3

I have a situation where I need to filter out certain events using eventpatterns in eventbridge. I want to run the rule for all events except those where username starts with abc or xyz. I have tried below 2 syntax but none worked :

"userIdentity": {
      "sessionContext": {
        "sessionIssuer": {
          "userName": [
            {
              "anything-but": {
                "prefix": [
                  "abc-",
                  "xyz-"
                ]
              }
            }
          ]
        }
      }
    }

"userIdentity": {
      "sessionContext": {
        "sessionIssuer": {
          "userName": [
            {
              "anything-but": [{
                "prefix": "abc-",
                "prefix": "xyz-"
              }]
            }
          ]
        }
      }
    }

Getting following error on saving the rule : "Event pattern is not valid. Reason: Inside anything but list, start|null|boolean is not supported."

Am I missing something in the syntax or if this is a limitation then is there any alternative to this problem?

oguz ismail
  • 1
  • 16
  • 47
  • 69
Viv
  • 41
  • 1
  • 3
  • 2
    as far as the documentation concerned [Content-based Filtering with Event Patterns](https://docs.aws.amazon.com/eventbridge/latest/userguide/content-filtering-with-event-patterns.html) you can't provide multiple `prefixes` – samtoddler Feb 01 '21 at 17:29
  • so is there any alternate way of achieving this(apart from having multiple rules) ? – Viv Feb 01 '21 at 18:52
  • either split up rules or try not to match based on the prefix – samtoddler Feb 01 '21 at 19:16

2 Answers2

4

You can use prefix within an array in event pattern. Here is an example pattern:

{
      "detail": {
        "alarmName": [{
            "prefix": "DemoApp1"
          },
          {
            "prefix": "DemoApp2"
          }
        ],
        "state": {
          "value": [
            "ALARM"
          ]
        },
        "previousState": {
          "value": [
            "OK"
          ]
        }
    }
}

This event will match alarm that has name starting with either DemoApp1 or DemoApp2

seok_7
  • 41
  • 4
1

TLDR: user @samtoddler is sort of correct.

Prefix matches only work on values as called out in https://docs.aws.amazon.com/eventbridge/latest/userguide/content-filtering-with-event-patterns.html#filtering-prefix-matching. They do not work with arrays. You can file a feature request with AWS support but if you'd like to unblock yourself; you it's probably best to either control the prefixes you have for userName (guessing this is something IAM related and in your control).

If that's not possible; consider filtering as much as you can via other properties before sending over to a compute (probably lambda) to performing additional filtering.

blr
  • 908
  • 4
  • 8