CDK Deployment and DB Read-Only User (#179)

* Cognito Authentication Added

* Cognito Authentication Added

* Cognito Authentication Added

* AgentCore Enhanced Deployment Option

* AgentCore Enhanced Deployment Option

* AgentCore Enhanced Deployment Option

* AgentCore Enhanced Deployment Option

* AgentCore Enhanced Deployment Option

* AgentCore Enhanced Deployment Option

* AgentCore Enhanced Deployment Option

* CDK Deployment and DB Read-Only User

* CDK Deployment and DB Read-Only User

---------

Co-authored-by: Uriel Ramirez <beralfon@amazon.com>

Author: aurbac

examples/agents_ux/video_games_sales_assistant_with_amazon_bedrock_agents/README.md

@@ -8,7 +8,7 @@
 > [!IMPORTANT]
 > **🚀 Ready-to-Deploy Agent Web Application**: Use this reference solution to build other agent-powered web applications across different industries. Extend the agent capabilities by adding custom tools for specific industry workflows and adapt it to various business domains.
 
-This solution provides a Generative AI application reference that allows users to interact with data through a natural language interface. The solution connects **[Amazon Bedrock Agents](https://aws.amazon.com/bedrock/agents/)** to a PostgreSQL database, providing data analysis capabilities through a Web Application interface.
+This solution provides a Generative AI application reference that allows users to interact with data through a natural language interface. The solution uses **[Amazon Bedrock Agents](https://aws.amazon.com/bedrock/agents/)** connected to a PostgreSQL database for data analysis capabilities, deployed with **[AWS CDK](https://docs.aws.amazon.com/cdk/v2/guide/home.html)** for back-end infrastructure and **[AWS Amplify](https://docs.amplify.aws/)** for the front-end web application.
 
 <div align="center">
 <img src="./images/data-analyst-assistant-amazon-bedrock-agents.gif" alt="Conversational Data Analyst Assistant Solution with Amazon Bedrock Agents">
@@ -39,24 +39,28 @@ The following architecture diagram illustrates a reference solution for a genera
 
 > [!IMPORTANT]
 > This sample application is meant for demo purposes and is not production ready. Please make sure to validate the code with your organizations security best practices.
-> 
-> Cost Alert: This solution will cost approximately $180 USD per month, mainly for Aurora Serverless and RDS Proxy, plus the usage of on-demand services like Amazon Bedrock and Lambda functions. Please ensure you understand these costs before deployment.
 
-The solution deploys the following AWS services:
+### CDK Infrastructure Deployment
+
+The AWS CDK stack deploys and configures the following managed services:
 
-- **Amazon Bedrock Agent**: Powers the ***Data Analyst Assistant*** that answers questions by generating SQL queries using Claude 3.5 Haiku
+- **Amazon Bedrock Agent**: Powers the ***Data Analyst Assistant*** that answers questions by generating SQL queries using Claude Haiku 4.5
 - **AWS Lambda**: Processes agent requests through various tools including:
-    - /runSQLQuery: Executes queries against the database
+    - /runSQLQuery: Executes queries against the database via the RDS Data API
     - /getCurrentDate: Retrieves the current date
     - /getTablesInformation: Provides database tables information for agent context
-- **Aurora Serverless PostgreSQL**: Stores the video game sales data
+- **Amazon Aurora Serverless v2 PostgreSQL**: Stores the video game sales data with RDS Data API integration
 - **Amazon DynamoDB**: Tracks questions and query results
-- **AWS Secrets Manager**: Securely stores database credentials
-- **Amazon VPC**: Provides network isolation for the database
+- **AWS Secrets Manager**: Securely stores database credentials (admin and read-only user)
+- **Amazon VPC**: Provides network isolation for the database with public and private subnets
+- **Amazon S3**: Import bucket for loading data into Aurora PostgreSQL
+
+### Amplify Deployment for the Front-End Application
+
 - **React Web Application**: Delivers the user interface for the assistant
     - Uses Amazon Cognito for user authentication and permissions management
     - The application invokes the Amazon Bedrock Agent for interacting with the assistant
-    - For chart generation, the application directly invokes the Claude 3.7 Sonnet model
+    - For chart generation, the application directly invokes the Claude Haiku 4.5 model
 
 > [!NOTE]
 > The React Web Application uses Amazon Cognito for user authentication and permissions management, providing secure access to Amazon Bedrock and Amazon DynamoDB services through authenticated user roles.
@@ -70,17 +74,17 @@ The solution deploys the following AWS services:
 The **user interaction workflow** operates as follows:
 
 - The web application sends user business questions to the Amazon Bedrock Agent
-- The agent (powered by Claude 3.5 Haiku) processes natural language and determines when to execute database queries
-- Lambda functions execute SQL queries against the Aurora PostgreSQL database and send the results back to the agent, which formulates an answer to the question
+- The agent (powered by Claude Haiku 4.5) processes natural language and determines when to execute database queries
+- Lambda functions execute SQL queries against the Aurora PostgreSQL database via the RDS Data API and send the results back to the agent, which formulates an answer to the question
 - After the agent's response is received by the web application, the raw data query results are retrieved from the DynamoDB table to display both the answer and the corresponding records
-- For chart generation, the application invokes a model (powered by Claude 3.7 Sonnet) to analyze the agent's answer and raw data query results to generate the necessary data to render an appropriate chart visualization
+- For chart generation, the application invokes a model (powered by Claude Haiku 4.5) to analyze the agent's answer and raw data query results to generate the necessary data to render an appropriate chart visualization
 
 ## Deployment Instructions
 
 The deployment consists of two main steps:
 
-1. **Generative AI Application** - [Data Source and Amazon Bedrock Agent Deployment with AWS SAM](./sam-bedrock-video-games-sales-assistant/)
-2. **Front-End Implementation** - [Integrating Amazon Bedrock Agent with a Ready-to-Use Data Analyst Assistant Application](./amplify-video-games-sales-assistant-bedrock-agent/)
+1. **Generative AI Application** - [Data Source and Amazon Bedrock Agent Deployment with AWS CDK](./cdk-video-games-sales-assistant-bedrock-agent/)
+2. **Front-End Implementation** - [Deploying a Conversational Data Analyst Assistant Solution with Amazon Bedrock Agents](./amplify-video-games-sales-assistant-bedrock-agent/)
 
 > [!NOTE]
 > *It is recommended to use the Oregon (us-west-2) or N. Virginia (us-east-1) regions to deploy the application.*
@@ -118,4 +122,4 @@ The following images showcase a conversational experience analysis that includes
 
 ## License
 
-This project is licensed under the Apache-2.0 License.
+This project is licensed under the Apache-2.0 License.

examples/agents_ux/video_games_sales_assistant_with_amazon_bedrock_agents/amplify-video-games-sales-assistant-bedrock-agent/README.md

@@ -1,18 +1,21 @@
 # Front-End Implementation - Integrating Amazon Bedrock Agent with a Ready-to-Use Data Analyst Assistant Application
 
-This tutorial guides you through setting up a React Web application that integrates with your Amazon Bedrock Agent, creating a Data Analyst Assistant for Video Game Sales.
+This tutorial guides you through setting up a React Web application using **[AWS Amplify](https://docs.amplify.aws/)** that integrates with your **[Amazon Bedrock Agent](https://aws.amazon.com/bedrock/agents/)** deployment, creating a Data Analyst Assistant for Video Game Sales.
+
+> [!NOTE]
+> **Working Directory**: Make sure you are in the `amplify-video-games-sales-assistant-bedrock-agent/` folder before starting this tutorial. All commands in this guide should be executed from this directory.
 
 ## Overview
 
-By the end of this tutorial, you'll have a fully functional Generative AI web application that allows users to interact with a Data Analyst Assistant interface.
+By the end of this tutorial, you'll have a fully functional Generative AI web application that allows users to interact with a Data Analyst Assistant interface powered by Amazon Bedrock Agents.
 
 The application consists of two main components:
 
 - **React Web Application**: Provides the user interface and handles user interactions
 - **Amazon Bedrock Integration:**:
     - Uses your Bedrock Agent for data analysis and natural language processing
     - The application invokes the Amazon Bedrock Agent for interacting with the assistant
-    - Directly invokes Claude 3.7 Sonnet model for chart generation and visualization
+    - Directly invokes Claude Haiku 4.5 model for chart generation and visualization
 
 > [!IMPORTANT]
 > This sample application is for demonstration purposes only and is not production-ready. Please validate the code against your organization's security best practices.
@@ -22,10 +25,6 @@ The application consists of two main components:
 Before you begin, ensure you have:
 
 - [Node.js version 18+](https://nodejs.org/en/download/package-manager)
-- React Scripts installed:
-``` bash
-npm install react-scripts
-```
 
 ## Set Up the Front-End Application
 
@@ -39,7 +38,7 @@ npm install
 
 ### Install Amplify CLI
 
-Install the Amplify CLI globally:
+Install the **[AWS Amplify](https://docs.amplify.aws/)** CLI globally:
 
 ``` bash
 npm install -g @aws-amplify/cli
@@ -53,6 +52,9 @@ Initialize the Amplify project:
 amplify init
 ```
 
+- Do you want to continue with Amplify Gen 1? **`yes`**
+- Why would you like to use Amplify Gen 1? **`Prefer not to answer`**
+
 Use the following configuration:
 
 - ? Enter a name for the project: **`daabedrockagent`**
@@ -98,12 +100,51 @@ amplify push
 > [!NOTE]
 > This creates a Cognito User Pool and Identity Pool in your AWS account for user authentication. AWS credentials for the Front-End Application are automatically managed through Cognito.
 
+## Get CDK Output Values
+
+Get the required values from your CDK project outputs. These values are needed for configuring AuthRole permissions and environment variables:
+
+``` bash
+# Set the stack name environment variable
+export STACK_NAME=CdkVideoGamesSalesAssistantBedrockAgentStack
+
+# Get the values from CDK outputs
+export AGENT_ARN=$(aws cloudformation describe-stacks --stack-name "$STACK_NAME" --query "Stacks[0].Outputs[?OutputKey=='AgentARN'].OutputValue" --output text)
+export AGENT_ID=$(aws cloudformation describe-stacks --stack-name "$STACK_NAME" --query "Stacks[0].Outputs[?OutputKey=='AgentId'].OutputValue" --output text)
+export QUESTION_ANSWERS_TABLE_NAME=$(aws cloudformation describe-stacks --stack-name "$STACK_NAME" --query "Stacks[0].Outputs[?OutputKey=='QuestionAnswersTableName'].OutputValue" --output text)
+export QUESTION_ANSWERS_TABLE_ARN=$(aws cloudformation describe-stacks --stack-name "$STACK_NAME" --query "Stacks[0].Outputs[?OutputKey=='QuestionAnswersTableArn'].OutputValue" --output text)
+export ACCOUNT_ID=$(aws cloudformation describe-stacks --stack-name "$STACK_NAME" --query "Stacks[0].Outputs[?OutputKey=='AccountId'].OutputValue" --output text)
+
+cat << EOF
+# Agent Resources
+AGENT_ARN: ${AGENT_ARN}
+AGENT_ID: ${AGENT_ID}
+ACCOUNT_ID: ${ACCOUNT_ID}
+
+# DynamoDB Resources
+QUESTION_ANSWERS_TABLE_NAME: ${QUESTION_ANSWERS_TABLE_NAME}
+QUESTION_ANSWERS_TABLE_ARN: ${QUESTION_ANSWERS_TABLE_ARN}
+EOF
+```
+
 ## Configure AuthRole Permissions
 
 After authentication deployment, you need to grant your authenticated users permission to access AWS services.
 
-1. **Find your AuthRole**: Go to AWS Console → IAM → Roles → Search for amplify-daabedrockagent-dev-*-authRole
-2. **Add this policy** (replace the placeholder values with your actual values from SAM outputs):
+1. **Find your AuthRole**: Go to AWS Console → IAM → Roles → Search for `amplify-daabedrockagent-dev-*-authRole`
+
+2. **Add an inline policy**: Click on the role → **Add permissions** → **Create inline policy** → Select **JSON** tab
+
+3. **Copy the policy below** and replace the following placeholders with your actual values:
+
+   | Placeholder | Replace With | Example |
+   |-------------|--------------|---------|
+   | `<account_id>` | Your AWS Account ID (12-digit number) | `123456789012` |
+   | `<agent_arn>` | `AGENT_ARN` from CDK outputs above | `arn:aws:bedrock:us-east-1:123456789012:agent/XXXXXXXXXX` |
+   | `<agent_id>` | `AGENT_ID` from CDK outputs above | `XXXXXXXXXX` |
+   | `<question_answers_table_arn>` | `QUESTION_ANSWERS_TABLE_ARN` from CDK outputs above | `arn:aws:dynamodb:us-east-1:123456789012:table/QuestionAnswers-xxx` |
+
+**Policy to copy (replace placeholders):**
 
 ``` json
 {
@@ -127,10 +168,12 @@ After authentication deployment, you need to grant your authenticated users perm
                 "bedrock:InvokeModel"
             ],
             "Resource": [
-                "arn:aws:bedrock:*:<account_id>:inference-profile/us.anthropic.claude-3-7-sonnet-20250219-v1:0",
-                "arn:aws:bedrock:us-east-2::foundation-model/anthropic.claude-3-7-sonnet-20250219-v1:0",
-                "arn:aws:bedrock:us-east-1::foundation-model/anthropic.claude-3-7-sonnet-20250219-v1:0",
-                "arn:aws:bedrock:us-west-2::foundation-model/anthropic.claude-3-7-sonnet-20250219-v1:0"
+                "arn:aws:bedrock:us-east-1:<account_id>:inference-profile/us.anthropic.claude-haiku-4-5-20251001-v1:0",
+                "arn:aws:bedrock:us-east-2:<account_id>:inference-profile/us.anthropic.claude-haiku-4-5-20251001-v1:0",
+                "arn:aws:bedrock:us-west-2:<account_id>:inference-profile/us.anthropic.claude-haiku-4-5-20251001-v1:0",
+                "arn:aws:bedrock:us-east-2::foundation-model/anthropic.claude-haiku-4-5-20251001-v1:0",
+                "arn:aws:bedrock:us-east-1::foundation-model/anthropic.claude-haiku-4-5-20251001-v1:0",
+                "arn:aws:bedrock:us-west-2::foundation-model/anthropic.claude-haiku-4-5-20251001-v1:0"
             ]
         },
         {
@@ -145,6 +188,8 @@ After authentication deployment, you need to grant your authenticated users perm
 }
 ```
 
+4. **Save the policy** with a name like `DataAnalystAssistantPermissions`
+
 ## Configure Environment Variables
 
 Rename the file **src/sample.env.js** to **src/env.js**:
@@ -153,15 +198,17 @@ Rename the file **src/sample.env.js** to **src/env.js**:
 mv src/sample.env.js src/env.js
 ```
 
-In you **src/env.js** update the following environment variables
+In your **src/env.js** update the following environment variables using the CDK output values from above:
 
- - AWS Region:
-     - **AWS_REGION**
+- **AWS_REGION**: Your AWS region (e.g., `us-east-1`)
+- **AGENT_ID**: Your Bedrock Agent ID from CDK outputs
+- **AGENT_ALIAS_ID**: Your Bedrock Agent Alias ID (create an alias in the Bedrock console)
+- **QUESTION_ANSWERS_TABLE_NAME**: Use the value from the CDK outputs above
 
- - Agent and DynamoDB table name information that you can find in the CloudFormation Outputs from the SAM project:
-     - **AGENT_ID**
-     - **AGENT_ALIAS_ID**
-     - **QUESTION_ANSWERS_TABLE_NAME** 
+Also, you can update the general application description:
+- **APP_NAME**: "Data Analyst Assistant"
+- **APP_SUBJECT**: "Video Games Sales"
+- **WELCOME_MESSAGE**: Your custom welcome message
 
 ## Test Your Data Analyst Assistant
 
@@ -230,7 +277,7 @@ Give me a short summary and conclusion of our conversation.
 
 ## Deploy your Application with Amplify Hosting
 
-To deploy your application yu can use AWS Amplify Hosting:
+To deploy your application you can use AWS Amplify Hosting:
 
 ### Add Hosting
 
@@ -284,4 +331,4 @@ Congratulations! Your Data Analyst Assistant can provide you with the following
 
 ## License
 
-This project is licensed under the Apache-2.0 License.
+This project is licensed under the Apache-2.0 License.

examples/agents_ux/video_games_sales_assistant_with_amazon_bedrock_agents/amplify-video-games-sales-assistant-bedrock-agent/src/sample.env.js

@@ -18,7 +18,7 @@ const WELCOME_MESSAGE = "I'm your Video Games Sales Data Analyst, crunching data
 // ================================
 
 const MAX_LENGTH_INPUT_SEARCH = 140;
-const MODEL_ID_FOR_CHART = "us.anthropic.claude-3-7-sonnet-20250219-v1:0";
+const MODEL_ID_FOR_CHART = "us.anthropic.claude-haiku-4-5-20251001-v1:0";
 
 const CHART_PROMPT =
   '\n\

examples/agents_ux/video_games_sales_assistant_with_amazon_bedrock_agents/cdk-video-games-sales-assistant-bedrock-agent/.gitignore

@@ -0,0 +1,10 @@
+*.js
+!jest.config.js
+*.d.ts
+node_modules
+.DS_Store
+package-lock.json
+
+# CDK asset staging directory
+.cdk.staging
+cdk.out

examples/agents_ux/video_games_sales_assistant_with_amazon_bedrock_agents/cdk-video-games-sales-assistant-bedrock-agent/.npmignore

@@ -0,0 +1,6 @@
+*.ts
+!*.d.ts
+
+# CDK asset staging directory
+.cdk.staging
+cdk.out