--- Transform: AWS::Serverless-2016-10-31 Resources: RagAppApi: Type: AWS::Serverless::Api Properties: StageName: prod RagAppFunction: Type: AWS::Serverless::Function Properties: CodeUri: ./rag_app Handler: rag_app.lambda_handler Runtime: python3.10 PackageType: Zip Timeout: 60 Environment: Variables: REGION: !Ref "AWS::Region" KENDRA_INDEX_ID: "***KENDRA_INDEX_ID***" SM_ENDPOINT_NAME: "***SAGEMAKER_ENDPOINT_NAME***" Role: !GetAtt LambdaExecutionRole.Arn Events: ApiEvent: Type: Api Properties: Path: /ragapp Method: POST RestApiId: Ref: RagAppApi LambdaExecutionRole: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Principal: Service: lambda.amazonaws.com Action: - sts:AssumeRole Policies: - PolicyName: SageMakerAccess PolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Action: - sagemaker:InvokeEndpoint Resource: '*' - PolicyName: LambdaLogsAccess PolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Action: - logs:CreateLogGroup - logs:CreateLogStream - logs:PutLogEvents Resource: arn:aws:logs:*:*:* - PolicyName: DynamoDbAccess PolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Action: - dynamodb:Scan - dynamodb:Query - dynamodb:GetItem - dynamodb:PutItem - dynamodb:UpdateItem - dynamodb:DeleteItem Resource: "*" - PolicyName: KendraSearchPolicy PolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Action: - kendra:Query - kendra:BatchGetDocumentStatus - kendra:Retrieve Resource: "*" # VPC VPC: Type: AWS::EC2::VPC Properties: CidrBlock: 12.0.0.0/16 EnableDnsSupport: true EnableDnsHostnames: true Subnet1: Type: AWS::EC2::Subnet Properties: VpcId: !Ref VPC CidrBlock: 12.0.0.0/24 AvailabilityZone: !Join - '' - - !Ref "AWS::Region" - 'a' Subnet2: Type: AWS::EC2::Subnet Properties: VpcId: !Ref VPC CidrBlock: 12.0.1.0/24 AvailabilityZone: !Join - '' - - !Ref "AWS::Region" - 'b' InternetGateway: Type: AWS::EC2::InternetGateway ElasticIp: Type: AWS::EC2::EIP Properties: Domain: vpc VPCGatewayAttachment: Type: AWS::EC2::VPCGatewayAttachment Properties: VpcId: !Ref VPC InternetGatewayId: !Ref InternetGateway PublicRouteTable: Type: AWS::EC2::RouteTable Properties: VpcId: !Ref VPC PublicRoute: Type: AWS::EC2::Route DependsOn: VPCGatewayAttachment Properties: RouteTableId: !Ref PublicRouteTable DestinationCidrBlock: 0.0.0.0/0 GatewayId: !Ref InternetGateway PublicSubnetRouteTableAssociationSn1: Type: AWS::EC2::SubnetRouteTableAssociation Properties: SubnetId: !Ref Subnet1 RouteTableId: !Ref PublicRouteTable PublicSubnetRouteTableAssociationSn2: Type: AWS::EC2::SubnetRouteTableAssociation Properties: SubnetId: !Ref Subnet2 RouteTableId: !Ref PublicRouteTable # ECS ECSService: Type: AWS::ECS::Service DependsOn: - LoadBalancerListener - SecurityGroupEcs Properties: Cluster: !Ref ECSCluster DesiredCount: 1 LaunchType: FARGATE TaskDefinition: !Ref ECSTaskDefinition LoadBalancers: - TargetGroupArn: !Ref TargetGroup ContainerPort: 80 ContainerName: rag-app NetworkConfiguration: AwsvpcConfiguration: Subnets: - !Ref Subnet1 - !Ref Subnet2 AssignPublicIp: ENABLED SecurityGroups: - !Ref SecurityGroupEcs # ECS ECSTaskDefinition: Type: AWS::ECS::TaskDefinition Properties: RequiresCompatibilities: - FARGATE NetworkMode: awsvpc Cpu: 1024 Memory: 2048 ExecutionRoleArn: !GetAtt EcsTaskExecutionRole.Arn TaskRoleArn: !GetAtt EcsTaskExecutionRole.Arn ContainerDefinitions: - Name: rag-app Image: !Join - '' - - !Ref "AWS::AccountId" - ".dkr.ecr." - !Ref "AWS::Region" - ".amazonaws.com/rag-app:latest" LogConfiguration: LogDriver: awslogs Options: awslogs-region: !Ref 'AWS::Region' awslogs-group: !Ref MyLogGroup awslogs-stream-prefix: my-container Environment: - Name: BASE_URL Value: !Sub "https://${RagAppApi}.execute-api.${AWS::Region}.amazonaws.com/Stage" PortMappings: - ContainerPort: 80 HostPort: 80 Protocol: 'tcp' ECSCluster: Type: AWS::ECS::Cluster SecurityGroupEcs: Type: AWS::EC2::SecurityGroup Properties: GroupDescription: Allow SSH and HTTP access VpcId: !Ref VPC SecurityGroupIngress: - IpProtocol: tcp FromPort: 80 ToPort: 80 SourceSecurityGroupId: !Ref LoadBalancerSecurityGroup MyLogGroup: Type: AWS::Logs::LogGroup Properties: LogGroupName: rag-app-log-group RetentionInDays: 7 EcsTaskExecutionRole: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Principal: Service: - ecs-tasks.amazonaws.com Action: - sts:AssumeRole Policies: - PolicyName: ecs-task-policy PolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Action: - ecr:BatchCheckLayerAvailability - ecr:GetDownloadUrlForLayer - ecr:BatchGetImage - ecr:GetAuthorizationToken Resource: "*" - Effect: Allow Action: - logs:CreateLogGroup - logs:CreateLogStream - logs:PutLogEvents Resource: "arn:aws:logs:*:*:*" - Effect: Allow Action: - lambda:InvokeFunction Resource: - "*" # Load Balancing LoadBalancerSecurityGroup: Type: AWS::EC2::SecurityGroup Properties: GroupName: LoadBalancerSecurityGroup GroupDescription: Security group for load balancer VpcId: !Ref VPC SecurityGroupIngress: - IpProtocol: tcp FromPort: 80 ToPort: 80 CidrIp: 0.0.0.0/0 LoadBalancer: Type: AWS::ElasticLoadBalancingV2::LoadBalancer Properties: Name: rag-load-balancer Subnets: - !Ref Subnet1 - !Ref Subnet2 SecurityGroups: - !GetAtt LoadBalancerSecurityGroup.GroupId LoadBalancerListener: Type: AWS::ElasticLoadBalancingV2::Listener Properties: LoadBalancerArn: !Ref LoadBalancer Port: 80 Protocol: HTTP DefaultActions: - Type: forward TargetGroupArn: !Ref TargetGroup TargetGroup: Type: AWS::ElasticLoadBalancingV2::TargetGroup Properties: TargetType: ip Name: rag-lb-target-group Port: 80 Protocol: HTTP VpcId: !Ref VPC MemoryTable: Type: AWS::DynamoDB::Table Properties: TableName: MemoryTable AttributeDefinitions: - AttributeName: SessionId AttributeType: S KeySchema: - AttributeName: SessionId KeyType: HASH BillingMode: PAY_PER_REQUEST