aws-samples
diff --git a/‎qbusiness-s3-cdk-python/README.md‎
Lines changed: 73 additions & 0 deletions b/‎qbusiness-s3-cdk-python/README.md‎
Lines changed: 73 additions & 0 deletions
diff --git a/‎qbusiness-s3-cdk-python/app.py‎
Lines changed: 261 additions & 0 deletions b/‎qbusiness-s3-cdk-python/app.py‎
Lines changed: 261 additions & 0 deletions
@@ -0,0 +1,73 @@
+# Amazon Q Business to Amazon Simple Storage Service (Amazon S3)
+
+This pattern contains a sample stack that leverages Amazon Q Business to build a generative AI application to derive insights from content present in an S3 bucket. An AWS Lambda function initiates the crawling and indexing of the documents present in the specified S3 bucket. Users can then ask questions to the Amazon Q Business application to receive a generated response. 
+
+Important: this application uses various AWS services and there are costs associated with these services after the Free Tier usage - please see the AWS Pricing page for details. You are responsible for any AWS costs incurred. No warranty is implied in this example.
+
+## Requirements
+* [Create an AWS account](https://portal.aws.amazon.com/gp/aws/developer/registration/index.html) if you do not already have one and log in. The IAM user that you use must have sufficient permissions to make necessary AWS service calls and manage AWS resources.
+* [AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/install-cliv2.html) installed and configured
+* [Git Installed](https://git-scm.com/book/en/v2/Getting-Started-Installing-Git)
+* [AWS CDK CLI](https://docs.aws.amazon.com/cdk/v2/guide/getting_started.html) (AWS CDK) installed
+* [Enable AWS IAM Identity Center](https://docs.aws.amazon.com/singlesignon/latest/userguide/get-set-up-for-idc.html)
+* [Create Users in AWS IAM Identity Center](https://docs.aws.amazon.com/singlesignon/latest/userguide/addusers.html). Note down the Instance ARN by going to the AWS IAM Identity Center console --> Settings --> Instance ARN. You will require it when deploying the stack. 
+* [Create an S3 Bucket](https://docs.aws.amazon.com/AmazonS3/latest/userguide/creating-bucket.html) and [upload documents](https://docs.aws.amazon.com/AmazonS3/latest/userguide/upload-objects.html) that you want to be indexed. If you already have an S3 bucket with data that you want to crawl, you can skip this step.
+
+## Deployment Instructions
+1. Create a new directory, navigate to that directory in a terminal and clone the GitHub repository:
+    ```
+    git clone https://github.com/aws-samples/serverless-patterns
+    ```
+1. Change directory to the pattern directory:
+    ```
+    cd qbusiness-s3-cdk-python
+    ```
+1. From the command line, use AWS CDK to deploy the AWS resources for the pattern as specified in the template.yml file:
+    ```
+    cdk deploy --parameters S3DSBucketName=${YourS3BucketName} --parameters IdentityCenterInstanceArn=${YourIdentityCenterInstanceArn}
+    ```
+1. Note the outputs from the CDK deployment process. These contain the resource names and/or ARNs which are used for testing.
+
+# How it works
+Please refer to the architecture diagram below:
+
+![End to End Architecture](images/architecture.png)
+
+Here's a breakdown of the steps:
+
+**Amazon Q Business Application:** Amazon Q Business application created with S3 as the data source. 
+
+**Amazon S3:** S3 bucket that contains documents to be indexed. 
+
+**AWS Lambda:**  AWS Lambda function `DataSourceSync` crawls and indexes the content from the S3 bucket. The Amazon Q Business application retrieves data from the indexed content and provides a generated response.
+
+## Testing
+
+1. Go to the Amazon Q Business Console and verify that your application `MyQBusinessApp-${StackName}` has been created.
+    ![Amazon Q Business Application](images/qbusiness-application.png)
+
+1. Click on the Name of the Application. Scroll down to the `Groups and Users` section. Click on `Manage access and Subscriptions`.
+    ![Groups and Users Section](images/groups-users.png)
+1. Click on `Add groups and users` and select `Assign existing users and groups`. Click `Next`. 
+
+    Note: If you have NOT already created a user in the Requirements section, then create one by choosing `Add and assign new users` instead and add the user. 
+    ![Assign users](images/assign-users-groups.png)
+1. Add the name of the user and click on `Assign`.
+    ![Assign user](images/assign-user.png)
+1. Select the user and in the `Change subscription` dropdown, select `Update subscription tier`. In the `New subscription` dropdown, choose `Q Business Lite` and `Confirm`.
+    ![User subscription](images/subscription.png)
+1. Go back to your application. Under `Web experience settings`, copy the `Deployed URL` link.
+    ![Deployed URL](images/deployed-url.png)
+1. Open the URL in a New Incognito Window. Login to the web experience with the credentials of the created user. Ask a question in the chat interface regarding the documents you have in the S3 bucket provided as a data source.
+    ![Q Business Web Experience](images/chat-interface.png)
+
+## Cleanup
+
+1. Delete the stack
+    ```bash
+    cdk destroy
+    ```
+----
+Copyright 2023 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+
+SPDX-License-Identifier: MIT-0
@@ -0,0 +1,261 @@
+#!/usr/bin/env python3
+import os
+
+import aws_cdk as cdk
+
+from aws_cdk import (
+    Stack,
+    aws_qbusiness as qbusiness,
+    aws_iam as iam,
+    CfnParameter,
+    CfnOutput,
+    triggers,
+    aws_lambda as lambda_,
+    Duration
+)
+from constructs import Construct
+
+class QBusinessStack(Stack):
+
+    def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:
+        super().__init__(scope, construct_id, **kwargs)
+
+        # Parameters
+        s3_bucket_name = CfnParameter(self, "S3DSBucketName", type="String", description="Enter the S3 bucket name where the contents you want to be indexed are stored.")
+        identity_center_arn = CfnParameter(self, "IdentityCenterInstanceArn", type="String", description="Enter the ARN of the Amazon Q Business Identity Center instance.")
+
+        # Q Business Application
+        qbusiness_app = qbusiness.CfnApplication(
+            self, "QBusinessApplication",
+            display_name=f"MyQBusinessApp-{self.stack_name}",
+            description="Amazon Q Business Application",
+            identity_center_instance_arn=identity_center_arn.value_as_string
+        )
+
+        # Web Experience Role
+        web_exp_role = iam.Role(
+            self, "QBusinessWebExperienceRole",
+            assumed_by=iam.ServicePrincipal("application.qbusiness.amazonaws.com"),
+            role_name=f"QBusinessWebExperienceRole-{self.stack_name}",
+            description="IAM role for Q Business Web Experience",
+            inline_policies={"WebExperiencePolicy": iam.PolicyDocument(
+                    statements=[
+                        iam.PolicyStatement(
+                            sid="QBusinessConversationPermission",
+                            actions=[
+                                "qbusiness:Chat",
+                                "qbusiness:ChatSync",
+                                "qbusiness:ListMessages",
+                                "qbusiness:ListConversations",
+                                "qbusiness:DeleteConversation",
+                                "qbusiness:PutFeedback",
+                                "qbusiness:GetWebExperience",
+                                "qbusiness:GetApplication",
+                                "qbusiness:ListPlugins",
+                                "qbusiness:GetChatControlsConfiguration"
+                            ],
+                            resources=[qbusiness_app.attr_application_arn]
+                        ),
+                        iam.PolicyStatement(
+                            sid="QBusinessKMSDecryptPermissions",
+                            actions=["kms:Decrypt"],
+                            resources=[f"arn:{self.partition}:kms:{self.region}:{self.account}:key/*"],
+                            conditions={
+                                "StringLike": {
+                                    "kms:ViaService": f"qbusiness.{self.region}.amazonaws.com"
+                                }
+                            }
+                        ),
+                        iam.PolicyStatement(
+                            sid="QBusinessSetContextPermissions",
+                            actions=["sts:SetContext"],
+                            resources=["arn:aws:sts::*:self"],
+                            conditions={
+                                "StringLike": {
+                                    "aws:CalledViaLast": "qbusiness.amazonaws.com"
+                                }
+                            }
+                        )
+                    ]
+                )
+            }
+        )
+
+        # Adding set context action to web experience role
+        web_exp_role.assume_role_policy.add_statements(iam.PolicyStatement(
+            sid="QBusinessSetContextPermissions",
+            actions=["sts:SetContext"],
+            principals=[iam.ServicePrincipal("application.qbusiness.amazonaws.com")]
+        ))
+
+        # Web Experience
+        qbusiness.CfnWebExperience(
+            self, "QBusinessWebExperience",
+            application_id=qbusiness_app.ref,
+            role_arn=web_exp_role.role_arn
+        )
+
+        # Index
+        qbusiness_index = qbusiness.CfnIndex(
+            self, "QBusinessIndex",
+            display_name="MyQBusinessIndex",
+            description="My Amazon Q Business Index",
+            application_id=qbusiness_app.ref
+        )
+
+        # Retriever
+        qbusiness.CfnRetriever(
+            self, "QBusinessRetriever",
+            application_id=qbusiness_app.ref,
+            configuration=qbusiness.CfnRetriever.RetrieverConfigurationProperty(
+            native_index_configuration=qbusiness.CfnRetriever.NativeIndexConfigurationProperty(
+            index_id=qbusiness_index.attr_index_id)
+            ),  
+            display_name="MyQBusinessRetriever",
+            type="NATIVE_INDEX"
+        )
+
+        # S3 Data Source Role
+        s3_data_source_role = iam.Role(
+            self, "S3DataSourceRole",
+            assumed_by=iam.ServicePrincipal("qbusiness.amazonaws.com"),
+            inline_policies={"S3DataSourcePolicy": iam.PolicyDocument(
+                    statements=[
+                        iam.PolicyStatement(
+                            actions=["s3:GetObject"],
+                            resources=[f"arn:aws:s3:::{s3_bucket_name.value_as_string}/*"],
+                            conditions={
+                                "StringEquals": {
+                                    "aws:ResourceAccount": [self.account]
+                                }
+                            }
+                        ),
+                        iam.PolicyStatement(
+                            actions=["s3:ListBucket"],
+                            resources=[f"arn:aws:s3:::{s3_bucket_name.value_as_string}"],
+                            conditions={
+                                "StringEquals": {
+                                    "aws:ResourceAccount": [self.account]
+                                }
+                            }
+                        ),
+                        iam.PolicyStatement(
+                            actions=[
+                                "qbusiness:BatchPutDocument",
+                                "qbusiness:BatchDeleteDocument"
+                            ],
+                            resources=[f"arn:aws:qbusiness:{self.region}:{self.account}:application/{qbusiness_app.ref}/index/*"]
+                        ),
+                        iam.PolicyStatement(
+                            actions=[
+                                "qbusiness:PutGroup",
+                                "qbusiness:CreateUser",
+                                "qbusiness:DeleteGroup",
+                                "qbusiness:UpdateUser",
+                                "qbusiness:ListGroups"
+                            ],
+                            resources=[
+                                f"arn:aws:qbusiness:{self.region}:{self.account}:application/{qbusiness_app.ref}",
+                                f"arn:aws:qbusiness:{self.region}:{self.account}:application/{qbusiness_app.ref}/index/*"]
+                            )
+                        ]
+                    )
+                }
+            )
+
+        # S3 Data Source
+        s3_data_source = qbusiness.CfnDataSource(
+            self, "S3DataSource",
+            application_id=qbusiness_app.ref,
+            display_name="MyS3DataSource",
+            description="S3 Data Source for Amazon Q Business",
+            role_arn=s3_data_source_role.role_arn,
+            configuration={
+                "connectionConfiguration": {
+                    "repositoryEndpointMetadata": {
+                        "BucketName": s3_bucket_name.value_as_string
+                    }
+                },
+                "repositoryConfigurations": {
+                    "document": {
+                        "fieldMappings": [
+                            {
+                                "indexFieldName": "s3_document_id",
+                                "indexFieldType": "STRING",
+                                "dataSourceFieldName": "s3_document_id"
+                            }
+                        ]
+                    }
+                },
+                "syncMode": "FULL_CRAWL",
+                "type": "S3",
+                "version": "1.0.0"
+            },
+            index_id=qbusiness_index.attr_index_id,
+        )
+
+        s3_data_source.node.add_dependency(qbusiness_index)
+
+        # Create a role for the DataSourceSyncLambda
+        data_source_sync_lambda_role = iam.Role(
+            self, "DataSourceSyncLambdaRole",
+            assumed_by=iam.ServicePrincipal("lambda.amazonaws.com"),
+            managed_policies=[
+                iam.ManagedPolicy.from_aws_managed_policy_name("CloudWatchLogsFullAccess")],
+                inline_policies={
+                "QBusinessDataSourceSyncPolicy": iam.PolicyDocument(
+                    statements=[
+                        iam.PolicyStatement(
+                            actions=[
+                                "qbusiness:StartDataSourceSyncJob",
+                                "qbusiness:StopDataSourceSyncJob"
+                            ],
+                            resources=[
+                                qbusiness_app.attr_application_arn,
+                                f"{qbusiness_app.attr_application_arn}/*"]
+                            )
+                        ]
+                    )
+                }
+            )
+
+        # Lambda function for initiating data source sync
+        data_source_sync_lambda = lambda_.Function(
+            self, "DataSourceSyncLambda",
+            runtime=lambda_.Runtime.PYTHON_3_12,
+            code=lambda_.Code.from_asset("src/dataSourceSync"),
+            handler="dataSourceSyncLambda.lambda_handler",
+            timeout=Duration.minutes(15),
+            memory_size=1024,
+            role = data_source_sync_lambda_role,
+            environment={
+                "INDEX_ID": qbusiness_index.attr_index_id,
+                "DS_ID": s3_data_source.attr_data_source_id,
+                "APP_ID": qbusiness_app.ref
+            }
+        )
+
+        # Trigger data source sync lambda
+        triggers.Trigger(self, "data_source_sync_lambda_trigger",
+            handler=data_source_sync_lambda,
+            timeout=Duration.minutes(10),
+            invocation_type=triggers.InvocationType.EVENT
+        )
+
+        # Define the outputs
+        qbusiness_app_id_output = CfnOutput(
+            self, "QBusinessApplicationId",
+            value=qbusiness_app.ref,
+            description="Amazon Q Business Application ID"
+        )
+
+        s3_data_source_id_output = CfnOutput(
+            self, "S3DataSourceId",
+            value=s3_data_source.ref,
+            description="S3 Data Source ID"
+        )
+
+app = cdk.App()
+QBusinessStack(app, "QBusinessStack")
+
+app.synth()