setup archival lambda as node lambda

Author: devksingh4

package.json

@@ -5,13 +5,14 @@
   "type": "module",
   "workspaces": [
     "src/api",
-    "src/ui"
+    "src/ui",
+    "src/archival"
   ],
   "packageManager": "[email protected]",
   "scripts": {
     "postinstall": "npm run setup",
     "setup": "git config blame.ignoreRevsFile .git-blame-ignore-revs",
-    "build": "concurrently --names 'api,ui' 'yarn workspace infra-core-api run build' 'yarn workspace infra-core-ui run build'",
+    "build": "concurrently --names 'api,ui,archival' 'yarn workspace infra-core-api run build' 'yarn workspace infra-core-ui run build' 'yarn workspace infra-core-archival run build'",
     "postbuild": "node src/api/createLambdaPackage.js && yarn lockfile-manage",
     "dev": "cross-env DISABLE_AUDIT_LOG=true concurrently --names 'api,ui' 'yarn workspace infra-core-api run dev' 'yarn workspace infra-core-ui run dev'",
     "lockfile-manage": "synp --with-workspace --source-file yarn.lock",
@@ -38,6 +39,7 @@
     "@eslint/eslintrc": "^3.3.1",
     "@eslint/js": "^9.33.0",
     "@playwright/test": "^1.54.2",
+    "@smithy/types": "^4.3.2",
     "@tsconfig/node22": "^22.0.1",
     "@types/ioredis-mock": "^8.2.5",
     "@types/node": "^24.3.0",
@@ -92,4 +94,4 @@
     "pdfjs-dist": "^4.8.69",
     "form-data": "^4.0.4"
   }
-}
+}

src/api/package.json

@@ -16,14 +16,14 @@
   },
   "dependencies": {
     "@aws-sdk/client-cloudfront-keyvaluestore": "^3.859.0",
-    "@aws-sdk/client-dynamodb": "^3.797.0",
-    "@aws-sdk/client-lambda": "^3.835.0",
+    "@aws-sdk/client-dynamodb": "^3.859.0",
+    "@aws-sdk/client-lambda": "^3.859.0",
     "@aws-sdk/client-secrets-manager": "^3.859.0",
-    "@aws-sdk/client-ses": "^3.797.0",
-    "@aws-sdk/client-sqs": "^3.797.0",
-    "@aws-sdk/client-sts": "^3.797.0",
-    "@aws-sdk/signature-v4-crt": "^3.796.0",
-    "@aws-sdk/util-dynamodb": "^3.797.0",
+    "@aws-sdk/client-ses": "^3.859.0",
+    "@aws-sdk/client-sqs": "^3.859.0",
+    "@aws-sdk/client-sts": "^3.859.0",
+    "@aws-sdk/signature-v4-crt": "^3.859.0",
+    "@aws-sdk/util-dynamodb": "^3.859.0",
     "@azure/msal-node": "^3.5.1",
     "@fastify/auth": "^5.0.1",
     "@fastify/aws-lambda": "^6.0.0",

src/archival/build.js

@@ -0,0 +1,40 @@
+/* eslint-disable no-console */
+import esbuild from "esbuild";
+
+const commonParams = {
+  bundle: true,
+  format: "esm",
+  minify: true,
+  outExtension: { ".js": ".mjs" },
+  loader: {
+    ".png": "file",
+    ".pkpass": "file",
+    ".json": "file",
+  }, // File loaders
+  target: "es2022", // Target ES2022
+  sourcemap: true,
+  platform: "node",
+  external: ["@aws-sdk/*"],
+  banner: {
+    js: `
+      import path from 'path';
+      import { fileURLToPath } from 'url';
+      import { createRequire as topLevelCreateRequire } from 'module';
+      const require = topLevelCreateRequire(import.meta.url);
+      const __filename = fileURLToPath(import.meta.url);
+      const __dirname = path.dirname(__filename);
+    `.trim(),
+  }, // Banner for compatibility with CommonJS
+};
+
+esbuild
+  .build({
+    ...commonParams,
+    entryPoints: ["archival/dynamoStream.js"],
+    outdir: "../../dist/archival/",
+  })
+  .then(() => console.log("Archival lambda build completed successfully!"))
+  .catch((error) => {
+    console.error("Archival lambda build failed:", error);
+    process.exit(1);
+  });

src/archival/dynamoStream.ts

@@ -0,0 +1,141 @@
+/* eslint-disable no-console */
+import {
+  FirehoseClient,
+  PutRecordBatchCommand,
+} from "@aws-sdk/client-firehose";
+import { unmarshall } from "@aws-sdk/util-dynamodb";
+import type { DynamoDBStreamEvent, Context } from "aws-lambda";
+import { AttributeValue } from "@aws-sdk/client-dynamodb";
+
+const firehoseClient = new FirehoseClient({});
+
+const FIREHOSE_STREAM_NAME = process.env.FIREHOSE_STREAM_NAME;
+
+if (!FIREHOSE_STREAM_NAME) {
+  console.error("The 'FIREHOSE_STREAM_NAME' environment variable is not set.");
+  throw new Error("'FIREHOSE_STREAM_NAME' is not set.");
+}
+
+const toUtcIsoStringWithoutMillis = (date: Date): string => {
+  return `${date.toISOString().slice(0, 19)}Z`;
+};
+
+/**
+ * Defines a map where keys are DynamoDB table names and values are functions
+ * that extract a meaningful timestamp from a record. The function should
+ * return a value parseable by the `Date` constructor (e.g., ISO 8601 string or epoch milliseconds).
+ */
+const ARCHIVE_TIMESTAMP_MAPPER: Record<
+  string,
+  (record: Record<string, any>) => string | number
+> = {
+  "infra-core-api-room-requests-status": (record) =>
+    record["createdAt#status"].split("#")[0],
+  "infra-core-api-events": (record) => record.createdAt,
+  "infra-core-api-audit-log": (record) => record.createdAt * 1000, // Convert Unix seconds to milliseconds
+};
+
+export const handler = async (
+  event: DynamoDBStreamEvent,
+  _context: Context,
+): Promise<any> => {
+  const firehoseRecordsToSend: { Data: Buffer }[] = [];
+
+  for (const record of event.Records) {
+    // 1. **Filter for TTL Deletions**: We only care about `REMOVE` events initiated by DynamoDB's TTL service.
+    if (
+      record.eventName === "REMOVE" &&
+      record.userIdentity?.principalId === "dynamodb.amazonaws.com"
+    ) {
+      // 2. **Extract Table Name**: The table name is parsed from the event source ARN.
+      //    ARN format: arn:aws:dynamodb:region:account-id:table/TABLE_NAME/stream/...
+      const tableName = record.eventSourceARN?.split("/")[1];
+      if (!tableName) {
+        console.warn(
+          `Could not parse table name from ARN: ${record.eventSourceARN}`,
+        );
+        continue; // Skip this record if the ARN is malformed
+      }
+
+      // 3. **Get and Deserialize Data**: The content of the expired record is in 'OldImage'.
+      const oldImage = record.dynamodb?.OldImage;
+      if (!oldImage) {
+        continue; // Skip if there's no data to archive
+      }
+
+      // The `unmarshall` utility converts the DynamoDB format to a standard JavaScript object.
+      const deserializedData = unmarshall(
+        oldImage as { [key: string]: AttributeValue },
+      );
+
+      // 4. **Construct the Payload**: Add metadata to the original record data.
+      const payload: Record<string, any> = {
+        ...deserializedData,
+        __infra_archive_resource: tableName,
+        __infra_archive_timestamp: toUtcIsoStringWithoutMillis(new Date()), // Default timestamp is 'now'
+      };
+
+      // 5. **Apply Custom Timestamp**: If a specific timestamp extractor is defined for this table, use it.
+      if (tableName in ARCHIVE_TIMESTAMP_MAPPER) {
+        try {
+          const timestampSource =
+            ARCHIVE_TIMESTAMP_MAPPER[tableName](deserializedData);
+          payload.__infra_archive_timestamp = toUtcIsoStringWithoutMillis(
+            new Date(timestampSource),
+          );
+        } catch (e) {
+          const error = e instanceof Error ? e.message : String(e);
+          console.error(
+            `Failed to extract timestamp for record from ${tableName}: ${error}. Using 'now' as timestamp.`,
+          );
+        }
+      }
+
+      firehoseRecordsToSend.push({
+        Data: Buffer.from(JSON.stringify(payload)),
+      });
+    }
+  }
+
+  // 6. **Send Records to Firehose**: If we found any TTL-expired records, send them.
+  if (firehoseRecordsToSend.length > 0) {
+    console.info(
+      `Found ${firehoseRecordsToSend.length} TTL-expired records to archive.`,
+    );
+
+    // The PutRecordBatch API has a limit of 500 records per call. We loop
+    // in chunks of 500 to handle large events gracefully.
+    for (let i = 0; i < firehoseRecordsToSend.length; i += 500) {
+      const batch = firehoseRecordsToSend.slice(i, i + 500);
+      try {
+        const command = new PutRecordBatchCommand({
+          DeliveryStreamName: FIREHOSE_STREAM_NAME,
+          Records: batch,
+        });
+        const response = await firehoseClient.send(command);
+
+        // Log any records that Firehose failed to ingest for monitoring purposes.
+        if (response.FailedPutCount && response.FailedPutCount > 0) {
+          console.error(
+            `Failed to put ${response.FailedPutCount} records to Firehose.`,
+          );
+          // For critical apps, you could inspect `response.RequestResponses` for details.
+        }
+      } catch (e) {
+        const error = e instanceof Error ? e.message : String(e);
+        console.error(`Error sending batch to Firehose: ${error}`);
+        // Re-throwing the exception will cause Lambda to retry the entire event batch.
+        throw e;
+      }
+    }
+  } else {
+    console.info("No TTL-expired records found in this event.");
+  }
+
+  return {
+    statusCode: 200,
+    body: JSON.stringify(
+      `Successfully processed ${firehoseRecordsToSend.length} records.`,
+    ),
+  };
+};

src/archival/package.json

@@ -0,0 +1,26 @@
+{
+  "name": "infra-core-archival",
+  "version": "1.0.0",
+  "description": "Archives DynamoDB TTL-deleted items to Firehose",
+  "type": "module",
+  "main": "index.js",
+  "author": "ACM@UIUC",
+  "license": "BSD-3-Clause",
+  "scripts": {
+    "build": "tsc && node build.js",
+    "prettier": "prettier --check *.ts **/*.ts",
+    "lint": "eslint . --ext .ts --cache",
+    "prettier:write": "prettier --write *.ts **/*.ts"
+  },
+  "devDependencies": {
+    "@types/aws-lambda": "^8.10.138",
+    "@types/node": "^24.3.0",
+    "typescript": "^5.9.2",
+    "esbuild": "^0.25.3"
+  },
+  "dependencies": {
+    "@aws-sdk/client-dynamodb": "^3.585.0",
+    "@aws-sdk/client-firehose": "^3.585.0",
+    "@aws-sdk/util-dynamodb": "^3.585.0"
+  }
+}

src/archival/tsconfig.json

@@ -0,0 +1,14 @@
+{
+  "extends": "@tsconfig/node22/tsconfig.json",
+  "compilerOptions": {
+    "module": "Node16",
+    "rootDir": "../",
+    "outDir": "../../dist",
+    "baseUrl": "../"
+  },
+  "ts-node": {
+    "esm": true
+  },
+  "include": ["../api/**/*.ts", "../common/**/*.ts"],
+  "exclude": ["../../node_modules", "../../dist"]
+}