Motivation

Event filtering is insufficiently tested and implemented in too many places in LocalStack 😢
Before we can unify all existing implementations, we need a robust AWS-validated test suite.

Existing implementations in LocalStack:

1. [localstack] test_event_pattern in the EventBridge provider implements a simplistic check whether a key is present in ~1 LOC.
2. [localstack] filter_event (inner method!) in the EventBridge provider implements the Amazon EventBridge event patterns in ~200 LOC. The implementation is confusing (e.g., operators are implemented multiple times), hard to maintain, and has several refactoring TODOs.
3. [moto-ext] _does_event_match within the EventPattern models of moto-ext implements the same Amazon EventBridge event patterns in ~50 LOC. The implementation is short and concise (e.g., mapping operators to functions < => lt) but incomplete. LocalStack patches this implementation in the EventBridge provider. Hence, it is not used within LocalStack.
4. [localstack-ext] filter_event in the Pipes utils is a copy/pasted implementation from EventBridge. It was temporarily copied because the EventBridge implementation was not re-usable but will be unified within this PR. It implements Amazon EventBridge Pipes filtering, which appears to be the same implementation as for EventBridge.
5. [localstack] filter_stream_record in the Lambda Event Source Mapping (ESM) utils is ~110 LOC. It implements the Lambda event filtering, which appears to be the same implementation as for Pipes and EventBridge. We know from other sources that ESM and Pipes use the same infrastructure at AWS.
6. [localstack] _evaluate_nested_filter_policy_on_dict within the "SubscriptionFilter" of SNS is ~130 LOC. It implements Amazon SNS subscription filter policies, which appear very similar to the EventBridge implementation. However, this implementation is not identical (e.g., does not support the wildcard operator).
7. [moto-ext] _compute_body_checks within the SNS utils in moto-ext implements Amazon SNS subscription filter policies is ~340 LOC. In addition to the matching functionality, moto-ext also implements the filter validation using a complexity calculation in _validate_filter_policy. These extra ~170 LOC also cover several exception cases. According to @bentsku, our moto-ext implementation also got backported to upstream moto.

AWS recently (2024-02-01) open-sourced https://github.com/aws/event-ruler. This rule engine implements the above filtering patterns. It is written in Java in ~6k LOC. Their blog post mentions that the internals are built on top of finite state machines, which can be updated dynamically with new rules.

Changes

• Make test_event_pattern in the event provider use our EventBridge filtering implementation
• Add a suite of ~70 aws-validated tests based on the documentation of the filtering patterns. The tests mainly based on the original Amazon EventBridge event patterns but also inspired from the open source event ruler and discovered edge cases. The test suite has a good initial operator coverage but misses further edge cases and exception cases.
• Extract the implementation from the EventBridge provider into a separate utils file
• Refactor (e.g., filter_event => matches_event) and fix several issues in the EventBridge filter_events method and its helpers (e.g., improved handling of numeric operators and improved list intersections handling)
• Refactor (e.g., filter_stream_record => does_match_event) and fix several issues (e.g., operator casing, numeric conditions, raising exceptions)

Testing

Within localstack/services/events/provider.py, test_event_pattern can be used to invoke different implementation within LocalStack.

Discussion

Raising exceptions instead of silently ignoring the error case and returning True/False is a behavior change that can help us to make issues more visible. Background processes should handle such exceptions better (e.g., The SQS ESM implementation just drops the entire batch upon unhandled exceptions). At AWS, more exceptions are probably caught earlier because the rule engine can validate rules before actually doing a matching.