Merge pull request #166 from NataliaTarasovaNatoshir/bedrock-agent-python-ui-wrapper

stack to add api and frontend layer to a bedrock agent

Author: krokoko

README.md

@@ -19,6 +19,8 @@ This repo provides samples to demonstrate how to build your own Generative AI so
 |[Contract Compliance Analysis](samples/contract-compliance-analysis/)| This project automates the analysis of contracts by splitting them into clauses, determining clause types, evaluating compliance against a customer's legal guidelines, and assessing overall contract risk based on the number of compliant clauses. This is achieved through a workflow that leverages Large Language Models via Amazon Bedrock. | Backend + Frontend | Python for Backend, TypeScript (React) for Frontend |
 |[RFP Answers with GenAI](samples/rfp-answer-generation/)| This project provides guidance on how you can use Knowledge Bases for Amazon Bedrock with custom transformations to create draft answers for Request for Proposal (RFP) documents, streamlining the answer of new potential contracts. This is achieved through a workflow that leverages Large Language Models via Amazon Bedrock. | Backend + Frontend | Python for Backend, TypeScript (React) for Frontend |
 | [Code Expert](samples/code-expert/)                                                          | This project addresses the scalability limitations of manual code reviews by leveraging artificial intelligence to perform expert code reviews automatically. It leverages the [Bedrock Batch Step Functions CDK construct](https://github.com/awslabs/generative-ai-cdk-constructs/blob/main/src/patterns/gen-ai/aws-bedrock-batch-stepfn/README.md). | Backend            | Python for Backend and Demo, TypeScript for CDK     |
+|[Bedrock Agent UI Wrapper](samples/bedrock-agent-ui-wrapper/)| This sample provides a CDK construct that creates an API layer and frontend application for Amazon Bedrock Agents. It includes authentication with Amazon Cognito, agent trace streaming, and can be deployed locally or on ECS Fargate. | API layer + Frontend | Python|
+
 
 ## Contributing
 

samples/bedrock-agent-ui-wrapper/.gitignore

@@ -0,0 +1,12 @@
+*.swp
+package-lock.json
+__pycache__
+.pytest_cache
+.venv
+*.egg-info
+.streamlit
+
+# CDK asset staging directory
+.cdk.staging
+cdk.out
+cdk.context.json

samples/bedrock-agent-ui-wrapper/README.md

@@ -0,0 +1,200 @@
+
+# 📦 Welcome to Capsule!
+
+This is a stack to wrap a Bedrock Agent for simple applications.
+
+- **It provides:**
+    - constructs for an API layer between your Bedrock Agent and your Frontend layer
+    - frontend layer to jumpstart a simplistic app either hosted locally or on ECS Fargate
+
+Capsule stacks support streaming of the agent traces and authentication with Amazon Cognito
+
+![homepage](images/streamlit_homepage.png)
+![chat](images/streamlit_chat.png)
+
+## 🎯 When Should You Use Capsule?
+
+Already have an Amazon Bedrock agent? Capsule helps you transform it into a production-ready chat application with:
+
+- 🔌 **Ready-to-Use API Layer**: Pre-built constructs for seamless communication between Bedrock Agent and frontend
+- 🎯 **Flexible Deployment Options**: Run locally or deploy to ECS Fargate with one command
+- 🔒 **Built-in Security**: Integrated Amazon Cognito authentication
+- 📊 **Real-time Agent Traces**: Built-in streaming support for agent debugging and monitoring
+- 🎨 **Customizable UI**: Streamlit-based interface that you can modify to match your needs
+
+Use Capsule when you need to:
+
+1. **Deploy Your Existing Bedrock Agent as a Chat App**: Transform your agent into a secure, production-ready chat interface in minutes
+2. **Stream Agent Responses in Real-Time**: Leverage GraphQL subscriptions for WebSocket-style streaming of chat interactions
+3. **Secure Your Agent**: Get pre-configured Cognito authentication and API protection out of the box
+4. **Debug Agent Behavior**: Built-in agent trace streaming for quick troubleshooting in chat conversations
+
+Perfect for teams who have a Bedrock Agent and want to quickly deploy it as a chat application without dealing with infrastructure setup and API design.
+
+## 💡 Use Case Examples
+
+### Customer Service Bot
+Deploy a customer service agent with:
+- Custom branding and UI
+- Secure authentication for support staff
+- Real-time conversation monitoring
+
+### Document Analysis Assistant
+Create an AI assistant that:
+- Processes uploaded documents
+- Provides insights and summaries
+- Maintains conversation context
+
+### Internal Knowledge Base Agent
+Build a corporate knowledge assistant with:
+- Secure access control
+- Custom prompt suggestions
+- Integration with internal systems
+
+
+# How to deploy the stack?
+This section describes how to build and deploy the application in an AWS account.
+
+## 1. Prerequisites
+- **AWS Account:**
+    - Make sure you have access to an AWS account and installed the [AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html)
+    on your local host.
+    - We suggest to configure a named profile to send request to the target account more
+    easily: `aws configure --profile [profile-name]`
+- **Python**: 
+    - This solutions used the Python SDK of the AWS CDK to describe the architecture.
+    - Use Python ^3.12
+- **The AWS CDK**:
+    - The AWS CDK requires a Node.js runtime.
+    - [Install](https://docs.aws.amazon.com/cdk/v2/guide/getting_started.html#getting_started_install)
+    the AWS CDK using Node Package Manager: `npm install -g aws-cdk`
+- **Docker**: 
+    - Deploying this CDK application involves building Dockerfiles and
+therefore requires a [Finch](https://runfinch.com/docs/managing-finch/macos/installation/) or Docker installed and virtual machine running.
+
+## 2. Clone the repository
+Clone the project repository to the location of your choice
+
+## 3. Create, activate and set up the Python virtual environment
+Navigate to the project folder and run the following commands (MacOS, Linux)
+
+This project uses [Poetry](https://python-poetry.org/) library for Python packaging
+and dependency management. Install Poetry if you don't have it already
+```bash
+pip install poetry
+```
+
+Create and activate the Python virtual environment:
+```bash
+poetry shell
+```
+
+Install project dependencies
+```bash
+poetry install
+```
+
+For information, here are a few useful Poetry commands:
+
+* `poetry add <package-name>` adds a package to [pyproject.toml](pyproject.toml)
+and update [poetry.lock](poetry.lock)
+* `poetry remove <package-name>` removes a package to [pyproject.toml](pyproject.toml)
+and update [poetry.lock](poetry.lock)
+
+Do not manually modify the file `pyproject.toml` if you wish to update the project
+dependencies. Refer to Poetry's documentation for the full list of [commands](https://python-poetry.org/docs/cli/).
+
+## 4. Configure the stack
+Open the `config.yaml` file located at the project's root. This files gathers the
+configuration of the CDK application and therefore of the deployed architecture. 
+
+Modify this file as required:
+
+ * Provide your agent credentials (agent_id and agent_alias_id). If you leave them empty - a "dummy" Bedrock Agent will be created for you for testing purposes
+ * Configure UI deployment. If you set `deploy_on_fargate: true` - UI will be hosted on ECS Fargate behind a Cloudfront distribution. Otherwise set `deploy_on_fargate: false`, you will be able to access UI by hosting the streamlit app locally
+
+## 5. Bootstrap the CDK environment
+If you never deployed an application in the targeted AWS Region of the selected AWS
+account, you first need to initialize ("bootstrap") the environment.
+
+More concretely, when you bootstrap a CDK environment, the CDK will create a few resources
+it needs to operate (S3 bucket and ECR repository to store the stack's assets, a few
+IAM roles assumed for different tasks, etc.).
+
+Bootstrap your account by running the following command:
+
+```bash
+cdk bootstrap --profile [profile-name]
+```
+
+## 6. Deploy the CDK application
+Since deploying the application involves building Dockerfiles, make sure a Docker/Finch
+daemon is running on your host.
+
+Deploy the stack by running the following command:
+
+```bash
+cdk deploy --profile [profile-name]
+```
+
+## Important: Configuring Cognito URLs for Fargate Deployment
+
+When deploying on Fargate, you need to configure the Cognito authentication URLs. Follow these steps:
+
+### A. Get the URLs from Stack Output
+After stack deployment completes, locate and copy two values from the stack outputs:
+- `CognitoCallbackUrl`
+- `CognitoLogoutUrl`
+
+![Stack output showing Cognito URLs](images/Stack_Output.png)
+
+### B. Navigate to Cognito Settings
+In the AWS Console:
+1. Go to Amazon Cognito
+2. Select the latest `CAPSULE-api-userpool`
+3. Click on "App integration" tab
+4. Under "App clients", find the Capsule App client
+5. Click "Edit"
+
+![Navigating Cognito settings](images/Cognito_1.png)
+
+### C. Update URLs
+In the console:
+1. Click Add another URL and paste the `CognitoCallbackUrl` into "Allowed callback URLs"
+2. Click Add another URL paste the `CognitoLogoutUrl` into "Allowed sign-out URLs"
+3. Click "Save changes"
+
+![Adding callback and sign-out URLs](images/Cognito_2.png)
+
+### D. Wait for Changes
+Allow 1-2 minutes for the changes to propagate before accessing your app.
+
+> ⚠️ Note: Your app won't authenticate properly until these URLs are configured correctly.
+
+
+## 7. Try out your app!
+Talk with your agent:
+
+* Add your app users to the created Cognito Pool
+* If you chose UI deployment on Fargate, go to the `AppUrl` in the stack output parameters
+* Alternatively, host streamlit UI locally:
+    * Create secrets file for streamlit `streamlit_app/.streamlit/secrets.toml`
+    * Fill in secrets with values from the stack output:
+    ```bash
+    COGNITO-APP-CLIENT-ID = "<YOUR COGNITO APP CLIENT ID>"
+    COGNITO-DOMAIN-PREFIX = "<YOUR COGNITO DOMAIN PREFIX>"
+    APPSYNC-API-ENDPOINT = "<YOUR APPSYNC API ENDPOINT>"
+    AWS-REGION = "<YOUR AWS REGION>"
+    REDIRECT_URI = "http://localhost:8501"
+    LOGOUT_URI =  "http://localhost:8501"
+    ```
+    * Run your streamlit app (from the project root folder)
+    ```bash
+    cd streamlit_app
+    streamlit run app.py
+    ```
+
+## 8. Configure your app UI
+* The starting implementation is very basic in terms of messages formatting. Make sure to add formatting or filtering for the trace messages: adjust `format_messages` method in `streamlit_app/app.py` according to your needs
+* In general, change `streamlit_app/app.py` for any UI changes like adding logos, changing prompt suggestions, etc
+* If you need to use additional logic in your app, for example, add presigned url generation for retrieved documents - adjust your UI in `streamlit_app/app.py` and add corresponding appsync mutations in `infra/frontend_construct/frontend_fargate_construct.py`

samples/bedrock-agent-ui-wrapper/RESOURCES.md

@@ -0,0 +1,99 @@
+# Resources Created by the Solution
+
+This document provides a comprehensive list of all AWS resources created by this solution.
+
+## Compute Resources
+- **ECS Fargate Cluster**
+  - Task Definition
+  - Fargate Service
+  - Container running Streamlit application
+  - CloudWatch Log Group for container logs
+
+## Networking
+- **VPC Resources**
+  - VPC with 2 Availability Zones
+  - Public Subnets
+  - Private Subnets
+  - NAT Gateway
+  - Internet Gateway
+  - Route Tables
+  - Network ACLs
+
+- **Load Balancer**
+  - Application Load Balancer
+  - ALB Target Group
+  - ALB Listener (Port 80)
+
+- **Security Groups**
+  - ALB Security Group
+  - ECS Fargate Service Security Group
+
+## Authentication & Authorization
+- **Amazon Cognito**
+  - User Pool
+  - User Pool Client
+  - User Pool Domain
+
+## API & GraphQL
+- **AWS AppSync**
+  - GraphQL API
+  - API Schema
+  - API Resolvers
+  - WebSocket API Endpoint
+
+## Storage & Secrets
+- **AWS Secrets Manager**
+  - AppSync Endpoint Secret
+  - Cognito App Client Secret
+  - Cognito Domain Prefix Secret
+  - Region Secret
+  - Redirect URI Secret
+  - Logout URI Secret
+
+## AI/ML
+- **Amazon Bedrock**
+  - Bedrock Agent
+  - Agent Actions
+  - Agent Schema
+
+## IAM Resources
+- **IAM Roles**
+  - ECS Task Role
+  - ECS Task Execution Role
+  - AppSync Service Role
+  - Bedrock Agent Role
+
+- **IAM Policies**
+  - Task Role Policies
+  - Task Execution Role Policies
+  - AppSync Service Role Policies
+  - Bedrock Agent Role Policies
+
+## Logging & Monitoring
+- **CloudWatch**
+  - Container Log Groups
+  - ALB Access Logs
+  - VPC Flow Logs
+  - Metric Alarms (if configured)
+
+## Resource Naming Convention
+All resources are prefixed with the stack name and construct ID for easy identification:
+- Stack Name: `{stack-name}`
+- Construct ID: `{construct-id}`
+
+## Resource Dependencies
+- VPC is required for ECS Fargate and ALB deployment
+- Cognito User Pool is required for authentication
+- AppSync API depends on Cognito for authorization
+- Secrets Manager secrets are used by the ECS tasks
+- Bedrock Agent depends on the AppSync API for integration
+
+## Clean Up
+When destroying this solution through CDK, all resources will be removed except:
+1. CloudWatch Log Groups
+2. Any manually created resources not part of the CDK stack
+
+## Notes
+- Some resources may incur costs even when not actively used
+- NAT Gateway is deployed in a single AZ to minimize costs
+- ALB is internet-facing and restricted to CloudFront IPs

samples/bedrock-agent-ui-wrapper/app.py

@@ -0,0 +1,33 @@
+#
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except in compliance
+# with the License. A copy of the License is located at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# or in the 'license' file accompanying this file. This file is distributed on an 'AS IS' BASIS, WITHOUT WARRANTIES
+# OR CONDITIONS OF ANY KIND, express or implied. See the License for the specific language governing permissions
+# and limitations under the License.
+#
+
+
+#!/usr/bin/env python3
+import os
+import aws_cdk as cdk
+import yaml
+from yaml.loader import SafeLoader
+from cdk_nag import AwsSolutionsChecks
+
+from infra.capsule_stack import CapsuleStack
+
+with open(os.path.join(os.path.dirname(__file__), "config.yml"), encoding="utf-8") as f:
+    stack_config = yaml.load(f, Loader=SafeLoader)
+
+app = cdk.App()
+env = cdk.Environment(account=os.getenv("CDK_DEFAULT_ACCOUNT"), region=os.getenv("CDK_DEFAULT_REGION"))
+
+CapsuleStack(scope=app, construct_id=stack_config["stack_name"], config=stack_config, env=env)
+cdk.Aspects.of(app).add(AwsSolutionsChecks())
+
+app.synth()