
Improve Slack alert quality: person, tags, noise reduction#120

Merged
Alexanderamiri merged 2 commits into main from fix/slack-alert-quality
Mar 31, 2026

Conversation

@Alexanderamiri
Member

Summary

  • Show person in alerts: "By: Alexanderamiri via javabin-ci-infra (CI/CD)" instead of just "javabin-ci-infra (CI/CD)". Also adds "— by Alexanderamiri" to the source line. The data was already parsed from the session name but never displayed.
  • Tags on all alert types: Deletion and modification alerts now show tags (team, service, created-by, commit, etc.) — previously only creation alerts did.
  • Consolidate deletion noise: Multiple Delete* events on the same resource within 5 minutes (e.g. DeleteBucketWebsite + DeleteBucket + DeleteBucketPublicAccessBlock) now produce only one alert instead of three.
  • Suppress CI-triggered security findings: SecurityHub and GuardDuty findings for resources recently created/modified/deleted by CI (10-minute window) are suppressed. This prevents noise like "S3 should block public access" firing because CI just deleted a bucket.
  • Unified footer: Replaced context_footer with _build_footer everywhere so IAM changes and console logins also show actor info.

Test plan

  • Merge and let CI deploy the updated lambda
  • Trigger a CI change that creates/modifies/deletes a resource
  • Verify Slack alert shows person name in "By:" line and source line
  • Verify tags appear in deletion/modification alerts
  • Verify only one alert fires for multi-step deletions (e.g. S3 bucket)
  • Verify no SecurityHub/GuardDuty noise for the CI-managed resource

- Show GitHub actor name in "By:" line and source line instead of just
  the CI role name (e.g. "Alexanderamiri via javabin-ci-infra (CI/CD)")
- Pass tags to deletion and modification alerts (previously only on creation)
- Consolidate related deletion events on same resource (DeleteBucket,
  DeleteBucketWebsite, DeleteBucketPublicAccessBlock → single alert)
- Suppress SecurityHub/GuardDuty findings for resources recently managed
  by CI (10-minute window) to avoid noise from intentional changes
- Unify footer functions: replace context_footer with _build_footer
  so IAM changes and console logins also show actor info
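The three mechanisms the description relies on (reading the person out of the assumed-role session name, collapsing a burst of Delete* events on one resource into a single alert, and suppressing SecurityHub/GuardDuty findings on resources CI touched in the last 10 minutes) are sketched below as an added, self-contained example. This is illustration code written for this page, not the project's Lambda, and it assumes things the PR does not state: events are CloudTrail-like dicts with `eventName`, `eventTime`, a resource ARN and the caller's STS ARN, and the CI role's session name carries the GitHub actor (the `arn:aws:sts::…:assumed-role/<role>/<session>` layout). The sample events are constructed to mirror the S3 bucket teardown mentioned in the summary.

```python
"""Alert de-noising helpers (example code, not the project's Lambda).

Assumptions not taken from the PR: CloudTrail-like event dicts with
eventName / eventTime / resource / userIdentityArn, and a CI role whose
STS session name is the GitHub actor.
"""
from __future__ import annotations

from datetime import datetime, timedelta, timezone

DELETE_WINDOW = timedelta(minutes=5)        # Delete* burst on one resource -> one alert
CI_SUPPRESS_WINDOW = timedelta(minutes=10)  # findings on CI-managed resources are muted
CI_ROLE = "javabin-ci-infra"                # role name quoted in the PR description


def parse_actor(role_arn: str) -> tuple[str, str | None]:
    """Split an STS assumed-role ARN into (role_name, session_name).

    Assumed format: arn:aws:sts::<acct>:assumed-role/<role>/<session>.
    Anything else yields (arn, None) so the caller falls back to the raw ARN.
    """
    marker = ":assumed-role/"
    if marker not in role_arn:
        return role_arn, None
    role, _, session = role_arn.split(marker, 1)[1].partition("/")
    return role, session or None


def format_by_line(role_arn: str) -> str:
    """Render the 'By:' line: person via the CI role when a session name exists."""
    role, session = parse_actor(role_arn)
    label = f"{role} (CI/CD)" if role == CI_ROLE else role
    return f"By: {session} via {label}" if session else f"By: {label}"


def _ts(event: dict) -> datetime:
    # fromisoformat() only accepts a trailing 'Z' on Python 3.11+, so normalise it.
    return datetime.fromisoformat(event["eventTime"].replace("Z", "+00:00"))


def consolidate_deletions(events: list[dict]) -> list[dict]:
    """Collapse Delete* events on one resource within DELETE_WINDOW of the first.

    Every alert records the event names it absorbed, so consolidation reduces
    Slack noise without hiding which API calls actually happened.
    """
    alerts: list[dict] = []
    open_alert: dict[str, dict] = {}  # resource -> deletion alert still accumulating
    for ev in sorted(events, key=_ts):
        if not ev["eventName"].startswith("Delete"):
            alerts.append({"resource": ev["resource"], "firstSeen": _ts(ev),
                           "events": [ev["eventName"]]})
            continue
        cur = open_alert.get(ev["resource"])
        if cur and _ts(ev) - cur["firstSeen"] <= DELETE_WINDOW:
            cur["events"].append(ev["eventName"])
            continue
        cur = {"resource": ev["resource"], "firstSeen": _ts(ev), "events": [ev["eventName"]]}
        open_alert[ev["resource"]] = cur
        alerts.append(cur)
    return alerts


class CiActivityTracker:
    """Remember when CI last touched each resource, to mute findings that follow."""

    def __init__(self) -> None:
        self._last_touch: dict[str, datetime] = {}

    def record(self, event: dict) -> None:
        role, _ = parse_actor(event["userIdentityArn"])
        if role != CI_ROLE:
            return  # only CI activity earns a suppression window
        seen = _ts(event)
        prev = self._last_touch.get(event["resource"], seen)
        self._last_touch[event["resource"]] = max(prev, seen)

    def should_suppress(self, resource: str, finding_time: datetime) -> bool:
        touched = self._last_touch.get(resource)
        if touched is None:
            return False
        # Only findings raised after the CI change, and within the window, are muted.
        return timedelta(0) <= finding_time - touched <= CI_SUPPRESS_WINDOW


CI_ARN = "arn:aws:sts::123456789012:assumed-role/javabin-ci-infra/Alexanderamiri"
BUCKET = "arn:aws:s3:::example-bucket"
# Constructed sample: a three-call S3 bucket teardown by CI, then an unrelated create.
SAMPLE_EVENTS = [
    {"eventName": "DeleteBucketWebsite", "eventTime": "2026-03-30T22:40:00Z",
     "resource": BUCKET, "userIdentityArn": CI_ARN},
    {"eventName": "DeleteBucketPublicAccessBlock", "eventTime": "2026-03-30T22:40:05Z",
     "resource": BUCKET, "userIdentityArn": CI_ARN},
    {"eventName": "DeleteBucket", "eventTime": "2026-03-30T22:40:12Z",
     "resource": BUCKET, "userIdentityArn": CI_ARN},
    {"eventName": "CreateBucket", "eventTime": "2026-03-30T22:41:00Z",
     "resource": "arn:aws:s3:::other-bucket", "userIdentityArn": CI_ARN},
]


def demo() -> tuple[int, bool, bool]:
    """Return (alert count, suppressed-at-9min, suppressed-at-20min) for the sample."""
    alerts = consolidate_deletions(SAMPLE_EVENTS)
    tracker = CiActivityTracker()
    for ev in SAMPLE_EVENTS:
        tracker.record(ev)
    soon = datetime(2026, 3, 30, 22, 49, tzinfo=timezone.utc)   # ~9 min after DeleteBucket
    late = datetime(2026, 3, 30, 23, 0, tzinfo=timezone.utc)    # ~20 min after
    return len(alerts), tracker.should_suppress(BUCKET, soon), tracker.should_suppress(BUCKET, late)


if __name__ == "__main__":
    print(format_by_line(CI_ARN))
    print(demo())
```

The suppression check deliberately refuses findings timestamped before the CI change: a finding that predates the deployment was not caused by it and should still reach Slack. The consolidated alert also keeps the full list of absorbed event names, so reducing three messages to one does not lose the audit trail a responder would want.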
@Alexanderamiri Alexanderamiri requested a review from a team as a code owner March 30, 2026 22:45
@github-actions

Terraform Plan

🚧 Changes detected — Plan: 0 to add, 2 to change, 0 to destroy.

Plan output

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # module.lambdas.aws_lambda_function.securityhub_summary will be updated in-place
  ~ resource "aws_lambda_function" "securityhub_summary" {
        id                             = "javabin-securityhub-summary"
      ~ last_modified                  = "2026-03-27T02:16:59.000+0000" -> (known after apply)
      ~ source_code_hash               = "HWyF0Gl/AH/wpVpYaK1xCytPrnnOXwka6pH0jZTGFr4=" -> "Qe3B8I3nLK88y9g2hWSlTCmA2ioOWPS1kp7hSB7/kSg="
        tags                           = {}
        # (21 unchanged attributes hidden)

        # (4 unchanged blocks hidden)
    }

  # module.lambdas.aws_lambda_function.slack_alert will be updated in-place
  ~ resource "aws_lambda_function" "slack_alert" {
        id                             = "javabin-slack-alert"
      ~ last_modified                  = "2026-03-27T02:17:06.000+0000" -> (known after apply)
      ~ source_code_hash               = "HWyF0Gl/AH/wpVpYaK1xCytPrnnOXwka6pH0jZTGFr4=" -> "Qe3B8I3nLK88y9g2hWSlTCmA2ioOWPS1kp7hSB7/kSg="
        tags                           = {}
        # (21 unchanged attributes hidden)

        # (4 unchanged blocks hidden)
    }

Plan: 0 to add, 2 to change, 0 to destroy.

─────────────────────────────────────────────────────────────────────────────

Saved the plan to: tfplan

To perform exactly these actions, run the following command to apply:
    terraform apply "tfplan"

LLM Review

Risk: 🟢 LOW

Routine Lambda function updates with source code hash changes for securityhub_summary and slack_alert functions.

  • [routine] Two Lambda functions (securityhub_summary and slack_alert) are being updated in-place with new source code hashes, indicating code deployments
  • [routine] No infrastructure changes, no new resources being created or destroyed
  • [routine] Last modified timestamps will be updated automatically by AWS, no manual intervention required
  • [routine] All other infrastructure components (networking, IAM, monitoring, DNS, compute) remain unchanged
  • [routine] No security group modifications, IAM policy changes, or permission boundary alterations

@github-actions

Terraform Plan

🚧 Changes detected — Plan: 0 to add, 2 to change, 0 to destroy.

Plan output
Acquiring state lock. This may take a few moments...

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # module.lambdas.aws_lambda_function.securityhub_summary will be updated in-place
  ~ resource "aws_lambda_function" "securityhub_summary" {
        id                             = "javabin-securityhub-summary"
      ~ last_modified                  = "2026-03-27T02:16:59.000+0000" -> (known after apply)
      ~ source_code_hash               = "HWyF0Gl/AH/wpVpYaK1xCytPrnnOXwka6pH0jZTGFr4=" -> "Qe3B8I3nLK88y9g2hWSlTCmA2ioOWPS1kp7hSB7/kSg="
        tags                           = {}
        # (21 unchanged attributes hidden)

        # (4 unchanged blocks hidden)
    }

  # module.lambdas.aws_lambda_function.slack_alert will be updated in-place
  ~ resource "aws_lambda_function" "slack_alert" {
        id                             = "javabin-slack-alert"
      ~ last_modified                  = "2026-03-27T02:17:06.000+0000" -> (known after apply)
      ~ source_code_hash               = "HWyF0Gl/AH/wpVpYaK1xCytPrnnOXwka6pH0jZTGFr4=" -> "Qe3B8I3nLK88y9g2hWSlTCmA2ioOWPS1kp7hSB7/kSg="
        tags                           = {}
        # (21 unchanged attributes hidden)

        # (4 unchanged blocks hidden)
    }

Plan: 0 to add, 2 to change, 0 to destroy.

─────────────────────────────────────────────────────────────────────────────

Saved the plan to: tfplan

To perform exactly these actions, run the following command to apply:
    terraform apply "tfplan"

LLM Review

Risk: 🟢 LOW

Routine Lambda function updates for securityhub_summary and slack_alert with code hash changes.

  • [routine] Two Lambda functions (securityhub_summary and slack_alert) are being updated in-place with new source code hashes, indicating code deployments
  • [routine] No infrastructure changes, no new resources being created or destroyed
  • [routine] Lambda function metadata (last_modified timestamp) will be updated automatically by AWS upon deployment
  • [routine] Both functions maintain their existing IAM roles, permissions, and event triggers - no security posture changes
  • [routine] No cost implications - existing Lambda functions are being redeployed with updated code

@Alexanderamiri Alexanderamiri merged commit 95a3e4d into main Mar 31, 2026
3 checks passed
@Alexanderamiri Alexanderamiri deleted the fix/slack-alert-quality branch March 31, 2026 10:12
Alexanderamiri added a commit that referenced this pull request May 9, 2026
## Summary
- **Show person in alerts**: "By: Alexanderamiri via javabin-ci-infra
(CI/CD)" instead of just "javabin-ci-infra (CI/CD)". Also adds "— by
Alexanderamiri" to the source line. The data was already parsed from the
session name but never displayed.
- **Tags on all alert types**: Deletion and modification alerts now show
tags (team, service, created-by, commit, etc.) — previously only
creation alerts did.
- **Consolidate deletion noise**: Multiple Delete* events on the same
resource within 5 minutes (e.g. DeleteBucketWebsite + DeleteBucket +
DeleteBucketPublicAccessBlock) now produce only one alert instead of
three.
- **Suppress CI-triggered security findings**: SecurityHub and GuardDuty
findings for resources recently created/modified/deleted by CI
(10-minute window) are suppressed. This prevents noise like "S3 should
block public access" firing because CI just deleted a bucket.
- **Unified footer**: Replaced `context_footer` with `_build_footer`
everywhere so IAM changes and console logins also show actor info.

## Test plan
- [ ] Merge and let CI deploy the updated lambda
- [ ] Trigger a CI change that creates/modifies/deletes a resource
- [ ] Verify Slack alert shows person name in "By:" line and source line
- [ ] Verify tags appear in deletion/modification alerts
- [ ] Verify only one alert fires for multi-step deletions (e.g. S3
bucket)
- [ ] Verify no SecurityHub/GuardDuty noise for the CI-managed resource