diff --git a/lambdas/qna_bot_qbusiness_lambdahook/template.yml b/lambdas/qna_bot_qbusiness_lambdahook/template.yml index 4cc554d..4a40918 100644 --- a/lambdas/qna_bot_qbusiness_lambdahook/template.yml +++ b/lambdas/qna_bot_qbusiness_lambdahook/template.yml @@ -1,13 +1,12 @@ AWSTemplateFormatVersion: "2010-09-09" Description: > Amazon Q (Business) Lambda Hook function for using with 'QnABot on AWS'. - Use with the 'no_hits' (CustomNoMatches) item to use Amazon Q when no good answers are found by other methods - v0.1.16 + Use with the 'no_hits' (CustomNoMatches) item to use Amazon Q when no good answers are found by other methods - v0.1.17 Parameters: - AmazonQAppId: Type: String - AllowedPattern: '^[a-zA-Z0-9][a-zA-Z0-9-]{35}$' + AllowedPattern: "^[a-zA-Z0-9][a-zA-Z0-9-]{35}$" Description: Amazon Q Application ID IDCApplicationARN: @@ -21,7 +20,7 @@ Parameters: AmazonQRegion: Type: String Default: "us-east-1" - AllowedPattern: '^[a-z]{2}-[a-z]+-[0-9]+$' + AllowedPattern: "^[a-z]{2}-[a-z]+-[0-9]+$" Description: Amazon Q Region AmazonQEndpointUrl: 
@@ -30,35 +29,34 @@ Parameters: Description: (Optional) Amazon Q Endpoint (leave empty for default endpoint) Resources: - QManagedPolicy: Type: AWS::IAM::ManagedPolicy Properties: PolicyDocument: - Version: '2012-10-17' + Version: "2012-10-17" Statement: - - Sid: AllowQChat - Effect: Allow - Action: - - "qbusiness:ChatSync" - Resource: !Sub "arn:${AWS::Partition}:qbusiness:${AWS::Region}:${AWS::AccountId}:application/${AmazonQAppId}" - + - Sid: AllowQChat + Effect: Allow + Action: + - "qbusiness:ChatSync" + Resource: !Sub "arn:${AWS::Partition}:qbusiness:${AWS::Region}:${AWS::AccountId}:application/${AmazonQAppId}" + QServiceRole: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Version: 2012-10-17 Statement: - - Effect: Allow - Principal: - AWS: - - !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:root - Action: - - sts:AssumeRole - - sts:SetContext + - Effect: Allow + Principal: + AWS: + - !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:root + Action: + - sts:AssumeRole + - sts:SetContext Path: / ManagedPolicyArns: - - !Ref QManagedPolicy + - !Ref QManagedPolicy QBusinessModelLayer: Type: "AWS::Lambda::LayerVersion" 
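Review bot: The trust policy on QServiceRole names the account root as principal for `sts:AssumeRole` and `sts:SetContext`. Any identity in the account whose IAM policy allows those actions on this role can therefore assume it and reach `qbusiness:ChatSync` on the application. If only the Lambda execution role is meant to assume it, narrow the trust, for example with a `Condition` on `aws:PrincipalArn`. Naming LambdaFunctionRole directly may create a circular reference, because that role's policy references `QServiceRole.Arn` in a later hunk. Separately, this statement keeps `Version: 2012-10-17` unquoted while the managed policy just above is now `Version: "2012-10-17"`; quoting it here, and in the inline policies of the `@@ -132,27 +130,27 @@` hunk, would match the rest of the commit and avoid date typing in generic YAML parsers.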
@@ -68,28 +66,28 @@ Resources: - python3.12 KMSKey: - Type: 'AWS::KMS::Key' + Type: "AWS::KMS::Key" Properties: - KeySpec: 'SYMMETRIC_DEFAULT' - KeyUsage: 'ENCRYPT_DECRYPT' + KeySpec: "SYMMETRIC_DEFAULT" + KeyUsage: "ENCRYPT_DECRYPT" KeyPolicy: - Version: '2012-10-17' + Version: "2012-10-17" Statement: - - Effect: Allow - Principal: - AWS: !Sub 'arn:aws:iam::${AWS::AccountId}:root' - Action: 'kms:*' - Resource: '*' + - Effect: Allow + Principal: + AWS: !Sub "arn:aws:iam::${AWS::AccountId}:root" + Action: "kms:*" + Resource: "*" CredentialsTable: Type: AWS::DynamoDB::Table Properties: AttributeDefinitions: - - AttributeName: "jti" - AttributeType: "S" + - AttributeName: "jti" + AttributeType: "S" KeySchema: - - AttributeName: "jti" - KeyType: "HASH" + - AttributeName: "jti" + KeyType: "HASH" BillingMode: PAY_PER_REQUEST SSESpecification: SSEEnabled: True @@ -102,7 +100,7 @@ Resources: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: - Version: '2012-10-17' + Version: "2012-10-17" Statement: - Effect: Allow Principal: @@ -132,27 +130,27 @@ Resources: Statement: - Effect: Allow Action: - - "dynamodb:PutItem" - - "dynamodb:GetItem" + - "dynamodb:PutItem" + - "dynamodb:GetItem" Resource: - - !Sub "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${DynamoDBTableName}" + - !Sub "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${DynamoDBTableName}" PolicyName: DynamoDbPolicy - PolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Action: - - "kms:Decrypt" - - "kms:Encrypt" + - "kms:Decrypt" + - "kms:Encrypt" Resource: - - !Sub "arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:key/${KMSKey}" + - !Sub "arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:key/${KMSKey}" PolicyName: KmsPolicy - PolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Action: - - "sso-oauth:CreateTokenWithIAM" + - "sso-oauth:CreateTokenWithIAM" Resource: "*" PolicyName: OICDPolicy - PolicyDocument: 
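Review bot: The KMSKey policy principal is `arn:aws:iam::${AWS::AccountId}:root`, which hard-codes the `aws` partition, while the other ARNs in this template use `${AWS::Partition}`. In another partition the principal would not resolve to this account, and the key policy would likely be rejected. Suggest `AWS: !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:root"`. The key properties visible in this hunk also omit `EnableKeyRotation: true`, which is worth adding for a symmetric key that appears to protect the stored credentials, unless rotation is handled elsewhere.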
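Review bot: In the `@@ -132,27 +130,27 @@` hunk, the inline policy granting `sso-oauth:CreateTokenWithIAM` uses `Resource: "*"` and is named `OICDPolicy`, which looks like a transposition of OIDC. If the action supports resource-level scoping, the `IDCApplicationARN` parameter declared at the top of the template would be the natural value. Otherwise add a comment above the statement, such as `# CreateTokenWithIAM cannot be scoped to a resource; wildcard is intentional`, so the wildcard is not flagged in later reviews. The enclosing `Policies` list starts before this hunk and continues past it, so whether the table ARN built from `${DynamoDBTableName}` matches the CredentialsTable resource cannot be confirmed from here.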
@@ -160,21 +158,21 @@ Resources: Statement: - Effect: Allow Action: - - "sts:AssumeRole" - - "sts:SetContext" + - "sts:AssumeRole" + - "sts:SetContext" Resource: - - !GetAtt QServiceRole.Arn + - !GetAtt QServiceRole.Arn PolicyName: AllowAssumeQRole QnaItemLambdaHookFunction: Type: AWS::Lambda::Function Properties: - # LambdaHook name must start with 'QNA-' to match QnAbot invoke policy + # LambdaHook name must start with 'QNA-' to match QnAbot invoke policy FunctionName: !Sub "QNA-LAMBDAHOOK-${AWS::StackName}" Handler: lambdahook.lambda_handler - Role: !GetAtt 'LambdaFunctionRole.Arn' + Role: !GetAtt "LambdaFunctionRole.Arn" Runtime: python3.12 - Layers: + Layers: - !Ref QBusinessModelLayer Timeout: 60 MemorySize: 128 @@ -197,12 +195,10 @@ Resources: - id: W92 reason: No requirements to set reserved concurrencies. - Outputs: - QnAItemLambdaHookFunctionName: Description: QnA Item Lambda Hook Function Name (use with no_hits item for optional ask-Amazon-Q-Business fallback) - Value: !Ref 'QnaItemLambdaHookFunction' + Value: !Ref "QnaItemLambdaHookFunction" QnAItemLambdaHookArgs: Description: QnA Item Lambda Hook Args (use with no_hits item for optional ask-the-LLM fallback) @@ -211,4 +207,3 @@ Outputs: QnAItemLambdaFunctionRoleArn: Description: ARN of the Role created for executing the Lambda function Value: !GetAtt LambdaFunctionRole.Arn -