ADR-029: Domain event routing via Amazon EventBridge
| Status | Superseded |
| Date | 2026-04-10 |
| Deciders | CTO, Head of Architecture |
| Affects repos | bank-core, bank-kyc, bank-aml, bank-payments, bank-credit, bank-risk-platform, bank-platform, bank-app |
| Superseded by | ADR-051 |
Superseded. This ADR has been superseded by ADR-051 (EventBridge bus naming convention). Note: ADR-051 only corrects the bus naming convention — the core EventBridge bus-per-domain architecture decisions in this ADR remain valid.
Status
Superseded — 2026-05-01 (by ADR-051)
Context
Lambda functions across system domains must react to state changes in other domains without point-to-point coupling. Examples: a payment event triggers AML monitoring; KYC completion triggers account activation; a transaction triggers the insight engine.
The AI-generated ADR-003 assigned this to Kafka topics. That decision is replaced. Inter-Lambda event routing has distinct requirements from CDC: business semantics rather than raw DB records, fan-out to zero or many consumers, no requirement for full ordered historical replay, and a schema contract layer for domain governance. The CDC-to-analytics pipeline is addressed in ADR-003.
Decision
Amazon EventBridge is the event bus for all asynchronous inter-Lambda domain events.
Bus topology
One custom EventBridge event bus per system domain:
| Bus | Owner domain | Repo |
|---|---|---|
| bank.core | SD01 Core Banking | bank-core |
| bank.kyc | SD02 KYC Platform | bank-kyc |
| bank-aml | SD03 AML Monitoring | bank-aml |
| bank.payments | SD04 Payments | bank-payments |
| bank.credit | SD05 Credit | bank-credit |
| bank.risk | SD06 Risk Platform | bank-risk-platform |
| bank.platform | SD07 Data Platform | bank-platform |
| bank.app | SD08 App | bank-app |
Publishing
Lambda publishes to its domain bus only after a confirmed Postgres commit — never before. Event schema follows CloudEvents 1.0. Cross-domain publishing requires a documented contract.
Subscribing
Consuming Lambdas attach EventBridge rules to the source domain bus with attribute-level filtering. No consumer is aware of other consumers — full fan-out decoupling.
Schema governance
All event schemas are registered in the EventBridge Schema Registry. Versions must be backward-compatible. Breaking changes require a new event type, not a schema mutation.
Reliability
Every rule target includes an SQS dead letter queue. Failed invocations retry with exponential backoff (3 attempts). Operations monitoring alerts on DLQ depth > 0.
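An added example (not code from this ADR or the bank's repositories) of a check that a rule and its targets follow the subscribing and reliability rules above. The input is shaped like EventBridge `DescribeRule` and `ListTargetsByRule` output; the sample rules, ARNs, the `outcome` field, and the reading of "3 attempts" as `MaximumRetryAttempts: 3` are assumptions.

```python
import json

EXPECTED_RETRIES = 3  # assumption: the ADR's "3 attempts" maps to MaximumRetryAttempts


def audit_rule(rule, targets):
    """Return a list of findings for one rule and its targets (empty list = compliant)."""
    findings = []
    pattern = json.loads(rule.get("EventPattern") or "{}")
    # Assumption: "attribute-level filtering" means the pattern constrains
    # detail-type or a field under detail, not only the source.
    if not (pattern.get("detail-type") or pattern.get("detail")):
        findings.append(f"{rule['Name']}: pattern has no attribute-level filter")
    for t in targets:
        dlq = t.get("DeadLetterConfig", {}).get("Arn", "")
        if not dlq.startswith("arn:aws:sqs:"):
            findings.append(f"{t['Id']}: no SQS dead letter queue")
        retries = t.get("RetryPolicy", {}).get("MaximumRetryAttempts")
        if retries != EXPECTED_RETRIES:
            findings.append(f"{t['Id']}: retry attempts {retries}, expected {EXPECTED_RETRIES}")
    return findings


# Constructed sample data; account id, region and function names are placeholders.
GOOD_RULE = {"Name": "activate-account", "EventBusName": "bank.kyc",
             "EventPattern": json.dumps({
                 "detail-type": ["bank.kyc.verification_completed"],
                 "detail": {"data": {"outcome": ["passed"]}}})}
GOOD_TARGETS = [{
    "Id": "activate-account-fn",
    "Arn": "arn:aws:lambda:eu-west-1:111122223333:function:activate-account",
    "DeadLetterConfig": {"Arn": "arn:aws:sqs:eu-west-1:111122223333:activate-account-dlq"},
    "RetryPolicy": {"MaximumRetryAttempts": 3}}]
BAD_RULE = {"Name": "catch-all", "EventBusName": "bank.kyc",
            "EventPattern": json.dumps({"source": ["bank.kyc"]})}
BAD_TARGETS = [{
    "Id": "catch-all-fn",
    "Arn": "arn:aws:lambda:eu-west-1:111122223333:function:catch-all"}]

if __name__ == "__main__":
    for rule, targets in ((GOOD_RULE, GOOD_TARGETS), (BAD_RULE, BAD_TARGETS)):
        print(rule["Name"], audit_rule(rule, targets) or "ok")
```

A target with no `RetryPolicy` falls back to the EventBridge default retry behaviour, which is why the check reports a missing policy instead of treating it as compliant.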
Synchronous calls
EventBridge handles asynchronous events only. Where a Lambda requires a synchronous response from another Lambda (e.g. fraud score on the payment path), direct Lambda invocation is used — not EventBridge.
Rejected alternatives
| Option | Reason rejected |
|---|---|
| Apache Kafka | Always-on managed cluster; $200–800/month baseline; over-engineered for event routing |
| Amazon SNS + SQS | No schema registry; less expressive filtering; fan-out more complex to govern |
| Point-to-point Lambda invocation (all calls) | Tight coupling; versioning dependency across domain boundaries |
| Amazon MQ / RabbitMQ | Managed broker; always-on cost; legacy messaging pattern |
Consequences
Positive — Serverless; $1/million events, zero baseline cost. Domain buses enforce domain isolation by default. Schema Registry provides a discoverable contract layer across all teams. Rule-based filtering keeps Lambda invocations proportional to actual event volume.
Negative / trade-offs — Asynchronous only; synchronous patterns require separate design. EventBridge has a 256KB event payload limit — large payloads must be stored externally with a reference in the event.
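An added example (not code from this ADR or the bank's repositories) that combines the publishing rules with the payload limit: it wraps a domain event in a CloudEvents 1.0 envelope, refuses buses outside an allow-list, and swaps an oversized payload for an external reference. Mapping the CloudEvents `type` and `source` to `DetailType` and `Source`, the `allowed_buses` set, the `payload_ref` field and the `store_payload` callable are assumptions made for illustration.

```python
import json
import uuid
from datetime import datetime, timezone

MAX_ENTRY_BYTES = 256 * 1024  # payload limit as stated in this ADR


def cloud_event(event_type, source, data):
    """CloudEvents 1.0 envelope; specversion, id, source and type are required."""
    return {
        "specversion": "1.0",
        "id": str(uuid.uuid4()),
        "source": source,
        "type": event_type,
        "time": datetime.now(timezone.utc).isoformat(),
        "datacontenttype": "application/json",
        "data": data,
    }


def to_entry(bus, event):
    """Shape one PutEvents entry (assumed mapping: whole envelope goes in Detail)."""
    return {"EventBusName": bus, "Source": event["source"],
            "DetailType": event["type"], "Detail": json.dumps(event)}


def entry_size(entry):
    """UTF-8 bytes of the fields this entry carries that count toward the limit."""
    return sum(len(entry[k].encode("utf-8")) for k in ("Source", "DetailType", "Detail"))


def build_entry(allowed_buses, bus, event, store_payload):
    """Build the entry to send once the Postgres commit has been confirmed.

    allowed_buses: the domain's own bus plus any bus covered by a documented
    contract (hypothetical parameter). store_payload: hypothetical callable
    that writes bytes to external storage and returns a reference string.
    """
    if bus not in allowed_buses:
        raise PermissionError(f"no documented contract for publishing to {bus}")
    entry = to_entry(bus, event)
    if entry_size(entry) >= MAX_ENTRY_BYTES:
        ref = store_payload(json.dumps(event["data"]).encode("utf-8"))
        entry = to_entry(bus, dict(event, data={"payload_ref": ref}))
    return entry
```

The allow-list check here is a convenience for the publisher; the boundary itself belongs in each Lambda role's IAM policy, with `events:PutEvents` scoped to the ARNs of the allowed buses.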
Signoff record
| Date | Name | Role | Status |
|---|---|---|---|
| 2026-04-10 | Ross Millen | CTO | Approved |
| 2026-04-10 | Ross Millen | Head of Architecture | Approved |
| 2026-04-10 | Ross Millen | Head of Data | Approved |
Capabilities
| Capability | Description | Relationship |
|---|---|---|
| CAP-012 | Merchant name enrichment & logo | enabled — bank.transactions.authorised event triggers enrichment pipeline |
| CAP-038 | Real-time fraud scoring & block | enabled — transaction event triggers asynchronous fraud score update |
| CAP-046 | Real-time account opening (sub-10 minutes) | enabled — bank.kyc.verification_completed event triggers account activation |
| CAP-064 | Customer automation rules (sweep, round-up, rate alert, safety net) | enabled — event-driven rules subscribe to salary credit, balance, and card events |
| CAP-103 | Notification triggering | enabled — domain events trigger notification Lambdas via EventBridge rules |
Related decisions
| ADR | Title | Relationship |
|---|---|---|
| ADR-003 | CDC pipeline — Neon Postgres to Snowflake via Firehose and Apache Iceberg | CDC handles analytics ingest; EventBridge handles inter-Lambda routing |
| ADR-025 | API layer — HTTP API Gateway and SST | synchronous Lambda invocation is used alongside EventBridge |
Compiled 2026-05-22 from source/entities/adrs/ADR-029.yaml