feat: Add support for setting the condition field in Event Bus permissions (terraform-aws-modules#84)

Co-authored-by: Anton Babenko <[email protected]>

Author: cadrake

examples/with-permissions/README.md

@@ -42,6 +42,7 @@ Note that this example may create resources which cost money. Run `terraform des
 |------|------|
 | [aws_cloudwatch_event_bus.external](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_bus) | resource |
 | [random_pet.this](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/pet) | resource |
+| [aws_organizations_organization.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/organizations_organization) | data source |
 
 ## Inputs
 

examples/with-permissions/main.tf

@@ -9,6 +9,8 @@ provider "aws" {
   skip_requesting_account_id  = true
 }
 
+data "aws_organizations_organization" "this" {}
+
 module "eventbridge" {
   source = "../../"
 
@@ -23,8 +25,9 @@ module "eventbridge" {
       action = "events:PutEvents"
     }
 
-    "* PublicAccessToExternalBus" = {
+    "* OrgAccessToExternalBus" = {
       event_bus_name = aws_cloudwatch_event_bus.external.name
+      condition_org  = data.aws_organizations_organization.this.id
     }
   }
 

main.tf

@@ -248,6 +248,16 @@ resource "aws_cloudwatch_event_permission" "this" {
 
   action         = lookup(each.value, "action", null)
   event_bus_name = try(each.value["event_bus_name"], aws_cloudwatch_event_bus.this[0].name, var.bus_name, null)
+
+  dynamic "condition" {
+    for_each = try([each.value.condition_org], [])
+
+    content {
+      key   = "aws:PrincipalOrgID"
+      type  = "StringEquals"
+      value = condition.value
+    }
+  }
 }
 
 resource "aws_cloudwatch_event_connection" "this" {