CCM-14961: Allow cross domain bus to put event on DL bus

docs/adr/assets/ADR-003/examples/python/requirements.txt

@@ -1,2 +1,2 @@
-PyJWT==2.8.0
+PyJWT==2.12.0
 requests==2.32.4

infrastructure/terraform/components/dl/README.md

@@ -31,6 +31,7 @@ No requirements.
 | <a name="input_event_anomaly_band_width"></a> [event\_anomaly\_band\_width](#input\_event\_anomaly\_band\_width) | The width of the anomaly detection band. Higher values (e.g. 4-6) reduce sensitivity and noise, lower values (e.g. 2-3) increase sensitivity. Recommended: 2-4. | `number` | `3` | no |
 | <a name="input_event_anomaly_evaluation_periods"></a> [event\_anomaly\_evaluation\_periods](#input\_event\_anomaly\_evaluation\_periods) | Number of evaluation periods for the anomaly alarm. Each period is defined by event\_anomaly\_period. | `number` | `2` | no |
 | <a name="input_event_anomaly_period"></a> [event\_anomaly\_period](#input\_event\_anomaly\_period) | The period in seconds over which the specified statistic is applied for anomaly detection. Minimum 300 seconds (5 minutes). Recommended: 300-600. | `number` | `300` | no |
+| <a name="input_eventbus_account_id"></a> [eventbus\_account\_id](#input\_eventbus\_account\_id) | The AWS Account ID for the event bus | `string` | n/a | yes |
 | <a name="input_eventpub_control_plane_bus_arn"></a> [eventpub\_control\_plane\_bus\_arn](#input\_eventpub\_control\_plane\_bus\_arn) | Event publisher control plane | `string` | n/a | yes |
 | <a name="input_eventpub_data_plane_bus_arn"></a> [eventpub\_data\_plane\_bus\_arn](#input\_eventpub\_data\_plane\_bus\_arn) | Event publisher data plane | `string` | n/a | yes |
 | <a name="input_force_destroy"></a> [force\_destroy](#input\_force\_destroy) | Flag to force deletion of S3 buckets | `bool` | `false` | no |

infrastructure/terraform/components/dl/cloudwatch_event_bus.tf

@@ -27,3 +27,36 @@ resource "aws_cloudwatch_log_delivery_source" "main_trace_logs" {
   log_type     = "TRACE_LOGS"
   resource_arn = aws_cloudwatch_event_bus.main.arn
 }
+
+data "aws_iam_policy_document" "main_event_bus_document" {
+  statement {
+    sid    = "AllowCrossDomainEventBridgeToPutEvent"
+    effect = "Allow"
+
+    principals {
+      type        = "AWS"
+      identifiers = ["arn:aws:iam::${var.eventbus_account_id}:root"]
+    }
+
+    actions = [
+      "events:PutEvents",
+    ]
+
+    resources = [
+      aws_cloudwatch_event_bus.main.arn,
+    ]
+
+    condition {
+      test     = "ArnLike"
+      variable = "aws:SourceArn"
+      values = [
+        "arn:aws:events:${var.region}:${var.eventbus_account_id}:rule/*-data-plane*"
+      ]
+    }
+  }
+}
+
+resource "aws_cloudwatch_event_bus_policy" "main_event_bus_policy" {
+  policy         = data.aws_iam_policy_document.main_event_bus_document.json
+  event_bus_name = aws_cloudwatch_event_bus.main.name
+}

infrastructure/terraform/components/dl/variables.tf

@@ -196,6 +196,11 @@ variable "eventpub_data_plane_bus_arn" {
   description = "Event publisher data plane"
 }
 
+variable "eventbus_account_id" {
+  type        = string
+  description = "The AWS Account ID for the event bus"
+}
+
 variable "report_scheduler_schedule" {
   type        = string
   description = "Schedule to trigger sender reports"