Deleting or Disabling a CloudWatch Events Rule | CloudWatch Scheduled Event | Event Bridge attached to AWS Lambda through AWS CLI

Siva S R K Somanchi
May 20, 2021

Here we talk about Event Bridge (AWS CloudWatch Event Rule).

We all know that making configuration changes to AWS infrastructure through the console is a hassle, because the console is updated day by day. Recently, in the latest release, AWS has stated that users cannot modify the state of an event source (especially to disable it) through the Lambda console. Here are the components that no longer support disabling: “The Lambda console no longer supports disabling AWS IoT, Alexa Smart Home, Cognito Sync, Event Bridge (CloudWatch Events) and SNS triggers. Delete these triggers to stop further actions.”

AWS Lambda Triggers Configuration

To move forward, I will assume that you have an AWS Account and AWS CLI knowledge. If you don’t, I suggest getting started here.

What’s the problem?

An Event Bridge trigger added to a Lambda function cannot be deleted through the CLI like an event source, because it is not considered an Event Source. Here’s the evidence from the AWS CLI documentation that only 4 kinds of events can be considered Event Source(s).

To disable/enable/delete any trigger we require a UUID, a unique ID generated when the AWS::Lambda::EventSourceMapping resource creates a mapping between an event source and an AWS Lambda function. The core point to be noted here is “Not every Lambda trigger has a UUID. Only event source triggers have a UUID, and Event Bridge is not an event source for Lambda according to this documentation”. CLI for ‘list-event-source-mappings..

List of event sources accepted by Lambda.

Click here to see how to change the state of a Lambda having one of the above event source(s) as a trigger.

Since Event Bridge is not an Event Source, there’s no way to get a UUID for the Event Bridge trigger. The workaround below shows how to enable, disable, or delete the Lambda trigger through the CLI without a UUID.

Workaround to disable/enable/delete event trigger without UUID through AWS CLI

Find the ‘statement-id’, aka ‘Sid’, of the event (trigger) added to the Lambda. In this flow the ‘Sid’ acts as the ‘UUID’; it is the driving element.

Lambda side: Get Sid (statement-id) and Remove Permission

Execute the following steps in order.

  1. Fetch the Sid (statement-id) associated with the event by using get-policy
aws lambda get-policy --function-name my-function --region us-east-1
  • Note down all the Sids (statement-id) that need to be deleted.

2. Now revoke the function-use permission from the AWS service by using the following command. You can get the ID of the statement from the output of GetPolicy.

aws lambda remove-permission --function-name my-function --statement-id <STATEMENT_ID>
  • This helped me to remove the Event trigger. After executing the above command, refresh the Lambda console and you will no longer find your event trigger.
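Added example (not from the original post): a small Python helper for steps 1 and 2 that decodes `aws lambda get-policy` output and picks out the Sids granted to EventBridge for one rule, listing separately any EventBridge statements that carry no source ARN at all. The sample policy, account ID, Sids and the function names `eventbridge_statements` and `sids_for_rule` are constructed for illustration.

```python
import json

# Constructed sample of `aws lambda get-policy` output (made-up account ID, Sids, ARNs).
# "Policy" is a JSON document carried as a string, so it has to be decoded twice.
FN = "arn:aws:lambda:us-east-1:123456789012:function:my-function"
RULE = "arn:aws:events:us-east-1:123456789012:rule/enable-lambda-rule"

def _stmt(sid, service, source_arn=None):
    s = {"Sid": sid, "Effect": "Allow", "Principal": {"Service": service},
         "Action": "lambda:InvokeFunction", "Resource": FN}
    if source_arn:
        s["Condition"] = {"ArnLike": {"AWS:SourceArn": source_arn}}
    return s

SAMPLE_GET_POLICY = json.dumps({
    "Policy": json.dumps({"Version": "2012-10-17", "Id": "default", "Statement": [
        _stmt("events-enable-lambda-rule", "events.amazonaws.com", RULE),
        _stmt("events-no-source-arn", "events.amazonaws.com"),
        _stmt("sns-topic", "sns.amazonaws.com"),
    ]}),
    "RevisionId": "00000000-0000-0000-0000-000000000000",
})

def eventbridge_statements(get_policy_output):
    """Return [(Sid, source ARN or None)] for statements granted to EventBridge."""
    policy = json.loads(json.loads(get_policy_output)["Policy"])
    found = []
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal")
        service = principal.get("Service") if isinstance(principal, dict) else None
        if "events.amazonaws.com" not in (service if isinstance(service, list) else [service]):
            continue
        source_arn = None
        for operands in stmt.get("Condition", {}).values():
            for key, value in operands.items():
                if key.lower() == "aws:sourcearn":  # key casing is not significant
                    source_arn = value
        found.append((stmt.get("Sid"), source_arn))
    return found

def sids_for_rule(get_policy_output, rule_name):
    """Split EventBridge Sids into those scoped to rule_name and those with no source ARN."""
    matched, unscoped = [], []
    for sid, arn in eventbridge_statements(get_policy_output):
        if arn is None:
            unscoped.append(sid)  # not tied to any rule: review before removing
        elif arn.endswith(":rule/" + rule_name):  # rule on the default event bus
            matched.append(sid)
    return matched, unscoped
```

Feed it the raw JSON printed by get-policy; each Sid in the first list is a value for `--statement-id` in the remove-permission step.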

Event Bridge side: Remove Targets and Delete Rule

  1. List the targets assigned to the specified rule.
aws events list-targets-by-rule --rule "<rule-name>"
  • Note down the “Target Id(s)” that need to be removed

2. Remove the specified targets from the specified rule. When the rule is triggered, those targets are no longer invoked.

aws events remove-targets --rule "<rule-name>" --ids "<TARGET_ID>"
  • This helped to remove the specific target from the rule

3. Delete rule after deleting all the targets.

aws events delete-rule --name "enable-lambda-rule"
  • This helped to delete the rule completely

Finally, through CLI, I am able to remove the EventBridge event triggers added to the Lambda, and delete the EventBridge rules.

In summary, if you need to enable an EventBridge trigger for Lambda, you will need to use the put-targets and add-permission CLI commands. If you need to disable and delete an EventBridge trigger for Lambda, you will need to use the remove-targets and remove-permission CLI commands. If you’d like to verify it using the Lambda console and CloudTrail events, please note that CloudTrail delivers an event within 15 minutes of the API call. After updating the trigger, you will find the event within 15 minutes of the API call.
