EventBridge Bus, Rule & Target

aws-eventbridge

A custom Amazon EventBridge event bus, a rule that filters events by event pattern, and a target — wired end-to-end. Works with Terraform and OpenTofu (>= 1.6), AWS provider >= 6.0, < 7.0.

By default the module creates its own CloudWatch Logs group as the target (plus the resource policy EventBridge needs to write to it), so the whole stack stands up from a single input (bus_name) and is perfect for capturing or auditing events. Point it at any existing destination instead with target_type = "external" and target_arn.

Secure defaults:

• Encryption at rest always on — the bus uses the AWS-owned EventBridge key by default (free); pass bus_kms_key_identifier for a customer-managed key. The target log group is encrypted with AWS-managed CloudWatch Logs encryption unless you supply log_kms_key_id.
• Least-privilege log delivery — the log group resource policy grants only logs:CreateLogStream / logs:PutLogEvents, scoped to that single group and guarded by an aws:SourceAccount condition so only this account's EventBridge can write (confused-deputy protection).
• Reliable delivery — a 24h / 185-attempt retry policy by default, with an optional dead-letter queue on both the bus and the target.

Custom-bus rules must filter by event pattern — AWS only allows schedule_expression rules on the default bus, so this module intentionally does not expose scheduling (use the aws-step-functions/EventBridge Scheduler for that). The default pattern is a catch-all ({"account": ["<id>"]}); set event_pattern for real routing.

Requirements

• Terraform or OpenTofu >= 1.6
• hashicorp/aws >= 6.0, < 7.0

Verification

Static-validated (fmt, validate, tflint). Live apply/destroy testing pending cloud sandbox availability — see catalog status.

License

Commercial — IaC Bazaar EULA. © IaC Bazaar. Original work (not derived from a third-party module).