Skip to content

Commit

Permalink
Merge branch 'develop' v0.2.1
Browse files Browse the repository at this point in the history
  • Loading branch information
rstrahan committed Sep 27, 2024
2 parents f489d3d + 9af1725 commit ab22c75
Show file tree
Hide file tree
Showing 18 changed files with 88 additions and 45 deletions.
8 changes: 7 additions & 1 deletion CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0

## [Unreleased]

## [0.2.1] - 2024-09-27
### Added
Add support for cross-region IAM Identity Center (IDC) where the IDC instance is in a different region from the Amazon Q Business application. The IDC region can now be specified when deploying the gateway.

## [0.2.0] - 2024-05-28
### Added
Add support for Q Business Apps integrated with IdC
Expand Down Expand Up @@ -48,7 +52,9 @@ Initial release
- Process up to 5 attached files for document question answering, summaries, etc.
- Reset and start new conversation in DM channel by using `/new_conversation`

[Unreleased]: https://github.com/aws-samples/qnabot-on-aws-plugin-samples/compare/v0.1.3...develop
[Unreleased]: https://github.com/aws-samples/qnabot-on-aws-plugin-samples/compare/main...develop
[0.2.1]: https://github.com/aws-samples/qnabot-on-aws-plugin-samples/releases/tag/v0.2.1
[0.2.0]: https://github.com/aws-samples/qnabot-on-aws-plugin-samples/releases/tag/v0.2.0
[0.1.3]: https://github.com/aws-samples/qnabot-on-aws-plugin-samples/releases/tag/v0.1.3
[0.1.2]: https://github.com/aws-samples/qnabot-on-aws-plugin-samples/releases/tag/v0.1.2
[0.1.1]: https://github.com/aws-samples/qnabot-on-aws-plugin-samples/releases/tag/v0.1.1
Expand Down
13 changes: 9 additions & 4 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -57,19 +57,22 @@ Follow the instructions below to deploy the project to your own AWS account and

Create the client as a ['Web app'](https://help.okta.com/en-us/content/topics/apps/apps_app_integration_wizard_oidc.htm). You will want to enable the 'Refresh Token' grant type, 'Allow everyone in your organization to access', and 'Federation Broker Mode'. Use a placeholder URL, like ```https://example.com```, for the redirect URI, as you will update this later (in step 3).

Also verify that administrators are given ability to configure the Interaction Code grant type for apps and authorization servers. This is done in Okta under Settings > Account in the "Embedded widget sign-in support" panel. If "Interaction Code" is not enabled, select "Edit" and enable the option. Then browse to Security > API in Okta and verify that an authorization server is configured and that it has an Access Policy active with a Rule that has the "Interaction Code" grant type checked.

#### 1.2 Create Trusted token issuer in IAM Identity Center

Create trusted token issuer to trust tokens your Okta tenant using these instructions listed here - https://docs.aws.amazon.com/singlesignon/latest/userguide/using-apps-with-trusted-token-issuer.html.
Or you can run the below script.

For the script, you need to have the OIDC issuer URL and the AWS region in which you have your Q business application. To retrieve the OIDC issuer URL, go to Okta account console, click the left hamburger menu and open Security > API and copy the whole 'Issuer URI'.
For the script, you need to have the OIDC issuer URL and the AWS region in which you have your Q business application. To retrieve the OIDC issuer URL, go to Okta account console, click the left hamburger menu and open Security > API and copy the whole 'Issuer URI'. The IAM IdC region is typically the same region where your Amazon Q Business application has been created but that is not a requirement.

The script will output trusted token issuer ARN (TTI_ARN) which you will use in the next step.

```
export AWS_DEFAULT_REGION=<>
OIDC_ISSUER_URL=<>
bin/create-trusted-token-issuer.sh $OIDC_ISSUER_URL
AWS_IDC_REGION=<>
bin/create-trusted-token-issuer.sh $OIDC_ISSUER_URL $AWS_IDC_REGION
```

#### 1.3 Create Customer managed application in IAM Identity Center
Expand All @@ -84,7 +87,8 @@ The script will output the gateway IdC application ARN (GATEWAY_IDC_ARN) which y
export AWS_DEFAULT_REGION=<>
OIDC_CLIENT_ID=<>
TTI_ARN=<>
bin/create-idc-application.sh $OIDC_CLIENT_ID $TTI_ARN
AWS_IDC_REGION=<>
bin/create-idc-application.sh $OIDC_CLIENT_ID $TTI_ARN $AWS_IDC_REGION
```

### 2. Deploy the stack
Expand All @@ -103,6 +107,7 @@ If you are a developer, and you want to build, deploy and/or publish the solutio
5. `OIDCClientId`: The client ID of OIDC client you created in step 1.1.
6. `OIDCIssuerURL`: The issuer URL of the OIDC client you created in step 1.1.
7. `GatewayIdCAppARN`: The application arn of IdC customer managed application you created in step 1.3.
7. `AWSIAMIdCRegion`: The AWS region where the AWS IAM IdC instance is deployed.
8. `ContextDaysToLive`: Just leave this as the default (90 days)

Region | Easy Deploy Button | Template URL - use to upgrade existing stack to a new release
Expand All @@ -115,7 +120,7 @@ When your CloudFormation stack status is CREATE_COMPLETE, choose the **Outputs**

### 3. Update OIDC Client Redirect URL.

Go the app client settings created in Okta (in step 1.1), and update the client redirect URL with exported value in Cloudformation stack for `OIDCCallbackEndpointExportedName`.
Go the app client settings created in Okta (in step 1.1), and update the client redirect URL with exported value in CloudFormation stack for `OIDCCallbackEndpointExportedName`.

### 4. Configure your Slack application

Expand Down
21 changes: 12 additions & 9 deletions README_DEVELOPERS.md
Original file line number Diff line number Diff line change
Expand Up @@ -30,9 +30,9 @@ Copy the GitHub repo to your computer. Either:

3. You need to configure SAML and SCIM with Okta and IAM Identity Center. If you haven't configured, see [Configuring SAML and SCIM with Okta and IAM Identity Center](https://docs.aws.amazon.com/singlesignon/latest/userguide/gs-okta.html)

4. You also need to have an existing, working Amazon Q business application integrated with IdC. If you haven't set one up yet, see [Creating an Amazon Q application](https://docs.aws.amazon.com/amazonq/latest/business-use-dg/create-app.html)
4. You also need to have an existing, working Amazon Q Business application integrated with IdC. If you haven't set one up yet, see [Creating an Amazon Q application](https://docs.aws.amazon.com/amazonq/latest/business-use-dg/create-app.html)

5. You need to have users subscribed to your Amazon Q business application, and are able to access Amazon Q Web Experience. If you haven't set one up yet, see [Subscribing users to an Amazon Q application](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/adding-users-groups.html)
5. You need to have users subscribed to your Amazon Q Business application, and are able to access Amazon Q Web Experience. If you haven't set one up yet, see [Subscribing users to an Amazon Q application](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/adding-users-groups.html)


## Deploy the solution
Expand All @@ -43,19 +43,22 @@ Copy the GitHub repo to your computer. Either:

Create the client as a ['Web app'](https://help.okta.com/en-us/content/topics/apps/apps_app_integration_wizard_oidc.htm). You will want to enable the 'Refresh Token' grant type, 'Allow everyone in your organization to access', and 'Federation Broker Mode'. Use a placeholder URL, like ```https://example.com```, for the redirect URI, as you will update this later (in step 3).

Also verify that administrators are given ability to configure the Interaction Code grant type for apps and authorization servers. This is done in Okta under Settings > Account in the "Embedded widget sign-in support" panel. If "Interaction Code" is not enabled, select "Edit" and enable the option. Then browse to Security > API in Okta and verify that an authorization server is configured and that it has an Access Policy active with a Rule that has the "Interaction Code" grant type checked.

#### 1.2 Create Trusted token issuer in IAM Identity Center

Create trusted token issuer to trust tokens from OIDC issuer URL using these instructions listed here - https://docs.aws.amazon.com/singlesignon/latest/userguide/using-apps-with-trusted-token-issuer.html.
Or you can run the below script.

For the script, you need to have the OIDC issuer URL and the AWS region in which you have your Q business application. To retrieve the OIDC issuer URL, go to Okta account console, click the left hamburger menu and open Security > API and copy the whole 'Issuer URI'.
For the script, you need to have the OIDC issuer URL and the AWS region in which you have your AWS IAM Identity Center instance deployed. To retrieve the OIDC issuer URL, go to Okta account console, click the left hamburger menu and open Security > API and copy the whole 'Issuer URI'. The IAM IdC region is typically the same region where your Amazon Q Business application has been created but that is not a requirement.

The script will output trusted token issuer ARN which you will use in the next step.

```
export AWS_DEFAULT_REGION=<>
OIDC_ISSUER_URL=<>
bin/create-trusted-token-issuer.sh $OIDC_ISSUER_URL
AWS_IDC_REGION=<>
bin/create-trusted-token-issuer.sh $OIDC_ISSUER_URL $AWS_IDC_REGION
```

#### 1.3 Create Customer managed application in IAM Identity Center
Expand All @@ -70,10 +73,11 @@ The script will output the IdC application ARN which you will use in the next st
export AWS_DEFAULT_REGION=<>
OIDC_CLIENT_ID=<>
TTI_ARN=<>
bin/create-idc-application.sh $OIDC_CLIENT_ID $TTI_ARN
AWS_IDC_REGION=<>
bin/create-idc-application.sh $OIDC_CLIENT_ID $TTI_ARN $AWS_IDC_REGION
```

Before starting, you need to have an existing, working Amazon Q application. If you haven't set one up yet, see [Creating an Amazon Q application](https://docs.aws.amazon.com/amazonq/latest/business-use-dg/create-app.html)
Before starting, you need to have an existing, working Amazon Q Business application. If you haven't set one up yet, see [Creating an Amazon Q application](https://docs.aws.amazon.com/amazonq/latest/business-use-dg/create-app.html)

### 2. Initialize and deploy the stack

Expand All @@ -84,7 +88,7 @@ Navigate into the project root directory and, in a bash shell, run:

### 3. Update OIDC Client Redirect URL.

Go the app client settings created in Okta (in step 1.1), and update the client redirect URL with exported value in Cloudformation stack for `OIDCCallbackEndpointExportedName`.
Go the app client settings created in Okta (in step 1.1), and update the client redirect URL with exported value in CloudFormation stack for `OIDCCallbackEndpointExportedName`.

### 4. Configure your Slack application

Expand Down Expand Up @@ -169,11 +173,10 @@ OUTPUTS
Template URL: https://s3.us-east-1.amazonaws.com/yourbucketbasename-us-east-1/qslack-test/AmazonQSlackGateway.json
CF Launch URL: https://us-east-1.console.aws.amazon.com/cloudformation/home?region=us-east-1#/stacks/create/review?templateURL=https://s3.us-east-1.amazonaws.com/yourbucketbasename-us-east-1/qslack-test/AmazonQSlackGateway.json&stackName=AMAZON-Q-SLACK-GATEWAY
Done
``````
```

Follow the deployment directions in the main [README](./README.md), but use your own CF Launch URL instead of our pre-built templates (Launch Stack buttons).

## Contributing, and reporting issues

We welcome your contributions to our project. Whether it's a bug report, new feature, correction, or additional
Expand Down
8 changes: 8 additions & 0 deletions bin/convert-cfn-template.js
Original file line number Diff line number Diff line change
Expand Up @@ -226,6 +226,11 @@ function parameterizeTemplate(template, lambdas) {
Type: 'String',
AllowedPattern: '^arn:aws[a-zA-Z-]*:[a-zA-Z0-9-]*:[a-z0-9-]*:[0-9]{12}:[a-zA-Z0-9:/._-]+$',
Description: 'Q Business Slack Gateway IdC App Arn'
},
AWSIAMIdCRegion: {
Type: 'String',
Default: defaultQRegion,
Description: 'AWS IAM Identity Center (IdC) Region'
}
};
for (let lambda of lambdas) {
Expand All @@ -242,6 +247,9 @@ function parameterizeTemplate(template, lambdas) {
lambdaResource.Properties.Environment.Variables.GATEWAY_IDC_APP_ARN = {
Ref: 'GatewayIdCAppARN'
};
lambdaResource.Properties.Environment.Variables.AWS_IAM_IDC_REGION = {
Ref: 'AWSIAMIdCRegion'
};
}
}

Expand Down
23 changes: 12 additions & 11 deletions bin/create-idc-application.sh
Original file line number Diff line number Diff line change
Expand Up @@ -2,13 +2,14 @@

# Ensure required arguments are passed
if [ $# -lt 2 ]; then
echo "Usage: $0 <oidc_client_id> <trusted-token-issuer-arn> [application_name]"
echo "Usage: $0 <oidc_client_id> <trusted-token-issuer-arn> <iam_idc_region> [application_name]"
exit 1
else
OIDC_CLIENT_ID="$1"
TTI_ARN="$2"
if [ -n "$3" ]; then
APPLICATION_NAME="$3"
IDC_REGION="$3"
if [ -n "$4" ]; then
APPLICATION_NAME="$4"
else
APPLICATION_NAME="AmazonQSlackGateway"
fi
Expand All @@ -22,7 +23,7 @@ if [ $? -ne 0 ]; then
fi

# Retrieve the IdC instance ARN.
IDC_INSTANCE_ARN=$(aws sso-admin list-instances --query 'Instances[0].InstanceArn' | tr -d '""')
IDC_INSTANCE_ARN=$(aws sso-admin list-instances --region $IDC_REGION --query 'Instances[0].InstanceArn' | tr -d '""')
if [ $? -ne 0 ] || [ -z "$IDC_INSTANCE_ARN" ]; then
echo "Error: IDC_INSTANCE_ARN is empty or failed to retrieve. Please check your AWS SSO configuration."
exit 1
Expand All @@ -32,9 +33,9 @@ fi
echo "Checking if the $APPLICATION_NAME exists..."
APPLICATION_EXISTS=0
GATEWAY_IDC_ARN=""
RESPONSE=$(aws sso-admin list-applications --instance-arn $IDC_INSTANCE_ARN --query 'Applications[*].ApplicationArn' | tr -d '[",]')
RESPONSE=$(aws sso-admin list-applications --instance-arn $IDC_INSTANCE_ARN --region $IDC_REGION --query 'Applications[*].ApplicationArn' | tr -d '[",]')
for ARN in $RESPONSE; do
CURRENT_NAME=$(aws sso-admin describe-application --application-arn $ARN --query 'Name' | tr -d '"')
CURRENT_NAME=$(aws sso-admin describe-application --application-arn $ARN --region $IDC_REGION --query 'Name' | tr -d '"')
if [ "$CURRENT_NAME" == "$APPLICATION_NAME" ]; then
GATEWAY_IDC_ARN=$ARN
APPLICATION_EXISTS=1
Expand All @@ -47,7 +48,7 @@ done
CUSTOM_APPLICATION_PROVIDER_ARN="arn:aws:sso::aws:applicationProvider/custom"
if [ $APPLICATION_EXISTS -eq 0 ]; then
echo "Creating $APPLICATION_NAME..."
GATEWAY_IDC_ARN=$(aws sso-admin create-application --application-provider-arn $CUSTOM_APPLICATION_PROVIDER_ARN --instance-arn $IDC_INSTANCE_ARN --name "$APPLICATION_NAME" --query 'ApplicationArn' | tr -d '"')
GATEWAY_IDC_ARN=$(aws sso-admin create-application --application-provider-arn $CUSTOM_APPLICATION_PROVIDER_ARN --instance-arn $IDC_INSTANCE_ARN --name "$APPLICATION_NAME" --region $IDC_REGION --query 'ApplicationArn' | tr -d '"')
if [ $? -ne 0 ] || [ -z "$GATEWAY_IDC_ARN" ]; then
echo "Error: GATEWAY_IDC_ARN could not be created. Please check your inputs and AWS permissions."
exit 1
Expand All @@ -56,7 +57,7 @@ if [ $APPLICATION_EXISTS -eq 0 ]; then
fi

# Disable assignment
aws sso-admin put-application-assignment-configuration --application-arn $GATEWAY_IDC_ARN --no-assignment-required
aws sso-admin put-application-assignment-configuration --application-arn $GATEWAY_IDC_ARN --region $IDC_REGION --no-assignment-required
if [ $? -ne 0 ]; then
echo "Failed to disable assignment for the application."
exit 1
Expand All @@ -79,7 +80,7 @@ json_input='{
},
"GrantType": "urn:ietf:params:oauth:grant-type:jwt-bearer"
}'
aws sso-admin put-application-grant --cli-input-json "$json_input"
aws sso-admin put-application-grant --region $IDC_REGION --cli-input-json "$json_input"
if [ $? -ne 0 ]; then
echo "Failed to put application grant."
exit 1
Expand Down Expand Up @@ -107,14 +108,14 @@ json_input='{
},
"AuthenticationMethodType": "IAM"
}'
aws sso-admin put-application-authentication-method --cli-input-json "$json_input"
aws sso-admin put-application-authentication-method --region $IDC_REGION --cli-input-json "$json_input"
if [ $? -ne 0 ]; then
echo "Failed to set authentication method."
exit 1
fi

# Put application access scopes
if ! aws sso-admin put-application-access-scope --application-arn $GATEWAY_IDC_ARN --scope "qbusiness:conversations:access"; then
if ! aws sso-admin put-application-access-scope --application-arn $GATEWAY_IDC_ARN --scope "qbusiness:conversations:access" --region $IDC_REGION; then
echo "Failed to set access scope for conversations."
exit 1
fi
Expand Down
11 changes: 6 additions & 5 deletions bin/create-trusted-token-issuer.sh
Original file line number Diff line number Diff line change
Expand Up @@ -2,19 +2,20 @@

# Ensure required arguments are passed
if [ $# -lt 1 ]; then
echo "Usage: $0 <oidc_issuer_url>"
echo "Usage: $0 <oidc_issuer_url> <iam_idc_region>"
exit 1
fi

OIDC_ISSUER_URL="$1"
IDC_REGION="$2"

# Retrieve the IdC instance ARN.
IDC_INSTANCE_ARN=$(aws sso-admin list-instances --query 'Instances[0].InstanceArn' | tr -d '"')
IDC_INSTANCE_ARN=$(aws sso-admin list-instances --query 'Instances[0].InstanceArn' --region $IDC_REGION | tr -d '"')

# Check if there is TTI_ARN for the issuer url.
for arn in $(aws sso-admin list-trusted-token-issuers --instance-arn "$IDC_INSTANCE_ARN" --query 'TrustedTokenIssuers[].TrustedTokenIssuerArn[]' | tr -d '[",]')
for arn in $(aws sso-admin list-trusted-token-issuers --instance-arn "$IDC_INSTANCE_ARN" --region $IDC_REGION --query 'TrustedTokenIssuers[].TrustedTokenIssuerArn[]' | tr -d '[",]')
do
current_issuer_url=$(aws sso-admin describe-trusted-token-issuer --trusted-token-issuer-arn $arn --query 'TrustedTokenIssuerConfiguration.OidcJwtConfiguration.IssuerUrl' --output text)
current_issuer_url=$(aws sso-admin describe-trusted-token-issuer --trusted-token-issuer-arn $arn --region $IDC_REGION --query 'TrustedTokenIssuerConfiguration.OidcJwtConfiguration.IssuerUrl' --output text)
if [[ "$current_issuer_url" == "$OIDC_ISSUER_URL" ]]
then
echo "Trusted token issuer already exists for $OIDC_ISSUER_URL, ARN: $arn"
Expand All @@ -35,6 +36,6 @@ TTI_ARN=$(aws sso-admin create-trusted-token-issuer --cli-input-json '{
}
},
"TrustedTokenIssuerType": "OIDC_JWT"
}' --query 'TrustedTokenIssuerArn' | tr -d '"')
}' --region $IDC_REGION --query 'TrustedTokenIssuerArn' | tr -d '"')

echo "TTI_ARN=$TTI_ARN"
5 changes: 4 additions & 1 deletion bin/environment.sh
Original file line number Diff line number Diff line change
Expand Up @@ -61,6 +61,7 @@ oidc_idp_name=$(prompt_for_value "OIDCIdPName" "Name of Identity Provider (Okta,
oidc_client_id=$(prompt_for_value "OIDCClientId" "OIDC Client ID" "none" "^[a-zA-Z0-9_-]{1,255}$")
oidc_issuer_url=$(prompt_for_value "OIDCIssuerURL" "OIDC Issuer URL" "none" "^https://[a-zA-Z0-9.-]+(:[0-9]+)?(/.*)?$")
gateway_idc_app_arn=$(prompt_for_value "GatewayIdCAppARN" "Q Gateway IdC App Arn" "none" "^arn:aws[a-zA-Z-]*:[a-zA-Z0-9-]*:[a-z0-9-]*:[0-9]{12}:[a-zA-Z0-9:/._-]+$")
aws_iam_idc_region=$(prompt_for_value "AWSIAMIdCRegion" "AWS IAM Identity Center Region" $(aws configure get region) "^[a-z]{2}-[a-z]+-[0-9]+$")

# Create or update the JSON file
cp $json_file $json_file.bak 2> /dev/null
Expand All @@ -74,6 +75,7 @@ jq -n \
--arg oidc_client_id "$oidc_client_id" \
--arg oidc_issuer_url "$oidc_issuer_url" \
--arg gateway_idc_app_arn "$gateway_idc_app_arn" \
--arg aws_iam_idc_region "$aws_iam_idc_region" \
'{
StackName: $stack_name,
AmazonQAppId: $app_id,
Expand All @@ -82,7 +84,8 @@ jq -n \
OIDCIdPName: $oidc_idp_name,
OIDCClientId: $oidc_client_id,
OIDCIssuerURL: $oidc_issuer_url,
GatewayIdCAppARN: $gateway_idc_app_arn
GatewayIdCAppARN: $gateway_idc_app_arn,
AWSIAMIdCRegion: $aws_iam_idc_region
}' > "$json_file"

echo "Configuration saved to $json_file"
4 changes: 4 additions & 0 deletions bin/my-amazon-q-slack-bot.ts
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,7 @@ export interface StackEnvironment {
OIDCClientId: string;
OIDCIssuerURL: string;
GatewayIdCAppARN: string;
AWSIAMIdCRegion: string;
}

const app = new cdk.App();
Expand Down Expand Up @@ -46,6 +47,9 @@ if (environment.OIDCIssuerURL === undefined) {
if (environment.GatewayIdCAppARN === undefined) {
throw new Error('GatewayIdCAppARN is required');
}
if (environment.AWSIAMIdCRegion === undefined) {
throw new Error('AWSIAMIdCRegion is required');
}

new MyAmazonQSlackBotStack(
app,
Expand Down
6 changes: 4 additions & 2 deletions lib/my-amazon-q-slack-bot-stack.ts
Original file line number Diff line number Diff line change
Expand Up @@ -288,7 +288,8 @@ export class MyAmazonQSlackBotStack extends cdk.Stack {
OIDC_ISSUER_URL: env.OIDCIssuerURL,
KEY_ARN: kmsKey.keyArn,
Q_USER_API_ROLE_ARN: qUserAPIRole.roleArn,
GATEWAY_IDC_APP_ARN: env.GatewayIdCAppARN
GATEWAY_IDC_APP_ARN: env.GatewayIdCAppARN,
AWS_IAM_IDC_REGION: env.AWSIAMIdCRegion
},
role: oidcCallbackLambdaExecutionRole,
vpc
Expand Down Expand Up @@ -345,7 +346,8 @@ export class MyAmazonQSlackBotStack extends cdk.Stack {
OIDC_REDIRECT_URL: oidcCallbackApi.url,
KEY_ARN: kmsKey.keyArn,
Q_USER_API_ROLE_ARN: qUserAPIRole.roleArn,
GATEWAY_IDC_APP_ARN: env.GatewayIdCAppARN
GATEWAY_IDC_APP_ARN: env.GatewayIdCAppARN,
AWS_IAM_IDC_REGION: env.AWSIAMIdCRegion
},
role: slackLambdaExecutionRole,
vpc
Expand Down
Loading

0 comments on commit ab22c75

Please sign in to comment.