-1

Trying to create an EventBridge rule to get event 'CreateRole' from source 'aws.iam'.

The events coming from CloudTrail have an array 'resources' with 3 elements: rolename, arn, account_id. They have a pattern like:

"Resources": [
                {
                    "ResourceType": "AWS::IAM::Role",
                    "ResourceName": "********gdggdgd***"
                },
                {
                    "ResourceType": "AWS::IAM::Role",
                    "ResourceName": "arn:aws:iam::<account_id>:role/sample-test-5"
                },
                {
                    "ResourceType": "AWS::IAM::Role",
                    "ResourceName": "sample-test-5"
                }
            ]

But the order of these elements is random: in some events the role name sample-test-5 comes as the 1st element, and in some events it comes in the middle or last.

Now, inside the Lambda, I am using json to extract the rolename like this:

 role_name = event['Resources'][0]['ResourceName']

so that using role_name I can get a boto3 client. But because of the random order of elements in the array, in some cases I am unable to get the correct role_name and fail to get the boto3 client.

I tried to get the rolename directly using the boto3 client, but that's unavailable. To get the role, the parameter RoleName needs to be passed:

response = client.get_role(
    RoleName='string'
)

So how can I get the rolename from the raw events when the order of the elements is random?

Can I also define a rule in EventBridge so that the sent events come in a pattern specified by the user?

Please share any pointers or examples.

Thanks

Himanshu Singh
  • What are your criteria by which you define "correct role_name"? How would you differentiate the "correct" one from the rest? – Marcin Feb 11 '21 at 03:31

2 Answers

1

EventBridge allows you to match against arrays depending on your event and rule pattern. You can see a reference at https://docs.aws.amazon.com/eventbridge/latest/userguide/arrays-in-eventbridge-event-patterns.html

For example, consider an event pattern that includes the following.

  "resources": [
   "arn:aws:ec2:us-east-1:123456789012:instance/i-b188560f",
   "arn:aws:ec2:us-east-1:111122223333:instance/i-b188560f",
   "arn:aws:ec2:us-east-1:444455556666:instance/i-b188560f"
  ]

This example pattern matches an event that includes the following text, because the first item in the pattern array matches the second item in the event array.

 "resources": [
   "arn:aws:autoscaling:us-east-1:123456789012:autoScalingGroup:eb56d16b-bbf0-401d-b893-d5978ed4a025:autoScalingGroupName/ASGTerminate",
   "arn:aws:ec2:us-east-1:123456789012:instance/i-b188560f"
  ]

EventBridge doesn't control the order in which events arrive. If you need the events to be in a specific order before you read them, you probably need to sort them.

From https://stackoverflow.com/a/57714526

>>> from operator import itemgetter
>>> arr = [{'score': 10, 'name': 'Bob'}, {'score': 15, 'name':'Susan'}, {'score': 1, 'name': 'Skippy'}]
>>> sorted(arr, key=itemgetter('score'), reverse=True)
[{'score': 15, 'name': 'Susan'}, {'score': 10, 'name': 'Bob'}, {'score': 1, 'name': 'Skippy'}]
blr
  • Actually the CreateRole was getting encapsulated inside another object returned by EventBridge. That's why I was doing it in wrong way. – Himanshu Singh Feb 12 '21 at 16:03
0

EventBridge sends events inside a "detail" block. So to access the information for roleName, I used the following:

role_name = event['detail']['requestParameters']['roleName']

This actually worked.

Also, it is confusing if you watch the same event in CloudTrail, which actually shows the original event without encapsulating it inside the 'detail' object.

Himanshu Singh
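Putting both answers together, here is an added example (not code from the question or either answer) of the extraction logic a Lambda would run: it reads the role name from detail.requestParameters as the second answer does and, if that field is absent, falls back to picking the role ARN out of the unordered resources array, which is unambiguous whatever position it lands in. The sample event is constructed, the account id is fake, and EVENT_PATTERN is my assumption from the AWS docs, not something the post shows.

```python
import re

# Rule pattern for the question's goal (assumed from the AWS docs, not from the post).
EVENT_PATTERN = {
    "source": ["aws.iam"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {"eventSource": ["iam.amazonaws.com"], "eventName": ["CreateRole"]},
}

# Constructed sample as EventBridge delivers it: the CloudTrail record sits under
# "detail", and the resources array arrives in no fixed order. Account id is fake.
SAMPLE_EVENT = {
    "source": "aws.iam",
    "detail-type": "AWS API Call via CloudTrail",
    "detail": {
        "eventSource": "iam.amazonaws.com",
        "eventName": "CreateRole",
        "requestParameters": {"roleName": "sample-test-5", "path": "/"},
        "Resources": [
            {"ResourceType": "AWS::IAM::Role", "ResourceName": "********gdggdgd***"},
            {"ResourceType": "AWS::IAM::Role", "ResourceName": "sample-test-5"},
            {"ResourceType": "AWS::IAM::Role",
             "ResourceName": "arn:aws:iam::123456789012:role/sample-test-5"},
        ],
    },
}

# IAM role ARN: arn:aws:iam::<12-digit account>:role/<optional path/><name>
ROLE_ARN = re.compile(r"^arn:aws[\w-]*:iam::\d{12}:role/(?:.*/)?([\w+=,.@-]+)$")


def role_name_from_resources(resources):
    """Fallback: find the role ARN in the unordered array and return its name.
    Handles the post's {ResourceType, ResourceName} shape and raw CloudTrail {type, ARN}."""
    for item in resources:
        kind = item.get("ResourceType") or item.get("type")
        match = ROLE_ARN.match(item.get("ResourceName") or item.get("ARN") or "")
        if kind == "AWS::IAM::Role" and match:
            return match.group(1)
    return None


def extract_role_name(event):
    """Role name for a CreateRole event, or None. Prefers detail.requestParameters."""
    detail = event.get("detail", event)  # also tolerate a raw CloudTrail record
    if detail.get("eventName") != "CreateRole":
        return None
    name = (detail.get("requestParameters") or {}).get("roleName")
    if name:
        return name
    resources = detail.get("Resources") or detail.get("resources") or []
    return role_name_from_resources(resources)
```

The returned name is what you would pass to iam.get_role(RoleName=name); the masked and plain-name entries never match the ARN pattern, so the fallback cannot pick the wrong element.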