Merge pull request #26 from aws-samples/feat/document-explorer-release

* feat: v1.0.0 and amd64 as the default
* fix: bandit, semgrep, checkov from probe

---------

Signed-off-by: Scott Schreckengaust <scottschreckengaust@users.noreply.github.com>

Author: scottschreckengaust

CHANGELOG.md

@@ -5,4 +5,16 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
-## [Unreleased]
+## [Unreleased]
+
+### Added
+
+- Bedrock Guardrails sample
+
+<!-- markdownlint-disable MD024 -->
+## [1.0.0]
+
+### Added
+
+- Document Explorer sample
+- Bedrock Agent sample

README.md

@@ -6,7 +6,7 @@ This repository showcases Terraform examples to review and test AWS generative A
 
 ## Getting started
 
-Explore each self-contained example in the samples directory to get started! 
+Explore each self-contained example in the samples directory to get started!
 
 ## Structure
 

samples/bedrock-agent/lambda/action-group.yaml

@@ -3,12 +3,14 @@ info:
   title: Literary API
   description: Actions that Bedrock Agents can take to retrieve book details.
   version: 1.0.0
+security:  #checkov:skip=CKV_OPENAPI_4:Sample has no global security field rules
 paths:
   /top_books:
     get:
       summary: Get metadata about the most popular books
       description: Get metadata about the most popular books in the library.
       operationId: getTopBooks
+      security:  #checkov:skip=CKV_OPENAPI_5:Demonstration security operations empty
       responses:
         '200':
           description: Successful operation
@@ -22,6 +24,7 @@ paths:
                     description: The number of books in the library.
                   books:
                     type: array
+                    maxItems: 100
                     items:
                       $ref: '#/components/schemas/Book'
         '400':
@@ -53,26 +56,31 @@ components:
           description: The title of the book.
         subjects:
           type: array
+          maxItems: 1000
           description: The subjects of the book.
           items:
             type: string
         authors:
           type: array
+          maxItems: 100
           description: The author of the book.
           items:
             $ref: '#/components/schemas/Person'
         translators:
           type: array
+          maxItems: 100
           description: The translator of the book.
           items:
             $ref: '#/components/schemas/Person'
         bookshelves:
           type: array
+          maxItems: 1000
           description: The bookshelves the book is in.
           items:
             type: string
         languages:
           type: array
+          maxItems: 1000
           description: The languages the book is in.
           items:
             type: string
@@ -84,6 +92,7 @@ components:
           description: The media type of the book.
         formats:
           type: array
+          maxItems: 100
           description: The download formats of the book.
           items:
             $ref: '#/components/schemas/Format'

samples/bedrock-agent/lambda/action-group/gutendex.py

@@ -16,6 +16,7 @@
 def get_books_from_gutendex(n: int) -> dict:
     """Return the count and first n books from the /books API."""
     api_url = "https://gutendex.com"
-    response = requests.get(api_url + "/books")
+    response = requests.get(api_url + "/books", timeout=14) # keep a little less than the Lambda timeout
+    response.raise_for_status()
     books = response.json()
     return {"count": books["count"], "books": books["results"][:n]}

samples/bedrock-agent/scripts/load-kb.sh

@@ -13,29 +13,29 @@ if [ $# -ne 3 ]; then
     exit 1
 fi
 
-S3_URI=$1
-KB_ID=$2
-DS_ID=$3
+S3_URI="$1"
+KB_ID="$2"
+DS_ID="$3"
 
 BOOKS_LIST=("https://www.gutenberg.org/ebooks/84.txt.utf-8"
   "https://www.gutenberg.org/ebooks/1342.txt.utf-8"
   "https://www.gutenberg.org/ebooks/2701.txt.utf-8"
   "https://www.gutenberg.org/ebooks/1513.txt.utf-8")
 
 # make a temporary directory to download the books
-BOOKS_DIR=`mktemp -d -t books.$$`
+BOOKS_DIR=$(mktemp -d -t "books.$$")
 
-pushd $BOOKS_DIR
+pushd "$BOOKS_DIR"
 
 # download the books
 for book in "${BOOKS_LIST[@]}"
 do
-  curl -L -o "$(basename $book).txt" $book
+  curl -L -o "$(basename $book).txt" "$book"
 done
 
-aws s3 sync . $S3_URI
+aws s3 sync . "$S3_URI"
 popd
-rm -rf $BOOKS_DIR
+rm -rf "$BOOKS_DIR"
 
 # sync kb
-aws bedrock-agent start-ingestion-job --knowledge-base-id $KB_ID --data-source-id $DS_ID
+aws bedrock-agent start-ingestion-job --knowledge-base-id "$KB_ID" --data-source-id "$DS_ID"

samples/document-explorer/client_app/Dockerfile

@@ -1,12 +1,11 @@
 #syntax=docker/dockerfile:1.4
-#checkov:skip=CKV_DOCKER_3: No need for a user
-FROM public.ecr.aws/docker/library/python:3.13.0-slim
+FROM public.ecr.aws/docker/library/python@sha256:4efa69bf17cfbd83a9942e60e2642335c3b397448e00410063a0421f9727c4c4
 
-RUN DEBIAN_FRONTEND=noninteractive apt-get update && apt-get -y install procps
+RUN DEBIAN_FRONTEND=noninteractive apt-get update && apt-get -y install procps && apt-get clean && rm -rf /var/lib/apt/lists/*
 
 WORKDIR /app
 COPY requirements.txt ./requirements.txt
-RUN pip3 install -r requirements.txt
+RUN pip3 install --no-cache-dir -r requirements.txt
 
 # Set most of the environment variables from Terraform backend deployment outputs
 ENV COGNITO_DOMAIN='<COGNITO_DOMAIN>'
@@ -30,4 +29,5 @@ RUN chmod a+x /app/healthcheck.sh
 
 HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ "/app/healthcheck.sh" ]
 
+USER nobody
 ENTRYPOINT ["streamlit", "run", "Home.py", "--server.port=8501"]

samples/document-explorer/client_app/common/cognito_helper.py

@@ -24,6 +24,7 @@
 from cryptography.hazmat.primitives.asymmetric import rsa
 from cryptography.hazmat.backends import default_backend
 
+REQUESTS_TIMEOUT=30
 class CognitoHelper:
     """Handles user authentication with AWS Cognito."""
 
@@ -70,7 +71,9 @@ def jwt_to_pem(self, n, e):
     # https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-verifying-a-jwt.html
     def get_cognito_jwk(self, kid):
         url = f"https://cognito-idp.{self.region}.amazonaws.com/{self.user_pool_id}/.well-known/jwks.json"
-        jwks = requests.get(url).json()
+        response = requests.get(url, timeout=REQUESTS_TIMEOUT)
+        response.raise_for_status()
+        jwks = response.json()
         # Extract the specific key from jwks for verification
         for jwk in jwks["keys"]:
             if jwk["kid"] == kid:
@@ -82,7 +85,7 @@ def decode_id_token(self, id_token = None):
         if id_token is None:
             id_token = st.session_state.get("id_token", "")
 
-        if id_token != "":
+        if id_token != "":  # nosec B105
             jwt_headers = jwt.get_unverified_header(id_token)
             jwk = self.get_cognito_jwk(jwt_headers["kid"])
             public_key = self.jwt_to_pem(jwk["n"], jwk["e"])
@@ -93,15 +96,15 @@ def decode_id_token(self, id_token = None):
     def get_user_tokens(self, auth_code = None):
         """Gets user access and ID tokens using auth code."""
 
-        access_token = ""
-        id_token = ""
+        access_token = ""  # nosec B105
+        id_token = ""  # nosec B105
 
         # if auth_code is not provided, try to get credentianls from the session state.
         if not auth_code:
             access_token = st.session_state.get("access_token", "")
             id_token = st.session_state.get("id_token", "")
 
-            if access_token != "" and id_token != "":
+            if access_token != "" and id_token != "":  # nosec B105
                 return access_token, id_token
 
         try:
@@ -118,13 +121,14 @@ def get_user_tokens(self, auth_code = None):
                 "redirect_uri": self.app_uri,
             }
 
-            token_response = requests.post(self.token_url, headers=headers, data=body)
+            token_response = requests.post(self.token_url, headers=headers, data=body, timeout=REQUESTS_TIMEOUT)
+            token_response.raise_for_status()
             access_token = token_response.json()["access_token"]
             id_token = token_response.json()["id_token"]
 
         except (KeyError, TypeError):
-            access_token = ""
-            id_token = ""
+            access_token = "" # nosec B105
+            id_token = ""  # nosec B105
 
         return access_token, id_token
 
@@ -175,11 +179,11 @@ def set_session_state(self):
             auth_code = auth_query_params["code"]
             access_token, id_token = self.get_user_tokens(auth_code)
 
-            if access_token != "":
+            if access_token != "":  # nosec B105
                 st.session_state["auth_code"] = auth_code
                 st.session_state["access_token"] = access_token
 
-            if id_token != "":
+            if id_token != "":  # nosec B105
                 st.session_state["id_token"] = id_token
                 credentials = self.get_user_temporary_credentials(id_token)
                 st.session_state["access_key_id"] = credentials["AccessKeyId"]
@@ -198,7 +202,7 @@ def is_authenticated(self):
         session_token = st.session_state.get("session_token", "")
         expiration = st.session_state.get("expiration")
 
-        is_valid_session = (access_key_id != "" and secret_access_key != "" and session_token != "")
+        is_valid_session = (access_key_id != "" and secret_access_key != "" and session_token != "")  # nosec B105
         # +5 seconds to consider a expiry buffer. If the session is about to expire, we need to renew it.
         has_not_expired = (expiration.timestamp() > (time.time() + 5)) if expiration else True
 

samples/document-explorer/client_app/graphql/graphql_mutation_client.py

@@ -54,7 +54,7 @@ def execute(self, query, operation_name, variables=None):
         }
         print(f' query :: {query}')  
         try:
-            response = requests.post(self.graphql_endpoint, json=data, headers=self.headers)
+            response = requests.post(self.graphql_endpoint, json=data, headers=self.headers, timeout=30)
             response.raise_for_status()
 
         except requests.exceptions.RequestException as error:

samples/document-explorer/terraform-config-backend/main.tf

@@ -1,11 +1,8 @@
 module "genai_doc_ingestion" {
   #checkov:skip=CKV_TF_1:Terraform registry has no ability to use a commit hash
-  ## TODO: Update to a Terraform registry version once PR is complete
-  #source             = "aws-ia/genai-document-ingestion-rag/aws"
-  #version            = "0.0.4"
-  #source             = "github.com/aws-ia/terraform-aws-genai-document-ingestion-rag//?ref=fix%2Fdocker_build"
-  source             = "github.com/aws-ia/terraform-aws-genai-document-ingestion-rag//?ref=11eb2bac799fd495e46d17f11156eefe5e6d9d71"
+  source             = "aws-ia/genai-document-ingestion-rag/aws"
+  version            = "1.0.0"
   solution_prefix    = "doc-explorer"
-  container_platform = "linux/arm64"
+  container_platform = "linux/amd64"
   force_destroy      = true
 }