Avoid Adding a Resource Policy to Lambda While Creating EventBridge Rule Using CDK

Problem Statement:

I want to create n numbers of EventBridge Rules where the target resource is a Lambda using CDK. While creating the Rule, EventBridge automatically creates a resource policy for lambda that look like this:

{
  "Version": "2012-10-17",
  "Id": "default",
  "Statement": [
    {
      "Sid": "EventBridge-Rule-1",
      "Effect": "Allow",
      "Principal": {
        "Service": "events.amazonaws.com"
      },
      "Action": "lambda:InvokeFunction",
      "Resource": "arn:aws:lambda:us-east-1:XXXXXXXXXXXXX:function:SUBMIT-JOB-LAMBDA",
      "Condition": {
        "ArnLike": {
          "AWS:SourceArn": "arn:aws:events:us-east-1:XXXXXXXXXXXXX:rule/src-project-file.py"
        }
      }
    },
    {
      "Sid": "EventBridge-Rule-2",
      "Effect": "Allow",
      "Principal": {
        "Service": "events.amazonaws.com"
      },
      "Action": "lambda:InvokeFunction",
      "Resource": "arn:aws:lambda:us-east-1:XXXXXXXXXXXXX:function:SUBMIT-JOB-LAMBDA",
      "Condition": {
        "ArnLike": {
          "AWS:SourceArn": "arn:aws:events:us-east-1:XXXXXXXXXXXXX:rule/src-project-file_2.py"
        }
      }
    }
  ]
}

Currently this policy contains information about two Rules. In future, this policy may have more than 100 statements that will voilate the size of resource policy which is 20KB.

In my case the SourceArn will always start with arn:aws:events:us-east-1:XXXXXXXXXXXXX:rule/src. So I can use the * wildcard in SourceArn and reduce this resource policy to a single statement regardless of the number of Rules.

Possible Solutions?:

How can I avoid adding another resource policy to Lambda while creating a Rule via CDK?
Is it possible to remove the resource policy after adding a Rule via CDK only not via SDK?
Any other solution?

Topics

Serverless Compute Application Integration

Tags

AWS Lambda Amazon EventBridge

Language

English

Piyush

asked 13 days ago154 views

1 Answer

Newest
Most votes
Most comments

Accepted Answer

Finally I resolved this issue using L1 Rule Construct:

// Creating input for target
const input = JSON.stringify({
  job_name: jobAndRuleName,
  file_path: schedule.file_path,
  cpu: this.get_cpu(schedule?.cpu),
  ram: this.get_ram(this.get_cpu(schedule?.cpu)),
  job_queue: 'JOB-QUEUE',
  job_definition: 'JOB-DEFINITION',
});

// Creating rule
new events.CfnRule(this, jobAndRuleName, {
  name: jobAndRuleName,
  description: `This rule is created via CDK for file: ${schedule.file_path}`,
  scheduleExpression: `cron(${schedule.cron})`,
  state: schedule?.disable ? 'DISABLED' : 'ENABLED',
  targets: [
    {
      arn: this.lambda.functionArn,
      id: 'Target-SUBMIT-JOB-LAMBDA',
      input: input,
    },
  ],
});

Piyush

answered 13 days ago

EXPERT

Oleksii Bebych

reviewed 12 days ago

Relevant content

Eventbridge rule not triggering the target
IndieGameDeveloperFromParallelWorld
asked 7 months ago
EventBridge Rule Target ID
Glenn Comiskey
asked 12 days ago
Incorrect `$.detail.commitId` in codecommit EventBridge Rule using CDK
jc
asked 8 months ago
Creating EventBridge Bus, Lambdas and Security
Accepted Answer
wonderful world
asked 2 years ago
How do I add a CloudWatch log group to use as a target for an EventBridge rule?
AWS OFFICIALUpdated a month ago
How do I use AWS Batch as a target for my EventBridge rule?
AWS OFFICIALUpdated 3 years ago
Why is the EventBridge rule that was created using AWS CLI or AWS CloudFormation failing to invoke its target?
AWS OFFICIALUpdated a year ago
Why wasn't my Lambda function triggered by my EventBridge rule?
AWS OFFICIALUpdated 10 months ago
Monitor the state of BGP peering sessions in a Transit Gateway Connect peer using CloudWatch
EXPERT
George Murimi
published 5 months ago
A step-by-step guide to cross-account and cross-region events with EventBridge
EXPERT
Antonio_Lagrotteria
published a year ago