fix: EventBridge runtime filtering + remove pending canvas #379
Merged
Prefix filtering belongs in Docker (runtime secret), not the EventBridge rule. The rule itself must be created in Quilt stack IaC for integrated mode. Filed quiltdata/enterprise#1028 for pkgevents bus/source issues. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The EventBridge rule previously filtered on detail.bucket and detail.handle (prefix), but both values come from Secrets Manager and are unavailable at deploy time in integrated-mode stacks where the Quilt IaC creates the rule independently. Simplify the rule to match only source + detail-type, and add runtime prefix filtering in the Docker handler alongside the existing bucket check. This unblocks integrated-mode EventBridge rule creation with zero dependency on secret-derived values. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Remove architecture, file lists, and patterns that agents can derive from code. Keep only policy, gotchas, and the critical rule to use project npm scripts (not built-in npm commands) for version bumps. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…ata/benchling-webhook into 2026-04-11-iac-integrated
The pending canvas was a net negative: it replaced a working canvas with a degraded one (disabled buttons, stripped links, Athena errors) just to show "Updating...", then replaced it again with identical content. Now the canvas stays unchanged until the EventBridge package event confirms the update. Footer shows "Pending update" instead of the misleading "Up to date" when no confirmed timestamp exists. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
AWS LF rejects TableWildcard grants for IAM_ALLOWED_PRINCIPALS. Per-role TableWildcard grants work fine — need to swap the principal. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Iceberg tables are also runtime-created. Both UserAthenaDatabase (7 roles) and IcebergDatabase (2 roles) need per-role TableWildcard grants. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- 02: updated analysis (Iceberg tables also runtime-created)
- 03: per-role grants fail without LF admin status
- 04: LF admin list is the real blocker
- 05: added GitHub-Deployment to LF admin list, deploy succeeded

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
LF TableWildcard grants require LF admin privileges that vary by account. Gate them behind EnableLakeFormationGrants CFT parameter (default Disabled) so deploys don't break on accounts without LF admin setup. Terraform variable added in quiltdata/iac#104. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Summary
- source + detail-type — removes detail.bucket and detail.handle prefix filter that depended on deploy-time values derived from Secrets Manager
- app.py) alongside the existing bucket check
- PackagePrefix CloudFormation parameter (no longer needed)

Companion PR
Context
See spec/2026-04-11-iac-integrated/01-iac-breakage.md for the full analysis.
Test plan
- npm test — 380 Python tests pass
- npm run test:integration — integration tests
- npm run test:local — Docker build + webhook tests

🤖 Generated with Claude Code
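The runtime check that the commit messages and summary above describe (bucket and prefix enforced in the handler once the rule matches only source + detail-type), as an added example that is not the project's app.py. The source and detail-type strings, bucket, prefix, sample events and function names are constructed placeholders, and matching the prefix on a "/" boundary is an assumption of this example rather than documented project behaviour.

```python
"""Runtime bucket/prefix filter for package events (added illustration)."""

# Rule pattern before: needs bucket and prefix, which live in Secrets Manager.
# Every concrete value below is a constructed placeholder.
RULE_BEFORE = {
    "source": ["example.pkgevents"],
    "detail-type": ["example-package-event"],
    "detail": {"bucket": ["example-bucket"], "handle": [{"prefix": "benchling/"}]},
}
# Rule pattern after: no secret-derived values, so IaC can create it on its own.
RULE_AFTER = {"source": ["example.pkgevents"], "detail-type": ["example-package-event"]}


def should_process(event, bucket, prefix):
    """Return (accepted, reason); reject on missing or malformed input."""
    if not bucket or not prefix:
        return False, "runtime config missing"  # fail closed, never match-all
    detail = event.get("detail") if isinstance(event, dict) else None
    if not isinstance(detail, dict):
        return False, "no detail"
    ev_bucket, handle = detail.get("bucket"), detail.get("handle")
    if not isinstance(ev_bucket, str) or not isinstance(handle, str):
        return False, "malformed detail"
    if ev_bucket != bucket:
        return False, "bucket mismatch"
    # Assumption: compare on a path boundary, so prefix "benchling" does not
    # also accept the unrelated namespace "benchling-other/...".
    if not handle.startswith(prefix.rstrip("/") + "/"):
        return False, "prefix mismatch"
    return True, "ok"


def triage(events, bucket, prefix):
    """Reasons for a batch, in order; useful for logging dropped events."""
    return [should_process(e, bucket, prefix)[1] for e in events]


# Constructed events as they would arrive under RULE_AFTER.
SAMPLE_EVENTS = [
    {"detail": {"bucket": "example-bucket", "handle": "benchling/exp-001"}},
    {"detail": {"bucket": "other-bucket", "handle": "benchling/exp-001"}},
    {"detail": {"bucket": "example-bucket", "handle": "benchling-other/exp-001"}},
    {"detail-type": "example-package-event"},
    {"detail": {"bucket": "example-bucket", "handle": None}},
]

if __name__ == "__main__":
    for reason in triage(SAMPLE_EVENTS, "example-bucket", "benchling"):
        print(reason)
```

With the broader rule, every package event from the source reaches the handler, so this check is the only thing separating in-scope packages from the rest and a rejected event is worth logging with its reason.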