From fd324f40de797478e33047b150e290b333da63ad Mon Sep 17 00:00:00 2001
From: can-gaa-hou <jiahaochen535@gmail.com>
Date: Tue, 23 Jun 2026 15:44:06 +0800
Subject: [PATCH 1/2] Add EventBridge sweeper configuration and interval
 variable

---
 crcr/aws/sweeper.tf   | 29 +++++++++++++++++++++++++++++
 crcr/aws/variables.tf |  6 ++++++
 2 files changed, 35 insertions(+)
 create mode 100644 crcr/aws/sweeper.tf

diff --git a/crcr/aws/sweeper.tf b/crcr/aws/sweeper.tf
new file mode 100644
index 00000000..bbd83e3a
--- /dev/null
+++ b/crcr/aws/sweeper.tf
@@ -0,0 +1,29 @@
+# Active sweeper: EventBridge fires the callback lambda on a fixed schedule so it
+# can scan the Redis ZSET of in-progress jobs and time out any "zombie" jobs whose
+# expected-timeout score has elapsed. The callback handler routes on the constant
+# payload below to branch into the cleanup logic.
+
+resource "aws_cloudwatch_event_rule" "sweeper" {
+  name                = "crcr-sweeper-${var.environment}"
+  description         = "Periodic trigger for the cross-repo-ci callback lambda to reap timed-out jobs"
+  schedule_expression = "rate(${var.sweeper_interval_minutes} minutes)"
+  tags                = local.tags
+}
+
+resource "aws_cloudwatch_event_target" "sweeper" {
+  rule      = aws_cloudwatch_event_rule.sweeper.name
+  target_id = "crcr-callback-sweeper"
+  arn       = aws_lambda_function.callback.arn
+
+  input = jsonencode({
+    source = "crcr.sweeper"
+  })
+}
+
+resource "aws_lambda_permission" "sweeper_invoke" {
+  statement_id  = "AllowEventBridgeSweeperInvoke"
+  function_name = aws_lambda_function.callback.function_name
+  action        = "lambda:InvokeFunction"
+  principal     = "events.amazonaws.com"
+  source_arn    = aws_cloudwatch_event_rule.sweeper.arn
+}
diff --git a/crcr/aws/variables.tf b/crcr/aws/variables.tf
index 4e5405e7..c5513dc2 100644
--- a/crcr/aws/variables.tf
+++ b/crcr/aws/variables.tf
@@ -66,3 +66,9 @@ variable "oot_status_ttl" {
   type        = number
   default     = 259200
 }
+
+variable "sweeper_interval_minutes" {
+  description = "How often EventBridge triggers the callback lambda to reap timed-out jobs (minutes)"
+  type        = number
+  default     = 10
+}

From 15a036c20f1680a7da032589eddd1ebaaeae5784 Mon Sep 17 00:00:00 2001
From: can-gaa-hou <jiahaochen535@gmail.com>
Date: Wed, 24 Jun 2026 11:04:08 +0800
Subject: [PATCH 2/2] Add validation for sweeper_interval_minutes to enforce
 minimum value

---
 crcr/aws/variables.tf | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/crcr/aws/variables.tf b/crcr/aws/variables.tf
index c5513dc2..63a8ebda 100644
--- a/crcr/aws/variables.tf
+++ b/crcr/aws/variables.tf
@@ -71,4 +71,9 @@ variable "sweeper_interval_minutes" {
   description = "How often EventBridge triggers the callback lambda to reap timed-out jobs (minutes)"
   type        = number
   default     = 10
+
+  validation {
+    condition     = var.sweeper_interval_minutes >= 2
+    error_message = "sweeper_interval_minutes must be >= 2; more frequent sweeps reap too few zombies to be worthwhile."
+  }
 }