0

I have an EventBridge rule that looks like this:

{
  "source": ["redshift.amazonaws.com"],
  "detail-type": ["AWS API Call via CloudTrail"],
  "detail": {
    "eventSource": ["redshift.amazonaws.com"],
    "eventName": ["CreateCluster"],
    "requestParameters": {
      "clusterIdentifier": ["some-redshift-cluster"]
    }
  }
}

As you can see, I want to invoke that rule on the cluster creation event. The problem is that the rule above doesn't get invoked, so it won't trigger the specific Lambda that is set as the target of the rule.

As an experiment I've created a mock event on the default event bus and sent it. The EventBridge rule matches this event, which looks like this:

{
  "version": "0",
  "id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
  "detail-type": "AWS API Call via CloudTrail",
  "source": "redshift.amazonaws.com",
  "account": "xxxxxxxxxxxx",
  "time": "2023-07-04T10:13:01Z",
  "region": "us-east-1",
  "resources": [],
  "detail": {
    "eventVersion": "1.08",
    "userIdentity": {
      "type": "IAMUser",
      "principalId": "xxxxxxxxxxxxxxxxxxxxx",
      "arn": "arn:aws:iam::xxxxxxxxxxxx:user/xxxxx.xxxxxx@xxxxxx.xxx",
      "accountId": "xxxxxxxxxxxx",
      "accessKeyId": "xxxxxxxxxxxxxxxxxxxx",
      "userName": "xxxxx.xxxxxx@xxxxxx.xxx"
    },
    "eventTime": "2023-07-04T07:03:13Z",
    "eventSource": "redshift.amazonaws.com",
    "eventName": "CreateCluster",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "xx.xx.xx.xxx",
    "userAgent": "xxx",
    "requestParameters": {
      "dBName": "xxx",
      "clusterIdentifier": "some-redshift-cluster",
      "clusterType": "single-node",
      "nodeType": "dc2.large",
      "masterUsername": "xxxxxxxxx",
      "masterUserPassword": "HIDDEN_DUE_TO_SECURITY_REASONS",
      "vpcSecurityGroupIds": [
        "xx-xxxxxxxxxxxxxxxxx"
      ]
    }
  }
}

I've replaced each piece of sensitive data with x characters. There is much more info in the detail key, but I've skipped it.

The value of this detail key is the Event Record content from the CreateCluster event located in the Event History in CloudTrail after the Redshift cluster is created. There are no keys like version, id, source etc. on the higher level and I think that's the reason why that rule can't match the cluster creation event. How can I edit this rule to make it work on the real CreateCluster event that happens while the cluster is created?

Edit: I tried with this pattern for redshift

{
  "source": ["aws.redshift"],
  "detail-type": ["AWS API Call via CloudTrail"],
  "detail": {
    "eventSource": ["redshift.amazonaws.com"],
    "eventName": ["CreateCluster"],
    "requestParameters": {
      "clusterIdentifier": ["some-redshift-cluster"]
    }
  }
}

and it doesn't work either. I even created a rule triggered on S3 bucket creation:

{
  "source": ["aws.s3"],
  "detail": {
    "eventSource": ["s3.amazonaws.com"],
    "eventName": ["CreateBucket"],
    "requestParameters": {
      "bucketName": ["some-bucket"]
    }
  }
}

Even the S3 rule has no triggers.

Dawid_K
  • 141
  • 1
  • 1
  • 10
  • By default, the S3 bucket won't send messages to EventBridge so make sure to [enable](https://docs.aws.amazon.com/AmazonS3/latest/userguide/enable-event-notifications-eventbridge.html) them. – codeninja.sj Jul 06 '23 at 21:52

3 Answers

2

The record visible in CloudTrail corresponds to a CreateCluster event, not an EventBridge event. This is why you were unable to view the id, source, and version fields. However, when the same CreateCluster event is sent through the EventBridge, it will contain all the mentioned fields (id, source, version), as they are mandatory for EventBridge events. In addition to that, the detail field in the EventBridge event is a placeholder for the CreateCluster event that you saw in CloudTrail.

The CreateCluster event on EventBridge resembles the sample response that you mentioned in the question. However, it's important to note that the actual CreateCluster event on EventBridge contains the value aws.redshift in the source field, not redshift.amazonaws.com.

Therefore, to invoke a lambda function for a CreateCluster event, use the following EventBridge rule:

{
  "source": ["aws.redshift"],
  "detail-type": ["AWS API Call via CloudTrail"],
  "detail": {
    "eventSource": ["redshift.amazonaws.com"],
    "eventName": ["CreateCluster"],
    "requestParameters": {
      "clusterIdentifier": ["some-redshift-cluster"]
    }
  }
}

Edit:

Try the following link to troubleshoot why your EventBridge rule is not triggering your lambda target: https://repost.aws/knowledge-center/eventbridge-rules-troubleshoot

codeninja.sj
  • 3,452
  • 1
  • 20
  • 37
  • Unfortunately this pattern doesn't work. Do you have any ideas what can cause it? I can see such a creation event in event history, but for some reason this pattern can't. – Dawid_K Jul 05 '23 at 09:25
  • Try to create an event rule for all redshift events `{ "source": ["aws.redshift"] }`, and see whether those events reached your lambda function. If it does, then log those messages and based on them, you can alter your event rule. – codeninja.sj Jul 05 '23 at 09:48
  • I had created such a rule and then created redshift cluster. Despite the presence of the event in the event history, the lambda did not invoke – Dawid_K Jul 05 '23 at 10:14
  • How did you create the EventBridge rule and Lambda function? is it manual or from a script? If it's from the script, did you give permission to the EventBridge rule to invoke your lambda function? – codeninja.sj Jul 05 '23 at 12:13
  • It's built based on terraform files. I think the permissions are set well, because in the example shown in the question (event sent manually) the lambda works. I tried with `aws.config` as was suggested in the answer below and it works too, but I don't really want to have Config Recording enabled (unless it's necessary). The funniest thing is that it used to work a couple of days ago. No one changed anything and suddenly, bum! The event pattern can't match the rule with a source of `aws.redshift`. – Dawid_K Jul 05 '23 at 12:24
  • I don't see any need for `aws config` as you can track the `CreateCluster` events directly on EventBridge. Btw, Unless there are some changes between the EventBridge rule and Lambda function, it is improbable for the trigger to stop functioning. Try [this](https://repost.aws/knowledge-center/eventbridge-rules-troubleshoot) link to troubleshoot your issue, which will help you figure out the actual root cause. – codeninja.sj Jul 05 '23 at 19:41
  • There's a problem with matching the correct event or something. In the monitoring section I see no invocations, not even failed ones. In CloudWatch I tried to find the `TriggeredRules` metric for my rule but there weren't any records. I tried with the source as `aws.redshift`, `aws.cloudtrail` and `redshift.amazonaws.com` - no triggers with any of these. – Dawid_K Jul 06 '23 at 10:31
1

To invoke your EventBridge rule on resource creation, I suggest you take the source as aws.config (keeping in mind that in future you will move to other resources as well).

You can add AWS::Redshift::Cluster as resource type in the event pattern.

For more info please take a look at these pages:

https://medium.com/@TechStoryLines/receive-sns-alerts-when-new-resources-are-created-in-your-aws-account-db749b16445f

https://techstorylines.hashnode.dev/receive-sns-alerts-when-new-resources-are-created-in-your-aws-account

Tyler2P
  • 2,324
  • 26
  • 22
  • 31
  • Is it possible to specify a name of the cluster, so the rule will match only event of creation one specific cluster with name e.g. "xyz"? – Dawid_K Jul 05 '23 at 10:18
  • 1
    Yes, it can be achieved. Add the "resourceName" parameter that matches the cluster name. Use prefix if you have a common naming convention. E.g. you will get an email if you create a resource with name "xyza-23-abc": `{ "detail": { "configurationItem": { "configurationItemStatus": ["ResourceDiscovered"], "resourceType": ["AWS::S3::Bucket"], "resourceName": [{ "prefix": "xyz" }] }, "messageType": ["ConfigurationItemChangeNotification"] }, "detail-type": ["Config Configuration Item Change"], "source": ["aws.config"] }` – sahith palika Jul 05 '23 at 10:51
  • Great, I'll keep it in mind. I would prefer to gather the events from `aws.redshift`, because `aws.config` causes some changes in the code and additional costs. – Dawid_K Jul 05 '23 at 12:26
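The accepted explanation above (the CloudTrail record is only the `detail` of the EventBridge event, and the envelope's `source` is `aws.redshift`) and the Config `prefix` suggestion in the second answer both come down to how EventBridge pattern matching works. The following is an added example, not code from the question or either answer: a small offline matcher for the subset of the EventBridge pattern grammar these posts use (lists of literal values, nested objects, and the `{"prefix": ...}` operator). All event data below is constructed, the Config pattern uses `AWS::Redshift::Cluster` instead of the S3 type from the comment, and `first_mismatch` is a helper written here for troubleshooting, not an AWS API.

```python
"""Offline EventBridge event-pattern matcher (added example, subset of the real grammar).

Semantics implemented, matching the EventBridge rules used on this page:
  * list of literal values  -> the event field must equal one of them
  * nested object           -> recurse into the event's nested object
  * {"prefix": "..."}       -> the event string must start with the prefix
  * an array in the event   -> matches if any element matches
Not implemented: numeric, anything-but, exists, suffix, wildcard, etc.
"""
import json

# --- Constructed sample events (no real account data) ------------------------
# What EventBridge actually delivers for a CloudTrail-recorded API call: an
# envelope (version/id/source/...) whose `detail` is the CloudTrail record.
REDSHIFT_EVENT = {
    "version": "0",
    "id": "00000000-0000-0000-0000-000000000000",
    "detail-type": "AWS API Call via CloudTrail",
    "source": "aws.redshift",  # NOT redshift.amazonaws.com; that string lives in detail.eventSource
    "account": "111111111111",
    "region": "us-east-1",
    "detail": {
        "eventSource": "redshift.amazonaws.com",
        "eventName": "CreateCluster",
        "requestParameters": {
            "clusterIdentifier": "some-redshift-cluster",
            "vpcSecurityGroupIds": ["sg-00000000000000000"],
        },
    },
}

# A Config "Configuration Item Change" event, as in the second answer's approach.
CONFIG_EVENT = {
    "source": "aws.config",
    "detail-type": "Config Configuration Item Change",
    "detail": {
        "messageType": "ConfigurationItemChangeNotification",
        "configurationItem": {
            "configurationItemStatus": "ResourceDiscovered",
            "resourceType": "AWS::Redshift::Cluster",
            "resourceName": "xyza-23-abc",
        },
    },
}

# --- Patterns from the page ---------------------------------------------------
ORIGINAL_PATTERN = {
    "source": ["redshift.amazonaws.com"],  # the question's first attempt
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["redshift.amazonaws.com"],
        "eventName": ["CreateCluster"],
        "requestParameters": {"clusterIdentifier": ["some-redshift-cluster"]},
    },
}
CORRECTED_PATTERN = {**ORIGINAL_PATTERN, "source": ["aws.redshift"]}  # the accepted answer's rule
CONFIG_PREFIX_PATTERN = {
    "source": ["aws.config"],
    "detail-type": ["Config Configuration Item Change"],
    "detail": {
        "messageType": ["ConfigurationItemChangeNotification"],
        "configurationItem": {
            "configurationItemStatus": ["ResourceDiscovered"],
            "resourceType": ["AWS::Redshift::Cluster"],
            "resourceName": [{"prefix": "xyz"}],
        },
    },
}


def _alternative_matches(alt, actual):
    """One pattern alternative against one event value (event arrays: any element)."""
    candidates = actual if isinstance(actual, list) else [actual]
    if isinstance(alt, dict):  # operator form; only "prefix" is supported here
        prefix = alt.get("prefix")
        return prefix is not None and any(
            isinstance(c, str) and c.startswith(prefix) for c in candidates)
    return any(c == alt for c in candidates)


def first_mismatch(pattern, event, path=""):
    """Return the dotted path of the first pattern key the event fails, or None on a full match."""
    for key, expected in pattern.items():
        here = f"{path}.{key}" if path else key
        if key not in event:
            return here
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict):
                return here
            nested = first_mismatch(expected, actual, here)
            if nested is not None:
                return nested
        elif isinstance(expected, list):
            if not any(_alternative_matches(alt, actual) for alt in expected):
                return here
        else:
            raise ValueError(f"pattern value at {here} must be a list or an object")
    return None


def matches(pattern, event):
    return first_mismatch(pattern, event) is None


if __name__ == "__main__":
    for name, pat, ev in [("original vs EventBridge event", ORIGINAL_PATTERN, REDSHIFT_EVENT),
                          ("corrected vs EventBridge event", CORRECTED_PATTERN, REDSHIFT_EVENT),
                          ("corrected vs bare CloudTrail record", CORRECTED_PATTERN, REDSHIFT_EVENT["detail"]),
                          ("config prefix vs Config event", CONFIG_PREFIX_PATTERN, CONFIG_EVENT)]:
        print(f"{name}: first mismatch = {json.dumps(first_mismatch(pat, ev))}")
```

Running it shows the two failure modes discussed in the thread side by side: the original pattern fails at `source` because the envelope says `aws.redshift`, and the corrected pattern applied to the bare CloudTrail record (what you see in Event History) also fails at `source`, because that record has no envelope at all. The `prefix` case reproduces the Config-based matching from the second answer's comments.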
-1

The problem was a lack of a Trail in CloudTrail. I've read some texts where it was said EventBridge rules don't need the Trail enabled to work properly. I had no better ideas, so I made one and now the rule matches the event and successfully invokes its targets.

It's a weird solution that I don't really understand, because in this project I have a lambda being invoked on a different EventBridge rule and that one worked well (the source of that rule is aws.redshift-data). Perhaps there are events that can be matched with patterns only with an enabled trail?

Dawid_K
  • 141
  • 1
  • 1
  • 10
  • As it’s currently written, your answer is unclear. Please [edit] to add additional details that will help others understand how this addresses the question asked. You can find more information on how to write good answers [in the help center](/help/how-to-answer). – Community Jul 13 '23 at 21:36
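The last answer reports that the rule only started matching once a CloudTrail trail existed. An added example, not from any post on this page, that checks this precondition the way a defender would before debugging an event pattern: does the account have a trail that is logging, covers the region, and records management write events (the category `CreateCluster` falls in)? The response shapes follow boto3's `cloudtrail` `describe_trails`, `get_trail_status` and `get_event_selectors`; the sample responses are constructed, and treating a multi-region trail as covering every region is an assumption stated in the code.

```python
"""Find CloudTrail trails that would record management write API calls in a region.

Added example. The three sample responses below are constructed in the shape
boto3 returns; `check_live` runs the same logic against a real account.
"""

REGION = "us-east-1"
MGMT = "arn:aws:cloudtrail:us-east-1:111111111111:trail/mgmt-trail"
DATA = "arn:aws:cloudtrail:eu-west-1:111111111111:trail/s3-data-only"
RONLY = "arn:aws:cloudtrail:us-east-1:111111111111:trail/readonly-mgmt"

# Constructed describe_trails()["trailList"]
TRAILS = [
    {"Name": "mgmt-trail", "TrailARN": MGMT, "HomeRegion": "us-east-1", "IsMultiRegionTrail": True},
    {"Name": "s3-data-only", "TrailARN": DATA, "HomeRegion": "eu-west-1", "IsMultiRegionTrail": False},
    {"Name": "readonly-mgmt", "TrailARN": RONLY, "HomeRegion": "us-east-1", "IsMultiRegionTrail": False},
]
# Constructed get_trail_status() per trail
STATUS = {MGMT: {"IsLogging": True}, DATA: {"IsLogging": True}, RONLY: {"IsLogging": True}}
# Constructed get_event_selectors() per trail (basic and advanced selector forms)
SELECTORS = {
    MGMT: {"EventSelectors": [{"ReadWriteType": "All", "IncludeManagementEvents": True}]},
    DATA: {"AdvancedEventSelectors": [{"Name": "S3 objects only", "FieldSelectors": [
        {"Field": "eventCategory", "Equals": ["Data"]},
        {"Field": "resources.type", "Equals": ["AWS::S3::Object"]}]}]},
    RONLY: {"AdvancedEventSelectors": [{"Name": "read-only mgmt", "FieldSelectors": [
        {"Field": "eventCategory", "Equals": ["Management"]},
        {"Field": "readOnly", "Equals": ["true"]}]}]},
}


def records_management_writes(selectors):
    """True if a trail's selectors include management events that are not read-only."""
    for es in selectors.get("EventSelectors", []):
        if es.get("IncludeManagementEvents") and es.get("ReadWriteType", "All") in ("All", "WriteOnly"):
            return True
    for aes in selectors.get("AdvancedEventSelectors", []):
        fields = {f["Field"]: f for f in aes.get("FieldSelectors", [])}
        category = fields.get("eventCategory", {}).get("Equals", [])
        read_only = fields.get("readOnly", {}).get("Equals", [])
        if "Management" in category and read_only != ["true"]:
            return True
    return False


def trails_delivering_api_calls(region, trails, statuses, selectors):
    """ARNs of trails that are logging, cover `region`, and record management write events.

    Assumption: a multi-region trail covers every region; a single-region
    trail covers only its HomeRegion.
    """
    found = []
    for t in trails:
        arn = t["TrailARN"]
        covers_region = t.get("IsMultiRegionTrail", False) or t.get("HomeRegion") == region
        logging_on = statuses.get(arn, {}).get("IsLogging", False)
        if covers_region and logging_on and records_management_writes(selectors.get(arn, {})):
            found.append(arn)
    return found


def check_live(region):
    """Same check against a real account (needs credentials; not exercised here)."""
    import boto3  # imported lazily so the offline part of this example runs without it
    ct = boto3.client("cloudtrail", region_name=region)
    trails = ct.describe_trails(includeShadowTrails=True)["trailList"]
    statuses = {t["TrailARN"]: ct.get_trail_status(Name=t["TrailARN"]) for t in trails}
    selectors = {t["TrailARN"]: ct.get_event_selectors(TrailName=t["TrailARN"]) for t in trails}
    return trails_delivering_api_calls(region, trails, statuses, selectors)


if __name__ == "__main__":
    ok = trails_delivering_api_calls(REGION, TRAILS, STATUS, SELECTORS)
    print(f"{REGION}: trails recording management writes: {ok or 'NONE (API-call rules will not match)'}")
```

If the list comes back empty for the region where the cluster is created, an `AWS API Call via CloudTrail` rule has nothing to match, however correct its pattern is, which is the situation the last answer describes. A data-only trail or a read-only management trail does not count, which is why the selectors are inspected rather than just the trail's existence.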