update new solution

s3/s3-access-point/README.md

@@ -0,0 +1,16 @@
+# Create S3 Accees Point for retrieve object without PII
+
+For example, one object is
+
+```json
+{
+  "customer_id": "123456",
+  "name": "John Doe",
+  "email": "[email protected]",
+  "phone": "+1234567890",
+  "address": "123 Main St, VN",
+  "account_balance": 5000
+}
+```
+
+We want to another people retrive the data without PII

s3/s3-access-point/data.json

@@ -0,0 +1,26 @@
+[
+  {
+    "customer_id": "123456",
+    "name": "John Doe",
+    "email": "[email protected]",
+    "phone": "+1234567890",
+    "address": "123 Main St, VN",
+    "account_balance": 5000
+  },
+  {
+    "customer_id": "124456",
+    "name": "John Doe2",
+    "email": "[email protected]",
+    "phone": "+1234567890",
+    "address": "123 Main St, VN",
+    "account_balance": 5000
+  },
+  {
+    "customer_id": "126456",
+    "name": "John Doe3",
+    "email": "[email protected]",
+    "phone": "+1234567890",
+    "address": "123 Main St, VN",
+    "account_balance": 5000
+  }
+]

s3/s3-access-point/data.tf

@@ -0,0 +1,10 @@
+data "aws_caller_identity" "current" {}
+
+data "archive_file" "lambda" {
+  type        = "zip"
+  source_dir  = "${path.module}/lambda/"
+  output_path = "${path.module}/lambda.zip"
+}
+data "aws_vpc" "default" {
+  default = true
+}

s3/s3-access-point/lambda/main.py

@@ -0,0 +1,32 @@
+import json
+import boto3
+import os
+
+s3_bucket = os.environ["BUCKET_NAME"]
+
+def lambda_handler(event, context):
+    objectContent = event['getObjectContext'];
+    # The object from S3 is retrieved by the Lambda function
+    s3_url = event['userRequest']["url"]
+    splitted_url = s3_url.split("/")
+
+    s3_object = splitted_url[3].split("?")[0]
+    s3_client = boto3.client('s3')
+    # Get Object
+    obj = s3_client.get_object(Bucket=s3_bucket, Key=s3_object)
+    documents = json.loads(obj['Body'].read())
+    for document in documents:
+        document.pop('name', None)
+        document.pop('email', None)
+        document.pop('phone', None)
+        document.pop('address', None)
+
+    # Convert the document back to a JSON string
+    modified_document = json.dumps(documents)
+    response = s3_client.write_get_object_response(
+        RequestRoute=objectContent["outputRoute"],
+        RequestToken=objectContent['outputToken'],
+        Body=modified_document.encode('utf-8')
+    )
+    # Return the modified object (to the S3 Object Lambda API)
+    return response

s3/s3-access-point/main.tf

@@ -0,0 +1,108 @@
+# Step 1: Create an S3 bucket for storing the customer records
+resource "aws_s3_bucket" "customer_records" {
+  bucket = "${data.aws_caller_identity.current.account_id}-customer-records-bucket"  # Ensure the name is globally unique
+}
+
+# Step 2: Create an IAM role for Lambda execution
+resource "aws_iam_role" "lambda_execution_role" {
+  name = "lambda_execution_role"
+
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Action = "sts:AssumeRole"
+        Effect = "Allow"
+        Principal = {
+          Service = "lambda.amazonaws.com"
+        }
+      },
+    ]
+  })
+}
+
+# Step 3: Attach policy for Lambda to access the S3 bucket
+resource "aws_iam_policy" "lambda_s3_access_policy" {
+  name = "lambda_s3_access_policy"
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Action = [
+          "logs:CreateLogGroup",
+          "logs:CreateLogStream",
+          "logs:PutLogEvents"
+        ]
+        Effect   = "Allow"
+        Resource = "arn:aws:logs:*:*:*"
+      },
+      {
+        Action = [
+          "s3:GetObject",
+          "s3:PutObject"
+        ]
+        Effect = "Allow"
+        Resource = "${aws_s3_bucket.customer_records.arn}/*"
+      },
+    ]
+  })
+}
+
+resource "aws_iam_role_policy_attachment" "lambda_s3_policy_attachment" {
+  role       = aws_iam_role.lambda_execution_role.name
+  policy_arn = aws_iam_policy.lambda_s3_access_policy.arn
+}
+
+resource "aws_iam_role_policy_attachment" "lambda_s3_object_lambda_policy" {
+  role       = aws_iam_role.lambda_execution_role.name
+  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonS3ObjectLambdaExecutionRolePolicy"
+}
+
+# Step 4: Create the Lambda function (assuming the Lambda ZIP package is uploaded)
+resource "aws_lambda_function" "remove_pii" {
+  function_name = "removePii"
+  filename      = "lambda.zip"
+  source_code_hash = data.archive_file.lambda.output_base64sha256
+  handler = "main.lambda_handler"  
+  runtime = "python3.10"  # Adjust as per your runtime
+  role    = aws_iam_role.lambda_execution_role.arn
+  timeout = 30
+  environment {
+    variables = {
+        "BUCKET_NAME" = aws_s3_bucket.customer_records.id
+    }
+  }
+}
+
+# Step 5: Create an S3 Object Lambda Access Point
+resource "aws_s3_access_point" "ap" {
+  bucket = aws_s3_bucket.customer_records.id
+  name   = "customer-records-ap"
+
+}
+
+resource "aws_s3_object" "name" {
+  bucket = aws_s3_bucket.customer_records.id
+  key = "data.json"
+  source = "./data.json"
+}
+
+resource "aws_s3control_object_lambda_access_point" "example" {
+  name = "customer-records-obj-ap"
+
+  configuration {
+    supporting_access_point = aws_s3_access_point.ap.arn
+
+    transformation_configuration {
+      actions = ["GetObject"]
+
+      content_transformation {
+        aws_lambda {
+          function_arn = aws_lambda_function.remove_pii.arn
+        }
+      } 
+    }
+  }
+}
+

s3/s3-access-point/output.tf

@@ -0,0 +1,3 @@
+output "s3_bucket_name" {
+  value = aws_s3_bucket.customer_records.id
+}

s3/s3-access-point/provider.tf

@@ -0,0 +1,5 @@
+provider "aws" {
+  region = var.region
+  access_key = var.access_key
+  secret_key = var.secret_key
+}

s3/s3-access-point/result/processed_customer_record.json

@@ -0,0 +1,14 @@
+[
+  {
+    "customer_id": "123456",
+    "account_balance": 5000
+  },
+  {
+    "customer_id": "124456",
+    "account_balance": 5000
+  },
+  {
+    "customer_id": "126456",
+    "account_balance": 5000
+  }
+]

s3/s3-access-point/variables.tf

@@ -0,0 +1,9 @@
+variable "region" {
+  default = "us-east-1"
+}
+variable "access_key" {
+
+}
+variable "secret_key" {
+
+}