Update to version v3.0.1

### Security

- Upgraded urllib3 to `2.5.0`
- Upgraded requests to `2.32.4`
- Upgraded brace-expansion to `2.0.2`

### Added

- Support for Kendra GenAI Index backed Bedrock knowledge bases.

### Changed

- Deployment UI to show an error when a regular user attempts to log in.
- Custom Resource IAM Role to be scoped down to only necessary DynamoDB Tables.

### Fixed

- Bug where CloudFormation deployment would fail using existing Cognito resources due to user/group creation conflict. ([#193](#193)).
- Bug where history in prompt for SageMaker models was being replaced by LangChain BaseMessage objects instead of just the content of the messages.
- Bug where context in prompt was being replaced by LangChain Document objects instead of the content of the documents.
- Bug where Langchain layer poetry lock wasn't being respected.

Author: tabdunabi

CHANGELOG.md

@@ -5,6 +5,30 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [3.0.1] - 2025-06-26
+
+### Security
+
+- Upgraded urllib3 to `2.5.0`
+- Upgraded requests to `2.32.4`
+- Upgraded brace-expansion to `2.0.2`
+
+### Added
+
+- Support for Kendra GenAI Index backed Bedrock knowledge bases.
+
+### Changed
+
+- Deployment UI to show an error when a regular user attempts to log in.
+- Custom Resource IAM Role to be scoped down to only necessary DynamoDB Tables.
+
+### Fixed
+
+- Bug where CloudFormation deployment would fail using existing Cognito resources due to user/group creation conflict. ([#193](https://github.com/aws-solutions/generative-ai-application-builder-on-aws/issues/193)).
+- Bug where history in prompt for SageMaker models was being replaced by LangChain BaseMessage objects instead of just the content of the messages.
+- Bug where context in prompt was being replaced by LangChain Document objects instead of the content of the documents.
+- Bug where Langchain layer poetry lock wasn't being respected.
+
 ## [3.0.0] - 2025-05-29
 
 ### Added

README.md

@@ -9,7 +9,7 @@ The [Generative AI Application Builder on AWS](https://aws.amazon.com/solutions/
 
 The Generative AI Application Builder is published under an Apache 2.0 license and is targeted for novice to experienced users who want to experiment and productionize different Gen AI use cases. The solution uses [LangChain](https://www.langchain.com/) open-source software (OSS) to configure connections to your choice of Large Language Models (LLMs) for different use cases. The first release of GAAB allows users to deploy chat use cases which allow the ability to query over users' enterprise data in a chatbot-style User Interface (UI), along with an API to support custom end-user implementations.
 
-Some of the features of GAAB are:
+Some of the features of GAAB are: 
 
 -   Rapid experimentation with ability to productionize at scale
 -   Extendable and modularized architecture using nested [Amazon CloudFormation](https://aws.amazon.com/cloudformation/) stacks

deployment/build-s3-dist.sh

@@ -30,7 +30,7 @@ set -e
 # Check to see if input has been provided:
 if [ -z "$1" ] || [ -z "$2" ] || [ -z "$3" ] || [ -z "$4" ]; then
     echo "Please provide all required parameters for the build script"
-    echo "For example: ./build-s3-dist.sh solutions trademarked-solution-name v3.0.0 template-bucket-name"
+    echo "For example: ./build-s3-dist.sh solutions trademarked-solution-name v3.0.1 template-bucket-name"
     exit 1
 fi
 

source/infrastructure/cdk.json

@@ -64,7 +64,7 @@
     "@custom-bundler/unit-test": false,
     "solution_id": "SO0276",
     "solution_name": "generative-ai-application-builder-on-aws",
-    "solution_version": "v3.0.0",
+    "solution_version": "v3.0.1",
     "app_registry_name": "GAAB",
     "application_type": "AWS-Solutions",
     "application_trademark_name": "Generative AI Application Builder on AWS",

source/infrastructure/lib/auth/cognito-setup.ts

@@ -411,15 +411,24 @@ export class CognitoSetup extends Construct {
     }
 
     protected createUserAndUserGroup(props: UserPoolProps) {
-        // cognito user is created only if user provides their own email address for notifications
-        const cognitoUserCondition = new cdk.CfnCondition(this, 'CognitoUserCondition', {
+
+        const cognitoGroupCondition = new cdk.CfnCondition(this, 'CognitoGroupCondition', {
             expression: cdk.Fn.conditionNot(
-                cdk.Fn.conditionOr(
-                    cdk.Fn.conditionEquals(props.defaultUserEmail, PLACEHOLDER_EMAIL),
-                    cdk.Fn.conditionEquals(props.defaultUserEmail, '')
-                )
+                cdk.Fn.conditionEquals(props.defaultUserEmail, '')
             )
         });
+
+        const cognitoUserCondition = new cdk.CfnCondition(this, 'CognitoUserCondition', {
+            expression: 
+                cdk.Fn.conditionAnd(
+                    cdk.Fn.conditionNot(
+                        cdk.Fn.conditionEquals(props.defaultUserEmail, PLACEHOLDER_EMAIL)
+                    ),
+                    cognitoGroupCondition
+                )
+
+        });
+
         const cognitoUser = new CfnUserPoolUser(this, 'DefaultUser', {
             desiredDeliveryMediums: ['EMAIL'],
             forceAliasCreation: false,
@@ -440,6 +449,7 @@ export class CognitoSetup extends Construct {
             groupName: props.userGroupName,
             precedence: 1
         });
+        this.userPoolGroup.cfnOptions.condition = cognitoGroupCondition;
 
         const userPoolUserToGroupAttachment = new cognito.CfnUserPoolUserToGroupAttachment(
             this,

source/infrastructure/lib/bedrock-agent-stack.ts

@@ -126,6 +126,18 @@ export class BedrockAgent extends UseCaseStack {
                 CONVERSATION_TABLE_NAME: this.chatStorageSetup.chatStorage.conversationTable.tableName
             }
         });
+        const updateLLMConfigTablePolicy = new iam.Policy(this, 'UpdateLLMConfigTablePolicy', {
+            statements: [
+                new iam.PolicyStatement({
+                    effect: iam.Effect.ALLOW,
+                    actions: ['dynamodb:UpdateItem'],
+                    resources: [
+                        `arn:${cdk.Aws.PARTITION}:dynamodb:${cdk.Aws.REGION}:${cdk.Aws.ACCOUNT_ID}:table/${this.stackParameters.useCaseConfigTableName.valueAsString}`
+                    ]
+                })
+            ]
+        });
+        updateLLMConfigTablePolicy.attachToRole(this.applicationSetup.customResourceRole);
 
         const feedbackEnabledCondition = new cdk.CfnCondition(this, 'FeedbackEnabledCondition', {
             expression: cdk.Fn.conditionEquals(this.stackParameters.feedbackEnabled, 'Yes')

source/infrastructure/lib/deployment-platform-stack.ts

@@ -16,7 +16,7 @@ import { UseCaseManagementSetup } from './use-case-management/setup';
 import { generateSourceCodeMapping } from './utils/common-utils';
 import {
     INTERNAL_EMAIL_DOMAIN,
-    MANDATORY_EMAIL_REGEX_PATTERN,
+    OPTIONAL_EMAIL_REGEX_PATTERN,
     REST_API_NAME_ENV_VAR,
     UIAssetFolders,
     USE_CASE_UUID_ENV_VAR,
@@ -73,8 +73,8 @@ export class DeploymentPlatformStack extends BaseStack {
 
         const adminUserEmail = new cdk.CfnParameter(this, 'AdminUserEmail', {
             type: 'String',
-            description: 'Email required to create the default user for the admin platform',
-            allowedPattern: MANDATORY_EMAIL_REGEX_PATTERN,
+            description: 'Optional - Email used to create the default cognito user for the admin platform. If empty, the Cognito User, Group and Attachment will not be created.',
+            allowedPattern: OPTIONAL_EMAIL_REGEX_PATTERN,
             constraintDescription: 'Please provide a valid email'
         });
 
@@ -148,15 +148,15 @@ export class DeploymentPlatformStack extends BaseStack {
         existingParameterGroups.push({
             Label: {
                 default:
-                    'Optional: If you would like to provide a Cognito UserPool and UserPoolClient, you can pass their IDs here. Otherwise, a new pool and client will be created for you'
+                    'Optional: Provide existing Cognito UserPool and UserPoolClient IDs if you want to use your own managed resources. If left empty, the solution will manage these resources for you. Note: To prevent the creation of Cognito resources within the user pool (Users/Groups), simply leave the AdminUserEmail parameter empty.'
             },
             Parameters: [existingCognitoUserPoolId.logicalId, existingUserPoolClientId.logicalId]
         });
 
         // internal users are identified by being of the form "[email protected]"
         const isInternalUserCondition: cdk.CfnCondition = new cdk.CfnCondition(this, 'IsInternalUserCondition', {
             expression: cdk.Fn.conditionEquals(
-                cdk.Fn.select(0, cdk.Fn.split('.', cdk.Fn.select(1, cdk.Fn.split('@', adminUserEmail.valueAsString)))),
+                cdk.Fn.select(0, cdk.Fn.split('.', cdk.Fn.select(1, cdk.Fn.split('@', cdk.Fn.join("", [adminUserEmail.valueAsString, "@example.com"]))))),
                 INTERNAL_EMAIL_DOMAIN
             )
         });

source/infrastructure/lib/framework/bundler/runtime/langchain-layer.ts

@@ -73,8 +73,13 @@ export class LangChainLayerDockerBuild extends PythonLayerDockerBuild {
         if (process.env.SKIP_PRE_BUILD?.toLowerCase() === 'true') {
             commandList.push('python3 -m pip install poetry --upgrade');
         }
+        commandList.push('python3 -m pip install poetry-plugin-export --upgrade');
+        commandList.push(`poetry export -f requirements.txt --output ${outputDir}/requirements.txt --without-hashes`);
         commandList.push(
-            `poetry run pip install --python-version ${this.evaluatedPipOptions.pythonVersion} --platform ${this.evaluatedPipOptions.platform} --implementation ${this.evaluatedPipOptions.implementation} --only-binary=${this.evaluatedPipOptions.onlyBinary} -t ${outputDir}/python/ dist/*.whl`
+           `poetry run pip install -r ${outputDir}/requirements.txt --python-version ${this.evaluatedPipOptions.pythonVersion} --platform ${this.evaluatedPipOptions.platform} --implementation ${this.evaluatedPipOptions.implementation} --only-binary=${this.evaluatedPipOptions.onlyBinary} -t ${outputDir}/python/`
+        );
+        commandList.push(
+            `poetry run pip install --no-deps -t ${outputDir}/python/ dist/*.whl`
         );
         return commandList;
     }
@@ -94,8 +99,10 @@ export class LangChainLayerLocalBuild extends PythonLayerLocalBuild {
     protected postBuild(moduleName: string, outputDir: string): string[] {
         return [
             `cd ${moduleName}`,
-            `python3 -m pip install poetry --upgrade`,
-            `poetry run pip install --python-version ${this.evaluatedPipOptions.pythonVersion} --platform ${this.evaluatedPipOptions.platform} --implementation ${this.evaluatedPipOptions.implementation} --only-binary=${this.evaluatedPipOptions.onlyBinary} -t ${outputDir}/python/ dist/*.whl`
+            `python3 -m pip install poetry poetry-plugin-export --upgrade`,
+            `poetry export -f requirements.txt --output ${outputDir}/requirements.txt --without-hashes`,
+            `poetry run pip install -r ${outputDir}/requirements.txt --python-version ${this.evaluatedPipOptions.pythonVersion} --platform ${this.evaluatedPipOptions.platform} --implementation ${this.evaluatedPipOptions.implementation} --only-binary=${this.evaluatedPipOptions.onlyBinary} -t ${outputDir}/python/`,
+            `poetry run pip install --no-deps -t ${outputDir}/python/ dist/*.whl`
         ];
     }
 }

source/infrastructure/lib/framework/bundler/runtime/langchain-py-version.ts

@@ -33,6 +33,7 @@ export class LangchainPythonVersionAssetOptions extends PythonAssetOptions {
         entry = path.resolve(entry);
         const pipOptions = packagingOptions as PipInstallArguments;
         this.dockerBuild = new LangChainPythonVersionDockerBuild(pipOptions);
+        this.localBuild = new LangChainPythonVersionLocalBuild(pipOptions);
 
         return {
             ...(assetHash && { assetHash: assetHash, assetHashType: cdk.AssetHashType.CUSTOM }),
@@ -63,9 +64,10 @@ export class LangChainPythonVersionDockerBuild extends PythonDockerBuild {
         if (process.env.SKIP_PRE_BUILD?.toLowerCase() === 'true') {
             commandList.push('python3 -m pip install poetry --upgrade');
         }
-        commandList.push(
-            `poetry run pip install --python-version ${this.evaluatedPipOptions.pythonVersion} --platform ${this.evaluatedPipOptions.platform} --implementation ${this.evaluatedPipOptions.implementation} --only-binary=${this.evaluatedPipOptions.onlyBinary} -t ${outputDir}/ dist/*.whl`
-        );
+        commandList.push('python3 -m pip install poetry-plugin-export --upgrade');
+        commandList.push(`poetry export -f requirements.txt --output ${outputDir}/requirements.txt --without-hashes`);
+        commandList.push(`poetry run pip install -r ${outputDir}/requirements.txt --python-version ${this.evaluatedPipOptions.pythonVersion} --platform ${this.evaluatedPipOptions.platform} --implementation ${this.evaluatedPipOptions.implementation} --only-binary=${this.evaluatedPipOptions.onlyBinary} -t ${outputDir}/`);
+        commandList.push(`poetry run pip install --no-deps -t ${outputDir}/ dist/*.whl`);
         return commandList;
     }
 }
@@ -81,8 +83,10 @@ export class LangChainPythonVersionLocalBuild extends PythonLocalBuild {
     protected postBuild(moduleName: string, outputDir: string): string[] {
         return [
             `cd ${moduleName}`,
-            'python3 -m pip install poetry --upgrade',
-            `poetry run pip install --python-version ${this.evaluatedPipOptions.pythonVersion} --platform ${this.evaluatedPipOptions.platform} --implementation ${this.evaluatedPipOptions.implementation} --only-binary=${this.evaluatedPipOptions.onlyBinary} -t ${outputDir}/ dist/*.whl`
+            'python3 -m pip install poetry poetry-plugin-export --upgrade',
+            `poetry export -f requirements.txt --output ${outputDir}/requirements.txt --without-hashes`,
+            `poetry run pip install -r ${outputDir}/requirements.txt --python-version ${this.evaluatedPipOptions.pythonVersion} --platform ${this.evaluatedPipOptions.platform} --implementation ${this.evaluatedPipOptions.implementation} --only-binary=${this.evaluatedPipOptions.onlyBinary} -t ${outputDir}/`,
+            `poetry run pip install --no-deps -t ${outputDir}/ dist/*.whl`
         ];
     }
 }

source/infrastructure/lib/framework/bundler/runtime/python-layer.ts

@@ -45,7 +45,10 @@ export class PythonLayerDockerBuild extends PythonDockerBuild {
             commandList.push('python3 -m pip install poetry --upgrade');
         }
 
-        commandList.push(`poetry run pip install -t ${outputDir}/python/ dist/*.whl`);
+        commandList.push('python3 -m pip install poetry-plugin-export --upgrade')
+        commandList.push(`poetry export -f requirements.txt --output ${outputDir}/requirements.txt --without-hashes`);
+        commandList.push(`poetry run pip install -r ${outputDir}/requirements.txt -t ${outputDir}/python/`);
+        commandList.push(`poetry run pip install --no-deps -t ${outputDir}/python/ dist/*.whl`)
         return commandList;
     }
 }
@@ -61,6 +64,12 @@ export class PythonLayerLocalBuild extends PythonLocalBuild {
     }
 
     protected postBuild(moduleName: string, outputDir: string): string[] {
-        return [`cd ${moduleName}`, `poetry run pip install -t ${outputDir}/python/ dist/*.whl`];
+        return [
+            `cd ${moduleName}`,
+            `python3 -m pip install poetry poetry-plugin-export --upgrade`,
+            `poetry export -f requirements.txt --output ${outputDir}/requirements.txt --without-hashes`,
+            `poetry run pip install -r ${outputDir}/requirements.txt -t ${outputDir}/python/`,
+            `poetry run pip install --no-deps -t ${outputDir}/python/ dist/*.whl`
+        ];
     }
 }