Merge pull request #738 from aws-samples/feature/vpc-support
Feature/vpc support
atjohns authored Sep 19, 2024
2 parents f59ea92 + f6fdc00 commit 79e88e7
Showing 6 changed files with 231 additions and 12 deletions.
50 changes: 48 additions & 2 deletions templates/codebuild-deploy.yaml
Expand Up @@ -545,6 +545,16 @@ Parameters:
Default: ''
Description: >
If enabling upload, the name of the S3 bucket where uploaded documents should be stored
VpcSubnetId:
Type: String
Default: ''
Description: ID of a VPC subnet where all Lambda functions will run, only used if you need Lambda to run in a VPC

VpcSecurityGroupId:
Type: String
Default: ''
Description: ID of a security group where all Lambda functions will run, only used if you need Lambda to run in a VPC

Conditions:
NeedsParentOrigin: !Equals [!Ref ParentOrigin, '']
Expand All @@ -554,6 +564,7 @@ Conditions:
ShouldNotSpecifyWafAcl: !Equals [!Ref WebAppWafAclArn, '']
EnableStreaming: !Equals [!Ref AllowStreamingResponses, true]
EnableUpload: !Equals [!Ref ShouldEnableUpload, true]
NeedsVpc: !And [ !Not [ !Equals [!Ref VpcSubnetId, ''] ], !Not [ !Equals [!Ref VpcSecurityGroupId, ''] ] ]

Resources:
# Bucket where S3 access logs are stored
Expand Down Expand Up @@ -769,6 +780,8 @@ Resources:
InitiateChatLambdaCodeObject: !Ref InitiateChatLambdaCodeObject
ConnectContactFlowId: !Ref ConnectContactFlowId
ConnectInstanceId: !Ref ConnectInstanceId
VpcSubnetId: !Ref VpcSubnetId
VpcSecurityGroupId: !Ref VpcSecurityGroupId
ParentOrigin:
!If
- UseDefaultCloudfrontUrl
Expand All @@ -786,6 +799,8 @@ Resources:
SourceBucket: !Ref SourceBucket
StreamingLambdaCodeObject: !Ref StreamingLambdaCodeObject
TableName: !Join ["-", [!Ref "AWS::StackName", "streaming"]]
VpcSubnetId: !Ref VpcSubnetId
VpcSecurityGroupId: !Ref VpcSecurityGroupId
ParentOrigin:
!If
- UseDefaultCloudfrontUrl
Expand Down Expand Up @@ -1032,8 +1047,17 @@ Resources:

# Lambda function for custom resource
CodeBuildStarterLambda:
Type: AWS::Lambda::Function
Type: AWS::Lambda::Function
Properties:
VpcConfig:
!If
- NeedsVpc
-
SecurityGroupIds:
- !Ref VpcSecurityGroupId
SubnetIds:
- !Ref VpcSubnetId
- !Ref "AWS::NoValue"
Code:
S3Bucket: !Ref SourceBucket
S3Key: !Ref CustomResourceCodeObject
Expand Down Expand Up @@ -1128,6 +1152,12 @@ Resources:
Type: AWS::IAM::Role
Properties:
Path: /
ManagedPolicyArns:
!If
- NeedsVpc
-
- "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
- !Ref "AWS::NoValue"
AssumeRolePolicyDocument:
Version: 2012-10-17
Statement:
Expand Down Expand Up @@ -1184,14 +1214,24 @@ Resources:
Condition: ShouldCleanupBuckets
Properties:
ServiceToken: !GetAtt S3CleanupLambda.Arn
ServiceTimeout: 60
Buckets:
- !Ref WebAppBucket

# Lambda function for custom resource
S3CleanupLambda:
Type: AWS::Lambda::Function
Condition: ShouldCleanupBuckets
Condition: ShouldCleanupBuckets
Properties:
VpcConfig:
!If
- NeedsVpc
-
SecurityGroupIds:
- !Ref VpcSecurityGroupId
SubnetIds:
- !Ref VpcSubnetId
- !Ref "AWS::NoValue"
Code:
S3Bucket: !Ref SourceBucket
S3Key: !Ref CustomResourceCodeObject
Expand All @@ -1207,6 +1247,12 @@ Resources:
Condition: ShouldCleanupBuckets
Properties:
Path: /
ManagedPolicyArns:
!If
- NeedsVpc
-
- "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
- !Ref "AWS::NoValue"
AssumeRolePolicyDocument:
Version: 2012-10-17
Statement:
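Review bot: The Description strings for VpcSubnetId and VpcSecurityGroupId (L24, L29) do not say what the subnet must provide, and the two functions this template moves into the VPC (CodeBuildStarterLambda at L62 and S3CleanupLambda at L100, both commented as custom-resource Lambdas) have to reach CloudFormation's pre-signed S3 callback URL plus the services their names suggest they call; a subnet without a NAT gateway or the matching VPC endpoints leaves the custom resource unable to signal, so the stack waits until the resource times out and then rolls back. The `ServiceTimeout: 60` added at L95 bounds that wait for the cleanup resource only. Suggested wording for the subnet parameter: `Description: ID of a private VPC subnet for all Lambda functions in this stack (optional, set together with VpcSecurityGroupId). The subnet needs outbound reachability to S3, CodeBuild and the CloudFormation custom-resource callback URL (NAT gateway or VPC endpoints); otherwise the custom resources hang until they time out.` — and the security-group description should state that its egress rules must allow that traffic. The same two descriptions are repeated in cognitouserpoolconfig.yaml (L140, L145), lexbot.yaml (L245, L250) and master.yaml (L303, L308).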
58 changes: 55 additions & 3 deletions templates/cognitouserpoolconfig.yaml
Expand Up @@ -35,6 +35,19 @@ Parameters:
Type: Number
Description: >
This is a required parameter.
VpcSubnetId:
Type: String
Default: ''
Description: ID of a VPC subnet where all Lambda functions will run, only used if you need Lambda to run in a VPC

VpcSecurityGroupId:
Type: String
Default: ''
Description: ID of a security group where all Lambda functions will run, only used if you need Lambda to run in a VPC

Conditions:
NeedsVpc: !And [ !Not [ !Equals [!Ref VpcSubnetId, ''] ], !Not [ !Equals [!Ref VpcSecurityGroupId, ''] ] ]

Resources:

Expand All @@ -44,8 +57,17 @@ Resources:
ServiceToken: !GetAtt CognitoUserPoolDomainFunction.Arn

CognitoUserPoolDomainFunction:
Type: AWS::Lambda::Function
Type: AWS::Lambda::Function
Properties:
VpcConfig:
!If
- NeedsVpc
-
SecurityGroupIds:
- !Ref VpcSecurityGroupId
SubnetIds:
- !Ref VpcSubnetId
- !Ref "AWS::NoValue"
Handler: index.handler
Role: !GetAtt CognitoUserPoolDomainExecutionRole.Arn
Runtime: python3.10
Expand Down Expand Up @@ -146,6 +168,12 @@ Resources:
Type: AWS::IAM::Role
Properties:
Path: /
ManagedPolicyArns:
!If
- NeedsVpc
-
- "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
- !Ref "AWS::NoValue"
AssumeRolePolicyDocument:
Version: 2012-10-17
Statement:
Expand Down Expand Up @@ -224,8 +252,17 @@ Resources:
Timestamp: !Ref Timestamp

CognitoUserPoolUpdatesFunction:
Type: AWS::Lambda::Function
Type: AWS::Lambda::Function
Properties:
VpcConfig:
!If
- NeedsVpc
-
SecurityGroupIds:
- !Ref VpcSecurityGroupId
SubnetIds:
- !Ref VpcSubnetId
- !Ref "AWS::NoValue"
Handler: index.handler
Role: !GetAtt CognitoUserPoolDomainExecutionRole.Arn
Runtime: python3.10
Expand Down Expand Up @@ -316,6 +353,12 @@ Resources:
Type: AWS::IAM::Role
Properties:
Path: /
ManagedPolicyArns:
!If
- NeedsVpc
-
- "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
- !Ref "AWS::NoValue"
AssumeRolePolicyDocument:
Version: 2012-10-17
Statement:
Expand Down Expand Up @@ -364,8 +407,17 @@ Resources:
Properties:
ServiceToken: !GetAtt CleanStackNameFunction.Arn
CleanStackNameFunction:
Type: AWS::Lambda::Function
Type: AWS::Lambda::Function
Properties:
VpcConfig:
!If
- NeedsVpc
-
SecurityGroupIds:
- !Ref VpcSecurityGroupId
SubnetIds:
- !Ref VpcSubnetId
- !Ref "AWS::NoValue"
Handler: index.handler
Role: !GetAtt CleanStackNameExecutionRole.Arn
Runtime: python3.10
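Review bot: The NeedsVpc condition at L148 is true only when both VpcSubnetId and VpcSecurityGroupId are non-empty, so a caller that passes just one of them gets no error and every function in this template silently stays outside the VPC; this template appears to be consumed as a nested stack (master.yaml passes both values at L359-360), so a comment on the condition is the practical place to record that. Suggested: `# True only when both IDs are supplied; with either one empty every Lambda below runs outside the VPC with no warning.` The same undocumented condition appears at codebuild-deploy.yaml L37 and lexbot.yaml L256. The VpcConfig block is repeated verbatim for CognitoUserPoolDomainFunction, CognitoUserPoolUpdatesFunction and CleanStackNameFunction (L159, L191, L223), which is acceptable in CloudFormation, but the two role hunks that add the VPC managed policy (L175, L207) start outside the hunk, so the page does not show whether CleanStackNameExecutionRole (referenced at L233) is one of them — worth confirming, since a VPC-attached function whose role lacks the ENI permissions fails at invocation.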
30 changes: 28 additions & 2 deletions templates/lexbot.yaml
Expand Up @@ -51,10 +51,21 @@ Parameters:
Type: String
Default: aws-bigdata-blog

VpcSubnetId:
Type: String
Default: ''
Description: ID of a VPC subnet where all Lambda functions will run, only used if you need Lambda to run in a VPC

VpcSecurityGroupId:
Type: String
Default: ''
Description: ID of a security group where all Lambda functions will run, only used if you need Lambda to run in a VPC

Conditions:
EnableQBusiness: !Not [!Equals [!Ref AmazonQAppId, '']]
ExampleBot: !Equals [!Ref AmazonQAppId, '']
DeleteBot: !Equals [!Ref ShouldDeleteBot, true]
NeedsVpc: !And [ !Not [ !Equals [!Ref VpcSubnetId, ''] ], !Not [ !Equals [!Ref VpcSecurityGroupId, ''] ] ]

Resources:
ExampleBotRuntimeRole:
Expand Down Expand Up @@ -367,7 +378,13 @@ Resources:
Service: lambda.amazonaws.com
Action: sts:AssumeRole
ManagedPolicyArns:
- arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
!If
- NeedsVpc
-
- "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
- arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
-
- arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
Policies:
- PolicyDocument:
Version: 2012-10-17
Expand Down Expand Up @@ -436,8 +453,17 @@ Resources:

QnaBusinessLambdaFulfillmentFunction:
Type: AWS::Lambda::Function
Condition: EnableQBusiness
Condition: EnableQBusiness
Properties:
VpcConfig:
!If
- NeedsVpc
-
SecurityGroupIds:
- !Ref VpcSecurityGroupId
SubnetIds:
- !Ref VpcSubnetId
- !Ref "AWS::NoValue"
FunctionName: !Join ["-", [!Ref ParentStackName, "Fulfillment-Lambda"]]
Handler: index.lambda_handler
Role: !GetAtt 'LambdaFunctionRole.Arn'
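Review bot: The ManagedPolicyArns branch at L265-271 repeats the AWSLambdaBasicExecutionRole ARN in both arms of the `!If` and differs in shape from the other templates in this commit, which attach the VPC policy per element with `AWS::NoValue` (e.g. codebuild-deploy.yaml L82-87); AWSLambdaVPCAccessExecutionRole also already carries the CloudWatch Logs actions of the basic policy, so the true branch grants nothing that the VPC policy alone would not. A flatter form keeps a single list: `ManagedPolicyArns:` / `- arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole` / `- !If [NeedsVpc, "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole", !Ref "AWS::NoValue"]`. The enclosing role definition starts outside the hunk. Separately, only QnaBusinessLambdaFulfillmentFunction (L277, gated on EnableQBusiness) receives VpcConfig in this file while the parameter Description at L245 promises VPC placement for all Lambda functions; if the example-bot path defines its own function, this change does not cover it.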
45 changes: 42 additions & 3 deletions templates/master.yaml
Expand Up @@ -589,6 +589,17 @@ Parameters:
This process is not automated because in many use cases Identity Center will not be in the same account as the bot.
Manual set-up instructions can be found here: https://github.com/aws-samples/aws-lex-web-ui/blob/master/README-qbusiness.md
VpcSubnetId:
Type: String
Default: ''
Description: ID of a VPC subnet where all Lambda functions will run, only used if you need Lambda to run in a VPC

VpcSecurityGroupId:
Type: String
Default: ''
Description: ID of a security group where all Lambda functions will run, only used if you need Lambda to run in a VPC


Rules:
ValidateEitherV1orV2:
RuleCondition: !Not
Expand Down Expand Up @@ -697,6 +708,11 @@ Metadata:
- BotChatBubble
- CustomerChatBubble
- MinimizedButtonColor
- Label:
default: Lambda VPC Support
Parameters:
- VpcSubnetId
- VpcSecurityGroupId
- Label:
default: Q Business Parameters
Parameters:
Expand All @@ -706,6 +722,7 @@ Metadata:
Conditions:
IsLexV2: !Not [ !Equals [!Ref LexV2BotId, ''] ]
NeedsBot: !And [ !Equals [!Ref BotName, ''], !Equals [!Ref LexV2BotId, ''] ]
NeedsVpc: !And [ !Not [ !Equals [!Ref VpcSubnetId, ''] ], !Not [ !Equals [!Ref VpcSecurityGroupId, ''] ] ]
NeedsCognito: !Equals [!Ref CognitoIdentityPoolId, '']
NeedsParentOrigin: !Equals [!Ref WebAppParentOrigin, '']
ShouldForceCognitoLogin: !Equals [!Ref ForceCognitoLogin, true]
Expand All @@ -726,6 +743,8 @@ Resources:
QBusinessLambdaCodeObject: !Sub "${BootstrapPrefix}/qbusiness-lambda-v0.21.5.zip"
AmazonQAppId: !Ref AmazonQAppId
IDCApplicationARN: !Ref IDCApplicationARN
VpcSubnetId: !Ref VpcSubnetId
VpcSecurityGroupId: !Ref VpcSecurityGroupId

CognitoIdentityPool:
Type: AWS::CloudFormation::Stack
Expand Down Expand Up @@ -860,7 +879,9 @@ Resources:
AllowStreamingResponses: !Ref AllowStreamingResponses
ShouldEnableUpload: !Ref ShouldEnableUpload
UploadBucket: !Ref UploadBucket
Timestamp: 1723566731
VpcSubnetId: !Ref VpcSubnetId
VpcSecurityGroupId: !Ref VpcSecurityGroupId
Timestamp: 1726069319

CognitoIdentityPoolConfig:
Type: AWS::CloudFormation::Stack
Expand All @@ -874,14 +895,25 @@ Resources:
CodeBuildProjectName: !GetAtt CodeBuildDeploy.Outputs.CodeBuildProject
CognitoUserPool: !GetAtt CognitoIdentityPool.Outputs.CognitoUserPoolId
CognitoUserPoolClient: !GetAtt CognitoIdentityPool.Outputs.CognitoUserPoolClientId
Timestamp: 1723566731
VpcSubnetId: !Ref VpcSubnetId
VpcSecurityGroupId: !Ref VpcSecurityGroupId
Timestamp: 1726069319

##########################################################################
# Lambda that will validate if user has put in an invalid CSS color/Hex string and fail deployment
##########################################################################
CSSValidationLambda:
Type: AWS::Lambda::Function
Type: AWS::Lambda::Function
Properties:
VpcConfig:
!If
- NeedsVpc
-
SecurityGroupIds:
- !Ref VpcSecurityGroupId
SubnetIds:
- !Ref VpcSubnetId
- !Ref "AWS::NoValue"
Description: 'Lambda invoke wrapper for Custom CFN actions'
Code:
ZipFile: !Sub |
Expand Down Expand Up @@ -928,6 +960,12 @@ Resources:
Type: AWS::IAM::Role
Properties:
Path: /
ManagedPolicyArns:
!If
- NeedsVpc
-
- "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
- !Ref "AWS::NoValue"
AssumeRolePolicyDocument:
Version: 2012-10-17
Statement:
Expand Down Expand Up @@ -957,6 +995,7 @@ Resources:
Version: "1.0"
Properties:
ServiceToken: !GetAtt CSSValidationLambda.Arn
ServiceTimeout: 60
MessageTextColor: !Ref MessageTextColor
ChatBackgroundColor: !Ref ChatBackgroundColor
ToolbarColor: !Ref ToolbarColor
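Review bot: Nothing validates that VpcSubnetId and VpcSecurityGroupId (L300-308) are supplied together, yet the NeedsVpc condition at L330 is true only when both are non-empty, so an operator who sets one of them gets a successful deployment in which every Lambda in this stack and the nested stacks it feeds (L338-339, L348-349, L359-360) stays outside the VPC with no warning. The template already has a Rules section (L311), which is where CloudFormation rejects such input at parameter-validation time, before any resource is created. The rule below asserts both-or-neither and uses the same RuleCondition form as the existing ValidateEitherV1orV2 rule at L312-313.
```yaml
Rules:
  # … unchanged: ValidateEitherV1orV2 …
  ValidateVpcParametersTogether:
    RuleCondition: !Or
      - !Not [!Equals [!Ref VpcSubnetId, '']]
      - !Not [!Equals [!Ref VpcSecurityGroupId, '']]
    Assertions:
      - Assert: !And
          - !Not [!Equals [!Ref VpcSubnetId, '']]
          - !Not [!Equals [!Ref VpcSecurityGroupId, '']]
        AssertDescription: VpcSubnetId and VpcSecurityGroupId must be set together (both or neither)
```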