Setup auto reconciliation of S3 objects in Dynamo

Author: devksingh4

src/api/functions/s3.ts

@@ -14,6 +14,7 @@ export type CreatePresignedPutInputs = {
   mimeType: string;
   md5hash?: string; // Must be a base64-encoded MD5 hash
   urlExpiresIn?: number;
+  metadata?: Record<string, string>;
 };
 
 export async function createPresignedPut({
@@ -24,13 +25,15 @@ export async function createPresignedPut({
   mimeType,
   md5hash,
   urlExpiresIn,
+  metadata,
 }: CreatePresignedPutInputs) {
   const command = new PutObjectCommand({
     Bucket: bucketName,
     Key: key,
     ContentLength: length,
     ContentType: mimeType,
     ContentMD5: md5hash,
+    Metadata: metadata,
   });
 
   const expiresIn = urlExpiresIn || 900;

src/api/routes/roomRequests.ts

@@ -128,10 +128,11 @@ const roomRequestRoutes: FastifyPluginAsync = async (fastify, _options) => {
           message: "Could not get username from request.",
         });
       }
+      const createdAt = new Date().toISOString();
       const requestId = request.params.requestId;
       const semesterId = request.params.semesterId;
       const attachmentS3key = request.body.attachmentInfo
-        ? `roomRequests/${requestId}/${request.body.status}/${request.id}/${request.body.attachmentInfo.filename}`
+        ? `reconciled/roomRequests/${requestId}/${request.id}/${request.body.attachmentInfo.filename}`
         : undefined;
       const getReservationData = new QueryCommand({
         TableName: genericConfig.RoomRequestsStatusTableName,
@@ -157,12 +158,24 @@ const roomRequestRoutes: FastifyPluginAsync = async (fastify, _options) => {
             region: genericConfig.AwsRegion,
           });
         }
+        if (!attachmentS3key) {
+          throw new InternalServerError({ message: "Failed to handle file." });
+        }
         uploadUrl = await createPresignedPut({
           s3client: fastify.s3Client,
-          key: attachmentS3key!,
+          key: attachmentS3key,
           bucketName: fastify.environmentConfig.AssetsBucketId,
           length: fileSizeBytes,
           mimeType: contentType,
+          metadata: {
+            dynamoTable: genericConfig.RoomRequestsStatusTableName,
+            dynamoPrimaryKey: JSON.stringify({
+              requestId,
+              "createdAt#status": `${createdAt}#${request.body.status}`,
+            }),
+            dynamoAttribute: "attachmentS3key",
+            dynamoPendingAttributeName: "pendingAttachmentS3key",
+          },
         });
       }
       const createdNotified =
@@ -178,7 +191,6 @@ const roomRequestRoutes: FastifyPluginAsync = async (fastify, _options) => {
           message: "Could not find original reservation requestor",
         });
       }
-      const createdAt = new Date().toISOString();
       const itemPut = {
         TableName: genericConfig.RoomRequestsStatusTableName,
         Item: marshall(

src/s3UploadConfirmer/main.py

@@ -0,0 +1,167 @@
+import json
+import boto3
+import urllib.parse
+from typing import Dict, Any, Optional
+import logging
+
+# Configure logging
+logger = logging.getLogger()
+logger.setLevel(logging.INFO)
+
+# Initialize AWS clients
+dynamodb = boto3.client("dynamodb")
+s3 = boto3.client("s3")
+
+
+def lambda_handler(event: Dict[str, Any], context: Any) -> Dict[str, Any]:
+    """
+    Lambda function to handle S3 upload events and update DynamoDB.
+
+    Expects S3 object metadata:
+    - dynamoTable: DynamoDB table name
+    - dynamoPrimaryKey: JSON string of primary key
+    - dynamoAttribute: Target attribute name to set with value from pending attribute
+    - dynamoPendingAttributeName: Source pending attribute name to remove
+    """
+    try:
+        # Process each S3 event record
+        for record in event["Records"]:
+            process_s3_record(record)
+
+        return {
+            "statusCode": 200,
+            "body": json.dumps("Successfully processed S3 events"),
+        }
+
+    except Exception as e:
+        logger.error(f"Error processing S3 event: {str(e)}", exc_info=True)
+        raise
+
+
+def process_s3_record(record: Dict[str, Any]) -> None:
+    """Process a single S3 event record."""
+
+    # Extract S3 event details
+    bucket = record["s3"]["bucket"]["name"]
+    key = urllib.parse.unquote_plus(record["s3"]["object"]["key"])
+
+    logger.info(f"Processing upload for bucket={bucket}, key={key}")
+
+    # Get object metadata
+    metadata = get_object_metadata(bucket, key)
+
+    if not metadata:
+        logger.warning(f"No metadata found for object {key}. Skipping DynamoDB update.")
+        return
+
+    # Extract required metadata fields
+    dynamo_table = metadata.get("dynamotable")
+    dynamo_primary_key_json = metadata.get("dynamoprimarykey")
+    dynamo_attribute = metadata.get("dynamoattribute")
+    dynamo_pending_attribute = metadata.get("dynamopendingattributename")
+
+    # Validate required metadata - exit early if any are missing
+    if not dynamo_table:
+        logger.warning(f"Missing dynamoTable metadata for {key}")
+        return
+
+    if not dynamo_primary_key_json:
+        logger.warning(f"Missing dynamoPrimaryKey metadata for {key}")
+        return
+
+    if not dynamo_attribute:
+        logger.warning(f"Missing dynamoAttribute metadata for {key}")
+        return
+
+    if not dynamo_pending_attribute:
+        logger.warning(f"Missing dynamoPendingAttributeName metadata for {key}")
+        return
+
+    # Parse primary key
+    try:
+        primary_key = json.loads(dynamo_primary_key_json)
+    except json.JSONDecodeError as e:
+        logger.error(f"Failed to parse dynamoPrimaryKey JSON: {e}")
+        return
+
+    # Update DynamoDB - all variables are guaranteed to be strings now
+    update_dynamodb(
+        table_name=dynamo_table,
+        primary_key=primary_key,
+        target_attribute=dynamo_attribute,
+        pending_attribute=dynamo_pending_attribute,
+    )
+
+    logger.info(f"Successfully updated DynamoDB for {key}")
+
+
+def get_object_metadata(bucket: str, key: str) -> Optional[Dict[str, str]]:
+    """Retrieve metadata from S3 object."""
+    try:
+        response = s3.head_object(Bucket=bucket, Key=key)
+        return response.get("Metadata", {})
+    except Exception as e:
+        logger.error(f"Error getting metadata for {bucket}/{key}: {str(e)}")
+        return None
+
+
+def update_dynamodb(
+    table_name: str,
+    primary_key: Dict[str, str],
+    target_attribute: str,
+    pending_attribute: str,
+) -> None:
+    """
+    Update DynamoDB item, moving value from pending attribute to target attribute.
+
+    Args:
+        table_name: DynamoDB table name
+        primary_key: Primary key as dict (e.g., {"requestId": "123", "createdAt#status": "..."})
+        target_attribute: The confirmed attribute name (e.g., "attachmentS3key")
+        pending_attribute: The pending attribute name (e.g., "pendingAttachmentS3key")
+    """
+
+    # Convert primary key to DynamoDB format
+    dynamo_key = {k: {"S": v} for k, v in primary_key.items()}
+
+    try:
+        # Build update expression to move pending attribute value to target attribute
+        # SET target = pending, REMOVE pending
+        update_expression = "SET #target = #pending REMOVE #pending"
+
+        expression_attribute_names = {
+            "#target": target_attribute,
+            "#pending": pending_attribute,
+        }
+
+        # Condition: pending attribute should exist and equal the uploaded s3 key
+        condition_expression = (
+            "attribute_exists(#pending) AND #pending = :expected_s3key"
+        )
+
+        dynamodb.update_item(
+            TableName=table_name,
+            Key=dynamo_key,
+            UpdateExpression=update_expression,
+            ExpressionAttributeNames=expression_attribute_names,
+            ConditionExpression=condition_expression,
+            ReturnValues="ALL_NEW",
+        )
+
+        logger.info(
+            f"Updated DynamoDB table={table_name}, "
+            f"key={primary_key}, "
+            f"moved value from {pending_attribute} to {target_attribute}"
+        )
+
+    except dynamodb.exceptions.ConditionalCheckFailedException:
+        logger.info(
+            f"Skipping update for {table_name} with key {primary_key}. "
+            f"This is expected if the file was already confirmed or uploaded without metadata."
+        )
+    except Exception as e:
+        logger.error(
+            f"Error updating DynamoDB table={table_name}, key={primary_key}: {str(e)}",
+            exc_info=True,
+        )
+        raise

terraform/envs/prod/main.tf

@@ -129,9 +129,11 @@ module "frontend" {
 }
 
 module "assets" {
-  source                   = "../../modules/assets"
-  ProjectId                = var.ProjectId
-  BucketAllowedCorsOrigins = ["https://${var.CorePublicDomain}"]
+  source                      = "../../modules/assets"
+  ProjectId                   = var.ProjectId
+  BucketAllowedCorsOrigins    = ["https://${var.CorePublicDomain}"]
+  ConfirmerLambdaArnPrimary   = module.lambdas.s3_confirmer_function_arn
+  ConfirmerLambdaArnSecondary = module.lambdas_usw2.s3_confirmer_function_arn
 }
 
 resource "aws_lambda_event_source_mapping" "queue_consumer" {

terraform/envs/qa/main.tf

@@ -132,9 +132,11 @@ module "frontend" {
 }
 
 module "assets" {
-  source                   = "../../modules/assets"
-  ProjectId                = var.ProjectId
-  BucketAllowedCorsOrigins = ["https://${var.CorePublicDomain}", "http://localhost:5173"]
+  source                      = "../../modules/assets"
+  ProjectId                   = var.ProjectId
+  BucketAllowedCorsOrigins    = ["https://${var.CorePublicDomain}", "http://localhost:5173"]
+  ConfirmerLambdaArnPrimary   = module.lambdas.s3_confirmer_function_arn
+  ConfirmerLambdaArnSecondary = module.lambdas_usw2.s3_confirmer_function_arn
 }
 
 // Multi-Region Failover: US-West-2

terraform/modules/assets/main.tf

@@ -103,6 +103,48 @@ resource "aws_iam_policy" "bucket_access" {
   policy      = data.aws_iam_policy_document.bucket_access.json
 }
 
+resource "aws_lambda_permission" "allow_bucket_primary" {
+  statement_id  = "AllowExecutionFromS3Bucket"
+  action        = "lambda:InvokeFunction"
+  function_name = var.ConfirmerLambdaArnPrimary
+  principal     = "s3.amazonaws.com"
+  source_arn    = module.buckets.bucket_info[var.PrimaryRegion].arn
+}
+
+resource "aws_lambda_permission" "allow_bucket_secondary" {
+  for_each      = module.buckets.buckets_info
+  statement_id  = "AllowExecutionFromS3Bucket"
+  action        = "lambda:InvokeFunction"
+  function_name = var.ConfirmerLambdaArnSecondary
+  principal     = "s3.amazonaws.com"
+  source_arn    = module.buckets.bucket_info[var.SecondaryRegion].arn
+}
+
+
+resource "aws_s3_bucket_notification" "primary_bucket_notification" {
+  bucket = module.buckets.bucket_info[var.PrimaryRegion].id
+  lambda_function {
+    lambda_function_arn = var.ConfirmerLambdaArnPrimary
+    events              = ["s3:ObjectCreated:*"]
+    filter_prefix       = "reconciled/"
+  }
+
+  depends_on = [aws_lambda_permission.allow_bucket_primary]
+}
+
+
+resource "aws_s3_bucket_notification" "secondary_bucket_notification" {
+  bucket = module.buckets.bucket_info[var.SecondaryRegion].id
+  lambda_function {
+    lambda_function_arn = var.ConfirmerLambdaArnSecondary
+    events              = ["s3:ObjectCreated:*"]
+    filter_prefix       = "reconciled/"
+  }
+
+  depends_on = [aws_lambda_permission.allow_bucket_secondary]
+}
+
+
 output "access_policy_arn" {
   description = "ARN of the IAM policy for bucket access"
   value       = aws_iam_policy.bucket_access.arn

terraform/modules/assets/variables.tf

@@ -17,3 +17,12 @@ variable "BucketAllowedCorsOrigins" {
   type        = list(string)
   description = "List of URLs that bucket can be read/written from."
 }
+
+variable "ConfirmerLambdaArnPrimary" {
+  type = string
+}
+
+variable "ConfirmerLambdaArnSecondary" {
+  type = string
+}
+