EventBridge Rules to Invoke Lambda and StepFunction

AWS EventBridge is an event bus service for loosely coupling different services and resources in a publish/subscribe pattern. A service publishes an event (i.e., a message) to a bus, and one or more other services subscribe to that event.

The subscription mechanism is implemented with individual rules. A rule defines the pattern of the events to be caught on the event bus and one or more targets to be invoked for each matching event, e.g. a Lambda function or a Step Functions state machine.



Motivation

This post is intended to serve as a blueprint for how to invoke these two services from rules and how to deal with the typical authorization challenges along the way. The required resources are defined as a CloudFormation template in JSON, but can easily be converted to YAML.

I created a test Lambda function and a test Step Functions state machine to be invoked by their respective EventBridge rule. I refer to these resources in CloudFormation as TestLambdaFunction and TestStateMachine, but these are just their logical IDs and are resolved to ARNs when the stack is deployed.



Invoke Step Functions State Machine

This CloudFormation snippet defines an event rule with the logical ID InvokeStateMachineEventRule and the name start-state-machine. It listens on the default event bus for events whose detail-type is set to start-state-machine.

Targets are the resources that are invoked when a rule matches. The intrinsic function Fn::GetAtt returns the ARN of TestStateMachine, which is specified as the target resource.
In addition, a target such as a state machine needs an IAM role, given as RoleArn, that EventBridge assumes in order to invoke the resource. Note that the event pattern is only routing: anyone allowed to call events:PutEvents on the bus can publish an event with this detail-type, so the permissions on the bus and on the targets, not the pattern, decide who can start the state machine.

{
  "InvokeStateMachineEventRule": {
    "Type": "AWS::Events::Rule",
    "Properties": {
      "EventBusName": "default",
      "EventPattern": {
        "detail-type": ["start-state-machine"]
      },
      "Name": "start-state-machine",
      "State": "ENABLED",
      "Targets": [
        {
          "Arn": {
            "Fn::GetAtt": ["TestStateMachine", "Arn"]
          },
          "Id": "TestStateMachine",
          "RoleArn": {
            "Fn::GetAtt": ["InvokeStateMachineIamRole", "Arn"]
          }
        }
      ]
    }
  }
}
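To make the selection behaviour of the EventPattern above concrete, here is an added example (not part of the original post) that re-implements the subset of EventBridge pattern matching the rule relies on in Python and runs it over a few constructed sample events. The sample events, the my.app source and the orderId field are assumptions for illustration; content filters such as {"prefix": ...} are deliberately not implemented.

```python
"""Simplified EventBridge pattern matching, as used by the post's start-state-machine rule:
every pattern key must be present in the event, a list of literals is an OR, keys are ANDed,
comparison is exact and case-sensitive, and extra event fields never prevent a match."""


def matches(pattern, event):
    """True if `event` satisfies every field of `pattern` (EventBridge semantics, simplified)."""
    for key, expected in pattern.items():
        if key not in event:
            return False  # a pattern key that is absent from the event never matches
        actual = event[key]
        if isinstance(expected, dict):  # nested pattern, e.g. "detail": {"orderId": [42]}
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
        else:  # list of allowed literals; an array field in the event matches if any element does
            values = actual if isinstance(actual, list) else [actual]
            if not any(v in expected for v in values):
                return False
    return True


# The post's rule pattern, and constructed sample events in the shape EventBridge delivers.
RULE_PATTERN = {"detail-type": ["start-state-machine"]}
SAMPLE_EVENTS = [
    {"source": "my.app", "detail-type": "start-state-machine", "detail": {"orderId": 42}},
    {"source": "my.app", "detail-type": "Start-State-Machine", "detail": {}},   # case differs
    {"source": "my.app", "detail-type": "start-lambda-function", "detail": {}},  # other rule
    {"source": "my.app", "detail": {"orderId": 7}},                              # key absent
]


def matching_indexes(pattern, events):
    """Indexes of the events a rule with `pattern` would deliver to its targets."""
    return [i for i, e in enumerate(events) if matches(pattern, e)]


if __name__ == "__main__":
    print(matching_indexes(RULE_PATTERN, SAMPLE_EVENTS))  # [0]
    # adding a second key narrows the rule: both conditions must hold
    print(matching_indexes({**RULE_PATTERN, "source": ["other.app"]}, SAMPLE_EVENTS))  # []
```

Only the first event reaches the state machine; the second fails on case, the third on value, and the fourth because the key is missing. Adding "source" to the pattern narrows routing but is not a security boundary, since the publisher chooses the source value.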

The IAM role is defined as InvokeStateMachineIamRole and contains an inline policy that allows the states:StartExecution action on the TestStateMachine resource only. Since the role is assumed by EventBridge to invoke another service's resource (the Step Functions state machine), the role's AssumeRolePolicyDocument property must allow the role to be assumed by the EventBridge service principal events.amazonaws.com. Both documents are properties of the role resource.

{
  "InvokeStateMachineIamRole": {
    "Type": "AWS::IAM::Role",
    "Properties": {
      "AssumeRolePolicyDocument": {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Principal": {
              "Service": ["events.amazonaws.com"]
            },
            "Action": "sts:AssumeRole"
          }
        ]
      },
      "Policies": [
        {
          "PolicyName": "InvokeStateMachineRolePolicy",
          "PolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [
              {
                "Effect": "Allow",
                "Action": ["states:StartExecution"],
                "Resource": [
                  {
                    "Fn::GetAtt": ["TestStateMachine", "Arn"]
                  }
                ]
              }
            ]
          }
        }
      ]
    }
  }
}



Invoke Lambda Function

The event rule InvokeLambdaFunctionEventRule is similar to the previous one, except that it is named start-lambda-function and listens for events whose detail-type is set to start-lambda-function. Its target resource is TestLambdaFunction, and RoleArn is deliberately omitted.

{
  "InvokeLambdaFunctionEventRule": {
    "Type": "AWS::Events::Rule",
    "Properties": {
      "EventBusName": "default",
      "EventPattern": {
        "detail-type": ["start-lambda-function"]
      },
      "Name": "start-lambda-function",
      "State": "ENABLED",
      "Targets": [
        {
          "Arn": {
            "Fn::GetAtt": ["TestLambdaFunction", "Arn"]
          },
          "Id": "TestLambdaFunction"
        }
      ]
    }
  }
}

If we provide a RoleArn for the TestLambdaFunction target, the deployment fails with an error:

UPDATE_FAILED: InvokeLambdaFunctionEventRule (AWS::Events::Rule)
RoleArn is not supported for target arn:aws:lambda:eu-central-1:xxxxxxxxxxxx:function:eventbridge-rule-example-dev-test.

Unlike other services, Lambda uses a resource-based policy to allow other AWS services to invoke a function on your behalf. Therefore, we add an InvokeLambdaFunctionPermission resource that allows the lambda:InvokeFunction action on the TestLambdaFunction resource (FunctionName accepts the function name or its ARN). Because the permission is used by an EventBridge rule, its Principal is events.amazonaws.com and its SourceArn is the ARN of InvokeLambdaFunctionEventRule, the rule that actually invokes the function. Without SourceArn (or SourceAccount) the statement would let any EventBridge rule, including rules in other accounts, invoke the function through the events.amazonaws.com principal, so scoping it to the rule is what prevents that.

{
  "InvokeLambdaFunctionPermission": {
    "Type": "AWS::Lambda::Permission",
    "Properties": {
      "FunctionName": {
        "Fn::GetAtt": ["TestLambdaFunction", "Arn"]
      },
      "Action": "lambda:InvokeFunction",
      "Principal": "events.amazonaws.com",
      "SourceArn": {
        "Fn::GetAtt": ["InvokeLambdaFunctionEventRule", "Arn"]
      }
    }
  }
}
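The two authorization patterns of this post (an assumable IAM role for the state machine target, a rule-scoped resource-based permission for the Lambda target) are easy to get subtly wrong, and CloudFormation only reports some of the mistakes at deploy time. The following is an added example, not code from the post or its repository: a small Python checker that walks every AWS::Events::Rule target in a template and reports what is missing. The embedded template is a constructed copy of the resources above with placeholder TestLambdaFunction and TestStateMachine resources; the REQUIRED_ACTION table and the broken_variants() helper are assumptions made for the example.

```python
"""Check the authorization wiring between EventBridge rules and their targets in a CloudFormation
template: a Lambda target must carry no RoleArn and needs an AWS::Lambda::Permission scoped to the
rule; any other target needs a RoleArn whose role trusts events.amazonaws.com and allows the action."""
import copy

EVENTS_PRINCIPAL = "events.amazonaws.com"
# Action EventBridge needs on a non-Lambda target, by type (assumption: only the post's case is listed).
REQUIRED_ACTION = {"AWS::StepFunctions::StateMachine": "states:StartExecution"}

def _rule(detail_type, target_id, role_id=None):
    """Build an AWS::Events::Rule resource in the shape used by the post."""
    target = {"Arn": {"Fn::GetAtt": [target_id, "Arn"]}, "Id": target_id}
    if role_id:
        target["RoleArn"] = {"Fn::GetAtt": [role_id, "Arn"]}
    return {"Type": "AWS::Events::Rule", "Properties": {
        "EventBusName": "default", "EventPattern": {"detail-type": [detail_type]},
        "Name": detail_type, "State": "ENABLED", "Targets": [target]}}

# Constructed template: the post's rules, role and permission plus placeholder target resources.
TEMPLATE = {"Resources": {
    "TestLambdaFunction": {"Type": "AWS::Lambda::Function", "Properties": {}},
    "TestStateMachine": {"Type": "AWS::StepFunctions::StateMachine", "Properties": {}},
    "InvokeStateMachineEventRule": _rule("start-state-machine", "TestStateMachine", "InvokeStateMachineIamRole"),
    "InvokeLambdaFunctionEventRule": _rule("start-lambda-function", "TestLambdaFunction"),
    "InvokeStateMachineIamRole": {"Type": "AWS::IAM::Role", "Properties": {
        "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
            "Principal": {"Service": [EVENTS_PRINCIPAL]}, "Action": "sts:AssumeRole"}]},
        "Policies": [{"PolicyName": "InvokeStateMachineRolePolicy", "PolicyDocument": {
            "Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": ["states:StartExecution"],
            "Resource": [{"Fn::GetAtt": ["TestStateMachine", "Arn"]}]}]}}]}},
    "InvokeLambdaFunctionPermission": {"Type": "AWS::Lambda::Permission", "Properties": {
        "FunctionName": {"Fn::GetAtt": ["TestLambdaFunction", "Arn"]}, "Action": "lambda:InvokeFunction",
        "Principal": EVENTS_PRINCIPAL, "SourceArn": {"Fn::GetAtt": ["InvokeLambdaFunctionEventRule", "Arn"]}}},
}}

def _logical_id(value):
    """Logical ID behind {"Fn::GetAtt": [id, "Arn"]} or {"Ref": id}; None for anything else."""
    if isinstance(value, dict):
        return value["Fn::GetAtt"][0] if "Fn::GetAtt" in value else value.get("Ref")
    return None

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _role_trusts_events(role):
    """True if the trust policy (which must sit inside Properties) lets EventBridge assume the role."""
    for st in role["Properties"].get("AssumeRolePolicyDocument", {}).get("Statement", []):
        principal = st.get("Principal") if isinstance(st.get("Principal"), dict) else {}
        if (st.get("Effect") == "Allow" and "sts:AssumeRole" in _as_list(st.get("Action"))
                and EVENTS_PRINCIPAL in _as_list(principal.get("Service"))):
            return True
    return False

def _role_allows(role, action, target_id):
    """True if an inline policy of the role allows `action` on the target (or on "*")."""
    for pol in role["Properties"].get("Policies", []):
        for st in pol["PolicyDocument"].get("Statement", []):
            if (st.get("Effect") == "Allow" and action in _as_list(st.get("Action")) and any(
                    r == "*" or _logical_id(r) == target_id for r in _as_list(st.get("Resource")))):
                return True
    return False

def _permission_exists(resources, function_id, rule_id):
    """True if a Lambda resource policy lets EventBridge invoke the function, scoped to this rule."""
    return any(r.get("Type") == "AWS::Lambda::Permission" and p.get("Action") == "lambda:InvokeFunction"
               and p.get("Principal") == EVENTS_PRINCIPAL and _logical_id(p.get("FunctionName")) == function_id
               and _logical_id(p.get("SourceArn")) == rule_id
               for r in resources.values() for p in [r.get("Properties", {})])

def check_template(template):
    """One finding per missing piece of wiring; an empty list means every rule can invoke its targets."""
    findings, resources = [], template["Resources"]
    for rule_id, rule in resources.items():
        if rule.get("Type") != "AWS::Events::Rule":
            continue
        for target in rule["Properties"].get("Targets", []):
            tid = _logical_id(target.get("Arn"))
            ttype = resources.get(tid, {}).get("Type")
            if ttype == "AWS::Lambda::Function":  # resource-based permission, no RoleArn allowed
                if "RoleArn" in target:
                    findings.append(f"{rule_id}: RoleArn is not supported for Lambda target {tid}")
                if not _permission_exists(resources, tid, rule_id):
                    findings.append(f"{rule_id}: no lambda:InvokeFunction permission on {tid} scoped to this rule")
                continue
            role = resources.get(_logical_id(target.get("RoleArn")), {})  # role EventBridge assumes
            if role.get("Type") != "AWS::IAM::Role":
                findings.append(f"{rule_id}: target {tid} needs a RoleArn pointing at an AWS::IAM::Role")
            elif not _role_trusts_events(role):
                findings.append(f"{rule_id}: role for {tid} does not trust {EVENTS_PRINCIPAL}")
            elif ttype in REQUIRED_ACTION and not _role_allows(role, REQUIRED_ACTION[ttype], tid):
                findings.append(f"{rule_id}: role for {tid} does not allow {REQUIRED_ACTION[ttype]}")
    return findings

def broken_variants():
    """Constructed copies of TEMPLATE, each with one wiring mistake that deployment or runtime rejects."""
    misplaced, on_lambda, unscoped = (copy.deepcopy(TEMPLATE) for _ in range(3))
    role = misplaced["Resources"]["InvokeStateMachineIamRole"]
    role["AssumeRolePolicyDocument"] = role["Properties"].pop("AssumeRolePolicyDocument")  # sibling, not property
    on_lambda["Resources"]["InvokeLambdaFunctionEventRule"]["Properties"]["Targets"][0]["RoleArn"] = {
        "Fn::GetAtt": ["InvokeStateMachineIamRole", "Arn"]}
    del unscoped["Resources"]["InvokeLambdaFunctionPermission"]["Properties"]["SourceArn"]
    return {"trust policy outside Properties": misplaced, "RoleArn on Lambda target": on_lambda,
            "permission without SourceArn": unscoped}

if __name__ == "__main__":
    print(check_template(TEMPLATE) or "no findings", {k: check_template(v) for k, v in broken_variants().items()})
```

The three broken variants correspond to mistakes that are easy to make with these resources: a trust policy placed next to Properties instead of inside it (the role then trusts nobody and the rule silently fails to start executions), a RoleArn on the Lambda target (the UPDATE_FAILED error quoted above), and a Lambda permission without SourceArn (deploys fine, but lets any EventBridge rule in any account invoke the function). Running check_template on the post's template returns no findings; each variant returns exactly one.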



GitHub Repository

I deployed all resources using the Serverless Framework, but only to quickly create the Lambda function and Step Functions state machine. All the essential resources are defined as plain AWS CloudFormation templates and are valid when deployed in other ways, e.g. with AWS SAM, the AWS CLI, etc.

Feel free to check out the complete template and deploy it in your own AWS account: GitHub repository
