if the real file also has an empty string,
# EventBridge cannot assume the role and the target never delivers — verify.
identifiers = [""]
# Attaches the PutEvents policy to the role.
# NOTE: aws_iam_policy_attachment is exclusive — Terraform detaches the policy
# from every role, user and group not listed here. For a single role,
# aws_iam_role_policy_attachment is the non-exclusive form and avoids that
# side effect on other principals.
resource "aws_iam_policy_attachment" "cloudwatch_backup_event_policy_attachment" {
name = "cloudwatch-event-policy-attachment"
# Value cut off in the pasted listing; presumably
# [aws_iam_role.cloudwatch_backup_event_role.name].
roles = [
policy_arn = aws_iam_policy.cloudwatch_backup_event_policy.arn
# Managed policy carrying the permission the rule role needs to call
# PutEvents on the destination bus.
resource "aws_iam_policy" "cloudwatch_backup_event_policy" {
name = "cloudwatch-event-policy"
description = "Policy for CloudWatch Event Rule to notify Backup account vault of RDS backup completion"
policy = data.aws_iam_policy_document.cloudwatch_backup_event_policy.json
# Permission for the rule role: events:PutEvents, and only on the destination
# bus ARN (the same ARN the event target uses), not "*". A wildcard resource
# would let the role put events on any bus the destination side admits.
data "aws_iam_policy_document" "cloudwatch_backup_event_policy" {
statement {
effect = "Allow"
# Actions and resources are cut off in the pasted listing — confirm they are
# ["events:PutEvents"] and the single destination bus ARN.
actions = [
resources = [
# Source-side rule: matches AWS Backup copy-job completion for RDS/Aurora
# whose destination vault lives in the backup account, so only those events
# are forwarded cross-account.
resource "aws_cloudwatch_event_rule" "rds_backup_complete" {
name = "rds-backup-complete"
description = "Rule to trigger event when RDS backup is complete"
state = "ENABLED"
event_pattern = jsonencode({
source = ["aws.backup"],
# This matches the documented AWS Backup detail-type. The destination-account
# rule in this question spells it "Copy Job State Changed", which will not
# match the same event — the two must agree.
detail-type = ["Copy Job State Change"],
detail = {
"state" = ["COMPLETED"],
"resourceType" = ["RDS", "Aurora"],
# Prefix match on the destination vault ARN. DESTINATION_ACCOUNT_ID is a
# placeholder from the question, not a real value. Mixing `=` and `:` inside
# one object is legal HCL but inconsistent with the lines above.
"destinationBackupVaultArn" : [{
"prefix": "arn:aws:backup:eu-west-1:DESTINATION_ACCOUNT_ID:backup-vault:",
# Cross-account target: the destination account's default bus. role_arn is
# what EventBridge assumes to call PutEvents there, and the destination bus
# policy must additionally allow this account — both sides are needed.
resource "aws_cloudwatch_event_target" "rds_backup_complete" {
# Value cut off in the pasted listing; presumably
# aws_cloudwatch_event_rule.rds_backup_complete.name.
rule =
target_id = "rds-backup-complete"
role_arn = aws_iam_role.cloudwatch_backup_event_role.arn
# DESTINATION_ACCOUNT_ID is a placeholder from the question. The region is
# hard-coded; confirm it is the region of the bus the destination-side policy
# and rule are deployed to.
arn = "arn:aws:events:eu-west-1:DESTINATION_ACCOUNT_ID:event-bus/default"