From 08233965e7a1a32e518b08a4d6671ffe702a239d Mon Sep 17 00:00:00 2001
From: Jonathan Goldwasser
Date: Mon, 25 Nov 2019 19:07:05 +0100
Subject: [PATCH] feat(events): add static grantPutEvents() to EventBus (#5133)
* feat(events): add static grantPutEvents() to EventBus
It's currently not possible to restrict `PutEvents` to specific resources. See https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/permissions-reference-cwe.html
* Update event-bus.ts
---
 packages/@aws-cdk/aws-events/lib/event-bus.ts | 17 ++++++++++
 .../aws-events/test/test.event-bus.ts | 33 +++++++++++++++++++
 2 files changed, 50 insertions(+)
diff --git a/packages/@aws-cdk/aws-events/lib/event-bus.ts b/packages/@aws-cdk/aws-events/lib/event-bus.ts
index 3111142cd755b..2996baa9665e3 100644
--- a/packages/@aws-cdk/aws-events/lib/event-bus.ts
+++ b/packages/@aws-cdk/aws-events/lib/event-bus.ts
@@ -1,3 +1,4 @@
+import iam = require('@aws-cdk/aws-iam');
 import { Construct, IResource, Lazy, Resource, Stack } from '@aws-cdk/core';
 import { CfnEventBus } from './events.generated';
@@ -136,6 +137,22 @@ export class EventBus extends Resource implements IEventBus {
 return new Import(scope, id);
 }
+ /**
+ * Permits an IAM Principal to send custom events to EventBridge
+ * so that they can be matched to rules.
+ *
+ * @param grantee The principal (no-op if undefined)
+ */
+ public static grantPutEvents(grantee: iam.IGrantable): iam.Grant {
+ // It's currently not possible to restrict PutEvents to specific resources.
+ // See https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/permissions-reference-cwe.html
+ return iam.Grant.addToPrincipal({
+ grantee,
+ actions: ['events:PutEvents'],
+ resourceArns: ['*'],
+ });
+ }
+
 private static eventBusProps(defaultEventBusName: string, props?: EventBusProps) {
 if (props) {
 const { eventBusName, eventSourceName } = props;
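Review bot: The new `grantPutEvents` attaches `events:PutEvents` with `resourceArns: ['*']`, so the grantee can publish to every event bus in the account (default and custom), not just the bus this construct models; the justifying comment links the older CloudWatch Events permissions page, and as far as I can tell the EventBridge form of the action accepts an event-bus ARN as its resource, so the wildcard should be confirmed against the current EventBridge IAM reference before it ships as the only option. If resource scoping is available, the least-privilege default is an instance method on the bus whose only difference from this one is `resourceArns: [<this bus's ARN>]`, with the static wildcard kept as an explicitly named account-wide grant. Independently, `@param grantee The principal (no-op if undefined)` contradicts the non-optional `iam.IGrantable` signature: either make the parameter optional and guard it before calling `iam.Grant.addToPrincipal`, or drop the clause. Whatever scope is kept, the docstring should state it, e.g. `* The resulting statement uses Resource "*": the grantee may put events on any event bus in this account.` The enclosing `EventBus` class body continues outside the hunk.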
diff --git a/packages/@aws-cdk/aws-events/test/test.event-bus.ts b/packages/@aws-cdk/aws-events/test/test.event-bus.ts
index 5250a74e16737..f6d5c1f694b47 100644
--- a/packages/@aws-cdk/aws-events/test/test.event-bus.ts
+++ b/packages/@aws-cdk/aws-events/test/test.event-bus.ts
@@ -1,4 +1,5 @@
 import { expect, haveResource } from '@aws-cdk/assert';
+import iam = require('@aws-cdk/aws-iam');
 import { CfnResource, Stack } from '@aws-cdk/core';
 import { Test } from 'nodeunit';
 import { EventBus } from '../lib';
@@ -200,6 +201,38 @@ export = {
 createInvalidBus();
 }, /'eventSourceName' must satisfy: /);
+ test.done();
+ },
+
+ 'can grant PutEvents'(test: Test) {
+ // GIVEN
+ const stack = new Stack();
+ const role = new iam.Role(stack, 'Role', {
+ assumedBy: new iam.ServicePrincipal('lambda.amazonaws.com')
+ });
+
+ // WHEN
+ EventBus.grantPutEvents(role);
+
+ // THEN
+ expect(stack).to(haveResource('AWS::IAM::Policy', {
+ PolicyDocument: {
+ Statement: [
+ {
+ Action: 'events:PutEvents',
+ Effect: 'Allow',
+ Resource: '*'
+ }
+ ],
+ Version: '2012-10-17'
+ },
+ Roles: [
+ {
+ Ref: 'Role1ABCC5F0'
+ }
+ ]
+ }));
+
 test.done();
 }
 };
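Review bot: The assertion pins `Resource: '*'` as the expected statement, which bakes the account-wide scope of `grantPutEvents` into the test contract; if the grant is ever narrowed to a bus ARN this is the line to change, and a second case asserting the scoped ARN should be added alongside. The implementation's docstring promises a no-op when `grantee` is undefined, but nothing here exercises that and the signature does not admit it, so either add a case for it or drop the claim. The enclosing `export = {` test object starts outside the hunk.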