This Gist demonstrates an approach to removing a specific user's data from an Amazon DynamoDB table that was created as an AWS AppSync data source. It may be helpful for those who need to remove records that are associated with a Cognito User that will be deleted from their Cognito User Pool.
Assuming you have this schema
type Todo @model @auth(rules: [{ allow: owner }]){
id: ID!
name: String!
description: String
}
1. amplify add function
$ amplify add function
? Select which capability you want to add: Lambda function (s
erverless function)
? Provide an AWS Lambda function name: deleteUserData
? Choose the runtime that you want to use: NodeJS
? Choose the function template that you want to use: Hello Wo
rld
Available advanced settings:
- Resource access permissions
- Scheduled recurring invocation
- Lambda layers configuration
- Environment variables configuration
- Secret values configuration
? Do you want to configure advanced settings? Yes
? Do you want to access other resources in this project from
your Lambda function? Yes
? Select the categories you want this function to have access
to. storage
? Select the operations you want to permit on Todo:@model(app
sync) create, read, update, delete
You can access the following resource attributes as environment variables from your Lambda function
API_TEST_GRAPHQLAPIIDOUTPUT
API_TEST_TODOTABLE_ARN
API_TEST_TODOTABLE_NAME
ENV
REGION
? Do you want to invoke this function on a recurring schedule
? No
? Do you want to enable Lambda layers for this function? No
? Do you want to configure environment variables for this fun
ction? No
? Do you want to configure secret values this function can ac
cess? No
? Do you want to edit the local lambda function now? Yes
2. Update the code of the function
const AWS = require('aws-sdk');
AWS.config.update({ region: process.env.REGION });
const dynamodb = new AWS.DynamoDB.DocumentClient();
const tableName = process.env.<USE TABLE NAME FROM LIST>;
exports.handler = async (event) => {
const ownerField = 'owner'; // owner is default value but if you specified ownerField on auth rule, that must be specified here
const identityClaim = 'username'; // username is default value but if you specified identityField on auth rule, that must be specified here
var condition = {}
condition[ownerField] = {
ComparisonOperator: 'EQ'
}
condition[ownerField]['AttributeValueList'] = [event.identity.claims[identityClaim]];
await new Promise(async (res) => {
let LastEvaluatedKey;
do {
let scanParams = {
TableName: tableName,
ScanFilter: condition,
AttributesToGet: ['id', ownerField],
ExclusiveStartKey: LastEvaluatedKey
}
const items = await new Promise(resolve => {
dynamodb.scan(scanParams, (err, data) => {
if (err) {
console.log({ error: 'Could not load items: ' + err });
resolve([]);
} else {
LastEvaluatedKey = data.LastEvaluatedKey;
resolve(data.Items);
}
});
})
if (items.length > 0) {
console.log(`records to be deleted: ${items.length}`);
let deleteParams = {
RequestItems: {
[tableName]: items.map(item => {
return {
DeleteRequest: {
Key: { id: item.id }
}
}
})
}
}
await new Promise(resolve => {
dynamodb.batchWrite(deleteParams, (err, data) => {
resolve();
})
})
}
} while(LastEvaluatedKey)
res();
});
return true; // this means the user data was cleaned up
};
3. Add mutation to graphql schema
type Mutation {
deleteUserData: Boolean! @function(name: "deleteUserData-${env}")
}
4. Run amplify push
5. Invoke deleteUserData mutation from client
Since this operation requires authorization from the owner of the to-be removed records, it is important that the deleteUserData
mutation be invoked BEFORE the user is deleted. The returned value must be true to confirm that records have been properly modified. (Retry until the return value is true in case you have a large number of records.)
Delete owner from array ownership from v2 Graphql Transformer example
For removing ownership from an item, this function will remove the owner from the record. editors
field has the owners.
type Todo @model @auth(rules: [
{ allow: owner },
{ allow: owner, ownerField: "editors", operations: [update, read] }
]) {
id: ID!
name: String!
description: String
editors: [String]
}
type Mutation {
deleteUser: Boolean! @function(name: "deleteUserData-${env}")
}
const groupOwnershipField = 'editors';
var condition = {
[groupOwnershipField]: {
ComparisonOperator: 'CONTAINS',
AttributeValueList: [identityValue]
}
};
await new Promise(async (res) => {
let LastEvaluatedKey;
do {
let queryParams = {
TableName: tableName,
ScanFilter: condition,
ExclusiveStartKey: LastEvaluatedKey
}
const items = await new Promise(resolve => {
dynamodbDocuClient.scan(queryParams, (err, data) => {
if (err) {
console.log({ error: 'Could not load items: ' + err });
resolve([]);
} else {
LastEvaluatedKey = data.LastEvaluatedKey;
resolve(data.Items);
}
});
})
const dateNow = new Date();
if (items.length > 0) {
let updateParams = {
RequestItems: {
[tableName]: items.map(item => {
return {
PutRequest: {
Item: {
...item,
[groupOwnershipField]: item[groupOwnershipField].filter(owner => owner !== identityValue)
}
}
}
})
}
}
await new Promise(resolve => {
dynamodbDocuClient.batchWrite(updateParams, (err, data) => {
resolve();
})
})
}
} while(LastEvaluatedKey)
res();
});
When DataStore is enabled, you should not permanently delete the user's records. Instead, you can mark the record as deleted in order to continue supporting conflict resolution. Assuming you have the same annotated schema, the steps are the same as above.
const AWS = require('aws-sdk');
AWS.config.update({ region: process.env.REGION });
const dynamodb = new AWS.DynamoDB.DocumentClient();
const tableName = process.env.<ADD TABLE ENV PARAM HERE>;
const THIRTY_DAYS_IN_SECONDS = 30 * 24 * 60 * 60;
exports.handler = async (event) => {
const ownerField = 'owner'; // owner is default value but if you specified ownerField on auth rule, that must be specified here
const identityClaim = 'username'; // username is default value but if you specified identityField on auth rule, that must be specified here
var condition = {
[ownerField]: {
ComparisonOperator: 'EQ',
AttributeValueList: [event.identity.claims[identityClaim]]
},
'_deleted': {
ComparisonOperator: 'NE',
AttributeValueList: [true]
}
};
await new Promise(async (res) => {
let LastEvaluatedKey;
do {
let queryParams = {
TableName: tableName,
ScanFilter: condition,
ExclusiveStartKey: LastEvaluatedKey
}
const items = await new Promise(resolve => {
dynamodb.scan(queryParams, (err, data) => {
if (err) {
console.log({ error: 'Could not load items: ' + err });
resolve([]);
} else {
LastEvaluatedKey = data.LastEvaluatedKey;
resolve(data.Items);
}
});
})
const dateNow = new Date();
if (items.length > 0) {
let deleteParams = {
RequestItems: {
[tableName]: items.map(item => {
return {
PutRequest: {
Item: {
...item,
_deleted: true,
_ttl: dateNow.getTime()/1000 + THIRTY_DAYS_IN_SECONDS,
_version: item._version + 1,
_lastChangedAt: dateNow.getTime(),
updatedAt: dateNow.toISOString(),
}
}
}
})
}
}
await new Promise(resolve => {
dynamodb.batchWrite(deleteParams, (err, data) => {
resolve();
})
})
}
} while(LastEvaluatedKey)
res();
});
return true;
};