New: [AEA-5547] - managing chat history (#21)

## Summary

- ✨ New Feature  
- 🤖 Infra / Ops Update  

### Details

this PR introduces conversation management for the Slack bot and breaks
down the old monolithic setup into cleaner, more modular components

**Conversation Management**
- updates DynamoDB table (`SlackBotStateTable`) to track sessions +
handle event deduping
- conversation memory via Bedrock session management → bot can keep
context across multiple messages
- works in both DMs and threaded channel convos  
- TTL cleanup: 30 days for sessions, 1 hour for dedupe entries (TODO:
discuss what we want to set these values as)

**Refactor**
- split up the single `app.py` into separate modules:  
  - `app/main.py` → Lambda entry + routing  
  - `app/core/config.py` → config + AWS service wiring  
  - `app/util/slack_events.py` → Bedrock query + convo logic  
  - `app/util/slack_handlers.py` → Slack handlers + dedupe  
 - split up the single test_app.py into separate modules: (WIP)
   - unit tests
   - integration test?  

**Infra**
- DynamoDB table with KMS encryption 
- IAM updated for DynamoDB + KMS permissions  
- new env vars for table access

---------

Co-authored-by: Kris Szlapa <[email protected]>

Author: bencegadanyi1-nhs

packages/cdk/constructs/DynamoDbTable.ts

@@ -1,10 +1,10 @@
 import {Construct} from "constructs"
 import {RemovalPolicy} from "aws-cdk-lib"
 import {
-  TableV2,
   AttributeType,
   Billing,
-  TableEncryptionV2
+  TableEncryptionV2,
+  TableV2
 } from "aws-cdk-lib/aws-dynamodb"
 import {Key} from "aws-cdk-lib/aws-kms"
 
@@ -14,6 +14,10 @@ export interface DynamoDbTableProps {
     name: string
     type: AttributeType
   }
+  readonly sortKey?: {
+    name: string
+    type: AttributeType
+  }
   readonly timeToLiveAttribute?: string
 }
 
@@ -29,14 +33,18 @@ export class DynamoDbTable extends Construct {
       description: `KMS key for ${props.tableName} DynamoDB table encryption`,
       removalPolicy: RemovalPolicy.DESTROY
     })
+
     this.kmsKey.addAlias(`alias/${props.tableName}-dynamodb-key`)
 
     this.table = new TableV2(this, props.tableName, {
       tableName: props.tableName,
       partitionKey: props.partitionKey,
+      sortKey: props.sortKey,
       billing: Billing.onDemand(),
       timeToLiveAttribute: props.timeToLiveAttribute,
-      pointInTimeRecovery: true,
+      pointInTimeRecoverySpecification: {
+        pointInTimeRecoveryEnabled: true
+      },
       removalPolicy: RemovalPolicy.DESTROY,
       encryption: TableEncryptionV2.customerManagedKey(this.kmsKey)
     })

packages/cdk/constructs/LambdaFunction.ts

@@ -23,7 +23,7 @@ export interface LambdaFunctionProps {
   readonly stackName: string
   readonly functionName: string
   readonly packageBasePath: string
-  readonly entryPoint: string
+  readonly handler: string
   readonly environmentVariables: {[key: string]: string}
   readonly additionalPolicies?: Array<IManagedPolicy>
   readonly role?: Role
@@ -132,7 +132,7 @@ export class LambdaFunction extends Construct {
       memorySize: 256,
       timeout: Duration.seconds(50),
       architecture: Architecture.X86_64,
-      handler: "app.handler.handler",
+      handler: props.handler,
       code: Code.fromAsset(props.packageBasePath),
       role,
       environment: {

packages/cdk/nagSuppressions.ts

@@ -1,21 +1,17 @@
-/* eslint-disable @typescript-eslint/no-unused-vars */
+
 import {Stack} from "aws-cdk-lib"
 import {NagPackSuppression, NagSuppressions} from "cdk-nag"
 
 export const nagSuppressions = (stack: Stack) => {
   const stackName = stack.node.tryGetContext("stackName") || "epsam"
-  const account = Stack.of(stack).account
   // Suppress granular wildcard on log stream for SlackBot Lambda
   safeAddNagSuppression(
     stack,
     "/EpsAssistMeStack/Functions/SlackBotLambda/LambdaPutLogsManagedPolicy/Resource",
     [
       {
         id: "AwsSolutions-IAM5",
-        reason: "Wildcard permissions for log stream access are required and scoped appropriately.",
-        appliesTo: [
-          "Resource::<FunctionsSlackBotLambdaLambdaLogGroup3597D783.Arn>:log-stream:*"
-        ]
+        reason: "Wildcard permissions for log stream access are required and scoped appropriately."
       }
     ]
   )
@@ -27,10 +23,7 @@ export const nagSuppressions = (stack: Stack) => {
     [
       {
         id: "AwsSolutions-IAM5",
-        reason: "Wildcard permissions are required for log stream access under known paths.",
-        appliesTo: [
-          "Resource::<FunctionsCreateIndexFunctionLambdaLogGroupB45008DF.Arn>:log-stream:*"
-        ]
+        reason: "Wildcard permissions are required for log stream access under known paths."
       }
     ]
   )
@@ -121,11 +114,7 @@ export const nagSuppressions = (stack: Stack) => {
     [
       {
         id: "AwsSolutions-IAM5",
-        reason: "Lambda needs access to all OpenSearch collections and indexes to create and manage indexes.",
-        appliesTo: [
-          `Resource::arn:aws:aoss:eu-west-2:${account}:collection/*`,
-          `Resource::arn:aws:aoss:eu-west-2:${account}:index/*`
-        ]
+        reason: "Lambda needs access to all OpenSearch collections and indexes to create and manage indexes."
       }
     ]
   )
@@ -137,12 +126,7 @@ export const nagSuppressions = (stack: Stack) => {
     [
       {
         id: "AwsSolutions-IAM5",
-        reason: "SlackBot Lambda needs wildcard access for Lambda functions (self-invocation) and KMS operations.",
-        appliesTo: [
-          `Resource::arn:aws:lambda:eu-west-2:${account}:function:*`,
-          "Action::kms:GenerateDataKey*",
-          "Action::kms:ReEncrypt*"
-        ]
+        reason: "SlackBot Lambda needs wildcard permissions for guardrails, knowledge bases, and function invocation."
       }
     ]
   )
@@ -160,13 +144,16 @@ export const nagSuppressions = (stack: Stack) => {
   )
 
   // Suppress secrets without rotation
-  safeAddNagSuppression(
+  safeAddNagSuppressionGroup(
     stack,
-    "/EpsAssistMeStack/Secrets/SlackBotToken/Secret/Resource",
+    [
+      "/EpsAssistMeStack/Secrets/SlackBotToken/Secret/Resource",
+      "/EpsAssistMeStack/Secrets/SlackBotSigning/Secret/Resource"
+    ],
     [
       {
         id: "AwsSolutions-SMG4",
-        reason: "Slack bot token rotation is handled manually as part of the Slack app configuration process."
+        reason: "Slack secrets rotation is handled manually as part of the Slack app configuration process."
       }
     ]
   )

packages/cdk/resources/DatabaseTables.ts

@@ -15,7 +15,11 @@ export class DatabaseTables extends Construct {
     this.slackBotStateTable = new DynamoDbTable(this, "SlackBotStateTable", {
       tableName: `${props.stackName}-SlackBotState`,
       partitionKey: {
-        name: "eventId",
+        name: "pk",
+        type: AttributeType.STRING
+      },
+      sortKey: {
+        name: "sk",
         type: AttributeType.STRING
       },
       timeToLiveAttribute: "ttl"

packages/cdk/resources/Functions.ts

@@ -44,7 +44,7 @@ export class Functions extends Construct {
       stackName: props.stackName,
       functionName: `${props.stackName}-CreateIndexFunction`,
       packageBasePath: "packages/createIndexFunction",
-      entryPoint: "app.handler.py",
+      handler: "app.handler.handler",
       logRetentionInDays: props.logRetentionInDays,
       logLevel: props.logLevel,
       environmentVariables: {"INDEX_NAME": props.collectionId},
@@ -56,7 +56,7 @@ export class Functions extends Construct {
       stackName: props.stackName,
       functionName: `${props.stackName}-SlackBotFunction`,
       packageBasePath: "packages/slackBotFunction",
-      entryPoint: "app.handler.py",
+      handler: "app.handler.handler",
       logRetentionInDays: props.logRetentionInDays,
       logLevel: props.logLevel,
       additionalPolicies: [props.slackBotManagedPolicy],
@@ -82,7 +82,7 @@ export class Functions extends Construct {
       stackName: props.stackName,
       functionName: `${props.stackName}-SyncKnowledgeBaseFunction`,
       packageBasePath: "packages/syncKnowledgeBaseFunction",
-      entryPoint: "app.handler.py",
+      handler: "app.handler.handler",
       logRetentionInDays: props.logRetentionInDays,
       logLevel: props.logLevel,
       environmentVariables: {

packages/slackBotFunction/app/config/config.py

@@ -0,0 +1,67 @@
+"""
+Core configuration for the Slack bot.
+Sets up all the AWS and Slack connections we need.
+"""
+
+import os
+import json
+import boto3
+from slack_bolt import App
+from aws_lambda_powertools import Logger
+from aws_lambda_powertools.utilities.parameters import get_parameter
+
+
+# set up logging
+logger = Logger(service="slackBotFunction")
+
+# DynamoDB table for deduplication and session storage
+dynamodb = boto3.resource("dynamodb")
+table = dynamodb.Table(os.environ["SLACK_BOT_STATE_TABLE"])
+
+# get Slack credentials from Parameter Store
+bot_token_parameter = os.environ["SLACK_BOT_TOKEN_PARAMETER"]
+signing_secret_parameter = os.environ["SLACK_SIGNING_SECRET_PARAMETER"]
+
+try:
+    bot_token_raw = get_parameter(bot_token_parameter, decrypt=True)
+    signing_secret_raw = get_parameter(signing_secret_parameter, decrypt=True)
+
+    if not bot_token_raw or not signing_secret_raw:
+        raise ValueError("Missing required parameters from Parameter Store")
+
+    bot_token_data = json.loads(bot_token_raw)
+    signing_secret_data = json.loads(signing_secret_raw)
+
+    bot_token = bot_token_data.get("token")
+    signing_secret = signing_secret_data.get("secret")
+
+    if not bot_token or not signing_secret:
+        raise ValueError("Missing required parameters: token or secret in Parameter Store values")
+
+except json.JSONDecodeError as e:
+    raise ValueError(f"Invalid JSON in Parameter Store: {e}")
+except Exception as e:
+    logger.error(f"Configuration error: {e}")
+    raise
+
+# initialise the Slack app
+app = App(
+    process_before_response=True,
+    token=bot_token,
+    signing_secret=signing_secret,
+)
+
+# Bedrock configuration from environment
+KNOWLEDGEBASE_ID = os.environ["KNOWLEDGEBASE_ID"]
+RAG_MODEL_ID = os.environ["RAG_MODEL_ID"]
+AWS_REGION = os.environ["AWS_REGION"]
+GUARD_RAIL_ID = os.environ["GUARD_RAIL_ID"]
+GUARD_VERSION = os.environ["GUARD_RAIL_VERSION"]
+
+logger.info(f"Guardrail ID: {GUARD_RAIL_ID}, Version: {GUARD_VERSION}")
+
+# Bot response messages
+BOT_MESSAGES = {
+    "empty_query": "Hi there! Please ask me a question and I'll help you find information from our knowledge base.",
+    "error_response": "Sorry, an error occurred while processing your request. Please try again later.",
+}

…/slackBotFunction/app/config/__init__.py …es/slackBotFunction/app/core/__init__.pypackages/slackBotFunction/app/config/__init__.py renamed to packages/slackBotFunction/app/core/__init__.py packages/slackBotFunction/app/config/__init__.py renamed to packages/slackBotFunction/app/core/__init__.py

@@ -7,19 +7,16 @@
 """
 
 from slack_bolt.adapter.aws_lambda import SlackRequestHandler
-from aws_lambda_powertools import Logger
 from aws_lambda_powertools.utilities.typing import LambdaContext
-from app.config.config import app
+
+from app.core.config import app, logger
 from app.slack.slack_events import process_async_slack_event
 from app.slack.slack_handlers import setup_handlers
 
-# Register Slack event handlers (@mentions, DMs, etc.)
+# register event handlers with the app
 setup_handlers(app)
 
-logger = Logger(service="slackBotFunction")
-
 
-@logger.inject_lambda_context
 def handler(event: dict, context: LambdaContext) -> dict:
     """
     Main Lambda entry point - routes between Slack webhook and async processing
@@ -29,15 +26,18 @@ def handler(event: dict, context: LambdaContext) -> dict:
     2. Lambda acknowledges immediately and triggers async self-invocation
     3. Async invocation processes Bedrock query and responds to Slack
     """
-    logger.info("Lambda invoked for Slack bot", extra={"event": event})
+    logger.info("Lambda invoked", extra={"is_async": event.get("async_processing", False)})
 
-    # Route 2: Async processing path (self-invoked)
+    # handle async processing requests
     if event.get("async_processing"):
-        # Process the actual AI query without time constraints
-        process_async_slack_event(event["slack_event"])
+        slack_event_data = event.get("slack_event")
+        if not slack_event_data:
+            logger.error("Async processing requested but no slack_event provided")
+            return {"statusCode": 400}
+
+        process_async_slack_event(slack_event_data)
         return {"statusCode": 200}
 
-    # Route 1: Slack webhook path (via API Gateway)
-    # Handle initial Slack event, acknowledge quickly, trigger async processing
+    # handle Slack webhook requests
     slack_handler = SlackRequestHandler(app=app)
     return slack_handler.handle(event, context)