This is a Slack-based AI assistant that helps people query and understand documents relating to onboarding to the FHIR NHS EPS API (used for prescriptions and dispensing). The assistant uses Amazon Bedrock Knowledge Base with OpenSearch Serverless to provide intelligent responses to user queries through Slack slash commands.
The solution consists of:
- Slack Bot Function: AWS Lambda function that handles Slack slash commands and integrates with Amazon Bedrock Knowledge Base
- Create Index Function: AWS Lambda function that creates and manages OpenSearch vector indices for the knowledge base
- Sync Knowledge Base Function: AWS Lambda function that automatically triggers knowledge base ingestion when documents are uploaded to S3
- OpenSearch Serverless: Vector database for storing and searching document embeddings
- Amazon Bedrock Knowledge Base: RAG (Retrieval-Augmented Generation) service with guardrails
- S3 Storage: Document storage for the knowledge base with automatic sync triggers
- AWS CDK: Infrastructure as Code for deployment
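As a rough illustration of the RAG flow above (a hedged sketch, not the repository's actual code — the function names and environment variable names `KNOWLEDGE_BASE_ID` and `MODEL_ARN` here are assumptions), the Slack bot Lambda could query the knowledge base through the Bedrock Agent Runtime `retrieve_and_generate` API:

```python
import os


def build_rag_request(query: str, kb_id: str, model_arn: str) -> dict:
    """Build the request payload for bedrock-agent-runtime retrieve_and_generate.

    Kept as a pure function so it can be unit-tested without AWS credentials.
    """
    return {
        "input": {"text": query},
        "retrieveAndGenerateConfiguration": {
            "type": "KNOWLEDGE_BASE",
            "knowledgeBaseConfiguration": {
                "knowledgeBaseId": kb_id,
                "modelArn": model_arn,
            },
        },
    }


def query_knowledge_base(query: str) -> str:
    """Call Bedrock with the payload above.

    Requires AWS credentials plus KNOWLEDGE_BASE_ID and MODEL_ARN environment
    variables (the variable names are assumptions for this sketch).
    """
    import boto3  # imported lazily so the pure helper stays testable offline

    client = boto3.client("bedrock-agent-runtime")
    request = build_rag_request(
        query,
        os.environ["KNOWLEDGE_BASE_ID"],
        os.environ["MODEL_ARN"],
    )
    response = client.retrieve_and_generate(**request)
    return response["output"]["text"]
```

Separating the payload construction from the AWS call is a common pattern in Lambda code, since it lets unit tests cover the request shape without mocking the network.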
This is a monorepo with the following structure:
packages/
├── cdk/ # AWS CDK infrastructure code
│ ├── bin/ # CDK app entry point
│ │ └── utils/ # CDK utility functions
│ ├── constructs/ # Reusable CDK constructs
│ │ └── RestApiGateway/ # API Gateway specific constructs
│ ├── resources/ # AWS resource definitions
│ └── stacks/ # CDK stack definitions
├── sample_docs/ # Sample documents for testing only; not for production use
├── slackBotFunction/ # Lambda function for Slack bot integration
│ ├── app/ # Application code
│ │ ├── config/ # Configuration and environment variables
│ │ ├── services/ # Business logic services
│ │ ├── slack/ # Slack-specific logic
│ │ └── handler.py # Lambda handler
│ └── tests/ # Unit tests
└── syncKnowledgeBaseFunction/ # Lambda function for automatic knowledge base sync
├── app/ # Application code
│ ├── config/ # Configuration and environment variables
│ └── handler.py # Lambda handler
└── tests/ # Unit tests
Contributions to this project are welcome from anyone, providing that they conform to the guidelines for contribution and the community code of conduct.
This code is dual licensed under the MIT license and the OGL (Open Government License). Any new work added to this repository must conform to the conditions of these licenses. In particular this means that this project may not depend on GPL-licensed or AGPL-licensed libraries, as these would violate the terms of those libraries' licenses.
The contents of this repository are protected by Crown Copyright (C).
It is recommended that you use Visual Studio Code and a devcontainer, as this will install all necessary components and the correct versions of tools and languages.
See https://code.visualstudio.com/docs/devcontainers/containers for details on how to set this up on your host machine.
There is also a workspace file in .vscode that should be opened once you have started the devcontainer. The workspace file can also be opened outside of a devcontainer if you wish.
All commits must be signed.
Once the steps at the link above have been completed, add the following to your ~/.gnupg/gpg.conf:

```
use-agent
pinentry-mode loopback
```

and the following to your ~/.gnupg/gpg-agent.conf:

```
allow-loopback-pinentry
```

As described here: https://stackoverflow.com/a/59170001
You will need to create these files if they do not already exist. This ensures that your VS Code bash terminal prompts you for your GPG key passphrase.
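The two files can be created in one go with a snippet like the following (a sketch; it appends each setting only if it is not already present, so it is safe to re-run):

```shell
gnupg_dir="${GNUPGHOME:-$HOME/.gnupg}"
mkdir -p "$gnupg_dir"
conf="$gnupg_dir/gpg.conf"
agent_conf="$gnupg_dir/gpg-agent.conf"

# Append each setting only if the exact line is not already in the file
grep -qx "use-agent" "$conf" 2>/dev/null || echo "use-agent" >> "$conf"
grep -qx "pinentry-mode loopback" "$conf" 2>/dev/null || echo "pinentry-mode loopback" >> "$conf"
grep -qx "allow-loopback-pinentry" "$agent_conf" 2>/dev/null || echo "allow-loopback-pinentry" >> "$agent_conf"
```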
You can cache the gpg key passphrase by following instructions at https://superuser.com/questions/624343/keep-gnupg-credentials-cached-for-entire-user-session
Ensure you have the following line in the file .envrc:

```
export AWS_DEFAULT_PROFILE=prescription-dev
```

Once you have saved .envrc, start a new terminal in VS Code and run this command to authenticate against AWS:

```
make aws-configure
```

Put the following values in:
```
SSO session name (Recommended): sso-session
SSO start URL [None]: <USE VALUE OF SSO START URL FROM AWS LOGIN COMMAND LINE ACCESS INSTRUCTIONS ACCESSED FROM https://myapps.microsoft.com>
SSO region [None]: eu-west-2
SSO registration scopes [sso:account:access]:
```
This will then open a browser window, and you should authenticate with your hscic credentials. You should then select the development account and set the default region to eu-west-2.
You will now be able to use AWS and SAM CLI commands to access the dev account. You can also use the AWS extension to view resources.
When the token expires, you may need to reauthorise using `make aws-login`.
For deployment, the following environment variables are required:
- `ACCOUNT_ID`: AWS Account ID
- `STACK_NAME`: Name of the CloudFormation stack
- `VERSION_NUMBER`: Version number for the deployment
- `COMMIT_ID`: Git commit ID
- `LOG_RETENTION_IN_DAYS`: CloudWatch log retention period
- `SLACK_BOT_TOKEN`: Slack bot OAuth token
- `SLACK_SIGNING_SECRET`: Slack app signing secret
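A minimal local setup might export these variables before running the deploy target. All values below are placeholders, not real account IDs or tokens:

```shell
export ACCOUNT_ID="123456789012"          # placeholder AWS account ID
export STACK_NAME="eps-assist-me-test"    # placeholder stack name
export VERSION_NUMBER="0.0.1"
# Use the current commit if available, otherwise a placeholder
export COMMIT_ID="$(git rev-parse --short HEAD 2>/dev/null || echo local)"
export LOG_RETENTION_IN_DAYS="30"
export SLACK_BOT_TOKEN="xoxb-placeholder"
export SLACK_SIGNING_SECRET="placeholder"
```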
The GitHub Actions require a secret to exist on the repo called "SONAR_TOKEN". This can be obtained from SonarCloud as described here. You will need the "Execute Analysis" permission for the project (NHSDigital_eps-assist-me) in order for the token to work.
Some pre-commit hooks are installed as part of the install above, to run basic lint checks and ensure you can't accidentally commit invalid changes. The pre-commit hook uses the python package pre-commit and is configured in the file .pre-commit-config.yaml. A combination of these checks is also run in CI.
There are make commands that are run as part of the CI pipeline and help alias some functionality during development.
- `install-node`: Installs node dependencies.
- `install-python`: Installs python dependencies.
- `install-hooks`: Installs git pre-commit hooks.
- `install`: Runs all install targets.
These run common CDK-related commands:
- `cdk-deploy`: Builds and deploys the code to AWS. Requires the `STACK_NAME` environment variable.
- `cdk-synth`: Converts the CDK code to CloudFormation templates.
- `cdk-diff`: Runs cdk diff, comparing the deployed stack with the local CDK code to identify differences.
- `cdk-watch`: Syncs the code and CDK templates to AWS. This keeps running and automatically uploads changes to AWS. Requires the `STACK_NAME` environment variable.
- `clean`: Clears up any files that have been generated by building or testing locally.
- `deep-clean`: Runs the clean target and also removes any node_modules and python libraries installed locally.
- `lint`: Runs all linting checks.
- `lint-black`: Runs the black formatter on Python code.
- `lint-flake8`: Runs the flake8 linter on Python code.
- `lint-githubactions`: Lints the repository's GitHub Actions workflows.
- `lint-githubaction-scripts`: Lints all shell scripts in `.github/scripts` using ShellCheck.
- `cfn-guard`: Runs cfn-guard against CDK resources.
- `git-secrets-docker-setup`: Sets up the git-secrets Docker container.
- `pre-commit`: Runs pre-commit hooks on all files.
- `test`: Runs unit tests for Lambda functions.
- `sync-docs`: Runs a script to sync sample docs to the S3 bucket for a pull request. Useful for setting up a stack for testing.
- `compile-node`: Runs the TypeScript compiler (tsc) for the project.
- `check-licenses`: Checks licenses for all packages. This command calls both `check-licenses-node` and `check-licenses-python`.
- `check-licenses-node`: Checks licenses for all node code.
- `check-licenses-python`: Checks licenses for all python code.
- `aws-configure`: Configures a connection to AWS.
- `aws-login`: Reconnects to AWS using a previously configured connection.
The .github folder contains workflows and templates related to GitHub, along with actions and scripts pertaining to Jira.
- `dependabot.yml`: Dependabot definition file.
- `pull_request_template.md`: Template for pull requests.
Actions are in the .github/actions folder:
- `mark_jira_released`: Action to mark Jira issues as released.
- `update_confluence_jira`: Action to update Confluence with Jira issues.
Scripts are in the .github/scripts folder:
- `call_mark_jira_released.sh`: Calls a Lambda function to mark Jira issues as released.
- `check-sbom-issues-against-ignores.sh`: Validates the SBOM scan against an ignore list and reports unignored critical issues.
- `create_env_release_notes.sh`: Generates release notes for a specific environment using a Lambda function.
- `create_int_rc_release_notes.sh`: Creates release candidate notes for the integration environment using a Lambda function.
- `delete_stacks.sh`: Checks and deletes active CloudFormation stacks associated with closed pull requests.
- `fix_cdk_json.sh`: Updates context values in `cdk.json` using environment variables before deployment.
- `get_current_dev_tag.sh`: Retrieves the current development tag and sets it as an environment variable.
- `get_target_deployed_tag.sh`: Retrieves the currently deployed tag and sets it as an environment variable.
Workflows are in the .github/workflows folder:
- `combine-dependabot-prs.yml`: Workflow for combining dependabot pull requests. Runs on demand.
- `create_release_notes.yml`: Generates release notes for deployments and environment updates.
- `delete_old_cloudformation_stacks.yml`: Workflow for deleting old CloudFormation stacks. Runs daily.
- `dependabot_auto_approve_and_merge.yml`: Workflow to auto merge dependabot updates.
- `pr_title_check.yml`: Checks PR titles for a required prefix and a ticket or dependabot reference.
- `pr-link.yml`: Links pull requests to Jira tickets; runs when a pull request is opened.
- `pull_request.yml`: Called when a pull request is opened or updated. Packages and deploys the code to the dev AWS account for testing.
- `release_all_stacks.yml`: Reusable workflow for deploying to any environment with environment-specific approvals and configurations.
- `release.yml`: Runs on demand to create a release and deploy to the INT and PROD environments with manual approval.
- `cdk_package_code.yml`: Packages code into a docker image and uploads it to a GitHub artifact for later deployment.
- `ci.yml`: Merge-to-main workflow that automatically deploys to the DEV and QA environments after quality checks.