Scalr
August 20, 2024

Integrating Terraform Events w/ AWS EventBridge

By Ryan Fee

Many DevOps teams use Terraform to manage AWS EventBridge. However, using AWS EventBridge to monitor Terraform events is less discussed. We'll review how Scalr's native integration with EventBridge allows you to build event-driven workflows based on Terraform events.

AWS EventBridge Interface

AWS EventBridge Overview

First, let’s review what AWS EventBridge is:

AWS EventBridge is a powerful serverless event bus that makes it easy to connect your applications with data from various event sources. It delivers real-time data from SaaS applications and AWS services and routes the data to targets like AWS CloudWatch or Lambda. EventBridge is a key component of AWS event-driven architectures.

Key concepts in EventBridge include:

  • Event Buses: The "pipeline" that receives events from a source and routes them to a target.
  • Rules: Definitions for filtering and routing events to specific targets based on an event pattern.
  • Targets: Destinations for events, such as Lambda functions, SNS topics, SQS queues, CloudWatch log groups, etc.
  • EventBridge Pipes: Allows you to filter, transform, and enrich events before passing them to a target.

EventBridge integrates with over 90 AWS services as event sources, including CloudWatch, EC2, S3, and CodeCommit, and integrates with many third-party tools. It enables you to easily build event-driven workflows that react to state changes.

Terraform Overview

Terraform is an infrastructure-as-code tool that lets you provision and manage infrastructure and resources in AWS and other providers through declarative configuration files. Terraform and OpenTofu support the AWS provider, which includes resources for managing EventBridge components.

Here are a few examples of the provider and module usage, but full documentation can be found in library.tf.

In this example, we’ll create an EventBridge bus with the supported module, create a rule, and then send matching events to a target, in this case AWS CloudWatch:

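# Log group referenced by the target below (added so the snippet is
# self-contained; the name is an example value).
resource "aws_cloudwatch_log_group" "this" {
  name = "/aws/events/scalr-example"
}

module "eventbridge" {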
  source = "terraform-aws-modules/eventbridge/aws"

  bus_name = "scalr-example"

  rules = {
    events = {
      description   = "Capture event data"
      event_pattern = jsonencode({ "source" : ["scalr.events"] })
      enabled       = true
    }
  }

  targets = {
    events = [
      {
        name = "scalr-events-to-cloudwatch"
        arn  = aws_cloudwatch_log_group.this.arn
      }
    ]
  }

  tags = {
    Name = "scalr-example"
  }
}

Use EventBridge to Monitor Terraform

Now that we have covered both tools, let’s review how you can use AWS EventBridge to create an event-driven workflow based on a Terraform event, such as a Terraform apply failing. This is where the Scalr native integration with AWS EventBridge is key.

Common Use Cases

Scalr is a Terraform automation and collaboration tool that remotely executes your Terraform code while also integrating with many third-party tools to tie your entire ecosystem together. Because the runs are actually executed in Scalr, Scalr can log events and trigger actions based on the events. Here are a couple of common use cases that are seen with the events triggered from Scalr to EventBridge:

Monitoring and Alerting

The Scalr-EventBridge integration empowers organizations to create sophisticated workflow automation across their ecosystem. Users can design EventBridge rules that trigger specific actions in response to Scalr and Terraform events. For instance, a successful Terraform run could automatically initiate additional resource provisioning, while a failed run in a critical environment could trigger immediate notifications to the operations team. Completion of a large-scale infrastructure update might prompt automated testing routines. 

Audit Logging

Scalr not only can trigger calls to EventBridge based on events, but it can also stream user activity to EventBridge, which allows organizations to create a detailed audit log of all account actions. This comprehensive tracking covers changes made to resources across various Scalr services. Organizations can utilize this audit trail for multiple purposes, including:

  1. Ensuring compliance with regulatory requirements
  2. Troubleshooting issues by reviewing historical actions
  3. Analyzing patterns and trends in Scalr usage over time

This enhanced visibility into user activities and resource modifications helps maintain security, improve operational efficiency, and support decision-making processes.

How Does the Integration Work

Terraform Run Events

Scalr has a pre-built event bus in AWS that can be used for this. The integration is started from the Scalr UI:

AWS EventBridge Configuration in Scalr

After any Terraform run event in Scalr, Scalr will automatically send information about the run to EventBridge. Here is a sample event:

{
  "id": "run-1234567890",
  "account": "test",
  "version": 1,
  "time": "2024-04-19T13:44:02Z",
  "source": "aws.partner/scalr.com/account-name/integration-name",
  "resources": [],
  "region": "us-east-1",
  "detail-type": "RunExecuted",
  "detail": {
    "title": "Scalr run execution completed on workspace 'workspace-name' (environment-name). Run ID: run-1234567890.",
    "event": {
      "run-id": "run-1234567890",
      "source": "vcs",
      "is-dry": false,
      "is-destroy": false,
      "is-agent": false,
      "is-postponed": false,
      "result": "applied",
      "duration": 137000000000.0,
      "account": "account-name",
      "workspace": "workspace-name",
      "environment": "environment-name",
      "user-email": "user@company.com"
    },
    "tags": [
      "scalr-environment:env-1234567890",
      "scalr-workspace:ws-1234567890",
      "scalr-environment-name:environment-name",
      "scalr-workspace-name:workspace-name"
    ],
    "event_type": "success"
  }
}

An EventBridge bus captures the information, and a rule is created in AWS to determine what to do with the information. A common use case is to forward this information to an AWS CloudWatch log group so that teams can set up alerts based on Terraform run event failures.

Scalr Audit Logs

Scalr also provides the option to send audit logs to AWS EventBridge. Rather than run events, users can create EventBridge rules based on actions taken in Scalr such as a Terraform workspace deletion, a run being approved, and more. Here is an example of an audit log that is sent to EventBridge and then likely forwarded to CloudWatch or a SaaS solution such as Datadog:

{
  "id": "63ddd008eced0487812b1005f06ddff4",
  "version": 0,
  "account": 123456789012,
  "time": "2024-04-19T13:44:02Z",
  "source": "aws.partner/scalr.com/account-name/integration-name",
  "resources": [],
  "region": "us-east-1",
  "detail-type": "AuditLog",
  "detail": {
    "target": {
      "id": "ws-1234567890",
      "type": "workspaces",
      "display-name": "workspace-name",
      "context": {
        "environment": {
          "id": "env-1234567890",
          "display-name": "environment-name"
        },
        "workspace": {
          "id": "ws-1234567890",
          "display-name": "workspace-name"
        },
        "account": {
          "id": "acc-1234567890",
          "display-name": "account-name"
        }
      }
    },
    "timestamp": "2024-04-19T13:44:02.335490",
    "request": {
      "id": "63ddd008eced0487812b1005f06ddff4",
      "action": "create-workspace",
      "ip-address": "10.21.0.30",
      "source": "ui",
      "user-agent": "Mozilla/5.0 (X11; Linux x86_64; rv:125.0) Gecko/20100101 Firefox/125.0"
    },
    "actor": {
      "id": "user-1234567890",
      "email": "user@company.com",
      "type": "user",
      "access-token": {
        "id": null,
        "type": "session",
        "token": "...UlzZ-c"
      }
    },
    "outcome": {
      "result": "SUCCESS",
      "status-code": 201
    },
    "tags": [
      "scalr-action:create-workspace",
      "scalr-user-email:user@company.com",
      "scalr-environment:env-1234567890",
      "scalr-environment-name:environment-name",
      "scalr-workspace:ws-1234567890",
      "scalr-workspace-name:workspace-name"
    ]
  }
}
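
An added example, not code from Scalr or from the original post: a Python triage function of the kind a Lambda target could run on both event shapes shown above (run events and audit logs), using only fields that appear in the samples. The trusted network range, the protected environment name, the `error` event type and the 403 status in the constructed events are assumptions made for illustration.

```python
import ipaddress

# Assumptions for this example, not Scalr defaults.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.21.0.0/16")]
PROTECTED_ENVIRONMENTS = {"production"}
SCALR_SOURCE_PREFIX = "aws.partner/scalr.com/"  # prefix of "source" in the page's samples


def triage(event):
    """Return findings for one Scalr event, using only fields shown in the samples."""
    if not str(event.get("source", "")).startswith(SCALR_SOURCE_PREFIX):
        return []  # not a Scalr partner event
    detail = event.get("detail", {})
    findings = []
    if event.get("detail-type") == "RunExecuted":
        run = detail.get("event", {})
        if detail.get("event_type") != "success":
            findings.append(f"run {run.get('run-id')} did not succeed")
        if run.get("is-destroy") and not run.get("is-dry") \
                and run.get("environment") in PROTECTED_ENVIRONMENTS:
            findings.append(f"destroy run in {run.get('environment')} by {run.get('user-email')}")
    elif event.get("detail-type") == "AuditLog":
        request = detail.get("request", {})
        actor = detail.get("actor", {}).get("email", "unknown")
        status = detail.get("outcome", {}).get("status-code")
        if status in (401, 403):
            findings.append(f"{actor} denied {request.get('action')} ({status})")
        try:
            address = ipaddress.ip_address(request.get("ip-address", ""))
            if not any(address in net for net in TRUSTED_NETWORKS):
                findings.append(f"{actor} acted from untrusted address {address}")
        except ValueError:
            findings.append(f"{actor} request has no parseable ip-address")
    return findings


# Constructed sample events, trimmed from the shapes shown on the page.
SOURCE = "aws.partner/scalr.com/account-name/integration-name"
RUN_EVENT = {"source": SOURCE, "detail-type": "RunExecuted", "detail": {
    "event_type": "error",  # placeholder: the page only shows "success"
    "event": {"run-id": "run-1234567890", "is-dry": False, "is-destroy": True,
              "environment": "production", "user-email": "user@company.com"}}}
AUDIT_EVENT = {"source": SOURCE, "detail-type": "AuditLog", "detail": {
    "request": {"action": "create-workspace", "ip-address": "203.0.113.7"},
    "actor": {"email": "user@company.com"},
    "outcome": {"status-code": 403}}}

if __name__ == "__main__":
    print([triage(sample) for sample in (RUN_EVENT, AUDIT_EVENT)])
```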

See it in Action

Would you prefer to see a demo of it? In the link below, we review how to integrate Scalr with AWS EventBridge to send audit logs and events to EventBridge:

Scalr Integration w/ AWS EventBridge for Terraform & OpenTofu

Summary

Terraform and Amazon EventBridge make a powerful combination, whether it is using Terraform to automate the creation of EventBridge resources or using EventBridge to create an event-driven workflow. Up until now, Scalr was the missing piece that tied the two together so that you could actually receive Terraform events in EventBridge itself. This is now available on both free and paid plans; give it a try in Scalr today.

Note: While this blog references Terraform, everything mentioned in here also applies to OpenTofu. New to OpenTofu? It is a fork of Terraform 1.5.7 as a result of the license change from MPL to BUSL by HashiCorp. OpenTofu is an open-source alternative to Terraform that is governed by the Linux Foundation. All features available in Terraform 1.5.7 or earlier are also available in OpenTofu. Find out the history of OpenTofu here.
