From 1c66495f7ec7cc85e723c68c5d2d3bf7297ea6ba Mon Sep 17 00:00:00 2001
From: Alexander Amiri
Date: Sat, 14 Mar 2026 00:15:08 +0100
Subject: [PATCH] Fix EventBridge rules: use prefix matching instead of hardcoded event names
CloudTrail event names include version suffixes (e.g. CreateFunction20150331, DeleteFunction20150331) which didn't match the hardcoded names. Using prefix matching (Create*, Delete*, Modify*, etc.) scoped by source service catches all variants without maintaining explicit lists.
Fixes missing Slack alerts for Lambda creation/deletion and other resources.
---
 terraform/platform/lambdas/main.tf | 6 ++----
 terraform/platform/monitoring/main.tf | 23 ++++++++++++-----------
 2 files changed, 14 insertions(+), 15 deletions(-)
diff --git a/terraform/platform/lambdas/main.tf b/terraform/platform/lambdas/main.tf
index 8354e39..1e1e86a 100644
--- a/terraform/platform/lambdas/main.tf
+++ b/terraform/platform/lambdas/main.tf
@@ -854,10 +854,8 @@ resource "aws_cloudwatch_event_rule" "compliance_reporter_trigger" {
 detail-type = ["AWS API Call via CloudTrail"]
 detail = {
 eventName = [
- "CreateBucket", "RunInstances", "CreateDBInstance",
- "CreateService", "CreateFunction20150331", "CreateLoadBalancer",
- "CreateSecurityGroup", "CreateNatGateway", "CreateVpc", "CreateSubnet",
- "CreateTargetGroup",
+ { "prefix" : "Create" },
+ { "prefix" : "Run" },
 ]
 }
 })
diff --git a/terraform/platform/monitoring/main.tf b/terraform/platform/monitoring/main.tf
index c5f461a..e041895 100644
--- a/terraform/platform/monitoring/main.tf
+++ b/terraform/platform/monitoring/main.tf
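Review bot: Nothing in the detail pattern restricts the new `{ "prefix" : "Create" }` and `{ "prefix" : "Run" }` entries to a service: in this hunk `detail = {` is followed directly by `eventName = [` and closed right after it, so there is no `eventSource` key, and the rule now fires for every CloudTrail management event in the account whose name begins with Create or Run (high-volume ones such as CloudWatch Logs `CreateLogStream` or ECS `RunTask` included), not just the resource types the removed list named. That contradicts the "scoped by source service" wording of the commit message and turns the compliance-reporter trigger into a broad invocation source, with cost, throttling and alert-fatigue consequences. The same unscoped pattern appears in the `resource_creation` and `resource_modification` hunks of terraform/platform/monitoring/main.tf. Keeping the prefix matching but adding a service allow-list inside `detail`, e.g. `eventSource = ["lambda.amazonaws.com", "ec2.amazonaws.com", "s3.amazonaws.com", "rds.amazonaws.com", "ecs.amazonaws.com", "elasticloadbalancing.amazonaws.com"]`, restores the scope the old list had. The enclosing `resource` block continues outside the hunk.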
@@ -88,10 +88,11 @@ resource "aws_cloudwatch_event_rule" "iam_changes" {
 detail = {
 eventSource = ["iam.amazonaws.com"]
 eventName = [
- "CreateRole", "DeleteRole",
- "PutRolePolicy", "AttachRolePolicy",
- "DetachRolePolicy", "DeleteRolePolicy",
- "CreatePolicy", "DeletePolicy",
+ { "prefix" : "Create" },
+ { "prefix" : "Delete" },
+ { "prefix" : "Put" },
+ { "prefix" : "Attach" },
+ { "prefix" : "Detach" },
 ]
 }
 })
@@ -166,9 +167,8 @@ resource "aws_cloudwatch_event_rule" "resource_creation" {
 detail-type = ["AWS API Call via CloudTrail"]
 detail = {
 eventName = [
- "CreateBucket", "RunInstances", "CreateDBInstance",
- "CreateService", "CreateFunction", "CreateQueue",
- "CreateTable", "CreateLoadBalancer",
+ { "prefix" : "Create" },
+ { "prefix" : "Run" },
 ]
 }
 })
@@ -196,10 +196,11 @@ resource "aws_cloudwatch_event_rule" "resource_modification" {
 detail-type = ["AWS API Call via CloudTrail"]
 detail = {
 eventName = [
- "ModifyDBInstance",
- "DeleteBucket",
- "StopInstances", "TerminateInstances",
- "DeleteService", "DeleteFunction",
+ { "prefix" : "Modify" },
+ { "prefix" : "Update" },
+ { "prefix" : "Delete" },
+ { "prefix" : "Stop" },
+ { "prefix" : "Terminate" },
 ]
 }
 })
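Review bot: The five prefixes added to `iam_changes` still leave out the IAM calls that change what a principal is allowed to do: `UpdateAssumeRolePolicy` (trust policy), `SetDefaultPolicyVersion`, `AddUserToGroup`, `UpdateLoginProfile` and `UpdateAccessKey` begin with Update, Set or Add, so this rule, correctly scoped to `iam.amazonaws.com`, does not match them. The removed list had the same gap, and the prefix approach introduced here is the natural place to close it rather than maintaining another explicit list. Adding `{ "prefix" : "Update" },` `{ "prefix" : "Set" },` `{ "prefix" : "Add" },` to the `eventName` list (and `Remove` for the inverse group and policy operations) covers them. The rest of the `resource` block lies outside the hunk.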
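Review bot: With `{ "prefix" : "Delete" }` now in `resource_modification` and no `eventSource` inside its `detail` block (the hunk shows `detail = {` followed directly by `eventName = [`), an IAM `DeleteRole` or `DeletePolicy` matches both this rule and `iam_changes`, which gains the same `Delete` prefix earlier in this file; if both rules feed the same Slack target, each such call is reported twice. Conversely the `Update` prefix here catches IAM `Update*` calls that `iam_changes` does not, so IAM coverage ends up split across two rules with different labels. Excluding IAM from this rule, e.g. `eventSource = [{ "anything-but" : ["iam.amazonaws.com"] }]` inside `detail`, keeps one rule authoritative per service while the service-specific rule stays complete. The remainder of the `resource` block is outside the hunk.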