DEV Community: Julian Michel The latest articles on DEV Community by Julian Michel (@jumic). https://dev.to/jumic https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F1019146%2F8c63e1e6-fa20-4424-bf93-b391fcdefe24.jpeg DEV Community: Julian Michel https://dev.to/jumic en Automating secure CloudWatch Alarms with CDK Monitoring Constructs and encrypted SNS Julian Michel Sun, 30 Mar 2025 20:02:49 +0000 https://dev.to/aws-builders/automating-secure-cloudwatch-alarms-with-cdk-monitoring-constructs-and-encrypted-sns-2hmp https://dev.to/aws-builders/automating-secure-cloudwatch-alarms-with-cdk-monitoring-constructs-and-encrypted-sns-2hmp <p>The <a href="https://aws.amazon.com/architecture/well-architected/" rel="noopener noreferrer">AWS Well-Architected Framework</a> describes how to implement cloud applications. For example, the <a href="https://aws.amazon.com/architecture/well-architected//" rel="noopener noreferrer">Reliability Pillar</a> advises architects and developers to set up proper monitoring, such as using CloudWatch Alarms. The <a href="https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/" rel="noopener noreferrer">Security Pillar</a> defines how to build secure applications. Since both need to be combined in cloud applications, this blog post describes how to configure secure CloudWatch Alarms.</p> <p>This blog post is based on <a href="https://aws.amazon.com/cdk/" rel="noopener noreferrer">AWS CDK</a> as an Infrastructure as Code solution. The example project uses a Lambda function that will be enhanced with CloudWatch Alarms. The Alarms are created using <a href="https://github.com/cdklabs/cdk-monitoring-constructs" rel="noopener noreferrer">cdk-monitoring-constructs</a>, a construct that can automatically set up monitoring for CDK projects. To ensure a secure configuration, it uses <a href="https://github.com/cdklabs/cdk-nag" rel="noopener noreferrer">cdk-nag</a>, which throws error messages for insecure AWS resources.</p> <h2> Initial project setup </h2> <p>This example is based on a new TypeScript CDK project. First, install cdk-monitoring-constructs and cdk-nag to enable these features.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm <span class="nb">install </span>cdk-monitoring-constructs npm <span class="nb">install </span>cdk-nag </code></pre> </div> <p>A simple Lambda function is added. For this Lambda function, we will create CloudWatch Alarms later.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">new</span> <span class="nx">nodeLambda</span><span class="p">.</span><span class="nc">NodejsFunction</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">MyFunction</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">runtime</span><span class="p">:</span> <span class="nx">lambda</span><span class="p">.</span><span class="nx">Runtime</span><span class="p">.</span><span class="nx">NODEJS_22_X</span><span class="p">,</span> <span class="na">entry</span><span class="p">:</span> <span class="nf">join</span><span class="p">(</span><span class="nx">__dirname</span><span class="p">,</span> <span class="dl">'</span><span class="s1">../src/my-lambda.ts</span><span class="dl">'</span><span class="p">),</span> <span class="na">handler</span><span class="p">:</span> <span class="dl">'</span><span class="s1">handler</span><span class="dl">'</span><span class="p">,</span> <span class="p">});</span> </code></pre> </div> <h2> Monitoring configuration </h2> <p>The main setup is done for cdk-monitoring-constructs. The SNS Topic will send email notifications when an alarm is triggered.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">alarmTopic</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">sns</span><span class="p">.</span><span class="nc">Topic</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">AlarmTopic</span><span class="dl">'</span><span class="p">);</span> <span class="nx">alarmTopic</span><span class="p">.</span><span class="nf">addSubscription</span><span class="p">(</span><span class="k">new</span> <span class="nx">subscription</span><span class="p">.</span><span class="nc">EmailSubscription</span><span class="p">(</span><span class="dl">'</span><span class="s1">example@example.org</span><span class="dl">'</span><span class="p">));</span> </code></pre> </div> <p>The MonitoringFacade defines the base configuration for cdk-monitoring-constructs. In this example, the CloudWatch dashboard isn't used, so <code>createDashboard</code> is set to <code>false</code>. The properties in <code>alarmFactoryDefaults</code> are set to very sensitive values - so alarms are triggered quickly.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">monitoring</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">MonitoringFacade</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">"</span><span class="s2">Monitoring</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">dashboardFactory</span><span class="p">:</span> <span class="k">new</span> <span class="nc">DefaultDashboardFactory</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">Dashboard</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">createDashboard</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="na">dashboardNamePrefix</span><span class="p">:</span> <span class="dl">''</span><span class="p">,</span> <span class="p">}),</span> <span class="na">alarmFactoryDefaults</span><span class="p">:</span> <span class="p">{</span> <span class="na">alarmNamePrefix</span><span class="p">:</span> <span class="dl">'</span><span class="s1">MyApp</span><span class="dl">'</span><span class="p">,</span> <span class="na">actionsEnabled</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">action</span><span class="p">:</span> <span class="k">new</span> <span class="nc">SnsAlarmActionStrategy</span><span class="p">({</span> <span class="na">onAlarmTopic</span><span class="p">:</span> <span class="nx">alarmTopic</span><span class="p">,</span> <span class="p">}),</span> <span class="na">evaluationPeriods</span><span class="p">:</span> <span class="mi">1</span><span class="p">,</span> <span class="na">datapointsToAlarm</span><span class="p">:</span> <span class="mi">1</span><span class="p">,</span> <span class="p">},</span> <span class="p">});</span> </code></pre> </div> <p>Now there are two options. It is possible to create alarms for a specific resource, such as the Lambda function.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="nx">monitoring</span><span class="p">.</span><span class="nf">monitorLambdaFunction</span><span class="p">({</span> <span class="na">lambdaFunction</span><span class="p">:</span> <span class="nx">myLambda</span><span class="p">,</span> <span class="na">addFaultCountAlarm</span><span class="p">:</span> <span class="p">{</span> <span class="na">Critical</span><span class="p">:</span> <span class="p">{</span> <span class="na">maxErrorCount</span><span class="p">:</span> <span class="mi">0</span><span class="p">,</span> <span class="p">},</span> <span class="p">},</span> <span class="p">});</span> </code></pre> </div> <p>Or, alarms can be created for all resource of a specific type created in the project. The configuration also defines the alarm metric and threshold.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="nx">monitoring</span><span class="p">.</span><span class="nf">monitorScope</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="p">{</span> <span class="na">lambda</span><span class="p">:</span> <span class="p">{</span> <span class="na">props</span><span class="p">:</span> <span class="p">{</span> <span class="na">addFaultCountAlarm</span><span class="p">:</span> <span class="p">{</span> <span class="na">Critical</span><span class="p">:</span> <span class="p">{</span> <span class="na">maxErrorCount</span><span class="p">:</span> <span class="mi">0</span><span class="p">,</span> <span class="p">},</span> <span class="p">},</span> <span class="p">},</span> <span class="p">},</span> <span class="p">});</span> </code></pre> </div> <h2> Check and improve security </h2> <p>It's time to verify that the application is secure. This is done be done using cdk-nag. This line in the CDK application (bin folder) enables the cdk-nag AWS Solutions Checks<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="nx">cdk</span><span class="p">.</span><span class="nx">Aspects</span><span class="p">.</span><span class="k">of</span><span class="p">(</span><span class="nx">app</span><span class="p">).</span><span class="nf">add</span><span class="p">(</span><span class="k">new</span> <span class="nc">AwsSolutionsChecks</span><span class="p">());</span> </code></pre> </div> <p>When running <code>cdk synth</code>, cdk-nag displays an error: <code>The SNS theme does not require publishers to use SSL</code>. So let's enable <code>enforceSSL</code> to have a secure configuration.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">alarmTopic</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">sns</span><span class="p">.</span><span class="nc">Topic</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">AlarmTopic</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">enforceSSL</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="p">});</span> </code></pre> </div> <p>To test the alarm, change the Lambda function so that it always fails, for example, upload invalid code. Then run the lambda function and wait for the alarm to become active. The alarm history will show state transitions and errors while the alarm action is triggered. The error messages indicates that it can't publish messages to the SNS topic.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwb9y9s23h35k8vdxgh3u.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwb9y9s23h35k8vdxgh3u.png" alt="CloudWatch Alarm history - missing SNS permission" width="800" height="314"></a></p> <p>Enabling <code>enforceSSL</code> has set a deny action for traffic without SSL encryption on the SNS Topic. CloudWatch can't publish messages anymore because no permissions were granted. So explicitly grant the publish permissions:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="nx">alarmTopic</span><span class="p">.</span><span class="nf">grantPublish</span><span class="p">(</span><span class="k">new</span> <span class="nx">iam</span><span class="p">.</span><span class="nc">ServicePrincipal</span><span class="p">(</span><span class="dl">'</span><span class="s1">cloudwatch</span><span class="dl">'</span><span class="p">));</span> </code></pre> </div> <p>After this change, SNS notifications will be sent to all subscribers. Let's increase the security even more. SNS Topics also support KMS encryption, so specify a KMS key as <code>masterKey</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>const alarmTopic = new sns.Topic(this, 'AlarmTopic', { enforceSSL: true, masterKey: kmsKey, }); </code></pre> </div> <p>Alarm notifications will fail again, see the alarm history.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fcqkoxrkcdd1xrn1o79rr.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fcqkoxrkcdd1xrn1o79rr.png" alt="CloudWatch Alarm history - missing KMS permission" width="800" height="270"></a></p> <p>Similar to the previous error, permissions for the CloudWatch service are missing in the KMS Key. So let's grant the encrypt/decrypt permissions.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="nx">kmsKey</span><span class="p">.</span><span class="nf">grantEncryptDecrypt</span><span class="p">(</span><span class="k">new</span> <span class="nx">iam</span><span class="p">.</span><span class="nc">ServicePrincipal</span><span class="p">(</span><span class="dl">'</span><span class="s1">cloudwatch</span><span class="dl">'</span><span class="p">));</span> </code></pre> </div> <p>Another test shows that alarm notifications can be successfully sent to the KMS-encrypted SNS topic - everything works!</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fy40km1e20la6bg16ofrd.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fy40km1e20la6bg16ofrd.png" alt="CloudWatch Alarm history - no error" width="800" height="253"></a></p> <h2> Triggering CloudWatch Alarms manually </h2> <p>Sometimes it is also helpful to trigger CloudWatch alarms manually. You don't need to implement a wrong lambda function to trigger an alarm, just use this CLI command.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>aws cloudwatch set-alarm-state <span class="se">\</span> <span class="nt">--alarm-name</span> <span class="s2">"MyApp-MyFunction-Fault-Count-Critical"</span> <span class="se">\</span> <span class="nt">--state-value</span> ALARM <span class="nt">--state-reason</span> <span class="s2">"Alarm test"</span> </code></pre> </div> <p>Instead of the <code>ALARM</code> value, you can also specify <code>OK</code> to reset the alarm.</p> <h2> Summary and lessons learned </h2> <p>You've learned how to create CloudWatch Alarms with cdk-monitoring-constructs - and how to implement a secure configuration:</p> <ul> <li>Enforce SSL in the SNS topic and specify a KMS key.</li> <li>Grant permissions for the CloudWatch service in the KMS topic and KMS key.</li> </ul> <p>If you encounter problems with alarm actions, always check the alarm history in the CloudWatch console. It shows the error message that occurred when the alarm was delivered.</p> awscdk monitoring cloudwatch security Embedding Q Business into existing applications Julian Michel Mon, 30 Dec 2024 16:42:25 +0000 https://dev.to/aws-builders/embedding-q-business-into-existing-applications-3nii https://dev.to/aws-builders/embedding-q-business-into-existing-applications-3nii <p>Amazon Q Business has gotten some new features in the last few months. One of them is the ability to <a href="https://aws.amazon.com/about-aws/whats-new/2024/10/embed-amazon-q-business-applications-user-interface/" rel="noopener noreferrer">embed Q Business</a> into other applications. This blog post gives some guidance on how this works and what to consider when adding Q Business to another application.</p> <h2> Why? </h2> <p>Often companies use other tools such as MS SharePoint or Confluence as their intranet. In case Q Business should not be treated as a separate tool, it can be integrated into existing applications. Users can then simply open a page that contains Q Business. For example, this screenshot shows the integration into a Confluence page.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fruvzw78epxbosp8wszbz.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fruvzw78epxbosp8wszbz.png" alt="Q Business embedded into Confluence" width="800" height="582"></a></p> <h2> How does it work? </h2> <p>First, you need to whitelist the site that embeds Q Business in the Q Business configuration. Open the new "Amazon Q embedded" configuration and add the URL of the site, such as <code>https://julianmichel.de</code>. Don't include the specific path and a trailing slash at the end.<br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9n1stguttn4fhpgpljht.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9n1stguttn4fhpgpljht.png" alt="Allowed websites ocnfoguration" width="800" height="345"></a></p> <p>Next, copy the URL of your Q Business application:<br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fns3tnt033jfoli4dtutd.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fns3tnt033jfoli4dtutd.png" alt="Copy Q Business URL" width="800" height="270"></a></p> <p>Then create an iFrame in the application and reference the URL you copied in the previous step. For example, in Confluence, search for the iFrame element.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fw375183fjk9lqlbwfvcf.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fw375183fjk9lqlbwfvcf.png" alt="Confluence: add iFrame" width="800" height="252"></a></p> <p>Then paste the URL you copied earlier.<br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Figp9l1n6ecuufx1ltwth.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Figp9l1n6ecuufx1ltwth.png" alt="Confluence: paste Q Business URL" width="725" height="708"></a></p> <p>You can also do the same change in a plain HTML file by adding the iFrame element.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="nt">&lt;iframe</span> <span class="na">src=</span><span class="s">"https://pgs3zrql.chat.qbusiness.us-east-1.on.aws/"</span> <span class="na">title=</span><span class="s">"QBusiness"</span><span class="nt">&gt;&lt;/iframe&gt;</span> </code></pre> </div> <p>For more details, see the <a href="https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/embed-amazon-q-business.html" rel="noopener noreferrer">Embedded Q Business</a> section in the documentation.</p> <h2> Testing </h2> <p>You are now ready to open the Confluence page. Q Business will not load directly. Instead, it displays a login page. Press the Sign In-button.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fs0cazkh8ro54yjkrf025.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fs0cazkh8ro54yjkrf025.png" alt="Sign in" width="800" height="532"></a></p> <p>It opens a new tab that handles the login process using the SSO capabilities in AWS IAM Identity Center. You can close this tab.<br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6p8ybptciuwjafgmuc6a.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6p8ybptciuwjafgmuc6a.png" alt="Sign in successful" width="800" height="728"></a></p> <p>Next, it displays Q Business integrated into the Confluence page.<br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fknur8qxszqsrt73h6zm5.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fknur8qxszqsrt73h6zm5.png" alt="Q Business embedded into Confluence" width="800" height="705"></a></p> <p>The integration into the custom HTML page also works. Again, the sign in page is displayed.<br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F865c7ngt1ua451847ofc.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F865c7ngt1ua451847ofc.png" alt="Q Business embedded into custom HTML page" width="800" height="423"></a></p> <p>Once you have completed the sign in process, you will see Q Business integrated into the page.<br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F17gcp1vr00bxsg80d2re.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F17gcp1vr00bxsg80d2re.png" alt="Q Business embedded into custom HTML page works too" width="800" height="493"></a></p> <h2> Error handling </h2> <p>What to do if embedding Q Business doesn't work? If you get this error and Q Business doesn't load at all, check the URL you configured before. It is probably incorrect.<br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fudiwh4ux1akiaojwqdkk.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fudiwh4ux1akiaojwqdkk.png" alt="Q Business doesn't work" width="800" height="435"></a></p> <p>If the Grant Permission button doesn't work, check the output in Web Developer Tools.<br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3wa09xipqj5hyuhs1f80.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3wa09xipqj5hyuhs1f80.png" alt="Q Business Grant Access Button" width="800" height="443"></a></p> <p>For example, I received this error when accessing the page in Google Chrome's incognito mode: <code>requestStorageAccess: Request denied because the embedded site has never been interacted with as a top-level context</code>.</p> <p>Root cause: Third-party cookies are blocked in incognito mode. I had to enable them and it worked.<br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftaq5oofpcl2r6ik6vm9f.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftaq5oofpcl2r6ik6vm9f.png" alt="Enable third-party cookies" width="756" height="602"></a></p> <p>Also check the iFrame <code>sandbox</code> attribute settings if used in the iFrame.</p> <h2> Whitelisting URLs with IaC </h2> <p>Of course, it makes sense to configure the URL of the embedded web packages using Infrastructure as Code. In an earlier post, I described <a href="https://dev.to/aws-builders/deploy-amazon-q-business-with-aws-cdk-example-and-best-practices-4ff8">how to deploy Q Business using AWS CDK</a>. In the <a href="https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-qbusiness-webexperience.html" rel="noopener noreferrer">WebExperience resource</a>, you can specify an array of URLs in the <a href="https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-qbusiness-webexperience.html#cfn-qbusiness-webexperience-origins" rel="noopener noreferrer"><code>origins</code></a> property. Unfortunately, the property isn't called embedded URLs or anything like that, so it's different from the naming in the AWS console.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">new</span> <span class="nx">q</span><span class="p">.</span><span class="nc">CfnWebExperience</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">WebExperience</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">applicationId</span><span class="p">:</span> <span class="nx">application</span><span class="p">.</span><span class="nx">attrApplicationId</span><span class="p">,</span> <span class="na">roleArn</span><span class="p">:</span> <span class="nx">webExperienceRole</span><span class="p">.</span><span class="nx">roleArn</span><span class="p">,</span> <span class="na">origins</span><span class="p">:</span> <span class="p">[</span> <span class="dl">'</span><span class="s1">https://jumic-reinvent.atlassian.net</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">https://julianmichel.de</span><span class="dl">'</span><span class="p">,</span> <span class="p">],</span> <span class="p">});</span> </code></pre> </div> <h2> Summary </h2> <p>Embedded Q Business is a great feature for integrating Q Business into existing applications. From my point of view, it improves the user experience when users can access it in familiar applications. </p> <p>Unfortunately, you have to log in to Q Business first. But this is not a design decision by AWS - it is related to web security standards.</p> <p>If Q Business Embedded doesn't work out of the box, you can use the web developer tools to debug it.</p> qbusiness chatbot awscdk genai How to create an AWS account without a debit/credit card (in Germany) Julian Michel Fri, 04 Oct 2024 20:26:11 +0000 https://dev.to/aws-builders/how-to-create-an-aws-account-without-a-debitcredit-card-in-germany-4n6l https://dev.to/aws-builders/how-to-create-an-aws-account-without-a-debitcredit-card-in-germany-4n6l <p>When you create a new AWS account, you must enter a debit or credit card as your default payment method. You cannot create an AWS account without a debit or credit card, such as Mastercard or Visa. As of the end of July this year, it is now possible to sign up for a new AWS account in Germany without using a debit or credit card. Instead, you will need to link your AWS account to your bank account (see <a href="https://aws.amazon.com/about-aws/whats-new/2024/07/aws-account-using-bank-account-germany/" rel="noopener noreferrer">official announcement</a>).</p> <h2> Why do we need this feature? </h2> <p>Credit cards are not widely used in Germany. Many people prefer the German <a href="https://en.wikipedia.org/wiki/Girocard" rel="noopener noreferrer">girocard</a>. Even in the young age group (18-27 years), <a href="https://de.statista.com/statistik/daten/studie/867648/umfrage/umfrage-zum-kreditkartenbesitz-in-deutschland-nach-altersklassen/#:~:text=Zum%20Zeitpunkt%20der%20Erhebung%20gaben,etwa%2047%20Prozent%20ein%20Kreditkarte." rel="noopener noreferrer">only around 50 percent</a> had a credit card in 2020.</p> <p>Telling people in Germany that they should sign up for an AWS account could be difficult. Students can't sign up because they don't have a credit card, so they won't be trained in AWS. </p> <p>I suppose this was one of the reasons why AWS now allows AWS accounts to be created with a bank account in Germany. For now, this feature is not available in other countries.</p> <h2> Why should you know about this (in Germany)? </h2> <p>If you are teaching AWS to German students or other people, you can tell them that this alternative payment method exists. This article shows how to set up an AWS account without a debit or credit card - you will understand the process and be able to tell others about it.</p> <h2> Select the payment method </h2> <p>Sign up for your AWS account as usual. On the Billing Information page, select Germany as your billing country. Once you select Germany, the form will display the additional payment method type "Bank Account". Select this option.<br> <a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fk30xqcm40q3wtvgbvz0e.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fk30xqcm40q3wtvgbvz0e.png" alt="Billing information" width="647" height="1204"></a></p> <p>The form shows additional information about how AWS links your bank account. It uses a service called <a href="https://truelayer.com" rel="noopener noreferrer">TrueLayer</a>.<br> <a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fh1qmvvw2w86kq8p9h3fz.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fh1qmvvw2w86kq8p9h3fz.png" alt="Additional information: TrueLayer" width="710" height="1111"></a></p> <p>You are asked to open TrueLayer.<br> <a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqphobruv7sbq0t6vikf7.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqphobruv7sbq0t6vikf7.png" alt="Open TrueLayer?" width="800" height="202"></a></p> <h2> Link your bank account </h2> <p>Next, select your German bank from the drop-down list. You can't enter a foreign bank here.<br> <a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fomwcdkc14rnprzd6089d.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fomwcdkc14rnprzd6089d.png" alt="Select your bank" width="800" height="933"></a></p> <p>The TrueLayer service explains what information is shared. TrueLayer also reads your account balance - but doesn't share it with AWS. <br> <a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fird75sfs5lnr27ux5da1.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fird75sfs5lnr27ux5da1.png" alt="TrueLayer shared data" width="800" height="928"></a></p> <p>You will be directed to your bank account. Log in and confirm that TrueLayer is allowed to read the requested data.<br> <a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqd5z0huxb9z0suoc3stc.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqd5z0huxb9z0suoc3stc.png" alt="Login to your bank account" width="800" height="890"></a></p> <h2> Continue the registration process </h2> <p>After confirming access to your bank details, the information will be transferred to AWS and you will see the last four digits of your bank account number on the registration form. This confirms that your bank account has been successfully linked.<br> <a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8a1uhuo9pyuvznvswpv3.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8a1uhuo9pyuvznvswpv3.png" alt="Bank account has been successfully linked" width="655" height="1142"></a></p> <p>Everything else is the same as using a debit or credit card. Once your AWS account is created, you can also verify your bank account in the payment preferences.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpuzp1gda70whvglzys73.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpuzp1gda70whvglzys73.png" alt="AWS payment preferences" width="800" height="764"></a></p> <h2> Summary </h2> <p>It works - you can easily link your bank account. I was able to sign up for an AWS account without a debit or credit card. The process is straightforward, there is no time-consuming verification like with some other services.</p> aws account billing germany How to publish custom cdk-nag rules and rule packs with Projen Julian Michel Mon, 23 Sep 2024 20:27:56 +0000 https://dev.to/aws-builders/how-to-publish-custom-cdk-nag-rules-and-rule-packs-with-projen-g1i https://dev.to/aws-builders/how-to-publish-custom-cdk-nag-rules-and-rule-packs-with-projen-g1i <p><a href="https://github.com/cdklabs/cdk-nag/" rel="noopener noreferrer">cdk-nag</a> is a small tool for checking AWS CDK applications for (security) best practices. It provides rules and rule packs that can be applied to a CDK application. The rules are evaluated during <code>cdk synth</code>, which has the benefit of providing feedback to developers early in the development cycle. Similar capabilities can be implemented using the <a href="https://aws.amazon.com/security-hub/" rel="noopener noreferrer">AWS Security Hub</a>. However, cdk-nag has the advantage of finding issues before deployment.</p> <p>cdk-nag provides five <a href="https://github.com/cdklabs/cdk-nag?tab=readme-ov-file#available-rules-and-packs" rel="noopener noreferrer">rules packs</a> that can be used right out of the box:</p> <ul> <li>AWS Solutions</li> <li>HIPAA Security</li> <li>NIST 800-53 rev 4</li> <li>NIST 800-53 rev 5</li> <li>PCI DSS 3.2.1</li> </ul> <p>If one of these rule packs meets your organization's needs, you can directly use it. If you have custom rules, you can define your own rules and rule packs to make them available to all your projects. The <a href="https://github.com/cdklabs/cdk-nag/blob/main/docs/NagPack.md" rel="noopener noreferrer">documentation</a> shows how to create them, but there is no information on how to publish them. So this blog post shows how to publish custom cdk-nag rules and rule packs.</p> <h2> Preconditions </h2> <p>You must have access to <a href="https://github.com/" rel="noopener noreferrer">GitHub</a> in order to create and use GitHub repositories. The Projen features used in this blog post are only available on GitHub.</p> <p>To publish the cdk-nag ruleset, you must use an npm registry such as <a href="https://www.npmjs.com/" rel="noopener noreferrer">npmjs.com</a>. In this blog post, the rule pack is published as a private npm package, which requires a <a href="https://www.npmjs.com/products" rel="noopener noreferrer">paid npmjs account</a>. If you are using a self-hosted npm registry, this is not a strict requirement.</p> <h2> Create a new Projen project </h2> <p>Projen is another open source project - it manages project configurations. Similar to AWS CDK, which creates CloudFormation templates, a Projen project is synthesized into project configurations, including GitHub actions, linter configuration, and so on. </p> <p>cdk-nag rules and rule packs are published as a software library, so Projen provides everything needed to publish them. Also, cdk-nag itself uses Projen to publish new releases. The Projen type <code>awscdk-construct</code> contains everything needed to manage the project, including the GitHub workflows to publish new releases. With jsii it is also possible to publish releases in other programming languages like Java or Python. To create the new project, run this command:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npx projen new awscdk-construct </code></pre> </div> <h2> Add cdk-nag dependency </h2> <p>First, add cdk-nag as new dependency in file <code>.projenrc.ts</code>. Insert the following line:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="nx">peerDeps</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">cdk-nag</span><span class="dl">'</span><span class="p">],</span> </code></pre> </div> <p>Then run <code>npx projen</code> to install it.</p> <h2> Implement a custom rule and rule pack </h2> <p>Now add one or more custom rules and a rule pack. See the <a href="https://github.com/cdklabs/cdk-nag/blob/main/docs/NagPack.md" rel="noopener noreferrer">documentation</a> and the <a href="https://github.com/cdklabs/cdk-nag/tree/main/src" rel="noopener noreferrer">cdk-nag repository</a> on GitHub for more information. As an example, use the following rule and rule pack.</p> <p>Implement a rule that checks if SSE is enabled in S3 buckets. This is just an example - it probably makes more sense to use KMS encryption instead. Add a new file <code>src/rules/S3DefaultEncryptionSSE.ts</code> and paste the content:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">parse</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">path</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">CfnResource</span><span class="p">,</span> <span class="nx">Stack</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">aws-cdk-lib</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">CfnBucket</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">aws-cdk-lib/aws-s3</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">NagRuleCompliance</span><span class="p">,</span> <span class="nx">NagRules</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">cdk-nag/lib</span><span class="dl">'</span><span class="p">;</span> <span class="cm">/** * S3 Buckets are encrypted S3 SSE encryption * @param node the CfnResource to check */</span> <span class="k">export</span> <span class="k">default</span> <span class="nb">Object</span><span class="p">.</span><span class="nf">defineProperty</span><span class="p">(</span> <span class="p">(</span><span class="nx">node</span><span class="p">:</span> <span class="nx">CfnResource</span><span class="p">):</span> <span class="nx">NagRuleCompliance</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">node</span> <span class="k">instanceof</span> <span class="nx">CfnBucket</span><span class="p">)</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">node</span><span class="p">.</span><span class="nx">bucketEncryption</span> <span class="o">==</span> <span class="kc">undefined</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">NagRuleCompliance</span><span class="p">.</span><span class="nx">NON_COMPLIANT</span><span class="p">;</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">encryption</span> <span class="o">=</span> <span class="nx">Stack</span><span class="p">.</span><span class="k">of</span><span class="p">(</span><span class="nx">node</span><span class="p">).</span><span class="nf">resolve</span><span class="p">(</span><span class="nx">node</span><span class="p">.</span><span class="nx">bucketEncryption</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">encryption</span><span class="p">.</span><span class="nx">serverSideEncryptionConfiguration</span> <span class="o">==</span> <span class="kc">undefined</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">NagRuleCompliance</span><span class="p">.</span><span class="nx">NON_COMPLIANT</span><span class="p">;</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">sse</span> <span class="o">=</span> <span class="nx">Stack</span><span class="p">.</span><span class="k">of</span><span class="p">(</span><span class="nx">node</span><span class="p">).</span><span class="nf">resolve</span><span class="p">(</span> <span class="nx">encryption</span><span class="p">.</span><span class="nx">serverSideEncryptionConfiguration</span><span class="p">,</span> <span class="p">);</span> <span class="k">for </span><span class="p">(</span><span class="kd">const</span> <span class="nx">rule</span> <span class="k">of</span> <span class="nx">sse</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">defaultEncryption</span> <span class="o">=</span> <span class="nx">Stack</span><span class="p">.</span><span class="k">of</span><span class="p">(</span><span class="nx">node</span><span class="p">).</span><span class="nf">resolve</span><span class="p">(</span> <span class="nx">rule</span><span class="p">.</span><span class="nx">serverSideEncryptionByDefault</span><span class="p">,</span> <span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">defaultEncryption</span> <span class="o">==</span> <span class="kc">undefined</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">NagRuleCompliance</span><span class="p">.</span><span class="nx">NON_COMPLIANT</span><span class="p">;</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">sseAlgorithm</span> <span class="o">=</span> <span class="nx">NagRules</span><span class="p">.</span><span class="nf">resolveIfPrimitive</span><span class="p">(</span> <span class="nx">node</span><span class="p">,</span> <span class="nx">defaultEncryption</span><span class="p">.</span><span class="nx">sseAlgorithm</span><span class="p">,</span> <span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">sseAlgorithm</span> <span class="o">!=</span> <span class="dl">'</span><span class="s1">AES256</span><span class="dl">'</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">NagRuleCompliance</span><span class="p">.</span><span class="nx">NON_COMPLIANT</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> <span class="k">return</span> <span class="nx">NagRuleCompliance</span><span class="p">.</span><span class="nx">COMPLIANT</span><span class="p">;</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">NagRuleCompliance</span><span class="p">.</span><span class="nx">NOT_APPLICABLE</span><span class="p">;</span> <span class="p">}</span> <span class="p">},</span> <span class="dl">'</span><span class="s1">name</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">value</span><span class="p">:</span> <span class="nf">parse</span><span class="p">(</span><span class="nx">__filename</span><span class="p">).</span><span class="nx">name</span> <span class="p">},</span> <span class="p">);</span> </code></pre> </div> <p>Also add a custom rule pack. This one contains a reference to the new rule and an existing rule from cdk-nag. Paste the contents into file <code>src/MyCustomChecks.ts</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">CfnResource</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">aws-cdk-lib</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">NagMessageLevel</span><span class="p">,</span> <span class="nx">NagPack</span><span class="p">,</span> <span class="nx">NagPackProps</span><span class="p">,</span> <span class="nx">rules</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">cdk-nag</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">IConstruct</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">constructs</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="nx">S3DefaultEncryptionSSE</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">./rules/S3DefaultEncryptionSSE</span><span class="dl">'</span><span class="p">;</span> <span class="k">export</span> <span class="kd">class</span> <span class="nc">MyCustomChecks</span> <span class="kd">extends</span> <span class="nc">NagPack</span> <span class="p">{</span> <span class="nf">constructor</span><span class="p">(</span><span class="nx">props</span><span class="p">?:</span> <span class="nx">NagPackProps</span><span class="p">)</span> <span class="p">{</span> <span class="k">super</span><span class="p">(</span><span class="nx">props</span><span class="p">);</span> <span class="k">this</span><span class="p">.</span><span class="nx">packName</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">MyCustom</span><span class="dl">'</span><span class="p">;</span> <span class="p">}</span> <span class="k">public</span> <span class="nf">visit</span><span class="p">(</span><span class="nx">node</span><span class="p">:</span> <span class="nx">IConstruct</span><span class="p">):</span> <span class="k">void</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">node</span> <span class="k">instanceof</span> <span class="nx">CfnResource</span><span class="p">)</span> <span class="p">{</span> <span class="k">this</span><span class="p">.</span><span class="nf">applyRule</span><span class="p">({</span> <span class="na">info</span><span class="p">:</span> <span class="dl">'</span><span class="s1">SSL not enabled in this bucket.</span><span class="dl">'</span><span class="p">,</span> <span class="na">explanation</span><span class="p">:</span> <span class="dl">'</span><span class="s1">SSL must be enabled to encrypt traffic.</span><span class="dl">'</span><span class="p">,</span> <span class="na">level</span><span class="p">:</span> <span class="nx">NagMessageLevel</span><span class="p">.</span><span class="nx">ERROR</span><span class="p">,</span> <span class="na">rule</span><span class="p">:</span> <span class="nx">rules</span><span class="p">.</span><span class="nx">s3</span><span class="p">.</span><span class="nx">S3BucketSSLRequestsOnly</span><span class="p">,</span> <span class="na">node</span><span class="p">:</span> <span class="nx">node</span><span class="p">,</span> <span class="p">});</span> <span class="k">this</span><span class="p">.</span><span class="nf">applyRule</span><span class="p">({</span> <span class="na">info</span><span class="p">:</span> <span class="dl">'</span><span class="s1">SSE encryption not set for this bucket.</span><span class="dl">'</span><span class="p">,</span> <span class="na">explanation</span><span class="p">:</span> <span class="dl">'</span><span class="s1">SSE encryption must be enabled to encrypt files in this bucket.</span><span class="dl">'</span><span class="p">,</span> <span class="na">level</span><span class="p">:</span> <span class="nx">NagMessageLevel</span><span class="p">.</span><span class="nx">ERROR</span><span class="p">,</span> <span class="na">rule</span><span class="p">:</span> <span class="nx">S3DefaultEncryptionSSE</span><span class="p">,</span> <span class="na">node</span><span class="p">:</span> <span class="nx">node</span><span class="p">,</span> <span class="p">});</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Replace the existing content in <code>src/index.ts</code> and export the two files created before.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">export</span> <span class="o">*</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">./MyCustomChecks</span><span class="dl">'</span><span class="p">;</span> <span class="k">export</span> <span class="o">*</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">./rules/S3DefaultEncryptionSSE</span><span class="dl">'</span><span class="p">;</span> </code></pre> </div> <p>It is also recommended to add some test cases. First remove the generated default example test case by deleting file <code>test/hello.test.ts</code>. For the rule, add a new test case in file <code>test/S3DefaultEncryptionSSE.test.ts</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">App</span><span class="p">,</span> <span class="nx">Stack</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">aws-cdk-lib</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">CfnBucket</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">aws-cdk-lib/aws-s3</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="nx">S3DefaultEncryptionSSE</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">../src/rules/S3DefaultEncryptionSSE</span><span class="dl">'</span><span class="p">;</span> <span class="nf">test</span><span class="p">(</span><span class="dl">'</span><span class="s1">Non-Complient Bucket</span><span class="dl">'</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">app</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">App</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">stack</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Stack</span><span class="p">(</span><span class="nx">app</span><span class="p">,</span> <span class="dl">'</span><span class="s1">Stack</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">bucket</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">CfnBucket</span><span class="p">(</span><span class="nx">stack</span><span class="p">,</span> <span class="dl">'</span><span class="s1">Bucket</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="p">});</span> <span class="nf">expect</span><span class="p">(</span><span class="nc">S3DefaultEncryptionSSE</span><span class="p">(</span><span class="nx">bucket</span><span class="p">)).</span><span class="nf">toBe</span><span class="p">(</span><span class="dl">'</span><span class="s1">Non-Compliant</span><span class="dl">'</span><span class="p">);</span> <span class="p">});</span> <span class="nf">test</span><span class="p">(</span><span class="dl">'</span><span class="s1">Complient Bucket</span><span class="dl">'</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">app</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">App</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">stack</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Stack</span><span class="p">(</span><span class="nx">app</span><span class="p">,</span> <span class="dl">'</span><span class="s1">Stack</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">bucket</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">CfnBucket</span><span class="p">(</span><span class="nx">stack</span><span class="p">,</span> <span class="dl">'</span><span class="s1">Bucket</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">bucketEncryption</span><span class="p">:</span> <span class="p">{</span> <span class="na">serverSideEncryptionConfiguration</span><span class="p">:</span> <span class="p">[</span> <span class="p">{</span> <span class="na">serverSideEncryptionByDefault</span><span class="p">:</span> <span class="p">{</span> <span class="na">sseAlgorithm</span><span class="p">:</span> <span class="dl">'</span><span class="s1">AES256</span><span class="dl">'</span><span class="p">,</span> <span class="p">},</span> <span class="p">},</span> <span class="p">],</span> <span class="p">},</span> <span class="p">});</span> <span class="nf">expect</span><span class="p">(</span><span class="nc">S3DefaultEncryptionSSE</span><span class="p">(</span><span class="nx">bucket</span><span class="p">)).</span><span class="nf">toBe</span><span class="p">(</span><span class="dl">'</span><span class="s1">Compliant</span><span class="dl">'</span><span class="p">);</span> <span class="p">});</span> </code></pre> </div> <p>To complete this step, run <code>npx projen build</code> to build and test the code. If successful, proceed to the next step.</p> <h2> Release to npmjs </h2> <p>To import the rule pack into another project, it must be published to npmjs. This will be done by Github actions generated by Projen. To release an internal library, add a scope to property <code>name</code> in <code>.projenrc.ts</code>. In my case, I added <code>@jumic</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="nx">name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">@jumic/cdk-nag-custom-rules</span><span class="dl">'</span><span class="p">,</span> </code></pre> </div> <p>Also, enable npm release and set access level to <code>RESTRICTED</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="nx">releaseToNpm</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="nx">npmAccess</span><span class="p">:</span> <span class="nx">NpmAccess</span><span class="p">.</span><span class="nx">RESTRICTED</span><span class="p">,</span> </code></pre> </div> <p>At <a href="https://www.npmjs.com/" rel="noopener noreferrer">npmjs.com</a>, open Access Tokens in the navigation and generate a new access token.<br> <a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxh88kj6gvc6wibuq70zd.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxh88kj6gvc6wibuq70zd.png" alt="Generate access token" width="" height=""></a></p> <p>Enter a token name such as <code>GitHub</code>.<br> <a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjkn2i73rr6l5ddykouc7.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjkn2i73rr6l5ddykouc7.png" alt="Token name" width="" height=""></a></p> <p>Define packages and scope.<br> <a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fiqh2hanqrnzxux9oow8r.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fiqh2hanqrnzxux9oow8r.png" alt="Packages and scope" width="" height=""></a></p> <p>As a result, npmjs will display the generated access token. This needs to be copied to GitHub.</p> <p>On GitHub, go to the repository settings for your repository. Create a new secret.<br> <a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F014syeag6keof1pj0t2e.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F014syeag6keof1pj0t2e.png" alt="New repository secret" width="" height=""></a></p> <p>Enter the name <code>NPM_TOKEN</code>, which is the default name Projen expects. Then paste the access token.<br> <a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ff9w2q30u72im27bzz9l9.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ff9w2q30u72im27bzz9l9.png" alt="Add secret" width="" height=""></a></p> <p>Once you have completed these configuration steps, commit your source code to the repository. The GitHub actions will start to build the project and publish it to npmjs. </p> <p>Check the status on GitHub and make sure that the workflow is running successfully.</p> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fy5ribvx641jj4um0dlic.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fy5ribvx641jj4um0dlic.png" alt="Check GitHub" width="" height=""></a></p> <p>Also, go to the npmjs packages and check if the release is available.<br> <a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fcn6aaj2cgl58vitsx1io.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fcn6aaj2cgl58vitsx1io.png" alt="Check npmjs" width="" height=""></a></p> <p>If both checks pass, the custom cdk-nag rule package has been successfully released.</p> <h2> Adding your rule pack to a new CDK project </h2> <p>It's time to test the new rule pack. Create a new CDK project or use an existing CDK project. As this library was published as a private package, login to npmjs to access private packages:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm login </code></pre> </div> <p>Now you can install the dependency to your project:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm <span class="nb">install</span> @jumic/cdk-nag-custom-rules </code></pre> </div> <p>In the <code>bin</code> folder, add the new rule pack to the CDK application.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="nx">cdk</span><span class="p">.</span><span class="nx">Aspects</span><span class="p">.</span><span class="k">of</span><span class="p">(</span><span class="nx">app</span><span class="p">).</span><span class="nf">add</span><span class="p">(</span><span class="k">new</span> <span class="nc">MyCustomChecks</span><span class="p">())</span> </code></pre> </div> <p>Then execute <code>cdk synth</code> and it will show all invalid resources.<br> <a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fuuu5ywpnd4m69f6cceid.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fuuu5ywpnd4m69f6cceid.png" alt="cdk synth" width="" height=""></a></p> <p>In case that all checks are passed, you will see the standard CDK output.</p> <h2> Summary </h2> <p>Publishing cdk-nag rule packs with Projen works great. It is a very useful combination of tools for publishing custom cdk-nag rule packs. Once configured, changes are continuously published to the registry.</p> <p>Using CDK in multiple programming languages? Just add more jsii targets to <code>.projenrc.ts</code> to publish packages for Python, Java, ... (see <a href="https://projen.io/docs/project-types/aws-cdk-construct-library#publishing" rel="noopener noreferrer">Projen documentation</a>).</p> <p><a href="https://github.com/jumic/cdk-nag-custom-rules" rel="noopener noreferrer">Full source code on GitHub</a></p> cdk projen security aws AWS SQS as an alternative to traditional application integration middleware Julian Michel Sun, 15 Sep 2024 22:28:55 +0000 https://dev.to/aws-builders/aws-sqs-as-an-alternative-to-traditional-application-integration-middleware-3jml https://dev.to/aws-builders/aws-sqs-as-an-alternative-to-traditional-application-integration-middleware-3jml <p>Application integration is a common scenario in IT landscapes. A source system sends data that is consumed by a target system. There are various integration middleware that provide integration capabilities for third-party software. They implement features such as data quality checks or data conversation before it is sent to the target system.</p> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6hyzbqmweth86zj72i49.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6hyzbqmweth86zj72i49.png" alt="Source and target application integrated by integration middleware" width="800" height="217"></a></p> <h2> Limitations of traditional integration middleware </h2> <p>As always, standard software is great for the use cases for which it was designed. Before working on AWS projects, I integrated shop floor data with ERP systems using traditional middleware. This software solution met all the business requirements. However, problems appeared when large amounts of data needed to be transferred. This particular software solution wasn't built for high traffic.</p> <p>It was possible to implement some workarounds for this problem. However, it always felt like a workaround. For example, it was possible to create multiple parallel queues to process data in parallel. Since this was not a standard feature, each configuration had to be implemented multiple times. It worked, but it was not perfect.</p> <h2> How my first AWS training made an impact </h2> <p>When I took my first AWS trainings (AWS Cloud Practitioner and AWS Developer Associate), I was really impressed with the capabilities that AWS offers. One of them was the strong scalability capabilities - the feature that caused problems in some past projects. Since <a href="https://aws.amazon.com/sqs/" rel="noopener noreferrer">AWS SQS</a> is a managed message queue, I thought it would be a good fit for my use case.</p> <h2> Implementation of a similar project with AWS </h2> <p>In one of my next projects, I had the opportunity to implement a similar project using AWS tools. A consumer sends messages to an SQS queue. An AWS Lambda function processes the data and posts it to an ERP system. </p> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fon7rh2y8ranm2vkkt6ub.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fon7rh2y8ranm2vkkt6ub.png" alt="Message processing with SQS and Lambda" width="800" height="160"></a></p> <p>From a developer's perspective, this is not complex. However, it worked very well without the scalability issues. Multiple messages are processed in parallel. It scales very quickly when there are message spikes. If the target system isn't available, messages can be retried later. Basically, it is exactly the use case that SQS was built for - and it is high performance and resilient.</p> <h2> How to address complex requirements </h2> <p>For some use cases, special requirements had to be implemented.</p> <p>First, for some scenarios, messages should be processed in order. <a href="https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-fifo-queues.html" rel="noopener noreferrer">SQS FIFO queues</a> support this feature. By specifying the same <a href="https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/FIFO-key-terms.html" rel="noopener noreferrer">message group ID</a>, it is possible to process messages of that message group ID in sequence. In Smart Manufacturing applications this can be a production plant, a shop order or something similar.</p> <p>Second, there was a need to limit the number of messages sent to the target system in parallel. AWS scales quickly, but some target systems have limited capacity. This is also possible in AWS. There is an attribute called <a href="https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda_event_sources-readme.html#sqs" rel="noopener noreferrer">maxConcurrency</a> that limits the number of concurrent Lambda invocations when processing an SQS queue. When using CDK, this attribute can be specified when subscribing the Lambda function to the SQS queue:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="nx">lambdaFunction</span><span class="p">.</span><span class="nf">addEventSource</span><span class="p">(</span><span class="k">new</span> <span class="nx">sources</span><span class="p">.</span><span class="nc">SqsEventSource</span><span class="p">(</span><span class="nx">queue</span><span class="p">,</span> <span class="p">{</span> <span class="na">maxConcurrency</span><span class="p">:</span> <span class="mi">2</span><span class="p">,</span> <span class="p">}));</span> </code></pre> </div> <h2> Summary </h2> <p>In comparison to trends like GenAI, integration applications are nothing really impressive. On the other hand, this example shows that basic services like SQS can be the foundation for IT applications and IT landscapes. IT applications can be cloud applications - or on-premises applications enhanced by cloud integration services.</p> aws sqs queues integration Deploy Amazon Q Business with AWS CDK - example and best practices Julian Michel Sun, 11 Aug 2024 20:52:26 +0000 https://dev.to/aws-builders/deploy-amazon-q-business-with-aws-cdk-example-and-best-practices-4ff8 https://dev.to/aws-builders/deploy-amazon-q-business-with-aws-cdk-example-and-best-practices-4ff8 <p>Amazon Q Business, like almost all other AWS services, can be configured using the AWS Console. To deploy it in production environments, you probably want to use Infrastructure as Code to avoid manual configuration tasks. This blog post shows how to deploy Amazon Q Business using AWS CDK, including a Confluence integration as a data source. For some basic understanding, take a look at the <a href="https://dev.to/aws-builders/how-to-build-an-enterprise-chatbot-with-amazon-q-business-to-integrate-confluence-data-228j">previous blog post</a> where I configured everything manually and also described the prerequisites such as AWS IAM Identity Center.</p> <p>Currently, only L1 constructs based on CloudFormation resource types are supported. Using the L1 construct is more complicated. However, I implemented the CDK code based on my previous manual configuration, which was very helpful.</p> <p>You can also find the full source code in my <a href="https://github.com/jumic/cdk-q-business-confluence" rel="noopener noreferrer">GitHub repo</a>.</p> <h2> Q Business CloudFormation resource types overview </h2> <p>CloudFormation provides six <a href="https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_QBusiness.html" rel="noopener noreferrer">resource types</a> for deploying Q Business:</p> <ul> <li> <a href="https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-qbusiness-application.html" rel="noopener noreferrer">AWS::QBusiness::Application</a> - The main application</li> <li> <a href="https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-qbusiness-index.html" rel="noopener noreferrer">AWS::QBusiness::Index</a> - The index that contains the knowledge imported from the data sources</li> <li> <a href="https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-qbusiness-retriever.html" rel="noopener noreferrer">AWS::QBusiness::Retriever</a> - The retriever that reads data from the index for Q Business conversations</li> <li> <a href="https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-qbusiness-webexperience.html" rel="noopener noreferrer">AWS::QBusiness::WebExperience</a> - The frontend application</li> <li> <a href="https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-qbusiness-datasource.html" rel="noopener noreferrer">AWS::QBusiness::DataSource</a> - Configuration of data sources</li> <li> <a href="https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-qbusiness-plugin.html" rel="noopener noreferrer">AWS::QBusiness::Plugin</a> - Q Business plugins (e.g. Jira write access) - not used in this example</li> </ul> <p>Most resources require IAM roles. In this blog post, we will first create the IAM role for each resource and then create the Q-Business resource.</p> <h2> Getting started with the AWS CDK project </h2> <p>This project is based on a new AWS CDK TypeScript project. In my sample project, I have added configuration variables for the AWS IAM Identity Center ARN (<code>identityCenterInstanceArn</code>) and the URL of the Confluence data source (<code>confluenceHostUrl</code>). Feel free to add more/other configuration variables - this is sufficient for my sample project.</p> <p>File <code>bin/cdk-q-business-confluence.ts</code> contains values for these configuration options.</p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code> <span class="k">new</span> <span class="nc">CdkQBusinessConfluenceStack</span><span class="p">(</span> <span class="nx">app</span><span class="p">,</span> <span class="dl">'</span><span class="s1">CdkQBusinessConfluenceStack</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">identityCenterInstanceArn</span><span class="p">:</span> <span class="dl">'</span><span class="s1">arn:aws:sso:::instance/ssoins-123467890abc</span><span class="dl">'</span><span class="p">,</span> <span class="na">confluenceHostUrl</span><span class="p">:</span> <span class="dl">'</span><span class="s1">https://my-domain.atlassian.net/</span><span class="dl">'</span><span class="p">,</span> <span class="p">},</span> <span class="p">);</span> </code></pre> </div> <p>These values are passed to the CDK Stack that is deployed (see filename <code>lib/cdk-q-business-confluence-stack.ts</code>).</p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code> <span class="kr">interface</span> <span class="nx">QBusinessStackProps</span> <span class="kd">extends</span> <span class="nx">cdk</span><span class="p">.</span><span class="nx">StackProps</span> <span class="p">{</span> <span class="nl">identityCenterInstanceArn</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">confluenceHostUrl</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="p">}</span> <span class="k">export</span> <span class="kd">class</span> <span class="nc">CdkQBusinessConfluenceStack</span> <span class="kd">extends</span> <span class="nc">cdk</span><span class="p">.</span><span class="nx">Stack</span> <span class="p">{</span> <span class="nf">constructor</span><span class="p">(</span> <span class="nx">scope</span><span class="p">:</span> <span class="nx">Construct</span><span class="p">,</span> <span class="nx">id</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">props</span><span class="p">:</span> <span class="nx">QBusinessStackProps</span><span class="p">,</span> <span class="p">)</span> <span class="p">{</span> <span class="k">super</span><span class="p">(</span><span class="nx">scope</span><span class="p">,</span> <span class="nx">id</span><span class="p">,</span> <span class="nx">props</span><span class="p">);</span> </code></pre> </div> <h2> Confluence authentication credentials </h2> <p>Q Business reads data from Confluence to add it to the index. The credentials are stored in a Secret Manager Secret, which is created first. The encryption key is only used for the secret - feel free to use it to encrypt data in Q Business itself (my cluster is currently unencrypted as it only contains test data generated for this purpose).</p> <p>The source code doesn't contain the actual secrets - they have to be maintained manually in the Secrets Manager in the AWS console. If you also want to deploy your secrets/passwords with AWS CDK, use the <a href="https://github.com/dbsystel/cdk-sops-secrets" rel="noopener noreferrer">cdk-sops-secrets</a> library, which supports this in a secure way.</p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code> <span class="kd">const</span> <span class="nx">encryptionKey</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">kms</span><span class="p">.</span><span class="nc">Key</span><span class="p">(</span> <span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">QBusinessKey</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">alias</span><span class="p">:</span> <span class="dl">'</span><span class="s1">QBusinessKey</span><span class="dl">'</span><span class="p">,</span> <span class="na">pendingWindow</span><span class="p">:</span> <span class="nx">cdk</span><span class="p">.</span><span class="nx">Duration</span><span class="p">.</span><span class="nf">days</span><span class="p">(</span><span class="mi">7</span><span class="p">),</span> <span class="na">removalPolicy</span><span class="p">:</span> <span class="nx">cdk</span><span class="p">.</span><span class="nx">RemovalPolicy</span><span class="p">.</span><span class="nx">DESTROY</span><span class="p">,</span> <span class="c1">// for testing only</span> <span class="p">},</span> <span class="p">);</span> <span class="kd">const</span> <span class="nx">secret</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">secretsmanager</span><span class="p">.</span><span class="nc">Secret</span><span class="p">(</span> <span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">Secret</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">secretObjectValue</span><span class="p">:</span> <span class="p">{</span> <span class="na">username</span><span class="p">:</span> <span class="nx">cdk</span><span class="p">.</span><span class="nx">SecretValue</span><span class="p">.</span><span class="nf">unsafePlainText</span><span class="p">(</span> <span class="dl">'</span><span class="s1">dummy value - please chanage manually after deployment</span><span class="dl">'</span><span class="p">,</span> <span class="p">),</span> <span class="na">hostUrl</span><span class="p">:</span> <span class="nx">cdk</span><span class="p">.</span><span class="nx">SecretValue</span><span class="p">.</span><span class="nf">unsafePlainText</span><span class="p">(</span> <span class="dl">'</span><span class="s1">dummy value - please chanage manually after deployment</span><span class="dl">'</span><span class="p">,</span> <span class="p">),</span> <span class="na">password</span><span class="p">:</span> <span class="nx">cdk</span><span class="p">.</span><span class="nx">SecretValue</span><span class="p">.</span><span class="nf">unsafePlainText</span><span class="p">(</span> <span class="dl">'</span><span class="s1">dummy value - please chanage manually after deployment</span><span class="dl">'</span><span class="p">,</span> <span class="p">),</span> <span class="p">},</span> <span class="nx">encryptionKey</span><span class="p">,</span> <span class="p">},</span> <span class="p">);</span> </code></pre> </div> <h2> IAM policy and role for the Q Business application </h2> <p>The Q Business application mainly requires some CloudWatch Logs permissions.</p> <p>How do I determine which permissions are required? I first configured Q Business manually. It provides options to automatically generate all required IAM roles. Then I transferred the permissions to the AWS CDK code. I recommend doing this for all IAM roles used in Q Business as long as no L2 Construct is available in AWS CDK.</p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code> <span class="kd">const</span> <span class="nx">applicationPolicy</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">iam</span><span class="p">.</span><span class="nc">ManagedPolicy</span><span class="p">(</span> <span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">ApplicationPolicy</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">statements</span><span class="p">:</span> <span class="p">[</span> <span class="k">new</span> <span class="nx">iam</span><span class="p">.</span><span class="nc">PolicyStatement</span><span class="p">({</span> <span class="na">sid</span><span class="p">:</span> <span class="dl">'</span><span class="s1">AmazonQApplicationPutMetricDataPermission</span><span class="dl">'</span><span class="p">,</span> <span class="na">actions</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">cloudwatch:PutMetricData</span><span class="dl">'</span><span class="p">],</span> <span class="na">resources</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">*</span><span class="dl">'</span><span class="p">],</span> <span class="na">conditions</span><span class="p">:</span> <span class="p">{</span> <span class="na">StringEquals</span><span class="p">:</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">cloudwatch:namespace</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">AWS/QBusiness</span><span class="dl">'</span><span class="p">,</span> <span class="p">},</span> <span class="p">},</span> <span class="p">}),</span> <span class="k">new</span> <span class="nx">iam</span><span class="p">.</span><span class="nc">PolicyStatement</span><span class="p">({</span> <span class="na">sid</span><span class="p">:</span> <span class="dl">'</span><span class="s1">AmazonQApplicationDescribeLogGroupsPermission</span><span class="dl">'</span><span class="p">,</span> <span class="na">actions</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">logs:DescribeLogGroups</span><span class="dl">'</span><span class="p">],</span> <span class="na">resources</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">*</span><span class="dl">'</span><span class="p">],</span> <span class="p">}),</span> <span class="k">new</span> <span class="nx">iam</span><span class="p">.</span><span class="nc">PolicyStatement</span><span class="p">({</span> <span class="na">sid</span><span class="p">:</span> <span class="dl">'</span><span class="s1">AmazonQApplicationCreateLogGroupPermission</span><span class="dl">'</span><span class="p">,</span> <span class="na">actions</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">logs:CreateLogGroup</span><span class="dl">'</span><span class="p">],</span> <span class="na">resources</span><span class="p">:</span> <span class="p">[</span> <span class="s2">`arn:aws:logs:</span><span class="p">${</span><span class="k">this</span><span class="p">.</span><span class="nx">region</span><span class="p">}</span><span class="s2">:</span><span class="p">${</span><span class="k">this</span><span class="p">.</span><span class="nx">account</span><span class="p">}</span><span class="s2">:log-group:/aws/qbusiness/*`</span><span class="p">,</span> <span class="p">],</span> <span class="p">}),</span> <span class="k">new</span> <span class="nx">iam</span><span class="p">.</span><span class="nc">PolicyStatement</span><span class="p">({</span> <span class="na">sid</span><span class="p">:</span> <span class="dl">'</span><span class="s1">AmazonQApplicationLogStreamPermission</span><span class="dl">'</span><span class="p">,</span> <span class="na">actions</span><span class="p">:</span> <span class="p">[</span> <span class="dl">'</span><span class="s1">logs:DescribeLogStreams</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">logs:CreateLogStream</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">logs:PutLogEvents</span><span class="dl">'</span><span class="p">,</span> <span class="p">],</span> <span class="na">resources</span><span class="p">:</span> <span class="p">[</span> <span class="s2">`arn:aws:logs:</span><span class="p">${</span><span class="k">this</span><span class="p">.</span><span class="nx">region</span><span class="p">}</span><span class="s2">:</span><span class="p">${</span><span class="k">this</span><span class="p">.</span><span class="nx">account</span><span class="p">}</span><span class="s2">:log-group:/aws/qbusiness/*:log-stream:*`</span><span class="p">,</span> <span class="p">],</span> <span class="p">}),</span> <span class="p">],</span> <span class="p">},</span> <span class="p">);</span> <span class="kd">const</span> <span class="nx">applicationRole</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">iam</span><span class="p">.</span><span class="nc">Role</span><span class="p">(</span> <span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">ApplicationRole</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">assumedBy</span><span class="p">:</span> <span class="k">new</span> <span class="nx">iam</span><span class="p">.</span><span class="nc">ServicePrincipal</span><span class="p">(</span> <span class="dl">'</span><span class="s1">qbusiness.amazonaws.com</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">conditions</span><span class="p">:</span> <span class="p">{</span> <span class="na">StringEquals</span><span class="p">:</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">aws:SourceAccount</span><span class="dl">'</span><span class="p">:</span> <span class="k">this</span><span class="p">.</span><span class="nx">account</span><span class="p">,</span> <span class="p">},</span> <span class="na">ArnLike</span><span class="p">:</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">aws:SourceArn</span><span class="dl">'</span><span class="p">:</span> <span class="s2">`arn:aws:qbusiness:</span><span class="p">${</span><span class="k">this</span><span class="p">.</span><span class="nx">region</span><span class="p">}</span><span class="s2">:</span><span class="p">${</span><span class="k">this</span><span class="p">.</span><span class="nx">account</span><span class="p">}</span><span class="s2">:application/*`</span><span class="p">,</span> <span class="p">},</span> <span class="p">},</span> <span class="p">},</span> <span class="p">),</span> <span class="na">managedPolicies</span><span class="p">:</span> <span class="p">[</span><span class="nx">applicationPolicy</span><span class="p">],</span> <span class="p">},</span> <span class="p">);</span> </code></pre> </div> <h2> Q Business application </h2> <p>The Q Business application itself has only a few parameters. Always check which additional parameters are supported, e.g. you need to specify an encryption key if you want to encrypt data in Q Business.</p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code> <span class="kd">const</span> <span class="nx">application</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">q</span><span class="p">.</span><span class="nc">CfnApplication</span><span class="p">(</span> <span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">Application</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">displayName</span><span class="p">:</span> <span class="dl">'</span><span class="s1">CDK_QBusiness</span><span class="dl">'</span><span class="p">,</span> <span class="na">identityCenterInstanceArn</span><span class="p">:</span> <span class="nx">props</span><span class="p">.</span><span class="nx">identityCenterInstanceArn</span><span class="p">,</span> <span class="na">roleArn</span><span class="p">:</span> <span class="nx">applicationRole</span><span class="p">.</span><span class="nx">roleArn</span><span class="p">,</span> <span class="p">},</span> <span class="p">);</span> </code></pre> </div> <h2> Q Business index </h2> <p>The Q Business index stores the knowledge from the data sources. In the example, a starter index type is configured with one capacity unit.</p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code> <span class="kd">const</span> <span class="nx">index</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">q</span><span class="p">.</span><span class="nc">CfnIndex</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">Index</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">type</span><span class="p">:</span> <span class="dl">'</span><span class="s1">STARTER</span><span class="dl">'</span><span class="p">,</span> <span class="na">capacityConfiguration</span><span class="p">:</span> <span class="p">{</span> <span class="na">units</span><span class="p">:</span> <span class="mi">1</span><span class="p">,</span> <span class="p">},</span> <span class="na">applicationId</span><span class="p">:</span> <span class="nx">application</span><span class="p">.</span><span class="nx">attrApplicationId</span><span class="p">,</span> <span class="na">displayName</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Index</span><span class="dl">'</span><span class="p">,</span> <span class="p">});</span> </code></pre> </div> <h2> Q Business retriever </h2> <p>The Q Business retriever is used to read the data from the index when users interact with the Q Business. You must specify the index type (in this example <code>NATIVE_INDEX</code> instead of using <a href="https://aws.amazon.com/kendra/" rel="noopener noreferrer">Amazon Kendra</a>) and a reference to the index itself.</p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code> <span class="k">new</span> <span class="nx">q</span><span class="p">.</span><span class="nc">CfnRetriever</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">Retriever</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">type</span><span class="p">:</span> <span class="dl">'</span><span class="s1">NATIVE_INDEX</span><span class="dl">'</span><span class="p">,</span> <span class="na">applicationId</span><span class="p">:</span> <span class="nx">application</span><span class="p">.</span><span class="nx">attrApplicationId</span><span class="p">,</span> <span class="na">displayName</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Retriever</span><span class="dl">'</span><span class="p">,</span> <span class="na">configuration</span><span class="p">:</span> <span class="p">{</span> <span class="na">nativeIndexConfiguration</span><span class="p">:</span> <span class="p">{</span> <span class="na">indexId</span><span class="p">:</span> <span class="nx">index</span><span class="p">.</span><span class="nx">attrIndexId</span><span class="p">,</span> <span class="p">},</span> <span class="p">},</span> <span class="p">});</span> </code></pre> </div> <h2> IAM policy and role for the Q Business web experience </h2> <p>The Q Business web experience is the frontend for Q Business. It requires permissions to interact with Q Business and to use and create Q Business apps.</p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code> <span class="kd">const</span> <span class="nx">principal</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">iam</span><span class="p">.</span><span class="nc">ServicePrincipal</span><span class="p">(</span> <span class="dl">'</span><span class="s1">application.qbusiness.amazonaws.com</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">conditions</span><span class="p">:</span> <span class="p">{</span> <span class="na">StringEquals</span><span class="p">:</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">aws:SourceAccount</span><span class="dl">'</span><span class="p">:</span> <span class="k">this</span><span class="p">.</span><span class="nx">account</span><span class="p">,</span> <span class="p">},</span> <span class="na">ArnEquals</span><span class="p">:</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">aws:SourceArn</span><span class="dl">'</span><span class="p">:</span> <span class="nx">application</span><span class="p">.</span><span class="nx">attrApplicationArn</span><span class="p">,</span> <span class="p">},</span> <span class="p">},</span> <span class="p">},</span> <span class="p">);</span> <span class="kd">const</span> <span class="nx">webExperiencePolicy</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">iam</span><span class="p">.</span><span class="nc">ManagedPolicy</span><span class="p">(</span> <span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">WebExperiencePolicy</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">statements</span><span class="p">:</span> <span class="p">[</span> <span class="k">new</span> <span class="nx">iam</span><span class="p">.</span><span class="nc">PolicyStatement</span><span class="p">({</span> <span class="na">sid</span><span class="p">:</span> <span class="dl">'</span><span class="s1">QBusinessConversationPermission</span><span class="dl">'</span><span class="p">,</span> <span class="na">actions</span><span class="p">:</span> <span class="p">[</span> <span class="dl">'</span><span class="s1">qbusiness:Chat</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">qbusiness:ChatSync</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">qbusiness:ListMessages</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">qbusiness:ListConversations</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">qbusiness:DeleteConversation</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">qbusiness:PutFeedback</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">qbusiness:GetWebExperience</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">qbusiness:GetApplication</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">qbusiness:ListPlugins</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">qbusiness:GetChatControlsConfiguration</span><span class="dl">'</span><span class="p">,</span> <span class="p">],</span> <span class="na">resources</span><span class="p">:</span> <span class="p">[</span><span class="nx">application</span><span class="p">.</span><span class="nx">attrApplicationArn</span><span class="p">],</span> <span class="p">}),</span> <span class="k">new</span> <span class="nx">iam</span><span class="p">.</span><span class="nc">PolicyStatement</span><span class="p">({</span> <span class="na">sid</span><span class="p">:</span> <span class="dl">'</span><span class="s1">QBusinessQAppsPermissions</span><span class="dl">'</span><span class="p">,</span> <span class="na">actions</span><span class="p">:</span> <span class="p">[</span> <span class="dl">'</span><span class="s1">qapps:CreateQApp</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">qapps:PredictProblemStatementFromConversation</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">qapps:PredictQAppFromProblemStatement</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">qapps:CopyQApp</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">qapps:GetQApp</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">qapps:ListQApps</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">qapps:UpdateQApp</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">qapps:DeleteQApp</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">qapps:AssociateQAppWithUser</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">qapps:DisassociateQAppFromUser</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">qapps:ImportDocumentToQApp</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">qapps:ImportDocumentToQAppSession</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">qapps:CreateLibraryItem</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">qapps:GetLibraryItem</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">qapps:UpdateLibraryItem</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">qapps:CreateLibraryItemReview</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">qapps:ListLibraryItems</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">qapps:CreateSubscriptionToken</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">qapps:StartQAppSession</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">qapps:StopQAppSession</span><span class="dl">'</span><span class="p">,</span> <span class="p">],</span> <span class="na">resources</span><span class="p">:</span> <span class="p">[</span><span class="nx">application</span><span class="p">.</span><span class="nx">attrApplicationArn</span><span class="p">],</span> <span class="p">}),</span> <span class="p">],</span> <span class="p">},</span> <span class="p">);</span> <span class="kd">const</span> <span class="nx">webExperienceRole</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">iam</span><span class="p">.</span><span class="nc">Role</span><span class="p">(</span> <span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">WebExperienceRole</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">assumedBy</span><span class="p">:</span> <span class="nx">principal</span><span class="p">,</span> <span class="na">managedPolicies</span><span class="p">:</span> <span class="p">[</span><span class="nx">webExperiencePolicy</span><span class="p">],</span> <span class="p">},</span> <span class="p">);</span> <span class="nx">webExperienceRole</span><span class="p">.</span><span class="nx">assumeRolePolicy</span><span class="p">?.</span><span class="nf">addStatements</span><span class="p">(</span> <span class="k">new</span> <span class="nx">iam</span><span class="p">.</span><span class="nc">PolicyStatement</span><span class="p">({</span> <span class="na">actions</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">sts:SetContext</span><span class="dl">'</span><span class="p">],</span> <span class="na">principals</span><span class="p">:</span> <span class="p">[</span><span class="nx">principal</span><span class="p">],</span> <span class="p">}),</span> <span class="p">);</span> </code></pre> </div> <h2> Q Business web experience </h2> <p>In the web experience, specify the IAM role. No additional configuration is required if you use the defaults.</p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code> <span class="k">new</span> <span class="nx">q</span><span class="p">.</span><span class="nc">CfnWebExperience</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">WebExperience</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">applicationId</span><span class="p">:</span> <span class="nx">application</span><span class="p">.</span><span class="nx">attrApplicationId</span><span class="p">,</span> <span class="na">roleArn</span><span class="p">:</span> <span class="nx">webExperienceRole</span><span class="p">.</span><span class="nx">roleArn</span><span class="p">,</span> <span class="p">});</span> </code></pre> </div> <h2> IAM policy and role for the Q Business Confluence Data Source </h2> <p>The data source configurations specify which source systems will be integrated with Q Business. For example, it requires permissions to create and delete documents in order to ingest the necessary data into Q Business.</p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code> <span class="kd">const</span> <span class="nx">confluenceDataSourcePolicy</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">iam</span><span class="p">.</span><span class="nc">ManagedPolicy</span><span class="p">(</span> <span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">ConfluenceDataSourcePolicy</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">statements</span><span class="p">:</span> <span class="p">[</span> <span class="k">new</span> <span class="nx">iam</span><span class="p">.</span><span class="nc">PolicyStatement</span><span class="p">({</span> <span class="na">sid</span><span class="p">:</span> <span class="dl">'</span><span class="s1">AllowsAmazonQToGetS3Objects</span><span class="dl">'</span><span class="p">,</span> <span class="na">actions</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">s3:GetObject</span><span class="dl">'</span><span class="p">],</span> <span class="na">resources</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">arn:aws:s3:::bucket/*</span><span class="dl">'</span><span class="p">],</span> <span class="na">conditions</span><span class="p">:</span> <span class="p">{</span> <span class="na">StringEquals</span><span class="p">:</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">aws:ResourceAccount</span><span class="dl">'</span><span class="p">:</span> <span class="k">this</span><span class="p">.</span><span class="nx">account</span><span class="p">,</span> <span class="p">},</span> <span class="p">},</span> <span class="p">}),</span> <span class="k">new</span> <span class="nx">iam</span><span class="p">.</span><span class="nc">PolicyStatement</span><span class="p">({</span> <span class="na">sid</span><span class="p">:</span> <span class="dl">'</span><span class="s1">AllowsAmazonQToGetSecret</span><span class="dl">'</span><span class="p">,</span> <span class="na">actions</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">secretsmanager:GetSecretValue</span><span class="dl">'</span><span class="p">],</span> <span class="na">resources</span><span class="p">:</span> <span class="p">[</span><span class="nx">secret</span><span class="p">.</span><span class="nx">secretArn</span><span class="p">],</span> <span class="p">}),</span> <span class="k">new</span> <span class="nx">iam</span><span class="p">.</span><span class="nc">PolicyStatement</span><span class="p">({</span> <span class="na">sid</span><span class="p">:</span> <span class="dl">'</span><span class="s1">AllowsAmazonQToDecryptSecret</span><span class="dl">'</span><span class="p">,</span> <span class="na">actions</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">kms:Decrypt</span><span class="dl">'</span><span class="p">],</span> <span class="na">resources</span><span class="p">:</span> <span class="p">[</span><span class="nx">encryptionKey</span><span class="p">.</span><span class="nx">keyArn</span><span class="p">],</span> <span class="na">conditions</span><span class="p">:</span> <span class="p">{</span> <span class="na">StringLike</span><span class="p">:</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">kms:ViaService</span><span class="dl">'</span><span class="p">:</span> <span class="p">[</span> <span class="dl">'</span><span class="s1">secretsmanager.*.amazonaws.com</span><span class="dl">'</span><span class="p">,</span> <span class="p">],</span> <span class="p">},</span> <span class="p">},</span> <span class="p">}),</span> <span class="k">new</span> <span class="nx">iam</span><span class="p">.</span><span class="nc">PolicyStatement</span><span class="p">({</span> <span class="na">sid</span><span class="p">:</span> <span class="dl">'</span><span class="s1">AllowsAmazonQToIngestDocuments</span><span class="dl">'</span><span class="p">,</span> <span class="na">actions</span><span class="p">:</span> <span class="p">[</span> <span class="dl">'</span><span class="s1">qbusiness:BatchPutDocument</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">qbusiness:BatchDeleteDocument</span><span class="dl">'</span><span class="p">,</span> <span class="p">],</span> <span class="na">resources</span><span class="p">:</span> <span class="p">[</span><span class="nx">index</span><span class="p">.</span><span class="nx">attrIndexArn</span><span class="p">],</span> <span class="p">}),</span> <span class="k">new</span> <span class="nx">iam</span><span class="p">.</span><span class="nc">PolicyStatement</span><span class="p">({</span> <span class="na">sid</span><span class="p">:</span> <span class="dl">'</span><span class="s1">AllowsAmazonQToIngestPrincipalMapping</span><span class="dl">'</span><span class="p">,</span> <span class="na">actions</span><span class="p">:</span> <span class="p">[</span> <span class="dl">'</span><span class="s1">qbusiness:PutGroup</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">qbusiness:CreateUser</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">qbusiness:DeleteGroup</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">qbusiness:UpdateUser</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">qbusiness:ListGroups</span><span class="dl">'</span><span class="p">,</span> <span class="p">],</span> <span class="na">resources</span><span class="p">:</span> <span class="p">[</span> <span class="nx">application</span><span class="p">.</span><span class="nx">attrApplicationArn</span><span class="p">,</span> <span class="nx">index</span><span class="p">.</span><span class="nx">attrIndexArn</span><span class="p">,</span> <span class="s2">`</span><span class="p">${</span><span class="nx">index</span><span class="p">.</span><span class="nx">attrIndexArn</span><span class="p">}</span><span class="s2">/data-source/*`</span><span class="p">,</span> <span class="p">],</span> <span class="p">}),</span> <span class="p">],</span> <span class="p">},</span> <span class="p">);</span> <span class="kd">const</span> <span class="nx">confluenceDataSourceRole</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">iam</span><span class="p">.</span><span class="nc">Role</span><span class="p">(</span> <span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">ConfluenceDataSourceRole</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">assumedBy</span><span class="p">:</span> <span class="k">new</span> <span class="nx">iam</span><span class="p">.</span><span class="nc">ServicePrincipal</span><span class="p">(</span> <span class="dl">'</span><span class="s1">qbusiness.amazonaws.com</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">conditions</span><span class="p">:</span> <span class="p">{</span> <span class="na">StringEquals</span><span class="p">:</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">aws:SourceAccount</span><span class="dl">'</span><span class="p">:</span> <span class="k">this</span><span class="p">.</span><span class="nx">account</span><span class="p">,</span> <span class="p">},</span> <span class="na">ArnEquals</span><span class="p">:</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">aws:SourceArn</span><span class="dl">'</span><span class="p">:</span> <span class="nx">application</span><span class="p">.</span><span class="nx">attrApplicationArn</span><span class="p">,</span> <span class="p">},</span> <span class="p">},</span> <span class="p">},</span> <span class="p">),</span> <span class="na">managedPolicies</span><span class="p">:</span> <span class="p">[</span><span class="nx">confluenceDataSourcePolicy</span><span class="p">],</span> <span class="p">},</span> </code></pre> </div> <h2> Q Business Confluence Data Source </h2> <p>The data source configuration must be repeated for each data source. It contains a display name, the role created earlier and a configuration (which is still empty).</p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code> <span class="k">new</span> <span class="nx">q</span><span class="p">.</span><span class="nc">CfnDataSource</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">ConfluenceDataSource</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">applicationId</span><span class="p">:</span> <span class="nx">application</span><span class="p">.</span><span class="nx">attrApplicationId</span><span class="p">,</span> <span class="na">displayName</span><span class="p">:</span> <span class="dl">'</span><span class="s1">ConfluenceDataSource</span><span class="dl">'</span><span class="p">,</span> <span class="na">indexId</span><span class="p">:</span> <span class="nx">index</span><span class="p">.</span><span class="nx">attrIndexId</span><span class="p">,</span> <span class="na">configuration</span><span class="p">:</span> <span class="p">{},</span> <span class="na">roleArn</span><span class="p">:</span> <span class="nx">confluenceDataSourceRole</span><span class="p">.</span><span class="nx">roleArn</span><span class="p">,</span> <span class="p">});</span> </code></pre> </div> <p>In my opinion, the <code>configuration</code> attribute is the most complex part of the documentation. It contains the configuration options that are specific to each data source. This means that each data source has its own set of attributes. The attributes are described in a JSON Schema (see <a href="https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-qbusiness-datasource.html#cfn-qbusiness-datasource-configuration" rel="noopener noreferrer">CloudFormation documentation</a>).</p> <p>To get the specific JSON Schema, go to the <a href="https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/connectors-list.html" rel="noopener noreferrer">list of available connectors</a> and select the source system. In chapter "Using the API" you will find the specific JSON Schema, such as the <a href="https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/confluence-cloud-api.html" rel="noopener noreferrer">Confluence JSON Schema</a>.</p> <p>I started writing the configuration with the help of the <a href="https://www.jsonschemavalidator.net/" rel="noopener noreferrer">JSON Schema Validator</a> to be sure that I will match the schema. For the basic fields I managed to specify all the information. When I got to the more complex <code>repositoryConfigurations</code> section with the field mappings, I was looking for a simpler solution.</p> <p>I decided to use the <a href="https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/generate-IaC.html" rel="noopener noreferrer">CloudFormation IaC (infrastructure as code generator) generator</a> for the first time. It can generate CloudFormation code based on manually created resources. I assumed that it would output the entire configuration including the field mappings. Unfortunately, the scan didn't show any Q Business resources because Q Business is <a href="https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/resource-import-supported-resources.html" rel="noopener noreferrer">not yet supported</a> in the IaC generator.</p> <p>Since the IaC generator doesn't work for this scenario, I tested the AWS CLI. First, go to the AWS console and open the data source you want to use as a template. The URL will contain three GUIDs that need to be specified in the CLI command: <br> <a href="https://us-east-1.console.aws.amazon.com/amazonq/business/applications/60935d06-f061-4b67-a7ef-6a3e748ed97b/indices/cab1f65f-1666-431c-836a-2e9f8d993c35/datasources/81675834-6e45-4698-aa46-f788b9809e92/details" rel="noopener noreferrer">https://us-east-1.console.aws.amazon.com/amazonq/business/applications/60935d06-f061-4b67-a7ef-6a3e748ed97b/indices/cab1f65f-1666-431c-836a-2e9f8d993c35/datasources/81675834-6e45-4698-aa46-f788b9809e92/details</a></p> <p>Paste the GUIDs into the <code>get-data-source</code> command and run the command.</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> aws qbusiness get-data-source <span class="se">\</span> <span class="nt">--application-id</span> 60935d06-f061-4b67-a7ef-6a3e748ed97b <span class="se">\</span> <span class="nt">--index</span> cab1f65f-1666-431c-836a-2e9f8d993c35 <span class="se">\</span> <span class="nt">--data-source-id</span> 81675834-6e45-4698-aa46-f788b9809e92 </code></pre> </div> <p>As a result, you get the full JSON configuration needed for the configuration (the screenshot only shows the first few lines).<br> <a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzjthyf218hsfh4s2q1hs.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzjthyf218hsfh4s2q1hs.png" alt="CLI command output"></a></p> <p>Now I copied this configuration into the <code>configuration</code> attribute. I changed some of the values, such as a dynamic reference to the secret and the host URL. It looks complex, but it contains everything needed to deploy the data source.</p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code> <span class="k">new</span> <span class="nx">q</span><span class="p">.</span><span class="nc">CfnDataSource</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">ConfluenceDataSource</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">applicationId</span><span class="p">:</span> <span class="nx">application</span><span class="p">.</span><span class="nx">attrApplicationId</span><span class="p">,</span> <span class="na">displayName</span><span class="p">:</span> <span class="dl">'</span><span class="s1">ConfluenceDataSource</span><span class="dl">'</span><span class="p">,</span> <span class="na">indexId</span><span class="p">:</span> <span class="nx">index</span><span class="p">.</span><span class="nx">attrIndexId</span><span class="p">,</span> <span class="na">configuration</span><span class="p">:</span> <span class="p">{</span> <span class="na">secretArn</span><span class="p">:</span> <span class="nx">secret</span><span class="p">.</span><span class="nx">secretArn</span><span class="p">,</span> <span class="na">syncMode</span><span class="p">:</span> <span class="dl">'</span><span class="s1">FORCED_FULL_CRAWL</span><span class="dl">'</span><span class="p">,</span> <span class="na">enableIdentityCrawler</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">connectionConfiguration</span><span class="p">:</span> <span class="p">{</span> <span class="na">repositoryEndpointMetadata</span><span class="p">:</span> <span class="p">{</span> <span class="na">type</span><span class="p">:</span> <span class="dl">'</span><span class="s1">SAAS</span><span class="dl">'</span><span class="p">,</span> <span class="na">hostUrl</span><span class="p">:</span> <span class="nx">props</span><span class="p">.</span><span class="nx">confluenceHostUrl</span><span class="p">,</span> <span class="na">authType</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Basic</span><span class="dl">'</span><span class="p">,</span> <span class="p">},</span> <span class="p">},</span> <span class="na">repositoryConfigurations</span><span class="p">:</span> <span class="p">{</span> <span class="na">space</span><span class="p">:</span> <span class="p">{</span> <span class="na">fieldMappings</span><span class="p">:</span> <span class="p">[</span> <span class="p">{</span> <span class="na">dataSourceFieldName</span><span class="p">:</span> <span class="dl">'</span><span class="s1">itemType</span><span class="dl">'</span><span class="p">,</span> <span class="na">indexFieldName</span><span class="p">:</span> <span class="dl">'</span><span class="s1">_category</span><span class="dl">'</span><span class="p">,</span> <span class="na">indexFieldType</span><span class="p">:</span> <span class="dl">'</span><span class="s1">STRING</span><span class="dl">'</span><span class="p">,</span> <span class="p">},</span> <span class="p">{</span> <span class="na">dataSourceFieldName</span><span class="p">:</span> <span class="dl">'</span><span class="s1">url</span><span class="dl">'</span><span class="p">,</span> <span class="na">indexFieldName</span><span class="p">:</span> <span class="dl">'</span><span class="s1">_source_uri</span><span class="dl">'</span><span class="p">,</span> <span class="na">indexFieldType</span><span class="p">:</span> <span class="dl">'</span><span class="s1">STRING</span><span class="dl">'</span><span class="p">,</span> <span class="p">},</span> <span class="p">],</span> <span class="p">},</span> <span class="na">page</span><span class="p">:</span> <span class="p">{</span> <span class="na">fieldMappings</span><span class="p">:</span> <span class="p">[</span> <span class="p">{</span> <span class="na">dataSourceFieldName</span><span class="p">:</span> <span class="dl">'</span><span class="s1">itemType</span><span class="dl">'</span><span class="p">,</span> <span class="na">indexFieldName</span><span class="p">:</span> <span class="dl">'</span><span class="s1">_category</span><span class="dl">'</span><span class="p">,</span> <span class="na">indexFieldType</span><span class="p">:</span> <span class="dl">'</span><span class="s1">STRING</span><span class="dl">'</span><span class="p">,</span> <span class="p">},</span> <span class="p">{</span> <span class="na">dataSourceFieldName</span><span class="p">:</span> <span class="dl">'</span><span class="s1">url</span><span class="dl">'</span><span class="p">,</span> <span class="na">indexFieldName</span><span class="p">:</span> <span class="dl">'</span><span class="s1">_source_uri</span><span class="dl">'</span><span class="p">,</span> <span class="na">indexFieldType</span><span class="p">:</span> <span class="dl">'</span><span class="s1">STRING</span><span class="dl">'</span><span class="p">,</span> <span class="p">},</span> <span class="p">{</span> <span class="na">dataSourceFieldName</span><span class="p">:</span> <span class="dl">'</span><span class="s1">author</span><span class="dl">'</span><span class="p">,</span> <span class="na">indexFieldName</span><span class="p">:</span> <span class="dl">'</span><span class="s1">_authors</span><span class="dl">'</span><span class="p">,</span> <span class="na">indexFieldType</span><span class="p">:</span> <span class="dl">'</span><span class="s1">STRING_LIST</span><span class="dl">'</span><span class="p">,</span> <span class="p">},</span> <span class="p">{</span> <span class="na">dataSourceFieldName</span><span class="p">:</span> <span class="dl">'</span><span class="s1">createdDate</span><span class="dl">'</span><span class="p">,</span> <span class="na">indexFieldName</span><span class="p">:</span> <span class="dl">'</span><span class="s1">_created_at</span><span class="dl">'</span><span class="p">,</span> <span class="na">dateFieldFormat</span><span class="p">:</span> <span class="dl">"</span><span class="s2">yyyy-MM-dd'T'HH:mm:ss'Z'</span><span class="dl">"</span><span class="p">,</span> <span class="na">indexFieldType</span><span class="p">:</span> <span class="dl">'</span><span class="s1">DATE</span><span class="dl">'</span><span class="p">,</span> <span class="p">},</span> <span class="p">{</span> <span class="na">dataSourceFieldName</span><span class="p">:</span> <span class="dl">'</span><span class="s1">modifiedDate</span><span class="dl">'</span><span class="p">,</span> <span class="na">indexFieldName</span><span class="p">:</span> <span class="dl">'</span><span class="s1">_last_updated_at</span><span class="dl">'</span><span class="p">,</span> <span class="na">dateFieldFormat</span><span class="p">:</span> <span class="dl">"</span><span class="s2">yyyy-MM-dd'T'HH:mm:ss'Z'</span><span class="dl">"</span><span class="p">,</span> <span class="na">indexFieldType</span><span class="p">:</span> <span class="dl">'</span><span class="s1">DATE</span><span class="dl">'</span><span class="p">,</span> <span class="p">},</span> <span class="p">],</span> <span class="p">},</span> <span class="p">},</span> <span class="na">type</span><span class="p">:</span> <span class="dl">'</span><span class="s1">CONFLUENCEV2</span><span class="dl">'</span><span class="p">,</span> <span class="na">additionalProperties</span><span class="p">:</span> <span class="p">{</span> <span class="na">isCrawlPageComment</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="na">exclusionUrlPatterns</span><span class="p">:</span> <span class="p">[],</span> <span class="na">inclusionFileTypePatterns</span><span class="p">:</span> <span class="p">[],</span> <span class="na">isCrawlBlog</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="na">blogTitleRegEX</span><span class="p">:</span> <span class="p">[],</span> <span class="na">proxyPort</span><span class="p">:</span> <span class="dl">''</span><span class="p">,</span> <span class="na">inclusionUrlPatterns</span><span class="p">:</span> <span class="p">[],</span> <span class="na">attachmentTitleRegEX</span><span class="p">:</span> <span class="p">[],</span> <span class="na">includeSupportedFileType</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="na">isCrawlPage</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">fieldForUserId</span><span class="p">:</span> <span class="dl">'</span><span class="s1">uuid</span><span class="dl">'</span><span class="p">,</span> <span class="na">commentTitleRegEX</span><span class="p">:</span> <span class="p">[],</span> <span class="na">exclusionSpaceKeyFilter</span><span class="p">:</span> <span class="p">[],</span> <span class="na">isCrawlBlogAttachment</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="na">isCrawlPersonalSpace</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="na">exclusionFileTypePatterns</span><span class="p">:</span> <span class="p">[],</span> <span class="na">isCrawlPageAttachment</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="na">inclusionSpaceKeyFilter</span><span class="p">:</span> <span class="p">[],</span> <span class="na">maxFileSizeInMegaBytes</span><span class="p">:</span> <span class="dl">'</span><span class="s1">50</span><span class="dl">'</span><span class="p">,</span> <span class="na">proxyHost</span><span class="p">:</span> <span class="dl">''</span><span class="p">,</span> <span class="na">isCrawlArchivedSpace</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="na">isCrawlArchivedPage</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="na">isCrawlAcl</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">pageTitleRegEX</span><span class="p">:</span> <span class="p">[],</span> <span class="na">isCrawlBlogComment</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="p">},</span> <span class="p">},</span> <span class="na">roleArn</span><span class="p">:</span> <span class="nx">confluenceDataSourceRole</span><span class="p">.</span><span class="nx">roleArn</span><span class="p">,</span> <span class="p">});</span> </code></pre> </div> <p>At first, I only used the attributes where I specified a value. After getting this error in the AWS console, I specified all attributes, including empty values or false boolean values.</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> <p>We couldn't sync the following data source: 'ConfluenceDataSource',<br> at start time Aug 10, 2024, 5:05 PM GMT+2. Confluence Connector error<br> code: CNF-5133 Error message: The isCrawlPersonalSpace value is<br> invalid. Reason: isCrawlPersonalSpace should be a boolean value<br> true or false.</p> </code></pre> </div> <h2> <br> <br> <br> The deployment<br> </h2> <p>The CloudFormation stack deployed successfully - the CloudFormation deployment took 21 minutes (destroying it again took 25 minutes).</p> <p>I had to start synchronizing the data source manually because I didn't configure periodic synchronization. It is also necessary to assign users manually, as there is no CloudFormation resource for this.</p> <h2> Summary </h2> <p>After understanding the entire configuration, I was able to successfully deploy Q Business using AWS CDK. As a best practice, I can recommend to do the configuration manually for the first time and then use the IAM roles and the data source configuration created in the AWS console as a template. Especially the data source configuration, which is described in a JSON schema, is much easier if you can copy the values from the AWS CLI command. There are some reasonable default values there, such as mapping the source fields, which are hard to define on your own.</p> awscdk amazonqbusiness infrastructureascode automation Can I use GenAI services to predict football results? - My experience during European Football Championship 2024 Julian Michel Mon, 05 Aug 2024 19:42:15 +0000 https://dev.to/aws-builders/can-i-use-genai-services-to-predict-football-results-my-experience-during-european-football-championship-2024-312p https://dev.to/aws-builders/can-i-use-genai-services-to-predict-football-results-my-experience-during-european-football-championship-2024-312p <p>During the European Football Championship 2024, we had a football betting game in my company. Since GenAI is useful for many use cases, I decided to predict the results using GenAI technologies. This blog post shows my experience and which AWS services are suitable for this use case.</p> <h2> Getting started with Amazon PartyRock </h2> <p><a href="https://partyrock.aws/" rel="noopener noreferrer">Amazon PartyRock</a> is an <a href="https://aws.amazon.com/bedrock/" rel="noopener noreferrer">Amazon Bedrock</a> playground that's easy to use and free. So I decided to build a PartyRock app to predict football results. </p> <p>GenAI models also have some basic knowledge of football. As I wanted to increase the accuracy of the predictions, I created a csv-file with all the results of the qualification round. I extracted the results from the <a href="https://de.wikipedia.org/wiki/Fu%C3%9Fball-Europameisterschaft_2024/Qualifikation" rel="noopener noreferrer">German Wikipedia</a> as it was in a tabular format that I could easily convert to a csv-file. The <a href="https://en.wikipedia.org/wiki/UEFA_Euro_2024_qualifying_Group_A" rel="noopener noreferrer">English Wikipedia</a> page has more information. Since I only wanted to have the results, I decided to continue with the German Wikipedia page. </p> <p>I ended up with a simple <a href="https://partyrock.aws/u/jumic/cXf1la08f/European-Football-Championship-results" rel="noopener noreferrer">PartyRock application</a>. It contains an upload field for the csv-file and two text fields to enter the teams playing in the next game:<br> <a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftyxpocv6u7d7cr4zcsne.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftyxpocv6u7d7cr4zcsne.png" alt="PartyRock application" width="800" height="653"></a></p> <p>In the prompt I told the model to predict the results. At first it didn't predict any results because the csv-file with the previous results didn't contain enough information. After changing the prompt again and telling the model to use it's own knowledge, I got real results. The last part of that sentence was important: "Use the data from [Previous results] and <strong>also your knowledge</strong>."</p> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3a3r5gp5mrolls53c444.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3a3r5gp5mrolls53c444.png" alt="PartyRock prompt" width="800" height="732"></a></p> <p>No more settings were needed - PartyRock started predicting the results.<br> <a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fyax0tmiz0kxx34gmq3y4.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fyax0tmiz0kxx34gmq3y4.png" alt="PartyRock prediction" width="800" height="566"></a></p> <h2> Choosing the the best GenAI model </h2> <p>It's easy to compare the results of different GenAI models in PartyRock. You can simply add two text generation widgets with the same prompts and choose different models. I chose <a href="https://www.anthropic.com/news/claude-3-5-sonnet" rel="noopener noreferrer">Claude 3 Sonnet</a> and <a href="https://docs.ai21.com/docs/jurassic-2-models" rel="noopener noreferrer">Jurassic-2 Ultra</a>. PartyRock recognized that the Jurassic-2 model wasn't suitable for the complex task, so it chose <a href="https://www.anthropic.com/news/claude-3-haiku" rel="noopener noreferrer">Claude 3 Haiku</a> instead, which is also displayed in the PartyRock app.<br> <a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2k3tmco0kbzk126t8fq0.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2k3tmco0kbzk126t8fq0.png" alt="GenAI models" width="800" height="569"></a></p> <p>Predicting football results is a game of chance, so there's no model that's always right. The fact that PartyRock chose to use a different model instead of Jurassic-2 Ultra shows that they have different advantages, so it is always a good idea to test different models.</p> <h2> Bedrock </h2> <p>PartyRock is based on Bedrock, so it should be possible to get the same results directly in Bedrock. I entered a similar prompt in the Bedrock Playground available in the AWS console. Instead of uploading the csv-file to PartyRock, I copied the content into the prompt for Bedrock. As expected, Bedrock is able to predict football results.</p> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsp5ar4wrigdmka6whdao.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsp5ar4wrigdmka6whdao.png" alt="Bedrock" width="800" height="566"></a></p> <p>If you want to implement a custom application for this use case, Bedrock can be the technical foundation as it provides the required functionality.</p> <h2> Bedrock Knowledge Bases </h2> <p><a href="https://aws.amazon.com/bedrock/knowledge-bases/" rel="noopener noreferrer">Knowledge Bases</a> allow you to add custom documents to Bedrock. Instead of copying the previous result csv-file into the prompt, you can upload it to an S3 bucket. The content of the S3 bucket is then used to answer questions.</p> <p>As a recommended option, Bedrock suggests creating a vector store based on Amazon OpenSearch Serverless. In my opinion, OpenSearch is very expensive, so I wanted to choose a cheaper option. First, I tested <a href="https://www.mongodb.com/products/platform/atlas-database" rel="noopener noreferrer">MongoDB Atlas</a>, which has a free tier. However, the free tier <a href="https://www.reddit.com/r/aws/comments/1czbje2/connecting_amazon_bedrock_knowledge_base_to/" rel="noopener noreferrer">doesn't include the features</a> needed to use it as a vector store in Bedrock. Since <a href="https://www.pinecone.io/" rel="noopener noreferrer">Pinecone</a> offers a free tier that can be used as a Bedrock vector store, I used it for this test.</p> <p>Did Bedrock also predict football results with Knowlege Bases? No, unfortunately not. It tried to find information about matches between the two teams. However, it was unable to predict results because it didn't find enough specific information in the source files. I think Bedrock Knowledge Bases is very useful for retrieving information about documents - but it's not suitable for this use case.</p> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F553d36lmlkmb0vix0xpa.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F553d36lmlkmb0vix0xpa.png" alt="Bedrock Knowledge Bases prompt" width="800" height="864"></a></p> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fckf7gthtqy2qkacz73pc.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fckf7gthtqy2qkacz73pc.png" alt="Bedrock Knowledge Bases result" width="788" height="1238"></a></p> <h2> Amazon Q Business </h2> <p>Amazon Q Business offers similar functionality. I uploaded the qualification results to a Confluence page with is configured as a data source in Q Business. The result was the same as with Bedrock Knowledge Bases. Q Business was very content centric. Since there was no information about the specific match, it didn't predict any results.</p> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fuvwmpeath8prnynqm4io.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fuvwmpeath8prnynqm4io.png" alt="Amazon Q Business" width="800" height="480"></a></p> <h2> Prompt engineering in Amazon PartyRock </h2> <p>Prompt engineering was a task I had to pay attention to all the time. I had to change the prompt several times. After the first round I had to take into account the results of the previous round.</p> <p>In the final rounds I had to tell the model that she also had to take into account additional time and the penalty shoot-out. This made the prompt more complex than before.</p> <h2> Evaluation </h2> <p>For the first week, I was on position one of the betting game for the European Football Championship 2024. At the end, I ended up at position 5 - probably better then predicting the results on my own as I'm not an sports expert.</p> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjs13ohs6jxdknaf35f65.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjs13ohs6jxdknaf35f65.png" alt="Results" width="800" height="234"></a></p> <p>The GenAI models often predict results such as 1:2 or 2:1 which is a common result - I also could use this strategy without GenAI on my own.</p> <p>Different models resulted in different results. As I used two models, I had to decided which result I used in the game. So I always chose the result that made more sense to me.</p> <p>As I was on the first position of the prediction game during the first days, I assume that it's easier to predict results when a better team plays against the weaker team. In the final rounds, both teams had similar skills, wo it was harder to predict the results. </p> <p>Sometimes the model wasn't sure which result would be better, so it answered with two ideas. Also, I think some results after penalties are not realistic, like in this screenshot. </p> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fy51xqir94kphn4lt2cqd.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fy51xqir94kphn4lt2cqd.png" alt="Specific result in PartyRock" width="800" height="257"></a></p> <h2> Summary </h2> <p>Predicting the football results for Euro 2024 was fun. Of course, if you are a sports expert, you will probably have better predictions. However, I don't think it was a bad idea to use GenAI as I got better results than other participants. I think this is not the primary use case for GenAI - but I was able to use it for predictions as well.</p> <p>The important part for me: I learned a lot about GenAI in general and in AWS, and how to use prompt engineering for specific use cases.</p> aws genai partyrock football How to build an enterprise chatbot with Amazon Q Business to integrate Confluence data Julian Michel Tue, 09 Jul 2024 20:31:06 +0000 https://dev.to/aws-builders/how-to-build-an-enterprise-chatbot-with-amazon-q-business-to-integrate-confluence-data-228j https://dev.to/aws-builders/how-to-build-an-enterprise-chatbot-with-amazon-q-business-to-integrate-confluence-data-228j <p>GenAI tools like ChatGPT are now widely used - for private purposes. In an enterprise context, the requirements for building a GenAI chatbot are more complex. Source data must be securely integrated into the chatbot. The data must not be shared with other companies using the same GenAI platform of for training the model. User permissions must be supported so that restricted data is not shared with employees who should not have access to it.</p> <p><a href="https://aws.amazon.com/q/business/" rel="noopener noreferrer">Amazon Q Business</a> is an AWS service that meets these requirements and enables businesses to easily build chatbots and GenAI assistants. <a href="https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/connectors-list.html" rel="noopener noreferrer">Connectors</a> are available to integrate various enterprise applications with Amazon Q Business. Confluence integration is one of the connectors available out of the box. It can import Confluence data into Q Business while respecting user-specific permissions.</p> <p>This blog post shows how to integrate Confluence with Amazon Q Business and demonstrates that Q Business really respects permissions - it doesn't leak data to unauthorized users or employees.</p> <h2> Prerequisites </h2> <p>Amazon Q Business requires AWS IAM Identity Center for managed users. Therefore, set up IAM Identity Center first. The Identity Center instance must be set up in the same region as Q Business. Since Q Business is only available in the us-east-1 and us-west-2 regions, you must create AWS IAM Identity Center in one of these regions. If you have already configured IAM Identity Center in a different region, you must <a href="https://docs.aws.amazon.com/singlesignon/latest/userguide/regions.html#region-data" rel="noopener noreferrer">delete</a> it and recreate it in one of the matching regions.</p> <p>In addition, Q and the Confluence must use the same user data, otherwise the permissions won't work. Confluence can also be integrated with AWS IAM Identity Center, so you can use single sign-on for Q and Confluence. To do this, first <a href="https://dev.to/aws-builders/setting-up-aws-iam-identity-center-as-an-identity-provider-for-confluence-2l8">set up AWS IAM Identity Center as the identity provider</a> for Confluence.</p> <h2> Getting started: Create a Confluence API key </h2> <p>To integrate Confluence with Amazon Q Business, create an API key for one of your Admin users. They will have access to all content necessary to crawl the entire Confluence instance. For production use, you would use a technical user.</p> <p>If you are using Confluence SaaS, go to the following URL to create a new API key: <a href="https://id.atlassian.com/manage-profile/security/api-tokens" rel="noopener noreferrer">https://id.atlassian.com/manage-profile/security/api-tokens</a></p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fx41jq9f3buxjyfsv8nae.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fx41jq9f3buxjyfsv8nae.png" alt="Confluence: Create API key"></a></p> <p>Next, copy the API key.<br> <a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftywo9xsnipc73ah3i3i7.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftywo9xsnipc73ah3i3i7.png" alt="Confluence: Copy API key"></a></p> <h2> Copy the API key to Secrets Manager </h2> <p>Q can use API keys that are stored in Secrets Manager. So create a new secret, select "other type of secret". Add the following attributes:</p> <ul> <li>username: email of your confluence user</li> <li>password: API key</li> <li>hostUrl: Confluence URL</li> </ul> <p>Enter a secret name that begins with <code>QBusiness-</code>. Only secrets that start with this name can be used in Q.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fthzgw8ukiks1fd28wd6g.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fthzgw8ukiks1fd28wd6g.png" alt="New Secrets Manager Secret for Q Business"></a></p> <h2> Create your Amazon Q Business application </h2> <p>Open Q Business in your AWS console and create a new application.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnly3jaqphvfds8b8vmo1.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnly3jaqphvfds8b8vmo1.png" alt="Create a new Q Business application"></a></p> <p>Enter the name of your application, such as <code>AmazonQ</code>, and then press "Next".</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqdfn60qgm46jl17cx4bf.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqdfn60qgm46jl17cx4bf.png" alt="Application properties"></a></p> <p>Configure the retrievers that will fetch data from the data source. If this is a proof of concept, select "Starter" and choose "1" unit.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fn6wzcdf5q8de8lycptkd.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fn6wzcdf5q8de8lycptkd.png" alt="Q Retrievers"></a></p> <h2> Add the Confluence data source </h2> <p>Select the Confluence data source from the list of data sources.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F606iiz6jmhhmzenkg0rn.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F606iiz6jmhhmzenkg0rn.png" alt="Confluence data source"></a></p> <p>Enter a name for the data source and specify the source type (cloud or on-premises) and URL.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fr3os8pitbu7c0kj8csla.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fr3os8pitbu7c0kj8csla.png" alt="Confluence data source properites"></a></p> <p>Select "Basic authentication" and choose the secret you created earlier.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F33za6w4msz1g2bn15k06.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F33za6w4msz1g2bn15k06.png" alt="Confluence authentication"></a></p> <p>Let's create a new service role, which is a recommended option.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnuka7kbma1cxwmain25r.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnuka7kbma1cxwmain25r.png" alt="IAM service role"></a></p> <p>Select the sync scope - select "Pages" as the minimum option to transfer Confluence pages to Q.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxezbjynanwuhnlq2pzlz.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxezbjynanwuhnlq2pzlz.png" alt="Crawler scope"></a></p> <p>Next, choose how often you want Q to sync your Confluence data. In the case of a proof of connect, "Run on demand" is sufficient to avoid costs.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3iejkoktd85eca22cany.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3iejkoktd85eca22cany.png" alt="Sync interval"></a></p> <h2> User configuration </h2> <p>Select some AWS IAM Identity Center users who should have access to Q Business and select the subscription. Since there is a monthly fee after the free trial, check the <a href="https://aws.amazon.com/q/business/pricing/" rel="noopener noreferrer">pricing</a> when selecting the subscription.</p> <p>Now you are ready to use Amazon Q Business.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Faxov1bxxevsczs7v7mtl.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Faxov1bxxevsczs7v7mtl.png" alt="User configuration"></a></p> <h2> Prepare Confluence test data </h2> <p>To test the permissions feature in Amazon Q, create a Confluence page with restricted access. Only users who have access to the page in Confluence will be able to use the information in Q Business. In this example, only "User One" has access to the page.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5tv4yje13t3mnelo9sq3.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5tv4yje13t3mnelo9sq3.png" alt="Confluence demo page - permissions"></a></p> <p>Create a sample content for the new page.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdldauk3oem17etmkhe7u.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdldauk3oem17etmkhe7u.png" alt="Confluence demo page - content"></a></p> <h2> Sync data source </h2> <p>Open the Q Business application, select the data source, and choose "Sync Now" to synchronize the data. </p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fw8b16lhfmkpo2mknhq88.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fw8b16lhfmkpo2mknhq88.png" alt="Sync status"></a></p> <p>This will take a few minutes - Q Business will show the sync status in the meantime.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjqk1e6za175eerylv3sb.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjqk1e6za175eerylv3sb.png" alt="Detailed sync status"></a></p> <h2> Debugging Amazon Q Business </h2> <p>In the "Sync run history" there is a link to view the sync log in CloudWatch Logs. Again, it takes a few minutes for the log to be available.</p> <p>The log information is useful in case Q Business doesn't work as expected. In my first test, Q Business only worked for the first user (with API key). I was able to analyze the behavior in the Cloudwatch logs.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fg0nxw19sawky11rwswen.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fg0nxw19sawky11rwswen.png" alt="Sync status - CloudWatch logs integration"></a></p> <p>Q Business uses API calls like this: <a href="https://jumic-q.atlassian.net/wiki/rest/api/content/1310724/restriction/byOperation/read?&amp;limit=200&amp;start=0" rel="noopener noreferrer">https://jumic-q.atlassian.net/wiki/rest/api/content/1310724/restriction/byOperation/read?&amp;limit=200&amp;start=0</a></p> <p>In my case, the email attribute was empty because my first user was set up manually. I claimed it in the Confluence organization, then it worked.<br> <a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fleklth0e3rqkur0e5g8r.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fleklth0e3rqkur0e5g8r.png" alt="Confluence API"></a></p> <h2> Final test - Does Q Business handle permissions correctly? </h2> <p>First, let's test with "User Two". This user doesn't have access to the sample car information page.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpgnc5lwdk3oxcpvxo3ik.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpgnc5lwdk3oxcpvxo3ik.png" alt="Restricted confluence page"></a></p> <p>Is it possible to leak the information in Q Business? No - Amazon Q responds that it can't find any relevant information.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9jzq52jy9cibgoj5k3sp.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9jzq52jy9cibgoj5k3sp.png" alt="Q Business shows no result"></a></p> <p>Positive test - Can User One ask questions about the company car policy? Yes, it works because he is authorized in Confluence. Q Business works as expected.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftd08yqtym9dlo685epnh.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftd08yqtym9dlo685epnh.png" alt="Q Business shows results"></a></p> <h2> Summary </h2> <p>Amazon Q Business with Confluence works really well. You can create a chatbot / AI assistant without programming - really cool. The security features are also great. It's good to see that Q Business doesn't leak information to unauthorized users. It only shows information when users are authorized in Confluence. In addition, Q Business also the source pages in their answers. That's useful for double-checking each result to make sure the results are correct.</p> <p>Are there alternatives to Amazon Q Business? Atlassian has introduced its own GenAI functionality in Confluence. It's called <a href="https://support.atlassian.com/organization-administration/docs/atlassian-intelligence-features-in-confluence/" rel="noopener noreferrer">Atlassian Intelligence</a>. It can summarize pages or answer questions about the Confluence content. If you only need GenAI capabilities for Confluence, this feature might be sufficient.</p> <p>Why still use Amazon Q Business? Q Business can connect to <a href="https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/connectors-list.html" rel="noopener noreferrer">many other business applications</a> such as MS SharePoint, MS Teams, Slack, databases or even S3 buckets. Users don't need to know in which source system the information is stored in. They can just ask Q Business, which uses information from all these source systems - which is more powerful.</p> amazonq chatbot genai confluence Setting up AWS IAM Identity Center as an identity provider for Confluence Julian Michel Mon, 01 Jul 2024 05:05:41 +0000 https://dev.to/aws-builders/setting-up-aws-iam-identity-center-as-an-identity-provider-for-confluence-2l8 https://dev.to/aws-builders/setting-up-aws-iam-identity-center-as-an-identity-provider-for-confluence-2l8 <p><a href="https://aws.amazon.com/iam/identity-center/" rel="noopener noreferrer">AWS IAM Identity Center</a> is a great tool for managing access to multiple AWS accounts in one centralized location. Users can assume roles in the AWS accounts they have access to and work in the AWS console or CLI. </p> <p>It also supports single sign-on (SSO) capabilities to log in to some AWS services or third-party applications. One example of these applications is Confluence, which is widely used in enterprises. This blog post shows how to set up SSO in Confluence using AWS IAM Identity Center.</p> <p>In what situations would you find this blog post useful?</p> <ol> <li>You want to use Identity Center's SSO capabilities in Confluence.</li> <li>You want to configure a source application for Amazon Q to test Q's security features (Q only uses information when a specific user has access to it)</li> <li>You want to learn more about SSO and SAML.</li> </ol> <p>In my case, I want to set up the Confluence integration to get familiar with Amazon Q. I chose the Confluence data sources because Confluence supports page-specific permissions, which should also be handled in Q. I'm using the trial version of Confluence for my tests and this blog post.</p> <h2> Getting started: AWS IAM Identity Center </h2> <p>I assume that AWS IAM Identity Center is already configured. To integrate Confluence as an application, open AWS IAM Identity Center in the AWS console and select "Applications" in the navigation. Then, add a new application.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmptvcmwmxb78krq7er78.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmptvcmwmxb78krq7er78.png" alt="AWS IAM Identity Center: Add a new application"></a></p> <p>AWS offers a catalog of out-of-the-box integrations for more than 300 applications. Confluence is one of them, so choose it.<br> <a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fi36uinec9r817tofetf3.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fi36uinec9r817tofetf3.png" alt="Select application from the catalog"></a></p> <p>Search for Confluence and select the result:<br> <a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fclzrnba3mr4rg0j6m7y1.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fclzrnba3mr4rg0j6m7y1.png" alt="Search for Confluence"></a></p> <p>The next page provides a button to open step-by-step instructions for additional configuration assistance. Select this button to view these instructions. There are also options to change the name or description used in Identity Center.<br> <a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6wpdac9hkyhwt1agwjt3.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6wpdac9hkyhwt1agwjt3.png" alt="Configure a new application in AWS IAM Identity Center"></a></p> <p>In the step-by-step instructions, you will find application-specific instructions to configure the integration. For example it shows which values have to be configured in Confluence and in Identity Center. Download the certificate and copy the URL (both URLs are the same). You will need this information later again when setting up the identity provider in Confluence.<br> <a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F88cy6z3783ta7f3svfi5.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F88cy6z3783ta7f3svfi5.png" alt="Step-by-step instructions"></a></p> <p>Now proceed with the necessary steps in Confluence. Later, we will need to perform some additional configurations in AWS IAM Identity Center.</p> <h2> Confluence: Adding a domain </h2> <p>Open the Atlassian Admin by navigating to the URL <a href="https://admin.atlassian.com/" rel="noopener noreferrer">https://admin.atlassian.com/</a>. In Atlassian Admin, you can manage the settings required for Identity Center integration.</p> <p>First, add the domain used by your users. Accounts in your domain can become managed accounts, which means you can use the SSO capabilities of Identity Center.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4c3op468o4ja8i5s0dxt.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4c3op468o4ja8i5s0dxt.png" alt="Confluence: Verify your company domain"></a></p> <p>Enter the domain name.<br> <a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqkx35irekecmer1sd3gh.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqkx35irekecmer1sd3gh.png" alt="Enter the domain name"></a></p> <p>Before the domain can be associated, the ownership must be verified. I used DNS verification - feel free to use any of the other methods. For DNS validation, create the TXT record in the DNS management for your domain.<br> <a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F73ut8uuop1116fgpyr5f.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F73ut8uuop1116fgpyr5f.png" alt="Domain DNS verification"></a></p> <p>Ensure that the status is set to verified. If it is not verified, check the domain verification again. Next, select "Claim accounts" to automatically claim new accounts under this domain.<br> <a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F031nre67rg8snvgs7jfj.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F031nre67rg8snvgs7jfj.png" alt="Domains: Overview"></a></p> <p>Use the recommended "Automatically claim" option to claim new accounts from your domain.<br> <a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqwpv2cisb47f88do6r6n.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqwpv2cisb47f88do6r6n.png" alt="Claim settings"></a></p> <p>Now "claim setting" is set to "Automatically".<br> <a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqldsgdiita0912l1q6lk.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqldsgdiita0912l1q6lk.png" alt="Domain: claim setting automatically"></a></p> <h2> Confluence: Create a identity provider </h2> <p>In the next step, we will create a identity provider and link it to AWS IAM Identity Center. In the security settings, select "Identity providers" and use "Other provider" as there is no specific integration for Identity Center.<br> <a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fw13i2mrg3lh3wd8hxtd6.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fw13i2mrg3lh3wd8hxtd6.png" alt="Create identity provider type other identity provider"></a></p> <p>Confirm to start the free trial for Atlassian Guard to enable enterprise grade features.<br> <a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5hs9r37c5pokfyc3niv0.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5hs9r37c5pokfyc3niv0.png" alt="Subscribe to Atlassian Guard"></a></p> <p>Enter a name for the identity provider, e.g. "AWS IAM Identity Center".<br> <a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fst59p1hhq6l17fjd9mj2.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fst59p1hhq6l17fjd9mj2.png" alt="Identity provider name"></a></p> <p>Proceed with the SAML single sign-on integration.<br> <a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzoaf6tvf8nlpgzje5yxl.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzoaf6tvf8nlpgzje5yxl.png" alt="SAML single sign-on integration"></a></p> <p>Read the notes, then continue to the next step.<br> <a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1kwnij5djyrmtzfez431.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1kwnij5djyrmtzfez431.png" alt="Notes"></a></p> <p>Now paste the certificate and URL you copied during the application configuration in AWS IAM Identity Center.<br> <a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fj6ayqrvsf4dmwhsw90b9.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fj6ayqrvsf4dmwhsw90b9.png" alt="Identity provider settings"></a></p> <p>In case you didn't copy the values, you can display them again.<br> <a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5mpai29wsh0gnzom9yem.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5mpai29wsh0gnzom9yem.png" alt="AWS IAM Identity Center values"></a></p> <p>After you have configured the values in Confluence, the Confluence wizard will display two URLs that need to be copied to AWS IAM Identity Center.<br> <a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8i2wua29hu52l4ldxtns.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8i2wua29hu52l4ldxtns.png" alt="Confluence identity provider URLS"></a></p> <p>In the Identity Center configuration, enter the URL of your Confluence instance and paste the two URLs you copied earlier.<br> <a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ft4p7e1qhojkq9ps6ea19.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ft4p7e1qhojkq9ps6ea19.png" alt="Maintain configuration in AWS IAM Identity Center"></a></p> <p>Now continue in Confluence again. Select the previously created domain.<br> <a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqs7d1mlv5tdtohymra3f.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqs7d1mlv5tdtohymra3f.png" alt="Select the domain created before"></a></p> <p>Stop the configuration wizard and save the SAML settings.<br> <a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqbxr59yixqfdtqz73r8v.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqbxr59yixqfdtqz73r8v.png" alt="Save SAML settings"></a></p> <h2> Confluence: Update authentication policy </h2> <p>As the final configuration step in Confluence, open the authentication policies and edit the newly created configuration (in my case, it is named "AWS IAM Identity Center").<br> <a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbl8vfvdhob570xmgc3kj.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbl8vfvdhob570xmgc3kj.png" alt="Update authentication policy"></a></p> <p>Select the option "Enforce single sign-on".<br> <a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ff68ism0o27xfg3usuar6.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ff68ism0o27xfg3usuar6.png" alt="Enforce single sign-on"></a></p> <h2> AWS Identity Center: Assign users or groups </h2> <p>In Identity Center, add the users or groups that will be allowed to use the new application. I created a group and assigned all users to it.<a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fm9v99mvm362o6g7raqiq.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fm9v99mvm362o6g7raqiq.png" alt="Identity Center: Users and groups"></a></p> <h2> Testing the integration </h2> <p>Log in to the AWS IAM Identity Center with one of the users. You should see the newly created Confluence application. Open the application.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhxcvgh8tvkr6y4501pck.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhxcvgh8tvkr6y4501pck.png" alt="Identity Center: Confluence application"></a></p> <p>Your browser will open a new window and you will be automatically signed in to Confluence.<br> <a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvmvkmzhijey9piiibmkw.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvmvkmzhijey9piiibmkw.png" alt="Confuence: Welcome"></a></p> <h2> Summary </h2> <p>If everything is set up correctly, the Confluence integration with AWS IAM Identity Center works well. The step-by-step instructions are useful, but read the documentation provided by Atlassian if you encounter any issues. Be careful when copying configuration values/URLs. Don't mix up the different URLs - this can cause errors and SSO won't work.</p> <p>The integration of Confluence with AWS IAM Identity Center is just one example - many other applications can be integrated as well. AWS IAM Identity Center can also be used if you need a free SAML or OAuth 2.0 identity provider for software development or any other use case.</p> aws iamidentitycenter saml confluence My personal AWS account setup - IAM Identity Center, temporary credentials and sandbox account Julian Michel Thu, 23 May 2024 21:26:29 +0000 https://dev.to/aws-builders/my-personal-aws-account-setup-iam-identity-center-temporary-credentials-and-sandbox-account-39mc https://dev.to/aws-builders/my-personal-aws-account-setup-iam-identity-center-temporary-credentials-and-sandbox-account-39mc <p>I work on AWS projects every day and have access to internal and customer AWS accounts. But I also manage some personal AWS accounts. They are useful for several reasons:</p> <ul> <li>I can run personal AWS applications, such as the smart home application I built.</li> <li>I can test new features, e.g. it was very helpful to learn about the CDK pipeline when it was introduced. I was able to create the accounts as suggested in the documentation. Later I was able to apply my knowledge to the customer project.</li> <li>If I have some permission issues, I can try to replicate the problem in my personal AWS accounts without any restrictions. I can try new services that are only available in organizational root accounts, such as AWS Identity Center.</li> </ul> <p>Of course, I want to run the AWS account in a secure and convenient way. So I decided to manage the accounts as described in this article.</p> <h2> Account structure and AWS Organizations </h2> <p>Like a business, I created an <a href="https://aws.amazon.com/organizations/" rel="noopener noreferrer">AWS organization</a> to manage my accounts. I'm using these accounts:</p> <ul> <li>Root account, which owns the organization</li> <li>Dev, Test, and Prod accounts to develop, test, and run my application</li> <li> <a href="https://docs.aws.amazon.com/cdk/v2/guide/best-practices.html#best-practices-organization" rel="noopener noreferrer">Pipeline account</a>, which contains an AWS CodePipeline to deploy to Dev, Int, Prod</li> <li>Sandbox account for testing new stuff (gets nuked after testing)</li> </ul> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0catbyig2e1w702581qq.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0catbyig2e1w702581qq.png" alt="AWS Account structure with Root, Dev, Test, Prod, Pipeline and Sandbox account"></a></p> <h2> User management and authentication using AWS Identity Center </h2> <p>I'm sure AWS IAM user management was great when it first launched. Now, <a href="https://aws.amazon.com/iam/identity-center/" rel="noopener noreferrer">AWS IAM Identity Center</a> has more features and is easier to use. For example, it provides an easy-to-use interface to access all accounts and roles. Or it has improved <a href="https://docs.aws.amazon.com/singlesignon/latest/userguide/mfa-types.html#mfa-types-apps" rel="noopener noreferrer">MFA capabilities</a>, such as support for Apple's TouchID. That is why I chose AWS Identity Center. It is set up in the AWS Organizations root account and connects to all accounts in the organization.</p> <p>When you open AWS IAM Identity Center, you can see the accounts and roles you can assume:<br> <a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fytfkm5337k18xe72d29b.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fytfkm5337k18xe72d29b.png" alt="AWS IAM Identity Center"></a></p> <h2> Temporary credentials and Leapp </h2> <p>AWS IAM Identity Center provides temporary credentials by default, which is a good security choice. It supports <a href="https://docs.aws.amazon.com/cli/latest/userguide/sso-configure-profile-token.html#sso-configure-profile-token-auto-sso" rel="noopener noreferrer">SSO integration</a> with AWS CLI or manual download of access key, secret access key, and session token.</p> <p>Personally, I prefer to use <a href="https://www.leapp.cloud/" rel="noopener noreferrer">Leapp</a>, a tool that supports secure cloud access in multi-account environments. Recently, the company behind Leapp announced the end of the commercial version. The <a href="https://github.com/Noovolari/leapp" rel="noopener noreferrer">open source version</a> still exists and can be used.</p> <p>Leapp displays all AWS accounts/roles that are configured in AWS Identity Center. If you select an account, the credentials can be used in the CLI. You can override the default profile so you don't have to pass a <code>--profile</code> parameter. Or, you can configure a name profile.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3najrg6a3s7gudo2qv9t.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3najrg6a3s7gudo2qv9t.png" alt="Leapp"></a></p> <h2> Nuking the sandbox account </h2> <p>When I'm learning a new AWS service or testing a complex scenario, I'm not always using infrastructure as code. In this case, it takes a long time to manually clean up an AWS account and delete all (expensive) resources.</p> <p>To improve this process, I use <a href="https://github.com/rebuy-de/aws-nuke" rel="noopener noreferrer">aws-nuke</a>, which automatically deletes all AWS resources in an AWS account. <strong>Be careful with this tool</strong>. The first time I used it, it also deleted the configurations required for IAM Identity Center. So I couldn't login anymore.</p> <p>aws-nuke supports filters to exclude resources that should not deleted. I created filters to exclude the IAM Identity Center configuration and resources created during AWS CDK bootstrapping. I ended up with these filters:</p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <p><span class="na">presets</span><span class="pi">:</span><br> <span class="na">common</span><span class="pi">:</span><br> <span class="na">filters</span><span class="pi">:</span><br> <span class="na">IAMRole</span><span class="pi">:</span><br> <span class="pi">-</span> <span class="s2">"</span><span class="s">OrganizationAccountAccessRole"</span><br> <span class="pi">-</span> <span class="na">type</span><span class="pi">:</span> <span class="s">glob</span><br> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">cdk-hnb659fds-<em>"</em></span><br> <span class="pi">-</span> <span class="na">type</span><span class="pi">:</span> <span class="s">glob</span><br> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">AWSReservedSSO_AdministratorAccess_"</span><br> <span class="na">IAMRolePolicyAttachment</span><span class="pi">:</span><br> <span class="pi">-</span> <span class="s2">"</span><span class="s">OrganizationAccountAccessRole</span><span class="nv"> </span><span class="s">-&gt;</span><span class="nv"> </span><span class="s">AdministratorAccess"</span><br> <span class="pi">-</span> <span class="na">type</span><span class="pi">:</span> <span class="s">glob</span><br> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">AWSReservedSSO_AdministratorAccess_<em></em></span><span class="nv"> </span><span class="s">-&gt;</span><span class="nv"> </span><span class="s">AdministratorAccess"</span><br> <span class="pi">-</span> <span class="na">type</span><span class="pi">:</span> <span class="s">glob</span><br> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">cdk-hnb659fds-"</span><br> <span class="na">IAMRolePolicy</span><span class="pi">:</span><br> <span class="pi">-</span> <span class="na">type</span><span class="pi">:</span> <span class="s">glob</span><br> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">cdk-hnb659fds-<em>"</em></span><br> <span class="na">IAMSAMLProvider</span><span class="pi">:</span><br> <span class="pi">-</span> <span class="na">type</span><span class="pi">:</span> <span class="s">glob</span><br> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">arn:aws:iam:::saml-provider/AWSSSO_<em>_DO_NOT_DELETE"</em></span><br> <span class="na">S3Bucket</span><span class="pi">:</span><br> <span class="pi">-</span> <span class="na">type</span><span class="pi">:</span> <span class="s">glob</span><br> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">s3://cdk-hnb659fds-assets"</span><br> <span class="na">SSMParameter</span><span class="pi">:</span><br> <span class="pi">-</span> <span class="s2">"</span><span class="s">/cdk-bootstrap/hnb659fds/version"</span><br> <span class="na">CloudFormationStack</span><span class="pi">:</span><br> <span class="pi">-</span> <span class="s">CDKToolkit</span><br> <span class="na">ECRRepository</span><span class="pi">:</span><br> <span class="pi">-</span> <span class="na">type</span><span class="pi">:</span> <span class="s">glob</span><br> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Repository:</span><span class="nv"> </span><span class="s">cdk-hnb659fds-container-assets-*"</span></p> </code></pre> </div> <h2> <br> <br> <br> Summary<br> </h2> <p>This setup works very well for me. AWS IAM Identity Center is great for managing users and logging into AWS accounts. Leapp is very helpful when using CLI credentials. However, it's not the only option as AWS IAM Identity Center offers other options as well. I regularly use the sandbox account when testing or learning about AWS services. By deleting everything with aws-nuke, I can easily start with an empty AWS account - and of course, I don't have to pay for unused resources.</p> aws security AppSync Merged API – Our real project experience as part of our hackathon Julian Michel Thu, 29 Jun 2023 12:09:57 +0000 https://dev.to/aws-builders/appsync-merged-api-our-real-project-experience-as-part-of-our-hackathon-2m96 https://dev.to/aws-builders/appsync-merged-api-our-real-project-experience-as-part-of-our-hackathon-2m96 <p>AWS released a new feature for GraphQL APIs in May: Multiple AppSync APIs can be merged into one overall API. <a href="https://dev.to/aws-builders/presenting-aws-speakers-directory-an-ai-hackathon-project-19je">Our AI Hackathon</a> gave us the opportunity to test the new <a href="https://aws.amazon.com/blogs/mobile/introducing-merged-apis-on-aws-appsync/" rel="noopener noreferrer">Merged API feature</a> in a real-world project.</p> <h2> Why are Merged APIs such a useful feature? </h2> <p>When designing complex software, it is common to break the application into components or microservices. Each component has its own API so that it can be developed and deployed independently. However, when APIs are published or used in front ends, it makes sense to provide an aggregated API with services of all components. This is possible with the new Merged API feature.</p> <h2> How to create a Merged API using AWS CDK? </h2> <p>We first looked at the AppSync documentation in the AWS CDK to see how to create Merged APIs. Unfortunately, the documentation doesn’t include a section on Merged APIs. We checked the feature requests and pull requests on the AWS CDK GitHub project. However, since we did not find any information, we determined that Merged APIs are not currently supported by CDK L2 constructs. To get support for this feature in AWS CDK, we’ve created a <a href="https://github.com/aws/aws-cdk/issues/25960" rel="noopener noreferrer">feature request</a> in the AWS CDK project.</p> <h2> So how did we create the Merged APIs? </h2> <p>CloudFormation already includes support for Merged APIs. The <a href="https://docs.aws.amazon.com/de_de/AWSCloudFormation/latest/UserGuide/aws-resource-appsync-graphqlapi.html" rel="noopener noreferrer">documentation</a> describes the attributes and resources which are required. Using CDK L1 constructs, we could use these CloudFormation resources to create the Merged API.</p> <p>First, we created the necessary IAM roles. Currently they don’t follow the principle of least privilege. When Merged APIs are supported in the CDK, this should also be considered.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>const role = new Role(this, `merged-api-role-${props.namespace}`, { assumedBy: new ServicePrincipal('appsync.amazonaws.com'), roleName: `merged-api-role-${props.namespace}`, }); role.addToPolicy(new PolicyStatement({ resources: ['*'], actions: ['appsync:*'], })); const cwRole = new Role(this, 'MergedAPICWRole', { assumedBy: new ServicePrincipal('appsync.amazonaws.com'), }); cwRole.addToPolicy(new PolicyStatement({ actions: ['logs:CreateLogGroup', 'logs:CreateLogStream', 'logs:PutLogEvents'], resources: [`arn:aws:logs:${cdk.Stack.of(this).region}:${cdk.Stack.of(this).account}:*`], })); </code></pre> </div> <p>In the GraphQL API, the attributes <code>apiType</code> and <code>mergedApiExecutionRoleArn</code> are specific to Merged APIs. In addition, logging had to be explicitly configured, which requires more effort than L2 constructs.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>const api = new CfnGraphQLApi(this, `merged-api-${props.namespace}`, { authenticationType: 'API_KEY', additionalAuthenticationProviders: [ { authenticationType: 'AMAZON_COGNITO_USER_POOLS', userPoolConfig: { userPoolId: props.userPool.userPoolId, awsRegion: cdk.Stack.of(this).region, }, }, ], apiType: 'MERGED', name: cdk.Names.uniqueId(this), mergedApiExecutionRoleArn: role.roleArn, xrayEnabled: true, logConfig: { cloudWatchLogsRoleArn: cwRole.roleArn, fieldLogLevel: 'ALL', }, }); </code></pre> </div> <p>Each source API is assigned to the Merged API using a <code>SourceApiAssociation</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>new CfnSourceApiAssociation(this, name, { sourceApiIdentifier: graphqlApi.apiId, mergedApiIdentifier: mergedApi.attrApiId, sourceApiAssociationConfig: { mergeType: 'AUTO_MERGE', }, }); </code></pre> </div> <p>The first deployment failed. After specifying <code>mergeType: 'AUTO_MERGE',</code> we were able to create the Merged API.</p> <h2> How did we structure our project? </h2> <p>Each component is developed as separate CDK stack. An additional stack called <code>MergedApiStack</code> includes the Merged API. The source APIs are passed to the Merged API Stack using CDK Stack Props.</p> <p>This allows us to publish a central AppSync API that includes API methods of all components.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fboc3q4r7xt6c59y4njpg.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fboc3q4r7xt6c59y4njpg.png" alt="Image description" width="800" height="649"></a></p> <h2> Summary </h2> <p>Because of the missing CDK L2 constructs, it was difficult to create the Merged API. Otherwise, our experience with the Merged API has been very good. The Merged API is updated directly and allows us to have one central API for our application.</p> <p>What’s next? We will likely implement an L2 construct to add support for Merged APIs in the AWS CDK. Then our hackathon and community work will also contribute to AWS CDK.</p> <p>Who to reach out to?<br> <a href="https://www.linkedin.com/in/deeheber/" rel="noopener noreferrer">Danielle</a>, <a href="https://www.linkedin.com/in/matt-morgan-0344a51" rel="noopener noreferrer">Matt</a>, <a href="//ttps://www.linkedin.com/in/johannes-koch-353b2158/">Johannes</a> or <a href="https://www.linkedin.com/in/julianmichel2/" rel="noopener noreferrer">myself</a>.</p> aws api appsync Quickly recover from failures using automated SQS DLQ redrive Julian Michel Sat, 10 Jun 2023 10:04:04 +0000 https://dev.to/aws-builders/quickly-recover-from-failures-using-automated-sqs-dlq-redrive-8md https://dev.to/aws-builders/quickly-recover-from-failures-using-automated-sqs-dlq-redrive-8md <p>Two years ago at re:Invent, <a href="https://aws.amazon.com/blogs/compute/introducing-amazon-simple-queue-service-dead-letter-queue-redrive-to-source-queues/">AWS announced DLQ redrive</a> to move messages from a dead letter queue (DLQ) to the original queue. Previously, this feature was only available using the AWS console. Now, DLQ redrive is available <a href="https://aws.amazon.com/about-aws/whats-new/2023/06/amazon-sqs-dead-letter-queue-redrive-aws-sdk-cli/">using AWS SDK and CLI</a>.</p> <p>The new feature provides the ability to automatically handle invalid messages in DLQs and increase the reliability in asynchronous applications.</p> <p>This sample architecture includes a Lambda function that sends messages to a third party API. If the third party API becomes unavailable, the processing fails and the messages are sent to the DLQ. Previously, operation teams had to manually run the DLQ redrive in the AWS console. Lambda functions using AWS SDK can help to automate this process.</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--DNuhYASB--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://julianmichel.dev/wp-content/uploads/2023/06/sqs-redrive.drawio.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--DNuhYASB--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://julianmichel.dev/wp-content/uploads/2023/06/sqs-redrive.drawio.png" width="641" height="362"></a></p> <p>How can you automate this process? Implement the logic from the diagram:</p> <ol> <li>The SQS queue sends failed messages to the DLQ</li> <li>A time-based EventBridge event triggers a lambda function periodically (e.g. every 5 minutes)</li> <li>The lambda function checks whether the DLQ contains failed messages. If there are failed messages, it calls a health check of the third party backend.</li> <li>If the health check is successful, the lambda function starts the DLQ redrive using the AWS SDK method <a href="https://docs.aws.amazon.com/AWSSimpleQueueService/latest/APIReference/API_StartMessageMoveTask.html">StartMessageMoveTask</a>.</li> </ol> <p>If the third party backend still fails, the process is repeated after five minutes until the DLQ is empty again.</p> <p>For more details on the new API calls, read the official <a href="https://aws.amazon.com/blogs/compute/introducing-amazon-simple-queue-service-dead-letter-queue-redrive-to-source-queues/">AWS blog post.</a></p> aws awssdk awssqs