
How to fix this? Error: creating EventBridge connection (xxxxx): ValidationException: Failed to create the connection(s). Failed to create the secret because the user is not authorized to perform the operation on secret 'events!connection/xxxx/xxxx'. [...] status code: 400, request id: xxxx

The relevant Terraform code defined:

  • An EventBridge rule (aws_cloudwatch_event_rule)
  • An EventBridge target (aws_cloudwatch_event_target) that references a rule name and a destination ARN.
  • An API Destination (aws_cloudwatch_event_api_destination) that specifies an external webhook URL but is also required (by the Terraform AWS provider) to reference a connection ARN.
  • A connection (aws_cloudwatch_event_connection).

The particular webhook does not actually require any authentication, so the connection was specified as:

resource "aws_cloudwatch_event_connection" "this" {
  name               = "xxx"
  authorization_type = "API_KEY"

  auth_parameters {
    api_key {
      key   = "Dummy"
      value = "None"
    }
  }
}

Is the problem that the Terraform role itself needs additional privileges, or that the .tf file needs to additionally define policies associated with these particular resources?

benjimin
    The AWS credentials which are used to run your Terraform code to create the resources are missing permissions for event connections. This error is coming from AWS, not Terraform. – Chris Doyle Mar 25 '23 at 09:12

1 Answer

The docs for AWS EventBridge API Destinations include the note:

To successfully create or update a connection, you must use an account that has permission to use Secrets Manager...

It also references a suggested best practice (at least for OAuth credentials and when using CloudFormation), which is to manually create a secret (in Secrets Manager) and then reference it from the infrastructure code. However, it doesn't appear that the Terraform AWS provider currently supports this pattern.

(Incidentally, it would be possible to achieve the same effect without increasing Terraform permissions by instead using a Lambda or SSM Automation executeScript to perform the HTTP request, also gaining more control of how the event is communicated.)

benjimin
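The answer above points at the principal running Terraform, not at the .tf file: EventBridge stores the connection credentials in a Secrets Manager secret under the `events!connection/` prefix that appears in the error message, and the caller needs permission on that secret. The following is an added example, not code from the question or answer, of a least-privilege IAM policy for that principal. The action list is an assumption based on the EventBridge connection documentation (verify it against the current IAM action reference), and the role name is a placeholder.

```hcl
# Added example: Secrets Manager permissions for the principal that runs
# `terraform apply`, scoped to the secrets EventBridge manages for connections.
# The action list is assumed from the EventBridge docs; confirm before relying on it.

data "aws_iam_policy_document" "eventbridge_connection_secrets" {
  statement {
    sid    = "EventBridgeConnectionSecrets"
    effect = "Allow"

    actions = [
      "secretsmanager:CreateSecret",
      "secretsmanager:DescribeSecret",
      "secretsmanager:GetSecretValue",
      "secretsmanager:PutSecretValue",
      "secretsmanager:UpdateSecret",
      "secretsmanager:DeleteSecret",
    ]

    # Restrict to the EventBridge-managed prefix seen in the error message.
    # A bare "*" here would let the Terraform principal read every secret
    # in the account, including ones unrelated to EventBridge.
    resources = ["arn:aws:secretsmanager:*:*:secret:events!connection/*"]
  }
}

resource "aws_iam_policy" "eventbridge_connection_secrets" {
  name   = "terraform-eventbridge-connection-secrets" # assumed name
  policy = data.aws_iam_policy_document.eventbridge_connection_secrets.json
}

# Attach to the role Terraform assumes. TERRAFORM_RUNNER_ROLE_NAME is a placeholder.
resource "aws_iam_role_policy_attachment" "terraform_runner" {
  role       = "TERRAFORM_RUNNER_ROLE_NAME"
  policy_arn = aws_iam_policy.eventbridge_connection_secrets.arn
}
```

Apply this from a principal that already has IAM permissions (a bootstrap configuration or an administrator), not from the same run that fails: the run that cannot create the secret cannot grant itself the permission either. Defining policies for the EventBridge resources inside the failing .tf file does not help, because the ValidationException is raised before those resources exist.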