Skip to content

Commit

Permalink
Merge pull request #2419 from krao14/krao14-feature-qbusiness-s3-cdk-…
Browse files Browse the repository at this point in the history 
…python

New serverless pattern - qbusiness-s3-cdk-python
  • Loading branch information
@julianwood
julianwood authored Sep 23, 2024
2 parents ff14c65 + b3938b7 commit 0087452
Show file tree
Hide file tree
Showing 15 changed files with 569 additions and 0 deletions.
73 changes: 73 additions & 0 deletions qbusiness-s3-cdk-python/README.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,73 @@
# Amazon Q Business to Amazon Simple Storage Service (Amazon S3)

This pattern contains a sample stack that leverages Amazon Q Business to build a generative AI application to derive insights from content present in an S3 bucket. An AWS Lambda function initiates the crawling and indexing of the documents present in the specified S3 bucket. Users can then ask questions to the Amazon Q Business application to receive a generated response.

Important: this application uses various AWS services and there are costs associated with these services after the Free Tier usage - please see the AWS Pricing page for details. You are responsible for any AWS costs incurred. No warranty is implied in this example.

## Requirements
* [Create an AWS account](https://portal.aws.amazon.com/gp/aws/developer/registration/index.html) if you do not already have one and log in. The IAM user that you use must have sufficient permissions to make necessary AWS service calls and manage AWS resources.
* [AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/install-cliv2.html) installed and configured
* [Git Installed](https://git-scm.com/book/en/v2/Getting-Started-Installing-Git)
* [AWS CDK CLI](https://docs.aws.amazon.com/cdk/v2/guide/getting_started.html) (AWS CDK) installed
* [Enable AWS IAM Identity Center](https://docs.aws.amazon.com/singlesignon/latest/userguide/get-set-up-for-idc.html)
* [Create Users in AWS IAM Identity Center](https://docs.aws.amazon.com/singlesignon/latest/userguide/addusers.html). Note down the Instance ARN by going to the AWS IAM Identity Center console --> Settings --> Instance ARN. You will require it when deploying the stack.
* [Create an S3 Bucket](https://docs.aws.amazon.com/AmazonS3/latest/userguide/creating-bucket.html) and [upload documents](https://docs.aws.amazon.com/AmazonS3/latest/userguide/upload-objects.html) that you want to be indexed. If you already have an S3 bucket with data that you want to crawl, you can skip this step.

## Deployment Instructions
1. Create a new directory, navigate to that directory in a terminal and clone the GitHub repository:
```
git clone https://github.com/aws-samples/serverless-patterns
```
1. Change directory to the pattern directory:
```
cd qbusiness-s3-cdk-python
```
1. From the command line, use AWS CDK to deploy the AWS resources for the pattern as specified in the template.yml file:
```
cdk deploy --parameters S3DSBucketName=${YourS3BucketName} --parameters IdentityCenterInstanceArn=${YourIdentityCenterInstanceArn}
```
1. Note the outputs from the CDK deployment process. These contain the resource names and/or ARNs which are used for testing.
# How it works
Please refer to the architecture diagram below:
![End to End Architecture](images/architecture.png)
Here's a breakdown of the steps:
**Amazon Q Business Application:** Amazon Q Business application created with S3 as the data source.
**Amazon S3:** S3 bucket that contains documents to be indexed.
**AWS Lambda:** AWS Lambda function `DataSourceSync` crawls and indexes the content from the S3 bucket. The Amazon Q Business application retrieves data from the indexed content and provides a generated response.
## Testing
1. Go to the Amazon Q Business Console and verify that your application `MyQBusinessApp-${StackName}` has been created.
![Amazon Q Business Application](images/qbusiness-application.png)
1. Click on the Name of the Application. Scroll down to the `Groups and Users` section. Click on `Manage access and Subscriptions`.
![Groups and Users Section](images/groups-users.png)
1. Click on `Add groups and users` and select `Assign existing users and groups`. Click `Next`.
Note: If you have NOT already created a user in the Requirements section, then create one by choosing `Add and assign new users` instead and add the user.
![Assign users](images/assign-users-groups.png)
1. Add the name of the user and click on `Assign`.
![Assign user](images/assign-user.png)
1. Select the user and in the `Change subscription` dropdown, select `Update subscription tier`. In the `New subscription` dropdown, choose `Q Business Lite` and `Confirm`.
![User subscription](images/subscription.png)
1. Go back to your application. Under `Web experience settings`, copy the `Deployed URL` link.
![Deployed URL](images/deployed-url.png)
1. Open the URL in a New Incognito Window. Login to the web experience with the credentials of the created user. Ask a question in the chat interface regarding the documents you have in the S3 bucket provided as a data source.
![Q Business Web Experience](images/chat-interface.png)
## Cleanup
1. Delete the stack
```bash
cdk destroy
```
----
Copyright 2023 Amazon.com, Inc. or its affiliates. All Rights Reserved.
SPDX-License-Identifier: MIT-0
261 changes: 261 additions & 0 deletions qbusiness-s3-cdk-python/app.py
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,261 @@
#!/usr/bin/env python3
import os

import aws_cdk as cdk

from aws_cdk import (
Stack,
aws_qbusiness as qbusiness,
aws_iam as iam,
CfnParameter,
CfnOutput,
triggers,
aws_lambda as lambda_,
Duration
)
from constructs import Construct

class QBusinessStack(Stack):

def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:
super().__init__(scope, construct_id, **kwargs)

# Parameters
s3_bucket_name = CfnParameter(self, "S3DSBucketName", type="String", description="Enter the S3 bucket name where the contents you want to be indexed are stored.")
identity_center_arn = CfnParameter(self, "IdentityCenterInstanceArn", type="String", description="Enter the ARN of the Amazon Q Business Identity Center instance.")

# Q Business Application
qbusiness_app = qbusiness.CfnApplication(
self, "QBusinessApplication",
display_name=f"MyQBusinessApp-{self.stack_name}",
description="Amazon Q Business Application",
identity_center_instance_arn=identity_center_arn.value_as_string
)

# Web Experience Role
web_exp_role = iam.Role(
self, "QBusinessWebExperienceRole",
assumed_by=iam.ServicePrincipal("application.qbusiness.amazonaws.com"),
role_name=f"QBusinessWebExperienceRole-{self.stack_name}",
description="IAM role for Q Business Web Experience",
inline_policies={"WebExperiencePolicy": iam.PolicyDocument(
statements=[
iam.PolicyStatement(
sid="QBusinessConversationPermission",
actions=[
"qbusiness:Chat",
"qbusiness:ChatSync",
"qbusiness:ListMessages",
"qbusiness:ListConversations",
"qbusiness:DeleteConversation",
"qbusiness:PutFeedback",
"qbusiness:GetWebExperience",
"qbusiness:GetApplication",
"qbusiness:ListPlugins",
"qbusiness:GetChatControlsConfiguration"
],
resources=[qbusiness_app.attr_application_arn]
),
iam.PolicyStatement(
sid="QBusinessKMSDecryptPermissions",
actions=["kms:Decrypt"],
resources=[f"arn:{self.partition}:kms:{self.region}:{self.account}:key/*"],
conditions={
"StringLike": {
"kms:ViaService": f"qbusiness.{self.region}.amazonaws.com"
}
}
),
iam.PolicyStatement(
sid="QBusinessSetContextPermissions",
actions=["sts:SetContext"],
resources=["arn:aws:sts::*:self"],
conditions={
"StringLike": {
"aws:CalledViaLast": "qbusiness.amazonaws.com"
}
}
)
]
)
}
)

# Adding set context action to web experience role
web_exp_role.assume_role_policy.add_statements(iam.PolicyStatement(
sid="QBusinessSetContextPermissions",
actions=["sts:SetContext"],
principals=[iam.ServicePrincipal("application.qbusiness.amazonaws.com")]
))

# Web Experience
qbusiness.CfnWebExperience(
self, "QBusinessWebExperience",
application_id=qbusiness_app.ref,
role_arn=web_exp_role.role_arn
)

# Index
qbusiness_index = qbusiness.CfnIndex(
self, "QBusinessIndex",
display_name="MyQBusinessIndex",
description="My Amazon Q Business Index",
application_id=qbusiness_app.ref
)

# Retriever
qbusiness.CfnRetriever(
self, "QBusinessRetriever",
application_id=qbusiness_app.ref,
configuration=qbusiness.CfnRetriever.RetrieverConfigurationProperty(
native_index_configuration=qbusiness.CfnRetriever.NativeIndexConfigurationProperty(
index_id=qbusiness_index.attr_index_id)
),
display_name="MyQBusinessRetriever",
type="NATIVE_INDEX"
)

# S3 Data Source Role
s3_data_source_role = iam.Role(
self, "S3DataSourceRole",
assumed_by=iam.ServicePrincipal("qbusiness.amazonaws.com"),
inline_policies={"S3DataSourcePolicy": iam.PolicyDocument(
statements=[
iam.PolicyStatement(
actions=["s3:GetObject"],
resources=[f"arn:aws:s3:::{s3_bucket_name.value_as_string}/*"],
conditions={
"StringEquals": {
"aws:ResourceAccount": [self.account]
}
}
),
iam.PolicyStatement(
actions=["s3:ListBucket"],
resources=[f"arn:aws:s3:::{s3_bucket_name.value_as_string}"],
conditions={
"StringEquals": {
"aws:ResourceAccount": [self.account]
}
}
),
iam.PolicyStatement(
actions=[
"qbusiness:BatchPutDocument",
"qbusiness:BatchDeleteDocument"
],
resources=[f"arn:aws:qbusiness:{self.region}:{self.account}:application/{qbusiness_app.ref}/index/*"]
),
iam.PolicyStatement(
actions=[
"qbusiness:PutGroup",
"qbusiness:CreateUser",
"qbusiness:DeleteGroup",
"qbusiness:UpdateUser",
"qbusiness:ListGroups"
],
resources=[
f"arn:aws:qbusiness:{self.region}:{self.account}:application/{qbusiness_app.ref}",
f"arn:aws:qbusiness:{self.region}:{self.account}:application/{qbusiness_app.ref}/index/*"]
)
]
)
}
)

# S3 Data Source
s3_data_source = qbusiness.CfnDataSource(
self, "S3DataSource",
application_id=qbusiness_app.ref,
display_name="MyS3DataSource",
description="S3 Data Source for Amazon Q Business",
role_arn=s3_data_source_role.role_arn,
configuration={
"connectionConfiguration": {
"repositoryEndpointMetadata": {
"BucketName": s3_bucket_name.value_as_string
}
},
"repositoryConfigurations": {
"document": {
"fieldMappings": [
{
"indexFieldName": "s3_document_id",
"indexFieldType": "STRING",
"dataSourceFieldName": "s3_document_id"
}
]
}
},
"syncMode": "FULL_CRAWL",
"type": "S3",
"version": "1.0.0"
},
index_id=qbusiness_index.attr_index_id,
)

s3_data_source.node.add_dependency(qbusiness_index)

# Create a role for the DataSourceSyncLambda
data_source_sync_lambda_role = iam.Role(
self, "DataSourceSyncLambdaRole",
assumed_by=iam.ServicePrincipal("lambda.amazonaws.com"),
managed_policies=[
iam.ManagedPolicy.from_aws_managed_policy_name("CloudWatchLogsFullAccess")],
inline_policies={
"QBusinessDataSourceSyncPolicy": iam.PolicyDocument(
statements=[
iam.PolicyStatement(
actions=[
"qbusiness:StartDataSourceSyncJob",
"qbusiness:StopDataSourceSyncJob"
],
resources=[
qbusiness_app.attr_application_arn,
f"{qbusiness_app.attr_application_arn}/*"]
)
]
)
}
)

# Lambda function for initiating data source sync
data_source_sync_lambda = lambda_.Function(
self, "DataSourceSyncLambda",
runtime=lambda_.Runtime.PYTHON_3_12,
code=lambda_.Code.from_asset("src/dataSourceSync"),
handler="dataSourceSyncLambda.lambda_handler",
timeout=Duration.minutes(15),
memory_size=1024,
role = data_source_sync_lambda_role,
environment={
"INDEX_ID": qbusiness_index.attr_index_id,
"DS_ID": s3_data_source.attr_data_source_id,
"APP_ID": qbusiness_app.ref
}
)

# Trigger data source sync lambda
triggers.Trigger(self, "data_source_sync_lambda_trigger",
handler=data_source_sync_lambda,
timeout=Duration.minutes(10),
invocation_type=triggers.InvocationType.EVENT
)

# Define the outputs
qbusiness_app_id_output = CfnOutput(
self, "QBusinessApplicationId",
value=qbusiness_app.ref,
description="Amazon Q Business Application ID"
)

s3_data_source_id_output = CfnOutput(
self, "S3DataSourceId",
value=s3_data_source.ref,
description="S3 Data Source ID"
)

app = cdk.App()
QBusinessStack(app, "QBusinessStack")

app.synth()
Loading

0 comments on commit 0087452

Please sign in to comment.