diff --git a/CHANGELOG.md b/CHANGELOG.md index d2f1ebc..f6e9f1d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -6,6 +6,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ## [Unreleased] +## [0.2.1] - 2024-09-27 +### Added +Add support for cross-region IAM Identity Center (IDC) where the IDC instance is in a different region from the Amazon Q Business application. The IDC region can now be specified when deploying the gateway. + ## [0.2.0] - 2024-05-28 ### Added Add support for Q Business Apps integrated with IdC @@ -48,7 +52,9 @@ Initial release - Process up to 5 attached files for document question answering, summaries, etc. - Reset and start new conversation in DM channel by using `/new_conversation` -[Unreleased]: https://github.com/aws-samples/qnabot-on-aws-plugin-samples/compare/v0.1.3...develop +[Unreleased]: https://github.com/aws-samples/qnabot-on-aws-plugin-samples/compare/main...develop +[0.2.1]: https://github.com/aws-samples/qnabot-on-aws-plugin-samples/releases/tag/v0.2.1 +[0.2.0]: https://github.com/aws-samples/qnabot-on-aws-plugin-samples/releases/tag/v0.2.0 [0.1.3]: https://github.com/aws-samples/qnabot-on-aws-plugin-samples/releases/tag/v0.1.3 [0.1.2]: https://github.com/aws-samples/qnabot-on-aws-plugin-samples/releases/tag/v0.1.2 [0.1.1]: https://github.com/aws-samples/qnabot-on-aws-plugin-samples/releases/tag/v0.1.1 diff --git a/README.md b/README.md index 54ce467..22a903c 100644 --- a/README.md +++ b/README.md @@ -57,19 +57,22 @@ Follow the instructions below to deploy the project to your own AWS account and Create the client as a ['Web app'](https://help.okta.com/en-us/content/topics/apps/apps_app_integration_wizard_oidc.htm). You will want to enable the 'Refresh Token' grant type, 'Allow everyone in your organization to access', and 'Federation Broker Mode'. Use a placeholder URL, like ```https://example.com```, for the redirect URI, as you will update this later (in step 3). +Also verify that administrators are given ability to configure the Interaction Code grant type for apps and authorization servers. This is done in Okta under Settings > Account in the "Embedded widget sign-in support" panel. If "Interaction Code" is not enabled, select "Edit" and enable the option. Then browse to Security > API in Okta and verify that an authorization server is configured and that it has an Access Policy active with a Rule that has the "Interaction Code" grant type checked. + #### 1.2 Create Trusted token issuer in IAM Identity Center Create trusted token issuer to trust tokens your Okta tenant using these instructions listed here - https://docs.aws.amazon.com/singlesignon/latest/userguide/using-apps-with-trusted-token-issuer.html. Or you can run the below script. -For the script, you need to have the OIDC issuer URL and the AWS region in which you have your Q business application. To retrieve the OIDC issuer URL, go to Okta account console, click the left hamburger menu and open Security > API and copy the whole 'Issuer URI'. +For the script, you need to have the OIDC issuer URL and the AWS region in which you have your Q business application. To retrieve the OIDC issuer URL, go to Okta account console, click the left hamburger menu and open Security > API and copy the whole 'Issuer URI'. The IAM IdC region is typically the same region where your Amazon Q Business application has been created but that is not a requirement. The script will output trusted token issuer ARN (TTI_ARN) which you will use in the next step. ``` export AWS_DEFAULT_REGION=<> OIDC_ISSUER_URL=<> - bin/create-trusted-token-issuer.sh $OIDC_ISSUER_URL + AWS_IDC_REGION=<> + bin/create-trusted-token-issuer.sh $OIDC_ISSUER_URL $AWS_IDC_REGION ``` #### 1.3 Create Customer managed application in IAM Identity Center @@ -84,7 +87,8 @@ The script will output the gateway IdC application ARN (GATEWAY_IDC_ARN) which y export AWS_DEFAULT_REGION=<> OIDC_CLIENT_ID=<> TTI_ARN=<> - bin/create-idc-application.sh $OIDC_CLIENT_ID $TTI_ARN + AWS_IDC_REGION=<> + bin/create-idc-application.sh $OIDC_CLIENT_ID $TTI_ARN $AWS_IDC_REGION ``` ### 2. Deploy the stack @@ -103,6 +107,7 @@ If you are a developer, and you want to build, deploy and/or publish the solutio 5. `OIDCClientId`: The client ID of OIDC client you created in step 1.1. 6. `OIDCIssuerURL`: The issuer URL of the OIDC client you created in step 1.1. 7. `GatewayIdCAppARN`: The application arn of IdC customer managed application you created in step 1.3. + 7. `AWSIAMIdCRegion`: The AWS region where the AWS IAM IdC instance is deployed. 8. `ContextDaysToLive`: Just leave this as the default (90 days) Region | Easy Deploy Button | Template URL - use to upgrade existing stack to a new release @@ -115,7 +120,7 @@ When your CloudFormation stack status is CREATE_COMPLETE, choose the **Outputs** ### 3. Update OIDC Client Redirect URL. -Go the app client settings created in Okta (in step 1.1), and update the client redirect URL with exported value in Cloudformation stack for `OIDCCallbackEndpointExportedName`. +Go the app client settings created in Okta (in step 1.1), and update the client redirect URL with exported value in CloudFormation stack for `OIDCCallbackEndpointExportedName`. ### 4. Configure your Slack application diff --git a/README_DEVELOPERS.md b/README_DEVELOPERS.md index ddc932f..081faea 100644 --- a/README_DEVELOPERS.md +++ b/README_DEVELOPERS.md @@ -30,9 +30,9 @@ Copy the GitHub repo to your computer. Either: 3. You need to configure SAML and SCIM with Okta and IAM Identity Center. If you haven't configured, see [Configuring SAML and SCIM with Okta and IAM Identity Center](https://docs.aws.amazon.com/singlesignon/latest/userguide/gs-okta.html) -4. You also need to have an existing, working Amazon Q business application integrated with IdC. If you haven't set one up yet, see [Creating an Amazon Q application](https://docs.aws.amazon.com/amazonq/latest/business-use-dg/create-app.html) +4. You also need to have an existing, working Amazon Q Business application integrated with IdC. If you haven't set one up yet, see [Creating an Amazon Q application](https://docs.aws.amazon.com/amazonq/latest/business-use-dg/create-app.html) -5. You need to have users subscribed to your Amazon Q business application, and are able to access Amazon Q Web Experience. If you haven't set one up yet, see [Subscribing users to an Amazon Q application](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/adding-users-groups.html) +5. You need to have users subscribed to your Amazon Q Business application, and are able to access Amazon Q Web Experience. If you haven't set one up yet, see [Subscribing users to an Amazon Q application](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/adding-users-groups.html) ## Deploy the solution @@ -43,19 +43,22 @@ Copy the GitHub repo to your computer. Either: Create the client as a ['Web app'](https://help.okta.com/en-us/content/topics/apps/apps_app_integration_wizard_oidc.htm). You will want to enable the 'Refresh Token' grant type, 'Allow everyone in your organization to access', and 'Federation Broker Mode'. Use a placeholder URL, like ```https://example.com```, for the redirect URI, as you will update this later (in step 3). +Also verify that administrators are given ability to configure the Interaction Code grant type for apps and authorization servers. This is done in Okta under Settings > Account in the "Embedded widget sign-in support" panel. If "Interaction Code" is not enabled, select "Edit" and enable the option. Then browse to Security > API in Okta and verify that an authorization server is configured and that it has an Access Policy active with a Rule that has the "Interaction Code" grant type checked. + #### 1.2 Create Trusted token issuer in IAM Identity Center Create trusted token issuer to trust tokens from OIDC issuer URL using these instructions listed here - https://docs.aws.amazon.com/singlesignon/latest/userguide/using-apps-with-trusted-token-issuer.html. Or you can run the below script. -For the script, you need to have the OIDC issuer URL and the AWS region in which you have your Q business application. To retrieve the OIDC issuer URL, go to Okta account console, click the left hamburger menu and open Security > API and copy the whole 'Issuer URI'. +For the script, you need to have the OIDC issuer URL and the AWS region in which you have your AWS IAM Identity Center instance deployed. To retrieve the OIDC issuer URL, go to Okta account console, click the left hamburger menu and open Security > API and copy the whole 'Issuer URI'. The IAM IdC region is typically the same region where your Amazon Q Business application has been created but that is not a requirement. The script will output trusted token issuer ARN which you will use in the next step. ``` export AWS_DEFAULT_REGION=<> OIDC_ISSUER_URL=<> - bin/create-trusted-token-issuer.sh $OIDC_ISSUER_URL + AWS_IDC_REGION=<> + bin/create-trusted-token-issuer.sh $OIDC_ISSUER_URL $AWS_IDC_REGION ``` #### 1.3 Create Customer managed application in IAM Identity Center @@ -70,10 +73,11 @@ The script will output the IdC application ARN which you will use in the next st export AWS_DEFAULT_REGION=<> OIDC_CLIENT_ID=<> TTI_ARN=<> - bin/create-idc-application.sh $OIDC_CLIENT_ID $TTI_ARN + AWS_IDC_REGION=<> + bin/create-idc-application.sh $OIDC_CLIENT_ID $TTI_ARN $AWS_IDC_REGION ``` -Before starting, you need to have an existing, working Amazon Q application. If you haven't set one up yet, see [Creating an Amazon Q application](https://docs.aws.amazon.com/amazonq/latest/business-use-dg/create-app.html) +Before starting, you need to have an existing, working Amazon Q Business application. If you haven't set one up yet, see [Creating an Amazon Q application](https://docs.aws.amazon.com/amazonq/latest/business-use-dg/create-app.html) ### 2. Initialize and deploy the stack @@ -84,7 +88,7 @@ Navigate into the project root directory and, in a bash shell, run: ### 3. Update OIDC Client Redirect URL. -Go the app client settings created in Okta (in step 1.1), and update the client redirect URL with exported value in Cloudformation stack for `OIDCCallbackEndpointExportedName`. +Go the app client settings created in Okta (in step 1.1), and update the client redirect URL with exported value in CloudFormation stack for `OIDCCallbackEndpointExportedName`. ### 4. Configure your Slack application @@ -169,11 +173,10 @@ OUTPUTS Template URL: https://s3.us-east-1.amazonaws.com/yourbucketbasename-us-east-1/qslack-test/AmazonQSlackGateway.json CF Launch URL: https://us-east-1.console.aws.amazon.com/cloudformation/home?region=us-east-1#/stacks/create/review?templateURL=https://s3.us-east-1.amazonaws.com/yourbucketbasename-us-east-1/qslack-test/AmazonQSlackGateway.json&stackName=AMAZON-Q-SLACK-GATEWAY Done -`````` +``` Follow the deployment directions in the main [README](./README.md), but use your own CF Launch URL instead of our pre-built templates (Launch Stack buttons). - ## Contributing, and reporting issues We welcome your contributions to our project. Whether it's a bug report, new feature, correction, or additional diff --git a/bin/convert-cfn-template.js b/bin/convert-cfn-template.js index ecb9cfe..6f9c183 100644 --- a/bin/convert-cfn-template.js +++ b/bin/convert-cfn-template.js @@ -226,6 +226,11 @@ function parameterizeTemplate(template, lambdas) { Type: 'String', AllowedPattern: '^arn:aws[a-zA-Z-]*:[a-zA-Z0-9-]*:[a-z0-9-]*:[0-9]{12}:[a-zA-Z0-9:/._-]+$', Description: 'Q Business Slack Gateway IdC App Arn' + }, + AWSIAMIdCRegion: { + Type: 'String', + Default: defaultQRegion, + Description: 'AWS IAM Identity Center (IdC) Region' } }; for (let lambda of lambdas) { @@ -242,6 +247,9 @@ function parameterizeTemplate(template, lambdas) { lambdaResource.Properties.Environment.Variables.GATEWAY_IDC_APP_ARN = { Ref: 'GatewayIdCAppARN' }; + lambdaResource.Properties.Environment.Variables.AWS_IAM_IDC_REGION = { + Ref: 'AWSIAMIdCRegion' + }; } } diff --git a/bin/create-idc-application.sh b/bin/create-idc-application.sh index f9cc1d9..9197816 100755 --- a/bin/create-idc-application.sh +++ b/bin/create-idc-application.sh @@ -2,13 +2,14 @@ # Ensure required arguments are passed if [ $# -lt 2 ]; then - echo "Usage: $0 [application_name]" + echo "Usage: $0 [application_name]" exit 1 else OIDC_CLIENT_ID="$1" TTI_ARN="$2" - if [ -n "$3" ]; then - APPLICATION_NAME="$3" + IDC_REGION="$3" + if [ -n "$4" ]; then + APPLICATION_NAME="$4" else APPLICATION_NAME="AmazonQSlackGateway" fi @@ -22,7 +23,7 @@ if [ $? -ne 0 ]; then fi # Retrieve the IdC instance ARN. -IDC_INSTANCE_ARN=$(aws sso-admin list-instances --query 'Instances[0].InstanceArn' | tr -d '""') +IDC_INSTANCE_ARN=$(aws sso-admin list-instances --region $IDC_REGION --query 'Instances[0].InstanceArn' | tr -d '""') if [ $? -ne 0 ] || [ -z "$IDC_INSTANCE_ARN" ]; then echo "Error: IDC_INSTANCE_ARN is empty or failed to retrieve. Please check your AWS SSO configuration." exit 1 @@ -32,9 +33,9 @@ fi echo "Checking if the $APPLICATION_NAME exists..." APPLICATION_EXISTS=0 GATEWAY_IDC_ARN="" -RESPONSE=$(aws sso-admin list-applications --instance-arn $IDC_INSTANCE_ARN --query 'Applications[*].ApplicationArn' | tr -d '[",]') +RESPONSE=$(aws sso-admin list-applications --instance-arn $IDC_INSTANCE_ARN --region $IDC_REGION --query 'Applications[*].ApplicationArn' | tr -d '[",]') for ARN in $RESPONSE; do - CURRENT_NAME=$(aws sso-admin describe-application --application-arn $ARN --query 'Name' | tr -d '"') + CURRENT_NAME=$(aws sso-admin describe-application --application-arn $ARN --region $IDC_REGION --query 'Name' | tr -d '"') if [ "$CURRENT_NAME" == "$APPLICATION_NAME" ]; then GATEWAY_IDC_ARN=$ARN APPLICATION_EXISTS=1 @@ -47,7 +48,7 @@ done CUSTOM_APPLICATION_PROVIDER_ARN="arn:aws:sso::aws:applicationProvider/custom" if [ $APPLICATION_EXISTS -eq 0 ]; then echo "Creating $APPLICATION_NAME..." - GATEWAY_IDC_ARN=$(aws sso-admin create-application --application-provider-arn $CUSTOM_APPLICATION_PROVIDER_ARN --instance-arn $IDC_INSTANCE_ARN --name "$APPLICATION_NAME" --query 'ApplicationArn' | tr -d '"') + GATEWAY_IDC_ARN=$(aws sso-admin create-application --application-provider-arn $CUSTOM_APPLICATION_PROVIDER_ARN --instance-arn $IDC_INSTANCE_ARN --name "$APPLICATION_NAME" --region $IDC_REGION --query 'ApplicationArn' | tr -d '"') if [ $? -ne 0 ] || [ -z "$GATEWAY_IDC_ARN" ]; then echo "Error: GATEWAY_IDC_ARN could not be created. Please check your inputs and AWS permissions." exit 1 @@ -56,7 +57,7 @@ if [ $APPLICATION_EXISTS -eq 0 ]; then fi # Disable assignment -aws sso-admin put-application-assignment-configuration --application-arn $GATEWAY_IDC_ARN --no-assignment-required +aws sso-admin put-application-assignment-configuration --application-arn $GATEWAY_IDC_ARN --region $IDC_REGION --no-assignment-required if [ $? -ne 0 ]; then echo "Failed to disable assignment for the application." exit 1 @@ -79,7 +80,7 @@ json_input='{ }, "GrantType": "urn:ietf:params:oauth:grant-type:jwt-bearer" }' -aws sso-admin put-application-grant --cli-input-json "$json_input" +aws sso-admin put-application-grant --region $IDC_REGION --cli-input-json "$json_input" if [ $? -ne 0 ]; then echo "Failed to put application grant." exit 1 @@ -107,14 +108,14 @@ json_input='{ }, "AuthenticationMethodType": "IAM" }' -aws sso-admin put-application-authentication-method --cli-input-json "$json_input" +aws sso-admin put-application-authentication-method --region $IDC_REGION --cli-input-json "$json_input" if [ $? -ne 0 ]; then echo "Failed to set authentication method." exit 1 fi # Put application access scopes -if ! aws sso-admin put-application-access-scope --application-arn $GATEWAY_IDC_ARN --scope "qbusiness:conversations:access"; then +if ! aws sso-admin put-application-access-scope --application-arn $GATEWAY_IDC_ARN --scope "qbusiness:conversations:access" --region $IDC_REGION; then echo "Failed to set access scope for conversations." exit 1 fi diff --git a/bin/create-trusted-token-issuer.sh b/bin/create-trusted-token-issuer.sh index 880d3f8..e4fed96 100755 --- a/bin/create-trusted-token-issuer.sh +++ b/bin/create-trusted-token-issuer.sh @@ -2,19 +2,20 @@ # Ensure required arguments are passed if [ $# -lt 1 ]; then - echo "Usage: $0 " + echo "Usage: $0 " exit 1 fi OIDC_ISSUER_URL="$1" +IDC_REGION="$2" # Retrieve the IdC instance ARN. -IDC_INSTANCE_ARN=$(aws sso-admin list-instances --query 'Instances[0].InstanceArn' | tr -d '"') +IDC_INSTANCE_ARN=$(aws sso-admin list-instances --query 'Instances[0].InstanceArn' --region $IDC_REGION | tr -d '"') # Check if there is TTI_ARN for the issuer url. -for arn in $(aws sso-admin list-trusted-token-issuers --instance-arn "$IDC_INSTANCE_ARN" --query 'TrustedTokenIssuers[].TrustedTokenIssuerArn[]' | tr -d '[",]') +for arn in $(aws sso-admin list-trusted-token-issuers --instance-arn "$IDC_INSTANCE_ARN" --region $IDC_REGION --query 'TrustedTokenIssuers[].TrustedTokenIssuerArn[]' | tr -d '[",]') do - current_issuer_url=$(aws sso-admin describe-trusted-token-issuer --trusted-token-issuer-arn $arn --query 'TrustedTokenIssuerConfiguration.OidcJwtConfiguration.IssuerUrl' --output text) + current_issuer_url=$(aws sso-admin describe-trusted-token-issuer --trusted-token-issuer-arn $arn --region $IDC_REGION --query 'TrustedTokenIssuerConfiguration.OidcJwtConfiguration.IssuerUrl' --output text) if [[ "$current_issuer_url" == "$OIDC_ISSUER_URL" ]] then echo "Trusted token issuer already exists for $OIDC_ISSUER_URL, ARN: $arn" @@ -35,6 +36,6 @@ TTI_ARN=$(aws sso-admin create-trusted-token-issuer --cli-input-json '{ } }, "TrustedTokenIssuerType": "OIDC_JWT" -}' --query 'TrustedTokenIssuerArn' | tr -d '"') +}' --region $IDC_REGION --query 'TrustedTokenIssuerArn' | tr -d '"') echo "TTI_ARN=$TTI_ARN" diff --git a/bin/environment.sh b/bin/environment.sh index acd900b..8a26c84 100755 --- a/bin/environment.sh +++ b/bin/environment.sh @@ -61,6 +61,7 @@ oidc_idp_name=$(prompt_for_value "OIDCIdPName" "Name of Identity Provider (Okta, oidc_client_id=$(prompt_for_value "OIDCClientId" "OIDC Client ID" "none" "^[a-zA-Z0-9_-]{1,255}$") oidc_issuer_url=$(prompt_for_value "OIDCIssuerURL" "OIDC Issuer URL" "none" "^https://[a-zA-Z0-9.-]+(:[0-9]+)?(/.*)?$") gateway_idc_app_arn=$(prompt_for_value "GatewayIdCAppARN" "Q Gateway IdC App Arn" "none" "^arn:aws[a-zA-Z-]*:[a-zA-Z0-9-]*:[a-z0-9-]*:[0-9]{12}:[a-zA-Z0-9:/._-]+$") +aws_iam_idc_region=$(prompt_for_value "AWSIAMIdCRegion" "AWS IAM Identity Center Region" $(aws configure get region) "^[a-z]{2}-[a-z]+-[0-9]+$") # Create or update the JSON file cp $json_file $json_file.bak 2> /dev/null @@ -74,6 +75,7 @@ jq -n \ --arg oidc_client_id "$oidc_client_id" \ --arg oidc_issuer_url "$oidc_issuer_url" \ --arg gateway_idc_app_arn "$gateway_idc_app_arn" \ + --arg aws_iam_idc_region "$aws_iam_idc_region" \ '{ StackName: $stack_name, AmazonQAppId: $app_id, @@ -82,7 +84,8 @@ jq -n \ OIDCIdPName: $oidc_idp_name, OIDCClientId: $oidc_client_id, OIDCIssuerURL: $oidc_issuer_url, - GatewayIdCAppARN: $gateway_idc_app_arn + GatewayIdCAppARN: $gateway_idc_app_arn, + AWSIAMIdCRegion: $aws_iam_idc_region }' > "$json_file" echo "Configuration saved to $json_file" diff --git a/bin/my-amazon-q-slack-bot.ts b/bin/my-amazon-q-slack-bot.ts index 7c93bb5..3f38dfa 100644 --- a/bin/my-amazon-q-slack-bot.ts +++ b/bin/my-amazon-q-slack-bot.ts @@ -13,6 +13,7 @@ export interface StackEnvironment { OIDCClientId: string; OIDCIssuerURL: string; GatewayIdCAppARN: string; + AWSIAMIdCRegion: string; } const app = new cdk.App(); @@ -46,6 +47,9 @@ if (environment.OIDCIssuerURL === undefined) { if (environment.GatewayIdCAppARN === undefined) { throw new Error('GatewayIdCAppARN is required'); } +if (environment.AWSIAMIdCRegion === undefined) { + throw new Error('AWSIAMIdCRegion is required'); +} new MyAmazonQSlackBotStack( app, diff --git a/lib/my-amazon-q-slack-bot-stack.ts b/lib/my-amazon-q-slack-bot-stack.ts index 57a87ce..e475a8c 100644 --- a/lib/my-amazon-q-slack-bot-stack.ts +++ b/lib/my-amazon-q-slack-bot-stack.ts @@ -288,7 +288,8 @@ export class MyAmazonQSlackBotStack extends cdk.Stack { OIDC_ISSUER_URL: env.OIDCIssuerURL, KEY_ARN: kmsKey.keyArn, Q_USER_API_ROLE_ARN: qUserAPIRole.roleArn, - GATEWAY_IDC_APP_ARN: env.GatewayIdCAppARN + GATEWAY_IDC_APP_ARN: env.GatewayIdCAppARN, + AWS_IAM_IDC_REGION: env.AWSIAMIdCRegion }, role: oidcCallbackLambdaExecutionRole, vpc @@ -345,7 +346,8 @@ export class MyAmazonQSlackBotStack extends cdk.Stack { OIDC_REDIRECT_URL: oidcCallbackApi.url, KEY_ARN: kmsKey.keyArn, Q_USER_API_ROLE_ARN: qUserAPIRole.roleArn, - GATEWAY_IDC_APP_ARN: env.GatewayIdCAppARN + GATEWAY_IDC_APP_ARN: env.GatewayIdCAppARN, + AWS_IAM_IDC_REGION: env.AWSIAMIdCRegion }, role: slackLambdaExecutionRole, vpc diff --git a/package-lock.json b/package-lock.json index 1358766..1f2b4d1 100644 --- a/package-lock.json +++ b/package-lock.json @@ -1,12 +1,12 @@ { "name": "my_amazon_q_slack_bot", - "version": "0.2.0", + "version": "0.2.1", "lockfileVersion": 3, "requires": true, "packages": { "": { "name": "my_amazon_q_slack_bot", - "version": "0.2.0", + "version": "0.2.1", "dependencies": { "@aws-crypto/client-node": "^4.0.0", "@aws-sdk/client-cloudformation": "^3.465.0", diff --git a/package.json b/package.json index 7770b58..17cb0d2 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "my_amazon_q_slack_bot", - "version": "0.2.0", + "version": "0.2.1", "bin": { "my_enterprise_q_slack_bot": "bin/my_amazon_q_slack_bot.js" }, diff --git a/publish.sh b/publish.sh index 648ef44..67f9807 100755 --- a/publish.sh +++ b/publish.sh @@ -64,7 +64,8 @@ cat > /tmp/environment.json << _EOF "OIDCIdPName": "QOIDCIDPNAME", "OIDCClientId": "QOIDCCLIENTID", "OIDCIssuerURL": "QOIDCISSUERURL", - "GatewayIdCAppARN": "QGATEWAYIDCAPPARN" + "GatewayIdCAppARN": "QGATEWAYIDCAPPARN", + "AWSIAMIdCRegion": "AWSIAMIDCREGION" } _EOF diff --git a/src/functions/oidc-callback-handler.ts b/src/functions/oidc-callback-handler.ts index be83ff7..ddbc7ff 100644 --- a/src/functions/oidc-callback-handler.ts +++ b/src/functions/oidc-callback-handler.ts @@ -18,7 +18,8 @@ const processOIDCCallbackEventEnv = (env: NodeJS.ProcessEnv) => ({ OIDC_CLIENT_SECRET_NAME: getOrThrowIfEmpty(env.OIDC_CLIENT_SECRET_NAME), KMS_KEY_ARN: getOrThrowIfEmpty(env.KEY_ARN), Q_USER_API_ROLE_ARN: getOrThrowIfEmpty(env.Q_USER_API_ROLE_ARN), - GATEWAY_IDC_APP_ARN: getOrThrowIfEmpty(env.GATEWAY_IDC_APP_ARN) + GATEWAY_IDC_APP_ARN: getOrThrowIfEmpty(env.GATEWAY_IDC_APP_ARN), + AWS_IAM_IDC_REGION: getOrThrowIfEmpty(env.AWS_IAM_IDC_REGION) }); export const handler = async ( @@ -51,6 +52,7 @@ export const handler = async ( region: oidcCallbackEventEnv.AMAZON_Q_REGION, qUserAPIRoleArn: oidcCallbackEventEnv.Q_USER_API_ROLE_ARN, gatewayIdCAppArn: oidcCallbackEventEnv.GATEWAY_IDC_APP_ARN, + awsIAMIdCRegion: oidcCallbackEventEnv.AWS_IAM_IDC_REGION, oidcRedirectUrl: oidcRedirectURL }; diff --git a/src/functions/slack-command-handler.ts b/src/functions/slack-command-handler.ts index 407f76a..d2b9660 100644 --- a/src/functions/slack-command-handler.ts +++ b/src/functions/slack-command-handler.ts @@ -23,7 +23,8 @@ const processSlackEventsEnv = (env: NodeJS.ProcessEnv) => ({ OIDC_REDIRECT_URL: getOrThrowIfEmpty(env.OIDC_REDIRECT_URL), KMS_KEY_ARN: getOrThrowIfEmpty(env.KEY_ARN), Q_USER_API_ROLE_ARN: getOrThrowIfEmpty(env.Q_USER_API_ROLE_ARN), - GATEWAY_IDC_APP_ARN: getOrThrowIfEmpty(env.GATEWAY_IDC_APP_ARN) + GATEWAY_IDC_APP_ARN: getOrThrowIfEmpty(env.GATEWAY_IDC_APP_ARN), + AWS_IAM_IDC_REGION: getOrThrowIfEmpty(env.AWS_IAM_IDC_REGION) }); export type SlackEventsEnv = ReturnType; diff --git a/src/functions/slack-event-handler.ts b/src/functions/slack-event-handler.ts index f44375b..2f13294 100644 --- a/src/functions/slack-event-handler.ts +++ b/src/functions/slack-event-handler.ts @@ -35,7 +35,8 @@ const processSlackEventsEnv = (env: NodeJS.ProcessEnv) => ({ OIDC_REDIRECT_URL: getOrThrowIfEmpty(env.OIDC_REDIRECT_URL), KMS_KEY_ARN: getOrThrowIfEmpty(env.KEY_ARN), Q_USER_API_ROLE_ARN: getOrThrowIfEmpty(env.Q_USER_API_ROLE_ARN), - GATEWAY_IDC_APP_ARN: getOrThrowIfEmpty(env.GATEWAY_IDC_APP_ARN) + GATEWAY_IDC_APP_ARN: getOrThrowIfEmpty(env.GATEWAY_IDC_APP_ARN), + AWS_IAM_IDC_REGION: getOrThrowIfEmpty(env.AWS_IAM_IDC_REGION) }); export type SlackEventsEnv = ReturnType; @@ -183,7 +184,8 @@ export const handler = async ( kmsKeyArn: slackEventsEnv.KMS_KEY_ARN, region: slackEventsEnv.AMAZON_Q_REGION, qUserAPIRoleArn: slackEventsEnv.Q_USER_API_ROLE_ARN, - gatewayIdCAppArn: slackEventsEnv.GATEWAY_IDC_APP_ARN + gatewayIdCAppArn: slackEventsEnv.GATEWAY_IDC_APP_ARN, + awsIAMIdCRegion: slackEventsEnv.AWS_IAM_IDC_REGION }; try { diff --git a/src/functions/slack-interaction-handler.ts b/src/functions/slack-interaction-handler.ts index 553e966..117d8d5 100644 --- a/src/functions/slack-interaction-handler.ts +++ b/src/functions/slack-interaction-handler.ts @@ -33,7 +33,8 @@ const processSlackInteractionsEnv = (env: NodeJS.ProcessEnv) => ({ OIDC_REDIRECT_URL: getOrThrowIfEmpty(env.OIDC_REDIRECT_URL), KMS_KEY_ARN: getOrThrowIfEmpty(env.KEY_ARN), Q_USER_API_ROLE_ARN: getOrThrowIfEmpty(env.Q_USER_API_ROLE_ARN), - GATEWAY_IDC_APP_ARN: getOrThrowIfEmpty(env.GATEWAY_IDC_APP_ARN) + GATEWAY_IDC_APP_ARN: getOrThrowIfEmpty(env.GATEWAY_IDC_APP_ARN), + AWS_IAM_IDC_REGION: getOrThrowIfEmpty(env.AWS_IAM_IDC_REGION) }); export type SlackInteractionsEnv = ReturnType; @@ -159,7 +160,8 @@ export const handler = async ( kmsKeyArn: slackInteractionsEnv.KMS_KEY_ARN, region: slackInteractionsEnv.AMAZON_Q_REGION, qUserAPIRoleArn: slackInteractionsEnv.Q_USER_API_ROLE_ARN, - gatewayIdCAppArn: slackInteractionsEnv.GATEWAY_IDC_APP_ARN + gatewayIdCAppArn: slackInteractionsEnv.GATEWAY_IDC_APP_ARN, + awsIAMIdCRegion: slackInteractionsEnv.AWS_IAM_IDC_REGION }; try { diff --git a/src/helpers/idc/session-helpers.ts b/src/helpers/idc/session-helpers.ts index f737f1e..b0002f6 100644 --- a/src/helpers/idc/session-helpers.ts +++ b/src/helpers/idc/session-helpers.ts @@ -24,6 +24,7 @@ export type SessionManagerEnv = { region: string; qUserAPIRoleArn: string; gatewayIdCAppArn: string; + awsIAMIdCRegion: string; }; type Session = { @@ -271,7 +272,7 @@ const exchangeIdPTokenForIAMSessionCreds = async ( assertion: idToken }; - const idcResponse = await getSSOOIDCClient(env.region).createTokenWithIAM( + const idcResponse = await getSSOOIDCClient(env.awsIAMIdCRegion).createTokenWithIAM( createTokenWithIAMRequest ); diff --git a/tst/mocks/mocks.ts b/tst/mocks/mocks.ts index f0a4293..5ffe651 100644 --- a/tst/mocks/mocks.ts +++ b/tst/mocks/mocks.ts @@ -22,7 +22,8 @@ export const MOCK_ENV = { KMS_KEY_ARN: 'KMS_KEY_ARN', OIDC_CLIENT_SECRET_NAME: 'OIDC_CLIENT_SECRET_NAME', Q_USER_API_ROLE_ARN: 'Q_USER_API_ROLE_ARN', - GATEWAY_IDC_APP_ARN: 'GATEWAY_IDC_APP_ARN' + GATEWAY_IDC_APP_ARN: 'GATEWAY_IDC_APP_ARN', + AWS_IAM_IDC_REGION: 'AWS_IAM_IDC_REGION' }; /* eslint @typescript-eslint/no-explicit-any: "off" */