amazon-web-servicespattern-matchingrulesaws-event-bridgesuffix

How to modify AWS EventBridge Rule to use AND instead of OR filter logic?


I want to trigger an AWS lambda function via EventBridge every time an S3 Object is created in an S3 bucket called "mybucket", but ONLY if its name/key ends with a ".csv"-suffix AND if it was created within the "in"-folder of that bucket. The EventBridge Rule that I currently have is this:

{
  "detail-type": ["Object Created"],
  "source": ["aws.s3"],
  "detail": {
    "bucket": {
      "name": ["mybucket"]
    },
    "object": {
      "key": [{
        "suffix": ".csv"
      }, {
        "prefix": "in/"
      }]
    }
  }
}

I would actually expect this rule to work the correct way BUT it is not, instead it behaves as if there was an OR relation between the suffix and prefix filter conditions. As I understand the AWS Documentation (https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-event-patterns-content-based-filtering.html#eb-filtering-complex-example) the above rule should define an AND relation between the suffix and prefix filter conditions similar to this example given in the documentation:

{
  "time": [ { "prefix": "2017-10-02" } ],
  "detail": {
    "state": [ { "anything-but": "initializing" } ],
    "c-count": [ { "numeric": [ ">", 0, "<=", 5 ] } ],
    "d-count": [ { "numeric": [ "<", 10 ] } ],
    "x-limit": [ { "anything-but": [ 100, 200, 300 ] } ]
  }
}

Whereas an OR relation would require an extra $or-syntax as in this example given in the documentation:

{
  "detail": {
    "$or": [
      { "c-count": [ { "numeric": [ ">", 0, "<=", 5 ] } ] },
      { "d-count": [ { "numeric": [ "<", 10 ] } ] },
      { "x-limit": [ { "numeric": [ "=", 3.018e2 ] } ] }
    ]
  }
}

So, why is my rule behaving as if there was an OR relation between the suffix and prefix conditions? And what do I need to change to get it working the way I want?


Solution

  • This is not possible at the moment

    There are two ways to setup something that "look like and operator` and do not throw syntax errors, but they will work differently:

    1. Two keys with different filter (as proposed by Peter Bouwdewijn) - the latter filter will overwrite the former, so it will only filter by suffix, prefix will be completely ignored:
      "key": [{"prefix": "example/directory/"}],
      "key": [{"suffix": ".png"}]
      
      Input "key": "other/directory/image.png" will be valid
    2. Provide two filter objects in the same array - they will act as OR operator:
      "key": [{"prefix": "example/directory/"}, {"suffix": ".png"}]
      
      Both inputs "key": "other/directory/image.png" and "key": "example/directory/not_image.txt" will be valid

    See Content-based filtering and Arrays pages of the AWS EventBridge documentation for more info