Promiscuous Lambda permissions to CloudWatch events

Hi, I hope someone can give me a bit of a hand here.
I’ve been using serverless for about a year now, and have deployed lots of little projects with it – it’s amazingly helpful.

One nut I can’t seem to crack is this:

I want to use serverless to create stack “A” that has a lambda function.
The purpose of this lambda function is to handle CloudWatch events, but I don’t know the names of all the events at the time stack “A” is created. Those events will come from event rules that I generate dynamically (from a CF stack that I use to create EC2 instances).

What I want to do is deploy EC2 instances via a CF stack, one component of which will create a CloudWatch event rule that invokes the lambda in stack “A” when the instance state changes.

I’m trying to avoid the following:

  • Creating a huge stack that needs to know the names of all event rules, and re-deploying the stack when I add an EC2 instance
  • Creating a distinct Lambda for each of my instances that is created with the stack in which the EC2 instance is being created

I went the long way around and manually created an “AWS::Lambda::Permission” in my “A” stack that specified a wildcard for the SourceArn, but that isn’t permitted.

It seems the only way I might be able to do it is to update the “A” stack when I create the stack for each EC2 instance, but that seems pretty complicated.

Has anybody faced this situation and overcome it successfully?

Thanks!
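The following is an added example, not part of the original post, showing the pattern that avoids both the wildcard SourceArn and the redeploy of stack “A”: the AWS::Lambda::Permission does not have to be declared in the stack that owns the function. It can be declared in the per-instance CloudFormation stack, next to the AWS::Events::Rule it authorises, with SourceArn bound to that rule’s ARN via GetAtt. The function then accepts invocations only from rules that have explicitly been granted, one grant per instance, and stack “A” never needs to know the rule names. The parameter name HandlerFunctionArn, the logical resource names and the instance type are assumptions for illustration; the function ARN would be passed in (or imported from an export of stack “A”) when the per-instance stack is created.

```yaml
# Added example (not from the original post). Assumes the shared handler's
# ARN is supplied as the HandlerFunctionArn parameter; resource names are
# placeholders chosen for this illustration.
AWSTemplateFormatVersion: "2010-09-09"
Description: Per-instance stack - EC2 instance, its state-change rule, and a permission scoped to that rule only

Parameters:
  HandlerFunctionArn:
    Type: String
    Description: ARN of the Lambda function deployed by stack "A" (assumed input)
  ImageId:
    Type: AWS::EC2::Image::Id

Resources:
  Instance:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: !Ref ImageId
      InstanceType: t3.micro

  # Rule that matches state changes for this instance only (filtered on the
  # instance-id field carried in the EC2 state-change event detail).
  StateChangeRule:
    Type: AWS::Events::Rule
    Properties:
      Description: Invoke the shared handler for this instance's state changes
      State: ENABLED
      EventPattern:
        source:
          - aws.ec2
        detail-type:
          - EC2 Instance State-change Notification
        detail:
          instance-id:
            - !Ref Instance
      Targets:
        - Id: SharedHandler
          Arn: !Ref HandlerFunctionArn

  # Resource-based grant on the shared function, limited to exactly this rule.
  # No wildcard is needed: each per-instance stack adds its own narrow grant,
  # and deleting the stack removes the grant along with the rule.
  InvokePermission:
    Type: AWS::Lambda::Permission
    Properties:
      Action: lambda:InvokeFunction
      FunctionName: !Ref HandlerFunctionArn
      Principal: events.amazonaws.com
      SourceArn: !GetAtt StateChangeRule.Arn
```

Because the grant is created and deleted with the per-instance stack, the function’s resource policy at any moment lists only the rules that currently exist, which is easier to audit than a single broad SourceArn. The practical limit to watch is the size of the function’s resource-based policy, which grows by one statement per instance stack.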