From b3d850538919b3b04af8171dd21fabf62bc0a753 Mon Sep 17 00:00:00 2001 From: Christopher Geers Date: Fri, 5 Apr 2024 16:07:55 -0500 Subject: [PATCH] fix(event-bridge): member account role * fixes an issue where organization member accounts were each not refering to their respective EB service roles. --- modules/services/event-bridge/organizational.tf | 11 ++--------- .../services/event-bridge/stackset_template_body.tpl | 2 +- 2 files changed, 3 insertions(+), 10 deletions(-) diff --git a/modules/services/event-bridge/organizational.tf b/modules/services/event-bridge/organizational.tf index 14f4e6e..41d7e1f 100644 --- a/modules/services/event-bridge/organizational.tf +++ b/modules/services/event-bridge/organizational.tf @@ -8,14 +8,9 @@ data "aws_organizations_organization" "org" { count = var.is_organizational ? 1 : 0 } -data "aws_caller_identity" "current" { - count = var.is_organizational ? 1 : 0 -} - locals { - organizational_unit_ids = var.is_organizational && length(var.org_units) == 0 ? [for root in data.aws_organizations_organization.org[0].roots : root.id] : toset(var.org_units) - region_set = toset(var.regions) - eb_rule_stackset_role_arn = var.is_organizational ? "arn:aws:iam::${data.aws_caller_identity.current[0].account_id}:role/${var.name}" : "" + organizational_unit_ids = var.is_organizational && length(var.org_units) == 0 ? [for root in data.aws_organizations_organization.org[0].roots : root.id] : toset(var.org_units) + region_set = toset(var.regions) } # stackset to deploy eventbridge rule in organization unit @@ -41,7 +36,6 @@ resource "aws_cloudformation_stack_set" "eb-rule-stackset" { event_pattern = var.event_pattern rule_state = var.rule_state target_event_bus_arn = var.target_event_bus_arn - role_arn = local.eb_rule_stackset_role_arn }) } 
@@ -60,7 +54,6 @@ resource "aws_cloudformation_stack_set" "mgmt-stackset" { event_pattern = var.event_pattern rule_state = var.rule_state target_event_bus_arn = var.target_event_bus_arn - role_arn = aws_iam_role.event_bus_invoke_remote_event_bus[0].arn }) } diff --git a/modules/services/event-bridge/stackset_template_body.tpl b/modules/services/event-bridge/stackset_template_body.tpl index 21cd710..d4befe1 100644 --- a/modules/services/event-bridge/stackset_template_body.tpl +++ b/modules/services/event-bridge/stackset_template_body.tpl @@ -9,4 +9,4 @@ Resources: Targets: - Id: ${name} Arn: ${target_event_bus_arn} - RoleArn: ${role_arn} + RoleArn: !Sub "arn:aws:iam::$${AWS::AccountId}:role/${name}"
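Review bot: The new `RoleArn` hard-codes the `aws` partition and couples every target account, including the management account, to a role named exactly `${name}`; the `mgmt-stackset` in organizational.tf previously took that ARN from `aws_iam_role.event_bus_invoke_remote_event_bus[0].arn`, so the rendered ARN is only correct if that resource's `name` is `var.name`, which this patch does not show — please confirm. Dropping that reference also removes the implicit ordering between the role and the stackset, so `mgmt-stackset` should gain `depends_on = [aws_iam_role.event_bus_invoke_remote_event_bus]`, otherwise the rule target can be created before the role exists and the stack instance will fail. For member accounts the template now presumes a same-named role is already present in each account when the stack instance is created; if that role is provisioned by another stackset, `eb-rule-stackset` should depend on it as well. I would also make the ARN partition-agnostic, `RoleArn: !Sub "arn:$${AWS::Partition}:iam::$${AWS::AccountId}:role/${name}"`, so the module works in GovCloud and China regions, and add a comment above the target such as `# Role must already exist in the target account under this exact name`.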