Production-ready AWS EventBridge rules infrastructure managed by Terraform. Create multiple event-driven and scheduled rules from JSON configuration with built-in monitoring, dead letter queues, and multi-environment support.
- JSON-Driven Configuration: Define multiple EventBridge rules in JSON files
- Schedule & Event Patterns: Support for both cron/rate schedules and event patterns
- Multiple Target Types: Lambda, SQS, SNS, ECS, Batch, Kinesis, and more
- Multi-Environment: Separate dev, staging, and production configurations
- Dead Letter Queue: Automatic DLQ for failed event deliveries
- KMS Encryption: Optional encryption for DLQ and SNS topics
- CloudWatch Monitoring: Pre-configured alarms and metrics
- CloudWatch Logs: Event debugging and audit trails
- SNS Alerts: Email notifications for failures
- Comprehensive Tagging: Cost allocation and resource tracking
- Makefile Automation: One-command deployments
- CI/CD Ready: GitHub Actions workflows included
- Security Scanning: TFLint and Checkov integration
- Pre-commit Hooks: Automated validation before commits
- Drift Detection: Monitor infrastructure changes
- AWS CLI configured
- Terraform >= 1.6.0
- Make (optional but recommended)
```bash
# 1. Configure your rules
vim rules.json
# Edit rules.json with your EventBridge rules
# 2. Configure environment
vim envs/dev/terraform.tfvars
# 3. Deploy
make deploy-all ENV=dev
```

```bash
cd infra
terraform init
terraform plan -var-file=../envs/dev/terraform.tfvars
terraform apply -var-file=../envs/dev/terraform.tfvars
```

```
template-eventbridge-rules/
├── .github/workflows/    # CI/CD pipelines
├── docs/                 # Comprehensive documentation
├── envs/                 # Environment-specific configs
│   ├── dev/
│   ├── staging/
│   └── prod/
├── examples/             # Usage examples
│   ├── scheduled-lambda/
│   ├── s3-event-processor/
│   └── multi-target/
├── infra/                # Terraform infrastructure
│   ├── main.tf
│   ├── variables.tf
│   └── outputs.tf
├── scripts/              # Automation scripts
├── rules.json            # EventBridge rules configuration
├── Makefile              # Automation commands
└── README.md
```
Define your EventBridge rules in JSON format:
```json
[
  {
    "rule_name": "daily-report",
    "description": "Generate daily report at 9 AM UTC",
    "schedule_expression": "cron(0 9 * * ? *)",
    "enabled": true,
    "targets": {
      "lambda": {
        "arn": "arn:aws:lambda:us-east-1:123456789012:function:report-generator"
      }
    },
    "tags": {
      "Purpose": "Reporting"
    }
  },
  {
    "rule_name": "s3-upload-processor",
    "description": "Process new S3 uploads",
    "event_pattern": "{\"source\":[\"aws.s3\"],\"detail-type\":[\"Object Created\"]}",
    "enabled": true,
    "targets": {
      "sqs": {
        "arn": "arn:aws:sqs:us-east-1:123456789012:processing-queue"
      }
    }
  }
]
```

| Property | Type | Required | Description |
|---|---|---|---|
| `rule_name` | string | Yes | Unique rule name |
| `description` | string | No | Rule description |
| `schedule_expression` | string | Conditional | Cron or rate expression (use this OR `event_pattern`) |
| `event_pattern` | string | Conditional | Event pattern JSON (use this OR `schedule_expression`) |
| `enabled` | boolean | No | Enable/disable rule (default: true) |
| `targets` | object | No | Target configuration (Lambda, SQS, SNS, etc.) |
| `tags` | object | No | Additional tags for this rule |
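
The property rules above can be enforced before `terraform plan` ever runs. The following validator is an added example, not the template's own `make validate-rules` implementation. It checks the constraints from the table and, as assumptions of this example, that each target ARN matches its target key (`TARGET_SERVICES`) and sits in an expected account (`allowed_accounts`), so a rule cannot quietly deliver events outside the intended account.

```python
import json
import re

# Assumption: target keys in rules.json map to these ARN service names.
TARGET_SERVICES = {"lambda": "lambda", "sqs": "sqs", "sns": "sns"}
ARN_RE = re.compile(r"^arn:aws[\w-]*:([a-z0-9-]+):[a-z0-9-]*:(\d{12}):.+$")

def validate_rules(rules, allowed_accounts=None):
    """Return a list of problems; an empty list means every rule passed."""
    problems, seen = [], set()
    for i, rule in enumerate(rules):
        name = rule.get("rule_name")
        label = name if isinstance(name, str) and name else f"rule[{i}]"
        if label != name:
            problems.append(f"{label}: rule_name is required")
        elif name in seen:
            problems.append(f"{label}: duplicate rule_name")
        seen.add(label)
        has_schedule, has_pattern = "schedule_expression" in rule, "event_pattern" in rule
        if has_schedule == has_pattern:
            problems.append(f"{label}: set exactly one of schedule_expression or event_pattern")
        if has_schedule and not re.match(r"^(cron|rate)\(.+\)$", str(rule["schedule_expression"])):
            problems.append(f"{label}: schedule_expression must be cron(...) or rate(...)")
        if has_pattern:
            try:  # event_pattern is a JSON document embedded as a string
                if not isinstance(json.loads(rule["event_pattern"]), dict):
                    raise ValueError("not an object")
            except (TypeError, ValueError):
                problems.append(f"{label}: event_pattern is not a JSON object string")
        for kind, target in (rule.get("targets") or {}).items():
            arn = target.get("arn", "") if isinstance(target, dict) else ""
            match = ARN_RE.match(str(arn))
            if not match:
                problems.append(f"{label}: {kind} target has a malformed ARN")
                continue
            service, account = match.groups()
            if TARGET_SERVICES.get(kind, service) != service:
                problems.append(f"{label}: {kind} target points at a {service} ARN")
            if allowed_accounts and account not in allowed_accounts:
                problems.append(f"{label}: {kind} target is in unexpected account {account}")
    return problems

# Constructed sample input: the second rule breaks four of the checks above.
SAMPLE_RULES = [
    {"rule_name": "daily-report", "schedule_expression": "cron(0 9 * * ? *)",
     "targets": {"lambda": {"arn": "arn:aws:lambda:us-east-1:123456789012:function:report-generator"}}},
    {"rule_name": "daily-report", "schedule_expression": "rate(1 hour)", "event_pattern": "{}",
     "targets": {"sqs": {"arn": "arn:aws:sns:us-east-1:999999999999:notifications"}}},
]
```

Calling `validate_rules(SAMPLE_RULES, {"123456789012"})` reports the duplicate name, the schedule/pattern conflict, the SQS target carrying an SNS ARN, and the unexpected account.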
```bash
# Deployment
make deploy-all ENV=dev     # Complete deployment
make plan ENV=prod          # Show planned changes
make apply ENV=staging      # Apply changes
make destroy ENV=dev        # Destroy infrastructure
# Validation
make validate               # Validate Terraform
make validate-rules         # Validate rules JSON
make fmt                    # Format code
make security-scan          # Run security scans
# Monitoring
make outputs ENV=prod       # Show outputs
make list-rules ENV=prod    # List all rules
make check-dlq ENV=prod     # Check DLQ status
make rule-status ENV=dev    # Show rule statuses
# Quality
make pre-commit             # Run pre-commit checks
make drift-detect ENV=prod  # Detect configuration drift
```

Key variables to configure in `envs/{ENV}/terraform.tfvars`:
| Variable | Description | Default |
|---|---|---|
| `environment` | Environment name (dev/staging/prod) | - |
| `project_name` | Project identifier | eventbridge |
| `aws_region` | AWS region | us-east-1 |
| `rules_path` | Path to rules JSON file | ../rules.json |
| `enable_dlq` | Enable Dead Letter Queue | true |
| `enable_encryption` | Enable KMS encryption | true |
| `enable_monitoring` | Enable CloudWatch alarms | true |
| `create_sns_topic` | Create SNS for alerts | false (dev), true (prod) |
| `alert_email` | Email for alarm notifications | - |
See docs/CONFIGURATION.md for complete reference.
Pre-configured alarms:
- Failed Invocations: Triggers when event delivery fails
- DLQ Messages: Triggers when messages appear in DLQ
- Configurable thresholds per environment
Monitor key metrics:
- Invocations count
- Failed invocations
- Throttled events
- Dead letter queue depth
Failed events are automatically sent to a DLQ for:
- Troubleshooting failed deliveries
- Replay capability
- Audit trail
Check DLQ status:
```bash
make check-dlq ENV=prod
```

- Encryption: KMS encryption for DLQ and SNS (optional)
- IAM: Least privilege access for EventBridge
- Audit: CloudWatch Logs for event tracking
- Validation: Pre-commit hooks and CI/CD checks
- Scanning: TFLint and Checkov security scans
```bash
make security-scan  # Run TFLint + Checkov
make tflint         # Run TFLint only
make checkov        # Run Checkov only
```

```json
{
  "rule_name": "hourly-cleanup",
  "schedule_expression": "rate(1 hour)",
  "targets": {
    "lambda": {
      "arn": "arn:aws:lambda:us-east-1:123456789012:function:cleanup"
    }
  }
}
```

```json
{
  "rule_name": "s3-processor",
  "event_pattern": "{\"source\":[\"aws.s3\"],\"detail-type\":[\"Object Created\"]}",
  "targets": {
    "sqs": {
      "arn": "arn:aws:sqs:us-east-1:123456789012:processor-queue"
    }
  }
}
```

```json
{
  "rule_name": "multi-target-rule",
  "schedule_expression": "cron(0 12 * * ? *)",
  "targets": {
    "lambda": {
      "arn": "arn:aws:lambda:us-east-1:123456789012:function:processor"
    },
    "sns": {
      "arn": "arn:aws:sns:us-east-1:123456789012:notifications"
    }
  }
}
```

See examples/ for more use cases.
- Check rule is enabled: `make rule-status ENV=dev`
- Verify schedule expression/event pattern syntax
- Check CloudWatch Logs: `/aws/events/{project}-{env}`
- Review target permissions
- Check DLQ: `make check-dlq ENV=prod`
- Review CloudWatch alarms
- Verify target ARNs are correct
- Check target resource permissions
See docs/TROUBLESHOOTING.md for detailed debugging guides.
Automated workflows:
- Validation: Format, validate, and lint on every push
- Security: Checkov scans on PRs
- Plan: Show Terraform plan on PRs
- Apply: Auto-deploy on merge (optional)
Install hooks:
```bash
pip install pre-commit
pre-commit install
```

Hooks run automatically on commit:
- Terraform format
- Terraform validate
- TFLint
- Checkov
- JSON validation
Typical monthly costs:
| Component | Usage | Est. Cost |
|---|---|---|
| EventBridge | 1M events/month | $1.00 |
| CloudWatch Logs | 1GB | $0.50 |
| SQS DLQ | Minimal usage | $0.10 |
| KMS | 1 key | $1.00 |
| Total | | ~$2.60/month |
EventBridge offers:
- First 14M events/month: FREE (new accounts)
- $1.00 per million events thereafter
- Edit `rules.json`
- Validate: `make validate-rules`
- Plan: `make plan ENV=dev`
- Apply: `make apply ENV=dev`
```bash
# Validate configuration
make validate
# Check formatting
make fmt
# Run security scans
make security-scan
# Pre-commit checks
make pre-commit
```

MIT License - see LICENSE for details.
- Run `make help` to see all available commands and get help with common tasks
- Open a support ticket at https://senora.dev/NewTicket
Built with:
Template Version: 1.0.0 Last Updated: November 2025 Maintained by: Senora.dev