I have some terraform code to deploy a cloudwatch/eventbridge rule that triggers a step function. I want the rule to trigger the step function after every 2 minutes as indicated in the code below:
  # Role that EventBridge (CloudWatch Events) assumes when it invokes the target.
  resource "aws_iam_role" "cw_sfn_role" {
    name               = "cw_sfn_role"
    assume_role_policy = data.aws_iam_policy_document.sfn_trigger_policy.json
  }

  # Trust policy: which AWS services may assume the role above.
  data "aws_iam_policy_document" "sfn_trigger_policy" {
    statement {
      actions = [
        "sts:AssumeRole"
      ]
      principals {
        type = "Service"
        identifiers = [
          "states.amazonaws.com",
          "events.amazonaws.com"
        ]
      }
    }
  }

  # Scheduled rule firing every 2 minutes.
  resource "aws_cloudwatch_event_rule" "step_function_trigger_event_rule" {
    name                = "trigger-step-function"
    description         = "Trigger every 2 min"
    schedule_expression = "rate(2 minutes)"
    # is_enabled is deprecated in AWS provider 5.x in favour of state = "ENABLED".
    is_enabled          = true
  }

  # Target: the state machine, invoked with the role above.
  resource "aws_cloudwatch_event_target" "step_function_target" {
    arn      = aws_sfn_state_machine.sfn_state_machine.arn
    rule     = aws_cloudwatch_event_rule.step_function_trigger_event_rule.name
    role_arn = aws_iam_role.cw_sfn_role.arn
  }
From the AWS console, the rule is attached correctly to the step function, but it doesn't trigger it. Also, when I manually create a rule from the AWS console, the step function is triggered without any issues. I suspect the problem is either in my assigned policies or in the schedule_expression. What am I missing here?
CodePudding user response:
As your target is a Step Function, it needs to allow invocation permission to its source (CloudWatch Events in your case).
This is similar to the invoke permission for Lambda that allows a source to trigger it.
The role that you specify for CloudWatch Events must include the permissions below:
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [ "states:StartExecution" ],
        "Resource": [ "arn:aws:states:*:*:stateMachine:*" ]
      }
    ]
  }
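The answer above gives the permission as raw JSON; in the asker's Terraform it is the execution policy that is missing, not the trust policy. The following is an added example (not code from the original post or answer) showing how to attach that permission to the existing `cw_sfn_role`, scoped to the one state machine the rule targets instead of the `arn:aws:states:*:*:stateMachine:*` wildcard. The resource and data-source names `sfn_start_execution` and `cw_sfn_start_execution` are assumptions; `aws_iam_role.cw_sfn_role` and `aws_sfn_state_machine.sfn_state_machine` are the names from the question.

```hcl
# Added example, not from the original post: execution policy for the
# EventBridge role. Names below are assumptions.

# What EventBridge may do once it has assumed cw_sfn_role.
data "aws_iam_policy_document" "sfn_start_execution" {
  statement {
    sid     = "StartTargetStateMachine"
    effect  = "Allow"
    actions = ["states:StartExecution"]

    # Least privilege: only the state machine this rule targets, rather than
    # every state machine in every account (arn:aws:states:*:*:stateMachine:*).
    resources = [aws_sfn_state_machine.sfn_state_machine.arn]
  }
}

# Inline policy attached to the role that aws_cloudwatch_event_target uses.
resource "aws_iam_role_policy" "cw_sfn_start_execution" {
  name   = "cw-sfn-start-execution"
  role   = aws_iam_role.cw_sfn_role.id
  policy = data.aws_iam_policy_document.sfn_start_execution.json
}
```

Two checks worth doing after `terraform apply`: the rule's `FailedInvocations` metric in the `AWS/Events` CloudWatch namespace stops incrementing once the role has `states:StartExecution`, and `aws stepfunctions list-executions --state-machine-arn <arn>` shows new executions every two minutes. Separately, the trust policy in the question lets both `states.amazonaws.com` and `events.amazonaws.com` assume the role; only `events.amazonaws.com` needs to for this use, so the first principal can be dropped.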