Merge branch 'develop' v0.7.11

aws-samples · Oct 9, 2024 · fbd4d0b · fbd4d0b
2 parents 437f206 + de45f39
commit fbd4d0b
Show file tree

Hide file tree

Showing 8 changed files with 201 additions and 21 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -7,6 +7,12 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [0.7.11] - 2024-10-09
+
+### Added
+- Disable checking if Bedrock models are enabled (default is set to true i.e check it which is the right setting for most cases).
+- Allow users to sign-up for access to Web UI when AllowedSignUpEmailDomain is populated (disable if left blank. enabled for all domains if * is entered).
+
 ## [0.7.10] - 2024-08-12
 
 ### Added
@@ -269,6 +275,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Initial release
 
 [Unreleased]: https://github.com/aws-samples/amazon-transcribe-post-call-analytics/compare/main...develop
+[0.7.11]: https://github.com/aws-samples/amazon-transcribe-post-call-analytics/releases/tag/v0.7.11
+[0.7.10]: https://github.com/aws-samples/amazon-transcribe-post-call-analytics/releases/tag/v0.7.10
 [0.7.9]: https://github.com/aws-samples/amazon-transcribe-post-call-analytics/releases/tag/v0.7.9
 [0.7.8]: https://github.com/aws-samples/amazon-transcribe-post-call-analytics/releases/tag/v0.7.8
 [0.7.7]: https://github.com/aws-samples/amazon-transcribe-post-call-analytics/releases/tag/v0.7.7

diff --git a/README.md b/README.md
@@ -191,6 +191,7 @@ OR, if you opted to follow the steps above to Build and Publish PCA CloudFormati
 * For **Stack name**, use the default value, ``PostCallAnalytics``. 
 * For **AdminUsername,** use the default value, `admin`.
 * For **AdminEmail,** use a valid email address—your temporary password is emailed to this address during the deployment.
+* For **AllowedSignUpEmailDomain** Email address domain (example.com) or comma separated list of email domains (example1.com, example2.com) allowed to signin and signup using the web UI. To allow signup from any domain, enter *. If left empty, signup via the web UI is disabled and users will have to be created using Cognito.
 * For **loadSampleAudioFiles**, change the value to `true`.
 * For **EnableTranscriptKendraSearch**, change the value to ``Yes, create new Kendra Index (Developer Edition)``.
 

diff --git a/VERSION b/VERSION
@@ -1 +1 @@
-0.7.10
+0.7.11
diff --git a/pca-main-nokendra.template b/pca-main-nokendra.template
@@ -1,6 +1,6 @@
 AWSTemplateFormatVersion: "2010-09-09"
 
-Description: Amazon Transcribe Post Call Analytics - PCA (v0.7.10) (uksb-1sn29lk73, SO9071)
+Description: Amazon Transcribe Post Call Analytics - PCA (v0.7.11) (uksb-1sn29lk73, SO9071)
 
 Parameters:
 
@@ -17,6 +17,18 @@ Parameters:
       AllowedPattern: ".+\\@.+\\..+"
       ConstraintDescription: Must be valid email address eg. [email protected]
 
+  AllowedSignUpEmailDomain:
+    Type: String
+    Default: ""
+    Description: >-
+      Email address domain (example.com) or comma separated list of email domains  (example1.com,
+      example2.com) allowed to signin and signup using the web UI. To allow signup from any domain, 
+      enter *.
+      If left empty, signup via the web UI is disabled and users will have to be created
+      using
+      Cognito.
+    AllowedPattern: '^(\*||([\w-]+\.)+[\w-]{2,6}(, *([\w-]+\.)+[\w-]{2,6})*)$'
+
   BulkUploadBucketName:
     Type: String
     Default: ""
@@ -415,6 +427,15 @@ Parameters:
       - anthropic.claude-v2
     Description: (Optional) If 'CallSummarization' is BEDROCK, which Bedrock model to use.
 
+  TestBedrockModelId:
+    Type: String
+    Default: true
+    AllowedValues:
+        - true
+        - false
+    Description: >
+      Set to false to disable checking if the Bedrock models are enabled. 
+
   SummarizationSageMakerInitialInstanceCount:
     Type: Number
     MinValue: 0
@@ -444,6 +465,7 @@ Metadata:
               Parameters:
                   - AdminUsername
                   - AdminEmail
+                  - AllowedSignUpEmailDomain
             - Label:
                 default: Sample Data
               Parameters:
@@ -545,6 +567,7 @@ Metadata:
                 - Environment
                 - StepFunctionName
                 - ffmpegDownloadUrl 
+                - TestBedrockModelId
 
 Conditions:
   ShouldCreateBulkUploadBucket: !Equals [!Ref BulkUploadBucketName, '']
@@ -563,14 +586,24 @@ Conditions:
     !Equals [!Ref GenAIQuery, 'BEDROCK'],
   ]
   ShouldDeployLLMThirdPartyApiKey: !And [!Not [!Equals [!Ref SummarizationLLMThirdPartyApiKey, '']], !Not [!Equals [!Ref SummarizationLLMThirdPartyApiKey, undefined]]]
-  ShouldTestBedrockModelId: !Or [
-    !Equals [!Ref CallSummarization, 'BEDROCK'], 
-    !Equals [!Ref CallSummarization, "BEDROCK+TCA"],
-    !Equals [!Ref GenAIQuery, 'BEDROCK'],]
-  ShouldTestGenAIQueryBedrockModelId: !Equals [!Ref GenAIQuery, 'BEDROCK']
-  ShouldTestSummarizationBedrockModelId: !Or [
-    !Equals [!Ref CallSummarization, 'BEDROCK'],
-    !Equals [!Ref CallSummarization, "BEDROCK+TCA"],
+  ShouldTestBedrockModelId: !And [
+    !Or [
+      !Equals [!Ref CallSummarization, 'BEDROCK'], 
+      !Equals [!Ref CallSummarization, "BEDROCK+TCA"],
+      !Equals [!Ref GenAIQuery, 'BEDROCK'],
+    ], 
+    !Equals [!Ref TestBedrockModelId, 'true']
+  ]
+  ShouldTestGenAIQueryBedrockModelId: !And [
+    !Equals [!Ref GenAIQuery, 'BEDROCK'], 
+    !Equals [!Ref TestBedrockModelId, 'true']
+  ]
+  ShouldTestSummarizationBedrockModelId: !And [
+    !Or [
+      !Equals [!Ref CallSummarization, 'BEDROCK'],
+      !Equals [!Ref CallSummarization, "BEDROCK+TCA"],
+    ], 
+    !Equals [!Ref TestBedrockModelId, 'true']
   ]
 
 Resources:
@@ -935,6 +968,7 @@ Resources:
       Parameters:
         AdminUsername: !Ref AdminUsername
         AdminEmail: !Ref AdminEmail
+        AllowedSignUpEmailDomain: !Ref AllowedSignUpEmailDomain
         MainStackName: !Ref AWS::StackName
         AudioBucket:
           !If

diff --git a/pca-main.template b/pca-main.template
@@ -1,6 +1,6 @@
 AWSTemplateFormatVersion: "2010-09-09"
 
-Description: Amazon Transcribe Post Call Analytics - PCA (v0.7.10) (uksb-1sn29lk73, SO9071)
+Description: Amazon Transcribe Post Call Analytics - PCA (v0.7.11) (uksb-1sn29lk73, SO9071)
 
 Parameters:
 
@@ -17,6 +17,18 @@ Parameters:
       AllowedPattern: ".+\\@.+\\..+"
       ConstraintDescription: Must be valid email address eg. [email protected]
 
+  AllowedSignUpEmailDomain:
+    Type: String
+    Default: ""
+    Description: >-
+      Email address domain (example.com) or comma separated list of email domains  (example1.com,
+      example2.com) allowed to signin and signup using the web UI. To allow signup from any domain, 
+      enter *.
+      If left empty, signup via the web UI is disabled and users will have to be created
+      using
+      Cognito.
+    AllowedPattern: '^(\*||([\w-]+\.)+[\w-]{2,6}(, *([\w-]+\.)+[\w-]{2,6})*)$'
+
   BulkUploadBucketName:
     Type: String
     Default: ""
@@ -456,6 +468,15 @@ Parameters:
       - anthropic.claude-v2
     Description: (Optional) If 'CallSummarization' is BEDROCK, which Bedrock model to use. 
 
+  TestBedrockModelId:
+    Type: String
+    Default: true
+    AllowedValues:
+        - true
+        - false
+    Description: >
+      Set to false to disable checking if the Bedrock models are enabled. 
+
   SummarizationSageMakerInitialInstanceCount:
     Type: Number
     MinValue: 0
@@ -485,6 +506,7 @@ Metadata:
               Parameters:
                   - AdminUsername
                   - AdminEmail
+                  - AllowedSignUpEmailDomain
             - Label:
                 default: Sample Data
               Parameters:
@@ -586,6 +608,7 @@ Metadata:
                 - Environment
                 - StepFunctionName
                 - ffmpegDownloadUrl 
+                - TestBedrockModelId
 
 Conditions:
   ShouldCreateBulkUploadBucket: !Equals [!Ref BulkUploadBucketName, '']
@@ -604,14 +627,24 @@ Conditions:
     !Equals [!Ref GenAIQuery, 'BEDROCK'],
   ]
   ShouldDeployLLMThirdPartyApiKey: !And [!Not [!Equals [!Ref SummarizationLLMThirdPartyApiKey, '']], !Not [!Equals [!Ref SummarizationLLMThirdPartyApiKey, undefined]]]
-  ShouldTestBedrockModelId: !Or [
-    !Equals [!Ref CallSummarization, 'BEDROCK'], 
-    !Equals [!Ref CallSummarization, "BEDROCK+TCA"],
-    !Equals [!Ref GenAIQuery, 'BEDROCK'],]
-  ShouldTestGenAIQueryBedrockModelId: !Equals [!Ref GenAIQuery, 'BEDROCK']
-  ShouldTestSummarizationBedrockModelId: !Or [
-    !Equals [!Ref CallSummarization, 'BEDROCK'],
-    !Equals [!Ref CallSummarization, "BEDROCK+TCA"],
+  ShouldTestBedrockModelId: !And [
+    !Or [
+      !Equals [!Ref CallSummarization, 'BEDROCK'], 
+      !Equals [!Ref CallSummarization, "BEDROCK+TCA"],
+      !Equals [!Ref GenAIQuery, 'BEDROCK'],
+    ], 
+    !Equals [!Ref TestBedrockModelId, 'true']
+  ]
+  ShouldTestGenAIQueryBedrockModelId: !And [
+    !Equals [!Ref GenAIQuery, 'BEDROCK'], 
+    !Equals [!Ref TestBedrockModelId, 'true']
+  ]
+  ShouldTestSummarizationBedrockModelId: !And [
+    !Or [
+      !Equals [!Ref CallSummarization, 'BEDROCK'],
+      !Equals [!Ref CallSummarization, "BEDROCK+TCA"],
+    ], 
+    !Equals [!Ref TestBedrockModelId, 'true']
   ]
 
 Rules:
@@ -1119,6 +1152,7 @@ Resources:
       Parameters:
         AdminUsername: !Ref AdminUsername
         AdminEmail: !Ref AdminEmail
+        AllowedSignUpEmailDomain: !Ref AllowedSignUpEmailDomain
         MainStackName: !Ref AWS::StackName
         AudioBucket:
           !If

diff --git a/pca-ui/cfn/lib/cognito.template b/pca-ui/cfn/lib/cognito.template
@@ -1,4 +1,5 @@
 AWSTemplateFormatVersion: "2010-09-09"
+Transform: AWS::Serverless-2016-10-31
 
 Description: Amazon Transcribe Post Call Analytics - PCA UI - Cognito
 
@@ -10,6 +11,18 @@ Parameters:
   AdminEmail:
       Type: String
 
+  AllowedSignUpEmailDomain:
+    Type: String
+    Default: ""
+    Description: >-
+      Email address domain (example.com) or comma separated list of email domains  (example1.com,
+      example2.com) allowed to signin and signup using the web UI. To allow signup from any domain, 
+      enter *.
+      If left empty, signup via the web UI is disabled and users will have to be created
+      using
+      Cognito.
+    AllowedPattern: '^(\*||([\w-]+\.)+[\w-]{2,6}(, *([\w-]+\.)+[\w-]{2,6})*)$' 
+
   Name:
     Type: String
 
@@ -19,9 +32,17 @@ Parameters:
   Environment:
     Type: String
 
+  CloudWatchLogsExpirationInDays:
+    Type: Number
+    Default: 14
+    Description: The number of days log events are kept in CloudWatch Logs.
+
 Conditions:
   IsProd: !Equals [!Ref Environment, PROD]
 
+  ShouldAllowSignUpEmailDomain:
+    !Not [!Equals [!Ref AllowedSignUpEmailDomain, ""]]
+
 Resources:
 
   # Custom resource to transform input to lowercase.                                             
@@ -68,7 +89,10 @@ Resources:
     Type: "AWS::Cognito::UserPool"
     Properties:
       AdminCreateUserConfig:
-        AllowAdminCreateUserOnly: true
+        AllowAdminCreateUserOnly: !If
+          - ShouldAllowSignUpEmailDomain
+          - false
+          - true
         InviteMessageTemplate:
           EmailMessage:
             !Sub >
@@ -86,6 +110,11 @@ Resources:
         - email
       AutoVerifiedAttributes:
         - email
+      LambdaConfig: !If
+        - ShouldAllowSignUpEmailDomain
+        - PreAuthentication: !GetAtt CognitoUserPoolEmailDomainVerifyFunction.Arn
+          PreSignUp: !GetAtt CognitoUserPoolEmailDomainVerifyFunction.Arn
+        - !Ref AWS::NoValue
       Schema:
         - Required: true
           Name: email
@@ -137,6 +166,67 @@ Resources:
       UserPoolId:
         !Ref PCAUserPool
 
+  CognitoUserPoolEmailDomainVerifyFunction:
+    Type: AWS::Serverless::Function
+    Condition: ShouldAllowSignUpEmailDomain
+    Properties:
+      Handler: index.handler
+      Runtime: nodejs18.x
+      Timeout: 3
+      Environment:
+        Variables:
+          ALLOWED_SIGNUP_EMAIL_DOMAINS: !Ref AllowedSignUpEmailDomain
+      InlineCode: |
+        exports.handler = async (event, context) => {
+          console.log(event);
+          const allowed_domains = (
+              process.env?.ALLOWED_SIGNUP_EMAIL_DOMAINS
+              .split(",").map(domain => {return domain.trim()})
+          );
+          const { email } = event.request?.userAttributes;
+          if (!email || !email.includes('@')) {
+            throw Error('Username does not exists or invalid email address');
+          }
+          const emailDomain = email?.split('@')[1];
+          if (!emailDomain || !allowed_domains) {
+            throw new Error('Server error - invalid configuration');
+          }
+          if (!allowed_domains.includes(emailDomain) && allowed_domains != "*") {
+            throw new Error('Invalid email address domain');
+          }
+          return event;
+        };
+      LoggingConfig:
+        LogGroup:
+          Fn::Sub: /${AWS::StackName}/lambda/CognitoUserPoolEmailDomainVerifyFunction
+    Metadata:
+      cfn_nag:
+        rules_to_suppress:
+          - id: W89
+            reason: Customer can use VPC if desired
+          - id: W92
+            reason: Customer can choose reserved concurrency based on their requirement.
+    DependsOn:
+      - CognitoUserPoolEmailDomainVerifyFunctionLogGroup
+
+  CognitoUserPoolEmailDomainVerifyFunctionLogGroup:
+    Type: AWS::Logs::LogGroup
+    Properties:
+      LogGroupName:
+        Fn::Sub: /${AWS::StackName}/lambda/CognitoUserPoolEmailDomainVerifyFunction
+      RetentionInDays:
+        Ref: CloudWatchLogsExpirationInDays
+
+  CognitoUserPoolEmailDomainVerifyPermission:
+    Type: AWS::Lambda::Permission
+    Condition: ShouldAllowSignUpEmailDomain
+    Properties:
+      Action: lambda:InvokeFunction
+      FunctionName: !Ref CognitoUserPoolEmailDomainVerifyFunction
+      Principal: cognito-idp.amazonaws.com
+      SourceAccount: !Ref AWS::AccountId
+      SourceArn: !GetAtt PCAUserPool.Arn
+
 Outputs:
   AdminUser:
     Value: !Ref AdminUser

diff --git a/pca-ui/cfn/pca-ui.template b/pca-ui/cfn/pca-ui.template
@@ -16,6 +16,18 @@ Parameters:
       AllowedPattern: ".+\\@.+\\..+"
       ConstraintDescription: Must be valid email address eg. [email protected]
 
+  AllowedSignUpEmailDomain:
+    Type: String
+    Default: ""
+    Description: >-
+      Email address domain (example.com) or comma separated list of email domains  (example1.com,
+      example2.com) allowed to signin and signup using the web UI. To allow signup from any domain, 
+      enter *.
+      If left empty, signup via the web UI is disabled and users will have to be created
+      using
+      Cognito.
+    AllowedPattern: '^(\*||([\w-]+\.)+[\w-]{2,6}(, *([\w-]+\.)+[\w-]{2,6})*)$' 
+
   AudioBucket:
     Type: String
     Default: InputBucketName
@@ -128,6 +140,7 @@ Resources:
       Parameters:
         AdminUsername: !Ref AdminUsername
         AdminEmail: !Ref AdminEmail
+        AllowedSignUpEmailDomain: !Ref AllowedSignUpEmailDomain
         WebUri: !GetAtt Web.Outputs.Uri
         Environment: !Ref Environment
         Name: