Merge branch 'feature/template-updates' into develop

EC2 Default User · EC2 Default User · commit bb0c86bff510 · 2025-08-27T21:08:27.000Z
diff --git a/docs/configuration.md b/docs/configuration.md
@@ -27,6 +27,37 @@ The web interface allows real-time configuration updates without stack redeploym
 
 Configuration changes are validated and applied immediately, with rollback capability if issues arise. See [web-ui.md](web-ui.md) for details on using the administration interface.
 
+## Custom Configuration Path
+
+The solution now supports specifying a custom configuration file location via the `CustomConfigPath` CloudFormation parameter. This allows you to use your own configuration files stored in S3 instead of the default configuration library.
+
+### Usage
+
+When deploying the stack, you can specify a custom configuration file:
+
+```yaml
+CustomConfigPath: "s3://my-bucket/custom-config/config.yaml"
+```
+
+**Key Features:**
+- **Override Default Configuration**: When specified, your custom configuration completely replaces the default pattern configuration
+- **S3 URI Format**: Accepts standard S3 URI format (e.g., `s3://my-bucket/custom-config/config.yaml`)
+- **Least-Privilege Security**: IAM permissions are conditionally granted only to the specific S3 bucket and object you specify
+- **All Patterns Supported**: Works with Pattern 1 (BDA), Pattern 2 (Textract + Bedrock), and Pattern 3 (Textract + UDOP + Bedrock)
+
+**Security Benefits:**
+- Eliminates wildcard S3 permissions (`arn:aws:s3:::*/*`)
+- Conditional IAM access only when CustomConfigPath is specified
+- Proper S3 URI to ARN conversion for least-privilege compliance
+- Passes security scans with minimal required permissions
+
+**Configuration File Requirements:**
+- Must be valid YAML format
+- Should include all required sections for your chosen pattern (ocr, classes, classification, extraction, etc.)
+- Follow the same structure as the default configuration files in the `config_library` directory
+
+Leave the `CustomConfigPath` parameter empty (default) to use the standard configuration library included with the solution.
+
 ## Summarization Configuration
 
 ### Enable/Disable Summarization
@@ -100,6 +131,7 @@ Key parameters that can be configured during CloudFormation deployment:
 - `WAFAllowedIPv4Ranges`: IP restrictions for web UI access (default: allow all)
 - `CloudFrontPriceClass`: Set CloudFront price class for UI distribution
 - `CloudFrontAllowedGeos`: Optional geographic restrictions for UI access
+- `CustomConfigPath`: Optional S3 URI to a custom configuration file that overrides pattern presets. Leave blank to use selected pattern configuration. Example: s3://my-bucket/custom-config/config.yaml
 
 ### Pattern Selection
 - `IDPPattern`: Select processing pattern:
diff --git a/template.yaml b/template.yaml
@@ -86,6 +86,17 @@ Parameters:
     Description: >-
       Built-in IDP workflow patterns - see README for pattern descriptions.
 
+  # Custom Configuration Path
+  
+  CustomConfigPath:
+    Type: String
+    Default: ""
+    Description: >-
+      S3 URI pointing to your custom configuration YAML file. When provided, this configuration overrides the selected pattern preset and applies to all processing patterns. 
+      Leave blank to use the selected pattern configuration preset. For example s3://my-bucket/custom-config/config.yaml
+    AllowedPattern: '^(|s3://[a-zA-Z0-9.\\-_]+(/.*)?)$'
+    ConstraintDescription: Must be empty or a valid S3 URI (e.g., s3://my-bucket/custom-config/config.yaml)
+
   # Pattern 1 Parameters
 
   Pattern1BDAProjectArn:
@@ -100,8 +111,9 @@ Parameters:
     AllowedValues:
       - "lending-package-sample"
       - "default"
-    Description: Select the configuration preset for Pattern 1. Each configuration contains pre-tuned settings for specific document processing scenarios - see https://github.com/aws-samples/sample-genai-idp/blob/main/config_library/README.md.
-
+    Description: >-
+     Select the configuration preset for Pattern 1. Each configuration contains pre-tuned settings for specific document processing scenarios - see https://github.com/aws-samples/sample-genai-idp/blob/main/config_library/README.md. Note: This selected configuration will be replaced by the Custom Configuration Path if specified.
+    
   # Pattern 2 Parameters
 
   Pattern2Configuration:
@@ -113,7 +125,8 @@ Parameters:
       - "rvl-cdip-package-sample-with-few-shot-examples"
       - "bank-statement-sample"
       - "default"
-    Description: Select the configuration preset for Pattern 2. Each configuration contains pre-tuned settings for specific document processing scenarios - see https://github.com/aws-samples/sample-genai-idp/blob/main/config_library/README.md.
+    Description: >-
+     Select the configuration preset for Pattern 2. Each configuration contains pre-tuned settings for specific document processing scenarios see https://github.com/aws-samples/sample-genai-idp/blob/main/config_library/README.md. Note: Custom configuration overrides the selected pattern configuration when provided.
 
   Pattern2CustomClassificationModelARN:
     Type: String
@@ -139,8 +152,20 @@ Parameters:
     AllowedValues:
       - "rvl-cdip-package-sample"
       - "default"
-    Description: Select the configuration preset for Pattern 3. Each configuration contains pre-tuned settings for specific document processing scenarios - see https://github.com/aws-samples/sample-genai-idp/blob/main/config_library/README.md.
-
+    Description: >-
+     Select the configuration preset for Pattern 3. Each configuration contains pre-tuned settings for specific document processing scenarios - see https://github.com/aws-samples/sample-genai-idp/blob/main/config_library/README.md. Note: Custom configuration overrides the selected pattern configuration when provided.
+  
+  # Custom Configuration Path
+  
+  CustomConfigPath:
+    Type: String
+    Default: ""
+    Description: >-
+      S3 URI pointing to your custom configuration YAML file. When provided, this configuration overrides the selected pattern preset and applies to all processing patterns. 
+      Leave blank to use the selected pattern configuration preset. For example s3://my-bucket/custom-config/config.yaml
+    AllowedPattern: '^(|s3://[a-zA-Z0-9.\\-_]+(/.*)?)$'
+    ConstraintDescription: Must be empty or a valid S3 URI (e.g., s3://my-bucket/custom-config/config.yaml)
+  
   # HITL (A2I) Configuration
 
   EnableHITL:
@@ -442,6 +467,7 @@ Conditions:
   ShouldUseDocumentKnowledgeBase: !Condition ShouldCreateDocumentKnowledgeBase
   DocumentSectionsCrawlerScheduleEnabled: !Not [!Equals [!Ref DocumentSectionsCrawlerFrequency, "Manual"]]
   HasPermissionsBoundary: !Not [!Equals [!Ref PermissionsBoundaryArn, ""]]
+  HasCustomConfigPath: !Not [!Equals [!Ref CustomConfigPath, ""]]
 
 
 Metadata:
@@ -472,6 +498,10 @@ Metadata:
         Parameters:
           - Pattern3Configuration
           - Pattern3UDOPModelArtifactPath
+      - Label:
+          default: "Custom Configuration"
+        Parameters:
+          - CustomConfigPath
       - Label:
           default: "HITL (A2I) Configuration"
         Parameters:
@@ -543,6 +573,8 @@ Metadata:
         default: "Existing Private Workforce ARN"
       Pattern2Configuration:
         default: "Pattern2 - Configuration Preset"
+      CustomConfigPath:
+        default: "Custom Configuration Path"
       Pattern3UDOPModelArtifactPath:
         default: "Pattern3 - UDOP Model Artifact Path"
       Pattern3Configuration:
@@ -846,9 +878,12 @@ Resources:
         AppSyncApiUrl: !GetAtt GraphQLApi.GraphQLUrl
         AppSyncApiArn: !GetAtt GraphQLApi.Arn
         EnableHITL: !Ref EnableHITL
-        ConfigurationDefaultS3Uri: !Sub 
-          - "s3://${ConfigurationBucket}/config_library/pattern-1/${ConfigPath}/config.yaml"
-          - ConfigPath: !FindInMap [Pattern1ConfigurationMap, !Ref Pattern1Configuration, ConfigPath]
+        ConfigurationDefaultS3Uri: !If
+          - HasCustomConfigPath
+          - !Ref CustomConfigPath
+          - !Sub 
+            - "s3://${ConfigurationBucket}/config_library/pattern-1/${ConfigPath}/config.yaml"
+            - ConfigPath: !FindInMap [Pattern1ConfigurationMap, !Ref Pattern1Configuration, ConfigPath]
         ConfigLibraryHash: "<CONFIG_LIBRARY_HASH_TOKEN>"
         PermissionsBoundaryArn: !Ref PermissionsBoundaryArn
         SageMakerA2IReviewPortalURL: !If
@@ -884,9 +919,12 @@ Resources:
         AppSyncApiUrl: !GetAtt GraphQLApi.GraphQLUrl
         AppSyncApiArn: !GetAtt GraphQLApi.Arn
         ConfigurationTable: !Ref ConfigurationTable
-        ConfigurationDefaultS3Uri: !Sub 
-          - "s3://${ConfigurationBucket}/config_library/pattern-2/${ConfigPath}/config.yaml"
-          - ConfigPath: !FindInMap [Pattern2ConfigurationMap, !Ref Pattern2Configuration, ConfigPath]
+        ConfigurationDefaultS3Uri: !If
+          - HasCustomConfigPath
+          - !Ref CustomConfigPath
+          - !Sub 
+            - "s3://${ConfigurationBucket}/config_library/pattern-2/${ConfigPath}/config.yaml"
+            - ConfigPath: !FindInMap [Pattern2ConfigurationMap, !Ref Pattern2Configuration, ConfigPath]
         ConfigLibraryHash: "<CONFIG_LIBRARY_HASH_TOKEN>"
         EnableHITL: !Ref EnableHITL
         SageMakerA2IReviewPortalURL: !If
@@ -922,9 +960,12 @@ Resources:
         AppSyncApiUrl: !GetAtt GraphQLApi.GraphQLUrl
         AppSyncApiArn: !GetAtt GraphQLApi.Arn
         ConfigurationTable: !Ref ConfigurationTable
-        ConfigurationDefaultS3Uri: !Sub 
-          - "s3://${ConfigurationBucket}/config_library/pattern-3/${ConfigPath}/config.yaml"
-          - ConfigPath: !FindInMap [Pattern3ConfigurationMap, !Ref Pattern3Configuration, ConfigPath]
+        ConfigurationDefaultS3Uri: !If
+          - HasCustomConfigPath
+          - !Ref CustomConfigPath
+          - !Sub 
+            - "s3://${ConfigurationBucket}/config_library/pattern-3/${ConfigPath}/config.yaml"
+            - ConfigPath: !FindInMap [Pattern3ConfigurationMap, !Ref Pattern3Configuration, ConfigPath]
         ConfigLibraryHash: "<CONFIG_LIBRARY_HASH_TOKEN>"
         EnableHITL: !Ref EnableHITL
         SageMakerA2IReviewPortalURL: !If
@@ -2011,6 +2052,26 @@ Resources:
               - !Sub "arn:aws:s3:::<ARTIFACT_BUCKET_TOKEN>/<ARTIFACT_PREFIX_TOKEN>/*"
               - !Sub "arn:aws:s3:::${ConfigurationBucket}"
               - !Sub "arn:aws:s3:::${ConfigurationBucket}/*"
+          # Allow reading user-supplied config file only if CustomConfigPath is specified
+          - !If
+            - HasCustomConfigPath
+            - Effect: Allow
+              Action:
+                - "s3:GetObject"
+              Resource: !Sub
+                - "arn:aws:s3:::${Path}"
+                - Path: !Select [1, !Split ["s3://", !Ref CustomConfigPath]]
+            - !Ref AWS::NoValue
+          # Allow listing the specific bucket containing the custom config file
+          - !If
+            - HasCustomConfigPath
+            - Effect: Allow
+              Action:
+                - "s3:ListBucket"
+              Resource: !Sub
+                - "arn:aws:s3:::${BucketName}"
+                - BucketName: !Select [0, !Split ["/", !Select [1, !Split ["s3://", !Ref CustomConfigPath]]]]
+            - !Ref AWS::NoValue
 
   UpdateConfigurationFunctionLogGroup:
     Type: AWS::Logs::LogGroup
