From 66a232b47fa972b14d24198ad5e3fd1a0d1faf41 Mon Sep 17 00:00:00 2001 From: Bob Strahan Date: Fri, 10 Jun 2022 00:46:15 +0000 Subject: [PATCH 1/6] allow function to run from lambda console with no CF event as input, to manually re-copy sample files --- pca-server/src/copy-samples/copy-samples.py | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/pca-server/src/copy-samples/copy-samples.py b/pca-server/src/copy-samples/copy-samples.py index dfa9821f..6353a8c7 100644 --- a/pca-server/src/copy-samples/copy-samples.py +++ b/pca-server/src/copy-samples/copy-samples.py @@ -12,7 +12,8 @@ def lambda_handler(event, context): supportfiles_bucket = os.environ['SUPPORTFILES_BUCKET_NAME'] input_bucket = os.environ['INPUT_BUCKET_NAME'] prefix = os.environ['INPUT_BUCKET_RAW_AUDIO'] - if event['RequestType'] != 'Delete': + requestType = event.get('RequestType') + if requestType != 'Delete': try: s3Client = boto3.client('s3') # sample entities @@ -33,4 +34,5 @@ def lambda_handler(event, context): print(e) responseData["Error"] = f"Exception thrown: {e}" status = cfnresponse.FAILED - cfnresponse.send(event, context, status, responseData) + if requestType: + cfnresponse.send(event, context, status, responseData) From 4cdcd5327632e9daac1da932d21f6f289f2cbdbd Mon Sep 17 00:00:00 2001 From: Bob Strahan Date: Fri, 10 Jun 2022 00:47:12 +0000 Subject: [PATCH 2/6] use SigV4 for S3 signedUrl --- pca-ui/src/lambda/get.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pca-ui/src/lambda/get.js b/pca-ui/src/lambda/get.js index 10adac8d..35821dd0 100644 --- a/pca-ui/src/lambda/get.js +++ b/pca-ui/src/lambda/get.js @@ -1,5 +1,5 @@ const AWS = require("aws-sdk"); -const s3 = new AWS.S3(); +const s3 = new AWS.S3({signatureVersion: 'v4'}); const dataBucket = process.env.DataBucket; const audioBucket = process.env.AudioBucket; From 5b4d27bf657c9b1c32baa21f04281aaf50f1c2b5 Mon Sep 17 00:00:00 2001 
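Review bot: On a manual invocation (an event with no `RequestType`) a copy failure is now invisible to the caller, because the `except` branch only prints the exception and the new `if requestType:` guard skips the one place where `status` is reported. The invocation then finishes as a success in the Lambda console even when nothing was copied; after the guarded send, add `if not requestType and status == cfnresponse.FAILED:` followed by `raise RuntimeError(responseData["Error"])`, or return `responseData` so the outcome is visible. `event.get` also assumes the test event is a JSON object, so a console event that is a bare string or list raises `AttributeError` before any of this handling runs. The handler starts and continues outside these two hunks, so the initial value of `status` is assumed here rather than seen.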
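Review bot: The reason for pinning `signatureVersion: 'v4'` is not recorded next to the client construction, so the option is easy to drop later as apparent noise. S3 only accepts SigV4-signed requests for objects encrypted with SSE-KMS, which is presumably why this change precedes the KMS role output in the series; a comment such as `// SigV4 is required for presigned URLs to SSE-KMS encrypted objects` would keep that visible. SigV4 presigned URLs are also limited to seven days and stop working once the signing role's temporary credentials expire, so the expiry passed at the presign call (outside this hunk) is worth checking against both limits.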
From: Bob Strahan Date: Fri, 10 Jun 2022 00:48:50 +0000 Subject: [PATCH 3/6] generate list of roles to add to any KMS key used to encrypt input or output S3 bucket --- VERSION | 2 +- pca-main-nokendra.template | 6 ++++++ pca-main.template | 6 ++++++ pca-server/cfn/lib/copy-samples.template | 7 +++++++ pca-server/cfn/lib/pca.template | 10 ++++++++++ pca-server/cfn/lib/trigger.template | 7 +++++++ pca-server/cfn/pca-server.template | 11 ++++++++++- pca-ui/cfn/lib/api.template | 6 ++++++ pca-ui/cfn/lib/deploy.template | 7 +++++++ pca-ui/cfn/lib/indexer.template | 6 ++++++ pca-ui/cfn/lib/web.template | 5 +++++ pca-ui/cfn/pca-ui.template | 8 ++++++++ 12 files changed, 79 insertions(+), 2 deletions(-) diff --git a/VERSION b/VERSION index 71790396..e6afea6f 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -0.2.3 +0.2.4-a diff --git a/pca-main-nokendra.template b/pca-main-nokendra.template index 0af0e78f..0a450a3d 100644 --- a/pca-main-nokendra.template +++ b/pca-main-nokendra.template @@ -612,3 +612,9 @@ Outputs: Description: PCA admin user Value: !Ref AdminUsername + RolesForKMSKey: + Description: When using KMS key to encrypt S3 input/output buckets, KMS key must grant access to these roles. + Value: !Join + - ', ' + - - !Sub '${PCAUI.Outputs.RolesForKMSKey}' + - !Sub '${PCAServer.Outputs.RolesForKMSKey}' \ No newline at end of file diff --git a/pca-main.template b/pca-main.template index 853d21f7..cfdf8e6a 100644 --- a/pca-main.template +++ b/pca-main.template @@ -758,3 +758,9 @@ Outputs: Description: PCA admin user Value: !Ref AdminUsername + RolesForKMSKey: + Value: !Join + - ', ' + - - !Sub '${PCAUI.Outputs.RolesForKMSKey}' + - !Sub '${PCAServer.Outputs.RolesForKMSKey}' + diff --git a/pca-server/cfn/lib/copy-samples.template b/pca-server/cfn/lib/copy-samples.template index 9066d8ee..f772832b 100644 --- a/pca-server/cfn/lib/copy-samples.template +++ b/pca-server/cfn/lib/copy-samples.template 
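Review bot: The `Description` on the new `RolesForKMSKey` output in `pca-main-nokendra.template` says the key must grant access to these roles without naming any KMS actions, which invites an operator to paste the whole list into the key policy with `kms:*`. Put the minimum in the text once it has been confirmed per role, for example `Description: Role ARNs that need kms:Decrypt and kms:GenerateDataKey on any KMS key used to encrypt the S3 input/output buckets.` The same wording is added to `pca-main.template` in patch 4/6 and should change with it. The aggregated value also pulls in deployment and edge-function roles from the UI stack; whether those ever read the encrypted buckets cannot be told from these hunks, so it is worth trimming the list to the roles that do.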
@@ -70,3 +70,10 @@ Resources: Properties: ServiceToken: !GetAtt CopySamplesFunction.Arn SamplesVersion: 0.2 + +Outputs: + + RolesForKMSKey: + Value: !Join + - ', ' + - - !Sub '"${CopySamplesRole.Arn}"' \ No newline at end of file diff --git a/pca-server/cfn/lib/pca.template b/pca-server/cfn/lib/pca.template index df15687f..49b2eedc 100644 --- a/pca-server/cfn/lib/pca.template +++ b/pca-server/cfn/lib/pca.template @@ -236,3 +236,13 @@ Resources: - CloudWatchLogsLogGroup: LogGroupArn: !GetAtt LogGroup.Arn RoleArn: !GetAtt Role.Arn + +Outputs: + + RolesForKMSKey: + Value: !Join + - ', ' + - - !Sub '"${TranscribeLambdaRole.Arn}"' + - !Sub '"${TranscribeRole.Arn}"' + - !Sub '"${SFProcessTurnRole.Arn}"' + diff --git a/pca-server/cfn/lib/trigger.template b/pca-server/cfn/lib/trigger.template index 1d14e29c..f5c6ef54 100644 --- a/pca-server/cfn/lib/trigger.template +++ b/pca-server/cfn/lib/trigger.template @@ -164,3 +164,10 @@ Resources: - dynamodb:DeleteItem - dynamodb:GetItem Resource: !Sub arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${TableName} + +Outputs: + + RolesForKMSKey: + Value: !Join + - ', ' + - - !Sub '"${FileDropTriggerRole.Arn}"' diff --git a/pca-server/cfn/pca-server.template b/pca-server/cfn/pca-server.template index 45b6836a..db630499 100644 --- a/pca-server/cfn/pca-server.template +++ b/pca-server/cfn/pca-server.template @@ -77,4 +77,13 @@ Resources: GlueDatabase: Type: AWS::CloudFormation::Stack Properties: - TemplateURL: lib/glue-database.template \ No newline at end of file + TemplateURL: lib/glue-database.template + +Outputs: + + RolesForKMSKey: + Value: !Join + - ', ' + - - !Sub '${CopySamples.Outputs.RolesForKMSKey}' + - !Sub '${Trigger.Outputs.RolesForKMSKey}' + - !Sub '${PCA.Outputs.RolesForKMSKey}' diff --git a/pca-ui/cfn/lib/api.template b/pca-ui/cfn/lib/api.template index eb5d0aeb..f9fb428c 100644 --- a/pca-ui/cfn/lib/api.template +++ b/pca-ui/cfn/lib/api.template 
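Review bot: The nested `RolesForKMSKey` outputs wrap each ARN in literal double quotes and, in the single-role templates, pass a one-element list to `!Join`, so the value is a pre-quoted text fragment and nothing in the template says what it is for. For `copy-samples.template` here, and likewise `trigger.template`, `deploy.template` and `web.template`, `Value: !Sub '"${CopySamplesRole.Arn}"'` yields the same string without the join. A `Description` on each nested output, e.g. `Description: Quoted role ARNs, comma separated, for pasting into a KMS key policy principal list`, would document the format for anyone who later consumes the output programmatically and expects bare ARNs.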
@@ -198,3 +198,9 @@ Resources: Outputs: Uri: Value: !Sub https://${Api}.execute-api.${AWS::Region}.amazonaws.com/Prod + + RolesForKMSKey: + Value: !Join + - ', ' + - - !Sub '"${GetFunctionRole.Arn}"' + - !Sub '"${SwapFunctionRole.Arn}"' diff --git a/pca-ui/cfn/lib/deploy.template b/pca-ui/cfn/lib/deploy.template index ad47cbed..2a21408a 100644 --- a/pca-ui/cfn/lib/deploy.template +++ b/pca-ui/cfn/lib/deploy.template @@ -108,3 +108,10 @@ Resources: AuthClientId: !Ref AuthClientId ApiUri: !Ref ApiUri Region: !Ref AWS::Region + +Outputs: + + RolesForKMSKey: + Value: !Join + - ', ' + - - !Sub '"${Role.Arn}"' \ No newline at end of file diff --git a/pca-ui/cfn/lib/indexer.template b/pca-ui/cfn/lib/indexer.template index 7f0f4333..16831ecf 100644 --- a/pca-ui/cfn/lib/indexer.template +++ b/pca-ui/cfn/lib/indexer.template @@ -127,3 +127,9 @@ Resources: Outputs: TableName: Value: !Ref Table + + RolesForKMSKey: + Value: !Join + - ', ' + - - !Sub '"${IndexFunctionRole.Arn}"' + - !Sub '"${ConfigureDataBucketRole.Arn}"' \ No newline at end of file diff --git a/pca-ui/cfn/lib/web.template b/pca-ui/cfn/lib/web.template index 229274c9..bbcd8b0f 100644 --- a/pca-ui/cfn/lib/web.template +++ b/pca-ui/cfn/lib/web.template @@ -131,3 +131,8 @@ Outputs: Bucket: Value: !Ref WebBucket + + RolesForKMSKey: + Value: !Join + - ', ' + - - !Sub '"${EdgeFunctionRole.Arn}"' diff --git a/pca-ui/cfn/pca-ui.template b/pca-ui/cfn/pca-ui.template index d2b88028..8aabfd1c 100644 --- a/pca-ui/cfn/pca-ui.template +++ b/pca-ui/cfn/pca-ui.template @@ -133,3 +133,11 @@ Outputs: WebUri: Value: !GetAtt Web.Outputs.Uri + + RolesForKMSKey: + Value: !Join + - ', ' + - - !Sub '${Api.Outputs.RolesForKMSKey}' + - !Sub '${Indexer.Outputs.RolesForKMSKey}' + - !Sub '${Deploy.Outputs.RolesForKMSKey}' + - !Sub '${Web.Outputs.RolesForKMSKey}' \ No newline at end of file From a6959a82309ada8cf6f30ff251c9d7133fea224a Mon Sep 17 00:00:00 2001 
From: Bob Strahan Date: Fri, 10 Jun 2022 01:00:10 +0000 Subject: [PATCH 4/6] generate list of roles to add to any KMS key used to encrypt input or output S3 bucket --- pca-main.template | 1 + 1 file changed, 1 insertion(+) diff --git a/pca-main.template b/pca-main.template index cfdf8e6a..d3e64b76 100644 --- a/pca-main.template +++ b/pca-main.template @@ -759,6 +759,7 @@ Outputs: Value: !Ref AdminUsername RolesForKMSKey: + Description: When using KMS key to encrypt S3 input/output buckets, KMS key must grant access to these roles. Value: !Join - ', ' - - !Sub '${PCAUI.Outputs.RolesForKMSKey}' From 256a6242c0a4a2639560705299450932d49f6050 Mon Sep 17 00:00:00 2001 From: Bob Strahan Date: Fri, 10 Jun 2022 13:48:52 +0000 Subject: [PATCH 5/6] generate list of roles to add to any KMS key used to encrypt input or output S3 bucket --- pca-server/cfn/lib/bulk.template | 7 +++++++ pca-server/cfn/pca-server.template | 2 ++ 2 files changed, 9 insertions(+) diff --git a/pca-server/cfn/lib/bulk.template b/pca-server/cfn/lib/bulk.template index 8294a9e3..baddf361 100644 --- a/pca-server/cfn/lib/bulk.template +++ b/pca-server/cfn/lib/bulk.template @@ -132,3 +132,10 @@ Resources: - CloudWatchLogsLogGroup: LogGroupArn: !GetAtt LogGroup.Arn RoleArn: !GetAtt Role.Arn + +Outputs: + + RolesForKMSKey: + Value: !Join + - ', ' + - - !Sub '"${BulkMoveFiles.Arn}"' \ No newline at end of file diff --git a/pca-server/cfn/pca-server.template b/pca-server/cfn/pca-server.template index db630499..4c695b3c 100644 --- a/pca-server/cfn/pca-server.template +++ b/pca-server/cfn/pca-server.template @@ -87,3 +87,5 @@ Outputs: - - !Sub '${CopySamples.Outputs.RolesForKMSKey}' - !Sub '${Trigger.Outputs.RolesForKMSKey}' - !Sub '${PCA.Outputs.RolesForKMSKey}' + - !Sub '${BulkImport.Outputs.RolesForKMSKey}' + From 204b2de8598ff729d35e780afab8c39c61fa6576 Mon Sep 17 00:00:00 2001 
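Review bot: `BulkMoveFiles.Arn` in the new `RolesForKMSKey` output of `bulk.template` breaks the `...Role.Arn` naming that every other entry in this series follows, and the context lines just above it reference a separate `Role.Arn`. If `BulkMoveFiles` is the function or another non-IAM resource rather than its execution role, the output hands operators an ARN that is not a valid key policy principal, and the role that actually touches the bulk upload bucket is missing from the list. The resource definitions are outside the hunk, so this needs confirming against the template; if it is the case, reference the role instead, e.g. `- - !Sub '"${BulkMoveFilesRole.Arn}"'` (placeholder logical ID, use the role's real one).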
From: Bob Strahan Date: Fri, 10 Jun 2022 14:03:19 +0000 Subject: [PATCH 6/6] Roll version to 0.2.4 --- CHANGELOG.md | 8 +++++++- VERSION | 2 +- pca-main-nokendra.template | 2 +- pca-main.template | 2 +- 4 files changed, 10 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 0f4ff42f..f7854d05 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,11 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). +## [0.2.4] - 2022-06-10 +### Fixed +- Use sigv4 for S3 presignedURLS +- New stack output with list of role ARNS thta need access KMS key (if any) used to encrypt S3 InputBucket, OutputBucket, or BulkUploadBucket + ## [0.2.3] - 2022-06-09 ### Fixed - Simplifies workflow by using new Transcribe API to specify Custom Vocabulary and Vocabulary Filter at the same time as using Language ID. @@ -49,7 +54,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ### Added - Initial release -[Unreleased]: https://github.com/aws-samples/amazon-transcribe-post-call-analytics/compare/v0.2.3...develop +[Unreleased]: https://github.com/aws-samples/amazon-transcribe-post-call-analytics/compare/v0.2.4...develop +[0.2.4]: https://github.com/aws-samples/amazon-transcribe-post-call-analytics/releases/tag/v0.2.4 [0.2.3]: https://github.com/aws-samples/amazon-transcribe-post-call-analytics/releases/tag/v0.2.3 [0.2.2]: https://github.com/aws-samples/amazon-transcribe-post-call-analytics/releases/tag/v0.2.2 [0.2.1]: https://github.com/aws-samples/amazon-transcribe-post-call-analytics/releases/tag/v0.2.1 diff --git a/VERSION b/VERSION index e6afea6f..abd41058 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -0.2.4-a +0.2.4 diff --git a/pca-main-nokendra.template b/pca-main-nokendra.template index 0a450a3d..7bc2386c 100644 --- a/pca-main-nokendra.template 
+++ b/pca-main-nokendra.template @@ -1,6 +1,6 @@ AWSTemplateFormatVersion: "2010-09-09" -Description: Amazon Transcribe Post Call Analytics - PCA (v0.2.3) (uksb-1sn29lk73) +Description: Amazon Transcribe Post Call Analytics - PCA (v0.2.4) (uksb-1sn29lk73) Parameters: diff --git a/pca-main.template b/pca-main.template index d3e64b76..75670bc7 100644 --- a/pca-main.template +++ b/pca-main.template @@ -1,6 +1,6 @@ AWSTemplateFormatVersion: "2010-09-09" -Description: Amazon Transcribe Post Call Analytics - PCA (v0.2.3) (uksb-1sn29lk73) +Description: Amazon Transcribe Post Call Analytics - PCA (v0.2.4) (uksb-1sn29lk73) Parameters: