(aws-ecr): ECR EventBridge rule has incorrect event pattern

[Brads3290]

Describe the bug

Using the CDK, creating an EventBridge rule on an ECR repository creates a rule with the following event pattern:

{
  "resources": ["arn:aws:ecr:ap-southeast-2:<account-id>:repository/my-repository-name"],
  "source": ["aws.ecr"]
}

However when ECR sends the event, "resources" is empty, so the rule never matches (example from https://docs.aws.amazon.com/AmazonECR/latest/userguide/ecr-eventbridge.html#ecr-eventbridge-bus):

{
    "version": "0",
    "id": "13cde686-328b-6117-af20-0e5566167482",
    "detail-type": "ECR Image Action",
    "source": "aws.ecr",
    "account": "123456789012",
    "time": "2019-11-16T01:54:34Z",
    "region": "us-west-2",
    "resources": [], // <--- empty, rule fails
    "detail": {
        "result": "SUCCESS",
        "repository-name": "my-repository-name",
        "image-digest": "sha256:7f5b2640fe6fb4f46592dfd3410c4a79dac4f89e4782432e0378abcd1234",
        "action-type": "PUSH",
        "image-tag": "latest"
    }
}

Expected Behavior

Use the detail.repository-name field as a filter instead of resources:

{
  "detail": {
    "repository-name": ["my-repository-name"]
  },
  "source": ["aws.ecr"]
}

Current Behavior

Uses resources as a filter, which is empty in the real event

Reproduction Steps

var ecrRepo = new EcrRepository(this, "CiTestEcrRepository", new EcrRepositoryProps());
ecrRepo.OnEvent("EcrRepoEventRule", new OnEventOptions() {
    Target = new LambdaFunction(myLambdaHandler),
});

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.127.0 (build 6c90efc)

Framework Version

.NET 8

Node.js Version

v18.16.1

OS

MacOS

Language

.NET

Language Version

.NET 8

Other information

No response

[Brads3290]

Also, CDK adds the resources filter even if you specify your own event pattern, including if you set Resources to null or an empty array:

ecrRepo.OnEvent("EcrRepoEventRule", new OnEventOptions() {
    Target = new LambdaFunction(ecrHandler),
    EventPattern = new EventPattern() {
        Source = new[] { "aws.ecr" },
        Resources = null, //Setting to `null` or `new string[0]` doesn't help
        Detail = new Dictionary<string, object>() {
            ["repository-name"] = new[] { ecrRepo.RepositoryName },
        },
    },
});

Result:

{
  "resources": ["arn:aws:ecr:ap-southeast-2:<account-id>:repository/repository-name"],
  "detail": {
    "repository-name": ["repository-name"]
  },
  "source": ["aws.ecr"]
}

[Brads3290]

Workaround is to create the rule directly via the EventBridge CDK Rule construct:

new Rule(this, "EcrRepoEventRule", new RuleProps() {
    Targets = new IRuleTarget[] {
        new LambdaFunction(ecrHandler),
    },
    EventPattern = new EventPattern() {
        Source = new[] { "aws.ecr" },
        Detail = new Dictionary<string, object>() {
            ["repository-name"] = new[] { ecrRepo.RepositoryName },
        },
    },
});

[pahud]

Yes I get this when I synth:

  Type: AWS::Events::Rule
    Properties:
      EventPattern:
        source:
          - aws.ecr
        resources:
          - Fn::GetAtt:
              - CiTestEcrRepository95B2A864
              - Arn
      State: ENABLED
      Targets:
        - Arn:
            Fn::GetAtt:
              - Func217E03A4
              - Arn
          Id: Target0

And looks like the resources should be empty according to the doc. And we probably should filter the repository-name in the detail.

[msambol]

I'll take this.

[msambol]

@pahud I started a PR for this but please see my comment in the description. The Lambda trigger does not created on the Lambda side.