v0.1.17
rstrahan committed Jul 10, 2024
1 parent 509ac27 commit 3d2df13
Showing 1 changed file with 46 additions and 51 deletions.
97 changes: 46 additions & 51 deletions lambdas/qna_bot_qbusiness_lambdahook/template.yml
@@ -1,13 +1,12 @@
AWSTemplateFormatVersion: "2010-09-09"
Description: >
Amazon Q (Business) Lambda Hook function for using with 'QnABot on AWS'.
Use with the 'no_hits' (CustomNoMatches) item to use Amazon Q when no good answers are found by other methods - v0.1.16
Use with the 'no_hits' (CustomNoMatches) item to use Amazon Q when no good answers are found by other methods - v0.1.17
Parameters:

AmazonQAppId:
Type: String
AllowedPattern: '^[a-zA-Z0-9][a-zA-Z0-9-]{35}$'
AllowedPattern: "^[a-zA-Z0-9][a-zA-Z0-9-]{35}$"
Description: Amazon Q Application ID

IDCApplicationARN:
Expand All @@ -21,7 +20,7 @@ Parameters:
AmazonQRegion:
Type: String
Default: "us-east-1"
AllowedPattern: '^[a-z]{2}-[a-z]+-[0-9]+$'
AllowedPattern: "^[a-z]{2}-[a-z]+-[0-9]+$"
Description: Amazon Q Region

AmazonQEndpointUrl:
Expand All @@ -30,35 +29,34 @@ Parameters:
Description: (Optional) Amazon Q Endpoint (leave empty for default endpoint)

Resources:

QManagedPolicy:
Type: AWS::IAM::ManagedPolicy
Properties:
PolicyDocument:
Version: '2012-10-17'
Version: "2012-10-17"
Statement:
- Sid: AllowQChat
Effect: Allow
Action:
- "qbusiness:ChatSync"
Resource: !Sub "arn:${AWS::Partition}:qbusiness:${AWS::Region}:${AWS::AccountId}:application/${AmazonQAppId}"
- Sid: AllowQChat
Effect: Allow
Action:
- "qbusiness:ChatSync"
Resource: !Sub "arn:${AWS::Partition}:qbusiness:${AWS::Region}:${AWS::AccountId}:application/${AmazonQAppId}"

QServiceRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Principal:
AWS:
- !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:root
Action:
- sts:AssumeRole
- sts:SetContext
- Effect: Allow
Principal:
AWS:
- !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:root
Action:
- sts:AssumeRole
- sts:SetContext
Path: /
ManagedPolicyArns:
- !Ref QManagedPolicy
- !Ref QManagedPolicy

QBusinessModelLayer:
Type: "AWS::Lambda::LayerVersion"
Expand All @@ -68,28 +66,28 @@ Resources:
- python3.12

KMSKey:
Type: 'AWS::KMS::Key'
Type: "AWS::KMS::Key"
Properties:
KeySpec: 'SYMMETRIC_DEFAULT'
KeyUsage: 'ENCRYPT_DECRYPT'
KeySpec: "SYMMETRIC_DEFAULT"
KeyUsage: "ENCRYPT_DECRYPT"
KeyPolicy:
Version: '2012-10-17'
Version: "2012-10-17"
Statement:
- Effect: Allow
Principal:
AWS: !Sub 'arn:aws:iam::${AWS::AccountId}:root'
Action: 'kms:*'
Resource: '*'
- Effect: Allow
Principal:
AWS: !Sub "arn:aws:iam::${AWS::AccountId}:root"
Action: "kms:*"
Resource: "*"

CredentialsTable:
Type: AWS::DynamoDB::Table
Properties:
AttributeDefinitions:
- AttributeName: "jti"
AttributeType: "S"
- AttributeName: "jti"
AttributeType: "S"
KeySchema:
- AttributeName: "jti"
KeyType: "HASH"
- AttributeName: "jti"
KeyType: "HASH"
BillingMode: PAY_PER_REQUEST
SSESpecification:
SSEEnabled: True
Expand All @@ -102,7 +100,7 @@ Resources:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: '2012-10-17'
Version: "2012-10-17"
Statement:
- Effect: Allow
Principal:
Expand Down Expand Up @@ -132,49 +130,49 @@ Resources:
Statement:
- Effect: Allow
Action:
- "dynamodb:PutItem"
- "dynamodb:GetItem"
- "dynamodb:PutItem"
- "dynamodb:GetItem"
Resource:
- !Sub "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${DynamoDBTableName}"
- !Sub "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${DynamoDBTableName}"
PolicyName: DynamoDbPolicy
- PolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Action:
- "kms:Decrypt"
- "kms:Encrypt"
- "kms:Decrypt"
- "kms:Encrypt"
Resource:
- !Sub "arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:key/${KMSKey}"
- !Sub "arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:key/${KMSKey}"
PolicyName: KmsPolicy
- PolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Action:
- "sso-oauth:CreateTokenWithIAM"
- "sso-oauth:CreateTokenWithIAM"
Resource: "*"
PolicyName: OICDPolicy
- PolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Action:
- "sts:AssumeRole"
- "sts:SetContext"
- "sts:AssumeRole"
- "sts:SetContext"
Resource:
- !GetAtt QServiceRole.Arn
- !GetAtt QServiceRole.Arn
PolicyName: AllowAssumeQRole

QnaItemLambdaHookFunction:
Type: AWS::Lambda::Function
Properties:
# LambdaHook name must start with 'QNA-' to match QnAbot invoke policy
# LambdaHook name must start with 'QNA-' to match QnAbot invoke policy
FunctionName: !Sub "QNA-LAMBDAHOOK-${AWS::StackName}"
Handler: lambdahook.lambda_handler
Role: !GetAtt 'LambdaFunctionRole.Arn'
Role: !GetAtt "LambdaFunctionRole.Arn"
Runtime: python3.12
Layers:
Layers:
- !Ref QBusinessModelLayer
Timeout: 60
MemorySize: 128
Expand All @@ -197,12 +195,10 @@ Resources:
- id: W92
reason: No requirements to set reserved concurrencies.


Outputs:

QnAItemLambdaHookFunctionName:
Description: QnA Item Lambda Hook Function Name (use with no_hits item for optional ask-Amazon-Q-Business fallback)
Value: !Ref 'QnaItemLambdaHookFunction'
Value: !Ref "QnaItemLambdaHookFunction"

QnAItemLambdaHookArgs:
Description: QnA Item Lambda Hook Args (use with no_hits item for optional ask-the-LLM fallback)
Expand All @@ -211,4 +207,3 @@ Outputs:
QnAItemLambdaFunctionRoleArn:
Description: ARN of the Role created for executing the Lambda function
Value: !GetAtt LambdaFunctionRole.Arn
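Review bot: The KMSKey key policy principal still hard-codes the `aws` partition (`arn:aws:iam::${AWS::AccountId}:root`), while the other ARNs visible in this template, including the QServiceRole trust principal, use `${AWS::Partition}`; outside the `aws` partition that principal would likely not be accepted as the deploying account. Since the line is being re-quoted anyway, it could become `AWS: !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:root"`. Separately, the QServiceRole trust statement allows the whole account root to call `sts:AssumeRole` and `sts:SetContext`, although the only caller visible here is LambdaFunctionRole through its AllowAssumeQRole policy. A comment on that statement such as `# Account root is trusted to avoid a circular dependency with LambdaFunctionRole; access is limited by the caller's IAM policy` (if that is the reason) would help, or a condition narrowing the principal. The KMSKey properties shown also do not set `EnableKeyRotation`; worth confirming that is intentional.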
