AWSTemplateFormatVersion: '2010-09-09' Transform: AWS::Serverless-2016-10-31 Description: > Orange service app for for single bus, multi-account-pattern # More info about Globals: https://github.com/awslabs/serverless-application-model/blob/master/docs/globals.rst Globals: Function: Handler: app.lambda_handler Runtime: python3.9 Timeout: 3 Parameters: EventBusName: Description: Name of the orange service app event bus Type: String Default: orange-service-event-bus DevOpsEventBusArn: Description: The ARN of the devops event bus # e.g. arn:aws:events:us-east-1:[DEVOPS-ACCOUNT]:event-bus/devops-event-bus Type: String Resources: # Event bus for orange service. In single bus topology # this is the target for the devops event bus rule OrangeServiceEventBus: Type: AWS::Events::EventBus Properties: Name: !Ref EventBusName OrangeServicePublisherE3: Type: AWS::Serverless::Function # More info about Function Resource: https://github.com/awslabs/serverless-application-model/blob/master/versions/2016-10-31.md#awsserverlessfunction Properties: CodeUri: orange_p_e3/ Policies: - Version: '2012-10-17' Statement: - Effect: Allow Action: - events:PutEvents Resource: "*" Environment: Variables: DEVOPS_EVENT_BUS_ARN: !Ref DevOpsEventBusArn OrangeServiceSubscriberE2: Type: AWS::Serverless::Function # More info about Function Resource: https://github.com/awslabs/serverless-application-model/blob/master/versions/2016-10-31.md#awsserverlessfunction Properties: CodeUri: orange_s_e2/ Events: OrangeE2Rule: Type: EventBridgeRule Properties: EventBusName: !Ref OrangeServiceEventBus Pattern: source: - com.exampleCorp.PurpleService detail-type: - Event2 # Rule that is placed on the DevOps event bus for Event 2 OrangeServiceEvent2SubscriptionRule: Type: AWS::Events::Rule Properties: Name: OrangeE2Subscription Description: Cross account rule created by Orange service for event 2 EventBusName: !Ref DevOpsEventBusArn # ARN of the devops event bus EventPattern: source: - com.exampleCorp.PurpleService detail-type: - Event2 State: ENABLED Targets: - Id: SendEvent2ToOrangeServiceEventBus Arn: !GetAtt OrangeServiceEventBus.Arn RoleArn: !GetAtt DevOpsEventBusToOrangeServiceEventBusRole.Arn DeadLetterConfig: Arn: !GetAtt OrangeServiceEventBusDlq.Arn # This IAM role allows EventBridge to assume the permissions necessary to send events # from the DevOps event bus to the Orange service event bus. No resource policy is required # on the Orange service event bus. DevOpsEventBusToOrangeServiceEventBusRole: Type: 'AWS::IAM::Role' Properties: AssumeRolePolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Principal: Service: - events.amazonaws.com Action: - 'sts:AssumeRole' Path: / Policies: - PolicyName: PutEventsOnOrangeServiceEventBus PolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Action: 'events:PutEvents' Resource: !GetAtt OrangeServiceEventBus.Arn # Orange service event bus targe DLQ OrangeServiceEventBusDlq: Type: AWS::SQS::Queue # SQS resource policy required to allow target on devops bus to send failed messages to target DLQ OrangeServiceEventBusDlqPolicy: Type: AWS::SQS::QueuePolicy Properties: Queues: - !Ref OrangeServiceEventBusDlq PolicyDocument: Statement: - Action: - "SQS:SendMessage" Effect: "Allow" Resource: !GetAtt OrangeServiceEventBusDlq.Arn Principal: Service: "events.amazonaws.com" Condition: ArnEquals: "aws:SourceArn": !GetAtt OrangeServiceEvent2SubscriptionRule.Arn Outputs: OrangeServicePublisherE3: Description: Lambda function name for Orange service publishing event 3 Value: !Ref OrangeServicePublisherE3 OrangeServiceSubscriberE2: Description: Lambda function name for orange service subscriber to event 2 Value: !Ref OrangeServiceSubscriberE2 OrangeServiceEventBusDlqUrl: Description: URL of the SQS Queue for rules DeadLetterConfig Value: !Ref OrangeServiceEventBusDlq OrangeServiceEventBusDlqArn: Description: ARN of the SQS Queue for rules DeadLetterConfig Value: !GetAtt OrangeServiceEventBusDlq.Arn