-
Notifications
You must be signed in to change notification settings - Fork 1
/
template.yaml
225 lines (207 loc) · 6.81 KB
/
template.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
#Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
#SPDX-License-Identifier: MIT-0
AWSTemplateFormatVersion: 2010-09-09
Description: A template to deploy an application that performs Quality Assessment of translations from common language pairs. (uksb-jufi99muea).
Transform: AWS::Serverless-2016-10-31
Metadata:
cfn_nag:
rules_to_suppress:
- id: W68
reason: Access logging not required.
Globals:
Api:
Cors:
AllowMethods: "'OPTIONS,POST'"
AllowHeaders: "'Content-Type,X-Amz-Date,Authorization,X-Api-Key,X-Amz-Security-Token'"
AllowOrigin: "'*'"
Auth:
ApiKeyRequired: False
DefaultAuthorizer: AWS_IAM
AddDefaultAuthorizerToCorsPreflight: False
Resources:
Bucket:
Type: AWS::S3::Bucket
#checkov:skip=CKV_AWS_18: Ensure the S3 bucket has access logging enabled
#checkov:skip=CKV_AWS_21: Ensure the S3 bucket has versioning enabled
Metadata:
cfn_nag:
rules_to_suppress:
- id: W35
reason: Access logging not required.
- id: W41
reason: Encryption not required.
- id: W51
reason: Bucket policy not required.
Properties:
PublicAccessBlockConfiguration:
BlockPublicAcls: true
BlockPublicPolicy: true
IgnorePublicAcls: true
RestrictPublicBuckets: true
BucketEncryption:
ServerSideEncryptionConfiguration:
- ServerSideEncryptionByDefault:
SSEAlgorithm: AES256
NotificationConfiguration:
EventBridgeConfiguration:
EventBridgeEnabled: True
CorsConfiguration:
CorsRules:
- AllowedHeaders:
- "*"
AllowedMethods:
- PUT
AllowedOrigins:
- "*"
ExposedHeaders:
- x-amz-server-side-encryption
- x-amz-request-id
- x-amz-id-2
- ETag
MaxAge: 300
PromptTable:
Type: AWS::DynamoDB::Table
#checkov:skip=CKV_AWS_116: Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)
#checkov:skip=CKV_AWS_119: Ensure DynamoDB Tables are encrypted using a KMS Customer Managed CMK
#checkov:skip=CKV_AWS_28: Ensure Dynamodb point in time recovery (backup) is enabled
Properties:
TableName: prompt-table
AttributeDefinitions:
- AttributeName: prompt-id
AttributeType: S
KeySchema:
- AttributeName: prompt-id
KeyType: HASH
BillingMode: PAY_PER_REQUEST
SSESpecification:
SSEEnabled: True
DynamoDBUploadResource:
Type: AWS::Serverless::Function
Properties:
Handler: dyanmodb_upload.handler
CodeUri: ./custom_resources/dynamodb_upload
Tracing: Active
MemorySize: 512
Runtime: python3.12
Timeout: 120
ReservedConcurrentExecutions: 1
Environment:
Variables:
DDBTableName: !Select [1, !Split ['/', !GetAtt PromptTable.Arn]]
Policies:
- Version: 2012-10-17
Statement:
- Effect: Allow
Action:
- dynamodb:PutItem
- dynamodb:UpdateItem
- dynamodb:DeleteItem
Resource: !GetAtt PromptTable.Arn
DynamoDBUpload:
Type: Custom::DynamoDBUploadResource
Properties:
ServiceTimeout: 120
ServiceToken: !GetAtt DynamoDBUploadResource.Arn
QualityAssessmentFunction:
Type: AWS::Serverless::Function
#checkov:skip=CKV_AWS_116: Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)
#checkov:skip=CKV_AWS_117: Ensure that AWS Lambda function is configured inside a VPC
#checkov:skip=CKV_AWS_115: Ensure that AWS Lambda function is configured for function-level concurrent execution limit
Metadata:
cfn_nag:
rules_to_suppress:
- id: W89
reason: VPC not required.
- id: W92
reason: Reserved concurrency not required.
- id: F3
reason: PoC Only.
Properties:
CodeUri: ./functions/quality_assessment
Handler: quality_assessment.lambda_handler
Runtime: python3.12
Timeout: 300
MemorySize: 128
ReservedConcurrentExecutions: 1
Environment:
Variables:
DDBTableName: !Select [1, !Split ['/', !GetAtt PromptTable.Arn]]
Layers:
- !Sub arn:aws:lambda:${AWS::Region}:017000801446:layer:AWSLambdaPowertoolsPythonV2:69
Policies:
- Version: 2012-10-17
Statement:
- Effect: Allow
Action:
- bedrock:InvokeModel
- bedrock:InvokeModelResponseStream
Resource: !Sub "arn:aws:bedrock:${AWS::Region}::foundation-model/*"
- Effect: Allow
Action:
- dynamodb:GetItem
- dynamodb:Scan
- dynamodb:Query
- dynamodb:PutItem
- dynamodb:UpdateItem
- dynamodb:DeleteItem
Resource: !GetAtt PromptTable.Arn
Events:
GetAllPrompts:
Type: Api
Properties:
Method: GET
Path: /get-all-prompts
UpdatePrompt:
Type: Api
Properties:
Method: POST
Path: /update-prompt
EvaluateTranslation:
Type: Api
Properties:
Method: POST
Path: /evaluate-translation
AuthStack:
Type: AWS::CloudFormation::Stack
UpdateReplacePolicy: Delete
DeletionPolicy: Delete
Properties:
TemplateURL: auth.yaml
AuthApiPolicy:
Type: AWS::IAM::Policy
Properties:
Roles:
- !GetAtt AuthStack.Outputs.AuthRoleName
PolicyName: AppPermissions
PolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Action:
- execute-api:Invoke
Resource:
- !Sub "arn:${AWS::Partition}:execute-api:${AWS::Region}:${AWS::AccountId}:${ServerlessRestApi}/Prod/POST/*"
- !Sub "arn:${AWS::Partition}:execute-api:${AWS::Region}:${AWS::AccountId}:${ServerlessRestApi}/Prod/GET/*"
- Effect: Allow
Action:
- lambda:InvokeFunction
Resource:
- !GetAtt QualityAssessmentFunction.Arn
- Effect: Allow
Action:
- s3:PutObject
- s3:GetObject
Resource: !Sub "${Bucket.Arn}/uploads/*"
Outputs:
Region:
Value: !Ref AWS::Region
IdentityPoolId:
Value: !GetAtt AuthStack.Outputs.IdentityPoolId
S3Bucket:
Value: !Ref Bucket
UserPoolsId:
Value: !GetAtt AuthStack.Outputs.UserPoolId
UserPoolsWebClientId:
Value: !GetAtt AuthStack.Outputs.AppClientIDWeb
Endpoint:
Value: !Sub https://${ServerlessRestApi}.execute-api.${AWS::Region}.${AWS::URLSuffix}/Prod