---
# SAM template: SQS-driven email handler that calls Bedrock AgentCore.
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: >-
  Amazon Bedrock AgentCore Lambda Functions - Collection of Lambda functions
  for Bedrock workflows
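Parameters:
  Environment:
    Type: String
    Default: dev
    AllowedValues:
      - dev
      - qa
      - prod
    Description: Environment name
  AgentRuntimeArn:
    Type: String
    Default: ""
    Description: ARN of the Bedrock AgentCore runtime (optional, can be set per environment)
  AgentRuntimePolicyResource:
    Type: String
    # Required (no default): this value is used verbatim as the IAM Resource of
    # the bedrock-agentcore:InvokeAgentRuntime statement, and an empty Resource
    # is rejected when the role is created. Prefer a single runtime ARN over a
    # runtime/* wildcard so the handler can only invoke the intended agent.
    MinLength: 1
    Description: IAM policy resource ARN for Bedrock AgentCore (supports wildcards, e.g., arn:aws:bedrock-agentcore:us-west-2:123456789012:runtime/*)
  StorageBucketName:
    Type: String
    Default: ""
    # NOTE(review): with the empty default the s3:GetObject statement is built
    # from an empty bucket name - confirm the deployment always sets this.
    Description: S3 bucket for app storage (emails, prompts, etc.)
  SQSQueueArn:
    Type: String
    # Required (no default): used as the Lambda event source ARN and as an IAM
    # Resource; an empty value fails at resource creation, so reject it up front
    # and insist on an SQS ARN (never '*') so the role is scoped to one queue.
    MinLength: 1
    AllowedPattern: '^arn:aws[a-z-]*:sqs:[a-z0-9-]+:[0-9]{12}:[A-Za-z0-9_.-]+$'
    ConstraintDescription: Must be an SQS queue ARN (arn:<partition>:sqs:<region>:<account-id>:<queue-name>)
    Description: Existing SQS queue ARN for SES email notifications
  BedrockReadTimeout:
    Type: Number
    Default: 300
    MinValue: 1
    # 900 s is the Lambda maximum; the function Timeout in Globals must cover
    # this value or the invocation is killed before the agent call returns.
    MaxValue: 900
    Description: Bedrock agent read timeout in seconds (default 300 = 5 minutes)
  AttachmentsS3Bucket:
    Type: String
    Default: ""
    Description: S3 bucket for storing email attachments (optional)
  AttachmentsCloudFrontDomain:
    Type: String
    Default: ""
    Description: CloudFront domain for attachment URLs (optional)
  AttachmentMaxSizeMB:
    Type: Number
    Default: 20
    MinValue: 1
    MaxValue: 100
    Description: Maximum attachment file size in MB (default 20)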
Conditions:
  # True when an attachments bucket name was supplied; gates the s3:PutObject
  # statement on the handler role.
  HasAttachmentsBucket:
    Fn::Not:
      - Fn::Equals:
          - !Ref AttachmentsS3Bucket
          - ''
Globals:
  Function:
    # Lambda timeout in seconds (5 minutes). Keep this at or above
    # BedrockReadTimeout, and keep the SQS queue's visibility timeout above this
    # value, or messages are redelivered while they are still being processed.
    Timeout: 300
    MemorySize: 256
    Runtime: python3.13
    Tracing: Active
    Environment:
      Variables:
        ENVIRONMENT: !Ref Environment
        AGENT_RUNTIME_ARN: !Ref AgentRuntimeArn
        BEDROCK_READ_TIMEOUT: !Ref BedrockReadTimeout
        PROMPT_BUCKET: !Ref StorageBucketName
        PROMPT_KEY_PREFIX: 'prompts/'
        # Prompt cache TTL in seconds (5 minutes); quoted so it stays a string
        PROMPT_CACHE_TTL: '300'
        ATTACHMENTS_S3_BUCKET: !Ref AttachmentsS3Bucket
        ATTACHMENTS_CLOUDFRONT_DOMAIN: !Ref AttachmentsCloudFrontDomain
        ATTACHMENT_MAX_SIZE_MB: !Ref AttachmentMaxSizeMB
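Resources:
  # IAM Role for SQS Email Handler Lambda Function.
  # Declared explicitly (instead of a SAM-generated role) so every permission is
  # scoped to the resources the handler actually touches.
  SQSEmailHandlerFunctionRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub sqs-email-handler-role-${Environment}
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: !Sub sqs-email-handler-policy-${Environment}
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # S3 - Read from storage bucket (emails, prompts).
              # ${AWS::Partition} keeps the ARN valid outside the standard partition.
              - Effect: Allow
                Action:
                  - s3:GetObject
                Resource: !Sub 'arn:${AWS::Partition}:s3:::${StorageBucketName}/*'
              # S3 - Write attachments to attachments bucket (if configured).
              # AWS::NoValue removes the whole statement when no bucket is set.
              - !If
                - HasAttachmentsBucket
                - Effect: Allow
                  Action:
                    - s3:PutObject
                  Resource: !Sub 'arn:${AWS::Partition}:s3:::${AttachmentsS3Bucket}/*'
                - !Ref AWS::NoValue
              # SQS - Receive and process messages (the minimum the Lambda event
              # source mapping needs to poll this one queue)
              - Effect: Allow
                Action:
                  - sqs:ReceiveMessage
                  - sqs:DeleteMessage
                  - sqs:GetQueueAttributes
                Resource: !Ref SQSQueueArn
              # Bedrock - Invoke AgentCore agents
              - Effect: Allow
                Action:
                  - bedrock-agentcore:InvokeAgentRuntime
                Resource: !Ref AgentRuntimePolicyResource
              # CloudWatch Logs - scoped to this function's own log group instead
              # of '*' so the role cannot create or write to other log groups.
              # The group name must match FunctionName on the function below.
              - Effect: Allow
                Action:
                  - logs:CreateLogGroup
                  - logs:CreateLogStream
                  - logs:PutLogEvents
                Resource: !Sub 'arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/sqs-email-handler-${Environment}:*'
              # X-Ray Tracing - these actions do not support resource-level
              # permissions, so '*' is required here.
              - Effect: Allow
                Action:
                  - xray:PutTraceSegments
                  - xray:PutTelemetryRecords
                Resource: '*'
  # SQS Email Handler Lambda Function
  SQSEmailHandlerFunction:
    Type: AWS::Serverless::Function
    Properties:
      # Also determines the log group name referenced by the role policy above
      FunctionName: !Sub sqs-email-handler-${Environment}
      CodeUri: src/
      Handler: sqs_email_handler.lambda_handler
      Description: Process emails from SES via SQS with Bedrock agent
      # Explicit role: SAM does not generate its own role for this function
      Role: !GetAtt SQSEmailHandlerFunctionRole.Arn
      # SQS Event Source
      Events:
        SQSEvent:
          Type: SQS
          Properties:
            Queue: !Ref SQSQueueArn
            BatchSize: 10
            # Partial batch responses: only the reported failed messages are
            # returned to the queue instead of the whole batch
            FunctionResponseTypes:
              - ReportBatchItemFailures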
Outputs:
  # Every export is prefixed with the stack name so several environments can
  # be deployed side by side in one account/region.
  SQSEmailHandlerFunctionName:
    Description: SQS Email Handler Lambda Function Name
    Value: !Ref SQSEmailHandlerFunction
    Export:
      Name: !Sub '${AWS::StackName}-FunctionName'
  SQSEmailHandlerFunctionArn:
    Description: SQS Email Handler Lambda Function ARN
    Value: !GetAtt SQSEmailHandlerFunction.Arn
    Export:
      Name: !Sub '${AWS::StackName}-FunctionArn'
  # Pass-through of the input parameters so dependent stacks can import them
  SQSQueueArn:
    Description: SQS Queue ARN (existing queue for email processing)
    Value: !Ref SQSQueueArn
    Export:
      Name: !Sub '${AWS::StackName}-SQSQueueArn'
  StorageBucketName:
    Description: S3 Bucket name for app storage (emails, prompts, etc.)
    Value: !Ref StorageBucketName
    Export:
      Name: !Sub '${AWS::StackName}-StorageBucketName'