AWSTemplateFormatVersion: '2010-09-09' Transform: AWS::Serverless-2016-10-31 Description: > Purple service app for single bus, multi-account-pattern # More info about Globals: https://github.com/awslabs/serverless-application-model/blob/master/docs/globals.rst Globals: Function: Timeout: 3 Handler: app.lambda_handler Runtime: python3.9 Tags: pattern: single-bus-multi-account-pattern Parameters: EventBusName: Description: Name of the purple service app event bus Type: String Default: purple-service-event-bus DevOpsEventBusArn: Description: The ARN of the devops event bus # e.g. arn:aws:events:us-east-1:[DEVOPS-ACCOUNT]:event-bus/devops-event-bus Type: String Resources: # Event bus for purple service. In single bus topology # this is the target for the devops event bus rule PurpleServiceEventBus: Type: AWS::Events::EventBus Properties: Name: !Ref EventBusName PurpleServicePublisherE2: Type: AWS::Serverless::Function # More info about Function Resource: https://github.com/awslabs/serverless-application-model/blob/master/versions/2016-10-31.md#awsserverlessfunction Properties: CodeUri: purple_p_e2/ Policies: - Version: '2012-10-17' Statement: - Effect: Allow Action: - events:PutEvents Resource: "*" Environment: Variables: DEVOPS_EVENT_BUS_ARN: !Ref DevOpsEventBusArn PurpleServiceSubscriberE1: Type: AWS::Serverless::Function # More info about Function Resource: https://github.com/awslabs/serverless-application-model/blob/master/versions/2016-10-31.md#awsserverlessfunction Properties: CodeUri: purple_s_e1/ Events: PurpleE1Rule: Type: EventBridgeRule Properties: EventBusName: !Ref PurpleServiceEventBus Pattern: source: - com.exampleCorp.BlueService detail-type: - Event1 PurpleServiceSubscriberE3: Type: AWS::Serverless::Function # More info about Function Resource: https://github.com/awslabs/serverless-application-model/blob/master/versions/2016-10-31.md#awsserverlessfunction Properties: CodeUri: purple_s_e3/ Events: PurpleE3Rule: Type: EventBridgeRule Properties: EventBusName: !Ref PurpleServiceEventBus Pattern: source: - com.exampleCorp.OrangeService detail-type: - Event3 # Rule that is placed on the DevOps event bus for Event 2 PurpleServiceEvent1SubscriptionRule: Type: AWS::Events::Rule Properties: Name: PurpleE1Subscription Description: Cross account rule created by Blue service for event 2 EventBusName: !Ref DevOpsEventBusArn # ARN of the devops event bus EventPattern: source: - com.exampleCorp.BlueService detail-type: - Event1 State: ENABLED Targets: - Id: SendEvent1ToPurpleServiceEventBus Arn: !GetAtt PurpleServiceEventBus.Arn RoleArn: !GetAtt DevOpsEventBusToPurpleServiceEventBusRole.Arn DeadLetterConfig: Arn: !GetAtt PurpleServiceEventBusDlq.Arn # Rule that is placed on the DevOps event bus for Event 2 PurpleServiceEvent3SubscriptionRule: Type: AWS::Events::Rule Properties: Name: PurpleE3Subscription Description: Cross account rule created by Blue service for event 2 EventBusName: !Ref DevOpsEventBusArn # ARN of the devops event bus EventPattern: source: - com.exampleCorp.OrangeService detail-type: - Event3 State: ENABLED Targets: - Id: SendEvent3ToPurpleServiceEventBus Arn: !GetAtt PurpleServiceEventBus.Arn RoleArn: !GetAtt DevOpsEventBusToPurpleServiceEventBusRole.Arn DeadLetterConfig: Arn: !GetAtt PurpleServiceEventBusDlq.Arn # This IAM role allows EventBridge to assume the permissions necessary to send events # from the DevOps event bus to the Blue service event bus. No resource policy is required # on the Blue service event bus. DevOpsEventBusToPurpleServiceEventBusRole: Type: 'AWS::IAM::Role' Properties: AssumeRolePolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Principal: Service: - events.amazonaws.com Action: - 'sts:AssumeRole' Path: / Policies: - PolicyName: PutEventsOnPurpleServiceEventBus PolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Action: 'events:PutEvents' Resource: !GetAtt PurpleServiceEventBus.Arn # Blue service event bus targe DLQ PurpleServiceEventBusDlq: Type: AWS::SQS::Queue # SQS resource policy required to allow target on devops bus to send failed messages to target DLQ PurpleServiceEventBusDlqPolicy: Type: AWS::SQS::QueuePolicy Properties: Queues: - !Ref PurpleServiceEventBusDlq PolicyDocument: Statement: - Action: - "SQS:SendMessage" Effect: "Allow" Resource: !GetAtt PurpleServiceEventBusDlq.Arn Principal: Service: "events.amazonaws.com" Condition: ArnEquals: "aws:SourceArn": [ !GetAtt PurpleServiceEvent1SubscriptionRule.Arn, !GetAtt PurpleServiceEvent1SubscriptionRule.Arn ] Outputs: PurpleServicePublisherE2: Description: Lambda function name for purple service publishing event 2 Value: !Ref PurpleServicePublisherE2 PurpleServiceSubscriberE1: Description: Lambda function name for purple service subscriber to event 1 Value: !Ref PurpleServiceSubscriberE1 PurpleServiceSubscriberE3: Description: Lambda function name for purple service subscriber to event 3 Value: !Ref PurpleServiceSubscriberE3 PurpleServiceEventBusDlqUrl: Description: URL of the SQS Queue for rules DeadLetterConfig Value: !Ref PurpleServiceEventBusDlq PurpleServiceEventBusDlqArn: Description: ARN of the SQS Queue for rules DeadLetterConfig Value: !GetAtt PurpleServiceEventBusDlq.Arn