template.yaml

# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
# SPDX-License-Identifier: MIT-0

AWSTemplateFormatVersion: "2010-09-09"
Transform: AWS::Serverless-2016-10-31
Description: AWS GenAI IDP Accelerator (uksb-r8evguc4p9) (SO9027) (v<VERSION>)

Mappings:
  AppSyncLogLevelMap:
    DEBUG:
      FieldLogLevel: ALL
    INFO:
      FieldLogLevel: ALL
    WARN:
      FieldLogLevel: ERROR
    ERROR:
      FieldLogLevel: ERROR
    CRITICAL:
      FieldLogLevel: ERROR

  CrawlerScheduleMap:
    Manual:
      ScheduleExpression: ""
    Every15m:
      ScheduleExpression: "cron(0/15 * * * ? *)"
    EveryHour:
      ScheduleExpression: "cron(0 * * * ? *)"
    EveryDay:
      ScheduleExpression: "cron(0 0 * * ? *)"

  ConfigurationMap:
    lending-package-sample:
      ConfigPath: "lending-package-sample"
    rvl-cdip:
      ConfigPath: "rvl-cdip"
    rvl-cdip-with-few-shot-examples:
      ConfigPath: "rvl-cdip-with-few-shot-examples"
    bank-statement-sample:
      ConfigPath: "bank-statement-sample"
    docsplit:
      ConfigPath: "docsplit"
    realkie-fcc-verified:
      ConfigPath: "realkie-fcc-verified"
    ocr-benchmark:
      ConfigPath: "ocr-benchmark"
    rule-validation:
      ConfigPath: "rule-validation"
    lending-package-sample-govcloud:
      ConfigPath: "lending-package-sample-govcloud"

Parameters:
  # Authorization params
  AdminEmail:
    Type: String
    Description: >-
      Email address of the admin user (e.g. jdoe+admin@example.com). 
      An initial temporary password is automatically sent to this user via email.
    AllowedPattern: '^[\w.+-]+@([\w-]+\.)+[\w-]{2,6}$'

  AllowedSignUpEmailDomain:
    Type: String
    Default: ""
    Description: >-
      Email address domain (example.com) or comma separated list of email domains (example1.com,
      example2.com) allowed to signup using the web UI.
      If left empty, signup via the web UI is disabled and users will have to be created
      using Cognito.
    AllowedPattern: '^(|([\w-]+\.)+[\w-]{2,6}(, *([\w-]+\.)+[\w-]{2,6})*)$'
    ConstraintDescription: >-
      Must be empty or a list of comma separated email domains (example1.com, example2.com)

  # External Identity Provider (Federation)

  ExternalIdPType:
    Type: String
    Default: ""
    AllowedValues:
      - ""
      - "SAML"
      - "OIDC"
    Description: >-
      (Optional) Type of external identity provider to federate with Cognito.
      Choose SAML for providers like PingOne, Okta SAML, or ADFS.
      Choose OIDC for providers like Okta OIDC, Auth0, or Azure AD.
      Leave empty to use Cognito-native authentication only.

  ExternalIdPName:
    Type: String
    Default: ""
    Description: >-
      (Required when ExternalIdPType is set) Display name for the external identity provider (e.g. PingOne, Okta, AzureAD).
      Must be alphanumeric with hyphens only. This name is used in the Cognito hosted UI sign-in button.
    AllowedPattern: '^(|[a-zA-Z][a-zA-Z0-9-]{0,31})$'
    ConstraintDescription: >-
      Must be empty or start with a letter, contain only alphanumeric characters and hyphens, max 32 characters

  ExternalIdPMetadataURL:
    Type: String
    Default: ""
    Description: >-
      (Required for SAML) The SAML metadata document URL from your identity provider.
      For example: https://idp.example.com/saml/metadata
    AllowedPattern: '^(|https://.+)$'
    ConstraintDescription: Must be empty or a valid HTTPS URL

  ExternalIdPOIDCIssuer:
    Type: String
    Default: ""
    Description: >-
      (Required for OIDC) The issuer URL from your OIDC identity provider.
      For example: https://login.example.com or https://example.okta.com/oauth2/default
    AllowedPattern: '^(|https://.+)$'
    ConstraintDescription: Must be empty or a valid HTTPS URL

  ExternalIdPOIDCClientId:
    Type: String
    Default: ""
    Description: >-
      (Required for OIDC) The client ID registered with your OIDC identity provider.

  ExternalIdPOIDCClientSecretArn:
    Type: String
    Default: ""
    Description: >-
      (Required for OIDC) The ARN of an AWS Secrets Manager secret containing the OIDC client secret.
      Create the secret before deploying: aws secretsmanager create-secret --name my-idp-oidc-secret --secret-string "YOUR_CLIENT_SECRET"

  ExternalIdPGroupAttributeName:
    Type: String
    Default: ""
    Description: >-
      (Optional) The SAML attribute or OIDC claim name that carries group membership from the external IdP.
      For SAML, this is typically http://schemas.xmlsoap.org/claims/Group or memberOf.
      For OIDC, this is typically groups. Leave empty to skip automatic group mapping.

  ExternalIdPAdminGroupName:
    Type: String
    Default: ""
    Description: >-
      (Optional) The group name in your external IdP that should map to the Cognito Admin role.
      For example: IDP-Admins or cn=Admins,ou=Groups,dc=example,dc=com

  ExternalIdPAuthorGroupName:
    Type: String
    Default: ""
    Description: >-
      (Optional) The group name in your external IdP that should map to the Cognito Author role.
      For example: IDP-Authors

  ExternalIdPReviewerGroupName:
    Type: String
    Default: ""
    Description: >-
      (Optional) The group name in your external IdP that should map to the Cognito Reviewer role.
      For example: IDP-Reviewers

  ExternalIdPViewerGroupName:
    Type: String
    Default: ""
    Description: >-
      (Optional) The group name in your external IdP that should map to the Cognito Viewer role.
      For example: IDP-Viewers

  ExternalIdPAutoLogin:
    Type: String
    Default: "false"
    AllowedValues:
      - "true"
      - "false"
    Description: >-
      (Optional) When enabled and an external IdP is configured, users are automatically redirected
      to the external IdP for authentication instead of seeing the Cognito login page first.
      Native Cognito username/password login is still available by navigating directly to the Cognito hosted UI.

  # Custom Configuration Path

  CustomConfigPath:
    Type: String
    Default: ""
    Description: >-
      S3 URI pointing to your custom configuration YAML file. When provided, this configuration overrides the selected pattern preset and applies to all processing patterns. 
      Leave blank to use the selected pattern configuration preset. For example s3://my-bucket/custom-config/config.yaml
    AllowedPattern: '^(|s3://.*)$'
    ConstraintDescription: Must be empty or a valid S3 URI (e.g., s3://my-bucket/custom-config/config.yaml)

  ConfigurationPreset:
    Type: String
    Default: "lending-package-sample"
    AllowedValues:
      - "lending-package-sample"
      - "lending-package-sample-govcloud"
      - "rvl-cdip"
      - "rvl-cdip-with-few-shot-examples"
      - "bank-statement-sample"
      - "docsplit"
      - "realkie-fcc-verified"
      - "ocr-benchmark"
      - "rule-validation"
    Description: >-
      Select the configuration preset. Each configuration contains pre-tuned settings for specific document processing scenarios - see https://github.com/aws-samples/sample-genai-idp/blob/main/config_library/README.md. Note: Custom Configuration Path overrides this when provided.

  Pattern2CustomClassificationModelARN:
    Type: String
    Default: ""
    Description: Specify Custom Fine Tuned Classification Model ARN. Leave blank to use pretrained model specified in the selected configuration.

  Pattern2CustomExtractionModelARN:
    Type: String
    Default: ""
    Description: Specify Custom Fine Tuned Extraction Model ARN. Leave blank to use pretrained model specified in the selected configuration.

  # Evaluation
  EvaluationBaselineBucketName:
    Type: String
    Default: ""
    Description: >-
      (Optional) Existing bucket used for baseline (ground truth) data for processed documents. Baseline data is used to asess the accuracy 
      of the processing pattern outputs. 
      Provide the name of an existing bucket here. Hint: you can use the Output bucket of another GenAIIDP stack to compare the outputs from 
      different patterns and prompts. 
      Leave blank to automatically create an empty bucket where you can (optionally) place your validated baseline data later.

  ReportingBucketName:
    Type: String
    Default: ""
    Description: >-
      (Optional) Existing bucket used for analytics. (Currently used for evaluation analytics)
      Provide the name of an existing bucket here or leave blank to automatically create a new bucket.

  DocumentSectionsCrawlerFrequency:
    Type: String
    Default: "EveryDay"
    AllowedValues:
      - "Manual"
      - "Every15m"
      - "EveryHour"
      - "EveryDay"
    Description: >-
      Frequency for the Glue Crawler to run and discover new document section tables and partitions.
      Manual requires manual execution, other options run automatically at the specified interval.


  # X-Ray Tracing
  EnableXRayTracing:
    Type: String
    Default: 'true'
    AllowedValues: [ 'true', 'false' ]
    Description: Enable X-Ray tracing

  # MCP Integration
  EnableMCP:
    Type: String
    Default: 'true'
    AllowedValues: [ 'true', 'false' ]
    Description: Enable Model Context Protocol (MCP) integration for external application access via AWS Bedrock AgentCore Gateway

  # Optional Knowledge Base Configuration
  DocumentKnowledgeBase:
    Default: "BEDROCK_KNOWLEDGE_BASE (Create)"
    Type: String
    AllowedValues:
      - "DISABLED"
      - "BEDROCK_KNOWLEDGE_BASE (Create)"
    Description: Use document processing results as knowledge base content. Model access for amazon.titan-embed-text-v2:0 MUST be enabled in Amazon Bedrock.

  KnowledgeBaseVectorStore:
    Type: String
    Default: "S3_VECTORS"
    AllowedValues:
      - "OPENSEARCH_SERVERLESS"
      - "S3_VECTORS"
    Description: Choose vector store type for Bedrock Knowledge Base. S3 Vectors (default) for cost-effective storage with sub-second latency, OpenSearch Serverless for sub-millisecond queries.

  KnowledgeBaseModelId:
    Type: String
    Default: "us.amazon.nova-pro-v1:0"
    AllowedValues:
      - "us.amazon.nova-lite-v1:0"
      - "us.amazon.nova-pro-v1:0"
      - "us.amazon.nova-premier-v1:0"
      - "us.amazon.nova-2-lite-v1:0"
      - "us.amazon.nova-2-lite-v1:0:priority"
      - "us.amazon.nova-2-lite-v1:0:flex"
      - "global.amazon.nova-2-lite-v1:0"
      - "global.amazon.nova-2-lite-v1:0:priority"
      - "global.amazon.nova-2-lite-v1:0:flex"
      - "us.anthropic.claude-3-haiku-20240307-v1:0"
      - "us.anthropic.claude-3-5-haiku-20241022-v1:0"
      - "us.anthropic.claude-3-5-sonnet-20241022-v2:0"
      - "us.anthropic.claude-3-7-sonnet-20250219-v1:0"
      - "us.anthropic.claude-sonnet-4-20250514-v1:0"
      - "us.anthropic.claude-sonnet-4-5-20250929-v1:0"
      - "eu.amazon.nova-lite-v1:0"
      - "eu.amazon.nova-pro-v1:0"
      - "eu.amazon.nova-2-lite-v1:0"
      - "eu.amazon.nova-2-lite-v1:0:priority"
      - "eu.amazon.nova-2-lite-v1:0:flex"
      - "eu.anthropic.claude-3-haiku-20240307-v1:0"
      - "eu.anthropic.claude-3-5-sonnet-20241022-v2:0"
      - "eu.anthropic.claude-3-7-sonnet-20250219-v1:0"
      - "eu.anthropic.claude-sonnet-4-20250514-v1:0"
      - "eu.anthropic.claude-sonnet-4-5-20250929-v1:0"
      - "qwen.qwen3-vl-235b-a22b"
      - "global.amazon.nova-2-lite-v1:0"
      - "global.anthropic.claude-haiku-4-5-20251001-v1:0"
      - "global.anthropic.claude-sonnet-4-5-20250929-v1:0"

    Description: Model to use for optional Document Knowledge Base. Model access MUST be enabled in Amazon Bedrock. Note - Nova Premier may not be available in all EU regions.

  # Optional - Post processing Lambda hook
  PostProcessingLambdaHookFunctionArn:
    Default: ""
    Type: String
    AllowedPattern: "^(|arn:aws[a-z-]*:lambda:.*)$"
    Description: >
      (Optional) The specified Lambda function is invoked by EventBridge after the document processing workflow is processed.
      This function can implement custom logic to initiate downstream processing on the output of the processing pattern.

  # Optional Bedrock Guardrail Configuration
  BedrockGuardrailId:
    Type: String
    Default: ""
    AllowedPattern: "^(|[a-z0-9]+)$"
    Description: >
      Optionally provide the *Id* (not name) of an *existing* Bedrock Guardrail (looks like: wxyz3ab12x34) to be used for all Bedrock and Bedrock Knowledge Base interactions.

  BedrockGuardrailVersion:
    Type: String
    Default: "DRAFT"
    AllowedPattern: "^(|(([1-9][0-9]{0,7})|(DRAFT)))$"
    Description: >
      If you provided a Bedrock Guardrail Id above, provide the corresponding Guardrail version here (e.g. DRAFT|1|2|...).

  # General Configuration
  MaxConcurrentWorkflows:
    Type: Number
    Default: 100
    Description: Maximum number of concurrent workflow executions allowed
    MinValue: 1

  DataRetentionInDays:
    Type: Number
    Default: 365
    Description: Number of days to retain documents (S3) and tracking records (DynamoDB)
    MinValue: 1

  ErrorThreshold:
    Type: Number
    Default: 1
    Description: Number of workflow errors that triggers an alert (per 5 minutes)
    MinValue: 1

  ExecutionTimeThresholdMs:
    Type: Number
    Default: 300000
    Description: Maximum acceptable execution time in milliseconds before alerting (default 300000 = 300 seconds)
    MinValue: 1000

  # Security Configuration
  PermissionsBoundaryArn:
    Type: String
    Default: ""
    Description: >-
      (Optional) ARN of an existing IAM Permissions Boundary policy to attach to all IAM roles.
      Required by some organizations with Service Control Policies (SCPs).
      Format: arn:partition:iam::account-id:policy/policy-name
      Leave blank if no Permissions Boundary is required.
    AllowedPattern: "^(|arn:aws[a-z-]*:iam::[0-9]{12}:policy/.+)$"
    ConstraintDescription: Must be empty or a valid IAM policy ARN

  EnableECRImageScanning:
    Type: String
    Default: "false"
    AllowedValues:
      - "true"
      - "false"
    Description: >-
      Enable automatic vulnerability scanning for Lambda container images in ECR (applies to Pattern-1 and Pattern-2). 
      Disabling may improve deployment reliability but reduces security posture. 
      Recommended: true for production, false only if experiencing deployment issues.

  # Logging configuration
  LogLevel:
    Type: String
    Default: INFO
    AllowedValues:
      - DEBUG
      - INFO
      - WARN
      - ERROR
    Description: Default logging level for all logs

  LogRetentionDays:
    Type: Number
    Default: 30
    Description: Number of days to retain CloudWatch logs
    AllowedValues:
      [
        1,
        3,
        5,
        7,
        14,
        30,
        60,
        90,
        120,
        150,
        180,
        365,
        400,
        545,
        731,
        1827,
        3653,
      ]

  WebUIHosting:
    Type: String
    Default: CloudFront
    AllowedValues:
      - CloudFront
      - ALB
    Description: >-
      Frontend hosting method. Use CloudFront for public/standard deployments.
      Use ALB for GovCloud or private network deployments that require
      VPC-based hosting.

  ALBVpcId:
    Type: String
    Default: ""
    Description: >-
      (Required when WebUIHosting=ALB or AppSyncVisibility=PRIVATE) VPC ID.
      When using ALB hosting, this is the VPC for the ALB and S3 VPC endpoint.
      When using private AppSync (AppSyncVisibility=PRIVATE), this VPC ID is
      also used for the Lambda security group - private AppSync requires all
      Lambda functions to be in the same VPC as the AppSync VPC endpoint, so
      ALB hosting and private AppSync always use the same VPC.

  ALBSubnetIds:
    Type: CommaDelimitedList
    Default: ""
    Description: >-
      (Required when WebUIHosting=ALB) Comma-separated subnet IDs for the ALB
      (minimum 2 subnets in different AZs).

  ALBCertificateArn:
    Type: String
    Default: ""
    Description: >-
      (Required when WebUIHosting=ALB) ACM certificate ARN for the ALB HTTPS
      listener. Can be ACM-issued or imported (including self-signed). Use
      scripts/generate_self_signed_cert.sh for demo/testing.

  ALBScheme:
    Type: String
    Default: internal
    AllowedValues:
      - internal
      - internet-facing
    Description: >-
      (ALB hosting only) ALB scheme. Use 'internal' for private network access,
      'internet-facing' for public access.

  ALBAllowedCIDRs:
    Type: String
    Default: ""
    Description: >-
      (ALB hosting only) Comma-separated CIDR ranges allowed to access the ALB.
      Leave empty to automatically use the VPC CIDR range (recommended for
      internal ALBs). Specify explicit CIDRs to override.

  AppSyncVisibility:
    Type: String
    Default: GLOBAL
    AllowedValues:
      - GLOBAL
      - PRIVATE
    Description: >-
      Controls AppSync API accessibility. GLOBAL (default) is the standard
      internet-facing mode. Set to PRIVATE for private network deployments
      where the API must only be accessible from within the VPC via VPC
      endpoints. Requires WebUIHosting=ALB and LambdaSubnetIds to be set.
      All Lambda functions will be deployed in VPC when PRIVATE.

  LambdaSubnetIds:
    Type: CommaDelimitedList
    Default: ""
    Description: >-
      (Required when AppSyncVisibility=PRIVATE) Comma-separated private subnet
      IDs for Lambda functions. Should be private subnets with no direct
      internet route - Lambda traffic reaches AWS services via VPC endpoints.
      Can be the same as ALBSubnetIds for simpler deployments, or different
      private subnets for stricter network isolation. Minimum 2 subnets in
      different Availability Zones recommended.

  CloudFrontPriceClass:
    Type: String
    Default: PriceClass_100
    Description: >-
      (CloudFront hosting only) Specify the CloudFront price class. See
      https://aws.amazon.com/cloudfront/pricing/ for a description of each
      price class.
    AllowedValues:
      - PriceClass_100
      - PriceClass_200
      - PriceClass_All
    ConstraintDescription: >-
      Allowed Price Classes PriceClass_100 PriceClass_200 and PriceClass_All

  CloudFrontAllowedGeos:
    Type: String
    Default: ""
    Description: >-
      Specify a comma separated list of two letter country codes (uppercase ISO 3166-1)
      that are
      allowed to access the web user interface via CloudFront. For example: US,CA.
      Leave empty if
      you do not want geo restrictions to be applied.
    AllowedPattern: "^(|[A-Z]{2}(,[A-Z]{2})*)$"
    ConstraintDescription: >-
      Comma separated list of uppercase two letter country codes or empty

  WAFAllowedIPv4Ranges:
    Type: String
    Default: "0.0.0.0/0"
    Description: >-
      Comma-separated list of IPv4 CIDR ranges to allow. Default (0.0.0.0/0) disables WAF and allows all IPs.
      Example to restrict: "192.168.1.0/24, 10.0.0.0/16"
    AllowedPattern: '^([0-9]{1,3}\.){3}[0-9]{1,3}\/[0-9]{1,2}(,\s*([0-9]{1,3}\.){3}[0-9]{1,3}\/[0-9]{1,2})*$'
    ConstraintDescription: Must be valid comma-separated list of IPv4 CIDR ranges

  ArtifactsBucketKmsKeyArn:
    Type: String
    Default: ""
    Description: >-
      (Optional) ARN of a KMS CMK used to encrypt the artifacts S3 bucket.
      When the artifacts bucket was pre-created with KMS encryption, provide
      the key ARN here so that CodeBuild (Docker image builds) and Lambda
      (configuration copy) can perform kms:Decrypt to read source artifacts.
      Leave empty if the artifacts bucket uses SSE-S3 (default AES256) encryption.
    AllowedPattern: "^(|arn:aws[a-z-]*:kms:[a-z0-9-]+:[0-9]{12}:key/.+)$"
    ConstraintDescription: Must be empty or a valid KMS key ARN

  # MLflow Integration
  EnableMLflow:
    Type: String
    Default: 'false'
    AllowedValues: ['true', 'false']
    Description: Enable MLflow experiment tracking integration

  MlflowTrackingURI:
    Type: String
    Default: ""
    Description: SageMaker MLflow tracking server ARN

  # Headless API Configuration
  # ------------------------------------------------------------------------
  # Headless API Deployment (required for GovCloud)
  #
  # These parameters control the optional "headless" deployment mode, where
  # the stack deploys a private Jobs REST API (API Gateway + Lambda) instead
  # of (or in addition to) the web UI. This mode is REQUIRED for GovCloud
  # regions because the UI-layer services (AppSync, CloudFront, Cognito UI
  # pool) aren't available there. In Commercial regions the mode is OPTIONAL
  # and useful for API-only / machine-to-machine integrations.
  #
  # All parameters below default to OFF / empty. Leaving them at defaults
  # keeps the stack as a pure web-UI deployment with no Jobs API, no VPC
  # placement of Lambdas, and no bastion EC2.
  #
  # See docs/govcloud-deployment.md for deployment patterns and
  # docs/govcloud-batch-api.md for the Jobs API reference.
  # ------------------------------------------------------------------------

  EnableHeadless:
    Type: String
    Default: 'false'
    AllowedValues: ['true', 'false']
    Description: >-
      Set to 'true' to deploy the headless Jobs REST API (Private API Gateway
      + /jobs endpoints + supporting Lambdas). Default 'false' = no Jobs API
      is deployed. Required for GovCloud. When 'true', you must also set
      DeployInVPC=true and populate VpcId, PrivateSubnetIds,
      ApiGatewayVpcEndpointId, and LambdaSecurityGroupId.

  DeployInVPC:
    Type: String
    Default: 'false'
    AllowedValues: ['true', 'false']
    Description: >-
      Set to 'true' to place all document-processing Lambdas inside the
      customer-supplied VPC (required for Headless API deployments and for
      any compliance/exfil-control use cases). Default 'false' = Lambdas run
      in the default AWS-owned network. When 'true', you must populate
      VpcId, PrivateSubnetIds, and LambdaSecurityGroupId.

  VpcId:
    Type: String
    Default: ""
    Description: >-
      Required when DeployInVPC=true. The customer-owned VPC that Lambdas
      and (if Headless) the Private API Gateway VPC endpoint are attached
      to. Leave empty for non-VPC deployments.

  PrivateSubnetIds:
    Type: CommaDelimitedList
    Default: ""
    Description: >-
      Required when DeployInVPC=true. Comma-separated list of at least 2
      private subnet IDs in different AZs within VpcId. Lambdas are
      attached to these subnets. Leave empty for non-VPC deployments.

  LambdaSecurityGroupId:
    Type: String
    Default: ""
    Description: >-
      Required when DeployInVPC=true. Security group attached to all
      VPC-resident Lambdas. Must allow outbound HTTPS to AWS service
      endpoints (either via VPC endpoints or a NAT gateway). Leave empty
      for non-VPC deployments.

  ApiGatewayVpcEndpointId:
    Type: String
    Default: ""
    Description: >-
      Required when EnableHeadless=true. The com.amazonaws.<region>.execute-api
      Interface VPC endpoint that the Private API Gateway is bound to. The
      API's resource policy denies all traffic not sourced from this VPCE.
      Leave empty if EnableHeadless=false.

  ApiStageName:
    Type: String
    Default: 'beta'
    Description: >-
      Stage name for the Headless Jobs API Gateway (e.g. 'beta', 'prod').
      Ignored when EnableHeadless=false.

  # ------------------------------------------------------------------------
  # Headless API Deployment - Bastion Host (optional, requires VPC Secured Mode)
  #
  # The bastion host is an OPTIONAL developer-convenience feature for
  # reaching the Private API Gateway from outside the VPC during
  # development. It provisions a small EC2 instance (Amazon Linux 2, t3.small,
  # IMDSv2-required, encrypted EBS, no inbound SSH) reachable via AWS SSM
  # Session Manager. Use scripts/bastion.sh to establish a local tunnel
  # through it for running scripts/e2e_test_headless.py or similar.
  #
  # These parameters are ONLY used when DeployBastionHost=true AND
  # DeployInVPC=true (the bastion shares the customer-supplied VPC).
  # Nothing is deployed if DeployBastionHost=false (the default).
  # ------------------------------------------------------------------------

  DeployBastionHost:
    Type: String
    Default: 'false'
    AllowedValues: ['true', 'false']
    Description: >-
      Set to 'true' to provision an SSM-reachable bastion EC2 for dev-time
      access to the Private API Gateway (useful for running e2e tests or
      calling the API from a local machine). Default 'false' = no EC2 is
      deployed. Requires DeployInVPC=true and the two Bastion* parameters
      below. Typically only used in dev accounts.

  BastionHostSubnetId:
    Type: String
    Default: ""
    Description: >-
      Required when DeployBastionHost=true. A PUBLIC subnet in VpcId where
      the bastion EC2 will launch. The subnet needs SSM egress so Session
      Manager can reach the instance. Leave empty when DeployBastionHost=false.

  BastionHostSecurityGroupId:
    Type: String
    Default: ""
    Description: >-
      Required when DeployBastionHost=true. Security group attached to the
      bastion EC2. No inbound SSH rule is needed - SSM Session Manager is
      the only ingress path. Leave empty when DeployBastionHost=false.

  BastionHostAmiId:
    Type: AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>
    Default: /aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2
    Description: >-
      SSM Parameter Store path for the AMI to use on the bastion EC2. The
      default resolves to the latest Amazon Linux 2 AMI and is the right
      choice for almost all deployments. Only change if you need a custom
      hardened AMI. Ignored when DeployBastionHost=false.

Rules:
  MLflowTrackingURIRequired:
    RuleCondition: !Equals [ !Ref EnableMLflow, "true" ]
    Assertions:
      - Assert: !Not [ !Equals [ !Ref MlflowTrackingURI, "" ] ]
        AssertDescription: "MlflowTrackingURI is required when EnableMLflow is true"

  # EnableHeadless=true stands up a Private API Gateway + VPC-resident Lambdas
  # that !Ref VpcId/PrivateSubnetIds/ApiGatewayVpcEndpointId/LambdaSecurityGroupId
  # unconditionally. Those params default to empty, so without this rule a
  # misconfigured deploy would fail deep in CREATE_IN_PROGRESS with an opaque
  # Lambda/API Gateway error. Fail fast at changeset creation instead.
  HeadlessRequiresVPC:
    RuleCondition: !Equals [ !Ref EnableHeadless, "true" ]
    Assertions:
      - Assert: !Equals [ !Ref DeployInVPC, "true" ]
        AssertDescription: "EnableHeadless=true requires DeployInVPC=true (the Jobs API uses a Private API Gateway and VPC-resident Lambdas)."
      - Assert: !Not [ !Equals [ !Ref VpcId, "" ] ]
        AssertDescription: "VpcId is required when EnableHeadless=true"
      - Assert: !Not [ !Equals [ !Ref ApiGatewayVpcEndpointId, "" ] ]
        AssertDescription: "ApiGatewayVpcEndpointId is required when EnableHeadless=true"
      - Assert: !Not [ !Equals [ !Ref LambdaSecurityGroupId, "" ] ]
        AssertDescription: "LambdaSecurityGroupId is required when EnableHeadless=true"
      # Note: PrivateSubnetIds is a CommaDelimitedList. The Rules-block
      # intrinsic-function set (Fn::And / Contains / EachMember* / Equals /
      # If / Not / Or / RefAll / ValueOf*) has no portable way to assert
      # that a CommaDelimitedList isn't the "one empty string" default.
      # The remaining VpcId / VpcEndpoint / SG assertions above cover the
      # common "forgot to pass VPC parameters at all" misconfiguration;
      # invalid subnet IDs are caught later by the Lambda CreateFunction
      # call with a clear error rather than a mid-deploy rollback.

  # Bastion host is a developer-convenience layered on top of VPC-secured mode.
  # It shares the customer-supplied VPC, so DeployInVPC must be true as well.
  BastionRequiresVPC:
    RuleCondition: !Equals [ !Ref DeployBastionHost, "true" ]
    Assertions:
      - Assert: !Equals [ !Ref DeployInVPC, "true" ]
        AssertDescription: "DeployBastionHost=true requires DeployInVPC=true"
      - Assert: !Not [ !Equals [ !Ref BastionHostSubnetId, "" ] ]
        AssertDescription: "BastionHostSubnetId is required when DeployBastionHost=true"
      - Assert: !Not [ !Equals [ !Ref BastionHostSecurityGroupId, "" ] ]
        AssertDescription: "BastionHostSecurityGroupId is required when DeployBastionHost=true"

Conditions:
  # Headless/VPC/Bastion feature conditions
  DeployInVPC: !Equals [!Ref DeployInVPC, 'true']
  DeployApiGateway: !Equals [!Ref EnableHeadless, 'true']
  ShouldDeployBastionHost: !Equals [!Ref DeployBastionHost, 'true']

  HasGuardrailConfig:
    !And [
      !Not [ !Equals [ !Ref BedrockGuardrailId, "" ] ],
      !Not [ !Equals [ !Ref BedrockGuardrailVersion, "" ] ],
    ]

  # HITL and Private Workforce conditions
  # General rules
  ShouldAllowSignUpEmailDomain:
    !Not [ !Equals [ !Ref AllowedSignUpEmailDomain, "" ] ]
  ShouldEnableGeoRestriction: !Not [ !Equals [ !Ref CloudFrontAllowedGeos, "" ] ]
  ShouldEnablePostProcessingLambdaHook:
    !Not [ !Equals [ !Ref PostProcessingLambdaHookFunctionArn, "" ] ]
  ShouldCreateEvaluationBaselineBucket:
    !Equals [ !Ref EvaluationBaselineBucketName, "" ]
  ShouldCreateReportingBucket: !Equals [ !Ref ReportingBucketName, "" ]
  IsWafEnabled: !Not [ !Equals [ !Ref WAFAllowedIPv4Ranges, "0.0.0.0/0" ] ]
  ShouldCreateDocumentKnowledgeBase:
    !Equals [ !Ref DocumentKnowledgeBase, "BEDROCK_KNOWLEDGE_BASE (Create)" ]
  ShouldUseDocumentKnowledgeBase: !Condition ShouldCreateDocumentKnowledgeBase
  DocumentSectionsCrawlerScheduleEnabled:
    !Not [ !Equals [ !Ref DocumentSectionsCrawlerFrequency, "Manual" ] ]
  HasPermissionsBoundary: !Not [ !Equals [ !Ref PermissionsBoundaryArn, "" ] ]
  HasCustomConfigPath: !Not [ !Equals [ !Ref CustomConfigPath, "" ] ]
  IsS3VectorsVectorStore: !Equals [ !Ref KnowledgeBaseVectorStore, "S3_VECTORS" ]
  CreateAgentCoreLambda: !Equals [ !Ref EnableMCP, "true" ]
  CreateExternalAppClient: !Equals [ !Ref EnableMCP, "true" ]
  HasExternalIdP: !Not [ !Equals [ !Ref ExternalIdPType, "" ] ]
  IsExternalIdPSAML:
    !And
      - !Condition HasExternalIdP
      - !Equals [ !Ref ExternalIdPType, "SAML" ]
  IsExternalIdPOIDC:
    !And
      - !Condition HasExternalIdP
      - !Equals [ !Ref ExternalIdPType, "OIDC" ]
  HasExternalIdPGroupMapping: !Not [ !Equals [ !Ref ExternalIdPGroupAttributeName, "" ] ]
  ShouldMapExternalIdPGroups:
    !And
      - !Condition HasExternalIdP
      - !Condition HasExternalIdPGroupMapping
  UseCloudFrontHosting: !Equals [ !Ref WebUIHosting, "CloudFront" ]
  UseALBHosting: !Equals [ !Ref WebUIHosting, "ALB" ]
  EnableXRayTracingCondition: !Equals [ !Ref EnableXRayTracing, "true" ]
  UsePrivateAppSync: !Equals [ !Ref AppSyncVisibility, "PRIVATE" ]
  HasArtifactsBucketKmsKey: !Not [ !Equals [ !Ref ArtifactsBucketKmsKeyArn, "" ] ]

Metadata:
  cfn-lint:
    config:
      ignore_checks:
        - W1030  # ARN pattern matching when Ref resolves to empty string
  AWS::CloudFormation::Interface:
    ParameterGroups:
      - Label:
          default: "User Authentication"
        Parameters:
          - AdminEmail
          - AllowedSignUpEmailDomain
      - Label:
          default: "Configuration"
        Parameters:
          - ConfigurationPreset
          - CustomConfigPath
          - Pattern2CustomClassificationModelARN
          - Pattern2CustomExtractionModelARN
      - Label:
          default: "Evaluation"
        Parameters:
          - EvaluationBaselineBucketName
      - Label:
          default: "Reporting"
        Parameters:
          - ReportingBucketName
          - DocumentSectionsCrawlerFrequency
      - Label:
          default: "Document Knowledge Base"
        Parameters:
          - DocumentKnowledgeBase
          - KnowledgeBaseVectorStore
          - KnowledgeBaseModelId
      - Label:
          default: "Post Processing"
        Parameters:
          - PostProcessingLambdaHookFunctionArn
      - Label:
          default: "Bedrock Guardrails"
        Parameters:
          - BedrockGuardrailId
          - BedrockGuardrailVersion
      - Label:
          default: "Security Configuration"
        Parameters:
          - PermissionsBoundaryArn
          - WAFAllowedIPv4Ranges
      - Label:
          default: "MCP Integration"
        Parameters:
          - EnableMCP
      - Label:
          default: "MLflow Integration"
        Parameters:
          - EnableMLflow
          - MlflowTrackingURI
      - Label:
          default: "External Identity Provider (Federation)"
        Parameters:
          - ExternalIdPType
          - ExternalIdPName
          - ExternalIdPMetadataURL
          - ExternalIdPOIDCIssuer
          - ExternalIdPOIDCClientId
          - ExternalIdPOIDCClientSecretArn
          - ExternalIdPGroupAttributeName
          - ExternalIdPAdminGroupName
          - ExternalIdPAuthorGroupName
          - ExternalIdPReviewerGroupName
          - ExternalIdPViewerGroupName
          - ExternalIdPAutoLogin
      - Label:
          default: "Web UI Hosting"
        Parameters:
          - WebUIHosting
          - CloudFrontPriceClass
          - CloudFrontAllowedGeos
      - Label:
          default: "ALB Hosting (when WebUIHosting=ALB)"
        Parameters:
          - ALBVpcId
          - ALBSubnetIds
          - ALBCertificateArn
          - ALBScheme
          - ALBAllowedCIDRs
      - Label:
          default: "Private Network (AppSync=PRIVATE requires ALB hosting)"
        Parameters:
          - AppSyncVisibility
          - LambdaSubnetIds
      - Label:
          default: "Headless API Deployment (required for GovCloud)"
        Parameters:
          - EnableHeadless
          - DeployInVPC
          - VpcId
          - PrivateSubnetIds
          - LambdaSecurityGroupId
          - ApiGatewayVpcEndpointId
          - ApiStageName
      - Label:
          default: "Headless API Deployment - Bastion Host (optional, requires VPC Secured Mode)"
        Parameters:
          - DeployBastionHost
          - BastionHostSubnetId
          - BastionHostSecurityGroupId
          - BastionHostAmiId
      - Label:
          default: "Advanced - Artifact Bucket"
        Parameters:
          - ArtifactsBucketKmsKeyArn
      - Label:
          default: "General Configuration"
        Parameters:
          - MaxConcurrentWorkflows
          - DataRetentionInDays
          - ErrorThreshold
          - ExecutionTimeThresholdMs
          - LogLevel
          - LogRetentionDays

    ParameterLabels:
      AdminEmail:
        default: "Admin Email Address"
      AllowedSignUpEmailDomain:
        default: "Allowed Sign Up Email Domain"
      Pattern2CustomClassificationModelARN:
        default: "Custom Classification Model ARN"
      Pattern2CustomExtractionModelARN:
        default: "Custom Extraction Model ARN"
      ConfigurationPreset:
        default: "Configuration Preset"
      CustomConfigPath:
        default: "Custom Configuration Path"
      PostProcessingLambdaHookFunctionArn:
        default: "Post Processing Lambda Hook Function ARN"
      EvaluationBaselineBucketName:
        default: "Evaluation Baseline Bucket Name"
      ReportingBucketName:
        default: "Reporting Bucket Name"
      DocumentKnowledgeBase:
        default: "Document Knowledge Base Configuration"
      KnowledgeBaseModelId:
        default: "Knowledge Base Model Id"
      BedrockGuardrailId:
        default: "Bedrock Guardrail Id"
      BedrockGuardrailVersion:
        default: "Bedrock Guardrail Version"
      PermissionsBoundaryArn:
        default: "Permissions Boundary ARN"
      MaxConcurrentWorkflows:
        default: "Maximum Concurrent Workflows"
      DataRetentionInDays:
        default: "Data Retention Period (days)"
      ErrorThreshold:
        default: "Error Alert Threshold"
      ExecutionTimeThresholdMs:
        default: "Execution Time Threshold (ms)"
      LogLevel:
        default: "Logging Level"
      LogRetentionDays:
        default: "Log Retention Period (days)"
      CloudFrontPriceClass:
        default: "CloudFront Price Class"
      CloudFrontAllowedGeos:
        default: "CloudFront Allowed Geos"
      WAFAllowedIPv4Ranges:
        default: "WAF Allowed IPv4 Ranges"
      EnableMCP:
        default: "Enable MCP Integration"
      EnableMLflow:
        default: "Enable MLflow Integration"
      MlflowTrackingURI:
        default: "MLflow Tracking Server ARN"
      WebUIHosting:
        default: "Web UI Hosting Method"
      ALBVpcId:
        default: "ALB - VPC ID"
      ALBSubnetIds:
        default: "ALB - Subnet IDs"
      ALBCertificateArn:
        default: "ALB - ACM Certificate ARN"
      ALBScheme:
        default: "ALB - Scheme (internal/internet-facing)"
      ALBAllowedCIDRs:
        default: "ALB - Allowed CIDR Ranges"
      AppSyncVisibility:
        default: "AppSync API Visibility (GLOBAL or PRIVATE)"
      LambdaSubnetIds:
        default: "Lambda Subnet IDs (required when AppSyncVisibility=PRIVATE)"
      ArtifactsBucketKmsKeyArn:
        default: "Artifacts Bucket KMS Key ARN (optional, for pre-created KMS-encrypted bucket)"
      EnableHeadless:
        default: "Enable Headless API (Jobs REST API, required for GovCloud)"
      DeployInVPC:
        default: "Enable VPC Secured Mode (required when Headless API is enabled)"
      VpcId:
        default: "VPC ID (required when VPC Secured Mode is enabled)"
      PrivateSubnetIds:
        default: "Private Subnet IDs (required when VPC Secured Mode is enabled)"
      LambdaSecurityGroupId:
        default: "Lambda Security Group ID (required when VPC Secured Mode is enabled)"
      ApiGatewayVpcEndpointId:
        default: "API Gateway VPC Endpoint ID (required when Headless API is enabled)"
      ApiStageName:
        default: "API Gateway Stage Name (Headless API)"
      DeployBastionHost:
        default: "Deploy Bastion Host (optional, for dev access to Private API)"
      BastionHostSubnetId:
        default: "Bastion Host - Subnet ID (required when Bastion Host is enabled)"
      BastionHostSecurityGroupId:
        default: "Bastion Host - Security Group ID (required when Bastion Host is enabled)"
      BastionHostAmiId:
        default: "Bastion Host - AMI ID (SSM parameter path, leave default for Amazon Linux 2)"

Resources:
  # Custom resource to enforce max length of StackName - prevent downstream failures
  StacknameCheckFunction:
    Type: AWS::Serverless::Function
    Metadata:
      cfn_nag:
        rules_to_suppress:
          - id: W89
            reason: Function does not require VPC access as it has no network access
          - id: W92
            reason: Reserved concurrency not required
    # checkov:skip=CKV_AWS_116: "DLQ not required for Cfn Custom Resource function"
    # checkov:skip=CKV_AWS_117: "Function does not require VPC access as it only interacts with AWS services via APIs"
    # checkov:skip=CKV_AWS_115: "Function does not require reserved concurrency as it scales based on demand"
    # checkov:skip=CKV_AWS_173: "Environment variables do not contain sensitive data - only configuration values like feature flags and non-sensitive settings"
    Properties:
      PermissionsBoundary:
        !If [
          HasPermissionsBoundary,
          !Ref PermissionsBoundaryArn,
          !Ref AWS::NoValue,
        ]
      Handler: index.handler
      Runtime: python3.12
      InlineCode: |
        import cfnresponse
        import time
        import json
        def handler(event, context):
            print(json.dumps(event))
            input = event['ResourceProperties'].get('InputString', '')
            max_length = int(event['ResourceProperties'].get('MaxLength', 0))
            status = cfnresponse.SUCCESS
            reason = f"Stack Name Length under {max_length} - OK"
            if event['RequestType'] == "Create":
              if len(input) > max_length:
                status = cfnresponse.FAILED
                reason = f"Stack Name ({input}) length ({len(input)}) too long - max length {max_length} - FAILED"
            else:
              print(f"Request type is {event['RequestType']} - skipping")
            cfnresponse.send(event, context, status, {}, reason=reason)
      Environment:
        Variables:
          LOG_LEVEL: INFO
      LoggingConfig:
        LogGroup:
          Ref: StacknameCheckFunctionLogGroup

  StacknameCheckFunctionLogGroup:
    Metadata:
      cfn_nag:
        rules_to_suppress:
          - id: W84
            reason: "LogGroup does not require KMS Key Id, since it's only logging checks on stack name length"
    # checkov:skip=CKV_AWS_158: "LogGroup does not require KMS Key Id, since it's only logging checks on stack name length"
    Type: AWS::Logs::LogGroup
    Properties:
      RetentionInDays: !Ref LogRetentionDays

  IsStacknameLengthOK:
    Type: Custom::StacknameCheck
    Properties:
      ServiceToken: !GetAtt StacknameCheckFunction.Arn
      InputString: !Ref "AWS::StackName"
      MaxLength: 25

  ##########################################################################
  # Jobs REST API (Headless mode)
  ##########################################################################

  ApiHandlerLogGroup:
    Type: AWS::Logs::LogGroup
    Condition: DeployApiGateway
    Properties:
      KmsKeyId: !GetAtt CustomerManagedEncryptionKey.Arn
      RetentionInDays: !Ref LogRetentionDays

  # API Authentication - Cognito User Pool for M2M (client credentials)
  ApiUserPool:
    Type: AWS::Cognito::UserPool
    Condition: DeployApiGateway
    Properties:
      UserPoolName: !Sub ${AWS::StackName}-api

  ApiResourceServer:
    Type: AWS::Cognito::UserPoolResourceServer
    Condition: DeployApiGateway
    Properties:
      Identifier: idp-api
      Name: IDP API
      UserPoolId: !Ref ApiUserPool
      Scopes:
        - ScopeName: jobs.read
          ScopeDescription: Read job status
        - ScopeName: jobs.write
          ScopeDescription: Create and manage jobs

  ApiAppClient:
    Type: AWS::Cognito::UserPoolClient
    Condition: DeployApiGateway
    DependsOn: ApiResourceServer
    Properties:
      ClientName: !Sub ${AWS::StackName}-api-client
      UserPoolId: !Ref ApiUserPool
      GenerateSecret: true
      AllowedOAuthFlows:
        - client_credentials
      AllowedOAuthFlowsUserPoolClient: true
      AllowedOAuthScopes:
        - idp-api/jobs.read
        - idp-api/jobs.write

  ApiUserPoolDomain:
    Type: AWS::Cognito::UserPoolDomain
    Condition: DeployApiGateway
    Properties:
      Domain: !Sub ${AWS::StackName}-api-${AWS::AccountId}
      UserPoolId: !Ref ApiUserPool

  # Private API Gateway with Cognito Authorization
  ApiGateway:
    Type: AWS::Serverless::Api
    Condition: DeployApiGateway
    Properties:
      StageName: !Ref ApiStageName
      EndpointConfiguration:
        Type: PRIVATE
        VPCEndpointIds:
          - !Ref ApiGatewayVpcEndpointId
      Auth:
        DefaultAuthorizer: CognitoAuthorizer
        Authorizers:
          CognitoAuthorizer:
            UserPoolArn: !GetAtt ApiUserPool.Arn
        ResourcePolicy:
          CustomStatements:
            - Effect: Deny
              Principal: '*'
              Action: execute-api:Invoke
              Resource: execute-api:/*
              Condition:
                StringNotEquals:
                  aws:SourceVpce: !Ref ApiGatewayVpcEndpointId
            - Effect: Allow
              Principal: '*'
              Action: execute-api:Invoke
              Resource: execute-api:/*

  ApiHandlerFunction:
    Type: AWS::Serverless::Function
    Condition: DeployApiGateway
    Metadata:
      cfn_nag:
        rules_to_suppress:
          - id: W92
            reason: Reserved concurrency not required
    Properties:
      PermissionsBoundary:
        !If [
          HasPermissionsBoundary,
          !Ref PermissionsBoundaryArn,
          !Ref AWS::NoValue,
        ]
      CodeUri: src/lambda/api_handler/
      Handler: index.handler
      Runtime: python3.12
      MemorySize: 4096
      Timeout: 30
      Layers:
        - !Ref IDPCommonBaseLayer
      # HeadlessRequiresVPC rule (see top-level Rules: block) already asserts
      # DeployInVPC=true whenever EnableHeadless=true, so in practice this !If
      # always takes the first branch when this Function is deployed. The
      # guard is defense-in-depth: if the coupling is ever relaxed (e.g. a
      # future "headless API without VPC" pattern), this Function will still
      # render as a valid no-VpcConfig Lambda rather than fail on empty !Refs.
      VpcConfig: !If
        - DeployInVPC
        - SecurityGroupIds:
            - !Ref LambdaSecurityGroupId
          SubnetIds: !Ref PrivateSubnetIds
        - !Ref AWS::NoValue
      Environment:
        Variables:
          LOG_LEVEL: !Ref LogLevel
          TRACKING_TABLE: !Ref TrackingTable
          DOCUMENT_TRACKING_MODE: dynamodb
          INPUT_BUCKET_NAME: !Ref InputBucket
          OUTPUT_BUCKET_NAME: !Ref OutputBucket
          STAGING_BUCKET_NAME: !Ref StagingBucket
          DATA_RETENTION_IN_DAYS: !Ref DataRetentionInDays
      LoggingConfig:
        LogGroup: !Ref ApiHandlerLogGroup
      Events:
        PostJob:
          Type: Api
          Properties:
            RestApiId: !Ref ApiGateway
            Path: /jobs
            Method: POST
            Auth:
              Authorizer: CognitoAuthorizer
              AuthorizationScopes:
                - idp-api/jobs.write
        GetJob:
          Type: Api
          Properties:
            RestApiId: !Ref ApiGateway
            Path: /jobs/{job_id}
            Method: GET
            Auth:
              Authorizer: CognitoAuthorizer
              AuthorizationScopes:
                - idp-api/jobs.read
      Policies:
        - DynamoDBCrudPolicy:
            TableName: !Ref TrackingTable
        - S3WritePolicy:
            BucketName: !Ref InputBucket
        - S3CrudPolicy:
            BucketName: !Ref OutputBucket
        - S3WritePolicy:
            BucketName: !Ref StagingBucket
        - Statement:
            - Effect: Allow
              Action:
                - kms:Encrypt
                - kms:Decrypt
                - kms:ReEncrypt*
                - kms:GenerateDataKey*
                - kms:DescribeKey
              Resource: !GetAtt CustomerManagedEncryptionKey.Arn

  BatchPreProcessorFunction:
    Type: AWS::Serverless::Function
    Condition: DeployApiGateway
    Metadata:
      cfn_nag:
        rules_to_suppress:
          - id: W92
            reason: Reserved concurrency not required
    Properties:
      PermissionsBoundary:
        !If [
          HasPermissionsBoundary,
          !Ref PermissionsBoundaryArn,
          !Ref AWS::NoValue,
        ]
      CodeUri: src/lambda/batch_pre_processor/
      Handler: index.handler
      Runtime: python3.12
      MemorySize: 3008
      Timeout: 900
      EphemeralStorage:
        Size: 5120
      Layers:
        - !Ref IDPCommonBaseLayer
      # See ApiHandlerFunction for rationale — HeadlessRequiresVPC rule gates
      # this at changeset creation; the !If is defense-in-depth.
      VpcConfig: !If
        - DeployInVPC
        - SecurityGroupIds:
            - !Ref LambdaSecurityGroupId
          SubnetIds: !Ref PrivateSubnetIds
        - !Ref AWS::NoValue
      Environment:
        Variables:
          LOG_LEVEL: !Ref LogLevel
          INPUT_BUCKET_NAME: !Ref InputBucket
          TRACKING_TABLE: !Ref TrackingTable
      Events:
        S3Event:
          Type: CloudWatchEvent
          Properties:
            Pattern:
              source:
                - aws.s3
              detail-type:
                - "Object Created"
              detail:
                bucket:
                  name:
                    - !Ref StagingBucket
                object:
                  key:
                    - suffix: .zip
      Policies:
        - S3ReadPolicy:
            BucketName: !Ref StagingBucket
        - S3WritePolicy:
            BucketName: !Ref InputBucket
        - DynamoDBCrudPolicy:
            TableName: !Ref TrackingTable
        - Statement:
            - Effect: Allow
              Action:
                - kms:Decrypt
                - kms:GenerateDataKey*
              Resource: !GetAtt CustomerManagedEncryptionKey.Arn

  ##########################################################################
  # Bastion Host (optional - for testing Private API Gateway)
  ##########################################################################

  BastionKey:
    Type: AWS::KMS::Key
    Condition: ShouldDeployBastionHost
    Properties:
      Description: 'KMS Key for Bastion Host EBS encryption'
      EnableKeyRotation: true
      KeyPolicy:
        Version: '2012-10-17'
        Statement:
          - Sid: Enable IAM User Permissions
            Effect: Allow
            Principal:
              AWS: !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:root'
            Action: 'kms:*'
            Resource: '*'
          - Sid: Allow use of the key for EBS
            Effect: Allow
            Principal:
              Service: !Sub 'ec2.${AWS::URLSuffix}'
            Action:
              - kms:Decrypt
              - kms:DescribeKey
              - kms:Encrypt
              - kms:GenerateDataKey*
              - kms:ReEncrypt*
            Resource: '*'

  BastionRole:
    Type: AWS::IAM::Role
    Condition: ShouldDeployBastionHost
    Properties:
      RoleName: !Sub '${AWS::StackName}BastionHost-Role'
      Description: 'Assumed by bastion host'
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: !Sub 'ec2.${AWS::URLSuffix}'
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - !Sub 'arn:${AWS::Partition}:iam::aws:policy/AmazonSSMManagedInstanceCore'

  BastionInstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Condition: ShouldDeployBastionHost
    Properties:
      InstanceProfileName: !Sub '${AWS::StackName}BastionHost-InstanceProfile'
      Roles:
        - !Ref BastionRole

  BastionLaunchTemplate:
    Type: AWS::EC2::LaunchTemplate
    Condition: ShouldDeployBastionHost
    Properties:
      LaunchTemplateName: !Sub '${AWS::StackName}BastionLaunchTemplate'
      LaunchTemplateData:
        ImageId: !Ref BastionHostAmiId
        InstanceType: t3.small
        IamInstanceProfile:
          Arn: !GetAtt BastionInstanceProfile.Arn
        SecurityGroupIds:
          - !Ref BastionHostSecurityGroupId
        BlockDeviceMappings:
          - DeviceName: '/dev/xvda'
            Ebs:
              VolumeSize: 20
              VolumeType: gp3
              Encrypted: true
              KmsKeyId: !Ref BastionKey
              DeleteOnTermination: true
        MetadataOptions:
          HttpTokens: required
        Monitoring:
          Enabled: true

  BastionInstance:
    Type: AWS::EC2::Instance
    Condition: ShouldDeployBastionHost
    Properties:
      LaunchTemplate:
        LaunchTemplateId: !Ref BastionLaunchTemplate
        Version: !GetAtt BastionLaunchTemplate.LatestVersionNumber
      SubnetId: !Ref BastionHostSubnetId
      Tags:
        - Key: Name
          Value: !Sub '${AWS::StackName}BastionHost'

  ConfigurationCopyFunction:
    Type: AWS::Serverless::Function
    Metadata:
      cfn_nag:
        rules_to_suppress:
          - id: W89
            reason: Function does not require VPC access as it only interacts with S3
          - id: W92
            reason: Reserved concurrency not required
    # checkov:skip=CKV_AWS_116: "DLQ not required for Cfn Custom Resource function"
    # checkov:skip=CKV_AWS_117: "Function does not require VPC access as it only interacts with AWS services via APIs"
    # checkov:skip=CKV_AWS_115: "Function does not require reserved concurrency as it scales based on demand"
    # checkov:skip=CKV_AWS_173: "Environment variables do not contain sensitive data - only configuration values like feature flags and non-sensitive settings"
    Properties:
      PermissionsBoundary:
        !If [
          HasPermissionsBoundary,
          !Ref PermissionsBoundaryArn,
          !Ref AWS::NoValue,
        ]
      Handler: index.handler
      Runtime: python3.12
      Timeout: 300
      VpcConfig:
        !If
          - DeployInVPC
          - SecurityGroupIds:
              - !Ref LambdaSecurityGroupId
            SubnetIds: !Ref PrivateSubnetIds
          - !Ref AWS::NoValue
      InlineCode: |
        import boto3
        import cfnresponse
        import json
        import logging

        logger = logging.getLogger()
        logger.setLevel(logging.INFO)

        def handler(event, context):
            logger.info(json.dumps(event))
        
            try:
                source_bucket = event['ResourceProperties']['SourceBucket']
                source_prefix = event['ResourceProperties']['SourcePrefix']
                target_bucket = event['ResourceProperties']['TargetBucket']
                target_prefix = event['ResourceProperties'].get('TargetPrefix', '')
        
                file_list = event['ResourceProperties'].get('FileList', [])
        
                s3_client = boto3.client('s3')
        
                if event['RequestType'] == 'Create' or event['RequestType'] == 'Update':
                    # Copy files explicitly from the provided list
                    copied_count = 0
        
                    for relative_file_path in file_list:
                        # Skip empty entries
                        if not relative_file_path.strip():
                            continue
        
                        # Construct source key
                        source_key = f"{source_prefix}/{relative_file_path}"
        
                        # Construct target key with optional target prefix
                        if target_prefix:
                            target_key = f"{target_prefix}/{relative_file_path}"
                        else:
                            target_key = relative_file_path
        
                        logger.info(f"Copying {source_bucket}/{source_key} to {target_bucket}/{target_key}")
        
                        try:
                            copy_source = {'Bucket': source_bucket, 'Key': source_key}
                            s3_client.copy_object(
                                CopySource=copy_source,
                                Bucket=target_bucket,
                                Key=target_key
                            )
                            copied_count += 1
                        except Exception as copy_error:
                            logger.warning(f"Failed to copy {source_key}: {str(copy_error)}")
                            # Continue with other files instead of failing the entire operation
        
                    logger.info(f"Successfully copied {copied_count} configuration files")
                    cfnresponse.send(event, context, cfnresponse.SUCCESS, {
                        'CopiedFiles': copied_count
                    }, reason=f"Successfully copied {copied_count} configuration files")
        
                elif event['RequestType'] == 'Delete':
                    # For delete, we don't need to clean up the configuration files
                    # as they may be needed by other resources
                    logger.info("Delete request - no action needed for configuration files")
                    cfnresponse.send(event, context, cfnresponse.SUCCESS, {}, 
                                   reason="Delete completed - configuration files retained")
        
            except Exception as e:
                logger.error(f"Error: {str(e)}")
                cfnresponse.send(event, context, cfnresponse.FAILED, {}, 
                               reason=f"Error copying configuration files: {str(e)}")

      Environment:
        Variables:
          LOG_LEVEL: INFO
      LoggingConfig:
        LogGroup:
          Ref: ConfigurationCopyFunctionLogGroup
      Policies:
        - S3ReadPolicy:
            BucketName: "<ARTIFACT_BUCKET_TOKEN>"
        - S3WritePolicy:
            BucketName: !Ref ConfigurationBucket
        - Statement:
            - Effect: Allow
              Action:
                - kms:Encrypt
                - kms:Decrypt
                - kms:ReEncrypt*
                - kms:GenerateDataKey*
                - kms:DescribeKey
              Resource: !GetAtt CustomerManagedEncryptionKey.Arn
            # Grant kms:Decrypt on the artifacts bucket KMS key when provided
            # This allows ConfigurationCopyFunction to read config files from a KMS-encrypted artifact bucket
            - !If
              - HasArtifactsBucketKmsKey
              - Effect: Allow
                Action:
                  - kms:Decrypt
                  - kms:GenerateDataKey*
                  - kms:DescribeKey
                Resource: !Ref ArtifactsBucketKmsKeyArn
              - !Ref AWS::NoValue

  ConfigurationCopyFunctionLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      RetentionInDays: !Ref LogRetentionDays
      KmsKeyId: !GetAtt CustomerManagedEncryptionKey.Arn

  CopyConfigurationFiles:
    Type: Custom::ConfigurationCopy
    Properties:
      ServiceToken: !GetAtt ConfigurationCopyFunction.Arn
      SourceBucket: "<ARTIFACT_BUCKET_TOKEN>"
      SourcePrefix: "<ARTIFACT_PREFIX_TOKEN>/config_library"
      TargetBucket: !Ref ConfigurationBucket
      TargetPrefix: "config_library"
      ConfigLibraryHash: "<CONFIG_LIBRARY_HASH_TOKEN>"
      FileList: <CONFIG_FILES_LIST_TOKEN>

  ##########################################################################
  # Nested stack for selected options
  ##########################################################################

  DOCUMENTKB:
    DependsOn:
      - IsStacknameLengthOK
    Type: AWS::CloudFormation::Stack
    Condition: ShouldCreateDocumentKnowledgeBase
    Properties:
      TemplateURL: ./nested/bedrockkb/.aws-sam/packaged.yaml
      Parameters:
        pKnowledgeBaseBucketName: !Ref OutputBucket
        pInputDocumentUploadFolderPrefix: ""
        pS3SyncScheduleExpression: "cron(0/30 * ? * * *)" # default is to sync documents every 30 minutes
        pCustomerManagedEncryptionKeyArn: !GetAtt CustomerManagedEncryptionKey.Arn
        pChunkingStrategy: "Fixed-size chunking"
        pMaxTokens: 8192
        pVectorStoreType: !Ref KnowledgeBaseVectorStore
        LogLevel: !Ref LogLevel
        PermissionsBoundaryArn: !Ref PermissionsBoundaryArn



  ##########################################################################
  # AgentCore MCP Handler Lambda Function
  ##########################################################################

  AgentCoreMCPHandlerLogGroup:
    Type: AWS::Logs::LogGroup
    Condition: CreateAgentCoreLambda
    Properties:
      KmsKeyId: !GetAtt CustomerManagedEncryptionKey.Arn
      RetentionInDays: !Ref LogRetentionDays

  AgentCoreMCPHandlerFunction:
    Type: AWS::Serverless::Function
    Condition: CreateAgentCoreLambda
    Metadata:
      BuildMethod: python3.12
      cfn_nag:
        rules_to_suppress:
          - id: W11
            reason: "bedrock-agentcore:InvokeAgentRuntime, aws-marketplace, and logs:DescribeLogGroups APIs do not support resource-level permissions"
          - id: W89
            reason: "Function does not require VPC access as it only interacts with AWS services via APIs"
          - id: W92
            reason: "Function does not require reserved concurrency as it scales based on demand"
    # checkov:skip=CKV_AWS_116: "DLQ not required for AgentCore MCP handler function"
    # checkov:skip=CKV_AWS_117: "Function does not require VPC access as it only interacts with AWS services via APIs"
    # checkov:skip=CKV_AWS_115: "Function does not require reserved concurrency as it scales based on demand"
    # checkov:skip=CKV_AWS_173: "Environment variables do not contain sensitive data - only configuration values like feature flags and non-sensitive settings"
    Properties:
      FunctionName: !Sub "${AWS::StackName}-agentcore-mcp-handler"
      CodeUri: src/lambda/agentcore_mcp_handler/
      Handler: index.lambda_handler
      Runtime: python3.12
      MemorySize: 1024
      Timeout: 900
      Layers:
        - !Ref IDPCommonAgentsLayer
      Environment:
        Variables:
          LOG_LEVEL: !Ref LogLevel
          CONFIGURATION_TABLE_NAME: !Ref ConfigurationTable
          TRACKING_TABLE_NAME: !Ref TrackingTable
          LOOKUP_FUNCTION_NAME: !Ref LookupFunction
          STRANDS_LOG_LEVEL: !Ref LogLevel
          AGENT_TABLE: !Ref AgentTable
          APPSYNC_API_URL: !GetAtt GraphQLApi.GraphQLUrl
          ATHENA_DATABASE: !Ref ReportingDatabase
          ATHENA_WORKGROUP: primary
          QUERY_RESULTS_BUCKET: !If
            - ShouldCreateReportingBucket
            - !Ref ReportingBucket
            - !Ref ReportingBucketName
          ATHENA_OUTPUT_LOCATION: !Sub
            - "s3://${Bucket}/athena-results/"
            - Bucket: !If
                - ShouldCreateReportingBucket
                - !Ref ReportingBucket
                - !Ref ReportingBucketName
          AWS_STACK_NAME: !Ref AWS::StackName
          GUARDRAIL_ID_AND_VERSION:
            !If [
              HasGuardrailConfig,
              !Sub "${BedrockGuardrailId}:${BedrockGuardrailVersion}",
              "",
            ]
          CLOUDWATCH_LOG_GROUP_PREFIX: !Sub "/aws/lambda/${AWS::StackName}"
          SETTINGS_PARAMETER_NAME: !Ref SettingsParameter
          MCP_SERVER_BUCKET: !Ref MCPContentBucket
      LoggingConfig:
        LogGroup: !Ref AgentCoreMCPHandlerLogGroup
      Policies:
        - Statement:
            Effect: Allow
            Action: bedrock-agentcore:InvokeAgentRuntime
            Resource: "*"
        - Statement:
            Effect: Allow
            Action: appsync:GraphQL
            Resource: !Sub "arn:${AWS::Partition}:appsync:${AWS::Region}:${AWS::AccountId}:apis/${GraphQLApi.ApiId}/*"
        - DynamoDBCrudPolicy:
            TableName: !Ref ChatMessagesTable
        - DynamoDBCrudPolicy:
            TableName: !Ref IdHelperChatMemoryTable
        - DynamoDBReadPolicy:
            TableName: !Ref ConfigurationTable
        - S3CrudPolicy:
            BucketName: !If
              - ShouldCreateReportingBucket
              - !Ref ReportingBucket
              - !Ref ReportingBucketName
        - Statement:
            - Effect: Allow
              Action:
                - athena:StartQueryExecution
                - athena:GetQueryExecution
                - athena:GetQueryResults
                - athena:StopQueryExecution
              Resource:
                - !Sub "arn:${AWS::Partition}:athena:${AWS::Region}:${AWS::AccountId}:workgroup/primary"
                - !Sub "arn:${AWS::Partition}:athena:${AWS::Region}:${AWS::AccountId}:datacatalog/*"
            - Effect: Allow
              Action:
                - s3:ListBucket
                - s3:GetBucketLocation
                - s3:GetBucketVersioning
              Resource:
                - !Sub
                  - "${BucketArn}"
                  - BucketArn: !If
                      - ShouldCreateReportingBucket
                      - !GetAtt ReportingBucket.Arn
                      - !Sub "arn:${AWS::Partition}:s3:::${ReportingBucketName}"
                - !GetAtt InputBucket.Arn
                - !GetAtt OutputBucket.Arn
                - !GetAtt MCPContentBucket.Arn
            - Effect: Allow
              Action:
                - s3:GetObject
                - s3:PutObject
                - s3:DeleteObject
                - s3:AbortMultipartUpload
                - s3:ListMultipartUploadParts
              Resource:
                - !Sub
                  - "${BucketArn}/*"
                  - BucketArn: !If
                      - ShouldCreateReportingBucket
                      - !GetAtt ReportingBucket.Arn
                      - !Sub "arn:${AWS::Partition}:s3:::${ReportingBucketName}"
                - !Sub "${InputBucket.Arn}/*"
                - !Sub "${OutputBucket.Arn}/*"
                - !Sub "${MCPContentBucket.Arn}/*"
            - Effect: Allow
              Action:
                - glue:GetTable
                - glue:GetTables
                - glue:GetDatabase
                - glue:GetDatabases
                - glue:GetPartitions
              Resource:
                - !Sub "arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:catalog"
                - !Sub "arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:database/${ReportingDatabase}"
                - !Sub "arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:table/${ReportingDatabase}/*"
            - Effect: Allow
              Action:
                - bedrock:InvokeModel
                - bedrock:InvokeModelWithResponseStream
                - bedrock:GetInferenceProfile
              Resource:
                - !Sub "arn:${AWS::Partition}:bedrock:*::foundation-model/*"
                - !Sub "arn:${AWS::Partition}:bedrock:${AWS::Region}:${AWS::AccountId}:inference-profile/*"
                - !Sub "arn:${AWS::Partition}:bedrock:${AWS::Region}:${AWS::AccountId}:application-inference-profile/*"
            - Effect: Allow
              Action:
                - aws-marketplace:Subscribe
                - aws-marketplace:Unsubscribe
                - aws-marketplace:ViewSubscriptions
              Resource: "*"
            - !If
              - HasGuardrailConfig
              - Effect: Allow
                Action:
                  - "bedrock:ApplyGuardrail"
                Resource:
                  - !Sub "arn:${AWS::Partition}:bedrock:${AWS::Region}:${AWS::AccountId}:guardrail/${BedrockGuardrailId}"
              - !Ref AWS::NoValue
            - Effect: Allow
              Action:
                - appsync:GraphQL
              Resource:
                - !Sub "${GraphQLApi.Arn}/types/Mutation/*"
            - Effect: Allow
              Action:
                - kms:Encrypt
                - kms:Decrypt
                - kms:ReEncrypt*
                - kms:GenerateDataKey*
                - kms:DescribeKey
              Resource: !GetAtt CustomerManagedEncryptionKey.Arn
            - Effect: Allow
              Action:
                - bedrock-agentcore:StartCodeInterpreterSession
                - bedrock-agentcore:StopCodeInterpreterSession
                - bedrock-agentcore:InvokeCodeInterpreter
                - bedrock-agentcore:GetCodeInterpreterSession
                - bedrock-agentcore:ListCodeInterpreterSessions
              Resource:
                - !Sub "arn:${AWS::Partition}:bedrock-agentcore:*:aws:code-interpreter/*"
            - Effect: Allow
              Action:
                - secretsmanager:GetSecretValue
              Resource:
                - !Ref ExternalMCPAgentsSecret
            - Effect: Allow
              Action:
                - logs:DescribeLogGroups
                - logs:DescribeLogStreams
                - logs:FilterLogEvents
                - logs:GetLogEvents
              Resource:
                - !Sub "arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/${AWS::StackName}*"
                - !Sub "arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/vendedlogs/states/${AWS::StackName}*"
                - !Sub "arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/${AWS::StackName}*"
                - !GetAtt QueueSenderLogGroup.Arn
                - !GetAtt QueueProcessorLogGroup.Arn
                - !GetAtt WorkflowTrackerLogGroup.Arn
                - !GetAtt SaveReportingDataFunctionV2LogGroup.Arn
            - Effect: Allow
              Action:
                - logs:DescribeLogGroups
              Resource:
                - "*"
            - Effect: Allow
              Action:
                - dynamodb:DescribeTable
                - dynamodb:Scan
                - dynamodb:Query
                - dynamodb:GetItem
                - dynamodb:Query
              Resource:
                - !GetAtt TrackingTable.Arn
                - !GetAtt ConfigurationTable.Arn
                - !GetAtt AgentTable.Arn
            - Effect: Allow
              Action:
                - cloudformation:DescribeStackResources
                - cloudformation:DescribeStacks
                - cloudformation:ListStackResources
              Resource:
                - !Sub "arn:${AWS::Partition}:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/${AWS::StackName}/*"
            - Effect: Allow
              Action:
                - lambda:InvokeFunction
              Resource:
                - !Sub "arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:${AWS::StackName}*"
            - Effect: Allow
              Action:
                - states:DescribeExecution
                - states:GetExecutionHistory
              Resource:
                - !Sub "arn:${AWS::Partition}:states:${AWS::Region}:${AWS::AccountId}:execution:${AWS::StackName}*"
            - Effect: Allow
              Action:
                - ssm:GetParameter
              Resource:
                - !Sub "arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:parameter/${SettingsParameter}"

  ##########################################################################
  # AgentCore Gateway Manager Lambda Function
  ##########################################################################

  AgentCoreGatewayManagerFunction:
    Type: AWS::Serverless::Function
    Condition: CreateAgentCoreLambda
    Metadata:
      cfn_nag:
        rules_to_suppress:
          - id: W89
            reason: "Function does not require VPC access as it only interacts with AWS services via APIs"
          - id: W92
            reason: "Function does not require reserved concurrency as it scales based on demand"
          - id: F38
            reason: "PassRole permission is required to delegate the execution role to the Bedrock AgentCore Gateway service securely"
          - id: F3
            reason: "Wildcard actions required for AgentCore Gateway lifecycle management (create, update, delete) and CloudWatch Logs delivery configuration"
          - id: W11
            reason: "Wildcard resource required as AgentCore Gateway ARNs are dynamically generated and unknown at deployment time"
    # checkov:skip=CKV_AWS_116: "DLQ not required for Cfn Custom Resource function"
    # checkov:skip=CKV_AWS_117: "Function does not require VPC access as it only interacts with AWS services via APIs"
    # checkov:skip=CKV_AWS_115: "Function does not require reserved concurrency as it scales based on demand"
    # checkov:skip=CKV_AWS_173: "Environment variables do not contain sensitive data - only configuration values like feature flags and non-sensitive settings"
    Properties:
      PermissionsBoundary:
        !If [
          HasPermissionsBoundary,
          !Ref PermissionsBoundaryArn,
          !Ref AWS::NoValue,
        ]
      CodeUri: src/lambda/agentcore_gateway_manager/
      Handler: index.handler
      Runtime: python3.12
      Timeout: 900
      MemorySize: 512
      Environment:
        Variables:
          LOG_LEVEL: !Ref LogLevel
      LoggingConfig:
        LogGroup: !Ref AgentCoreGatewayManagerLogGroup
      Policies:
        - Statement:
            - Effect: Allow
              Action:
                - bedrock-agent:*
                - bedrock-agentcore:*
                - bedrock-agentcore-control:*
                - logs:CreateLogGroup
                - logs:PutLogEvents
                - logs:DeleteLogGroup
                - logs:PutDeliverySource
                - logs:DeleteDeliverySource
                - logs:PutDeliveryDestination
                - logs:DeleteDeliveryDestination
                - logs:DescribeDeliveryDestinations
                - logs:DescribeDeliverySources
                - iam:PassRole
                - iam:CreateRole
                - iam:AttachRolePolicy
                - iam:GetRole
                - cognito-idp:DescribeUserPool
              Resource: "*"
            - Effect: Allow
              Action:
                - kms:Encrypt
                - kms:Decrypt
                - kms:ReEncrypt*
                - kms:GenerateDataKey*
                - kms:DescribeKey
              Resource: !GetAtt CustomerManagedEncryptionKey.Arn

  AgentCoreGatewayManagerLogGroup:
    Type: AWS::Logs::LogGroup
    Condition: CreateAgentCoreLambda
    Properties:
      KmsKeyId: !GetAtt CustomerManagedEncryptionKey.Arn
      RetentionInDays: !Ref LogRetentionDays

  AgentCoreGatewayExecutionRole:
    Type: AWS::IAM::Role
    Condition: CreateAgentCoreLambda
    Properties:
      RoleName: !Sub "${AWS::StackName}-AgentCoreGatewayExecutionRole"
      Description: Execution role for AgentCore Gateway
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: !Sub "bedrock-agentcore.${AWS::URLSuffix}"
            Action: sts:AssumeRole
            Condition:
              StringEquals:
                aws:SourceAccount: !Ref AWS::AccountId
              ArnLike:
                aws:SourceArn: !Sub "arn:${AWS::Partition}:bedrock-agentcore:${AWS::Region}:${AWS::AccountId}:*"
      Policies:
        - PolicyName: InvokeLambdaPolicy
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action: lambda:InvokeFunction
                Resource: !GetAtt AgentCoreMCPHandlerFunction.Arn
      ManagedPolicyArns:
        - !Sub "arn:${AWS::Partition}:iam::aws:policy/CloudWatchLogsFullAccess"
      Tags:
        - Key: Name
          Value: !Sub "${AWS::StackName}-AgentCoreGatewayExecutionRole"

  AgentCoreGateway:
    Type: Custom::AgentCoreGateway
    Condition: CreateAgentCoreLambda
    Properties:
      ServiceToken: !GetAtt AgentCoreGatewayManagerFunction.Arn
      StackName: !Ref AWS::StackName
      Region: !Ref AWS::Region
      LambdaArn: !GetAtt AgentCoreMCPHandlerFunction.Arn
      UserPoolId: !Ref UserPool
      ClientId: !Ref ExternalAppClient
      ClientSecret: !GetAtt ExternalAppClient.ClientSecret
      ConnectorClientId: !Ref MCPConnectorClient
      ExecutionRoleArn: !GetAtt AgentCoreGatewayExecutionRole.Arn
      SourceCodeHash: <LAMBDA_HASH_TOKEN>

  ##########################################################################
  # Read previous IDPPattern from SSM before PATTERNSTACK overwrites it
  # This detects Pattern-1 → Unified upgrades so BDA can be auto-enabled
  ##########################################################################

  ReadPreviousIDPPatternFunction:
    Type: AWS::Serverless::Function
    Metadata:
      cfn_nag:
        rules_to_suppress:
          - id: W89
            reason: Function does not require VPC access
          - id: W92
            reason: Reserved concurrency not required
    # checkov:skip=CKV_AWS_116: "DLQ not required for Cfn Custom Resource function"
    # checkov:skip=CKV_AWS_117: "Function does not require VPC access"
    # checkov:skip=CKV_AWS_115: "Function does not require reserved concurrency"
    # checkov:skip=CKV_AWS_173: "Environment variables contain non-sensitive configuration values (log level only)"
    Properties:
      PermissionsBoundary:
        !If [HasPermissionsBoundary, !Ref PermissionsBoundaryArn, !Ref AWS::NoValue]
      Handler: index.handler
      Runtime: python3.12
      Timeout: 10
      CodeUri: src/lambda/read_previous_idp_pattern
      Environment:
        Variables:
          LOG_LEVEL: INFO
      LoggingConfig:
        LogGroup: !Ref ReadPreviousIDPPatternFunctionLogGroup
      Policies:
        - Statement:
            - Effect: Allow
              Action: ssm:GetParameter
              Resource:
                - !Sub "arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:parameter/${SettingsParameter}"

  ReadPreviousIDPPatternFunctionLogGroup:
    Metadata:
      cfn_nag:
        rules_to_suppress:
          - id: W84
            reason: "LogGroup does not require KMS Key Id"
    # checkov:skip=CKV_AWS_158: "LogGroup does not require KMS Key Id"
    Type: AWS::Logs::LogGroup
    Properties:
      RetentionInDays: !Ref LogRetentionDays

  PreviousIDPPatternValue:
    Type: Custom::ReadPreviousIDPPattern
    Properties:
      ServiceToken: !GetAtt ReadPreviousIDPPatternFunction.Arn
      SettingsParameterName: !Ref SettingsParameter

  ##########################################################################
  # Nested stack for selected pattern
  ##########################################################################

  PATTERNSTACK:
    DependsOn:
      - IsStacknameLengthOK
      - CopyConfigurationFiles
    Type: AWS::CloudFormation::Stack
    Properties:
      TemplateURL: ./patterns/unified/.aws-sam/packaged.yaml
      Parameters:
        StackName: !Ref AWS::StackName
        InputBucket: !Ref InputBucket
        DiscoveryBucket: !Ref DiscoveryBucket
        DiscoveryTrackingTable: !Ref DiscoveryTrackingTable
        ConfigurationBucket: !Ref ConfigurationBucket
        WorkingBucket: !Ref WorkingBucket
        OutputBucket: !Ref OutputBucket
        TrackingTable: !Ref TrackingTable
        CustomerManagedEncryptionKeyArn: !GetAtt CustomerManagedEncryptionKey.Arn
        LogRetentionDays: !Ref LogRetentionDays
        LogLevel: !Ref LogLevel
        ExecutionTimeThresholdMs: !Ref ExecutionTimeThresholdMs
        BedrockGuardrailId: !Ref BedrockGuardrailId
        BedrockGuardrailVersion: !Ref BedrockGuardrailVersion
        UpdateConfigurationFunctionArn: !GetAtt UpdateConfigurationFunction.Arn
        ConfigurationTable: !Ref ConfigurationTable
        AppSyncApiUrl: !GetAtt GraphQLApi.GraphQLUrl
        AppSyncApiArn: !GetAtt GraphQLApi.Arn
        ConfigurationDefaultS3Uri: !If
          - HasCustomConfigPath
          - !Ref CustomConfigPath
          - !Sub
            - "s3://${ConfigurationBucket}/config_library/unified/${ConfigPath}/config.yaml"
            - ConfigPath:
                !FindInMap [
                  ConfigurationMap,
                  !Ref ConfigurationPreset,
                  ConfigPath,
                ]
        ConfigLibraryHash: "<CONFIG_LIBRARY_HASH_TOKEN>"
        EnableXRayTracing: !Ref EnableXRayTracing
        PermissionsBoundaryArn: !Ref PermissionsBoundaryArn
        ReportingBucket: !If
          - ShouldCreateReportingBucket
          - !Ref ReportingBucket
          - !Ref ReportingBucketName
        BaselineBucket: !If
          - ShouldCreateEvaluationBaselineBucket
          - !Ref EvaluationBaselineBucket
          - !Ref EvaluationBaselineBucketName
        SaveReportingFunctionName: !Ref SaveReportingDataFunctionV2
        ImageVersion: "<UNIFIED_IMAGE_VERSION>"
        ArtifactBucket: "<ARTIFACT_BUCKET_TOKEN>"
        ArtifactPrefix: "<ARTIFACT_PREFIX_TOKEN>"
        ArtifactsBucketKmsKeyArn: !Ref ArtifactsBucketKmsKeyArn
        SourceZipfile: "<UNIFIED_SOURCE_ZIPFILE_TOKEN>"
        CustomClassificationModelARN: !Ref Pattern2CustomClassificationModelARN
        CustomExtractionModelARN: !Ref Pattern2CustomExtractionModelARN
        EnableECRImageScanning: !Ref EnableECRImageScanning
        PreviousIDPPattern: !GetAtt PreviousIDPPatternValue.IDPPattern

        # Private AppSync VPC config (req #2) — puts processing Lambdas in VPC
        UsePrivateAppSync: !If [UsePrivateAppSync, "true", "false"]
        LambdaSubnetIds: !If
          - UsePrivateAppSync
          - !Join [",", !Ref LambdaSubnetIds]
          - ""
        LambdaSecurityGroupId: !If
          - UsePrivateAppSync
          - !Ref LambdaVpcSecurityGroup
          - ""

        # MLflow Integration
        EnableMLflow: !Ref EnableMLflow
        MlflowTrackingURI: !Ref MlflowTrackingURI

  ##########################################################################
  # Encryption key
  ##########################################################################


  ##########################################################################
  # Nested stack for AppSync resolvers
  ##########################################################################

  APPSYNCSTACK:
    DependsOn:
      - IsStacknameLengthOK
    Type: AWS::CloudFormation::Stack
    Properties:
      TemplateURL: ./nested/appsync/.aws-sam/packaged.yaml
      Parameters:
        # Core AppSync resources
        GraphQLApiId: !GetAtt GraphQLApi.ApiId
        GraphQLApiArn: !GetAtt GraphQLApi.Arn
        GraphQLApiUrl: !GetAtt GraphQLApi.GraphQLUrl
        
        # Background worker ARNs
        AgentChatProcessorFunctionArn: !GetAtt AgentChatProcessorFunction.Arn
        AgentProcessorFunctionArn: !GetAtt AgentProcessorFunction.Arn
        TestExecutionAggregationFunctionArn: !GetAtt PATTERNSTACK.Outputs.TestExecutionAggregationFunctionArn
        
        # DynamoDB Tables
        TrackingTableName: !Ref TrackingTable
        ConfigurationTableName: !Ref ConfigurationTable
        AgentTableName: !Ref AgentTable
        ChatMessagesTableName: !Ref ChatMessagesTable
        ChatSessionsTableName: !Ref ChatSessionsTable
        IdHelperChatMemoryTableName: !Ref IdHelperChatMemoryTable
        DiscoveryTrackingTableName: !Ref DiscoveryTrackingTable
        
        # S3 Buckets
        InputBucketName: !Ref InputBucket
        OutputBucketName: !Ref OutputBucket
        ConfigurationBucketName: !Ref ConfigurationBucket
        TestSetBucketName: !Ref TestSetBucket
        EvaluationBaselineBucketName: !If
          - ShouldCreateEvaluationBaselineBucket
          - !Ref EvaluationBaselineBucket
          - !Ref EvaluationBaselineBucketName
        ReportingBucketName: !If
          - ShouldCreateReportingBucket
          - !Ref ReportingBucket
          - !Ref ReportingBucketName
        WorkingBucketName: !Ref WorkingBucket
        DiscoveryBucketName: !Ref DiscoveryBucket
        MultiDocDiscoveryStateMachineArn: !Ref MultiDocDiscoveryStateMachine
        
        # SQS Queues
        DocumentQueueUrl: !Ref DocumentQueue
        DiscoveryQueueUrl: !Ref DiscoveryQueue
        TestFileCopyQueueUrl: !Ref TestFileCopyQueue
        TestSetFileCopyQueueUrl: !Ref TestSetFileCopyQueue
        TestResultCacheUpdateQueueUrl: !Ref TestResultCacheUpdateQueue
        TestResultCacheUpdateQueueArn: !GetAtt TestResultCacheUpdateQueue.Arn
        
        # SQS Queue Names (for IAM policies)
        DocumentQueueName: !GetAtt DocumentQueue.QueueName
        DiscoveryQueueName: !GetAtt DiscoveryQueue.QueueName
        TestFileCopyQueueName: !GetAtt TestFileCopyQueue.QueueName
        TestSetFileCopyQueueName: !GetAtt TestSetFileCopyQueue.QueueName
        TestResultCacheUpdateQueueName: !GetAtt TestResultCacheUpdateQueue.QueueName
        
        # Other resources
        CustomerManagedEncryptionKeyArn: !GetAtt CustomerManagedEncryptionKey.Arn
        ReportingDatabaseName: !Ref ReportingDatabase
        LookupFunctionName: !Ref LookupFunction
        SaveReportingFunctionName: !Ref SaveReportingDataFunctionV2
        
        # Runtime settings (read from Parameter Store)
        SettingsParameterName: !Ref SettingsParameter
        
        # Configuration
        StackName: !Ref AWS::StackName
        LogRetentionDays: !Ref LogRetentionDays
        LogLevel: !Ref LogLevel
        DataRetentionInDays: !Ref DataRetentionInDays
        PermissionsBoundaryArn: !Ref PermissionsBoundaryArn
        ExecutionTimeThresholdMs: !Ref ExecutionTimeThresholdMs
        
        # Conditional parameters
        HasGuardrailConfig: !If [HasGuardrailConfig, "true", "false"]
        BedrockGuardrailId: !Ref BedrockGuardrailId
        BedrockGuardrailVersion: !Ref BedrockGuardrailVersion
        KnowledgeBaseModelId: !Ref KnowledgeBaseModelId
        ShouldCreateEvaluationBaselineBucket: !If [ShouldCreateEvaluationBaselineBucket, "true", "false"]
        ShouldCreateReportingBucket: !If [ShouldCreateReportingBucket, "true", "false"]
                
        # Lambda Layers
        IDPCommonBaseLayerArn: !Ref IDPCommonBaseLayer
        IDPCommonAgentsLayerArn: !Ref IDPCommonAgentsLayer
        
        # User management (for config-version scoping)
        UsersTableName: !Ref UsersTable
        UsersTableArn: !GetAtt UsersTable.Arn

        # Private AppSync VPC config (req #2) — passed to nested/appsync resolver Lambdas
        UsePrivateAppSync: !If [UsePrivateAppSync, "true", "false"]
        LambdaSubnetIds: !If
          - UsePrivateAppSync
          - !Join [",", !Ref LambdaSubnetIds]
          - ""
        LambdaSecurityGroupId: !If
          - UsePrivateAppSync
          - !Ref LambdaVpcSecurityGroup
          - ""

  CustomerManagedEncryptionKey:
    DependsOn:
      - IsStacknameLengthOK
    Type: AWS::KMS::Key
    Metadata:
      security-matrix:
        rules_to_suppress:
          - id: IAM-005
            reason: "No cross-account access - only same account root and AWS services"
          - id: KMS-007
            reason: "KMS monitoring not required for this IDP solution - comprehensive CloudWatch monitoring already in place"
          - id: KMS-002
            reason: "kms:* permission for account root is standard pattern for administrative access to KMS keys"
    Properties:
      Description: KMS key for DynamoDB encryption
      EnableKeyRotation: true
      KeyPolicy:
        Version: "2012-10-17"
        Statement:
          - Sid: Enable IAM User Permissions
            Effect: Allow
            Principal:
              AWS: !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:root"
            Action: kms:*
            Resource: "*"
          - Sid: Allow lambda to access the Keys
            Effect: Allow
            Principal:
              AWS: !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:root"
            Action:
              - kms:Encrypt
              - kms:Decrypt
              - kms:ReEncrypt*
              - kms:GenerateDataKey*
              - kms:DescribeKey
            Resource: "*"
          - Sid: Allow DynamoDB to use the key
            Effect: Allow
            Principal:
              Service: !Sub "dynamodb.${AWS::URLSuffix}"
            Action:
              - kms:Encrypt
              - kms:Decrypt
              - kms:ReEncrypt*
              - kms:GenerateDataKey*
              - kms:DescribeKey
            Resource: "*"
          - Sid: Allow CloudWatch Logs to use the key
            Effect: Allow
            Principal:
              Service: !Sub "logs.${AWS::URLSuffix}"
            Action:
              - kms:Encrypt
              - kms:Decrypt
              - kms:ReEncrypt*
              - kms:GenerateDataKey*
              - kms:DescribeKey
            Resource: "*"
          - !If
            - IsS3VectorsVectorStore
            - Sid: Allow S3 Vectors indexing service to use the key
              Effect: Allow
              Principal:
                Service: !Sub "indexing.s3vectors.${AWS::URLSuffix}"
              Action:
                - kms:Encrypt
                - kms:Decrypt
                - kms:ReEncrypt*
                - kms:GenerateDataKey*
                - kms:DescribeKey
              Resource: "*"
            - !Ref AWS::NoValue

  CustomerManagedEncryptionKeyAlias:
    Type: AWS::KMS::Alias
    Properties:
      AliasName: !Sub "alias/${AWS::StackName}-customer-encryption-key"
      TargetKeyId: !Ref CustomerManagedEncryptionKey

  ##########################################################################
  # Lambda Layers for idp_common package
  ##########################################################################

  IDPCommonBaseLayer:
    Type: AWS::Lambda::LayerVersion
    Properties:
      LayerName: !Sub "${AWS::StackName}-idp-common-base"
      Description: "IDP Common base layer (core + docs_service + image)"
      Content:
        S3Bucket: "<ARTIFACT_BUCKET_TOKEN>"
        S3Key: "<ARTIFACT_PREFIX_TOKEN>/layers/<IDP_COMMON_BASE_LAYER_ZIP>"
      CompatibleRuntimes:
        - python3.12
        - python3.13

  IDPCommonReportingLayer:
    Type: AWS::Lambda::LayerVersion
    Properties:
      LayerName: !Sub "${AWS::StackName}-idp-common-reporting"
      Description: "IDP Common reporting layer (core + docs_service + reporting)"
      Content:
        S3Bucket: "<ARTIFACT_BUCKET_TOKEN>"
        S3Key: "<ARTIFACT_PREFIX_TOKEN>/layers/<IDP_COMMON_REPORTING_LAYER_ZIP>"
      CompatibleRuntimes:
        - python3.12
        - python3.13

  IDPCommonAgentsLayer:
    Type: AWS::Lambda::LayerVersion
    Properties:
      LayerName: !Sub "${AWS::StackName}-idp-common-agents"
      Description: "IDP Common agents layer (core + agents)"
      Content:
        S3Bucket: "<ARTIFACT_BUCKET_TOKEN>"
        S3Key: "<ARTIFACT_PREFIX_TOKEN>/layers/<IDP_COMMON_AGENTS_LAYER_ZIP>"
      CompatibleRuntimes:
        - python3.12
        - python3.13

  # IDPCommonMultiDocDiscoveryLayer removed — dependencies exceed 250MB Lambda layer limit.
  # Multi-doc discovery Lambdas now use container images via nested/multi-doc-discovery stack.

  ##########################################################################
  # MCP Content Bucket for base64 document processing
  ##########################################################################

  MCPContentBucket:
    Type: AWS::S3::Bucket
    UpdateReplacePolicy: Retain
    DeletionPolicy: RetainExceptOnCreate
    Properties:
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: aws:kms
              KMSMasterKeyID: !Ref CustomerManagedEncryptionKey
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      VersioningConfiguration:
        Status: Enabled
      LoggingConfiguration:
        DestinationBucketName: !Ref LoggingBucket
        LogFilePrefix: mcp-content-bucket-logs/
      LifecycleConfiguration:
        Rules:
          - Id: DeleteMCPTempFiles
            Status: Enabled
            Prefix: mcp-temp/
            ExpirationInDays: 7
            AbortIncompleteMultipartUpload:
              DaysAfterInitiation: 1

  MCPContentBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref MCPContentBucket
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: EnforceSSLOnly
            Effect: Deny
            Principal: "*"
            Action: "s3:*"
            Resource:
              - !Sub "${MCPContentBucket.Arn}/*"
              - !Sub "${MCPContentBucket.Arn}"
            Condition:
              Bool:
                "aws:SecureTransport": false

  ##########################################################################
  # S3 buckets for data processing, webUI static assets, and logging
  ##########################################################################

  LoggingBucket:
    DependsOn:
      - IsStacknameLengthOK
    Type: AWS::S3::Bucket
    UpdateReplacePolicy: Retain
    Metadata:
      cfn_nag:
        rules_to_suppress:
          - id: W35
            reason: "This is the logging destination bucket - does not require its own access logging"
      security-matrix:
        rules_to_suppress:
          - id: S3-001
            reason: "This is the logging destination bucket - does not require its own access logging"
    # checkov:skip=CKV_AWS_18: "This is the logging destination bucket - does not require its own access logging"
    DeletionPolicy: Retain
    Properties:
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      # see https://stackoverflow.com/questions/70645117/enable-s3-acl-access-for-cloudfront-logs
      # for configuration required by CloudFront logging
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      OwnershipControls:
        Rules:
          - ObjectOwnership: BucketOwnerPreferred # to enable CloudFront to write logs
      VersioningConfiguration:
        Status: Enabled
      LifecycleConfiguration:
        Rules:
          - Id: DeleteOldLogs
            Status: Enabled
            ExpirationInDays: 180
            Prefix: "" # Applies to all objects in the bucket
            AbortIncompleteMultipartUpload:
              DaysAfterInitiation: 7

  LoggingBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Metadata:
      security-matrix:
        rules_to_suppress:
          - id: IAM-005
            reason: "Already has aws:SourceAccount condition for confused deputy prevention"
    Properties:
      Bucket: !Ref LoggingBucket
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: AllowS3ServerAccessLogs
            Effect: Allow
            Principal:
              Service: !Sub "logging.s3.${AWS::URLSuffix}"
            Action:
              - s3:PutObject
            Resource: !Sub "${LoggingBucket.Arn}/*"
            Condition:
              StringEquals:
                "aws:SourceAccount": !Ref "AWS::AccountId"
          - Sid: AllowCloudFrontLogs
            Effect: Allow
            Principal:
              Service: !Sub "cloudfront.${AWS::URLSuffix}"
            Action:
              - s3:PutObject
            Resource: !Sub "${LoggingBucket.Arn}/*"
            Condition:
              StringEquals:
                "AWS:SourceAccount": !Ref "AWS::AccountId"
          - !If
            - UseALBHosting
            - Sid: AllowALBAccessLogs
              Effect: Allow
              Principal:
                Service: !Sub "logdelivery.elasticloadbalancing.${AWS::URLSuffix}"
              Action:
                - s3:PutObject
              Resource: !Sub "${LoggingBucket.Arn}/alb-access-logs/*"
              Condition:
                StringEquals:
                  "aws:SourceAccount": !Ref "AWS::AccountId"
            - !Ref AWS::NoValue
          - !If
            - UseALBHosting
            - Sid: AllowALBAccessLogsBucketACL
              Effect: Allow
              Principal:
                Service: !Sub "logdelivery.elasticloadbalancing.${AWS::URLSuffix}"
              Action:
                - s3:GetBucketAcl
              Resource: !Sub "${LoggingBucket.Arn}"
              Condition:
                StringEquals:
                  "aws:SourceAccount": !Ref "AWS::AccountId"
            - !Ref AWS::NoValue
          - Sid: EnforceSSLOnly
            Effect: Deny
            Principal: "*"
            Action: "s3:*"
            Resource:
              - !Sub "${LoggingBucket.Arn}/*"
              - !Sub "${LoggingBucket.Arn}"
            Condition:
              Bool:
                "aws:SecureTransport": false

  DiscoveryBucket:
    Type: AWS::S3::Bucket
    UpdateReplacePolicy: Retain
    DeletionPolicy: RetainExceptOnCreate
    Properties:
      NotificationConfiguration:
        EventBridgeConfiguration:
          EventBridgeEnabled: true
      CorsConfiguration:
        CorsRules:
          - AllowedHeaders:
              - "Content-Type"
              - "x-amz-content-sha256"
              - "x-amz-date"
              - "Authorization"
              - "x-amz-security-token"
            AllowedMethods:
              - PUT
              - POST
            AllowedOrigins:
              - !If
                - UseCloudFrontHosting
                - !Sub "https://${CloudFrontDistribution.DomainName}"
                - !GetAtt ALBHOSTINGSTACK.Outputs.WebUIURL
              # For local development only
              - "http://localhost:3000"
            ExposedHeaders:
              - "ETag"
              - "x-amz-server-side-encryption"
            MaxAge: 3000
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: aws:kms
              KMSMasterKeyID: !Ref CustomerManagedEncryptionKey
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      VersioningConfiguration:
        Status: Enabled
      LoggingConfiguration:
        DestinationBucketName: !Ref LoggingBucket
        LogFilePrefix: discov-bucket-logs/
      LifecycleConfiguration:
        Rules:
          - Id: DeleteAfterNDays
            Status: Enabled
            ExpirationInDays: !Ref DataRetentionInDays
            AbortIncompleteMultipartUpload:
              DaysAfterInitiation: 1

  DiscoveryBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref DiscoveryBucket
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: EnforceSSLOnly
            Effect: Deny
            Principal: "*"
            Action: "s3:*"
            Resource:
              - !Sub "${DiscoveryBucket.Arn}/*"
              - !Sub "${DiscoveryBucket.Arn}"
            Condition:
              Bool:
                "aws:SecureTransport": false

  InputBucket:
    Type: AWS::S3::Bucket
    UpdateReplacePolicy: Retain
    DeletionPolicy: RetainExceptOnCreate
    Properties:
      NotificationConfiguration:
        EventBridgeConfiguration:
          EventBridgeEnabled: true
      CorsConfiguration:
        CorsRules:
          - AllowedHeaders:
              - "Content-Type"
              - "x-amz-content-sha256"
              - "x-amz-date"
              - "Authorization"
              - "x-amz-security-token"
              - "x-amz-meta-config-version"
            # GET / HEAD are required so the Web UI can read objects via presigned
            # URLs — e.g. the Document Details "Download" button, which fetches
            # document assets directly from S3 into a client-side ZIP.
            AllowedMethods:
              - PUT
              - POST
              - GET
              - HEAD
            AllowedOrigins:
              - !If
                - UseCloudFrontHosting
                - !Sub "https://${CloudFrontDistribution.DomainName}"
                - !GetAtt ALBHOSTINGSTACK.Outputs.WebUIURL
              # For local development only
              - "http://localhost:3000"
            ExposedHeaders:
              - "ETag"
              - "x-amz-server-side-encryption"
            MaxAge: 3000
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: aws:kms
              KMSMasterKeyID: !Ref CustomerManagedEncryptionKey
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      VersioningConfiguration:
        Status: Enabled
      LoggingConfiguration:
        DestinationBucketName: !Ref LoggingBucket
        LogFilePrefix: input-bucket-logs/
      LifecycleConfiguration:
        Rules:
          - Id: DeleteAfterNDays
            Status: Enabled
            ExpirationInDays: !Ref DataRetentionInDays
            AbortIncompleteMultipartUpload:
              DaysAfterInitiation: 1

  InputBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref InputBucket
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: EnforceSSLOnly
            Effect: Deny
            Principal: "*"
            Action: "s3:*"
            Resource:
              - !Sub "${InputBucket.Arn}/*"
              - !Sub "${InputBucket.Arn}"
            Condition:
              Bool:
                "aws:SecureTransport": false

  StagingBucket:
    Type: AWS::S3::Bucket
    Condition: DeployApiGateway
    UpdateReplacePolicy: Delete
    DeletionPolicy: Delete
    Properties:
      NotificationConfiguration:
        EventBridgeConfiguration:
          EventBridgeEnabled: true
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: aws:kms
              KMSMasterKeyID: !Ref CustomerManagedEncryptionKey
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      VersioningConfiguration:
        Status: Enabled
      LoggingConfiguration:
        DestinationBucketName: !Ref LoggingBucket
        LogFilePrefix: staging-bucket-logs/
      LifecycleConfiguration:
        Rules:
          - Id: DeleteAfterNDays
            Status: Enabled
            ExpirationInDays: !Ref DataRetentionInDays
            AbortIncompleteMultipartUpload:
              DaysAfterInitiation: 1

  StagingBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Condition: DeployApiGateway
    Properties:
      Bucket: !Ref StagingBucket
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: EnforceSSLOnly
            Effect: Deny
            Principal: "*"
            Action: "s3:*"
            Resource:
              - !Sub "${StagingBucket.Arn}/*"
              - !Sub "${StagingBucket.Arn}"
            Condition:
              Bool:
                "aws:SecureTransport": false

  TestSetBucket:
    Type: AWS::S3::Bucket
    UpdateReplacePolicy: Retain
    DeletionPolicy: Retain
    Properties:
      CorsConfiguration:
        CorsRules:
          - AllowedHeaders:
              - "Content-Type"
              - "x-amz-content-sha256"
              - "x-amz-date"
              - "Authorization"
              - "x-amz-security-token"
            AllowedMethods:
              - PUT
              - POST
            AllowedOrigins:
              - !If
                - UseCloudFrontHosting
                - !Sub "https://${CloudFrontDistribution.DomainName}"
                - !GetAtt ALBHOSTINGSTACK.Outputs.WebUIURL
              # For local development only
              - "http://localhost:3000"
            ExposedHeaders:
              - "ETag"
              - "x-amz-server-side-encryption"
            MaxAge: 3000
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: aws:kms
              KMSMasterKeyID: !Ref CustomerManagedEncryptionKey
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      VersioningConfiguration:
        Status: Enabled
      LoggingConfiguration:
        DestinationBucketName: !Ref LoggingBucket
        LogFilePrefix: test-set-bucket-logs/
      LifecycleConfiguration:
        Rules:
          - Id: DeleteAfterNDays
            Status: Enabled
            ExpirationInDays: !Ref DataRetentionInDays
            AbortIncompleteMultipartUpload:
              DaysAfterInitiation: 1

  TestSetBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref TestSetBucket
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: EnforceSSLOnly
            Effect: Deny
            Principal: "*"
            Action: "s3:*"
            Resource:
              - !Sub "${TestSetBucket.Arn}/*"
              - !Sub "${TestSetBucket.Arn}"
            Condition:
              Bool:
                "aws:SecureTransport": false

  ##########################################################################
  # TestSetBucket Auto-Delete - Empties bucket before CloudFormation deletion
  ##########################################################################

  TestSetBucketAutoDeleteFunction:
    Type: AWS::Serverless::Function
    Metadata:
      cfn_nag:
        rules_to_suppress:
          - id: W89
            reason: "Function does not require VPC access as it only interacts with AWS services via APIs"
          - id: W92
            reason: "Function does not require reserved concurrency as it scales based on demand"
    # checkov:skip=CKV_AWS_116: "DLQ not required for Cfn Custom Resource function"
    # checkov:skip=CKV_AWS_117: "Function does not require VPC access as it only interacts with AWS services via APIs"
    # checkov:skip=CKV_AWS_115: "Function does not require reserved concurrency as it scales based on demand"
    Properties:
      PermissionsBoundary:
        !If [
          HasPermissionsBoundary,
          !Ref PermissionsBoundaryArn,
          !Ref AWS::NoValue,
        ]
      Handler: index.handler
      Runtime: python3.12
      Timeout: 900
      MemorySize: 512
      VpcConfig:
        !If
          - DeployInVPC
          - SecurityGroupIds:
              - !Ref LambdaSecurityGroupId
            SubnetIds: !Ref PrivateSubnetIds
          - !Ref AWS::NoValue
      InlineCode: |
        import boto3
        import cfnresponse
        import json
        import logging

        logger = logging.getLogger()
        logger.setLevel(logging.INFO)

        def handler(event, context):
            logger.info(json.dumps(event))
            
            try:
                bucket_name = event['ResourceProperties']['BucketName']
                
                if event['RequestType'] == 'Delete':
                    logger.info(f"Emptying bucket {bucket_name} before deletion")
                    s3 = boto3.resource('s3')
                    bucket = s3.Bucket(bucket_name)
                    
                    # Delete all objects including versions
                    bucket.object_versions.all().delete()
                    logger.info(f"Successfully emptied bucket {bucket_name}")
                
                cfnresponse.send(event, context, cfnresponse.SUCCESS, {})
                
            except Exception as e:
                logger.error(f"Error: {str(e)}")
                # On delete, we want to succeed even if there's an error
                # to avoid blocking stack deletion
                if event['RequestType'] == 'Delete':
                    cfnresponse.send(event, context, cfnresponse.SUCCESS, {}, 
                                   reason=f"Bucket cleanup attempted: {str(e)}")
                else:
                    cfnresponse.send(event, context, cfnresponse.SUCCESS, {})
      LoggingConfig:
        LogGroup: !Ref TestSetBucketAutoDeleteFunctionLogGroup
      Policies:
        - Statement:
            - Effect: Allow
              Action:
                - s3:DeleteObject
                - s3:DeleteObjectVersion
                - s3:GetBucketVersioning
                - s3:ListBucket
                - s3:ListBucketVersions
              Resource:
                - !Sub "arn:${AWS::Partition}:s3:::${TestSetBucket}"
                - !Sub "arn:${AWS::Partition}:s3:::${TestSetBucket}/*"
            - Effect: Allow
              Action:
                - kms:Decrypt
                - kms:GenerateDataKey
              Resource: !GetAtt CustomerManagedEncryptionKey.Arn

  TestSetBucketAutoDeleteFunctionLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      KmsKeyId: !GetAtt CustomerManagedEncryptionKey.Arn
      RetentionInDays: !Ref LogRetentionDays

  TestSetBucketAutoDelete:
    Type: Custom::S3AutoDelete
    Properties:
      ServiceToken: !GetAtt TestSetBucketAutoDeleteFunction.Arn
      BucketName: !Ref TestSetBucket

  ##########################################################################
  # FCC Dataset Deployer - Automatically deploys RealKIE-FCC-Verified dataset
  ##########################################################################

  FccDatasetDeployerLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      KmsKeyId: !GetAtt CustomerManagedEncryptionKey.Arn
      RetentionInDays: !Ref LogRetentionDays

  FccDatasetDeployerFunction:
    Type: AWS::Serverless::Function
    Metadata:
      cfn_nag:
        rules_to_suppress:
          - id: W89
            reason: "Function does not require VPC access as it only interacts with AWS services via APIs"
          - id: W92
            reason: "Function does not require reserved concurrency as it scales based on demand"
    # checkov:skip=CKV_AWS_116: "DLQ not required for Cfn Custom Resource function"
    # checkov:skip=CKV_AWS_117: "Function does not require VPC access as it only interacts with AWS services via APIs"
    # checkov:skip=CKV_AWS_115: "Function does not require reserved concurrency as it scales based on demand"
    # checkov:skip=CKV_AWS_173: "Environment variables do not contain sensitive data - only configuration values like feature flags and non-sensitive settings"
    Properties:
      PermissionsBoundary:
        !If [
          HasPermissionsBoundary,
          !Ref PermissionsBoundaryArn,
          !Ref AWS::NoValue,
        ]
      FunctionName: !Sub "${AWS::StackName}-FccDatasetDeployer"
      CodeUri: src/lambda/fcc_dataset_deployer/
      Handler: index.handler
      Runtime: python3.12
      Timeout: 900
      MemorySize: 2048
      VpcConfig:
        !If
          - DeployInVPC
          - SecurityGroupIds:
              - !Ref LambdaSecurityGroupId
            SubnetIds: !Ref PrivateSubnetIds
          - !Ref AWS::NoValue
      LoggingConfig:
        LogGroup: !Ref FccDatasetDeployerLogGroup
      Environment:
        Variables:
          LOG_LEVEL: !Ref LogLevel
          TESTSET_BUCKET: !Ref TestSetBucket
          TRACKING_TABLE: !Ref TrackingTable
      Policies:
        - S3CrudPolicy:
            BucketName: !Ref TestSetBucket
        - DynamoDBCrudPolicy:
            TableName: !Ref TrackingTable
        - Statement:
            - Effect: Allow
              Action:
                - kms:Encrypt
                - kms:Decrypt
                - kms:ReEncrypt*
                - kms:GenerateDataKey*
                - kms:DescribeKey
              Resource: !GetAtt CustomerManagedEncryptionKey.Arn

  FccDatasetDeployment:
    Type: Custom::FccDatasetDeployer
    DependsOn:
      - TestSetBucket
      - TrackingTable
    Properties:
      ServiceToken: !GetAtt FccDatasetDeployerFunction.Arn
      DatasetVersion: "1.1"
      DatasetName: "RealKIE-FCC-Verified"
      DatasetDescription: "Test set with single and multi-page invoices sourced from the Federal Communications Commission (FCC) to evaluate extraction performance."
      SourceCodeHash: <FCC_DATASET_DEPLOYER_HASH_TOKEN>

  ##########################################################################
  # OCR Benchmark Deployer - Automatically deploys OmniAI OCR Benchmark dataset
  ##########################################################################

  OcrBenchmarkDeployerLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      KmsKeyId: !GetAtt CustomerManagedEncryptionKey.Arn
      RetentionInDays: !Ref LogRetentionDays

  OcrBenchmarkDeployerFunction:
    Type: AWS::Serverless::Function
    Metadata:
      cfn_nag:
        rules_to_suppress:
          - id: W89
            reason: "Function does not require VPC access as it only interacts with AWS services via APIs"
          - id: W92
            reason: "Function does not require reserved concurrency as it scales based on demand"
    # checkov:skip=CKV_AWS_116: "DLQ not required for Cfn Custom Resource function"
    # checkov:skip=CKV_AWS_117: "Function does not require VPC access as it only interacts with AWS services via APIs"
    # checkov:skip=CKV_AWS_115: "Function does not require reserved concurrency as it scales based on demand"
    # checkov:skip=CKV_AWS_173: "Environment variables do not contain sensitive data - only configuration values like feature flags and non-sensitive settings"
    Properties:
      PermissionsBoundary:
        !If [
          HasPermissionsBoundary,
          !Ref PermissionsBoundaryArn,
          !Ref AWS::NoValue,
        ]
      FunctionName: !Sub "${AWS::StackName}-OcrBenchmarkDeployer"
      CodeUri: src/lambda/ocr_benchmark_deployer/
      Handler: index.handler
      Runtime: python3.12
      Timeout: 900
      MemorySize: 2048
      VpcConfig:
        !If
          - DeployInVPC
          - SecurityGroupIds:
              - !Ref LambdaSecurityGroupId
            SubnetIds: !Ref PrivateSubnetIds
          - !Ref AWS::NoValue
      LoggingConfig:
        LogGroup: !Ref OcrBenchmarkDeployerLogGroup
      Environment:
        Variables:
          LOG_LEVEL: !Ref LogLevel
          TESTSET_BUCKET: !Ref TestSetBucket
          TRACKING_TABLE: !Ref TrackingTable
      Policies:
        - S3CrudPolicy:
            BucketName: !Ref TestSetBucket
        - DynamoDBCrudPolicy:
            TableName: !Ref TrackingTable
        - Statement:
            - Effect: Allow
              Action:
                - kms:Encrypt
                - kms:Decrypt
                - kms:ReEncrypt*
                - kms:GenerateDataKey*
                - kms:DescribeKey
              Resource: !GetAtt CustomerManagedEncryptionKey.Arn

  OcrBenchmarkDeployment:
    Type: Custom::OcrBenchmarkDeployer
    DependsOn:
      - TestSetBucket
      - TrackingTable
    Properties:
      ServiceToken: !GetAtt OcrBenchmarkDeployerFunction.Arn
      DatasetVersion: "1.0"
      DatasetName: "OmniAI-OCR-Benchmark"
      DatasetDescription: "Test set with diverse document formats (tables, charts, forms, etc.) from the OmniAI OCR Benchmark, filtered for top format/schema pairs with at least 6 samples each."
      SourceCodeHash: <OCR_BENCHMARK_DEPLOYER_HASH_TOKEN>

  ##########################################################################
  # RVL-CDIP-NMP Packet Deployer - Automatically deploys packet TestSet
  ##########################################################################

  RvlCdipNmpDeployerLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      KmsKeyId: !GetAtt CustomerManagedEncryptionKey.Arn
      RetentionInDays: !Ref LogRetentionDays

  RvlCdipNmpDeployerFunction:
    Type: AWS::Serverless::Function
    Metadata:
      cfn_nag:
        rules_to_suppress:
          - id: W89
            reason: "Function does not require VPC access as it only interacts with AWS services via APIs"
          - id: W92
            reason: "Function does not require reserved concurrency as it scales based on demand"
    # checkov:skip=CKV_AWS_116: "DLQ not required for Cfn Custom Resource function"
    # checkov:skip=CKV_AWS_117: "Function does not require VPC access as it only interacts with AWS services via APIs"
    # checkov:skip=CKV_AWS_115: "Function does not require reserved concurrency as it scales based on demand"
    # checkov:skip=CKV_AWS_173: "Environment variables do not contain sensitive data - only configuration values like feature flags and non-sensitive settings"
    Properties:
      PermissionsBoundary:
        !If [
          HasPermissionsBoundary,
          !Ref PermissionsBoundaryArn,
          !Ref AWS::NoValue,
        ]
      FunctionName: !Sub "${AWS::StackName}-RvlCdipNmpDeployer"
      CodeUri: src/lambda/docsplit_testset_deployer/
      Handler: index.handler
      Runtime: python3.12
      Timeout: 900
      MemorySize: 3008
      EphemeralStorage:
        Size: 10240
      VpcConfig:
        !If
          - DeployInVPC
          - SecurityGroupIds:
              - !Ref LambdaSecurityGroupId
            SubnetIds: !Ref PrivateSubnetIds
          - !Ref AWS::NoValue
      LoggingConfig:
        LogGroup: !Ref RvlCdipNmpDeployerLogGroup
      Environment:
        Variables:
          LOG_LEVEL: !Ref LogLevel
          TESTSET_BUCKET: !Ref TestSetBucket
          TRACKING_TABLE: !Ref TrackingTable
      Policies:
        - S3CrudPolicy:
            BucketName: !Ref TestSetBucket
        - DynamoDBCrudPolicy:
            TableName: !Ref TrackingTable
        - Statement:
            - Effect: Allow
              Action:
                - kms:Encrypt
                - kms:Decrypt
                - kms:ReEncrypt*
                - kms:GenerateDataKey*
                - kms:DescribeKey
              Resource: !GetAtt CustomerManagedEncryptionKey.Arn

  RvlCdipNmpDeployment:
    Type: Custom::RvlCdipNmpDeployer
    DependsOn:
      - TestSetBucket
      - TrackingTable
    Properties:
      ServiceToken: !GetAtt RvlCdipNmpDeployerFunction.Arn
      DatasetVersion: "0.1"
      DatasetName: "RVL-CDIP-NMP-Packets"
      DatasetDescription: "Test set with 500 multi-page document packets combining 13 document types (budget, email, form, handwritten, invoice, language, letter, memo, news article, questionnaire, resume, scientific publication, specification) for classification and document splitting evaluation."
      SourceCodeHash: <docsplit_testset_deployer_HASH_TOKEN>

  ##########################################################################
  # W2 Dataset Deployer - Automatically deploys Fake W-2 Tax Form dataset
  ##########################################################################

  W2DatasetDeployerLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      KmsKeyId: !GetAtt CustomerManagedEncryptionKey.Arn
      RetentionInDays: !Ref LogRetentionDays

  W2DatasetDeployerFunction:
    Type: AWS::Serverless::Function
    Metadata:
      cfn_nag:
        rules_to_suppress:
          - id: W89
            reason: "Function does not require VPC access as it only interacts with AWS services via APIs"
          - id: W92
            reason: "Function does not require reserved concurrency as it scales based on demand"
    # checkov:skip=CKV_AWS_116: "DLQ not required for Cfn Custom Resource function"
    # checkov:skip=CKV_AWS_117: "Function does not require VPC access as it only interacts with AWS services via APIs"
    # checkov:skip=CKV_AWS_115: "Function does not require reserved concurrency as it scales based on demand"
    # checkov:skip=CKV_AWS_173: "Environment variables do not contain sensitive data - only configuration values like feature flags and non-sensitive settings"
    Properties:
      PermissionsBoundary:
        !If [
          HasPermissionsBoundary,
          !Ref PermissionsBoundaryArn,
          !Ref AWS::NoValue,
        ]
      FunctionName: !Sub "${AWS::StackName}-W2DatasetDeployer"
      CodeUri: src/lambda/w2_dataset_deployer/
      Handler: index.handler
      Runtime: python3.12
      Timeout: 900
      MemorySize: 3008
      EphemeralStorage:
        Size: 10240
      LoggingConfig:
        LogGroup: !Ref W2DatasetDeployerLogGroup
      Environment:
        Variables:
          LOG_LEVEL: !Ref LogLevel
          TESTSET_BUCKET: !Ref TestSetBucket
          TRACKING_TABLE: !Ref TrackingTable
      Policies:
        - S3CrudPolicy:
            BucketName: !Ref TestSetBucket
        - DynamoDBCrudPolicy:
            TableName: !Ref TrackingTable
        - Statement:
            - Effect: Allow
              Action:
                - kms:Encrypt
                - kms:Decrypt
                - kms:ReEncrypt*
                - kms:GenerateDataKey*
                - kms:DescribeKey
              Resource: !GetAtt CustomerManagedEncryptionKey.Arn

  W2DatasetDeployment:
    Type: Custom::W2DatasetDeployer
    DependsOn:
      - TestSetBucket
      - TrackingTable
    Properties:
      ServiceToken: !GetAtt W2DatasetDeployerFunction.Arn
      DatasetVersion: "1.0"
      DatasetName: "Fake-W2-Tax-Forms"
      DatasetDescription: "Test set with 2,000 synthetic US W-2 tax form images and 45-field structured ground truth for extraction evaluation. Source: HuggingFace singhsays/fake-w2-us-tax-form-dataset (CC0: Public Domain)."
      SourceCodeHash: <w2_dataset_deployer_HASH_TOKEN>

  ConfigurationBucket:
    Type: AWS::S3::Bucket
    UpdateReplacePolicy: Retain
    DeletionPolicy: Retain
    Properties:
      NotificationConfiguration:
        EventBridgeConfiguration:
          EventBridgeEnabled: true
      CorsConfiguration:
        CorsRules:
          - AllowedHeaders:
              - "Content-Type"
              - "x-amz-content-sha256"
              - "x-amz-date"
              - "Authorization"
              - "x-amz-security-token"
            AllowedMethods:
              - PUT
              - POST
            AllowedOrigins:
              - !If
                - UseCloudFrontHosting
                - !Sub "https://${CloudFrontDistribution.DomainName}"
                - !GetAtt ALBHOSTINGSTACK.Outputs.WebUIURL
              # For local development only
              - "http://localhost:3000"
            ExposedHeaders:
              - "ETag"
              - "x-amz-server-side-encryption"
            MaxAge: 3000
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: aws:kms
              KMSMasterKeyID: !Ref CustomerManagedEncryptionKey
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      VersioningConfiguration:
        Status: Enabled
      LoggingConfiguration:
        DestinationBucketName: !Ref LoggingBucket
        LogFilePrefix: input-bucket-logs/
      LifecycleConfiguration:
        Rules:
          - Id: DeleteAfterNDays
            Status: Enabled
            ExpirationInDays: !Ref DataRetentionInDays
            AbortIncompleteMultipartUpload:
              DaysAfterInitiation: 1

  ConfigurationBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref ConfigurationBucket
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: EnforceSSLOnly
            Effect: Deny
            Principal: "*"
            Action: "s3:*"
            Resource:
              - !Sub "${ConfigurationBucket.Arn}/*"
              - !Sub "${ConfigurationBucket.Arn}"
            Condition:
              Bool:
                "aws:SecureTransport": false

  WorkingBucket:
    Type: AWS::S3::Bucket
    UpdateReplacePolicy: Retain
    DeletionPolicy: RetainExceptOnCreate
    Properties:
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: aws:kms
              KMSMasterKeyID: !Ref CustomerManagedEncryptionKey
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      VersioningConfiguration:
        Status: Enabled
      LoggingConfiguration:
        DestinationBucketName: !Ref LoggingBucket
        LogFilePrefix: working-bucket-logs/
      LifecycleConfiguration:
        Rules:
          - Id: DeleteAfterNDays
            Status: Enabled
            # Since bucket is for intermediate storage only, use log retention rather than data retention period
            ExpirationInDays: !Ref LogRetentionDays
            AbortIncompleteMultipartUpload:
              DaysAfterInitiation: 1

  WorkingBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref WorkingBucket
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: EnforceSSLOnly
            Effect: Deny
            Principal: "*"
            Action: "s3:*"
            Resource:
              - !Sub "${WorkingBucket.Arn}/*"
              - !Sub "${WorkingBucket.Arn}"
            Condition:
              Bool:
                "aws:SecureTransport": false

  OutputBucket:
    Type: AWS::S3::Bucket
    UpdateReplacePolicy: Retain
    DeletionPolicy: RetainExceptOnCreate
    Properties:
      CorsConfiguration:
        CorsRules:
          - AllowedHeaders:
              - "Content-Type"
              - "x-amz-content-sha256"
              - "x-amz-date"
              - "Authorization"
              - "x-amz-security-token"
            # GET / HEAD are required so the Web UI can read objects via presigned
            # URLs — e.g. the Document Details "Download" button, which fetches
            # document outputs (section results, page text, summaries, page images)
            # directly from S3 into a client-side ZIP.
            AllowedMethods:
              - PUT
              - POST
              - GET
              - HEAD
            AllowedOrigins:
              - !If
                - UseCloudFrontHosting
                - !Sub "https://${CloudFrontDistribution.DomainName}"
                - !GetAtt ALBHOSTINGSTACK.Outputs.WebUIURL
              # For local development only
              - "http://localhost:3000"
            ExposedHeaders:
              - "ETag"
              - "x-amz-server-side-encryption"
            MaxAge: 3000
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: aws:kms
              KMSMasterKeyID: !Ref CustomerManagedEncryptionKey
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      VersioningConfiguration:
        Status: Enabled
      LoggingConfiguration:
        DestinationBucketName: !Ref LoggingBucket
        LogFilePrefix: output-bucket-logs/
      LifecycleConfiguration:
        Rules:
          - Id: DeleteAfterNDays
            Status: Enabled
            ExpirationInDays: !Ref DataRetentionInDays
            AbortIncompleteMultipartUpload:
              DaysAfterInitiation: 1

  OutputBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref OutputBucket
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: EnforceSSLOnly
            Effect: Deny
            Principal: "*"
            Action: "s3:*"
            Resource:
              - !Sub "${OutputBucket.Arn}/*"
              - !Sub "${OutputBucket.Arn}"
            Condition:
              Bool:
                "aws:SecureTransport": false

  ReportingBucket:
    Type: AWS::S3::Bucket
    Condition: ShouldCreateReportingBucket
    UpdateReplacePolicy: Retain
    DeletionPolicy: RetainExceptOnCreate
    Properties:
      CorsConfiguration:
        CorsRules:
          - AllowedHeaders:
              - "Content-Type"
              - "x-amz-content-sha256"
              - "x-amz-date"
              - "Authorization"
              - "x-amz-security-token"
            AllowedMethods:
              - PUT
              - POST
            AllowedOrigins:
              - !If
                - UseCloudFrontHosting
                - !Sub "https://${CloudFrontDistribution.DomainName}"
                - !GetAtt ALBHOSTINGSTACK.Outputs.WebUIURL
              # For local development only
              - "http://localhost:3000"
            ExposedHeaders:
              - "ETag"
              - "x-amz-server-side-encryption"
            MaxAge: 3000
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: aws:kms
              KMSMasterKeyID: !Ref CustomerManagedEncryptionKey
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      VersioningConfiguration:
        Status: Enabled
      LoggingConfiguration:
        DestinationBucketName: !Ref LoggingBucket
        LogFilePrefix: reporting-bucket-logs/
      LifecycleConfiguration:
        Rules:
          - Id: DeleteAfterNDays
            Status: Enabled
            ExpirationInDays: !Ref DataRetentionInDays
            AbortIncompleteMultipartUpload:
              DaysAfterInitiation: 1

  ReportingBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Condition: ShouldCreateReportingBucket
    Properties:
      Bucket: !Ref ReportingBucket
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: EnforceSSLOnly
            Effect: Deny
            Principal: "*"
            Action: "s3:*"
            Resource:
              - !Sub "${ReportingBucket.Arn}/*"
              - !Sub "${ReportingBucket.Arn}"
            Condition:
              Bool:
                "aws:SecureTransport": false

  GetLowercase:
    Type: Custom::GetLowercase
    Properties:
      ServiceToken: !GetAtt GetDomainLambda.Arn
      InputString: !Ref AWS::StackName

  ReportingDatabase:
    Type: AWS::Glue::Database
    Properties:
      CatalogId: !Ref AWS::AccountId
      DatabaseInput:
        Name: !Sub "${GetLowercase.Lowercase}-reporting-db"
        Description: "Database for evaluation results"

  DocumentEvaluationsTable:
    Type: AWS::Glue::Table
    Properties:
      CatalogId: !Ref AWS::AccountId
      DatabaseName: !Ref ReportingDatabase
      TableInput:
        Name: "document_evaluations"
        Description: "Table for document-level evaluation metrics"
        TableType: "EXTERNAL_TABLE"
        Parameters:
          classification: "parquet"
          typeOfData: "file"
          projection.enabled: "true"
          projection.date.type: "date"
          projection.date.format: "yyyy-MM-dd"
          projection.date.range: "2024-01-01,2030-12-31"
          projection.date.interval: "1"
          projection.date.interval.unit: "DAYS"
          storage.location.template: !Sub
            - "s3://${Bucket}/evaluation_metrics/document_metrics/date=${date}/"
            - Bucket: !If
                - ShouldCreateReportingBucket
                - !Ref ReportingBucket
                - !Ref ReportingBucketName
              date: "${date}"
        StorageDescriptor:
          Location: !Sub
            - "s3://${Bucket}/evaluation_metrics/document_metrics/"
            - Bucket: !If
                - ShouldCreateReportingBucket
                - !Ref ReportingBucket
                - !Ref ReportingBucketName
          InputFormat: "org.apache.hadoop.hive.ql.io.parquet.MapredParquetInputFormat"
          OutputFormat: "org.apache.hadoop.hive.ql.io.parquet.MapredParquetOutputFormat"
          SerdeInfo:
            SerializationLibrary: "org.apache.hadoop.hive.ql.io.parquet.serde.ParquetHiveSerDe"
          Columns:
            - Name: document_id
              Type: string
            - Name: input_key
              Type: string
            - Name: evaluation_date
              Type: timestamp
            - Name: accuracy
              Type: double
            - Name: precision
              Type: double
            - Name: recall
              Type: double
            - Name: f1_score
              Type: double
            - Name: false_alarm_rate
              Type: double
            - Name: false_discovery_rate
              Type: double
            - Name: weighted_overall_score
              Type: double
            - Name: execution_time
              Type: double
            - Name: page_level_accuracy
              Type: double
            - Name: split_accuracy_without_order
              Type: double
            - Name: split_accuracy_with_order
              Type: double
            - Name: total_pages
              Type: int
            - Name: total_splits
              Type: int
            - Name: correctly_classified_pages
              Type: int
            - Name: correctly_split_without_order
              Type: int
            - Name: correctly_split_with_order
              Type: int
            - Name: config_version
              Type: string
          Compressed: true
        PartitionKeys:
          - Name: date
            Type: string

  SectionEvaluationsTable:
    Type: AWS::Glue::Table
    Properties:
      CatalogId: !Ref AWS::AccountId
      DatabaseName: !Ref ReportingDatabase
      TableInput:
        Name: "section_evaluations"
        Description: "Table for section-level evaluation metrics"
        TableType: "EXTERNAL_TABLE"
        Parameters:
          classification: "parquet"
          typeOfData: "file"
          projection.enabled: "true"
          projection.date.type: "date"
          projection.date.format: "yyyy-MM-dd"
          projection.date.range: "2024-01-01,2030-12-31"
          projection.date.interval: "1"
          projection.date.interval.unit: "DAYS"
          storage.location.template: !Sub
            - "s3://${Bucket}/evaluation_metrics/section_metrics/date=${date}/"
            - Bucket: !If
                - ShouldCreateReportingBucket
                - !Ref ReportingBucket
                - !Ref ReportingBucketName
              date: "${date}"
        StorageDescriptor:
          Location: !Sub
            - "s3://${Bucket}/evaluation_metrics/section_metrics/"
            - Bucket: !If
                - ShouldCreateReportingBucket
                - !Ref ReportingBucket
                - !Ref ReportingBucketName
          InputFormat: "org.apache.hadoop.hive.ql.io.parquet.MapredParquetInputFormat"
          OutputFormat: "org.apache.hadoop.hive.ql.io.parquet.MapredParquetOutputFormat"
          SerdeInfo:
            SerializationLibrary: "org.apache.hadoop.hive.ql.io.parquet.serde.ParquetHiveSerDe"
          Columns:
            - Name: document_id
              Type: string
            - Name: section_id
              Type: string
            - Name: section_type
              Type: string
            - Name: accuracy
              Type: double
            - Name: precision
              Type: double
            - Name: recall
              Type: double
            - Name: f1_score
              Type: double
            - Name: false_alarm_rate
              Type: double
            - Name: false_discovery_rate
              Type: double
            - Name: weighted_overall_score
              Type: double
            - Name: evaluation_date
              Type: timestamp
            - Name: config_version
              Type: string
          Compressed: true
        PartitionKeys:
          - Name: date
            Type: string

  AttributeEvaluationsTable:
    Type: AWS::Glue::Table
    Properties:
      CatalogId: !Ref AWS::AccountId
      DatabaseName: !Ref ReportingDatabase
      TableInput:
        Name: "attribute_evaluations"
        Description: "Table for attribute-level evaluation metrics"
        TableType: "EXTERNAL_TABLE"
        Parameters:
          classification: "parquet"
          typeOfData: "file"
          projection.enabled: "true"
          projection.date.type: "date"
          projection.date.format: "yyyy-MM-dd"
          projection.date.range: "2024-01-01,2030-12-31"
          projection.date.interval: "1"
          projection.date.interval.unit: "DAYS"
          storage.location.template: !Sub
            - "s3://${Bucket}/evaluation_metrics/attribute_metrics/date=${date}/"
            - Bucket: !If
                - ShouldCreateReportingBucket
                - !Ref ReportingBucket
                - !Ref ReportingBucketName
              date: "${date}"
        StorageDescriptor:
          Location: !Sub
            - "s3://${Bucket}/evaluation_metrics/attribute_metrics/"
            - Bucket: !If
                - ShouldCreateReportingBucket
                - !Ref ReportingBucket
                - !Ref ReportingBucketName
          InputFormat: "org.apache.hadoop.hive.ql.io.parquet.MapredParquetInputFormat"
          OutputFormat: "org.apache.hadoop.hive.ql.io.parquet.MapredParquetOutputFormat"
          SerdeInfo:
            SerializationLibrary: "org.apache.hadoop.hive.ql.io.parquet.serde.ParquetHiveSerDe"
          Columns:
            - Name: document_id
              Type: string
            - Name: section_id
              Type: string
            - Name: section_type
              Type: string
            - Name: attribute_name
              Type: string
            - Name: expected
              Type: string
            - Name: actual
              Type: string
            - Name: matched
              Type: boolean
            - Name: score
              Type: double
            - Name: reason
              Type: string
            - Name: evaluation_method
              Type: string
            - Name: confidence
              Type: string
            - Name: confidence_threshold
              Type: string
            - Name: weight
              Type: double
            - Name: evaluation_date
              Type: timestamp
            - Name: config_version
              Type: string
          Compressed: true
        PartitionKeys:
          - Name: date
            Type: string

  MeteringTable:
    Type: AWS::Glue::Table
    Properties:
      CatalogId: !Ref AWS::AccountId
      DatabaseName: !Ref ReportingDatabase
      TableInput:
        Name: "metering"
        Description: "Table for document metering data"
        TableType: "EXTERNAL_TABLE"
        Parameters:
          classification: "parquet"
          typeOfData: "file"
          projection.enabled: "true"
          projection.date.type: "date"
          projection.date.format: "yyyy-MM-dd"
          projection.date.range: "2024-01-01,2030-12-31"
          projection.date.interval: "1"
          projection.date.interval.unit: "DAYS"
          storage.location.template: !Sub
            - "s3://${Bucket}/metering/date=${date}/"
            - Bucket: !If
                - ShouldCreateReportingBucket
                - !Ref ReportingBucket
                - !Ref ReportingBucketName
              date: "${date}"
        StorageDescriptor:
          Location: !Sub
            - "s3://${Bucket}/metering/"
            - Bucket: !If
                - ShouldCreateReportingBucket
                - !Ref ReportingBucket
                - !Ref ReportingBucketName
          InputFormat: "org.apache.hadoop.hive.ql.io.parquet.MapredParquetInputFormat"
          OutputFormat: "org.apache.hadoop.hive.ql.io.parquet.MapredParquetOutputFormat"
          SerdeInfo:
            SerializationLibrary: "org.apache.hadoop.hive.ql.io.parquet.serde.ParquetHiveSerDe"
          Columns:
            - Name: document_id
              Type: string
            - Name: context
              Type: string
            - Name: service_api
              Type: string
            - Name: unit
              Type: string
            - Name: value
              Type: double
            - Name: number_of_pages
              Type: int
            - Name: unit_cost
              Type: double
            - Name: estimated_cost
              Type: double
            - Name: timestamp
              Type: timestamp
            - Name: config_version
              Type: string
          Compressed: true
        PartitionKeys:
          - Name: date
            Type: string

  DocumentSectionsCrawlerSecurityConfigurationV2:
    Type: AWS::Glue::SecurityConfiguration
    # checkov:skip=CKV_AWS_99:Encryption is already enabled with SSE-KMS
    Properties:
      Name: !Sub "${AWS::StackName}-document-sections-crawler-security-config-v2"
      EncryptionConfiguration:
        S3Encryptions:
          - S3EncryptionMode: SSE-KMS
            KmsKeyArn: !GetAtt CustomerManagedEncryptionKey.Arn

  DocumentSectionsCrawler:
    Type: AWS::Glue::Crawler
    Properties:
      Name: !Sub "${AWS::StackName}-document-sections-crawler"
      Description: "Crawler to discover document section tables in the reporting bucket with conservative schema handling"
      Role: !GetAtt DocumentSectionsCrawlerRole.Arn
      DatabaseName: !Ref ReportingDatabase
      CrawlerSecurityConfiguration: !Ref DocumentSectionsCrawlerSecurityConfigurationV2
      Targets:
        S3Targets:
          - Path: !Sub
              - "s3://${Bucket}/document_sections/"
              - Bucket: !If
                  - ShouldCreateReportingBucket
                  - !Ref ReportingBucket
                  - !Ref ReportingBucketName
      SchemaChangePolicy:
        UpdateBehavior: "UPDATE_IN_DATABASE"
        DeleteBehavior: "LOG"
      TablePrefix: "document_sections_"
      Configuration: |
        {
          "Version": 1.0,
          "CrawlerOutput": {
            "Partitions": { "AddOrUpdateBehavior": "InheritFromTable" },
            "Tables": { "AddOrUpdateBehavior": "MergeNewColumns" }
          },
          "Grouping": { "TableLevelConfiguration": 3 },
          "CreatePartitionIndex": true
        }
      Schedule: !If
        - DocumentSectionsCrawlerScheduleEnabled
        - ScheduleExpression:
            !FindInMap [
              CrawlerScheduleMap,
              !Ref DocumentSectionsCrawlerFrequency,
              ScheduleExpression,
            ]
        - !Ref AWS::NoValue

  DocumentSectionsCrawlerRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: !Sub "glue.${AWS::URLSuffix}"
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - !Sub "arn:${AWS::Partition}:iam::aws:policy/service-role/AWSGlueServiceRole"
      PermissionsBoundary:
        !If [
          HasPermissionsBoundary,
          !Ref PermissionsBoundaryArn,
          !Ref AWS::NoValue,
        ]
      Policies:
        - PolicyName: DocumentSectionsCrawlerS3Access
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - s3:GetObject
                  - s3:ListBucket
                Resource:
                  - !Sub
                    - "arn:${AWS::Partition}:s3:::${Bucket}"
                    - Bucket: !If
                        - ShouldCreateReportingBucket
                        - !Ref ReportingBucket
                        - !Ref ReportingBucketName
                  - !Sub
                    - "arn:${AWS::Partition}:s3:::${Bucket}/document_sections/*"
                    - Bucket: !If
                        - ShouldCreateReportingBucket
                        - !Ref ReportingBucket
                        - !Ref ReportingBucketName
              - Effect: Allow
                Action:
                  - kms:Decrypt
                  - kms:DescribeKey
                Resource: !GetAtt CustomerManagedEncryptionKey.Arn

  EvaluationBaselineBucket:
    Type: AWS::S3::Bucket
    Condition: ShouldCreateEvaluationBaselineBucket
    UpdateReplacePolicy: Retain
    DeletionPolicy: RetainExceptOnCreate
    Properties:
      CorsConfiguration:
        CorsRules:
          - AllowedHeaders:
              - "Content-Type"
              - "x-amz-content-sha256"
              - "x-amz-date"
              - "Authorization"
              - "x-amz-security-token"
            # GET / HEAD are required so the Web UI can read baseline objects
            # via presigned URLs — e.g. the Document Details "Download Baselines"
            # button, which fetches section baselines directly from S3 into a
            # client-side ZIP.
            AllowedMethods:
              - PUT
              - POST
              - GET
              - HEAD
            AllowedOrigins:
              - !If
                - UseCloudFrontHosting
                - !Sub "https://${CloudFrontDistribution.DomainName}"
                - !GetAtt ALBHOSTINGSTACK.Outputs.WebUIURL
              # For local development only
              - "http://localhost:3000"
            ExposedHeaders:
              - "ETag"
              - "x-amz-server-side-encryption"
            MaxAge: 3000
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: aws:kms
              KMSMasterKeyID: !Ref CustomerManagedEncryptionKey
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      VersioningConfiguration:
        Status: Enabled
      LoggingConfiguration:
        DestinationBucketName: !Ref LoggingBucket
        LogFilePrefix: output-bucket-logs/
      # No lifecycle policy - retain baseline data permanently

  EvaluationBaselineBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Condition: ShouldCreateEvaluationBaselineBucket
    Properties:
      Bucket: !Ref EvaluationBaselineBucket
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: EnforceSSLOnly
            Effect: Deny
            Principal: "*"
            Action: "s3:*"
            Resource:
              - !Sub "${EvaluationBaselineBucket.Arn}/*"
              - !Sub "${EvaluationBaselineBucket.Arn}"
            Condition:
              Bool:
                "aws:SecureTransport": false

  WebUIBucket:
    Type: AWS::S3::Bucket
    UpdateReplacePolicy: Retain
    DeletionPolicy: Retain
    Metadata:
      cfn-lint:
        config:
          ignore_checks:
            - W3045
    Properties:
      AccessControl: Private
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      VersioningConfiguration:
        Status: Enabled
      WebsiteConfiguration: !If
        - UseCloudFrontHosting
        - IndexDocument: index.html
          ErrorDocument: index.html
        - !Ref AWS::NoValue
      LoggingConfiguration:
        DestinationBucketName: !Ref LoggingBucket
        LogFilePrefix: webapp-bucket-logs/

  WebUIBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref WebUIBucket
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          - !If
            - UseCloudFrontHosting
            - Effect: Allow
              Principal:
                CanonicalUser: !GetAtt CloudFrontOriginAccessIdentity.S3CanonicalUserId
              Action: s3:GetObject
              Resource: !Sub "${WebUIBucket.Arn}/*"
            - !Ref AWS::NoValue
          - !If
            - UseALBHosting
            - Effect: Allow
              Principal: "*"
              Action: s3:GetObject
              Resource: !Sub "${WebUIBucket.Arn}/*"
              Condition:
                StringEquals:
                  "aws:sourceVpce": !GetAtt ALBHOSTINGSTACK.Outputs.S3VPCEndpointId
            - !Ref AWS::NoValue
          - Effect: "Deny"
            Action:
              - "s3:*"
            Principal: "*"
            Resource:
              - !GetAtt WebUIBucket.Arn
              - !Sub "${WebUIBucket.Arn}/*"
            Condition:
              Bool:
                "aws:SecureTransport": false

  ##########################################################################
  # DynamoDB table for process tracking
  ##########################################################################

  TrackingTable:
    Type: AWS::DynamoDB::Table
    Properties:
      PointInTimeRecoverySpecification:
        PointInTimeRecoveryEnabled: true
      BillingMode: PAY_PER_REQUEST
      AttributeDefinitions:
        - AttributeName: PK
          AttributeType: S
        - AttributeName: SK
          AttributeType: S
        - AttributeName: InitialEventTime
          AttributeType: S
        - AttributeName: ItemType
          AttributeType: S
      KeySchema:
        - AttributeName: PK
          KeyType: HASH
        - AttributeName: SK
          KeyType: RANGE
      GlobalSecondaryIndexes:
        # TypeDateIndex replaces both the old listDocuments scan and the HITLPendingReviewIndex.
        # Pending reviews use: ItemType='document' + time range + FilterExpression: HITLPendingReview='true'
        - IndexName: TypeDateIndex
          KeySchema:
            - AttributeName: ItemType
              KeyType: HASH
            - AttributeName: InitialEventTime
              KeyType: RANGE
          Projection:
            ProjectionType: INCLUDE
            NonKeyAttributes:
              - ObjectKey
              - ObjectStatus
              - CompletionTime
              - ConfigVersion
              - EvaluationStatus
              - NumPages
              - ConfidenceAlertCount
              - HITLTriggered
              - HITLCompleted
              - HITLStatus
              - HITLReviewOwner
              - HITLReviewedBy
              - TestRunId
              - TestSetName
              - CreatedAt
              - CompletedFiles
              - FailedFiles
              - FilesCount
              - Status
              - CompletedAt
      TimeToLiveSpecification:
        AttributeName: ExpiresAfter
        Enabled: true
      SSESpecification:
        SSEEnabled: true
        SSEType: KMS
        KMSMasterKeyId: !Ref CustomerManagedEncryptionKey

  ##########################################################################
  # GSI Attribute Backfill - Step Functions + Lambda for populating
  # TypeDateIndex and HITLPendingReviewIndex on existing items
  ##########################################################################

  BackfillWorkerFunctionLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      KmsKeyId: !GetAtt CustomerManagedEncryptionKey.Arn
      RetentionInDays: !Ref LogRetentionDays

  BackfillWorkerFunction:
    Type: AWS::Serverless::Function
    Metadata:
      cfn_nag:
        rules_to_suppress:
          - id: W89
            reason: "Function does not require VPC access as it only interacts with DynamoDB"
          - id: W92
            reason: "Function does not require reserved concurrency"
    # checkov:skip=CKV_AWS_116: "DLQ not required - Step Functions handles retries"
    # checkov:skip=CKV_AWS_117: "Function does not require VPC access"
    # checkov:skip=CKV_AWS_115: "Function does not require reserved concurrency"
    # checkov:skip=CKV_AWS_173: "Environment variables do not contain sensitive data"
    Properties:
      PermissionsBoundary:
        !If [HasPermissionsBoundary, !Ref PermissionsBoundaryArn, !Ref AWS::NoValue]
      Handler: index.lambda_handler
      Runtime: python3.12
      CodeUri: src/lambda/backfill_gsi_attributes/
      Timeout: 900
      MemorySize: 512
      Environment:
        Variables:
          LOG_LEVEL: !Ref LogLevel
      LoggingConfig:
        LogGroup: !Ref BackfillWorkerFunctionLogGroup
      Policies:
        - DynamoDBCrudPolicy:
            TableName: !Ref TrackingTable
        - Statement:
            - Effect: Allow
              Action:
                - kms:Encrypt
                - kms:Decrypt
                - kms:ReEncrypt*
                - kms:GenerateDataKey*
                - kms:DescribeKey
              Resource: !GetAtt CustomerManagedEncryptionKey.Arn

  BackfillStateMachineRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: !Sub "states.${AWS::URLSuffix}"
            Action: sts:AssumeRole
      PermissionsBoundary:
        !If [HasPermissionsBoundary, !Ref PermissionsBoundaryArn, !Ref AWS::NoValue]
      Policies:
        - PolicyName: BackfillStateMachinePolicy
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action: lambda:InvokeFunction
                Resource: !GetAtt BackfillWorkerFunction.Arn

  BackfillStateMachine:
    Type: AWS::Serverless::StateMachine
    Properties:
      Name: !Sub "${AWS::StackName}-GSIBackfill"
      DefinitionUri: src/lambda/backfill_gsi_attributes/statemachine.asl.json
      DefinitionSubstitutions:
        BackfillWorkerFunctionArn: !GetAtt BackfillWorkerFunction.Arn
      Role: !GetAtt BackfillStateMachineRole.Arn

  BackfillTriggerFunctionLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      KmsKeyId: !GetAtt CustomerManagedEncryptionKey.Arn
      RetentionInDays: !Ref LogRetentionDays

  BackfillTriggerFunction:
    Type: AWS::Serverless::Function
    Metadata:
      cfn_nag:
        rules_to_suppress:
          - id: W89
            reason: "Function does not require VPC access"
          - id: W92
            reason: "Function does not require reserved concurrency"
    # checkov:skip=CKV_AWS_116: "DLQ not required for Custom Resource function"
    # checkov:skip=CKV_AWS_117: "Function does not require VPC access"
    # checkov:skip=CKV_AWS_115: "Function does not require reserved concurrency"
    # checkov:skip=CKV_AWS_173: "Environment variables contain non-sensitive configuration values (log level only)"
    Properties:
      PermissionsBoundary:
        !If [HasPermissionsBoundary, !Ref PermissionsBoundaryArn, !Ref AWS::NoValue]
      Handler: index.handler
      Runtime: python3.12
      CodeUri: src/lambda/backfill_gsi_attributes/
      Timeout: 60
      MemorySize: 256
      Environment:
        Variables:
          LOG_LEVEL: !Ref LogLevel
      LoggingConfig:
        LogGroup: !Ref BackfillTriggerFunctionLogGroup
      Policies:
        - DynamoDBReadPolicy:
            TableName: !Ref TrackingTable
        - Statement:
            - Effect: Allow
              Action: states:StartExecution
              Resource: !Ref BackfillStateMachine
            - Effect: Allow
              Action:
                - kms:Decrypt
                - kms:DescribeKey
              Resource: !GetAtt CustomerManagedEncryptionKey.Arn

  BackfillCustomResource:
    Type: Custom::GSIBackfill
    Properties:
      ServiceToken: !GetAtt BackfillTriggerFunction.Arn
      TrackingTableName: !Ref TrackingTable
      BackfillStateMachineArn: !Ref BackfillStateMachine
      TotalSegments: "10"
      # Force re-evaluation on each stack update (bumped for ConfidenceAlertCount=0 repair)
      BackfillVersion: "3.0"

  ##############################################################################
  # DynamoDB table and initialization function for workflow concurrency counter
  ##############################################################################

  ConcurrencyTable:
    Type: AWS::DynamoDB::Table
    Metadata:
      cfn_nag:
        rules_to_suppress:
          - id: W78
            reason: "Point-in-time recovery not required for concurrency tracking table as data is transient"
    # checkov:skip=CKV_AWS_28: "Point-in-time recovery not required for concurrency tracking table as data is transient"
    Properties:
      BillingMode: PAY_PER_REQUEST
      AttributeDefinitions:
        - AttributeName: counter_id
          AttributeType: S
      KeySchema:
        - AttributeName: counter_id
          KeyType: HASH
      SSESpecification:
        SSEEnabled: true
        SSEType: KMS
        KMSMasterKeyId: !Ref CustomerManagedEncryptionKey

  InitializeConcurrencyTableLambda:
    Type: AWS::Serverless::Function
    Metadata:
      cfn_nag:
        rules_to_suppress:
          - id: W89
            reason: "Function does not require VPC access as it only interacts with AWS services via APIs"
          - id: W92
            reason: "Function does not require reserved concurrency as it scales based on demand"
    # checkov:skip=CKV_AWS_116: "DLQ not required for Cfn Custom Resource function"
    # checkov:skip=CKV_AWS_117: "Function does not require VPC access as it only interacts with AWS services via APIs"
    # checkov:skip=CKV_AWS_115: "Function does not require reserved concurrency as it scales based on demand"
    # checkov:skip=CKV_AWS_173: "Environment variables do not contain sensitive data - only configuration values like feature flags and non-sensitive settings"
    Properties:
      PermissionsBoundary:
        !If [
          HasPermissionsBoundary,
          !Ref PermissionsBoundaryArn,
          !Ref AWS::NoValue,
        ]
      Handler: index.handler
      Runtime: python3.12
      Timeout: 30
      VpcConfig:
        !If
          - DeployInVPC
          - SecurityGroupIds:
              - !Ref LambdaSecurityGroupId
            SubnetIds: !Ref PrivateSubnetIds
          - !Ref AWS::NoValue
      CodeUri: src/lambda/initialize_counter
      Environment:
        Variables:
          LOG_LEVEL: !Ref LogLevel
          CONCURRENCY_TABLE: !Ref ConcurrencyTable
      Policies:
        - DynamoDBCrudPolicy:
            TableName: !Ref ConcurrencyTable
        - Statement:
            - Effect: Allow
              Action:
                - kms:Encrypt
                - kms:Decrypt
                - kms:ReEncrypt*
                - kms:GenerateDataKey*
                - kms:DescribeKey
              Resource: !GetAtt CustomerManagedEncryptionKey.Arn

  InitializeConcurrencyTableCustomResource:
    Type: AWS::CloudFormation::CustomResource
    Properties:
      ServiceToken: !GetAtt InitializeConcurrencyTableLambda.Arn
      TableName: !Ref ConcurrencyTable

  ##########################################################################
  # Configuration table, for pattern specific prompts and config
  ##########################################################################

  # Valid values for 'Configuration' (PK) are Schema, Default, Custom
  # Schema, and Default are set by pattern templates during stack deploy/update
  # Custom is left for user to define during stack deploy/update

  ConfigurationTable:
    Type: AWS::DynamoDB::Table
    Properties:
      PointInTimeRecoverySpecification:
        PointInTimeRecoveryEnabled: true
      BillingMode: PAY_PER_REQUEST
      KeySchema:
        - AttributeName: Configuration
          KeyType: HASH
      AttributeDefinitions:
        - AttributeName: Configuration
          AttributeType: S
      SSESpecification:
        SSEEnabled: true
        SSEType: KMS
        KMSMasterKeyId: !Ref CustomerManagedEncryptionKey
  ##########################################################################
  # Discovery tracking table for discovery jobs
  ##########################################################################

  DiscoveryTrackingTable:
    Type: AWS::DynamoDB::Table
    Properties:
      PointInTimeRecoverySpecification:
        PointInTimeRecoveryEnabled: true
      BillingMode: PAY_PER_REQUEST
      AttributeDefinitions:
        - AttributeName: jobId
          AttributeType: S
      KeySchema:
        - AttributeName: jobId
          KeyType: HASH
      TimeToLiveSpecification:
        AttributeName: ExpiresAfter
        Enabled: true

      SSESpecification:
        SSEEnabled: true
        SSEType: KMS
        KMSMasterKeyId: !Ref CustomerManagedEncryptionKey

  ##########################################################################
  # Discovery SQS queue for processing discovery jobs
  ##########################################################################

  DiscoveryQueue:
    Type: AWS::SQS::Queue
    Properties:
      VisibilityTimeout: 900
      MessageRetentionPeriod: 86400 # 1 day
      KmsMasterKeyId: !Ref CustomerManagedEncryptionKey
      RedrivePolicy:
        deadLetterTargetArn: !GetAtt DiscoveryDLQ.Arn
        maxReceiveCount: 1000

  DiscoveryDLQ:
    Type: AWS::SQS::Queue
    Properties:
      VisibilityTimeout: 900
      MessageRetentionPeriod: 345600 # 4 days
      KmsMasterKeyId: !Ref CustomerManagedEncryptionKey

  UpdateConfigurationFunction:
    Type: AWS::Serverless::Function
    Metadata:
      cfn_nag:
        rules_to_suppress:
          - id: W89
            reason: "Function does not require VPC access as it only interacts with AWS services via APIs"
          - id: W92
            reason: "Function does not require reserved concurrency as it scales based on demand"
    # checkov:skip=CKV_AWS_117: "Function does not require VPC access as it only interacts with AWS services via APIs"
    # checkov:skip=CKV_AWS_115: "Function does not require reserved concurrency as it scales based on demand"
    # checkov:skip=CKV_AWS_116: "DLQ not required for Custom Resource function"
    # checkov:skip=CKV_AWS_173: "Environment variables do not contain sensitive data - only configuration values like feature flags and non-sensitive settings"
    Properties:
      PermissionsBoundary:
        !If [
          HasPermissionsBoundary,
          !Ref PermissionsBoundaryArn,
          !Ref AWS::NoValue,
        ]
      Handler: index.handler
      Runtime: python3.12
      Timeout: 30
      VpcConfig:
        !If
          - DeployInVPC
          - SecurityGroupIds:
              - !Ref LambdaSecurityGroupId
            SubnetIds: !Ref PrivateSubnetIds
          - !Ref AWS::NoValue

      Layers:
        - !Ref IDPCommonBaseLayer
      CodeUri: src/lambda/update_configuration
      Environment:
        Variables:
          LOG_LEVEL: !Ref LogLevel
          CONFIGURATION_TABLE_NAME: !Ref ConfigurationTable
      LoggingConfig:
        LogGroup: !Ref UpdateConfigurationFunctionLogGroup
      Policies:
        - DynamoDBCrudPolicy:
            TableName: !Ref ConfigurationTable
        - Statement:
            - Effect: Allow
              Action:
                - kms:Encrypt
                - kms:Decrypt
                - kms:ReEncrypt*
                - kms:GenerateDataKey*
                - kms:DescribeKey
              Resource: !GetAtt CustomerManagedEncryptionKey.Arn
            - Effect: Allow
              Action:
                - "s3:GetObject"
                - "s3:ListBucket"
              Resource:
                - !Sub "arn:${AWS::Partition}:s3:::<ARTIFACT_BUCKET_TOKEN>"
                - !Sub "arn:${AWS::Partition}:s3:::<ARTIFACT_BUCKET_TOKEN>/<ARTIFACT_PREFIX_TOKEN>/*"
                - !Sub "arn:${AWS::Partition}:s3:::${ConfigurationBucket}"
                - !Sub "arn:${AWS::Partition}:s3:::${ConfigurationBucket}/*"
            # Allow reading user-supplied config file only if CustomConfigPath is specified
            - !If
              - HasCustomConfigPath
              - Effect: Allow
                Action:
                  - "s3:GetObject"
                Resource: !Sub
                  - "arn:${AWS::Partition}:s3:::${Path}"
                  - Path: !Select [ 1, !Split [ "s3://", !Ref CustomConfigPath ] ]
              - !Ref AWS::NoValue
            # Allow listing the specific bucket containing the custom config file
            - !If
              - HasCustomConfigPath
              - Effect: Allow
                Action:
                  - "s3:ListBucket"
                Resource: !Sub
                  - "arn:${AWS::Partition}:s3:::${BucketName}"
                  - BucketName:
                      !Select [
                        0,
                        !Split [
                          "/",
                          !Select [ 1, !Split [ "s3://", !Ref CustomConfigPath ] ],
                        ],
                      ]
              - !Ref AWS::NoValue

  UpdateConfigurationFunctionLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      KmsKeyId: !GetAtt CustomerManagedEncryptionKey.Arn
      RetentionInDays: !Ref LogRetentionDays

  # Pattern stacks can update the Configuration table with a CustomResource, using the
  # UpdateConfigurationFunctionArn parameter passed to them. See examples in provided
  # pattern templates.

  ##########################################################################
  # SSM Parameter for application settings
  ##########################################################################

  # Initialise SettingsParameter as empty (so it never gets replaced)
  # and use Custom Resource UpdateSettingsFunction to add/update values
  SettingsParameter:
    DependsOn:
      - IsStacknameLengthOK
    Type: AWS::SSM::Parameter
    Properties:
      Type: String
      Name: !Sub "${AWS::StackName}-Settings"
      Value: "{}"

  UpdateSettingsFunction:
    DependsOn:
      - IsStacknameLengthOK
    Type: AWS::Serverless::Function
    Metadata:
      cfn_nag:
        rules_to_suppress:
          - id: W89
            reason: "Function does not require VPC access as it only interacts with AWS services via APIs"
          - id: W92
            reason: "Function does not require reserved concurrency as it scales based on demand"
    # checkov:skip=CKV_AWS_117: "Function does not require VPC access as it only interacts with AWS services via APIs"
    # checkov:skip=CKV_AWS_115: "Function does not require reserved concurrency as it scales based on demand"
    # checkov:skip=CKV_AWS_116: "DLQ not required for Custom Resource function"
    Properties:
      PermissionsBoundary:
        !If [
          HasPermissionsBoundary,
          !Ref PermissionsBoundaryArn,
          !Ref AWS::NoValue,
        ]
      Handler: index.handler
      Runtime: python3.12
      Timeout: 30
      VpcConfig:
        !If
          - DeployInVPC
          - SecurityGroupIds:
              - !Ref LambdaSecurityGroupId
            SubnetIds: !Ref PrivateSubnetIds
          - !Ref AWS::NoValue
      CodeUri: src/lambda/update_settings
      LoggingConfig:
        LogGroup: !Ref UpdateSettingsFunctionLogGroup
      Policies:
        - Statement:
            - Effect: Allow
              Action:
                - ssm:GetParameter
                - ssm:PutParameter
              Resource:
                - !Sub "arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:parameter/${SettingsParameter}"

  UpdateSettingsFunctionLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      KmsKeyId: !GetAtt CustomerManagedEncryptionKey.Arn
      RetentionInDays: !Ref LogRetentionDays

  UpdateSettingsValues:
    Type: AWS::CloudFormation::CustomResource
    Properties:
      ServiceToken: !GetAtt UpdateSettingsFunction.Arn
      SettingsName: !Ref SettingsParameter
      SettingsKeyValuePairs:
        StackName: !Sub "${AWS::StackName}"
        Version: <VERSION>
        BuildDateTime: <BUILD_DATE_TIME>
        IDPPattern: "Unified"
        InputBucket: !Ref InputBucket
        DiscoveryBucket: !Ref DiscoveryBucket
        TestSetBucket: !Ref TestSetBucket
        ConfigurationBucket: !Ref ConfigurationBucket
        OutputBucket: !Ref OutputBucket
        ReportingBucket: !If
          - ShouldCreateReportingBucket
          - !Ref ReportingBucket
          - !Ref ReportingBucketName
        EvaluationBaselineBucket: !If
          - ShouldCreateEvaluationBaselineBucket
          - !Ref EvaluationBaselineBucket
          - !Ref EvaluationBaselineBucketName
        ShouldUseDocumentKnowledgeBase: !If
          - ShouldUseDocumentKnowledgeBase
          - True
          - False
        # Runtime-resolved values for APPSYNCSTACK decoupling
        # CloudWatch log groups moved here to decouple Agent Lambda functions from Pattern stacks
        CloudWatchLogGroups: !Join
          - ","
          - - !Ref QueueSenderLogGroup
            - !Ref QueueProcessorLogGroup
            - !Ref WorkflowTrackerLogGroup
            - !Ref SaveReportingDataFunctionV2LogGroup
            - !GetAtt PATTERNSTACK.Outputs.PatternLogGroups
        StateMachineArn: !GetAtt PATTERNSTACK.Outputs.StateMachineArn
        StateMachineName: !GetAtt PATTERNSTACK.Outputs.StateMachineName
        KnowledgeBaseId: !If
          - ShouldCreateDocumentKnowledgeBase
          - !GetAtt DOCUMENTKB.Outputs.KnowledgeBaseID
          - ""
        AllowedSignUpEmailDomains: !Ref AllowedSignUpEmailDomain
    UpdateReplacePolicy: Delete
    DeletionPolicy: Delete

  ##########################################################################
  # SQS Queue for queueing pending documents in order
  ##########################################################################

  DocumentQueueDLQ:
    Type: AWS::SQS::Queue
    Properties:
      KmsMasterKeyId: !Ref CustomerManagedEncryptionKey
      VisibilityTimeout: 30
      MessageRetentionPeriod: 345600 # 4 days

  DocumentQueueDLQPolicy:
    Type: AWS::SQS::QueuePolicy
    Properties:
      Queues:
        - !Ref DocumentQueueDLQ
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: EnforceSSLOnly
            Effect: Deny
            Principal: "*"
            Action: "sqs:*"
            Resource: !GetAtt DocumentQueueDLQ.Arn
            Condition:
              Bool:
                "aws:SecureTransport": false

  DocumentQueue:
    Type: AWS::SQS::Queue
    Properties:
      KmsMasterKeyId: !Ref CustomerManagedEncryptionKey
      VisibilityTimeout: 30
      MessageRetentionPeriod: 86400 # 1 day
      RedrivePolicy:
        maxReceiveCount: 1000 # should retry up to 8hrs (1000 * 30 sec visibility) before moving to DLQ
        deadLetterTargetArn: !GetAtt DocumentQueueDLQ.Arn

  DocumentQueuePolicy:
    Type: AWS::SQS::QueuePolicy
    Properties:
      Queues:
        - !Ref DocumentQueue
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: EnforceSSLOnly
            Effect: Deny
            Principal: "*"
            Action: "sqs:*"
            Resource: !GetAtt DocumentQueue.Arn
            Condition:
              Bool:
                "aws:SecureTransport": false

  ##########################################################################
  # Event triggered Lambdas to publish and consume from the queue
  ##########################################################################

  QueueSenderDLQ:
    Type: AWS::SQS::Queue
    Properties:
      KmsMasterKeyId: !Ref CustomerManagedEncryptionKey
      VisibilityTimeout: 30
      MessageRetentionPeriod: 345600 # 4 days

  QueueSenderDLQPolicy:
    Type: AWS::SQS::QueuePolicy
    Properties:
      Queues:
        - !Ref QueueSenderDLQ
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: EnforceSSLOnly
            Effect: Deny
            Principal: "*"
            Action: "sqs:*"
            Resource: !GetAtt QueueSenderDLQ.Arn
            Condition:
              Bool:
                "aws:SecureTransport": false

  QueueSender:
    Type: AWS::Serverless::Function
    Metadata:
      cfn_nag:
        rules_to_suppress:
          - id: W89
            reason: "Function does not require VPC access as it only interacts with AWS services via APIs"
          - id: W92
            reason: "Function does not require reserved concurrency as it scales based on demand"
    # checkov:skip=CKV_AWS_117: "Function does not require VPC access as it only interacts with AWS services via APIs"
    # checkov:skip=CKV_AWS_115: "Function does not require reserved concurrency as it scales based on demand"
    # checkov:skip=CKV_AWS_173: "Environment variables do not contain sensitive data - only configuration values like feature flags and non-sensitive settings"
    Properties:
      PermissionsBoundary:
        !If [
          HasPermissionsBoundary,
          !Ref PermissionsBoundaryArn,
          !Ref AWS::NoValue,
        ]
      CodeUri: src/lambda/queue_sender/
      Handler: index.handler
      Runtime: python3.12
      Timeout: 30

      Layers:
        - !Ref IDPCommonBaseLayer
      Tracing: Active
      VpcConfig: !If
        - DeployInVPC
        - SubnetIds: !Ref PrivateSubnetIds
          SecurityGroupIds:
            - !Ref LambdaSecurityGroupId
        - !If
          - UsePrivateAppSync
          - SubnetIds: !Ref LambdaSubnetIds
            SecurityGroupIds:
              - !Ref LambdaVpcSecurityGroup
          - !Ref AWS::NoValue
      DeadLetterQueue:
        Type: SQS
        TargetArn: !GetAtt QueueSenderDLQ.Arn
      LoggingConfig:
        LogGroup: !Ref QueueSenderLogGroup
      Environment:
        Variables:
          LOG_LEVEL: !Ref LogLevel
          QUEUE_URL: !Ref DocumentQueue
          APPSYNC_API_URL: !GetAtt GraphQLApi.GraphQLUrl
          DATA_RETENTION_IN_DAYS: !Ref DataRetentionInDays
          OUTPUT_BUCKET: !Ref OutputBucket
          CONFIG_TABLE: !Ref ConfigurationTable
      Policies:
        - SQSSendMessagePolicy:
            QueueName: !GetAtt DocumentQueue.QueueName
        - DynamoDBReadPolicy:
            TableName: !Ref ConfigurationTable
        - S3ReadPolicy:
            BucketName: !Ref InputBucket
        - Statement:
            - Effect: Allow
              Action:
                - appsync:GraphQL
              Resource:
                - !Sub "${GraphQLApi.Arn}/types/Mutation/*"
            - Effect: Allow
              Action:
                - kms:Encrypt
                - kms:Decrypt
                - kms:ReEncrypt*
                - kms:GenerateDataKey*
                - kms:DescribeKey
              Resource: !GetAtt CustomerManagedEncryptionKey.Arn
      Events:
        S3Event:
          Type: CloudWatchEvent
          Properties:
            Pattern:
              source:
                - aws.s3
              detail-type:
                - "Object Created"
              detail:
                bucket:
                  name:
                    - !Ref InputBucket

  QueueSenderLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      KmsKeyId: !GetAtt CustomerManagedEncryptionKey.Arn
      RetentionInDays: !Ref LogRetentionDays

  QueueProcessor:
    Type: AWS::Serverless::Function
    Metadata:
      cfn_nag:
        rules_to_suppress:
          - id: W89
            reason: "Function does not require VPC access as it only interacts with AWS services via APIs"
          - id: W92
            reason: "Function does not require reserved concurrency as it scales based on demand"
    # checkov:skip=CKV_AWS_115: "Function does not require reserved concurrency as it scales based on demand"
    # checkov:skip=CKV_AWS_116: "DLQ not required for these functions as they are either idempotent or have error handling"
    # checkov:skip=CKV_AWS_117: "Function does not require VPC access as it only interacts with AWS services via APIs"
    # checkov:skip=CKV_AWS_173: "Environment variables do not contain sensitive data - only configuration values like feature flags and non-sensitive settings"
    Properties:
      PermissionsBoundary:
        !If [
          HasPermissionsBoundary,
          !Ref PermissionsBoundaryArn,
          !Ref AWS::NoValue,
        ]
      CodeUri: src/lambda/queue_processor/
      Handler: index.handler
      Runtime: python3.12
      Timeout: 30

      Layers:
        - !Ref IDPCommonBaseLayer
      Tracing: Active
      VpcConfig: !If
        - DeployInVPC
        - SubnetIds: !Ref PrivateSubnetIds
          SecurityGroupIds:
            - !Ref LambdaSecurityGroupId
        - !If
          - UsePrivateAppSync
          - SubnetIds: !Ref LambdaSubnetIds
            SecurityGroupIds:
              - !Ref LambdaVpcSecurityGroup
          - !Ref AWS::NoValue
      LoggingConfig:
        LogGroup: !Ref QueueProcessorLogGroup
      Environment:
        Variables:
          LOG_LEVEL: !Ref LogLevel
          STATE_MACHINE_ARN: !GetAtt PATTERNSTACK.Outputs.StateMachineArn
          APPSYNC_API_URL: !GetAtt GraphQLApi.GraphQLUrl
          CONCURRENCY_TABLE: !Ref ConcurrencyTable
          MAX_CONCURRENT: !Ref MaxConcurrentWorkflows
          WORKING_BUCKET: !Ref WorkingBucket
          CONFIG_TABLE: !Ref ConfigurationTable
      Policies:
        - SQSPollerPolicy:
            QueueName: !GetAtt DocumentQueue.QueueName
        - StepFunctionsExecutionPolicy:
            StateMachineName: !GetAtt PATTERNSTACK.Outputs.StateMachineName
        - DynamoDBCrudPolicy:
            TableName: !Ref TrackingTable
        - DynamoDBCrudPolicy:
            TableName: !Ref ConcurrencyTable
        - DynamoDBReadPolicy:
            TableName: !Ref ConfigurationTable
        - S3CrudPolicy:
            BucketName: !Ref WorkingBucket
        - Statement:
            - Effect: Allow
              Action:
                - appsync:GraphQL
              Resource:
                - !Sub "${GraphQLApi.Arn}/types/Query/*"
                - !Sub "${GraphQLApi.Arn}/types/Mutation/*"
            - Effect: Allow
              Action:
                - kms:Encrypt
                - kms:Decrypt
                - kms:ReEncrypt*
                - kms:GenerateDataKey*
                - kms:DescribeKey
              Resource: !GetAtt CustomerManagedEncryptionKey.Arn
      Events:
        SQSEvent:
          Type: SQS
          Properties:
            Queue: !GetAtt DocumentQueue.Arn
            BatchSize: 50 # Process up to 50 messages at once
            # Per https://docs.aws.amazon.com/lambda/latest/dg/with-sqs.html
            # If you're using a batch window and your SQS queue contains very low traffic,
            # Lambda might wait for up to 20 seconds before invoking your function.
            # This is true even if you set a batch window lower than 20 seconds.
            MaximumBatchingWindowInSeconds: 1 # Minimize delay (see above caveat)
            FunctionResponseTypes:
              - ReportBatchItemFailures

  QueueProcessorLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      KmsKeyId: !GetAtt CustomerManagedEncryptionKey.Arn
      RetentionInDays: !Ref LogRetentionDays

  ##########################################################################
  # Event triggered Lambda for statemachine workflow tracking updates
  ##########################################################################

  WorkflowTrackerDLQ:
    Type: AWS::SQS::Queue
    Properties:
      KmsMasterKeyId: !Ref CustomerManagedEncryptionKey
      VisibilityTimeout: 30
      MessageRetentionPeriod: 345600 # 4 days

  WorkflowTrackerDLQPolicy:
    Type: AWS::SQS::QueuePolicy
    Properties:
      Queues:
        - !Ref WorkflowTrackerDLQ
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: EnforceSSLOnly
            Effect: Deny
            Principal: "*"
            Action: "sqs:*"
            Resource: !GetAtt WorkflowTrackerDLQ.Arn
            Condition:
              Bool:
                "aws:SecureTransport": false

  WorkflowTracker:
    Type: AWS::Serverless::Function
    Metadata:
      cfn_nag:
        rules_to_suppress:
          - id: W11
            reason: "Role requires * resource access for CloudWatch Metrics and Logs"
          - id: W89
            reason: "Function does not require VPC access as it only interacts with AWS services via APIs"
          - id: W92
            reason: "Function does not require reserved concurrency as it scales based on demand"
    # checkov:skip=CKV_AWS_117: "Function does not require VPC access as it only interacts with AWS services via APIs"
    # checkov:skip=CKV_AWS_115: "Function does not require reserved concurrency as it scales based on demand"
    # checkov:skip=CKV_AWS_173: "Environment variables do not contain sensitive data - only configuration values like feature flags and non-sensitive settings"
    Properties:
      PermissionsBoundary:
        !If [
          HasPermissionsBoundary,
          !Ref PermissionsBoundaryArn,
          !Ref AWS::NoValue,
        ]
      CodeUri: src/lambda/workflow_tracker/
      Handler: index.handler
      Runtime: python3.12
      Timeout: 30

      Layers:
        - !Ref IDPCommonBaseLayer
      Tracing: Active
      VpcConfig: !If
        - DeployInVPC
        - SubnetIds: !Ref PrivateSubnetIds
          SecurityGroupIds:
            - !Ref LambdaSecurityGroupId
        - !If
          - UsePrivateAppSync
          - SubnetIds: !Ref LambdaSubnetIds
            SecurityGroupIds:
              - !Ref LambdaVpcSecurityGroup
          - !Ref AWS::NoValue
      DeadLetterQueue:
        Type: SQS
        TargetArn: !GetAtt WorkflowTrackerDLQ.Arn
      LoggingConfig:
        LogGroup: !Ref WorkflowTrackerLogGroup
      Environment:
        Variables:
          LOG_LEVEL: !Ref LogLevel
          CONCURRENCY_TABLE: !Ref ConcurrencyTable
          METRIC_NAMESPACE: !Ref AWS::StackName
          APPSYNC_API_URL: !GetAtt GraphQLApi.GraphQLUrl
          OUTPUT_BUCKET: !Ref OutputBucket
          REPORTING_BUCKET:
            !If [
              ShouldCreateReportingBucket,
              !Ref ReportingBucket,
              !Ref ReportingBucketName,
            ]
          SAVE_REPORTING_FUNCTION_NAME: !Ref SaveReportingDataFunctionV2
          WORKING_BUCKET: !Ref WorkingBucket
      Policies:
        - DynamoDBCrudPolicy:
            TableName: !Ref TrackingTable
        - DynamoDBCrudPolicy:
            TableName: !Ref ConcurrencyTable
        - S3CrudPolicy:
            BucketName: !Ref WorkingBucket
        - Statement:
            - Effect: Allow
              Action:
                - cloudwatch:PutMetricData
              Resource: "*"
            - Effect: Allow
              Action:
                - lambda:InvokeFunction
              Resource: !GetAtt SaveReportingDataFunctionV2.Arn
            - Effect: Allow
              Action:
                - appsync:GraphQL
              Resource:
                - !Sub "${GraphQLApi.Arn}/types/Mutation/*"
            - Effect: Allow
              Action:
                - kms:Encrypt
                - kms:Decrypt
                - kms:ReEncrypt*
                - kms:GenerateDataKey*
                - kms:DescribeKey
              Resource: !GetAtt CustomerManagedEncryptionKey.Arn

  WorkflowTrackerLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      KmsKeyId: !GetAtt CustomerManagedEncryptionKey.Arn
      RetentionInDays: !Ref LogRetentionDays

  WorkflowStateChangeRule:
    Type: AWS::Events::Rule
    Properties:
      EventPattern:
        source:
          - aws.states
        detail-type:
          - Step Functions Execution Status Change
        detail:
          stateMachineArn:
            - !GetAtt PATTERNSTACK.Outputs.StateMachineArn
          status:
            - FAILED
            - TIMED_OUT
            - ABORTED
            - SUCCEEDED
      State: ENABLED
      Targets:
        - Arn: !GetAtt WorkflowTracker.Arn
          Id: TrackWorkflowCompletion
          RetryPolicy:
            MaximumRetryAttempts: 3
        - !If
          - DeployApiGateway
          - Arn: !GetAtt JobTracker.Arn
            Id: TrackJobCompletion
            RetryPolicy:
              MaximumRetryAttempts: 3
          - !Ref "AWS::NoValue"

  WorkflowTrackerPermission:
    Type: AWS::Lambda::Permission
    Properties:
      Action: lambda:InvokeFunction
      FunctionName: !Ref WorkflowTracker
      Principal: !Sub "events.${AWS::URLSuffix}"
      SourceArn: !GetAtt WorkflowStateChangeRule.Arn

  ##########################################################################
  # Job Tracker (Headless mode - tracks API-initiated jobs)
  ##########################################################################

  JobTrackerDLQ:
    Type: AWS::SQS::Queue
    Condition: DeployApiGateway
    Properties:
      KmsMasterKeyId: !Ref CustomerManagedEncryptionKey

  JobTrackerLogGroup:
    Type: AWS::Logs::LogGroup
    Condition: DeployApiGateway
    Properties:
      KmsKeyId: !GetAtt CustomerManagedEncryptionKey.Arn
      RetentionInDays: !Ref LogRetentionDays

  JobTracker:
    Type: AWS::Serverless::Function
    Condition: DeployApiGateway
    Properties:
      PermissionsBoundary:
        !If [HasPermissionsBoundary, !Ref PermissionsBoundaryArn, !Ref "AWS::NoValue"]
      CodeUri: src/lambda/job_tracker/
      Handler: index.handler
      Runtime: python3.12
      Timeout: 900
      MemorySize: 3008
      EphemeralStorage:
        Size: 5120
      Layers:
        - !Ref IDPCommonBaseLayer
      Tracing: Active
      DeadLetterQueue:
        Type: SQS
        TargetArn: !GetAtt JobTrackerDLQ.Arn
      LoggingConfig:
        LogGroup: !Ref JobTrackerLogGroup
      VpcConfig:
        SecurityGroupIds:
          - !Ref LambdaSecurityGroupId
        SubnetIds: !Ref PrivateSubnetIds
      Environment:
        Variables:
          LOG_LEVEL: !Ref LogLevel
          TRACKING_TABLE: !Ref TrackingTable
          OUTPUT_BUCKET: !Ref OutputBucket
      Policies:
        - DynamoDBCrudPolicy:
            TableName: !Ref TrackingTable
        - S3CrudPolicy:
            BucketName: !Ref OutputBucket
        - Statement:
            - Effect: Allow
              Action:
                - kms:Encrypt
                - kms:Decrypt
                - kms:GenerateDataKey*
              Resource: !GetAtt CustomerManagedEncryptionKey.Arn

  JobTrackerPermission:
    Type: AWS::Lambda::Permission
    Condition: DeployApiGateway
    Properties:
      Action: lambda:InvokeFunction
      FunctionName: !Ref JobTracker
      Principal: !Sub "events.${AWS::URLSuffix}"
      SourceArn: !GetAtt WorkflowStateChangeRule.Arn

  ##########################################################################
  # Optional Post Processing Lambda Hook
  ##########################################################################
  
  # Decompression Lambda - handles document decompression before invoking custom post-processor
  PostProcessingDecompressorDLQ:
    Type: AWS::SQS::Queue
    Condition: ShouldEnablePostProcessingLambdaHook
    Properties:
      KmsMasterKeyId: !Ref CustomerManagedEncryptionKey
      VisibilityTimeout: 30
      MessageRetentionPeriod: 345600 # 4 days

  PostProcessingDecompressorDLQPolicy:
    Type: AWS::SQS::QueuePolicy
    Condition: ShouldEnablePostProcessingLambdaHook
    Properties:
      Queues:
        - !Ref PostProcessingDecompressorDLQ
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: EnforceSSLOnly
            Effect: Deny
            Principal: "*"
            Action: "sqs:*"
            Resource: !GetAtt PostProcessingDecompressorDLQ.Arn
            Condition:
              Bool:
                "aws:SecureTransport": false

  PostProcessingDecompressor:
    Type: AWS::Serverless::Function
    Condition: ShouldEnablePostProcessingLambdaHook
    Metadata:
      cfn_nag:
        rules_to_suppress:
          - id: W89
            reason: "Function does not require VPC access as it only interacts with AWS services via APIs"
          - id: W92
            reason: "Function does not require reserved concurrency as it scales based on demand"
    # checkov:skip=CKV_AWS_117: "Function does not require VPC access as it only interacts with AWS services via APIs"
    # checkov:skip=CKV_AWS_115: "Function does not require reserved concurrency as it scales based on demand"
    # checkov:skip=CKV_AWS_173: "Environment variables do not contain sensitive data - only configuration values like feature flags and non-sensitive settings"
    Properties:
      PermissionsBoundary:
        !If [
          HasPermissionsBoundary,
          !Ref PermissionsBoundaryArn,
          !Ref AWS::NoValue,
        ]
      CodeUri: src/lambda/post_processing_decompressor/
      Handler: index.handler
      Runtime: python3.12
      Timeout: 300
      VpcConfig:
        !If
          - DeployInVPC
          - SecurityGroupIds:
              - !Ref LambdaSecurityGroupId
            SubnetIds: !Ref PrivateSubnetIds
          - !Ref AWS::NoValue

      Layers:
        - !Ref IDPCommonBaseLayer
      MemorySize: 512
      Tracing: Active
      DeadLetterQueue:
        Type: SQS
        TargetArn: !GetAtt PostProcessingDecompressorDLQ.Arn
      LoggingConfig:
        LogGroup: !Ref PostProcessingDecompressorLogGroup
      Environment:
        Variables:
          LOG_LEVEL: !Ref LogLevel
          CUSTOM_POST_PROCESSOR_ARN: !Ref PostProcessingLambdaHookFunctionArn
          WORKING_BUCKET: !Ref WorkingBucket
      Policies:
        - S3CrudPolicy:
            BucketName: !Ref WorkingBucket
        - Statement:
            - Effect: Allow
              Action:
                - lambda:InvokeFunction
              Resource: !Ref PostProcessingLambdaHookFunctionArn
            - Effect: Allow
              Action:
                - kms:Encrypt
                - kms:Decrypt
                - kms:ReEncrypt*
                - kms:GenerateDataKey*
                - kms:DescribeKey
              Resource: !GetAtt CustomerManagedEncryptionKey.Arn

  PostProcessingDecompressorLogGroup:
    Type: AWS::Logs::LogGroup
    Condition: ShouldEnablePostProcessingLambdaHook
    Properties:
      KmsKeyId: !GetAtt CustomerManagedEncryptionKey.Arn
      RetentionInDays: !Ref LogRetentionDays

  PostProcessingLambdaHookRule:
    Type: AWS::Events::Rule
    Condition: ShouldEnablePostProcessingLambdaHook
    Properties:
      EventPattern:
        source:
          - aws.states
        detail-type:
          - Step Functions Execution Status Change
        detail:
          stateMachineArn:
            - !GetAtt PATTERNSTACK.Outputs.StateMachineArn
          status:
            - SUCCEEDED
      State: ENABLED
      Targets:
        - Arn: !GetAtt PostProcessingDecompressor.Arn
          Id: PostProcessingDecompressor
          RetryPolicy:
            MaximumRetryAttempts: 3

  PostProcessingDecompressorPermission:
    Type: AWS::Lambda::Permission
    Condition: ShouldEnablePostProcessingLambdaHook
    Properties:
      Action: lambda:InvokeFunction
      FunctionName: !Ref PostProcessingDecompressor
      Principal: !Sub "events.${AWS::URLSuffix}"
      SourceArn: !GetAtt PostProcessingLambdaHookRule.Arn

  ##########################################################################
  # SaveReportingDataFunctionV2 Lambda, writes to ReportingBucket
  ##########################################################################

  SaveReportingDataFunctionV2:
    Type: AWS::Serverless::Function
    Metadata:
      cfn_nag:
        rules_to_suppress:
          - id: W11
            reason: "Role requires * resource access for CloudWatch Metrics and Logs"
          - id: W89
            reason: "Function does not require VPC access as it only interacts with AWS services via APIs"
          - id: W92
            reason: "Function does not require reserved concurrency as it scales based on demand"
    # checkov:skip=CKV_AWS_117: "Function does not require VPC access as it only interacts with AWS services via APIs"
    # checkov:skip=CKV_AWS_115: "Function does not require reserved concurrency as it scales based on demand"
    # checkov:skip=CKV_AWS_173: "Environment variables do not contain sensitive data - only configuration values like feature flags and non-sensitive settings"
    # checkov:skip=CKV_AWS_116: "DLQ not required for this functions as it is called sychronously"
    Properties:
      PermissionsBoundary:
        !If [
          HasPermissionsBoundary,
          !Ref PermissionsBoundaryArn,
          !Ref AWS::NoValue,
        ]
      CodeUri: src/lambda/save_reporting_data/
      Handler: index.handler
      Runtime: python3.12
      Timeout: 300

      Layers:
        - !Ref IDPCommonReportingLayer
      MemorySize: 1024
      Tracing: Active
      VpcConfig: !If
        - DeployInVPC
        - SubnetIds: !Ref PrivateSubnetIds
          SecurityGroupIds:
            - !Ref LambdaSecurityGroupId
        - !If
          - UsePrivateAppSync
          - SubnetIds: !Ref LambdaSubnetIds
            SecurityGroupIds:
              - !Ref LambdaVpcSecurityGroup
          - !Ref AWS::NoValue
      LoggingConfig:
        LogGroup: !Ref SaveReportingDataFunctionV2LogGroup
      Policies:
        - S3CrudPolicy:
            BucketName: !If
              - ShouldCreateReportingBucket
              - !Ref ReportingBucket
              - !Ref ReportingBucketName
        - S3ReadPolicy:
            BucketName: !Ref OutputBucket
        - DynamoDBReadPolicy:
            TableName: !Ref ConfigurationTable
        - Statement:
            - Effect: Allow
              Action:
                - cloudwatch:PutMetricData
              Resource: "*"
            - Effect: Allow
              Action:
                - kms:Encrypt
                - kms:Decrypt
                - kms:ReEncrypt*
                - kms:GenerateDataKey*
                - kms:DescribeKey
              Resource: !GetAtt CustomerManagedEncryptionKey.Arn
            - Effect: Allow
              Action:
                - glue:CreateTable
                - glue:GetTable
                - glue:UpdateTable
                - glue:GetDatabase
              Resource:
                - !Sub "arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:catalog"
                - !Sub "arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:database/${GetLowercase.Lowercase}-reporting-db"
                - !Sub "arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:table/${GetLowercase.Lowercase}-reporting-db/document_sections_*"
                - !Sub "arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:table/${GetLowercase.Lowercase}-reporting-db/metering"
                - !Sub "arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:table/${GetLowercase.Lowercase}-reporting-db/document_evaluations"
                - !Sub "arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:table/${GetLowercase.Lowercase}-reporting-db/section_evaluations"
                - !Sub "arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:table/${GetLowercase.Lowercase}-reporting-db/attribute_evaluations"
                - !Sub "arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:table/${GetLowercase.Lowercase}-reporting-db/rule_validation_*"
      Environment:
        Variables:
          LOG_LEVEL: !Ref LogLevel
          METRIC_NAMESPACE: !Ref AWS::StackName
          STACK_NAME: !Ref AWS::StackName
          CONFIGURATION_TABLE_NAME: !Ref ConfigurationTable

  SaveReportingDataFunctionV2LogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      KmsKeyId: !GetAtt CustomerManagedEncryptionKey.Arn
      RetentionInDays: !Ref LogRetentionDays

  ##########################################################################
  # CloudWatch monitoring
  ##########################################################################

  AlertsTopic:
    Type: AWS::SNS::Topic
    Properties:
      DisplayName: Workflow Alerts
      KmsMasterKeyId: !Ref CustomerManagedEncryptionKey

  WorkflowErrorsAlarm:
    Type: AWS::CloudWatch::Alarm
    Properties:
      AlarmDescription: !Sub "Alert when workflow errors exceed ${ErrorThreshold} in 5 minutes"
      MetricName: ExecutionsFailedCount
      Namespace: AWS/States
      Statistic: Sum
      Period: 300
      EvaluationPeriods: 1
      Threshold: !Ref ErrorThreshold
      ComparisonOperator: GreaterThanOrEqualToThreshold
      Dimensions:
        - Name: StateMachineArn
          Value: !GetAtt PATTERNSTACK.Outputs.StateMachineArn
      AlarmActions:
        - !Ref AlertsTopic

  SlowExecutionsAlarm:
    Type: AWS::CloudWatch::Alarm
    Properties:
      AlarmDescription: !Sub "Alert when average execution time exceeds ${ExecutionTimeThresholdMs} milliseconds"
      MetricName: ExecutionTime
      Namespace: AWS/States
      Statistic: Average
      Period: 300
      EvaluationPeriods: 1
      Threshold: !Ref ExecutionTimeThresholdMs
      ComparisonOperator: GreaterThanThreshold
      Dimensions:
        - Name: StateMachineArn
          Value: !GetAtt PATTERNSTACK.Outputs.StateMachineArn
      AlarmActions:
        - !Ref AlertsTopic

  # This dasboard is merged with dashboard created by the pattern stack to create an overall dashboard
  MainTemplateSubsetDashboard:
    Type: AWS::CloudWatch::Dashboard
    Properties:
      DashboardName: !Sub "${AWS::StackName}-${AWS::Region}-MainTemplate-Subset"
      DashboardBody: !Sub
        - |
          {
            "widgets": [
              {
                "type": "metric",
                "x": 0,
                "y": 0,
                "width": 8,
                "height": 6,
                "properties": {
                  "metrics": [
                    [
                      "${AWS::StackName}",
                      "QueueLatencyMilliseconds",
                      {
                        "stat": "Average"
                      }
                    ],
                    [
                      ".",
                      "QueueLatencyMilliseconds",
                      {
                        "stat": "p90"
                      }
                    ],
                    [
                      ".",
                      "QueueLatencyMilliseconds",
                      {
                        "stat": "Maximum"
                      }
                    ]
                  ],
                  "region": "${AWS::Region}",
                  "title": "Queue Latency",
                  "period": 300,
                  "view": "timeSeries",
                  "annotations": {
                    "horizontal": [
                      {
                        "value": ${ExecutionTimeThresholdMs
                        },
                        "label": "Threshold (${ExecutionTimeThresholdMs}ms)",
                        "color": "#ff0000"
                      }
                    ]
                  }
                }
              },
              {
                "type": "metric",
                "x": 8,
                "y": 0,
                "width": 8,
                "height": 6,
                "properties": {
                  "metrics": [
                    [
                      "${AWS::StackName}",
                      "WorkflowLatencyMilliseconds",
                      {
                        "stat": "Average"
                      }
                    ],
                    [
                      ".",
                      "WorkflowLatencyMilliseconds",
                      {
                        "stat": "p90"
                      }
                    ],
                    [
                      ".",
                      "WorkflowLatencyMilliseconds",
                      {
                        "stat": "Maximum"
                      }
                    ]
                  ],
                  "region": "${AWS::Region}",
                  "title": "Workflow Latency",
                  "period": 300,
                  "view": "timeSeries",
                  "annotations": {
                    "horizontal": [
                      {
                        "value": ${ExecutionTimeThresholdMs
                        },
                        "label": "Threshold (${ExecutionTimeThresholdMs}ms)",
                        "color": "#ff0000"
                      }
                    ]
                  }
                }
              },
              {
                "type": "metric",
                "x": 16,
                "y": 0,
                "width": 8,
                "height": 6,
                "properties": {
                  "metrics": [
                    [
                      "${AWS::StackName}",
                      "TotalLatencyMilliseconds",
                      {
                        "stat": "Average"
                      }
                    ],
                    [
                      ".",
                      "TotalLatencyMilliseconds",
                      {
                        "stat": "p90"
                      }
                    ],
                    [
                      ".",
                      "TotalLatencyMilliseconds",
                      {
                        "stat": "Maximum"
                      }
                    ]
                  ],
                  "region": "${AWS::Region}",
                  "title": "Total Processing Latency",
                  "period": 300,
                  "view": "timeSeries",
                  "annotations": {
                    "horizontal": [
                      {
                        "value": ${ExecutionTimeThresholdMs
                        },
                        "label": "Threshold (${ExecutionTimeThresholdMs}ms)",
                        "color": "#ff0000"
                      }
                    ]
                  }
                }
              },
              {
                "type": "metric",
                "x": 0,
                "y": 6,
                "width": 8,
                "height": 6,
                "properties": {
                  "metrics": [
                    [
                      {
                        "expression": "m1/PERIOD(m1)*60",
                        "label": "Messages Received per Minute",
                        "id": "e1"
                      }
                    ],
                    [
                      {
                        "expression": "m2/PERIOD(m2)*60",
                        "label": "Messages Deleted per Minute",
                        "id": "e2"
                      }
                    ],
                    [
                      "AWS/SQS",
                      "NumberOfMessagesReceived",
                      "QueueName",
                      "${DocumentQueue.QueueName}",
                      {
                        "id": "m1",
                        "stat": "Sum",
                        "visible": false
                      }
                    ],
                    [
                      ".",
                      "NumberOfMessagesDeleted",
                      ".",
                      ".",
                      {
                        "id": "m2",
                        "stat": "Sum",
                        "visible": false
                      }
                    ]
                  ],
                  "region": "${AWS::Region}",
                  "title": "SQS Queue Metrics (per Minute)",
                  "view": "timeSeries",
                  "period": 60,
                  "yAxis": {
                    "left": {
                      "label": "Count per Minute"
                    }
                  }
                }
              },
              {
                "type": "metric",
                "x": 8,
                "y": 6,
                "width": 8,
                "height": 6,
                "properties": {
                  "metrics": [
                    [
                      {
                        "expression": "m1/PERIOD(m1)*60",
                        "label": "Started per Minute",
                        "id": "e1"
                      }
                    ],
                    [
                      {
                        "expression": "m2/PERIOD(m2)*60",
                        "label": "Succeeded per Minute",
                        "id": "e2"
                      }
                    ],
                    [
                      {
                        "expression": "m3/PERIOD(m3)*60",
                        "label": "Failed per Minute",
                        "id": "e3"
                      }
                    ],
                    [
                      "AWS/States",
                      "ExecutionsStarted",
                      "StateMachineArn",
                      "${StateMachineArn}",
                      {
                        "id": "m1",
                        "stat": "Sum",
                        "visible": false
                      }
                    ],
                    [
                      ".",
                      "ExecutionsSucceeded",
                      ".",
                      ".",
                      {
                        "id": "m2",
                        "stat": "Sum",
                        "visible": false
                      }
                    ],
                    [
                      ".",
                      "ExecutionsFailed",
                      ".",
                      ".",
                      {
                        "id": "m3",
                        "stat": "Sum",
                        "visible": false
                      }
                    ]
                  ],
                  "region": "${AWS::Region}",
                  "title": "Workflow Executions (per Minute)",
                  "view": "timeSeries",
                  "period": 60,
                  "yAxis": {
                    "left": {
                      "label": "Count per Minute"
                    }
                  }
                }
              },
              {
                "type": "log",
                "x": 18,
                "y": 6,
                "width": 8,
                "height": 6,
                "properties": {
                  "query": "SOURCE '${WorkflowTrackerLogGroup}' | fields @timestamp, @message | filter @message like /Publishing latency metrics/ | parse @message 'total: *ms' as totalTime |  filter totalTime > ${ExecutionTimeThresholdMs} |  stats count(*) as high_latency_count by bin(1m)",
                  "region": "${AWS::Region}",
                  "title": "Count of Workflow Executions over latency threshold (${ExecutionTimeThresholdMs}ms)",
                  "stacked": false,
                  "view": "timeSeries"
                }
              },
              {
                "type": "log",
                "x": 0,
                "y": 12,
                "width": 24,
                "height": 6,
                "properties": {
                  "query": "SOURCE '${StateMachineLogGroup}' | fields @timestamp, @message | filter @message like /ExecutionFailed/ or @message like /TimedOut/ | parse @message /execution: (?<execution_arn>[^ ]*)/ | parse @message /error: (?<error>[^\"]*)/| sort @timestamp desc | limit 20",
                  "region": "${AWS::Region}",
                  "title": "Step Functions Executions Failed",
                  "view": "table"
                }
              },
              {
                "type": "log",
                "x": 0,
                "y": 18,
                "width": 12,
                "height": 6,
                "properties": {
                  "query": "SOURCE '${QueueSenderLogGroup}' | fields @timestamp, @logStream, @message | filter @message like /ERROR/ | sort @timestamp desc | limit 20",
                  "region": "${AWS::Region}",
                  "title": "Queue Sender Lambda Errors",
                  "view": "table"
                }
              },
              {
                "type": "log",
                "x": 12,
                "y": 18,
                "width": 12,
                "height": 6,
                "properties": {
                  "query": "SOURCE '${QueueProcessorLogGroup}' | fields @timestamp, @logStream, @message | filter @message like /ERROR/ | sort @timestamp desc | limit 20",
                  "region": "${AWS::Region}",
                  "title": "Queue Processor Lambda Errors",
                  "view": "table"
                }
              },
              {
                "type": "log",
                "x": 0,
                "y": 24,
                "width": 12,
                "height": 6,
                "properties": {
                  "query": "SOURCE '${WorkflowTrackerLogGroup}' | fields @timestamp, @logStream, @message | filter @message like /ERROR/ | sort @timestamp desc | limit 20",
                  "region": "${AWS::Region}",
                  "title": "Workflow Tracker Lambda Errors",
                  "view": "table"
                }
              },
              {
                "type": "log",
                "x": 12,
                "y": 24,
                "width": 12,
                "height": 6,
                "properties": {
                  "query": "SOURCE '${SaveReportingDataFunctionV2LogGroup}' | fields @timestamp, @logStream, @message | filter @message like /ERROR/ | sort @timestamp desc | limit 20",
                  "region": "${AWS::Region}",
                  "title": "Save Reporting Data Tracker Lambda Errors",
                  "view": "table"
                }
              }
            ]
          }
        - StateMachineArn: !GetAtt PATTERNSTACK.Outputs.StateMachineArn
          StateMachineLogGroup: !GetAtt PATTERNSTACK.Outputs.StateMachineLogGroup

  DashboardMergerFunction:
    DependsOn:
      - IsStacknameLengthOK
    Type: AWS::Serverless::Function
    Metadata:
      cfn_nag:
        rules_to_suppress:
          - id: W11
            reason: "Role requires * resource access for CloudWatch Dashboards"
          - id: W89
            reason: "Function does not require VPC access as it only interacts with AWS services via APIs"
          - id: W92
            reason: "Function does not require reserved concurrency as it scales based on demand"
    # checkov:skip=CKV_AWS_116: "DLQ not required for Cfn Custom Resource function"
    # checkov:skip=CKV_AWS_117: "Function does not require VPC access as it only interacts with AWS services via APIs"
    # checkov:skip=CKV_AWS_115: "Function does not require reserved concurrency as it scales based on demand"
    # checkov:skip=CKV_AWS_173: "Environment variables do not contain sensitive data - only configuration values like feature flags and non-sensitive settings"
    Properties:
      PermissionsBoundary:
        !If [
          HasPermissionsBoundary,
          !Ref PermissionsBoundaryArn,
          !Ref AWS::NoValue,
        ]
      CodeUri: src/lambda/dashboard_merger
      Handler: index.handler
      Runtime: python3.12
      Timeout: 60
      MemorySize: 128
      VpcConfig:
        !If
          - DeployInVPC
          - SecurityGroupIds:
              - !Ref LambdaSecurityGroupId
            SubnetIds: !Ref PrivateSubnetIds
          - !Ref AWS::NoValue
      Environment:
        Variables:
          LOG_LEVEL: !Ref LogLevel
          STACK_NAME: !Ref AWS::StackName
      Policies:
        - Version: "2012-10-17"
          Statement:
            - Effect: Allow
              Action:
                - cloudwatch:GetDashboard
                - cloudwatch:ListDashboards
                - cloudwatch:PutDashboard
                - cloudwatch:DeleteDashboards
              Resource: "*"

  MergedDashboard:
    Type: Custom::DashboardMerger
    Properties:
      ServiceToken: !GetAtt DashboardMergerFunction.Arn
      Dashboard1Name: !Ref MainTemplateSubsetDashboard
      Dashboard2Name: !GetAtt PATTERNSTACK.Outputs.DashboardName
      MergedDashboardName: !Sub "${AWS::StackName}-${AWS::Region}"
      ChangeToForceUpdate: <HASH_TOKEN> # Source code hash set by publish script

  ##########################################################################
  # Lambda function that retrieves status details for specified document
  ##########################################################################

  LookupFunction:
    Type: AWS::Serverless::Function
    Metadata:
      cfn_nag:
        rules_to_suppress:
          - id: W89
            reason: "Function does not require VPC access as it only interacts with AWS services via APIs"
          - id: W92
            reason: "Function does not require reserved concurrency as it scales based on demand"
    # checkov:skip=CKV_AWS_116: ""DLQ not required for Lookup function as it is called only from CLI"
    # checkov:skip=CKV_AWS_117: "Function does not require VPC access as it only interacts with AWS services via APIs"
    # checkov:skip=CKV_AWS_115: "Function does not require reserved concurrency as it scales based on demand"
    # checkov:skip=CKV_AWS_173: "Environment variables do not contain sensitive data - only configuration values like feature flags and non-sensitive settings"
    Properties:
      PermissionsBoundary:
        !If [
          HasPermissionsBoundary,
          !Ref PermissionsBoundaryArn,
          !Ref AWS::NoValue,
        ]
      CodeUri: src/lambda/lookup_function/
      Handler: index.handler
      Runtime: python3.12
      Timeout: 30
      VpcConfig:
        !If
          - DeployInVPC
          - SecurityGroupIds:
              - !Ref LambdaSecurityGroupId
            SubnetIds: !Ref PrivateSubnetIds
          - !Ref AWS::NoValue
      LoggingConfig:
        LogGroup: !Ref LookupFunctionLogGroup
      Environment:
        Variables:
          LOG_LEVEL: !Ref LogLevel
          TRACKING_TABLE: !Ref TrackingTable
      Policies:
        - DynamoDBReadPolicy:
            TableName: !Ref TrackingTable
        - Statement:
            - Effect: Allow
              Action:
                - states:DescribeExecution
                - states:GetExecutionHistory
              Resource:
                - !Sub "arn:${AWS::Partition}:states:${AWS::Region}:${AWS::AccountId}:execution:${AWS::StackName}*"
            - Effect: Allow
              Action:
                - kms:Encrypt
                - kms:Decrypt
                - kms:ReEncrypt*
                - kms:GenerateDataKey*
                - kms:DescribeKey
              Resource: !GetAtt CustomerManagedEncryptionKey.Arn

  LookupFunctionLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      KmsKeyId: !GetAtt CustomerManagedEncryptionKey.Arn

      RetentionInDays: !Ref LogRetentionDays

  ##########################################################################
  # Agent resources for text-to-agent feature
  ##########################################################################
  # DynamoDB table for agent job tracking
  AgentTable:
    Type: AWS::DynamoDB::Table
    Properties:
      PointInTimeRecoverySpecification:
        PointInTimeRecoveryEnabled: true
      BillingMode: PAY_PER_REQUEST
      AttributeDefinitions:
        - AttributeName: PK
          AttributeType: S
        - AttributeName: SK
          AttributeType: S
      KeySchema:
        - AttributeName: PK
          KeyType: HASH
        - AttributeName: SK
          KeyType: RANGE
      TimeToLiveSpecification:
        AttributeName: ExpiresAfter
        Enabled: true
      SSESpecification:
        SSEEnabled: true
        SSEType: KMS
        KMSMasterKeyId: !Ref CustomerManagedEncryptionKey

  # DynamoDB table for HITL user management
  UsersTable:
    Type: AWS::DynamoDB::Table
    Properties:
      PointInTimeRecoverySpecification:
        PointInTimeRecoveryEnabled: true
      BillingMode: PAY_PER_REQUEST
      AttributeDefinitions:
        - AttributeName: PK
          AttributeType: S
        - AttributeName: SK
          AttributeType: S
        - AttributeName: email
          AttributeType: S
      KeySchema:
        - AttributeName: PK
          KeyType: HASH
        - AttributeName: SK
          KeyType: RANGE
      GlobalSecondaryIndexes:
        - IndexName: EmailIndex
          KeySchema:
            - AttributeName: email
              KeyType: HASH
          Projection:
            ProjectionType: ALL
      StreamSpecification:
        StreamViewType: NEW_AND_OLD_IMAGES
      SSESpecification:
        SSEEnabled: true
        SSEType: KMS
        KMSMasterKeyId: !Ref CustomerManagedEncryptionKey

  # Secrets Manager secret for External MCP Agent credentials
  ExternalMCPAgentsSecret:
    Type: AWS::SecretsManager::Secret
    Properties:
      Name: !Sub "${AWS::StackName}/external-mcp-agents/credentials"
      Description: "Credentials for External MCP Agents - JSON array with required fields: mcp_url, cognito_user_pool_id, cognito_client_id, cognito_username, cognito_password. Optional fields: agent_name, agent_description"
      SecretString: "[]"
      KmsKeyId: !Ref CustomerManagedEncryptionKey

  # Lambda function for agent chat resolver
  AgentChatProcessorFunction:
    Type: AWS::Serverless::Function
    Metadata:
      cfn_nag:
        rules_to_suppress:
          - id: W89
            reason: "Function does not require VPC access as it only interacts with AWS services via APIs"
          - id: W92
            reason: "Function does not require reserved concurrency as it scales based on demand"
          - id: W58
            reason: "DLQ not required for Cfn Custom Resource function"
          - id: W76
            reason: "Suppressing W76: SPCM for IAM policy document is higher than 25"
          - id: W11
            reason: "Role requires * resource access for CloudWatch Metrics and Logs"
    # checkov:skip=CKV_AWS_116: "DLQ not required for analytics processor as it's invoked asynchronously by request handler with error handling and job status tracking in DynamoDB"
    # checkov:skip=CKV_AWS_117: "Function does not require VPC access as it only interacts with AWS services via APIs"
    # checkov:skip=CKV_AWS_115: "Function does not require reserved concurrency as it scales based on demand"
    # checkov:skip=CKV_AWS_173: "Environment variables do not contain sensitive data - only configuration values like feature flags and non-sensitive settings"
    Properties:
      PermissionsBoundary:
        !If [
          HasPermissionsBoundary,
          !Ref PermissionsBoundaryArn,
          !Ref AWS::NoValue,
        ]
      CodeUri: src/lambda/agent_chat_processor/
      Handler: index.handler
      Runtime: python3.12
      Timeout: 600 # Increase timeout to handle longer Bedrock responses

      Layers:
        - !Ref IDPCommonAgentsLayer
      MemorySize: 1024 # Increase memory for agents with MCP clients and streaming
      VpcConfig: !If
        - DeployInVPC
        - SubnetIds: !Ref PrivateSubnetIds
          SecurityGroupIds:
            - !Ref LambdaSecurityGroupId
        - !If
          - UsePrivateAppSync
          - SubnetIds: !Ref LambdaSubnetIds
            SecurityGroupIds:
              - !Ref LambdaVpcSecurityGroup
          - !Ref AWS::NoValue
      Environment:
        Variables:
          LOG_LEVEL: !Ref LogLevel
          CONFIGURATION_TABLE_NAME: !Ref ConfigurationTable
          TRACKING_TABLE_NAME: !Ref TrackingTable
          LOOKUP_FUNCTION_NAME: !Ref LookupFunction
          STRANDS_LOG_LEVEL: !Ref LogLevel
          BEDROCK_REGION: !Ref AWS::Region
          CHAT_MESSAGES_TABLE: !Ref ChatMessagesTable
          ID_HELPER_CHAT_MEMORY_TABLE: !Ref IdHelperChatMemoryTable
          MEMORY_METHOD: dynamodb
          STREAMING_ENABLED: true
          MAX_CONVERSATION_TURNS: 20
          MAX_MESSAGE_SIZE_KB: 8.5
          DATA_RETENTION_DAYS: !Ref DataRetentionInDays
          APPSYNC_API_URL: !GetAtt GraphQLApi.GraphQLUrl
          ATHENA_DATABASE: !Ref ReportingDatabase
          ATHENA_OUTPUT_LOCATION: !Sub
            - "s3://${Bucket}/athena-results/"
            - Bucket: !If
                - ShouldCreateReportingBucket
                - !Ref ReportingBucket
                - !Ref ReportingBucketName
          AWS_STACK_NAME: !Ref AWS::StackName
          GUARDRAIL_ID_AND_VERSION:
            !If [
              HasGuardrailConfig,
              !Sub "${BedrockGuardrailId}:${BedrockGuardrailVersion}",
              "",
            ]
          CLOUDWATCH_LOG_GROUP_PREFIX: !Sub "/aws/lambda/${AWS::StackName}"
          SETTINGS_PARAMETER_NAME: !Ref SettingsParameter
      LoggingConfig:
        LogGroup: !Ref AgentChatProcessorLogGroup
      Policies:
        - Statement:
            Effect: Allow
            Action: bedrock-agentcore:InvokeAgentRuntime
            Resource: "*"
        - Statement:
            Effect: Allow
            Action: appsync:GraphQL
            Resource: !Sub "arn:${AWS::Partition}:appsync:${AWS::Region}:${AWS::AccountId}:apis/${GraphQLApi.ApiId}/*"
        - DynamoDBCrudPolicy:
            TableName: !Ref ChatMessagesTable
        - DynamoDBCrudPolicy:
            TableName: !Ref IdHelperChatMemoryTable
        - DynamoDBReadPolicy:
            TableName: !Ref ConfigurationTable
        - S3CrudPolicy:
            BucketName: !If
              - ShouldCreateReportingBucket
              - !Ref ReportingBucket
              - !Ref ReportingBucketName
        - Statement:
            - Effect: Allow
              Action:
                - athena:StartQueryExecution
                - athena:GetQueryExecution
                - athena:GetQueryResults
              Resource:
                - !Sub "arn:${AWS::Partition}:athena:${AWS::Region}:${AWS::AccountId}:workgroup/primary"
                - !Sub "arn:${AWS::Partition}:athena:${AWS::Region}:${AWS::AccountId}:datacatalog/*"
            - Effect: Allow
              Action:
                - glue:GetTable
                - glue:GetTables
                - glue:GetDatabase
                - glue:GetDatabases
                - glue:GetPartitions
              Resource:
                - !Sub "arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:catalog"
                - !Sub "arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:database/${ReportingDatabase}"
                - !Sub "arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:table/${ReportingDatabase}/*"
            - Effect: Allow
              Action:
                - bedrock:InvokeModel
                - bedrock:InvokeModelWithResponseStream
                - bedrock:GetInferenceProfile
              Resource:
                - !Sub "arn:${AWS::Partition}:bedrock:*::foundation-model/*"
                - !Sub "arn:${AWS::Partition}:bedrock:${AWS::Region}:${AWS::AccountId}:inference-profile/*"
                - !Sub "arn:${AWS::Partition}:bedrock:${AWS::Region}:${AWS::AccountId}:application-inference-profile/*"
            - Effect: Allow
              Action:
                - aws-marketplace:Subscribe
                - aws-marketplace:Unsubscribe
                - aws-marketplace:ViewSubscriptions
              Resource: "*"
            - !If
              - HasGuardrailConfig
              - Effect: Allow
                Action:
                  - "bedrock:ApplyGuardrail"
                Resource:
                  - !Sub "arn:${AWS::Partition}:bedrock:${AWS::Region}:${AWS::AccountId}:guardrail/${BedrockGuardrailId}"
              - !Ref AWS::NoValue
            - Effect: Allow
              Action:
                - appsync:GraphQL
              Resource:
                - !Sub "${GraphQLApi.Arn}/types/Mutation/*"
            - Effect: Allow
              Action:
                - kms:Encrypt
                - kms:Decrypt
                - kms:ReEncrypt*
                - kms:GenerateDataKey*
                - kms:DescribeKey
              Resource: !GetAtt CustomerManagedEncryptionKey.Arn
            - Effect: Allow
              Action:
                - bedrock-agentcore:StartCodeInterpreterSession
                - bedrock-agentcore:StopCodeInterpreterSession
                - bedrock-agentcore:InvokeCodeInterpreter
                - bedrock-agentcore:GetCodeInterpreterSession
                - bedrock-agentcore:ListCodeInterpreterSessions
              Resource:
                - !Sub "arn:${AWS::Partition}:bedrock-agentcore:*:aws:code-interpreter/*"
            - Effect: Allow
              Action:
                - secretsmanager:GetSecretValue
              Resource:
                - !Ref ExternalMCPAgentsSecret
            - Effect: Allow
              Action:
                - logs:DescribeLogGroups
                - logs:DescribeLogStreams
                - logs:FilterLogEvents
                - logs:GetLogEvents
              Resource:
                - !Sub "arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/${AWS::StackName}*"
                - !Sub "arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/vendedlogs/states/${AWS::StackName}*"
                - !Sub "arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/${AWS::StackName}*"
                - !GetAtt QueueSenderLogGroup.Arn
                - !GetAtt QueueProcessorLogGroup.Arn
                - !GetAtt WorkflowTrackerLogGroup.Arn
                - !GetAtt SaveReportingDataFunctionV2LogGroup.Arn
            - Effect: Allow
              Action:
                - logs:DescribeLogGroups
              Resource:
                - "*"
            - Effect: Allow
              Action:
                - dynamodb:DescribeTable
                - dynamodb:Scan
                - dynamodb:Query
                - dynamodb:GetItem
                - dynamodb:Query
              Resource:
                - !GetAtt TrackingTable.Arn
            - Effect: Allow
              Action:
                - cloudformation:DescribeStackResources
                - cloudformation:DescribeStacks
              Resource:
                - !Sub "arn:${AWS::Partition}:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/${AWS::StackName}/*"
            - Effect: Allow
              Action:
                - lambda:InvokeFunction
              Resource:
                - !Sub "arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:${AWS::StackName}*"
            - Effect: Allow
              Action:
                - states:DescribeExecution
                - states:GetExecutionHistory
              Resource:
                - !Sub "arn:${AWS::Partition}:states:${AWS::Region}:${AWS::AccountId}:execution:${AWS::StackName}*"
            - Effect: Allow
              Action:
                - xray:GetTraceSummaries
                - xray:BatchGetTraces
                - xray:GetServiceGraph
              Resource: "*"
            - Effect: Allow
              Action:
                - ssm:GetParameter
              Resource:
                - !Sub "arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:parameter/${SettingsParameter}"

  AgentChatProcessorLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      KmsKeyId: !GetAtt CustomerManagedEncryptionKey.Arn
      RetentionInDays: !Ref LogRetentionDays

  ##########################################################################
  # DynamoDB Table for Agent Chat Session Metadata
  ##########################################################################

  ChatSessionsTable:
    Type: AWS::DynamoDB::Table
    Properties:
      PointInTimeRecoverySpecification:
        PointInTimeRecoveryEnabled: true
      BillingMode: PAY_PER_REQUEST
      AttributeDefinitions:
        - AttributeName: userId
          AttributeType: S
        - AttributeName: sessionId
          AttributeType: S
      KeySchema:
        - AttributeName: userId
          KeyType: HASH
        - AttributeName: sessionId
          KeyType: RANGE
      TimeToLiveSpecification:
        AttributeName: ExpiresAfter
        Enabled: true
      SSESpecification:
        SSEEnabled: true
        SSEType: KMS
        KMSMasterKeyId: !Ref CustomerManagedEncryptionKey

  ##########################################################################
  # Lambda Functions for Agent Chat Session Management
  ##########################################################################

  # Lambda function for listing agent chat sessions
  ChatMessagesTable:
    Type: AWS::DynamoDB::Table
    Properties:
      PointInTimeRecoverySpecification:
        PointInTimeRecoveryEnabled: true
      BillingMode: PAY_PER_REQUEST
      AttributeDefinitions:
        - AttributeName: PK
          AttributeType: S
        - AttributeName: SK
          AttributeType: S
      KeySchema:
        - AttributeName: PK
          KeyType: HASH
        - AttributeName: SK
          KeyType: RANGE
      TimeToLiveSpecification:
        AttributeName: ExpiresAfter
        Enabled: true
      SSESpecification:
        SSEEnabled: true
        SSEType: KMS
        KMSMasterKeyId: !Ref CustomerManagedEncryptionKey

  IdHelperChatMemoryTable:
    Type: AWS::DynamoDB::Table
    Properties:
      PointInTimeRecoverySpecification:
        PointInTimeRecoveryEnabled: true
      BillingMode: PAY_PER_REQUEST
      AttributeDefinitions:
        - AttributeName: PK
          AttributeType: S
        - AttributeName: SK
          AttributeType: S
      KeySchema:
        - AttributeName: PK
          KeyType: HASH
        - AttributeName: SK
          KeyType: RANGE
      TimeToLiveSpecification:
        AttributeName: ExpiresAfter
        Enabled: true
      SSESpecification:
        SSEEnabled: true
        SSEType: KMS
        KMSMasterKeyId: !Ref CustomerManagedEncryptionKey

  ##########################################################################
  # Capacity Planning Lambda Functions
  ##########################################################################

  CalculateCapacityFunction:
    DependsOn:
      - IsStacknameLengthOK
    Type: AWS::Serverless::Function
    Metadata:
      cfn_nag:
        rules_to_suppress:
          - id: W11
            reason: "servicequotas:GetServiceQuota and ListServiceQuotas APIs do not support resource-level permissions"
          - id: W89
            reason: "Function does not require VPC access as it only interacts with AWS services via APIs"
          - id: W92
            reason: "Function does not require reserved concurrency as it scales based on demand"
    # checkov:skip=CKV_AWS_116: "DLQ not required for capacity planning function"
    # checkov:skip=CKV_AWS_117: "Function does not require VPC access"
    # checkov:skip=CKV_AWS_115: "Function does not require reserved concurrency"
    # checkov:skip=CKV_AWS_173: "Environment variables contain non-sensitive configuration values (log level and feature flags)"
    Properties:
      PermissionsBoundary:
        !If [
          HasPermissionsBoundary,
          !Ref PermissionsBoundaryArn,
          !Ref AWS::NoValue,
        ]
      Handler: index.lambda_handler
      Runtime: python3.12
      Timeout: 300
      MemorySize: 512
      CodeUri: src/lambda/calculate_capacity
      LoggingConfig:
        LogGroup: !Ref CalculateCapacityFunctionLogGroup
      Environment:
        Variables:
          # Required: DynamoDB table for tracking and metering data
          TRACKING_TABLE: !Ref TrackingTable
          METERING_TABLE_NAME: !Ref TrackingTable
          # Required: Lambda memory size for processing time calculation from gb_seconds
          LAMBDA_MEMORY_GB: "0.5"
          # Recommendation thresholds
          RECOMMENDATION_HIGH_COMPLEXITY_THRESHOLD: "2.5"
          RECOMMENDATION_MEDIUM_COMPLEXITY_THRESHOLD: "1.5"
          RECOMMENDATION_HIGH_LOAD_THRESHOLD: "3.0"
          RECOMMENDATION_MEDIUM_LOAD_THRESHOLD: "2.0"
          RECOMMENDATION_HIGH_LATENCY_THRESHOLD: "300"
          RECOMMENDATION_LARGE_DOC_THRESHOLD: "50000"
          RECOMMENDATION_HIGH_PAGE_THRESHOLD: "20"
          # Document complexity thresholds
          MEDIUM_COMPLEXITY_THRESHOLD: "5000"
          HIGH_COMPLEXITY_THRESHOLD: "15000"
          PAGE_COMPLEXITY_FACTOR: "0.1"
          HIGH_COMPLEXITY_MULTIPLIER: "2.0"
          MEDIUM_COMPLEXITY_MULTIPLIER: "1.5"
          # Token calculation
          MIN_TOKENS_PER_REQUEST: "500"
          # Bedrock model quota codes (TPM and RPM)
          BEDROCK_MODEL_QUOTA_CODES: '{"us.amazon.nova-lite-v1:0":"L-7C42E72A","us.amazon.nova-pro-v1:0":"L-C0326783","us.amazon.nova-premier-v1:0":"L-AA7FE948","us.amazon.nova-2-lite-v1:0":"L-C6F5908D","global.amazon.nova-2-lite-v1:0":"L-C6F5908D","us.anthropic.claude-3-haiku-20240307-v1:0":"L-DCADBC78","us.anthropic.claude-haiku-4-5-20251001-v1:0":"L-58BE175A","us.anthropic.claude-3-5-sonnet-20241022-v2:0":"L-FF8B4E28","us.anthropic.claude-3-7-sonnet-20250219-v1:0":"L-6E888CC2","us.anthropic.claude-sonnet-4-20250514-v1:0":"L-59759B4A","us.anthropic.claude-sonnet-4-5-20250929-v1:0":"L-F4DDD3EB","us.anthropic.claude-opus-4-20250514-v1:0":"L-29C2B0A3","us.anthropic.claude-opus-4-1-20250805-v1:0":"L-BD85BFCD","us.anthropic.claude-opus-4-5-20251101-v1:0":"L-7007E9C9","global.anthropic.claude-haiku-4-5-20251001-v1:0":"L-58BE175A","global.anthropic.claude-sonnet-4-5-20250929-v1:0":"L-F4DDD3EB","global.anthropic.claude-opus-4-5-20251101-v1:0":"L-7007E9C9"}'
          BEDROCK_MODEL_RPM_QUOTA_CODES: '{"us.amazon.nova-lite-v1:0":"L-89F8391A","us.amazon.nova-pro-v1:0":"L-ED46B8C5","us.amazon.nova-premier-v1:0":"L-9AD981E7","us.amazon.nova-2-lite-v1:0":"L-F06F1187","global.amazon.nova-2-lite-v1:0":"L-F06F1187","us.anthropic.claude-3-haiku-20240307-v1:0":"L-616A3F5B","us.anthropic.claude-haiku-4-5-20251001-v1:0":"L-CCA5DF70","us.anthropic.claude-3-5-sonnet-20241022-v2:0":"L-1D3E59A3","us.anthropic.claude-3-7-sonnet-20250219-v1:0":"L-3D8CC480","us.anthropic.claude-sonnet-4-20250514-v1:0":"L-559DCC33","us.anthropic.claude-sonnet-4-5-20250929-v1:0":"L-4A6BFAB1","us.anthropic.claude-opus-4-20250514-v1:0":"L-C99C7EF6","us.anthropic.claude-opus-4-1-20250805-v1:0":"L-7EC72A47","us.anthropic.claude-opus-4-5-20251101-v1:0":"L-27989F42","global.anthropic.claude-haiku-4-5-20251001-v1:0":"L-CCA5DF70","global.anthropic.claude-sonnet-4-5-20250929-v1:0":"L-4A6BFAB1","global.anthropic.claude-opus-4-5-20251101-v1:0":"L-27989F42"}'
      Policies:
        - Statement:
            - Effect: Allow
              Action:
                - servicequotas:GetServiceQuota
                - servicequotas:ListServiceQuotas
              Resource: "*"
            - Effect: Allow
              Action:
                - dynamodb:Scan
                - dynamodb:Query
              Resource: !GetAtt TrackingTable.Arn
            - Effect: Allow
              Action:
                - kms:Decrypt
              Resource: !GetAtt CustomerManagedEncryptionKey.Arn

  CalculateCapacityFunctionLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      LogGroupName: !Sub "/aws/lambda/${AWS::StackName}-CalculateCapacity"
      KmsKeyId: !GetAtt CustomerManagedEncryptionKey.Arn
      RetentionInDays: !Ref LogRetentionDays

  CalculateCapacityResolverFunction:
    DependsOn:
      - IsStacknameLengthOK
    Type: AWS::Serverless::Function
    Metadata:
      cfn_nag:
        rules_to_suppress:
          - id: W89
            reason: "Function does not require VPC access"
          - id: W92
            reason: "Function does not require reserved concurrency"
    # checkov:skip=CKV_AWS_116: "DLQ not required"
    # checkov:skip=CKV_AWS_117: "VPC not required"
    # checkov:skip=CKV_AWS_115: "Reserved concurrency not required"
    # checkov:skip=CKV_AWS_173: "Environment variables contain non-sensitive configuration values (log level only)"
    Properties:
      PermissionsBoundary:
        !If [
          HasPermissionsBoundary,
          !Ref PermissionsBoundaryArn,
          !Ref AWS::NoValue,
        ]
      Handler: index.lambda_handler
      Runtime: python3.12
      Timeout: 60
      CodeUri: src/lambda/calculate_capacity_resolver
      LoggingConfig:
        LogGroup: !Ref CalculateCapacityResolverFunctionLogGroup
      Environment:
        Variables:
          CALCULATE_CAPACITY_FUNCTION_NAME: !Ref CalculateCapacityFunction
      Policies:
        - Statement:
            - Effect: Allow
              Action:
                - lambda:InvokeFunction
              Resource: !GetAtt CalculateCapacityFunction.Arn

  CalculateCapacityResolverFunctionLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      LogGroupName: !Sub "/aws/lambda/${AWS::StackName}-CalculateCapacityResolver"
      KmsKeyId: !GetAtt CustomerManagedEncryptionKey.Arn
      RetentionInDays: !Ref LogRetentionDays

  CalculateCapacityDataSource:
    Type: AWS::AppSync::DataSource
    Properties:
      ApiId: !GetAtt GraphQLApi.ApiId
      Name: CalculateCapacityDataSource
      Description: Lambda function for calculating capacity requirements
      Type: AWS_LAMBDA
      ServiceRoleArn: !GetAtt HITLAppSyncServiceRole.Arn
      LambdaConfig:
        LambdaFunctionArn: !GetAtt CalculateCapacityResolverFunction.Arn

  CalculateCapacityResolver:
    Type: AWS::AppSync::Resolver
    DependsOn: APPSYNCSTACK
    Properties:
      ApiId: !GetAtt GraphQLApi.ApiId
      DataSourceName: !GetAtt CalculateCapacityDataSource.Name
      TypeName: Query
      FieldName: calculateCapacity

  AgentProcessorLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      LogGroupName: !Sub "/aws/lambda/${AWS::StackName}-AgentProcessor"
      RetentionInDays: !Ref LogRetentionDays
      KmsKeyId: !GetAtt CustomerManagedEncryptionKey.Arn

  # Lambda function for agent request handler
  AgentProcessorFunction:
    Type: AWS::Serverless::Function
    Metadata:
      cfn_nag:
        rules_to_suppress:
          - id: W89
            reason: "Function does not require VPC access as it only interacts with AWS services via APIs"
          - id: W92
            reason: "Function does not require reserved concurrency as it scales based on demand"
          - id: W58
            reason: "DLQ not required for Cfn Custom Resource function"
          - id: W76
            reason: "Suppressing W76: SPCM for IAM policy document is higher than 25"
          - id: W11
            reason: "Role requires * resource access for CloudWatch Metrics and Logs"
    # checkov:skip=CKV_AWS_116: "DLQ not required for analytics processor as it's invoked asynchronously by request handler with error handling and job status tracking in DynamoDB"
    # checkov:skip=CKV_AWS_117: "Function does not require VPC access as it only interacts with AWS services via APIs"
    # checkov:skip=CKV_AWS_115: "Function does not require reserved concurrency as it scales based on demand"
    # checkov:skip=CKV_AWS_173: "Environment variables do not contain sensitive data - only configuration values like feature flags and non-sensitive settings"
    Properties:
      PermissionsBoundary:
        !If [
          HasPermissionsBoundary,
          !Ref PermissionsBoundaryArn,
          !Ref AWS::NoValue,
        ]
      CodeUri: src/lambda/agent_processor/
      Handler: index.handler
      Runtime: python3.12
      Timeout: 900

      Layers:
        - !Ref IDPCommonAgentsLayer
      MemorySize: 1024
      VpcConfig: !If
        - DeployInVPC
        - SubnetIds: !Ref PrivateSubnetIds
          SecurityGroupIds:
            - !Ref LambdaSecurityGroupId
        - !If
          - UsePrivateAppSync
          - SubnetIds: !Ref LambdaSubnetIds
            SecurityGroupIds:
              - !Ref LambdaVpcSecurityGroup
          - !Ref AWS::NoValue
      Environment:
        Variables:
          LOG_LEVEL: !Ref LogLevel
          CONFIGURATION_TABLE_NAME: !Ref ConfigurationTable
          TRACKING_TABLE_NAME: !Ref TrackingTable
          LOOKUP_FUNCTION_NAME: !Ref LookupFunction
          STRANDS_LOG_LEVEL: !Ref LogLevel
          AGENT_TABLE: !Ref AgentTable
          APPSYNC_API_URL: !GetAtt GraphQLApi.GraphQLUrl
          ATHENA_DATABASE: !Ref ReportingDatabase
          ATHENA_OUTPUT_LOCATION: !Sub
            - "s3://${Bucket}/athena-results/"
            - Bucket: !If
                - ShouldCreateReportingBucket
                - !Ref ReportingBucket
                - !Ref ReportingBucketName
          AWS_STACK_NAME: !Ref AWS::StackName
          GUARDRAIL_ID_AND_VERSION:
            !If [
              HasGuardrailConfig,
              !Sub "${BedrockGuardrailId}:${BedrockGuardrailVersion}",
              "",
            ]
          CLOUDWATCH_LOG_GROUP_PREFIX: !Sub "/aws/lambda/${AWS::StackName}"
          SETTINGS_PARAMETER_NAME: !Ref SettingsParameter
      LoggingConfig:
        LogGroup: !Ref AgentProcessorLogGroup
      Policies:
        - DynamoDBCrudPolicy:
            TableName: !Ref AgentTable
        - DynamoDBReadPolicy:
            TableName: !Ref ConfigurationTable
        - S3CrudPolicy:
            BucketName: !If
              - ShouldCreateReportingBucket
              - !Ref ReportingBucket
              - !Ref ReportingBucketName
        - Statement:
            - Effect: Allow
              Action:
                - athena:StartQueryExecution
                - athena:GetQueryExecution
                - athena:GetQueryResults
              Resource:
                - !Sub "arn:${AWS::Partition}:athena:${AWS::Region}:${AWS::AccountId}:workgroup/primary"
                - !Sub "arn:${AWS::Partition}:athena:${AWS::Region}:${AWS::AccountId}:datacatalog/*"
            - Effect: Allow
              Action:
                - glue:GetTable
                - glue:GetTables
                - glue:GetDatabase
                - glue:GetDatabases
                - glue:GetPartitions
              Resource:
                - !Sub "arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:catalog"
                - !Sub "arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:database/${ReportingDatabase}"
                - !Sub "arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:table/${ReportingDatabase}/*"
            - Effect: Allow
              Action:
                - bedrock:InvokeModel
                - bedrock:InvokeModelWithResponseStream
                - bedrock:GetInferenceProfile
              Resource:
                - !Sub "arn:${AWS::Partition}:bedrock:*::foundation-model/*"
                - !Sub "arn:${AWS::Partition}:bedrock:${AWS::Region}:${AWS::AccountId}:inference-profile/*"
                - !Sub "arn:${AWS::Partition}:bedrock:${AWS::Region}:${AWS::AccountId}:application-inference-profile/*"
            - Effect: Allow
              Action:
                - aws-marketplace:Subscribe
                - aws-marketplace:Unsubscribe
                - aws-marketplace:ViewSubscriptions
              Resource: "*"
            - !If
              - HasGuardrailConfig
              - Effect: Allow
                Action:
                  - "bedrock:ApplyGuardrail"
                Resource:
                  - !Sub "arn:${AWS::Partition}:bedrock:${AWS::Region}:${AWS::AccountId}:guardrail/${BedrockGuardrailId}"
              - !Ref AWS::NoValue
            - Effect: Allow
              Action:
                - appsync:GraphQL
              Resource:
                - !Sub "${GraphQLApi.Arn}/types/Mutation/*"
            - Effect: Allow
              Action:
                - kms:Encrypt
                - kms:Decrypt
                - kms:ReEncrypt*
                - kms:GenerateDataKey*
                - kms:DescribeKey
              Resource: !GetAtt CustomerManagedEncryptionKey.Arn
            - Effect: Allow
              Action:
                - bedrock-agentcore:StartCodeInterpreterSession
                - bedrock-agentcore:StopCodeInterpreterSession
                - bedrock-agentcore:InvokeCodeInterpreter
                - bedrock-agentcore:GetCodeInterpreterSession
                - bedrock-agentcore:ListCodeInterpreterSessions
              Resource:
                - !Sub "arn:${AWS::Partition}:bedrock-agentcore:*:aws:code-interpreter/*"
            - Effect: Allow
              Action:
                - secretsmanager:GetSecretValue
              Resource:
                - !Ref ExternalMCPAgentsSecret
            - Effect: Allow
              Action:
                - logs:DescribeLogGroups
                - logs:DescribeLogStreams
                - logs:FilterLogEvents
                - logs:GetLogEvents
              Resource:
                - !Sub "arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/${AWS::StackName}*"
                - !Sub "arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/vendedlogs/states/${AWS::StackName}*"
                - !Sub "arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/${AWS::StackName}*"
                - !GetAtt QueueSenderLogGroup.Arn
                - !GetAtt QueueProcessorLogGroup.Arn
                - !GetAtt WorkflowTrackerLogGroup.Arn
                - !GetAtt SaveReportingDataFunctionV2LogGroup.Arn
            - Effect: Allow
              Action:
                - logs:DescribeLogGroups
              Resource:
                - "*"
            - Effect: Allow
              Action:
                - dynamodb:DescribeTable
                - dynamodb:Scan
                - dynamodb:Query
                - dynamodb:GetItem
                - dynamodb:Query
              Resource:
                - !GetAtt TrackingTable.Arn
            - Effect: Allow
              Action:
                - cloudformation:DescribeStackResources
                - cloudformation:DescribeStacks
              Resource:
                - !Sub "arn:${AWS::Partition}:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/${AWS::StackName}/*"
            - Effect: Allow
              Action:
                - lambda:InvokeFunction
              Resource:
                - !Sub "arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:${AWS::StackName}*"
            - Effect: Allow
              Action:
                - states:DescribeExecution
                - states:GetExecutionHistory
              Resource:
                - !Sub "arn:${AWS::Partition}:states:${AWS::Region}:${AWS::AccountId}:execution:${AWS::StackName}*"
            - Effect: Allow
              Action:
                - xray:GetTraceSummaries
                - xray:BatchGetTraces
                - xray:GetServiceGraph
              Resource: "*"
            - Effect: Allow
              Action:
                - ssm:GetParameter
              Resource:
                - !Sub "arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:parameter/${SettingsParameter}"

  ExternalAppClient:
    Type: AWS::Cognito::UserPoolClient
    Condition: CreateExternalAppClient
    Properties:
      ClientName: "external-app-client"
      UserPoolId: !Ref UserPool
      GenerateSecret: true
      ExplicitAuthFlows:
        - ALLOW_ADMIN_USER_PASSWORD_AUTH
        - ALLOW_USER_PASSWORD_AUTH
        - ALLOW_REFRESH_TOKEN_AUTH
      SupportedIdentityProviders:
        - COGNITO
      AllowedOAuthFlows:
        - code
      AllowedOAuthFlowsUserPoolClient: true
      AllowedOAuthScopes:
        - openid
        - email
        - profile
      CallbackURLs:
        - !Sub "https://${GetDomain.OutputString}.auth.${AWS::Region}.amazoncognito.com"
        - !If
          - UseCloudFrontHosting
          - !Sub "https://${CloudFrontDistribution.DomainName}/"
          - !Sub "${ALBHOSTINGSTACK.Outputs.WebUIURL}/"
        - !Sub "https://${AWS::Region}.quicksight.aws.amazon.com/sn/oauthcallback"
        - https://us-east-1.quicksight.aws.amazon.com/sn/oauthcallback
        - https://us-west-2.quicksight.aws.amazon.com/sn/oauthcallback
        - https://eu-west-1.quicksight.aws.amazon.com/sn/oauthcallback
        - https://ap-southeast-2.quicksight.aws.amazon.com/sn/oauthcallback
      LogoutURLs:
        - !Sub "https://${GetDomain.OutputString}.auth.${AWS::Region}.amazoncognito.com"
        - !If
          - UseCloudFrontHosting
          - !Sub "https://${CloudFrontDistribution.DomainName}/"
          - !Sub "${ALBHOSTINGSTACK.Outputs.WebUIURL}/"
        - !Sub "https://${AWS::Region}.quicksight.aws.amazon.com/sn/oauthcallback"
        - https://us-east-1.quicksight.aws.amazon.com/sn/oauthcallback
        - https://us-west-2.quicksight.aws.amazon.com/sn/oauthcallback
        - https://eu-west-1.quicksight.aws.amazon.com/sn/oauthcallback
        - https://ap-southeast-2.quicksight.aws.amazon.com/sn/oauthcallback

  MCPResourceServer:
    Type: AWS::Cognito::UserPoolResourceServer
    Condition: CreateAgentCoreLambda
    Properties:
      UserPoolId: !Ref UserPool
      Identifier: idp-mcp-connector
      Name: idp-mcp-connector
      Scopes:
        - ScopeName: access
          ScopeDescription: Full access to IDP MCP Connector

  MCPConnectorClient:
    Type: AWS::Cognito::UserPoolClient
    Condition: CreateAgentCoreLambda
    DependsOn: MCPResourceServer
    Properties:
      ClientName: "mcp-connector-client"
      UserPoolId: !Ref UserPool
      GenerateSecret: true
      AllowedOAuthFlows:
        - client_credentials
      AllowedOAuthFlowsUserPoolClient: true
      AllowedOAuthScopes:
        - idp-mcp-connector/access
      SupportedIdentityProviders:
        - COGNITO

  ##########################################################################
  # Cognoito user authentication for AppSync API and WebUI
  ##########################################################################

  UserPool:
    Type: AWS::Cognito::UserPool
    Metadata:
      cfn-nag:
        rules_to_suppress:
          - id: W57 # MFA warning
            reason: "MFA configurations specific to target environment - disabled by default"
    Properties:
      UserPoolName: !Sub ${AWS::StackName}-users
      AdminCreateUserConfig:
        AllowAdminCreateUserOnly: !If
          - ShouldAllowSignUpEmailDomain
          - false
          - true
        InviteMessageTemplate:
          EmailSubject: Welcome to GenAI-IDP!
          EmailMessage: !Sub
            - |-
              <p>Hello {username},</p>
              <p>Welcome to the AWS GenAIIDP Solution! Your temporary password is: <strong>{####}</strong></p>
              <p>When the CloudFormation stack is COMPLETE, use the link below to log in and set your permanent password.
              <p>     ${WebUIURL}
              <p>
              <p>Thanks,</p>
              <p>AWS GenAIIDP Team</p>
              <p>
              <p><em>Stack: ${AWS::StackName}, v<VERSION>, <BUILD_DATE_TIME></em>
            - WebUIURL: !If
                - UseCloudFrontHosting
                - !Sub "https://${CloudFrontDistribution.DomainName}/"
                - !GetAtt ALBHOSTINGSTACK.Outputs.WebUIURL
      AutoVerifiedAttributes:
        - email
      EmailConfiguration:
        EmailSendingAccount: COGNITO_DEFAULT
      EmailVerificationMessage: >-
        Please verify your email to complete account registration. Confirmation Code
        {####}.
      EmailVerificationSubject: >-
        Account Verification
      # LambdaConfig condition matrix (ShouldAllowSignUpEmailDomain × ShouldMapExternalIdPGroups):
      #   EmailDomain=Y, GroupMap=Y → PreAuth + PreSignUp + PreTokenGen
      #   EmailDomain=Y, GroupMap=N → PreAuth + PreSignUp only
      #   EmailDomain=N, GroupMap=Y → PreTokenGen only
      #   EmailDomain=N, GroupMap=N → no LambdaConfig (AWS::NoValue)
      LambdaConfig: !If
        - ShouldAllowSignUpEmailDomain
        - PreAuthentication: !GetAtt CognitoUserPoolEmailDomainVerifyFunction.Arn
          PreSignUp: !GetAtt CognitoUserPoolEmailDomainVerifyFunction.Arn
          PreTokenGeneration: !If
            - ShouldMapExternalIdPGroups
            - !GetAtt ExternalIdPGroupMappingFunction.Arn
            - !Ref AWS::NoValue
        - !If
          - ShouldMapExternalIdPGroups
          - PreTokenGeneration: !GetAtt ExternalIdPGroupMappingFunction.Arn
          - !Ref AWS::NoValue
      Policies:
        PasswordPolicy:
          MinimumLength: 8
          RequireLowercase: true
          RequireNumbers: true
          RequireSymbols: true
          RequireUppercase: true
      Schema:
        - Name: email
          AttributeDataType: String
          Mutable: false
          Required: true
        - Name: idp_groups
          AttributeDataType: String
          Mutable: true
          Required: false
          StringAttributeConstraints:
            MaxLength: "2048"
      UsernameConfiguration:
        CaseSensitive: false

  UserPoolClient:
    Type: AWS::Cognito::UserPoolClient
    DependsOn: ExternalIdentityProviderReady
    Properties:
      ClientName: !Sub "${AWS::StackName}-Client"
      AllowedOAuthFlows:
        - code
      AllowedOAuthFlowsUserPoolClient: true
      AllowedOAuthScopes:
        - openid
        - email
        - phone
        - profile
      CallbackURLs:
        - !If
          - UseCloudFrontHosting
          - !Sub "https://${CloudFrontDistribution.DomainName}"
          - !GetAtt ALBHOSTINGSTACK.Outputs.WebUIURL
        - !If
          - UseCloudFrontHosting
          - !Sub "https://${CloudFrontDistribution.DomainName}/"
          - !Sub "${ALBHOSTINGSTACK.Outputs.WebUIURL}/"
      LogoutURLs: !If
        - HasExternalIdP
        - - !If
            - UseCloudFrontHosting
            - !Sub "https://${CloudFrontDistribution.DomainName}"
            - !GetAtt ALBHOSTINGSTACK.Outputs.WebUIURL
          - !If
            - UseCloudFrontHosting
            - !Sub "https://${CloudFrontDistribution.DomainName}/"
            - !Sub "${ALBHOSTINGSTACK.Outputs.WebUIURL}/"
        - !Ref AWS::NoValue
      AccessTokenValidity: 1
      EnableTokenRevocation: true
      ExplicitAuthFlows:
        - ALLOW_USER_SRP_AUTH
        - ALLOW_REFRESH_TOKEN_AUTH
      GenerateSecret: false # pragma: allowlist secret - CloudFormation parameter, not actual secret
      IdTokenValidity: 1
      PreventUserExistenceErrors: ENABLED
      ReadAttributes:
        - email
        - email_verified
        - preferred_username
        - !If
          - HasExternalIdP
          - custom:idp_groups
          - !Ref AWS::NoValue
      RefreshTokenValidity: 30
      SupportedIdentityProviders: !If
        - HasExternalIdP
        - - COGNITO
          - !Ref ExternalIdPName
        - - COGNITO
      UserPoolId: !Ref UserPool

  ##########################################################################
  # External Identity Provider (SAML/OIDC Federation)
  ##########################################################################

  # Custom Resource Lambda to resolve OIDC client secret from Secrets Manager at deploy time.
  # This avoids passing the secret as a CloudFormation parameter (visible via describe-stacks API).
  ResolveOIDCClientSecretFunction:
    Type: AWS::Serverless::Function
    Condition: IsExternalIdPOIDC
    Metadata:
      cfn_nag:
        rules_to_suppress:
          - id: W89
            reason: "Function does not require VPC access as it only interacts with AWS services via APIs"
          - id: W92
            reason: "Function does not require reserved concurrency as it scales based on demand"
    # checkov:skip=CKV_AWS_116: "DLQ not required for Cfn Custom Resource function"
    # checkov:skip=CKV_AWS_117: "Function does not require VPC access as it only interacts with AWS services via APIs"
    # checkov:skip=CKV_AWS_115: "Function does not require reserved concurrency as it scales based on demand"
    Properties:
      PermissionsBoundary:
        !If [
          HasPermissionsBoundary,
          !Ref PermissionsBoundaryArn,
          !Ref AWS::NoValue,
        ]
      Description: Resolves OIDC client secret from Secrets Manager for Cognito IdP configuration
      Handler: index.handler
      Runtime: python3.12
      Timeout: 30
      MemorySize: 128
      LoggingConfig:
        LogGroup: !Ref ResolveOIDCClientSecretFunctionLogGroup
      Policies:
        - Version: "2012-10-17"
          Statement:
            - Effect: Allow
              Action:
                - secretsmanager:GetSecretValue
              Resource: !Ref ExternalIdPOIDCClientSecretArn
      InlineCode: |
        import cfnresponse
        import boto3
        def handler(event, context):
            if event['RequestType'] == 'Delete':
                cfnresponse.send(event, context, cfnresponse.SUCCESS, {})
                return
            try:
                secret_arn = event['ResourceProperties']['SecretArn']
                client = boto3.client('secretsmanager')
                response = client.get_secret_value(SecretId=secret_arn)
                # Return secret value as a custom resource attribute (NoEcho by design)
                cfnresponse.send(event, context, cfnresponse.SUCCESS, {
                    'SecretValue': response['SecretString']
                })
            except Exception as e:
                cfnresponse.send(event, context, cfnresponse.FAILED, {}, reason=str(e))

  ResolveOIDCClientSecretFunctionLogGroup:
    Type: AWS::Logs::LogGroup
    Condition: IsExternalIdPOIDC
    Properties:
      KmsKeyId: !GetAtt CustomerManagedEncryptionKey.Arn
      RetentionInDays: !Ref LogRetentionDays

  ResolveOIDCClientSecret:
    Type: Custom::ResolveSecret
    Condition: IsExternalIdPOIDC
    Properties:
      ServiceToken: !GetAtt ResolveOIDCClientSecretFunction.Arn
      SecretArn: !Ref ExternalIdPOIDCClientSecretArn

  # Create conditional dependency on ExternalIdentityProvider
  ExternalIdentityProviderReady:
    Type: AWS::CloudFormation::WaitConditionHandle
    Metadata:
      ConditionalDependency:
        !If [
          HasExternalIdP,
          !Ref ExternalIdentityProvider,
          "",
        ]

  ExternalIdentityProvider:
    Type: AWS::Cognito::UserPoolIdentityProvider
    Condition: HasExternalIdP
    Properties:
      UserPoolId: !Ref UserPool
      ProviderName: !Ref ExternalIdPName
      ProviderType: !Ref ExternalIdPType
      ProviderDetails: !If
        - IsExternalIdPSAML
        - MetadataURL: !Ref ExternalIdPMetadataURL
        - client_id: !Ref ExternalIdPOIDCClientId
          client_secret: !GetAtt ResolveOIDCClientSecret.SecretValue
          oidc_issuer: !Ref ExternalIdPOIDCIssuer
          attributes_request_method: GET
          authorize_scopes: "openid email profile"
      AttributeMapping:
        email: !If
          - IsExternalIdPSAML
          - "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
          - "email"
        custom:idp_groups: !If
          - HasExternalIdPGroupMapping
          - !Ref ExternalIdPGroupAttributeName
          - !Ref AWS::NoValue

  ExternalIdPGroupMappingFunction:
    Type: AWS::Serverless::Function
    Condition: ShouldMapExternalIdPGroups
    Metadata:
      cfn_nag:
        rules_to_suppress:
          - id: W89
            reason: "Function does not require VPC access as it only interacts with AWS services via APIs"
          - id: W92
            reason: "Function does not require reserved concurrency as it scales based on demand"
    # checkov:skip=CKV_AWS_115: "Function does not require reserved concurrency as it scales based on demand"
    # checkov:skip=CKV_AWS_116: "DLQ not required for Cognito trigger function"
    # checkov:skip=CKV_AWS_117: "Function does not require VPC access as it only interacts with AWS services via APIs"
    # checkov:skip=CKV_AWS_173: "Environment variables do not contain sensitive data - only group name mappings"
    Properties:
      PermissionsBoundary:
        !If [
          HasPermissionsBoundary,
          !Ref PermissionsBoundaryArn,
          !Ref AWS::NoValue,
        ]
      Description: Maps external IdP group claims to Cognito groups before token generation
      Handler: index.handler
      Runtime: python3.12
      Timeout: 30
      MemorySize: 128
      Environment:
        Variables:
          LOG_LEVEL: !Ref LogLevel
          ADMIN_GROUP_NAME: !Ref ExternalIdPAdminGroupName
          AUTHOR_GROUP_NAME: !Ref ExternalIdPAuthorGroupName
          REVIEWER_GROUP_NAME: !Ref ExternalIdPReviewerGroupName
          VIEWER_GROUP_NAME: !Ref ExternalIdPViewerGroupName
      LoggingConfig:
        LogGroup: !Ref ExternalIdPGroupMappingFunctionLogGroup
      Policies: []
      InlineCode: |
        """Post-authentication Lambda trigger to map external IdP groups to Cognito groups."""
        import os
        import logging
        import boto3

        logger = logging.getLogger()
        logger.setLevel(os.environ.get("LOG_LEVEL", "INFO"))

        cognito = boto3.client("cognito-idp")

        # Mapping: external IdP group name -> Cognito group name
        GROUP_MAPPING = {}
        for env_key, cognito_group in [
            ("ADMIN_GROUP_NAME", "Admin"),
            ("AUTHOR_GROUP_NAME", "Author"),
            ("REVIEWER_GROUP_NAME", "Reviewer"),
            ("VIEWER_GROUP_NAME", "Viewer"),
        ]:
            idp_group = os.environ.get(env_key, "").strip()
            if idp_group:
                GROUP_MAPPING[idp_group] = cognito_group

        COGNITO_GROUPS = set(GROUP_MAPPING.values())


        def handler(event, context):
            """Handle pre-token-generation trigger from Cognito."""
            logger.info(f"Pre-token trigger source: {event.get('triggerSource')}")

            # Extract user pool ID from the event (avoids circular CloudFormation dependency)
            user_pool_id = event.get("userPoolId", "")
            username = event.get("userName", "")
            user_attributes = event.get("request", {}).get("userAttributes", {})
            idp_groups_raw = user_attributes.get("custom:idp_groups", "")

            if not idp_groups_raw:
                logger.info(f"No IdP groups claim for user {username}")
                return event

            # Parse IdP groups - handle comma-separated, JSON array, or single value
            idp_groups = []
            idp_groups_raw = idp_groups_raw.strip()
            if not idp_groups_raw:
                logger.info(f"No IdP groups claim for user {username}")
                return event
            if idp_groups_raw.startswith("["):
                import json
                try:
                    idp_groups = json.loads(idp_groups_raw)
                except Exception:
                    idp_groups = [g.strip().strip('"') for g in idp_groups_raw.strip("[]").split(",")]
            else:
                idp_groups = [g.strip() for g in idp_groups_raw.split(",")]

            logger.info(f"User {username} IdP groups: {idp_groups}")

            # Determine target Cognito groups from mapping
            target_groups = set()
            for idp_group in idp_groups:
                if idp_group in GROUP_MAPPING:
                    target_groups.add(GROUP_MAPPING[idp_group])

            if not target_groups:
                logger.warning(f"No matching Cognito groups for user {username} with IdP groups {idp_groups}")
                return event

            # Get current Cognito groups for user
            try:
                response = cognito.admin_list_groups_for_user(
                    UserPoolId=user_pool_id, Username=username
                )
                current_groups = {g["GroupName"] for g in response.get("Groups", [])}
            except Exception as e:
                logger.error(f"Failed to list groups for user {username}: {e}")
                return event

            # Add user to target groups they are not already in
            for group in target_groups - current_groups:
                try:
                    cognito.admin_add_user_to_group(
                        UserPoolId=user_pool_id, Username=username, GroupName=group
                    )
                    logger.info(f"Added user {username} to group {group}")
                except Exception as e:
                    logger.error(f"Failed to add user {username} to group {group}: {e}")

            # Remove user from managed groups they should no longer be in
            for group in (current_groups & COGNITO_GROUPS) - target_groups:
                try:
                    cognito.admin_remove_user_from_group(
                        UserPoolId=user_pool_id, Username=username, GroupName=group
                    )
                    logger.info(f"Removed user {username} from group {group}")
                except Exception as e:
                    logger.error(f"Failed to remove user {username} from group {group}: {e}")

            logger.info(f"User {username} group sync complete. Groups: {target_groups}")

            # Inject groups into the token so they are available immediately on first sign-in
            event.setdefault("response", {})
            event["response"]["claimsAndScopeOverrideDetails"] = {
                "groupOverrideDetails": {
                    "groupsToOverride": list(target_groups)
                }
            }

            return event

  ExternalIdPGroupMappingFunctionLogGroup:
    Type: AWS::Logs::LogGroup
    Condition: ShouldMapExternalIdPGroups
    Properties:
      KmsKeyId: !GetAtt CustomerManagedEncryptionKey.Arn
      RetentionInDays: !Ref LogRetentionDays

  # Separate IAM policy scoped to the specific UserPool.
  # Defined as a standalone resource to avoid a circular dependency:
  # UserPool → LambdaConfig → Function → Role → UserPool
  ExternalIdPGroupMappingCognitoPolicy:
    Type: AWS::IAM::Policy
    Condition: ShouldMapExternalIdPGroups
    Properties:
      PolicyName: ExternalIdPGroupMappingCognitoAccess
      Roles:
        - !Ref ExternalIdPGroupMappingFunctionRole
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action:
              - cognito-idp:AdminListGroupsForUser
              - cognito-idp:AdminAddUserToGroup
              - cognito-idp:AdminRemoveUserFromGroup
            Resource: !Sub "arn:${AWS::Partition}:cognito-idp:${AWS::Region}:${AWS::AccountId}:userpool/${UserPool}"

  ExternalIdPGroupMappingPermission:
    Type: AWS::Lambda::Permission
    Condition: ShouldMapExternalIdPGroups
    Properties:
      Action: lambda:InvokeFunction
      FunctionName: !Ref ExternalIdPGroupMappingFunction
      Principal: !Sub "cognito-idp.${AWS::URLSuffix}"
      SourceAccount: !Ref AWS::AccountId
      SourceArn: !Sub "arn:${AWS::Partition}:cognito-idp:${AWS::Region}:${AWS::AccountId}:userpool/${UserPool}"

  GetDomainLambda:
    DependsOn:
      - IsStacknameLengthOK
    Type: AWS::Serverless::Function
    Metadata:
      cfn_nag:
        rules_to_suppress:
          - id: W89
            reason: "Function does not require VPC access as it only interacts with AWS services via APIs"
          - id: W92
            reason: "Function does not require reserved concurrency as it scales based on demand"
    # checkov:skip=CKV_AWS_116: "DLQ not required for Cfn Custom Resource function"
    # checkov:skip=CKV_AWS_117: "Function does not require VPC access as it only interacts with AWS services via APIs"
    # checkov:skip=CKV_AWS_115: "Function does not require reserved concurrency as it scales based on demand"
    Properties:
      PermissionsBoundary:
        !If [
          HasPermissionsBoundary,
          !Ref PermissionsBoundaryArn,
          !Ref AWS::NoValue,
        ]
      Description: Converts Stackname to lowercase and adds unique timestamp
      Handler: index.handler
      Runtime: python3.12
      Timeout: 30
      MemorySize: 128
      LoggingConfig:
        LogGroup: !Ref GetDomainLambdaLogGroup
      InlineCode: |
        import cfnresponse
        import time
        def handler(event, context):                                                    
            lowercase = event['ResourceProperties'].get('InputString', '').lower()
            lowercaseWithTimestamp = f"{lowercase}-{time.time_ns()}" # make unique
            responseData = {
              'Lowercase': lowercase, 
              'OutputString': lowercaseWithTimestamp, # don't change key - avoid UserPool update errors
            }                                            
            cfnresponse.send(event, context, cfnresponse.SUCCESS, responseData)

  GetDomainLambdaLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      KmsKeyId: !GetAtt CustomerManagedEncryptionKey.Arn
      RetentionInDays: !Ref LogRetentionDays

  # Preserve CR name - avoid forcing UserPoolDomain update.
  GetDomain:
    Type: Custom::GetDomain
    Properties:
      ServiceToken: !GetAtt GetDomainLambda.Arn
      InputString: !Ref AWS::StackName

  UserPoolDomain:
    Type: "AWS::Cognito::UserPoolDomain"
    Properties:
      Domain: !GetAtt GetDomain.OutputString
      UserPoolId: !Ref UserPool

  IdentityPool:
    Type: AWS::Cognito::IdentityPool
    Properties:
      IdentityPoolName: !Sub "${AWS::StackName}-IdentityPool"
      AllowUnauthenticatedIdentities: false
      CognitoIdentityProviders:
        - ClientId: !Ref UserPoolClient
          ProviderName: !GetAtt UserPool.ProviderName

  CognitoIdentityPoolSetRole:
    Type: AWS::Cognito::IdentityPoolRoleAttachment
    Properties:
      IdentityPoolId: !Ref IdentityPool
      Roles:
        authenticated: !GetAtt CognitoAuthorizedRole.Arn

  CognitoAuthorizedRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Federated: cognito-identity.amazonaws.com
            Action:
              - sts:AssumeRoleWithWebIdentity
            Condition:
              StringEquals:
                "cognito-identity.amazonaws.com:aud": !Ref IdentityPool
              "ForAnyValue:StringLike":
                "cognito-identity.amazonaws.com:amr": authenticated
      PermissionsBoundary:
        !If [
          HasPermissionsBoundary,
          !Ref PermissionsBoundaryArn,
          !Ref AWS::NoValue,
        ]
      Policies:
        - PolicyName: S3
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Effect: Allow
                Action:
                  - "s3:GetObject"
                  - "s3:ListBucket"
                Resource:
                  - !Sub "arn:${AWS::Partition}:s3:::${OutputBucket}"
                  - !Sub "arn:${AWS::Partition}:s3:::${OutputBucket}/*"
                  - !Sub "arn:${AWS::Partition}:s3:::${InputBucket}"
                  - !Sub "arn:${AWS::Partition}:s3:::${InputBucket}/*"
                  - !Sub "arn:${AWS::Partition}:s3:::${ConfigurationBucket}"
                  - !Sub "arn:${AWS::Partition}:s3:::${ConfigurationBucket}/*"
              - Effect: Allow
                Action:
                  - kms:Encrypt
                  - kms:Decrypt
                  - kms:ReEncrypt*
                  - kms:GenerateDataKey*
                  - kms:DescribeKey
                Resource: !GetAtt CustomerManagedEncryptionKey.Arn
        - PolicyName: ParameterStore
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Effect: Allow
                Action:
                  - "ssm:GetParameter"
                Resource:
                  - !Sub "arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:parameter/${SettingsParameter}"
        - PolicyName: GraphQL
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Effect: Allow
                Action:
                  - appsync:GraphQL
                Resource:
                  - !Sub "${GraphQLApi.Arn}/types/Query/*"
                  - !Sub "${GraphQLApi.Arn}/types/Subscription/*"

  AdminUser:
    Type: AWS::Cognito::UserPoolUser
    DependsOn: CognitoUserPoolEmailDomainVerifyPermissionReady
    Properties:
      DesiredDeliveryMediums:
        - EMAIL
      UserAttributes:
        - Name: email
          Value: !Ref AdminEmail
      Username: !Ref AdminEmail
      UserPoolId: !Ref UserPool

  # Create conditional dependency on CognitoUserPoolEmailDomainVerifyPermission
  CognitoUserPoolEmailDomainVerifyPermissionReady:
    Type: AWS::CloudFormation::WaitConditionHandle
    Metadata:
      ConditionalDependency:
        !If [
          ShouldAllowSignUpEmailDomain,
          !Ref CognitoUserPoolEmailDomainVerifyPermission,
          "",
        ]

  AdminGroup:
    Type: AWS::Cognito::UserPoolGroup
    Properties:
      Description: Administrators
      GroupName: Admin
      Precedence: 0
      UserPoolId: !Ref UserPool

  AuthorGroup:
    Type: AWS::Cognito::UserPoolGroup
    Properties:
      Description: Authors - read/write access to documents and configuration
      GroupName: Author
      Precedence: 1
      UserPoolId: !Ref UserPool

  ReviewerGroup:
    Type: AWS::Cognito::UserPoolGroup
    Properties:
      Description: Document Reviewers for HITL
      GroupName: Reviewer
      Precedence: 2
      UserPoolId: !Ref UserPool

  ViewerGroup:
    Type: AWS::Cognito::UserPoolGroup
    Properties:
      Description: Viewers - read-only access to documents and configuration
      GroupName: Viewer
      Precedence: 3
      UserPoolId: !Ref UserPool

  AdminUserToGroupAttachment:
    Type: AWS::Cognito::UserPoolUserToGroupAttachment
    Properties:
      GroupName: !Ref AdminGroup
      Username: !Ref AdminUser
      UserPoolId: !Ref UserPool

  CognitoUserPoolEmailDomainVerifyFunction:
    DependsOn:
      - IsStacknameLengthOK
    Type: AWS::Serverless::Function
    Metadata:
      cfn_nag:
        rules_to_suppress:
          - id: W89
            reason: "Function does not require VPC access as it only interacts with AWS services via APIs"
          - id: W92
            reason: "Function does not require reserved concurrency as it scales based on demand"
    # checkov:skip=CKV_AWS_115: "Function does not require reserved concurrency as it scales based on demand"
    # checkov:skip=CKV_AWS_116: "DLQ not required for email verifier function"
    # checkov:skip=CKV_AWS_117: "Function does not require VPC access as it only interacts with AWS services via APIs"
    # checkov:skip=CKV_AWS_173: "Environment variables do not contain sensitive data - only configuration values like feature flags and non-sensitive settings"
    Condition: ShouldAllowSignUpEmailDomain
    Properties:
      PermissionsBoundary:
        !If [
          HasPermissionsBoundary,
          !Ref PermissionsBoundaryArn,
          !Ref AWS::NoValue,
        ]
      Description: Verifies email address is in allowed domain
      Handler: index.lambda_handler
      Runtime: python3.12
      Timeout: 10
      Environment:
        Variables:
          LOG_LEVEL: !Ref LogLevel
          ALLOWED_SIGNUP_EMAIL_DOMAINS: !Ref AllowedSignUpEmailDomain
      InlineCode: |
        import os
        import boto3
        import json
        def lambda_handler(event, context):
            print(json.dumps(event))
            allowed_domains = [
                domain.strip() 
                for domain in os.environ.get('ALLOWED_SIGNUP_EMAIL_DOMAINS', '').split(',')
            ]
            user_attributes = event.get('request', {}).get('userAttributes', {})
            email = user_attributes.get('email')
            if not email or '@' not in email:
                raise ValueError('Username does not exist or invalid email address')
            email_domain = email.split('@')[1]
            if not email_domain or not allowed_domains:
                raise ValueError('Server error - invalid configuration')
            if email_domain not in allowed_domains:
                raise ValueError('Invalid email address domain')
            return event
      LoggingConfig:
        LogGroup: !Ref CognitoUserPoolEmailDomainVerifyFunctionLogGroup

  CognitoUserPoolEmailDomainVerifyFunctionLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      KmsKeyId: !GetAtt CustomerManagedEncryptionKey.Arn
      RetentionInDays: !Ref LogRetentionDays

  CognitoUserPoolEmailDomainVerifyPermission:
    Type: AWS::Lambda::Permission
    Condition: ShouldAllowSignUpEmailDomain
    Properties:
      Action: lambda:InvokeFunction
      FunctionName: !Ref CognitoUserPoolEmailDomainVerifyFunction
      Principal: !Sub "cognito-idp.${AWS::URLSuffix}"
      SourceAccount: !Ref AWS::AccountId
      SourceArn: !GetAtt UserPool.Arn

  ##########################################################################
  # AppSync GraphQL API
  ##########################################################################

  ##########################################################################
  # Lambda Security Group (conditional on UsePrivateAppSync)
  # Used by Lambda functions in VPC to reach AppSync + AWS service endpoints
  ##########################################################################

  LambdaVpcSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Condition: UsePrivateAppSync
    Properties:
      GroupDescription: !Sub "Security group for ${AWS::StackName} Lambda functions in VPC (private AppSync mode)"
      # ALBVpcId is used here because AppSyncVisibility=PRIVATE always requires
      # WebUIHosting=ALB — a private AppSync API is only accessible from inside
      # the VPC, so the browser must also be inside the VPC via the internal ALB.
      VpcId: !Ref ALBVpcId
      SecurityGroupEgress:
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp: 0.0.0.0/0
          Description: "Allow HTTPS to VPC endpoints"
      Tags:
        - Key: Name
          Value: !Sub "${AWS::StackName}-lambda-sg"

  GraphQLApi:
    Type: AWS::AppSync::GraphQLApi
    # checkov:skip=CKV_AWS_194: AppSync has Field-Level logging is determined by LogLevel parameter
    Properties:
      Name: !Sub ${AWS::StackName}-api
      Visibility: !If [UsePrivateAppSync, PRIVATE, GLOBAL]
      AuthenticationType: AMAZON_COGNITO_USER_POOLS
      UserPoolConfig:
        UserPoolId: !Ref UserPool
        AwsRegion: !Ref AWS::Region
        DefaultAction: ALLOW
      AdditionalAuthenticationProviders:
        - AuthenticationType: AWS_IAM
      LogConfig:
        CloudWatchLogsRoleArn: !GetAtt AppSyncCwlRole.Arn
        ExcludeVerboseContent: false
        FieldLogLevel:
          !FindInMap [ AppSyncLogLevelMap, !Ref LogLevel, FieldLogLevel ]
      # Disable introspection for security purposes
      IntrospectionConfig: DISABLED

  GraphQLApiLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      KmsKeyId: !GetAtt CustomerManagedEncryptionKey.Arn
      LogGroupName: !Sub "/aws/appsync/apis/${GraphQLApi.ApiId}"
      RetentionInDays: !Ref LogRetentionDays

  AppSyncCwlRole:
    DependsOn:
      - IsStacknameLengthOK
    Type: AWS::IAM::Role
    Properties:
      ManagedPolicyArns:
        - !Sub "arn:${AWS::Partition}:iam::aws:policy/service-role/AWSAppSyncPushToCloudWatchLogs"
      PermissionsBoundary:
        !If [
          HasPermissionsBoundary,
          !Ref PermissionsBoundaryArn,
          !Ref AWS::NoValue,
        ]
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Action:
              - sts:AssumeRole
            Principal:
              Service:
                - !Sub "appsync.${AWS::URLSuffix}"

  # Optionally Secure API with WAF

  WAFIPV4Set:
    Type: AWS::WAFv2::IPSet
    Condition: IsWafEnabled
    Properties:
      Name: !Sub ${AWS::StackName}-allowed-ips
      Description: IP ranges allowed to access the AppSync API
      Scope: REGIONAL
      IPAddressVersion: IPV4
      Addresses: !Split [ ", ", !Ref WAFAllowedIPv4Ranges ]

  WAFLambdaServiceIPSet:
    Type: AWS::WAFv2::IPSet
    Condition: IsWafEnabled
    Properties:
      Name: !Sub ${AWS::StackName}-lambda-service-ips
      Description: IP ranges used by AWS Lambda service
      Scope: REGIONAL
      IPAddressVersion: IPV4
      Addresses: [ "0.0.0.0/32" ] # Placeholder - will be updated by IPSetUpdaterFunction

  IPSetUpdaterFunction:
    Type: AWS::Serverless::Function
    Condition: IsWafEnabled
    Metadata:
      cfn_nag:
        rules_to_suppress:
          - id: W89
            reason: "Function does not require VPC access as it only interacts with AWS services via APIs"
          - id: W92
            reason: "Function does not require reserved concurrency as it scales based on demand"
    # checkov:skip=CKV_AWS_116: "DLQ not required for Cfn Custom Resource function"
    # checkov:skip=CKV_AWS_117: "Function does not require VPC access as it only interacts with AWS services via APIs"
    # checkov:skip=CKV_AWS_115: "Function does not require reserved concurrency as it scales based on demand"
    # checkov:skip=CKV_AWS_173: "Environment variables do not contain sensitive data
    Properties:
      PermissionsBoundary:
        !If [
          HasPermissionsBoundary,
          !Ref PermissionsBoundaryArn,
          !Ref AWS::NoValue,
        ]
      CodeUri: ./src/lambda/ipset_updater
      Handler: index.lambda_handler
      Runtime: python3.12
      Timeout: 300
      MemorySize: 256
      Environment:
        Variables:
          LOG_LEVEL: !Ref LogLevel
          IPSET_NAME: !Sub ${AWS::StackName}-lambda-service-ips
      Policies:
        - Version: "2012-10-17"
          Statement:
            - Effect: Allow
              Action:
                - wafv2:GetIPSet
                - wafv2:UpdateIPSet
              Resource: !GetAtt WAFLambdaServiceIPSet.Arn
            - Effect: Allow
              Action:
                - wafv2:ListIPSets
              Resource: !Sub "arn:${AWS::Partition}:wafv2:${AWS::Region}:${AWS::AccountId}:regional/ipset/*"
      Events:
        Schedule:
          Type: Schedule
          Properties:
            Schedule: rate(1 day)
            Description: Update Lambda IP ranges daily
            Enabled: true

  IPSetUpdaterCustomResource:
    Type: Custom::IPSetUpdater
    Condition: IsWafEnabled
    Properties:
      ServiceToken: !GetAtt IPSetUpdaterFunction.Arn
      UpdateTime: <BUILD_DATE_TIME> # To force an update when stack is updated

  WAFWebACL:
    Type: AWS::WAFv2::WebACL
    Condition: IsWafEnabled
    Properties:
      Name: !Sub ${AWS::StackName}-appsync-acl
      Description: Web ACL for AppSync API
      Scope: REGIONAL
      DefaultAction:
        Block: { }
      Rules:
        - Name: AllowLambdaServiceIPs
          Priority: 1
          Statement:
            IPSetReferenceStatement:
              Arn: !GetAtt WAFLambdaServiceIPSet.Arn
          Action:
            Allow: { }
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: AllowLambdaServiceIPsRule
        - Name: AllowListedIPs
          Priority: 2
          Statement:
            IPSetReferenceStatement:
              Arn: !GetAtt WAFIPV4Set.Arn
          Action:
            Allow: { }
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: AllowListedIPsRule
      VisibilityConfig:
        SampledRequestsEnabled: true
        CloudWatchMetricsEnabled: true
        MetricName: APIAccessControl

  WAFWebACLAssociation:
    Type: AWS::WAFv2::WebACLAssociation
    Condition: IsWafEnabled
    Properties:
      ResourceArn: !GetAtt GraphQLApi.Arn
      WebACLArn: !GetAtt WAFWebACL.Arn

  # Api Schema, datasource, resolvers

  TestFileCopyQueueDLQ:
    Type: AWS::SQS::Queue
    Properties:
      KmsMasterKeyId: !Ref CustomerManagedEncryptionKey
      MessageRetentionPeriod: 1209600 # 14 days
      VisibilityTimeout: 900

  TestFileCopyQueueDLQPolicy:
    Type: AWS::SQS::QueuePolicy
    Properties:
      Queues:
        - !Ref TestFileCopyQueueDLQ
      PolicyDocument:
        Statement:
          - Sid: DenyInsecureConnections
            Effect: Deny
            Principal: "*"
            Action: "sqs:*"
            Resource: !GetAtt TestFileCopyQueueDLQ.Arn
            Condition:
              Bool:
                "aws:SecureTransport": "false"

  TestFileCopyQueue:
    Type: AWS::SQS::Queue
    Properties:
      KmsMasterKeyId: !Ref CustomerManagedEncryptionKey
      VisibilityTimeout: 900
      RedrivePolicy:
        deadLetterTargetArn: !GetAtt TestFileCopyQueueDLQ.Arn
        maxReceiveCount: 3

  TestFileCopyQueuePolicy:
    Type: AWS::SQS::QueuePolicy
    Properties:
      Queues:
        - !Ref TestFileCopyQueue
      PolicyDocument:
        Statement:
          - Sid: DenyInsecureConnections
            Effect: Deny
            Principal: "*"
            Action: "sqs:*"
            Resource: !GetAtt TestFileCopyQueue.Arn
            Condition:
              Bool:
                "aws:SecureTransport": "false"

  ##########################################################################
  # SQS Queue for test set file copying jobs
  ##########################################################################

  TestSetFileCopyQueueDLQ:
    Type: AWS::SQS::Queue
    Properties:
      KmsMasterKeyId: !Ref CustomerManagedEncryptionKey
      MessageRetentionPeriod: 1209600 # 14 days
      VisibilityTimeout: 900

  TestSetFileCopyQueueDLQPolicy:
    Type: AWS::SQS::QueuePolicy
    Properties:
      Queues:
        - !Ref TestSetFileCopyQueueDLQ
      PolicyDocument:
        Statement:
          - Sid: DenyInsecureConnections
            Effect: Deny
            Principal: "*"
            Action: "sqs:*"
            Resource: !GetAtt TestSetFileCopyQueueDLQ.Arn
            Condition:
              Bool:
                "aws:SecureTransport": "false"

  TestSetFileCopyQueue:
    Type: AWS::SQS::Queue
    Properties:
      KmsMasterKeyId: !Ref CustomerManagedEncryptionKey
      VisibilityTimeout: 900
      RedrivePolicy:
        deadLetterTargetArn: !GetAtt TestSetFileCopyQueueDLQ.Arn
        maxReceiveCount: 3

  TestSetFileCopyQueuePolicy:
    Type: AWS::SQS::QueuePolicy
    Properties:
      Queues:
        - !Ref TestSetFileCopyQueue
      PolicyDocument:
        Statement:
          - Sid: DenyInsecureConnections
            Effect: Deny
            Principal: "*"
            Action: "sqs:*"
            Resource: !GetAtt TestSetFileCopyQueue.Arn
            Condition:
              Bool:
                "aws:SecureTransport": "false"

  ##########################################################################
  # Lambda function to copy test set files
  ##########################################################################

  TestSetFileCopierFunctionDLQ:
    Type: AWS::SQS::Queue
    Properties:
      KmsMasterKeyId: !Ref CustomerManagedEncryptionKey

  TestSetFileCopierFunction:
    Type: AWS::Serverless::Function
    Metadata:
      cfn_nag:
        rules_to_suppress:
          - id: W89
            reason: "Function does not require VPC access as it only interacts with AWS services via APIs"
          - id: W92
            reason: "Function does not require reserved concurrency as it scales based on demand"
          - id: W12
            reason: "Lambda requires CloudWatch logs permissions"
    # checkov:skip=CKV_AWS_116: "DLQ not required for SQS triggered function"
    # checkov:skip=CKV_AWS_117: "Function does not require VPC access as it only interacts with AWS services via APIs"
    # checkov:skip=CKV_AWS_115: "Function does not require reserved concurrency as it scales based on demand"
    # checkov:skip=CKV_AWS_173: "Environment variables do not contain sensitive data - only configuration values like feature flags and non-sensitive settings"
    Properties:
      PermissionsBoundary: !If [HasPermissionsBoundary, !Ref PermissionsBoundaryArn, !Ref AWS::NoValue]
      Handler: index.handler
      Runtime: python3.12
      CodeUri: ./src/lambda/test_set_file_copier
      Description: Lambda function to copy test set files from SQS queue
      MemorySize: 1024
      Timeout: 900

      Layers:
        - !Ref IDPCommonBaseLayer
      DeadLetterQueue:
        Type: SQS
        TargetArn: !GetAtt TestSetFileCopierFunctionDLQ.Arn
      LoggingConfig:
        LogGroup: !Ref TestSetFileCopierFunctionLogGroup
      Environment:
        Variables:
          LOG_LEVEL: !Ref LogLevel
          INPUT_BUCKET: !Ref InputBucket
          TEST_SET_BUCKET: !Ref TestSetBucket
          BASELINE_BUCKET: !If
            - ShouldCreateEvaluationBaselineBucket
            - !Ref EvaluationBaselineBucket
            - !Ref EvaluationBaselineBucketName
          TRACKING_TABLE: !Ref TrackingTable
      Policies:
        - DynamoDBCrudPolicy:
            TableName: !Ref TrackingTable
        - S3ReadPolicy:
            BucketName: !Ref InputBucket
        - S3ReadPolicy:
            BucketName: !If
              - ShouldCreateEvaluationBaselineBucket
              - !Ref EvaluationBaselineBucket
              - !Ref EvaluationBaselineBucketName
        - S3CrudPolicy:
            BucketName: !Ref TestSetBucket
        - Statement:
            - Effect: Allow
              Action:
                - kms:Encrypt
                - kms:Decrypt
                - kms:ReEncrypt*
                - kms:GenerateDataKey*
                - kms:DescribeKey
              Resource: !GetAtt CustomerManagedEncryptionKey.Arn
      Events:
        SQSEvent:
          Type: SQS
          Properties:
            Queue: !GetAtt TestSetFileCopyQueue.Arn
            BatchSize: 1

  TestSetFileCopierFunctionLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      KmsKeyId: !GetAtt CustomerManagedEncryptionKey.Arn
      RetentionInDays: !Ref LogRetentionDays

  ##########################################################################
  # Lambda function to extract uploaded ZIP files for TestSets
  ##########################################################################

  TestSetZipExtractorFunction:
    Type: AWS::Serverless::Function
    Metadata:
      cfn_nag:
        rules_to_suppress:
          - id: W89
            reason: "Lambda function does not need to be in VPC"
          - id: W92
            reason: "Lambda function does not need reserved concurrency"
    # checkov:skip=CKV_AWS_115: "Function does not require reserved concurrency as it scales based on demand"
    # checkov:skip=CKV_AWS_116: "DLQ not required for synchronous AppSync resolver"
    # checkov:skip=CKV_AWS_117: "Function does not require VPC access as it only interacts with AWS services via APIs"
    # checkov:skip=CKV_AWS_173: "Environment variables contain non-sensitive configuration values"
    Properties:
      PermissionsBoundary:
        !If [
          HasPermissionsBoundary,
          !Ref PermissionsBoundaryArn,
          !Ref AWS::NoValue,
        ]
      CodeUri: src/lambda/test_set_zip_extractor/
      Handler: index.handler
      Runtime: python3.12
      Timeout: 300
      MemorySize: 1024
      VpcConfig:
        !If
          - DeployInVPC
          - SecurityGroupIds:
              - !Ref LambdaSecurityGroupId
            SubnetIds: !Ref PrivateSubnetIds
          - !Ref AWS::NoValue
      Environment:
        Variables:
          LOG_LEVEL: !Ref LogLevel
          TRACKING_TABLE: !Ref TrackingTable
          TEST_SET_BUCKET: !Ref TestSetBucket
      LoggingConfig:
        LogGroup: !Ref TestSetZipExtractorFunctionLogGroup
      Policies:
        - DynamoDBCrudPolicy:
            TableName: !Ref TrackingTable
        - Statement:
            - Effect: Allow
              Action:
                - kms:Encrypt
                - kms:Decrypt
                - kms:ReEncrypt*
                - kms:GenerateDataKey*
                - kms:DescribeKey
              Resource: !GetAtt CustomerManagedEncryptionKey.Arn

  TestSetZipExtractorFunctionInvokePermission:
    Type: AWS::Lambda::Permission
    Properties:
      FunctionName: !Ref TestSetZipExtractorFunction
      Action: lambda:InvokeFunction
      Principal: !Sub "s3.${AWS::URLSuffix}"
      SourceArn: !GetAtt TestSetBucket.Arn
      SourceAccount: !Ref AWS::AccountId

  TestSetZipExtractorFunctionLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      KmsKeyId: !GetAtt CustomerManagedEncryptionKey.Arn
      RetentionInDays: !Ref LogRetentionDays

  # Separate policies to break circular dependency
  TestSetZipExtractorS3Policy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: TestSetZipExtractorS3Access
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action:
              - s3:GetObject
              - s3:PutObject
              - s3:DeleteObject
              - s3:ListBucket
            Resource:
              - !Sub "${TestSetBucket.Arn}/*"
              - !GetAtt TestSetBucket.Arn
      Roles:
        - !Ref TestSetZipExtractorFunctionRole

  # Custom resource to configure S3 bucket notification after both bucket and function exist
  TestSetBucketNotificationFunction:
    Type: AWS::Serverless::Function
    Metadata:
      cfn_nag:
        rules_to_suppress:
          - id: W89
            reason: "Function does not require VPC access as it only interacts with AWS services via APIs"
          - id: W92
            reason: "Function does not require reserved concurrency as it scales based on demand"
    # checkov:skip=CKV_AWS_116: "DLQ not required for Cfn Custom Resource function"
    # checkov:skip=CKV_AWS_117: "Function does not require VPC access as it only interacts with AWS services via APIs"
    # checkov:skip=CKV_AWS_115: "Function does not require reserved concurrency as it scales based on demand"
    Properties:
      PermissionsBoundary:
        !If [
          HasPermissionsBoundary,
          !Ref PermissionsBoundaryArn,
          !Ref AWS::NoValue,
        ]
      Handler: index.handler
      Runtime: python3.12
      Timeout: 60
      VpcConfig:
        !If
          - DeployInVPC
          - SecurityGroupIds:
              - !Ref LambdaSecurityGroupId
            SubnetIds: !Ref PrivateSubnetIds
          - !Ref AWS::NoValue
      InlineCode: |
        import boto3
        import cfnresponse
        import json
        import logging

        logger = logging.getLogger()
        logger.setLevel(logging.INFO)

        def handler(event, context):
            logger.info(json.dumps(event))
            
            try:
                s3_client = boto3.client('s3')
                bucket_name = event['ResourceProperties']['BucketName']
                function_arn = event['ResourceProperties']['FunctionArn']
                
                if event['RequestType'] == 'Create' or event['RequestType'] == 'Update':
                    # Configure bucket notification
                    notification_config = {
                        'LambdaFunctionConfigurations': [
                            {
                                'Id': 'TestSetZipExtractor',
                                'LambdaFunctionArn': function_arn,
                                'Events': ['s3:ObjectCreated:*'],
                                'Filter': {
                                    'Key': {
                                        'FilterRules': [
                                            {
                                                'Name': 'suffix',
                                                'Value': '.zip'
                                            }
                                        ]
                                    }
                                }
                            }
                        ]
                    }
                    
                    s3_client.put_bucket_notification_configuration(
                        Bucket=bucket_name,
                        NotificationConfiguration=notification_config
                    )
                    
                elif event['RequestType'] == 'Delete':
                    # Remove bucket notification
                    s3_client.put_bucket_notification_configuration(
                        Bucket=bucket_name,
                        NotificationConfiguration={}
                    )
                
                cfnresponse.send(event, context, cfnresponse.SUCCESS, {})
                
            except Exception as e:
                logger.error(f"Error: {str(e)}")
                cfnresponse.send(event, context, cfnresponse.FAILED, {}, 
                               reason=f"Error configuring bucket notification: {str(e)}")
      Policies:
        - Statement:
            - Effect: Allow
              Action:
                - s3:PutBucketNotification
                - s3:GetBucketNotification
              Resource: !GetAtt TestSetBucket.Arn

  TestSetBucketNotificationConfiguration:
    Type: Custom::S3BucketNotification
    DependsOn:
      - TestSetZipExtractorFunctionInvokePermission
      - TestSetZipExtractorS3Policy
    Properties:
      ServiceToken: !GetAtt TestSetBucketNotificationFunction.Arn
      BucketName: !Ref TestSetBucket
      FunctionArn: !GetAtt TestSetZipExtractorFunction.Arn


  ##########################################################################
  # Lambda function to copy test files
  ##########################################################################

  TestFileCopierFunctionDLQ:
    Type: AWS::SQS::Queue
    Properties:
      KmsMasterKeyId: !Ref CustomerManagedEncryptionKey

  TestFileCopierFunction:
    Type: AWS::Serverless::Function
    Metadata:
      cfn_nag:
        rules_to_suppress:
          - id: W89
            reason: "Function does not require VPC access as it only interacts with AWS services via APIs"
          - id: W92
            reason: "Function does not require reserved concurrency as it scales based on demand"
          - id: W12
            reason: "Lambda requires CloudWatch logs permissions"
    # checkov:skip=CKV_AWS_116: "DLQ configured for SQS triggered function"
    # checkov:skip=CKV_AWS_117: "Function does not require VPC access as it only interacts with AWS services via APIs"
    # checkov:skip=CKV_AWS_115: "Function does not require reserved concurrency as it scales based on demand"
    # checkov:skip=CKV_AWS_173: "Environment variables contain non-sensitive configuration values (bucket names and log level)"
    Properties:
      PermissionsBoundary: !If [HasPermissionsBoundary, !Ref PermissionsBoundaryArn, !Ref AWS::NoValue]
      Handler: index.handler
      Runtime: python3.12
      CodeUri: ./src/lambda/test_file_copier
      Description: Lambda function to copy test files from SQS queue
      MemorySize: 1024
      Timeout: 900

      DeadLetterQueue:
        Type: SQS
        TargetArn: !GetAtt TestFileCopierFunctionDLQ.Arn
      LoggingConfig:
        LogGroup: !Ref TestFileCopierFunctionLogGroup
      Environment:
        Variables:
          LOG_LEVEL: !Ref LogLevel
          INPUT_BUCKET: !Ref InputBucket
          TEST_SET_BUCKET: !Ref TestSetBucket
          BASELINE_BUCKET: !If
            - ShouldCreateEvaluationBaselineBucket
            - !Ref EvaluationBaselineBucket
            - !Ref EvaluationBaselineBucketName
          TRACKING_TABLE: !Ref TrackingTable
      Policies:
        - DynamoDBCrudPolicy:
            TableName: !Ref TrackingTable
        - S3ReadPolicy:
            BucketName: !Ref TestSetBucket
        - S3CrudPolicy:
            BucketName: !Ref InputBucket
        - S3CrudPolicy:
            BucketName: !If
              - ShouldCreateEvaluationBaselineBucket
              - !Ref EvaluationBaselineBucket
              - !Ref EvaluationBaselineBucketName
        - Statement:
            - Effect: Allow
              Action:
                - kms:Encrypt
                - kms:Decrypt
                - kms:ReEncrypt*
                - kms:GenerateDataKey*
                - kms:DescribeKey
              Resource: !GetAtt CustomerManagedEncryptionKey.Arn
      Events:
        SQSEvent:
          Type: SQS
          Properties:
            Queue: !GetAtt TestFileCopyQueue.Arn
            BatchSize: 1

  TestFileCopierFunctionLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      KmsKeyId: !GetAtt CustomerManagedEncryptionKey.Arn
      RetentionInDays: !Ref LogRetentionDays

  TestResultCacheUpdateQueue:
    Type: AWS::SQS::Queue
    Properties:
      QueueName: !Sub "${AWS::StackName}-test-result-cache-update"
      VisibilityTimeout: 900
      MessageRetentionPeriod: 1209600
      KmsMasterKeyId: !Ref CustomerManagedEncryptionKey

  DiscoveryProcessorFunction:
    Type: AWS::Serverless::Function
    Metadata:
      cfn_nag:
        rules_to_suppress:
          - id: W89
            reason: "Function does not require VPC access as it only interacts with AWS services via APIs"
          - id: W92
            reason: "Function does not require reserved concurrency as it scales based on demand"
          - id: W12
            reason: "Lambda requires CloudWatch logs permissions"
          - id: W11
            reason: "Role requires * resource access for CloudWatch Metrics and Logs"
    # checkov:skip=CKV_AWS_116: "DLQ not required for SQS triggered function"
    # checkov:skip=CKV_AWS_117: "Function does not require VPC access as it only interacts with AWS services via APIs"
    # checkov:skip=CKV_AWS_115: "Function does not require reserved concurrency as it scales based on demand"
    # checkov:skip=CKV_AWS_173: "Environment variables do not contain sensitive data - only configuration values like feature flags and non-sensitive settings"
    Properties:
      PermissionsBoundary:
        !If [
          HasPermissionsBoundary,
          !Ref PermissionsBoundaryArn,
          !Ref AWS::NoValue,
        ]
      Handler: index.handler
      Runtime: python3.12
      CodeUri: ./src/lambda/discovery_processor
      Description: Lambda function to process discovery jobs from SQS queue
      MemorySize: 1024
      Timeout: 900

      Layers:
        - !Ref IDPCommonBaseLayer
      VpcConfig: !If
        - DeployInVPC
        - SubnetIds: !Ref PrivateSubnetIds
          SecurityGroupIds:
            - !Ref LambdaSecurityGroupId
        - !If
          - UsePrivateAppSync
          - SubnetIds: !Ref LambdaSubnetIds
            SecurityGroupIds:
              - !Ref LambdaVpcSecurityGroup
          - !Ref AWS::NoValue
      Environment:
        Variables:
          LOG_LEVEL: !Ref LogLevel
          DISCOVERY_BUCKET: !Ref DiscoveryBucket
          DISCOVERY_TRACKING_TABLE: !Ref DiscoveryTrackingTable
          CONFIGURATION_TABLE_NAME: !Ref ConfigurationTable
          APPSYNC_API_URL: !GetAtt GraphQLApi.GraphQLUrl
          BLUEPRINT_OPTIMIZATION_FUNCTION_NAME: !Ref BlueprintOptimizationFunction
      LoggingConfig:
        LogGroup: !Ref DiscoveryProcessorFunctionLogGroup
      Events:
        SQSEvent:
          Type: SQS
          Properties:
            Queue: !GetAtt DiscoveryQueue.Arn
            BatchSize: 1
            FunctionResponseTypes:
              - ReportBatchItemFailures
      Policies:
        - S3ReadPolicy:
            BucketName: !Ref DiscoveryBucket
        - DynamoDBCrudPolicy:
            TableName: !Ref DiscoveryTrackingTable
        - DynamoDBCrudPolicy:
            TableName: !Ref ConfigurationTable
        - Statement:
            - Effect: Allow
              Action:
                - cloudwatch:PutMetricData
              Resource: "*"
            - Effect: Allow
              Action:
                - appsync:GraphQL
              Resource:
                - !Sub "${GraphQLApi.Arn}/types/Mutation/*"
            - Effect: Allow
              Action:
                - kms:Encrypt
                - kms:Decrypt
                - kms:ReEncrypt*
                - kms:GenerateDataKey*
                - kms:DescribeKey
              Resource: !GetAtt CustomerManagedEncryptionKey.Arn
            - Effect: Allow
              Action:
                - bedrock:InvokeModel
                - bedrock:GetInferenceProfile
              Resource:
                - !Sub "arn:${AWS::Partition}:bedrock:*::foundation-model/*"
                - !Sub "arn:${AWS::Partition}:bedrock:${AWS::Region}:${AWS::AccountId}:inference-profile/*"
                - !Sub "arn:${AWS::Partition}:bedrock:${AWS::Region}:${AWS::AccountId}:application-inference-profile/*"
            - Effect: Allow
              Action:
                - aws-marketplace:Subscribe
                - aws-marketplace:Unsubscribe
                - aws-marketplace:ViewSubscriptions
              Resource: "*"
            - Effect: Allow
              Action:
                - lambda:InvokeFunction
              Resource: !GetAtt BlueprintOptimizationFunction.Arn

  DiscoveryProcessorFunctionLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      KmsKeyId: !GetAtt CustomerManagedEncryptionKey.Arn
      RetentionInDays: !Ref LogRetentionDays

  ##########################################################################
  # Multi-Document Discovery (Clustering + Agentic Analysis)
  ##########################################################################

  # --- Lambda Functions (5 step handlers sharing same CodeUri) ---

  MultiDocDiscoveryPrepareFunction:
    Type: AWS::Serverless::Function
    Metadata:
      cfn_nag:
        rules_to_suppress:
          - id: W89
            reason: "Function does not require VPC access"
          - id: W92
            reason: "Function does not require reserved concurrency"
    # checkov:skip=CKV_AWS_116: "DLQ handled at Step Functions level"
    # checkov:skip=CKV_AWS_117: "No VPC needed"
    # checkov:skip=CKV_AWS_115: "No reserved concurrency needed"
    # checkov:skip=CKV_AWS_173: "No sensitive env vars"
    Properties:
      FunctionName: !Sub "GENAIIDP-${AWS::StackName}-MultiDocPrepare"
      PermissionsBoundary: !If [HasPermissionsBoundary, !Ref PermissionsBoundaryArn, !Ref AWS::NoValue]
      Handler: prepare_handler.handler
      Runtime: python3.12
      CodeUri: ./src/lambda/multi_doc_discovery
      Description: Multi-doc discovery - prepare and list documents
      MemorySize: 512
      Timeout: 300
      Layers:
        - !Ref IDPCommonBaseLayer
      Environment:
        Variables:
          LOG_LEVEL: !Ref LogLevel
          DISCOVERY_BUCKET: !Ref DiscoveryBucket
          APPSYNC_API_URL: !GetAtt GraphQLApi.GraphQLUrl
      LoggingConfig:
        LogGroup: !Ref MultiDocDiscoveryPrepareFunctionLogGroup
      Policies:
        - S3CrudPolicy:
            BucketName: !Ref DiscoveryBucket
        - S3ReadPolicy:
            BucketName: !Ref InputBucket
        - S3ReadPolicy:
            BucketName: !Ref TestSetBucket
        - Statement:
            - Effect: Allow
              Action: [kms:Encrypt, kms:Decrypt, kms:ReEncrypt*, kms:GenerateDataKey*, kms:DescribeKey]
              Resource: !GetAtt CustomerManagedEncryptionKey.Arn
            - Effect: Allow
              Action: [appsync:GraphQL]
              Resource: !Sub "${GraphQLApi.Arn}/*"

  MultiDocDiscoveryPrepareFunctionLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      KmsKeyId: !GetAtt CustomerManagedEncryptionKey.Arn
      RetentionInDays: !Ref LogRetentionDays

  # --- Nested Stack for container-based multi-doc discovery Lambdas ---
  # Embed, Cluster, Analyze, Save functions use Docker images because their
  # dependencies (scikit-learn, scipy, numpy, strands-agents) exceed Lambda's
  # 250MB unzipped layer limit.

  MULTIDOCDISCOVERYSTACK:
    DependsOn:
      - IsStacknameLengthOK
    Type: AWS::CloudFormation::Stack
    Properties:
      TemplateURL: ./nested/multi-doc-discovery/.aws-sam/packaged.yaml
      Parameters:
        StackName: !Ref AWS::StackName
        DiscoveryBucketName: !Ref DiscoveryBucket
        DiscoveryBucketArn: !GetAtt DiscoveryBucket.Arn
        InputBucketName: !Ref InputBucket
        TestSetBucketName: !Ref TestSetBucket
        ConfigurationTableName: !Ref ConfigurationTable
        ConfigurationTableArn: !GetAtt ConfigurationTable.Arn
        CustomerManagedEncryptionKeyArn: !GetAtt CustomerManagedEncryptionKey.Arn
        PermissionsBoundaryArn: !Ref PermissionsBoundaryArn
        LogLevel: !Ref LogLevel
        LogRetentionDays: !Ref LogRetentionDays
        BuildHash: <MULTI_DOC_DISCOVERY_BUILD_HASH_TOKEN>
        ArtifactBucket: "<ARTIFACT_BUCKET_TOKEN>"
        SourceZipfile: "<ARTIFACT_PREFIX_TOKEN>/multi-doc-discovery-source.zip"
        AppSyncApiUrl: !GetAtt GraphQLApi.GraphQLUrl
        AppSyncApiArn: !GetAtt GraphQLApi.Arn

  # --- Step Functions State Machine ---

  MultiDocDiscoveryStateMachineRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: !Sub "states.${AWS::URLSuffix}"
            Action: sts:AssumeRole
      PermissionsBoundary: !If [HasPermissionsBoundary, !Ref PermissionsBoundaryArn, !Ref AWS::NoValue]
      Policies:
        - PolicyName: MultiDocDiscoveryStateMachinePolicy
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action: lambda:InvokeFunction
                Resource:
                  - !GetAtt MultiDocDiscoveryPrepareFunction.Arn
                  - !GetAtt MULTIDOCDISCOVERYSTACK.Outputs.EmbedFunctionArn
                  - !GetAtt MULTIDOCDISCOVERYSTACK.Outputs.ClusterFunctionArn
                  - !GetAtt MULTIDOCDISCOVERYSTACK.Outputs.AnalyzeFunctionArn
                  - !GetAtt MULTIDOCDISCOVERYSTACK.Outputs.SaveFunctionArn
              - Effect: Allow
                Action:
                  - dynamodb:UpdateItem
                  - dynamodb:GetItem
                Resource: !GetAtt DiscoveryTrackingTable.Arn
              - Effect: Allow
                Action:
                  - kms:Encrypt
                  - kms:Decrypt
                  - kms:GenerateDataKey*
                Resource: !GetAtt CustomerManagedEncryptionKey.Arn

  MultiDocDiscoveryStateMachine:
    Type: AWS::Serverless::StateMachine
    Properties:
      Name: !Sub "${AWS::StackName}-MultiDocDiscovery"
      DefinitionUri: src/lambda/multi_doc_discovery/statemachine.asl.json
      DefinitionSubstitutions:
        DiscoveryTrackingTable: !Ref DiscoveryTrackingTable
        PrepareFunction: !GetAtt MultiDocDiscoveryPrepareFunction.Arn
        EmbedFunction: !GetAtt MULTIDOCDISCOVERYSTACK.Outputs.EmbedFunctionArn
        ClusterFunction: !GetAtt MULTIDOCDISCOVERYSTACK.Outputs.ClusterFunctionArn
        AnalyzeFunction: !GetAtt MULTIDOCDISCOVERYSTACK.Outputs.AnalyzeFunctionArn
        SaveFunction: !GetAtt MULTIDOCDISCOVERYSTACK.Outputs.SaveFunctionArn
      Role: !GetAtt MultiDocDiscoveryStateMachineRole.Arn

  ##########################################################################
  # Blueprint Optimization Function
  ##########################################################################

  BlueprintOptimizationFunction:
    Type: AWS::Serverless::Function
    Metadata:
      cfn_nag:
        rules_to_suppress:
          - id: W89
            reason: "Function does not require VPC access as it only interacts with AWS services via APIs"
          - id: W92
            reason: "Function does not require reserved concurrency as it scales based on demand"
          - id: W12
            reason: "Lambda requires CloudWatch logs permissions"
          - id: W11
            reason: "Role requires * resource access for CloudWatch Metrics and Logs"
    # checkov:skip=CKV_AWS_116: "DLQ not required for async invoked function - failures are handled internally"
    # checkov:skip=CKV_AWS_117: "Function does not require VPC access as it only interacts with AWS services via APIs"
    # checkov:skip=CKV_AWS_115: "Function does not require reserved concurrency as it scales based on demand"
    # checkov:skip=CKV_AWS_173: "Environment variables do not contain sensitive data - only configuration values like feature flags and non-sensitive settings"
    Properties:
      PermissionsBoundary:
        !If [
          HasPermissionsBoundary,
          !Ref PermissionsBoundaryArn,
          !Ref AWS::NoValue,
        ]
      FunctionName: !Sub "${AWS::StackName}-blueprint-optimization"
      Handler: index.handler
      Runtime: python3.12
      CodeUri: src/lambda/blueprint_optimization/
      Description: Lambda function to optimize BDA blueprints using ground truth data
      MemorySize: 3008
      Timeout: 900
      Layers:
        - !Ref IDPCommonBaseLayer
      Environment:
        Variables:
          LOG_LEVEL: !Ref LogLevel
          APPSYNC_API_URL: !GetAtt GraphQLApi.GraphQLUrl
          CONFIGURATION_TABLE_NAME: !Ref ConfigurationTable
          STACK_NAME: !Ref AWS::StackName
          DISCOVERY_TRACKING_TABLE: !Ref DiscoveryTrackingTable
      LoggingConfig:
        LogGroup: !Ref BlueprintOptimizationFunctionLogGroup
      Policies:
        - S3CrudPolicy:
            BucketName: !Ref DiscoveryBucket
        - DynamoDBCrudPolicy:
            TableName: !Ref ConfigurationTable
        - DynamoDBCrudPolicy:
            TableName: !Ref DiscoveryTrackingTable
        - Statement:
            - Effect: Allow
              Action:
                - cloudwatch:PutMetricData
              Resource: "*"
            - Effect: Allow
              Action:
                - appsync:GraphQL
              Resource:
                - !Sub "${GraphQLApi.Arn}/types/Mutation/*"
            - Effect: Allow
              Action:
                - kms:Encrypt
                - kms:Decrypt
                - kms:ReEncrypt*
                - kms:GenerateDataKey*
                - kms:DescribeKey
              Resource: !GetAtt CustomerManagedEncryptionKey.Arn
            # BDA permissions for blueprint optimization
            - Effect: Allow
              Action:
                - bedrock:InvokeDataAutomationAsync
                - bedrock:CreateDataAutomationProject
                - bedrock:UpdateDataAutomationProject
                - bedrock:GetDataAutomationProject
                - bedrock:GetDataAutomationStatus
                - bedrock:GetBlueprint
                - bedrock:UpdateBlueprint
                - bedrock:CreateBlueprint
                - bedrock:CreateBlueprintVersion
                - bedrock:DeleteBlueprint
                - bedrock:ListBlueprints
                - bedrock:InvokeBlueprintOptimizationAsync
                - bedrock:GetBlueprintOptimizationStatus
              Resource:
                - !Sub "arn:${AWS::Partition}:bedrock:${AWS::Region}:${AWS::AccountId}:data-automation-project/*"
                - !Sub "arn:${AWS::Partition}:bedrock:${AWS::Region}:${AWS::AccountId}:blueprint/*"
                - !Sub "arn:${AWS::Partition}:bedrock:${AWS::Region}:aws:blueprint/*"
                - !Sub "arn:${AWS::Partition}:bedrock:${AWS::Region}:${AWS::AccountId}:blueprint-optimization-invocation/*"

  BlueprintOptimizationFunctionLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      KmsKeyId: !GetAtt CustomerManagedEncryptionKey.Arn
      RetentionInDays: !Ref LogRetentionDays

  ##########################################################################
  # Knowledge Base Query Resolver
  ##########################################################################

  CloudFrontOriginAccessIdentity:
    Type: AWS::CloudFront::CloudFrontOriginAccessIdentity
    Condition: UseCloudFrontHosting
    Properties:
      CloudFrontOriginAccessIdentityConfig:
        Comment: !Sub "${AWS::StackName} CloudFront OAI for ${WebUIBucket}"

  # Define a custom response headers policy for security headers
  SecurityHeadersPolicy:
    Type: AWS::CloudFront::ResponseHeadersPolicy
    Condition: UseCloudFrontHosting
    Properties:
      ResponseHeadersPolicyConfig:
        Name: !Sub "${AWS::StackName}-security-headers-policy"
        Comment: "Security headers policy"
        SecurityHeadersConfig:
          ContentSecurityPolicy:
            Override: true
            # Tightened CSP:
            #   - object-src: was 'self' blob: data: https:; now 'none'
            #     (we don't embed <object>/<embed>/<applet>; strips a class
            #     of plugin-execution XSS).
            #   - connect-src: was `https:` (any https origin). Tightened to
            #     AWS service hostnames so exfiltration to an arbitrary
            #     attacker-controlled https:// origin is blocked. Realtime
            #     subscriptions (wss) and localhost:* (dev) retained. The
            #     `amplify://` and `blob:` schemes are not used.
            #   - script-src/style-src: 'unsafe-inline' and 'unsafe-eval'
            #     retained pending Monaco editor compatibility work
            #     (tracked as Talos finding #12 phase 2).
            #   - img-src: retains `https:` to allow user-supplied
            #     document thumbnails from any S3 / CloudFront origin.
            ContentSecurityPolicy: "script-src 'self' 'unsafe-inline' 'unsafe-eval' https:; object-src 'none'; base-uri 'none'; frame-ancestors 'self'; form-action 'self'; img-src 'self' data: blob: https:; style-src 'self' 'unsafe-inline' https:; connect-src 'self' https://*.amazonaws.com https://*.amazoncognito.com https://cognito-idp.*.amazonaws.com https://cognito-identity.*.amazonaws.com https://*.appsync-api.*.amazonaws.com https://*.execute-api.*.amazonaws.com https://*.s3.*.amazonaws.com https://*.s3-accelerate.amazonaws.com wss://*.amazonaws.com wss://*.appsync-realtime-api.*.amazonaws.com wss://*.execute-api.*.amazonaws.com ws://localhost:*;"

          StrictTransportSecurity:
            Override: true
            AccessControlMaxAgeSec: 31536000
            IncludeSubdomains: true
            Preload: false
          ContentTypeOptions:
            Override: true
          FrameOptions:
            Override: true
            FrameOption: SAMEORIGIN
          ReferrerPolicy:
            Override: true
            ReferrerPolicy: strict-origin-when-cross-origin

  CloudFrontDistribution:
    Type: AWS::CloudFront::Distribution
    Condition: UseCloudFrontHosting
    Metadata:
      cfn_nag:
        rules_to_suppress:
          - id: W70
            reason: "Minimum TLS version is determined by CloudFrontDefaultCertificate true"
    # checkov:skip=CKV_AWS_68: "WAF is optional and can be enabled by customer based on their security requirements and budget. WAF must be created in us-east-1 for CLOUDFRONT."
    # checkov:skip=CKV_AWS_174: "Minimum TLS version is determined by CloudFrontDefaultCertificate true"
    Properties:
      DistributionConfig:
        Comment: !Sub "Web app cloudfront distribution ${AWS::StackName}"
        ViewerCertificate:
          CloudFrontDefaultCertificate: true
          MinimumProtocolVersion: TLSv1.2_2021
        Logging:
          Bucket: !Sub "${LoggingBucket}.s3.${AWS::URLSuffix}"
          Prefix: "cloudfront-logs"
          IncludeCookies: true
        CustomErrorResponses:
          # Send errors to index file
          - ErrorCachingMinTTL: 300
            ErrorCode: 403
            ResponseCode: 200
            ResponsePagePath: /index.html
          - ErrorCachingMinTTL: 300
            ErrorCode: 404
            ResponseCode: 200
            ResponsePagePath: /index.html
        DefaultCacheBehavior:
          AllowedMethods:
            - GET
            - HEAD
            - OPTIONS
          Compress: true
          ForwardedValues:
            QueryString: false
            Cookies:
              Forward: none
          TargetOriginId: webapp-s3-bucket
          ViewerProtocolPolicy: redirect-to-https
          DefaultTTL: 600
          MinTTL: 300
          MaxTTL: 900
          ResponseHeadersPolicyId: !Ref SecurityHeadersPolicy
        DefaultRootObject: index.html
        Enabled: true
        HttpVersion: http2
        IPV6Enabled: true
        Origins:
          - Id: webapp-s3-bucket
            DomainName: !GetAtt WebUIBucket.RegionalDomainName
            S3OriginConfig:
              OriginAccessIdentity: !Sub "origin-access-identity/cloudfront/${CloudFrontOriginAccessIdentity}"
        PriceClass: !Ref CloudFrontPriceClass
        Restrictions: !If
          - ShouldEnableGeoRestriction
          - GeoRestriction:
              RestrictionType: whitelist
              Locations: !Split [ ",", !Ref CloudFrontAllowedGeos ]
          - GeoRestriction:
              RestrictionType: none

  ##########################################################################
  # ALB Hosting (alternative to CloudFront for GovCloud / private networks)
  ##########################################################################

  ALBHOSTINGSTACK:
    Type: AWS::CloudFormation::Stack
    Condition: UseALBHosting
    Properties:
      TemplateURL: ./nested/alb-hosting/.aws-sam/packaged.yaml
      Parameters:
        VpcId: !Ref ALBVpcId
        SubnetIds: !Join [",", !Ref ALBSubnetIds]
        CertificateArn: !Ref ALBCertificateArn
        ALBScheme: !Ref ALBScheme
        ALBAllowedCIDRs: !Ref ALBAllowedCIDRs
        WebUIBucketName: !Ref WebUIBucket
        StackName: !Ref AWS::StackName
        PermissionsBoundaryArn: !Ref PermissionsBoundaryArn
        LoggingBucketName: !Ref LoggingBucket

  UICodeBuildServiceRole:
    Type: AWS::IAM::Role
    Properties:
      Path: /
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Action: sts:AssumeRole
            Effect: Allow
            Principal:
              Service: !Sub "codebuild.${AWS::URLSuffix}"
      PermissionsBoundary:
        !If [
          HasPermissionsBoundary,
          !Ref PermissionsBoundaryArn,
          !Ref AWS::NoValue,
        ]
      Policies:
        - PolicyName: ecs-service
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Resource:
                  - !Sub "arn:${AWS::Partition}:s3:::<ARTIFACT_BUCKET_TOKEN>"
                  - !Sub "arn:${AWS::Partition}:s3:::<ARTIFACT_BUCKET_TOKEN>/<ARTIFACT_PREFIX_TOKEN>/*"
                Effect: Allow
                Action:
                  - s3:GetObject
                  - s3:GetObjectVersion
                  - s3:GetBucketAcl
                  - s3:GetBucketLocation
                  - s3:PutObject
                  - s3:ListBucket
              - Resource:
                  - !Sub "arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/*"
                  - !Sub "arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/*:*"
                Effect: Allow
                Action:
                  - logs:CreateLogGroup
                  - logs:CreateLogStream
                  - logs:PutLogEvents
              - Effect: Allow
                Action:
                  - s3:PutObject
                  - s3:DeleteObject
                Resource:
                  - !Sub "arn:${AWS::Partition}:s3:::${WebUIBucket}/*"
              - !If
                - UseCloudFrontHosting
                - Effect: Allow
                  Action:
                    - cloudfront:CreateInvalidation
                  Resource:
                    - !Sub "arn:${AWS::Partition}:cloudfront::${AWS::AccountId}:distribution/${CloudFrontDistribution}"
                - !Ref AWS::NoValue
              # Grant kms:Decrypt on the artifacts bucket KMS key when provided
              # This allows CodeBuild to read source artifacts from a KMS-encrypted bucket
              - !If
                - HasArtifactsBucketKmsKey
                - Effect: Allow
                  Action:
                    - kms:Decrypt
                    - kms:GenerateDataKey*
                    - kms:DescribeKey
                  Resource: !Ref ArtifactsBucketKmsKeyArn
                - !Ref AWS::NoValue

  UICodeBuildProject:
    Type: AWS::CodeBuild::Project
    Properties:
      Name: !Sub ${AWS::StackName}-webui-build
      Description: !Sub >-
        Web UI build for GenAIIDP stack - ${AWS::StackName}
      ServiceRole: !Ref UICodeBuildServiceRole
      EncryptionKey: alias/aws/s3
      Artifacts:
        Type: NO_ARTIFACTS
      Source:
        # Publish script substitutes the tokens in the filename here during package build
        Location: !Sub "arn:${AWS::Partition}:s3:::<ARTIFACT_BUCKET_TOKEN>/<ARTIFACT_PREFIX_TOKEN>/<WEBUI_ZIPFILE_TOKEN>"
        Type: S3
        BuildSpec: |
          version: 0.2
          phases:
            pre_build:
              commands:
                - echo ${SOURCE_CODE_LOCATION}
                - echo `ls -altr`
                - echo `pwd`
                - echo Installing NodeJS
                - n 22.14.0
                - npm install -g npm@11.1.0
                - echo Installing Web UI dependencies
                - npm ci
            build:
              commands:
                - echo Build started on `date`
                - cd $CODEBUILD_SRC_DIR
                - echo Building Web UI
                - npm run build
                - >
                  printf '{"RepositoryUri":"%s","ProjectName":"%s","ArtifactBucket":"%s"}'
                  $REPOSITORY_URI $PROJECT_NAME $ARTIFACT_BUCKET > build.json
            post_build:
              commands:
                - echo Build completed on `date`
                - echo Copying Web UI
                - find build -ls
                - aws s3 cp --recursive build s3://${WEBAPP_BUCKET}/
                - |
                  if [ "$WEB_UI_HOSTING" = "CloudFront" ]; then
                    echo "Invalidating CloudFront Distribution"
                    aws cloudfront create-invalidation --distribution-id "$CLOUDFRONT_DISTRIBUTION_ID" --paths '/*'
                  else
                    echo "ALB hosting mode - skipping CloudFront invalidation"
                  fi
          artifacts:
            files:
              - build.json
      Environment:
        ComputeType: BUILD_GENERAL1_MEDIUM
        Image: aws/codebuild/amazonlinux2-x86_64-standard:5.0
        Type: LINUX_CONTAINER
        PrivilegedMode: true
        EnvironmentVariables:
          - Name: AWS_DEFAULT_REGION
            Value: !Ref AWS::Region
          - Name: AWS_ACCOUNT_ID
            Value: !Ref AWS::AccountId
          - Name: SOURCE_CODE_LOCATION
            Value: !Sub "<ARTIFACT_BUCKET_TOKEN>/<ARTIFACT_PREFIX_TOKEN>"
          - Name: WEBAPP_BUCKET
            Value: !Ref WebUIBucket
          - Name: WEB_UI_HOSTING
            Value: !Ref WebUIHosting
          - Name: CLOUDFRONT_DISTRIBUTION_ID
            Value: !If
              - UseCloudFrontHosting
              - !Ref CloudFrontDistribution
              - ""
            # These VITE variables are used by the web ui in the
            # aws-exports.js Amplify config. The values are embedded in the
            # code at build time.
          - Name: VITE_SETTINGS_PARAMETER
            Value: !Ref SettingsParameter
          - Name: VITE_USER_POOL_ID
            Value: !Ref UserPool
          - Name: VITE_USER_POOL_CLIENT_ID
            Value: !Ref UserPoolClient
          - Name: VITE_IDENTITY_POOL_ID
            Value: !Ref IdentityPool
          - Name: VITE_APPSYNC_GRAPHQL_URL
            Value: !GetAtt GraphQLApi.GraphQLUrl
          - Name: VITE_AWS_REGION
            Value: !Ref AWS::Region
          - Name: VITE_SHOULD_HIDE_SIGN_UP
            Value: !If
              - ShouldAllowSignUpEmailDomain
              - "false"
              - "true"
          - Name: VITE_COGNITO_DOMAIN
            Value: !If
              - HasExternalIdP
              - !Sub "${GetDomain.OutputString}.auth.${AWS::Region}.amazoncognito.com"
              - ""
          - Name: VITE_EXTERNAL_IDP_NAME
            Value: !If
              - HasExternalIdP
              - !Ref ExternalIdPName
              - ""
          - Name: VITE_EXTERNAL_IDP_AUTO_LOGIN
            Value: !If
              - HasExternalIdP
              - !Ref ExternalIdPAutoLogin
              - "false"
          - Name: VITE_CLOUDFRONT_DOMAIN
            Value: !If
              - UseCloudFrontHosting
              - !Sub "https://${CloudFrontDistribution.DomainName}/"
              - !Sub "${ALBHOSTINGSTACK.Outputs.WebUIURL}/"
          - Name: VITE_TEST_SET_BUCKET_NAME
            Value: !Ref TestSetBucket
          - Name: VITE_INPUT_BUCKET_NAME
            Value: !Ref InputBucket
          - Name: VITE_LATENCY_OPTIONS
            Value: "[60, 120, 300, 600, 900, 1800, 3600]"
          - Name: VITE_DEFAULT_MAX_LATENCY
            Value: "60"
          - Name: VITE_DEFAULT_TOKENS_BY_STEP
            Value: '{"OCR":4000,"Classification":2000,"Extraction":8000,"Assessment":4000,"Summarization":4000,"default":4000}'
          - Name: VITE_DEFAULT_MAX_TOKENS_PER_REQUEST
            Value: "4000"
          - Name: VITE_BDA_TOKENS_PER_PAGE
            Value: "2000"
      TimeoutInMinutes: 30

  StartUICodeBuildExecutionRole:
    Type: AWS::IAM::Role
    Metadata:
      cfn_nag:
        rules_to_suppress:
          - id: W11
            reason: "Role requires * resource access for CloudWatch Logs and CloudFormation custom resource operations"
    # checkov:skip=CKV_AWS_111: "Write access required for CloudWatch Logs and CloudFormation custom resource operations"
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - !Sub "lambda.${AWS::URLSuffix}"
            Action:
              - sts:AssumeRole
      Path: "/"
      PermissionsBoundary:
        !If [
          HasPermissionsBoundary,
          !Ref PermissionsBoundaryArn,
          !Ref AWS::NoValue,
        ]
      Policies:
        - PolicyName: root
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - codebuild:StartBuild
                  - codebuild:BatchGetBuilds
                Resource:
                  - !GetAtt UICodeBuildProject.Arn
              - Effect: Allow
                Action:
                  - logs:CreateLogGroup
                  - logs:CreateLogStream
                  - logs:PutLogEvents
                Resource: "*"
          # Used by custom resource helper poller
          # https://github.com/aws-cloudformation/custom-resource-helper
        - PolicyName: CustomResourcePoller
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Effect: Allow
                Action:
                  - events:PutRule
                  - events:DeleteRule
                  - events:PutTargets
                  - events:RemoveTargets
                Resource:
                  - !Sub "arn:${AWS::Partition}:events:${AWS::Region}:${AWS::AccountId}:rule/*"
              - Effect: Allow
                Action:
                  - lambda:AddPermission
                  - lambda:RemovePermission
                Resource:
                  - !Sub "arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:*"

  StartUICodeBuild:
    Type: AWS::Serverless::Function
    Metadata:
      cfn_nag:
        rules_to_suppress:
          - id: W89
            reason: "Function does not require VPC access as it only interacts with AWS services via APIs"
          - id: W92
            reason: "Function does not require reserved concurrency as it scales based on demand"
    # checkov:skip=CKV_AWS_116: "DLQ not required for Cfn Custom Resource function"
    # checkov:skip=CKV_AWS_117: "Function does not require VPC access as it only interacts with AWS services via APIs"
    # checkov:skip=CKV_AWS_115: "Function does not require reserved concurrency as it scales based on demand"
    Properties:
      PermissionsBoundary:
        !If [
          HasPermissionsBoundary,
          !Ref PermissionsBoundaryArn,
          !Ref AWS::NoValue,
        ]
      Role: !GetAtt StartUICodeBuildExecutionRole.Arn
      Runtime: python3.12
      Timeout: 60
      MemorySize: 128
      Handler: index.handler
      CodeUri: src/lambda/start_codebuild
      Description: This AWS Lambda Function kicks off a code build job.
      LoggingConfig:
        LogGroup: !Ref StartUICodeBuildLogGroup

  StartUICodeBuildLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      KmsKeyId: !GetAtt CustomerManagedEncryptionKey.Arn
      RetentionInDays: !Ref LogRetentionDays

  CodeBuildRun:
    Type: Custom::CodeBuildRun
    Properties:
      ServiceToken: !GetAtt StartUICodeBuild.Arn
      BuildProjectName: !Ref UICodeBuildProject
      SettingsParameter: !Ref SettingsParameter
      # Force codebuild to rerun when source code changes (filename will change), and to correctly roll back to
      # previous version if build fails.
      CodeLocation: !Sub "arn:${AWS::Partition}:s3:::<ARTIFACT_BUCKET_TOKEN>/<ARTIFACT_PREFIX_TOKEN>/<WEBUI_ZIPFILE_TOKEN>"

  ##########################################################################
  # HITL User Management Lambda
  ##########################################################################

  UserManagementFunctionLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      KmsKeyId: !GetAtt CustomerManagedEncryptionKey.Arn
      RetentionInDays: !Ref LogRetentionDays

  UserManagementFunction:
    Type: AWS::Serverless::Function
    Metadata:
      cfn_nag:
        rules_to_suppress:
          - id: W89
            reason: "Function does not require VPC access"
          - id: W92
            reason: "Function does not require reserved concurrency"
    # checkov:skip=CKV_AWS_116: "DLQ not required for AppSync resolver"
    # checkov:skip=CKV_AWS_117: "Function does not require VPC access"
    # checkov:skip=CKV_AWS_115: "Function does not require reserved concurrency"
    # checkov:skip=CKV_AWS_173: "Environment variables contain non-sensitive configuration values (Cognito pool and group IDs)"
    Properties:
      PermissionsBoundary: !If [HasPermissionsBoundary, !Ref PermissionsBoundaryArn, !Ref AWS::NoValue]
      Handler: index.handler
      Runtime: python3.12
      CodeUri: ./src/lambda/user_management
      Description: Lambda function for user management (create, delete, list users)
      MemorySize: 256
      Timeout: 30
      Environment:
        Variables:
          USER_POOL_ID: !Ref UserPool
          ADMIN_GROUP: !Ref AdminGroup
          AUTHOR_GROUP: !Ref AuthorGroup
          REVIEWER_GROUP: !Ref ReviewerGroup
          VIEWER_GROUP: !Ref ViewerGroup
          USERS_TABLE_NAME: !Ref UsersTable
          ALLOWED_SIGNUP_EMAIL_DOMAINS: !Ref AllowedSignUpEmailDomain
      LoggingConfig:
        LogGroup: !Ref UserManagementFunctionLogGroup
      Policies:
        - DynamoDBCrudPolicy:
            TableName: !Ref UsersTable
        - Statement:
            - Effect: Allow
              Action:
                - cognito-idp:AdminCreateUser
                - cognito-idp:AdminDeleteUser
                - cognito-idp:AdminAddUserToGroup
                - cognito-idp:AdminRemoveUserFromGroup
                - cognito-idp:AdminListGroupsForUser
                - cognito-idp:ListUsers
                - cognito-idp:ListUsersInGroup
              Resource: !GetAtt UserPool.Arn
            - Effect: Allow
              Action:
                - kms:Encrypt
                - kms:Decrypt
                - kms:GenerateDataKey*
                - kms:DescribeKey
              Resource: !GetAtt CustomerManagedEncryptionKey.Arn

  UserSyncFunctionLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      KmsKeyId: !GetAtt CustomerManagedEncryptionKey.Arn
      RetentionInDays: !Ref LogRetentionDays

  UserSyncFunction:
    Type: AWS::Serverless::Function
    Metadata:
      cfn_nag:
        rules_to_suppress:
          - id: W89
            reason: "Function does not require VPC access"
          - id: W92
            reason: "Function does not require reserved concurrency"
    # checkov:skip=CKV_AWS_116: "DLQ not required for DynamoDB stream processing"
    # checkov:skip=CKV_AWS_117: "Function does not require VPC access"
    # checkov:skip=CKV_AWS_115: "Function does not require reserved concurrency"
    # checkov:skip=CKV_AWS_173: "Environment variables contain non-sensitive configuration values (Cognito pool and group IDs)"
    Properties:
      PermissionsBoundary: !If [HasPermissionsBoundary, !Ref PermissionsBoundaryArn, !Ref AWS::NoValue]
      Handler: index.handler
      Runtime: python3.12
      CodeUri: ./src/lambda/user_sync
      Description: Lambda function to sync DynamoDB user changes to Cognito
      MemorySize: 256
      Timeout: 30
      Environment:
        Variables:
          USER_POOL_ID: !Ref UserPool
          ADMIN_GROUP: !Ref AdminGroup
          REVIEWER_GROUP: !Ref ReviewerGroup
      LoggingConfig:
        LogGroup: !Ref UserSyncFunctionLogGroup
      Policies:
        - Statement:
            - Effect: Allow
              Action:
                - cognito-idp:AdminCreateUser
                - cognito-idp:AdminDeleteUser
                - cognito-idp:AdminAddUserToGroup
                - cognito-idp:AdminRemoveUserFromGroup
              Resource: !GetAtt UserPool.Arn
      Events:
        DynamoDBStream:
          Type: DynamoDB
          Properties:
            Stream: !GetAtt UsersTable.StreamArn
            StartingPosition: TRIM_HORIZON
            BatchSize: 10
            MaximumBatchingWindowInSeconds: 5

  CompleteSectionReviewFunctionLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      KmsKeyId: !GetAtt CustomerManagedEncryptionKey.Arn
      RetentionInDays: !Ref LogRetentionDays

  CompleteSectionReviewFunction:
    Type: AWS::Serverless::Function
    Metadata:
      cfn_nag:
        rules_to_suppress:
          - id: W89
            reason: "Function does not require VPC access"
          - id: W92
            reason: "Function does not require reserved concurrency"
    # checkov:skip=CKV_AWS_116: "DLQ not required for AppSync resolver"
    # checkov:skip=CKV_AWS_117: "Function does not require VPC access"
    # checkov:skip=CKV_AWS_115: "Function does not require reserved concurrency"
    # checkov:skip=CKV_AWS_173: "Environment variables contain non-sensitive configuration values (DynamoDB table name)"
    Properties:
      PermissionsBoundary: !If [HasPermissionsBoundary, !Ref PermissionsBoundaryArn, !Ref AWS::NoValue]
      Handler: index.handler
      Runtime: python3.12
      CodeUri: ./src/lambda/complete_section_review
      Description: Lambda function to mark HITL section review as complete
      MemorySize: 512
      Timeout: 60
      Layers:
        - !Ref IDPCommonBaseLayer
      Environment:
        Variables:
          TRACKING_TABLE_NAME: !Ref TrackingTable
          TRACKING_TABLE: !Ref TrackingTable
          OUTPUT_BUCKET: !Ref OutputBucket
          INPUT_BUCKET: !Ref InputBucket
          WORKING_BUCKET: !Ref WorkingBucket
          QUEUE_URL: !Ref DocumentQueue
      LoggingConfig:
        LogGroup: !Ref CompleteSectionReviewFunctionLogGroup
      Policies:
        - DynamoDBCrudPolicy:
            TableName: !Ref TrackingTable
        - S3CrudPolicy:
            BucketName: !Ref OutputBucket
        - S3CrudPolicy:
            BucketName: !Ref WorkingBucket
        - SQSSendMessagePolicy:
            QueueName: !GetAtt DocumentQueue.QueueName
        - Statement:
            - Effect: Allow
              Action:
                - kms:Decrypt
                - kms:GenerateDataKey
              Resource: !GetAtt CustomerManagedEncryptionKey.Arn

  HITLAppSyncServiceRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: !Sub "appsync.${AWS::URLSuffix}"
            Action: sts:AssumeRole
      PermissionsBoundary: !If [HasPermissionsBoundary, !Ref PermissionsBoundaryArn, !Ref AWS::NoValue]
      Policies:
        - PolicyName: HITLLambdaInvoke
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action: lambda:InvokeFunction
                Resource:
                  - !GetAtt UserManagementFunction.Arn
                  - !GetAtt CompleteSectionReviewFunction.Arn
                  - !GetAtt CalculateCapacityResolverFunction.Arn
                  - !GetAtt FinetuningJobsResolverFunction.Arn

  UserManagementDataSource:
    Type: AWS::AppSync::DataSource
    Properties:
      ApiId: !GetAtt GraphQLApi.ApiId
      Name: UserManagementDataSource
      Type: AWS_LAMBDA
      ServiceRoleArn: !GetAtt HITLAppSyncServiceRole.Arn
      LambdaConfig:
        LambdaFunctionArn: !GetAtt UserManagementFunction.Arn

  CreateUserResolver:
    Type: AWS::AppSync::Resolver
    DependsOn: APPSYNCSTACK
    Properties:
      ApiId: !GetAtt GraphQLApi.ApiId
      DataSourceName: !GetAtt UserManagementDataSource.Name
      TypeName: Mutation
      FieldName: createUser

  DeleteUserResolver:
    Type: AWS::AppSync::Resolver
    DependsOn: APPSYNCSTACK
    Properties:
      ApiId: !GetAtt GraphQLApi.ApiId
      DataSourceName: !GetAtt UserManagementDataSource.Name
      TypeName: Mutation
      FieldName: deleteUser

  ListUsersResolver:
    Type: AWS::AppSync::Resolver
    DependsOn: APPSYNCSTACK
    Properties:
      ApiId: !GetAtt GraphQLApi.ApiId
      DataSourceName: !GetAtt UserManagementDataSource.Name
      TypeName: Query
      FieldName: listUsers

  UpdateUserResolver:
    Type: AWS::AppSync::Resolver
    DependsOn: APPSYNCSTACK
    Properties:
      ApiId: !GetAtt GraphQLApi.ApiId
      DataSourceName: !GetAtt UserManagementDataSource.Name
      TypeName: Mutation
      FieldName: updateUser

  GetMyProfileResolver:
    Type: AWS::AppSync::Resolver
    DependsOn: APPSYNCSTACK
    Properties:
      ApiId: !GetAtt GraphQLApi.ApiId
      DataSourceName: !GetAtt UserManagementDataSource.Name
      TypeName: Query
      FieldName: getMyProfile

  CompleteSectionReviewDataSource:
    Type: AWS::AppSync::DataSource
    Properties:
      ApiId: !GetAtt GraphQLApi.ApiId
      Name: CompleteSectionReviewDataSource
      Type: AWS_LAMBDA
      ServiceRoleArn: !GetAtt HITLAppSyncServiceRole.Arn
      LambdaConfig:
        LambdaFunctionArn: !GetAtt CompleteSectionReviewFunction.Arn

  CompleteSectionReviewResolver:
    Type: AWS::AppSync::Resolver
    DependsOn: APPSYNCSTACK
    Properties:
      ApiId: !GetAtt GraphQLApi.ApiId
      DataSourceName: !GetAtt CompleteSectionReviewDataSource.Name
      TypeName: Mutation
      FieldName: completeSectionReview

  ##########################################################################
  # Custom Model Fine-Tuning Resources
  ##########################################################################

  # S3 Bucket for Fine-Tuning Training Data
  FinetuningDataBucket:
    Type: AWS::S3::Bucket
    UpdateReplacePolicy: Retain
    DeletionPolicy: RetainExceptOnCreate
    Properties:
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: aws:kms
              KMSMasterKeyID: !Ref CustomerManagedEncryptionKey
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      VersioningConfiguration:
        Status: Enabled
      LoggingConfiguration:
        DestinationBucketName: !Ref LoggingBucket
        LogFilePrefix: finetuning-data-bucket-logs/
      LifecycleConfiguration:
        Rules:
          - Id: DeleteAfterNDays
            Status: Enabled
            ExpirationInDays: !Ref DataRetentionInDays
            AbortIncompleteMultipartUpload:
              DaysAfterInitiation: 1

  FinetuningDataBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref FinetuningDataBucket
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: EnforceSSLOnly
            Effect: Deny
            Principal: "*"
            Action: "s3:*"
            Resource:
              - !Sub "${FinetuningDataBucket.Arn}/*"
              - !Sub "${FinetuningDataBucket.Arn}"
            Condition:
              Bool:
                "aws:SecureTransport": false
          - Sid: AllowBedrockAccess
            Effect: Allow
            Principal:
              Service: !Sub "bedrock.${AWS::URLSuffix}"
            Action:
              - s3:GetObject
              - s3:ListBucket
            Resource:
              - !Sub "${FinetuningDataBucket.Arn}/*"
              - !Sub "${FinetuningDataBucket.Arn}"
            Condition:
              StringEquals:
                "aws:SourceAccount": !Ref AWS::AccountId

  # IAM Role for Bedrock Fine-Tuning Jobs
  BedrockFinetuningRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub "${AWS::StackName}-BedrockFinetuningRole"
      Description: IAM role for Bedrock model fine-tuning jobs
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: !Sub "bedrock.${AWS::URLSuffix}"
            Action: sts:AssumeRole
            Condition:
              StringEquals:
                aws:SourceAccount: !Ref AWS::AccountId
      PermissionsBoundary:
        !If [
          HasPermissionsBoundary,
          !Ref PermissionsBoundaryArn,
          !Ref AWS::NoValue,
        ]
      Policies:
        - PolicyName: FinetuningS3Access
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - s3:GetObject
                  - s3:ListBucket
                Resource:
                  - !GetAtt FinetuningDataBucket.Arn
                  - !Sub "${FinetuningDataBucket.Arn}/*"
              - Effect: Allow
                Action:
                  - s3:PutObject
                Resource:
                  - !Sub "${FinetuningDataBucket.Arn}/*"
              - Effect: Allow
                Action:
                  - kms:Decrypt
                  - kms:GenerateDataKey
                Resource: !GetAtt CustomerManagedEncryptionKey.Arn

  # Fine-Tuning List Documents Lambda (for Distributed Map)
  FinetuningListDocumentsLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      KmsKeyId: !GetAtt CustomerManagedEncryptionKey.Arn
      RetentionInDays: !Ref LogRetentionDays

  FinetuningListDocumentsFunction:
    Type: AWS::Serverless::Function
    Metadata:
      cfn_nag:
        rules_to_suppress:
          - id: W89
            reason: "Function does not require VPC access"
          - id: W92
            reason: "Function does not require reserved concurrency"
    # checkov:skip=CKV_AWS_116: "DLQ not required - Step Functions handles retries"
    # checkov:skip=CKV_AWS_117: "Function does not require VPC access"
    # checkov:skip=CKV_AWS_115: "Function does not require reserved concurrency"
    # checkov:skip=CKV_AWS_173: "Environment variables contain non-sensitive configuration"
    Properties:
      PermissionsBoundary:
        !If [HasPermissionsBoundary, !Ref PermissionsBoundaryArn, !Ref AWS::NoValue]
      FunctionName: !Sub "${AWS::StackName}-FinetuningListDocuments"
      Handler: index.handler
      Runtime: python3.12
      CodeUri: src/lambda/finetuning_list_documents/
      Timeout: 300
      MemorySize: 512
      Layers:
        - !Ref IDPCommonBaseLayer
      Environment:
        Variables:
          LOG_LEVEL: !Ref LogLevel
          TRACKING_TABLE: !Ref TrackingTable
          TEST_SET_BUCKET: !Ref TestSetBucket
          FINETUNING_DATA_BUCKET: !Ref FinetuningDataBucket
      LoggingConfig:
        LogGroup: !Ref FinetuningListDocumentsLogGroup
      Policies:
        - DynamoDBCrudPolicy:
            TableName: !Ref TrackingTable
        - S3ReadPolicy:
            BucketName: !Ref TestSetBucket
        - Statement:
            - Effect: Allow
              Action:
                - kms:Encrypt
                - kms:Decrypt
                - kms:GenerateDataKey*
                - kms:DescribeKey
              Resource: !GetAtt CustomerManagedEncryptionKey.Arn

  # Fine-Tuning Process Document Lambda (for Distributed Map parallel processing)
  FinetuningProcessDocumentLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      KmsKeyId: !GetAtt CustomerManagedEncryptionKey.Arn
      RetentionInDays: !Ref LogRetentionDays

  FinetuningProcessDocumentFunction:
    Type: AWS::Serverless::Function
    Metadata:
      cfn_nag:
        rules_to_suppress:
          - id: W89
            reason: "Function does not require VPC access"
          - id: W92
            reason: "Function does not require reserved concurrency"
    # checkov:skip=CKV_AWS_116: "DLQ not required - Step Functions handles retries"
    # checkov:skip=CKV_AWS_117: "Function does not require VPC access"
    # checkov:skip=CKV_AWS_115: "Function does not require reserved concurrency"
    # checkov:skip=CKV_AWS_173: "Environment variables contain non-sensitive configuration"
    Properties:
      PermissionsBoundary:
        !If [HasPermissionsBoundary, !Ref PermissionsBoundaryArn, !Ref AWS::NoValue]
      FunctionName: !Sub "${AWS::StackName}-FinetuningProcessDocument"
      Handler: index.handler
      Runtime: python3.12
      CodeUri: src/lambda/finetuning_process_document/
      Timeout: 300
      MemorySize: 2048
      Layers:
        - !Ref IDPCommonBaseLayer
      Environment:
        Variables:
          LOG_LEVEL: !Ref LogLevel
          TEST_SET_BUCKET: !Ref TestSetBucket
          FINETUNING_DATA_BUCKET: !Ref FinetuningDataBucket
      LoggingConfig:
        LogGroup: !Ref FinetuningProcessDocumentLogGroup
      Policies:
        - S3ReadPolicy:
            BucketName: !Ref TestSetBucket
        - S3CrudPolicy:
            BucketName: !Ref FinetuningDataBucket
        - Statement:
            - Effect: Allow
              Action:
                - kms:Encrypt
                - kms:Decrypt
                - kms:GenerateDataKey*
                - kms:DescribeKey
              Resource: !GetAtt CustomerManagedEncryptionKey.Arn

  # Fine-Tuning Merge Data Lambda (combines parallel results)
  FinetuningMergeDataLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      KmsKeyId: !GetAtt CustomerManagedEncryptionKey.Arn
      RetentionInDays: !Ref LogRetentionDays

  FinetuningMergeDataFunction:
    Type: AWS::Serverless::Function
    Metadata:
      cfn_nag:
        rules_to_suppress:
          - id: W89
            reason: "Function does not require VPC access"
          - id: W92
            reason: "Function does not require reserved concurrency"
    # checkov:skip=CKV_AWS_116: "DLQ not required - Step Functions handles retries"
    # checkov:skip=CKV_AWS_117: "Function does not require VPC access"
    # checkov:skip=CKV_AWS_115: "Function does not require reserved concurrency"
    # checkov:skip=CKV_AWS_173: "Environment variables contain non-sensitive configuration"
    Properties:
      PermissionsBoundary:
        !If [HasPermissionsBoundary, !Ref PermissionsBoundaryArn, !Ref AWS::NoValue]
      FunctionName: !Sub "${AWS::StackName}-FinetuningMergeData"
      Handler: index.handler
      Runtime: python3.12
      CodeUri: src/lambda/finetuning_merge_data/
      Timeout: 900
      MemorySize: 3072  # Right-sized for I/O-bound JSONL merge operation (reduced from 10240)
      Layers:
        - !Ref IDPCommonBaseLayer
      Environment:
        Variables:
          LOG_LEVEL: !Ref LogLevel
          TRACKING_TABLE: !Ref TrackingTable
          FINETUNING_DATA_BUCKET: !Ref FinetuningDataBucket
      LoggingConfig:
        LogGroup: !Ref FinetuningMergeDataLogGroup
      Policies:
        - DynamoDBCrudPolicy:
            TableName: !Ref TrackingTable
        - S3CrudPolicy:
            BucketName: !Ref FinetuningDataBucket
        - Statement:
            - Effect: Allow
              Action:
                - kms:Encrypt
                - kms:Decrypt
                - kms:GenerateDataKey*
                - kms:DescribeKey
              Resource: !GetAtt CustomerManagedEncryptionKey.Arn

  # Fine-Tuning Job Creator Lambda
  FinetuningJobCreatorLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      KmsKeyId: !GetAtt CustomerManagedEncryptionKey.Arn
      RetentionInDays: !Ref LogRetentionDays

  FinetuningJobCreatorFunction:
    Type: AWS::Serverless::Function
    Metadata:
      cfn_nag:
        rules_to_suppress:
          - id: W89
            reason: "Function does not require VPC access"
          - id: W92
            reason: "Function does not require reserved concurrency"
    # checkov:skip=CKV_AWS_116: "DLQ not required - Step Functions handles retries"
    # checkov:skip=CKV_AWS_117: "Function does not require VPC access"
    # checkov:skip=CKV_AWS_115: "Function does not require reserved concurrency"
    # checkov:skip=CKV_AWS_173: "Environment variables contain non-sensitive configuration"
    Properties:
      PermissionsBoundary:
        !If [HasPermissionsBoundary, !Ref PermissionsBoundaryArn, !Ref AWS::NoValue]
      FunctionName: !Sub "${AWS::StackName}-FinetuningJobCreator"
      Handler: index.handler
      Runtime: python3.12
      CodeUri: src/lambda/finetuning_job_creator/
      Timeout: 60
      MemorySize: 256
      Environment:
        Variables:
          LOG_LEVEL: !Ref LogLevel
          TRACKING_TABLE: !Ref TrackingTable
          FINETUNING_DATA_BUCKET: !Ref FinetuningDataBucket
          BEDROCK_FINETUNING_ROLE_ARN: !GetAtt BedrockFinetuningRole.Arn
      LoggingConfig:
        LogGroup: !Ref FinetuningJobCreatorLogGroup
      Policies:
        - DynamoDBCrudPolicy:
            TableName: !Ref TrackingTable
        - Statement:
            - Effect: Allow
              Action:
                - bedrock:CreateModelCustomizationJob
                - bedrock:TagResource
              Resource:
                - !Sub "arn:${AWS::Partition}:bedrock:${AWS::Region}::foundation-model/*"
                - !Sub "arn:${AWS::Partition}:bedrock:${AWS::Region}:${AWS::AccountId}:model-customization-job/*"
                - !Sub "arn:${AWS::Partition}:bedrock:${AWS::Region}:${AWS::AccountId}:custom-model/*"
            - Effect: Allow
              Action:
                - iam:PassRole
              Resource: !GetAtt BedrockFinetuningRole.Arn
            - Effect: Allow
              Action:
                - kms:Decrypt
                - kms:GenerateDataKey*
                - kms:DescribeKey
              Resource: !GetAtt CustomerManagedEncryptionKey.Arn

  # Fine-Tuning Job Status Checker Lambda
  FinetuningJobStatusCheckerLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      KmsKeyId: !GetAtt CustomerManagedEncryptionKey.Arn
      RetentionInDays: !Ref LogRetentionDays

  FinetuningJobStatusCheckerFunction:
    Type: AWS::Serverless::Function
    Metadata:
      cfn_nag:
        rules_to_suppress:
          - id: W89
            reason: "Function does not require VPC access"
          - id: W92
            reason: "Function does not require reserved concurrency"
    # checkov:skip=CKV_AWS_116: "DLQ not required - Step Functions handles retries"
    # checkov:skip=CKV_AWS_117: "Function does not require VPC access"
    # checkov:skip=CKV_AWS_115: "Function does not require reserved concurrency"
    # checkov:skip=CKV_AWS_173: "Environment variables contain non-sensitive configuration"
    Properties:
      PermissionsBoundary:
        !If [HasPermissionsBoundary, !Ref PermissionsBoundaryArn, !Ref AWS::NoValue]
      FunctionName: !Sub "${AWS::StackName}-FinetuningJobStatusChecker"
      Handler: index.handler
      Runtime: python3.12
      CodeUri: src/lambda/finetuning_job_status_checker/
      Timeout: 60
      MemorySize: 256
      Environment:
        Variables:
          LOG_LEVEL: !Ref LogLevel
          TRACKING_TABLE: !Ref TrackingTable
      LoggingConfig:
        LogGroup: !Ref FinetuningJobStatusCheckerLogGroup
      Policies:
        - DynamoDBCrudPolicy:
            TableName: !Ref TrackingTable
        - Statement:
            - Effect: Allow
              Action:
                - bedrock:GetModelCustomizationJob
                - bedrock:GetCustomModel
                - bedrock:GetCustomModelDeployment
              Resource:
                - !Sub "arn:${AWS::Partition}:bedrock:${AWS::Region}:${AWS::AccountId}:model-customization-job/*"
                - !Sub "arn:${AWS::Partition}:bedrock:${AWS::Region}:${AWS::AccountId}:custom-model/*"
                - !Sub "arn:${AWS::Partition}:bedrock:${AWS::Region}:${AWS::AccountId}:custom-model-deployment/*"
            - Effect: Allow
              Action:
                - kms:Decrypt
                - kms:DescribeKey
              Resource: !GetAtt CustomerManagedEncryptionKey.Arn

  # Fine-Tuning Deployment Handler Lambda
  FinetuningDeploymentHandlerLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      KmsKeyId: !GetAtt CustomerManagedEncryptionKey.Arn
      RetentionInDays: !Ref LogRetentionDays

  FinetuningDeploymentHandlerFunction:
    Type: AWS::Serverless::Function
    Metadata:
      cfn_nag:
        rules_to_suppress:
          - id: W89
            reason: "Function does not require VPC access"
          - id: W92
            reason: "Function does not require reserved concurrency"
    # checkov:skip=CKV_AWS_116: "DLQ not required - Step Functions handles retries"
    # checkov:skip=CKV_AWS_117: "Function does not require VPC access"
    # checkov:skip=CKV_AWS_115: "Function does not require reserved concurrency"
    # checkov:skip=CKV_AWS_173: "Environment variables contain non-sensitive configuration"
    Properties:
      PermissionsBoundary:
        !If [HasPermissionsBoundary, !Ref PermissionsBoundaryArn, !Ref AWS::NoValue]
      FunctionName: !Sub "${AWS::StackName}-FinetuningDeploymentHandler"
      Handler: index.handler
      Runtime: python3.12
      CodeUri: src/lambda/finetuning_deployment_handler/
      Timeout: 120
      MemorySize: 256
      Environment:
        Variables:
          LOG_LEVEL: !Ref LogLevel
          TRACKING_TABLE: !Ref TrackingTable
          CONFIGURATION_TABLE_NAME: !Ref ConfigurationTable
      LoggingConfig:
        LogGroup: !Ref FinetuningDeploymentHandlerLogGroup
      Policies:
        - DynamoDBCrudPolicy:
            TableName: !Ref TrackingTable
        - DynamoDBCrudPolicy:
            TableName: !Ref ConfigurationTable
        - Statement:
            - Effect: Allow
              Action:
                - bedrock:CreateCustomModelDeployment
                - bedrock:GetCustomModelDeployment
                - bedrock:DeleteCustomModelDeployment
                - bedrock:ListCustomModelDeployments
                - bedrock:TagResource
              Resource:
                - !Sub "arn:${AWS::Partition}:bedrock:${AWS::Region}:${AWS::AccountId}:custom-model/*"
                - !Sub "arn:${AWS::Partition}:bedrock:${AWS::Region}:${AWS::AccountId}:custom-model-deployment/*"
            - Effect: Allow
              Action:
                - kms:Decrypt
                - kms:GenerateDataKey*
                - kms:DescribeKey
              Resource: !GetAtt CustomerManagedEncryptionKey.Arn

  # Fine-Tuning State Machine IAM Role
  FinetuningStateMachineRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: !Sub "states.${AWS::URLSuffix}"
            Action: sts:AssumeRole
      PermissionsBoundary:
        !If [HasPermissionsBoundary, !Ref PermissionsBoundaryArn, !Ref AWS::NoValue]
      Policies:
        - PolicyName: FinetuningStateMachinePolicy
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action: lambda:InvokeFunction
                Resource:
                  - !GetAtt FinetuningListDocumentsFunction.Arn
                  - !GetAtt FinetuningProcessDocumentFunction.Arn
                  - !GetAtt FinetuningMergeDataFunction.Arn
                  - !GetAtt FinetuningJobCreatorFunction.Arn
                  - !GetAtt FinetuningJobStatusCheckerFunction.Arn
                  - !GetAtt FinetuningDeploymentHandlerFunction.Arn
              # CloudWatch Logs actions for Step Functions logging require Resource: "*"
              # because these APIs do not support resource-level permissions.
              # See: https://docs.aws.amazon.com/step-functions/latest/dg/cw-logs.html
              - Effect: Allow
                Action:
                  - logs:CreateLogDelivery
                  - logs:GetLogDelivery
                  - logs:UpdateLogDelivery
                  - logs:DeleteLogDelivery
                  - logs:ListLogDeliveries
                  - logs:PutResourcePolicy
                  - logs:DescribeResourcePolicies
                  - logs:DescribeLogGroups
                Resource: "*"
              - Effect: Allow
                Action:
                  - dynamodb:UpdateItem
                  - dynamodb:GetItem
                  - dynamodb:PutItem
                Resource: !GetAtt TrackingTable.Arn
              - Effect: Allow
                Action:
                  - kms:Encrypt
                  - kms:Decrypt
                  - kms:GenerateDataKey*
                Resource: !GetAtt CustomerManagedEncryptionKey.Arn
              - Effect: Allow
                Action:
                  - s3:PutObject
                  - s3:GetObject
                  - s3:ListBucket
                Resource:
                  - !GetAtt FinetuningDataBucket.Arn
                  - !Sub "${FinetuningDataBucket.Arn}/*"
              # Distributed Map requires permission to start child executions
              - Effect: Allow
                Action:
                  - states:StartExecution
                Resource: !Sub "arn:${AWS::Partition}:states:${AWS::Region}:${AWS::AccountId}:stateMachine:${AWS::StackName}-FinetuningStateMachine"
              - Effect: Allow
                Action:
                  - states:DescribeExecution
                  - states:StopExecution
                Resource: !Sub "arn:${AWS::Partition}:states:${AWS::Region}:${AWS::AccountId}:execution:${AWS::StackName}-FinetuningStateMachine:*"
              - Effect: Allow
                Action:
                  - states:RedriveExecution
                Resource: !Sub "arn:${AWS::Partition}:states:${AWS::Region}:${AWS::AccountId}:execution:${AWS::StackName}-FinetuningStateMachine:*:*"

  # Fine-Tuning State Machine Log Group
  FinetuningStateMachineLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      LogGroupName: !Sub "/aws/vendedlogs/states/${AWS::StackName}-FinetuningStateMachine"
      KmsKeyId: !GetAtt CustomerManagedEncryptionKey.Arn
      RetentionInDays: !Ref LogRetentionDays

  # Fine-Tuning State Machine
  FinetuningStateMachine:
    Type: AWS::Serverless::StateMachine
    Properties:
      Name: !Sub "${AWS::StackName}-FinetuningStateMachine"
      DefinitionUri: src/lambda/finetuning_state_machine/definition.json
      DefinitionSubstitutions:
        FinetuningListDocumentsArn: !GetAtt FinetuningListDocumentsFunction.Arn
        FinetuningProcessDocumentArn: !GetAtt FinetuningProcessDocumentFunction.Arn
        FinetuningMergeDataArn: !GetAtt FinetuningMergeDataFunction.Arn
        FinetuningJobCreatorArn: !GetAtt FinetuningJobCreatorFunction.Arn
        FinetuningJobStatusCheckerArn: !GetAtt FinetuningJobStatusCheckerFunction.Arn
        FinetuningDeploymentHandlerArn: !GetAtt FinetuningDeploymentHandlerFunction.Arn
        TrackingTableName: !Ref TrackingTable
        FinetuningDataBucket: !Ref FinetuningDataBucket
      Role: !GetAtt FinetuningStateMachineRole.Arn
      Logging:
        Destinations:
          - CloudWatchLogsLogGroup:
              LogGroupArn: !GetAtt FinetuningStateMachineLogGroup.Arn
        IncludeExecutionData: true
        Level: ALL
      Tracing:
        Enabled: !If [EnableXRayTracingCondition, true, false]
      Tags:
        Name: !Sub "${AWS::StackName}-FinetuningStateMachine"

  # Fine-Tuning Jobs Resolver Lambda
  FinetuningJobsResolverLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      KmsKeyId: !GetAtt CustomerManagedEncryptionKey.Arn
      RetentionInDays: !Ref LogRetentionDays

  FinetuningJobsResolverFunction:
    Type: AWS::Serverless::Function
    Metadata:
      cfn_nag:
        rules_to_suppress:
          - id: W89
            reason: "Function does not require VPC access"
          - id: W92
            reason: "Function does not require reserved concurrency"
    # checkov:skip=CKV_AWS_116: "DLQ not required for AppSync resolver"
    # checkov:skip=CKV_AWS_117: "Function does not require VPC access"
    # checkov:skip=CKV_AWS_115: "Function does not require reserved concurrency"
    # checkov:skip=CKV_AWS_173: "Environment variables contain non-sensitive configuration"
    Properties:
      PermissionsBoundary:
        !If [HasPermissionsBoundary, !Ref PermissionsBoundaryArn, !Ref AWS::NoValue]
      FunctionName: !Sub "${AWS::StackName}-FinetuningJobsResolver"
      Handler: index.lambda_handler
      Runtime: python3.12
      CodeUri: nested/appsync/src/lambda/finetuning_jobs_resolver/
      Timeout: 60
      MemorySize: 512
      Layers:
        - !Ref IDPCommonBaseLayer
      Environment:
        Variables:
          LOG_LEVEL: !Ref LogLevel
          TRACKING_TABLE: !Ref TrackingTable
          FINETUNING_STATE_MACHINE_ARN: !Ref FinetuningStateMachine
          FINETUNING_DATA_BUCKET: !Ref FinetuningDataBucket
      LoggingConfig:
        LogGroup: !Ref FinetuningJobsResolverLogGroup
      Policies:
        - DynamoDBCrudPolicy:
            TableName: !Ref TrackingTable
        - StepFunctionsExecutionPolicy:
            StateMachineName: !GetAtt FinetuningStateMachine.Name
        - Statement:
            - Effect: Allow
              Action:
                - bedrock:GetCustomModel
                - bedrock:ListCustomModels
                - bedrock:GetCustomModelDeployment
                - bedrock:ListCustomModelDeployments
                - bedrock:DeleteCustomModelDeployment
                - bedrock:DeleteCustomModel
              Resource:
                - !Sub "arn:${AWS::Partition}:bedrock:${AWS::Region}:${AWS::AccountId}:custom-model/*"
                - !Sub "arn:${AWS::Partition}:bedrock:${AWS::Region}:${AWS::AccountId}:custom-model-deployment/*"
            - Effect: Allow
              Action:
                - bedrock:ListCustomModels
                - bedrock:ListCustomModelDeployments
              Resource: "*"
            - Effect: Allow
              Action:
                - kms:Decrypt
                - kms:GenerateDataKey*
                - kms:DescribeKey
              Resource: !GetAtt CustomerManagedEncryptionKey.Arn

  # Fine-Tuning Jobs AppSync Data Source
  FinetuningJobsDataSource:
    Type: AWS::AppSync::DataSource
    Properties:
      ApiId: !GetAtt GraphQLApi.ApiId
      Name: FinetuningJobsDataSource
      Description: Lambda function for fine-tuning job operations
      Type: AWS_LAMBDA
      ServiceRoleArn: !GetAtt HITLAppSyncServiceRole.Arn
      LambdaConfig:
        LambdaFunctionArn: !GetAtt FinetuningJobsResolverFunction.Arn

  # Update HITLAppSyncServiceRole to include fine-tuning resolver
  # (This is handled by adding the function ARN to the existing role's policy)

  # Fine-Tuning AppSync Resolvers
  CreateFinetuningJobResolver:
    Type: AWS::AppSync::Resolver
    DependsOn: APPSYNCSTACK
    Properties:
      ApiId: !GetAtt GraphQLApi.ApiId
      DataSourceName: !GetAtt FinetuningJobsDataSource.Name
      TypeName: Mutation
      FieldName: createFinetuningJob

  DeleteFinetuningJobResolver:
    Type: AWS::AppSync::Resolver
    DependsOn: APPSYNCSTACK
    Properties:
      ApiId: !GetAtt GraphQLApi.ApiId
      DataSourceName: !GetAtt FinetuningJobsDataSource.Name
      TypeName: Mutation
      FieldName: deleteFinetuningJob

  UpdateFinetuningJobStatusResolver:
    Type: AWS::AppSync::Resolver
    DependsOn: APPSYNCSTACK
    Properties:
      ApiId: !GetAtt GraphQLApi.ApiId
      DataSourceName: !GetAtt FinetuningJobsDataSource.Name
      TypeName: Mutation
      FieldName: updateFinetuningJobStatus

  GetFinetuningJobResolver:
    Type: AWS::AppSync::Resolver
    DependsOn: APPSYNCSTACK
    Properties:
      ApiId: !GetAtt GraphQLApi.ApiId
      DataSourceName: !GetAtt FinetuningJobsDataSource.Name
      TypeName: Query
      FieldName: getFinetuningJob

  ListFinetuningJobsResolver:
    Type: AWS::AppSync::Resolver
    DependsOn: APPSYNCSTACK
    Properties:
      ApiId: !GetAtt GraphQLApi.ApiId
      DataSourceName: !GetAtt FinetuningJobsDataSource.Name
      TypeName: Query
      FieldName: listFinetuningJobs

  ValidateTestSetForFinetuningResolver:
    Type: AWS::AppSync::Resolver
    DependsOn: APPSYNCSTACK
    Properties:
      ApiId: !GetAtt GraphQLApi.ApiId
      DataSourceName: !GetAtt FinetuningJobsDataSource.Name
      TypeName: Query
      FieldName: validateTestSetForFinetuning

  ListAvailableModelsResolver:
    Type: AWS::AppSync::Resolver
    DependsOn: APPSYNCSTACK
    Properties:
      ApiId: !GetAtt GraphQLApi.ApiId
      DataSourceName: !GetAtt FinetuningJobsDataSource.Name
      TypeName: Query
      FieldName: listAvailableModels

  SkipAllSectionsReviewResolver:
    Type: AWS::AppSync::Resolver
    DependsOn: APPSYNCSTACK
    Properties:
      ApiId: !GetAtt GraphQLApi.ApiId
      DataSourceName: !GetAtt CompleteSectionReviewDataSource.Name
      TypeName: Mutation
      FieldName: skipAllSectionsReview

  ClaimReviewResolver:
    Type: AWS::AppSync::Resolver
    DependsOn: APPSYNCSTACK
    Properties:
      ApiId: !GetAtt GraphQLApi.ApiId
      DataSourceName: !GetAtt CompleteSectionReviewDataSource.Name
      TypeName: Mutation
      FieldName: claimReview

  ReleaseReviewResolver:
    Type: AWS::AppSync::Resolver
    DependsOn: APPSYNCSTACK
    Properties:
      ApiId: !GetAtt GraphQLApi.ApiId
      DataSourceName: !GetAtt CompleteSectionReviewDataSource.Name
      TypeName: Mutation
      FieldName: releaseReview

Outputs:
  CustomerManagedEncryptionKeyArn:
    Description: ARN of the customer-managed KMS encryption key used for S3 buckets. Needed when deploying Lambda Hook functions that read from the working bucket.
    Value: !GetAtt CustomerManagedEncryptionKey.Arn
  ApplicationWebURL:
    Description: Application Web URL
    Value: !If
      - UseCloudFrontHosting
      - !Sub "https://${CloudFrontDistribution.DomainName}/"
      - !GetAtt ALBHOSTINGSTACK.Outputs.WebUIURL
  S3InstallBucket:
    Description: Install S3 bucket name
    Value: !Ref InputBucket
  S3LoggingBucket:
    Description: Logging S3 bucket name
    Value: !Ref LoggingBucket
  S3WebUIBucket:
    Description: WebUI S3 bucket name
    Value: !Ref WebUIBucket
  S3InputBucketName:
    Description: Input S3 bucket name
    Value: !Ref InputBucket
  S3DiscoveryBucketName:
    Description: Discovery S3 bucket name
    Value: !Ref DiscoveryBucket
  S3InputBucketConsoleURL:
    Description: Input S3 bucket console URL
    Value: !Sub https://s3.console.aws.amazon.com/s3/buckets/${InputBucket}
  S3DiscoveryBucketConsoleURL:
    Description: Discovery S3 bucket console URL
    Value: !Sub https://s3.console.aws.amazon.com/s3/buckets/${DiscoveryBucket}
  S3OutputBucketName:
    Description: Output S3 bucket name
    Value: !Ref OutputBucket
  S3OutputBucketConsoleURL:
    Description: Output S3 bucket console URL
    Value: !Sub https://s3.console.aws.amazon.com/s3/buckets/${OutputBucket}
  S3ReportingBucketName:
    Description: Reporting S3 bucket name
    Value: !If
      - ShouldCreateReportingBucket
      - !Ref ReportingBucket
      - !Ref ReportingBucketName
  S3ReportingBucketConsoleURL:
    Description: Reporting S3 bucket console URL
    Value: !Sub
      - https://s3.console.aws.amazon.com/s3/buckets/${Bucket}
      - Bucket: !If
          - ShouldCreateReportingBucket
          - !Ref ReportingBucket
          - !Ref ReportingBucketName
  ReportingDatabase:
    Description: "AWS Glue database containing evaluation metrics tables (document_evaluations, section_evaluations, attribute_evaluations) that can be queried with Amazon Athena for analytics and reporting"
    Value: !Ref ReportingDatabase
  S3EvaluationBaselineBucketName:
    Description: Evaluation Baseline S3 bucket name
    Value: !If
      - ShouldCreateEvaluationBaselineBucket
      - !Ref EvaluationBaselineBucket
      - !Ref EvaluationBaselineBucketName
  S3EvaluationBaselineBucketConsoleURL:
    Description: Evaluation Baseline S3 bucket console URL
    Value: !Sub
      - https://s3.console.aws.amazon.com/s3/buckets/${Bucket}
      - Bucket: !If
          - ShouldCreateEvaluationBaselineBucket
          - !Ref EvaluationBaselineBucket
          - !Ref EvaluationBaselineBucketName
  S3ConfigurationBucketName:
    Description: Configuration S3 bucket name
    Value: !Ref ConfigurationBucket
  S3ConfigurationBucketConsoleURL:
    Description: Configuration S3 bucket console URL
    Value: !Sub https://s3.console.aws.amazon.com/s3/buckets/${ConfigurationBucket}
  S3TestSetBucketName:
    Description: Test Set S3 bucket name
    Value: !Ref TestSetBucket
  S3TestSetBucketConsoleURL:
    Description: Test Set S3 bucket console URL
    Value: !Sub https://s3.console.aws.amazon.com/s3/buckets/${TestSetBucket}
  StateMachineArn:
    Description: Step Functions State machine ARN
    Value: !GetAtt PATTERNSTACK.Outputs.StateMachineArn
  StateMachineConsoleURL:
    Description: Step Functions State machine console URL
    Value: !Sub
      - https://${AWS::Region}.console.aws.amazon.com/states/home?region=${AWS::Region}#/statemachines/view/${StateMachineArn}
      - StateMachineArn: !GetAtt PATTERNSTACK.Outputs.StateMachineArn

  CWDashboardConsoleName:
    Description: Name of the merged CloudWatch dashboard
    Value: !GetAtt MergedDashboard.DashboardName
  CWDashboardConsoleURL:
    Description: URL of the merged CloudWatch dashboard
    Value: !Sub "https://${AWS::Region}.console.aws.amazon.com/cloudwatch/home?region=${AWS::Region}#dashboards:name=${MergedDashboard.DashboardName}"
  SNSAlertsTopicARN:
    Description: SNS Topic ARN for alerts
    Value: !Ref AlertsTopic
  SNSAlertsTopicConsoleURL:
    Description: SNS Topic console URL
    Value: !Sub https://${AWS::Region}.console.aws.amazon.com/sns/v3/home?region=${AWS::Region}#/topic/${AlertsTopic}
  DynamoDBTrackingTableConsoleURL:
    Description: DynamoDB table console URL
    Value: !Sub https://${AWS::Region}.console.aws.amazon.com/dynamodbv2/home?region=${AWS::Region}#item-explorer?maximize=true&operation=QUERY&table=${TrackingTable}
  DynamoDBConcurrencyTableConsoleURL:
    Description: DynamoDB table console URL
    Value: !Sub https://${AWS::Region}.console.aws.amazon.com/dynamodbv2/home?region=${AWS::Region}#item-explorer?maximize=true&operation=QUERY&table=${ConcurrencyTable}
  DynamoDBConfigurationTableConsoleURL:
    Description: DynamoDB table console URL
    Value: !Sub https://${AWS::Region}.console.aws.amazon.com/dynamodbv2/home?region=${AWS::Region}#item-explorer?maximize=true&operation=QUERY&table=${ConfigurationTable}
  DynamoDBAgentTableName:
    Description: Name of the DynamoDB table for agent job tracking
    Value: !Ref AgentTable
  DynamoDBAgentTableConsoleURL:
    Description: DynamoDB table console URL for agent job tracking
    Value: !Sub https://${AWS::Region}.console.aws.amazon.com/dynamodbv2/home?region=${AWS::Region}#item-explorer?maximize=true&operation=QUERY&table=${AgentTable}
  LambdaLookupFunctionName:
    Description: Name of the Lookup function
    Value: !Ref LookupFunction
  LambdaLookupFunctionConsoleURL:
    Description: Lambda function console URL
    Value: !Sub https://${AWS::Region}.console.aws.amazon.com/lambda/home?region=${AWS::Region}#/functions/${LookupFunction}
  SQSDocumentQueueUrl:
    Description: SQS Queue URL
    Value: !Ref DocumentQueue
  SQSDocumentQueueConsoleURL:
    Description: SQS Queue console URL
    Value: !Sub https://${AWS::Region}.console.aws.amazon.com/sqs/v2/home?region=${AWS::Region}#/queues/${DocumentQueue}
  # NOTE: Federation VITE_ vars below will be empty when ExternalIdPName is not set.
  # This is expected — !Sub blocks cannot conditionally omit lines. Empty values are
  # harmless in .env files. The CodeBuild section uses !If for build-time optimization.
  WebUITestEnvFile:
    Description: Copy to create .env file for local UI testing
    Value: !Join
      - "\n"
      - - !Sub "VITE_USER_POOL_ID=${UserPool}"
        - !Sub "VITE_USER_POOL_CLIENT_ID=${UserPoolClient}"
        - !Sub "VITE_IDENTITY_POOL_ID=${IdentityPool}"
        - !Sub "VITE_APPSYNC_GRAPHQL_URL=${GraphQLApi.GraphQLUrl}"
        - !Sub "VITE_AWS_REGION=${AWS::Region}"
        - !Sub "VITE_SETTINGS_PARAMETER=${SettingsParameter}"
        - !If
          - HasExternalIdP
          - !Sub "VITE_COGNITO_DOMAIN=${GetDomain.OutputString}.auth.${AWS::Region}.amazoncognito.com"
          - ""
        - !If
          - HasExternalIdP
          - !Sub "VITE_EXTERNAL_IDP_NAME=${ExternalIdPName}"
          - ""
        - !If
          - HasExternalIdP
          - !Sub "VITE_EXTERNAL_IDP_AUTO_LOGIN=${ExternalIdPAutoLogin}"
          - ""
        - !Sub "VITE_TEST_SET_BUCKET_NAME=${TestSetBucket}"
        - !Sub "VITE_INPUT_BUCKET_NAME=${InputBucket}"
        - "VITE_LATENCY_OPTIONS=[60, 120, 300, 600, 900, 1800, 3600]"
        - "VITE_DEFAULT_MAX_LATENCY=60"
        - 'VITE_DEFAULT_TOKENS_BY_STEP={"OCR":4000,"Classification":2000,"Extraction":8000,"Assessment":4000,"Summarization":4000,"default":4000}'
        - "VITE_DEFAULT_MAX_TOKENS_PER_REQUEST=4000"
        - "VITE_BDA_TOKENS_PER_PAGE=2000"
  ExternalMCPAgentsSecretConsoleURL:
    Description: External MCP Agents secret console URL - configure MCP server credentials here (JSON array format)
    Value: !Sub "https://${AWS::Region}.console.aws.amazon.com/secretsmanager/secret?name=${AWS::StackName}/external-mcp-agents/credentials&region=${AWS::Region}"
  IDPCommonBaseLayerArn:
    Description: ARN of IDP Common Base Layer
    Value: !Ref IDPCommonBaseLayer
  
  IDPCommonReportingLayerArn:
    Description: ARN of IDP Common Reporting Layer
    Value: !Ref IDPCommonReportingLayer
  
  IDPCommonAgentsLayerArn:
    Description: ARN of IDP Common Agents Layer
    Value: !Ref IDPCommonAgentsLayer
  
  MCPServerEndpoint:
    Condition: CreateAgentCoreLambda
    Description: MCP Server Endpoint
    Value: !GetAtt AgentCoreGateway.GatewayUrl
  MCPClientId:
    Condition: CreateAgentCoreLambda
    Description: Cognito client ID for user-based authentication with the IDP MCP server. Used by external applications like Amazon QuickSight that require user password authentication.
    Value: !Ref ExternalAppClient
  MCPClientSecret:
    Condition: CreateAgentCoreLambda
    Description: Cognito client secret for user-based authentication with the IDP MCP server. Used by external applications like Amazon QuickSight that require user password authentication.
    Value: !GetAtt ExternalAppClient.ClientSecret
  MCPUserPool:
    Condition: CreateAgentCoreLambda
    Description: MCP User Pool ID
    Value: !Ref UserPool
  MCPTokenURL:
    Condition: CreateAgentCoreLambda
    Description: MCP Token URL
    Value: !Sub "https://${GetDomain.OutputString}.auth.${AWS::Region}.amazoncognito.com/oauth2/token"
  MCPAuthorizationURL:
    Condition: CreateAgentCoreLambda
    Description: MCP Authorization URL
    Value: !Sub "https://${GetDomain.OutputString}.auth.${AWS::Region}.amazoncognito.com/oauth2/authorize"
  ApiGatewayEndpoint:
    Condition: DeployApiGateway
    Description: Jobs API endpoint URL
    Value: !Sub "https://${ApiGateway}.execute-api.${AWS::Region}.${AWS::URLSuffix}/${ApiStageName}"
  ApiClientId:
    Condition: DeployApiGateway
    Description: App client ID for API authentication
    Value: !Ref ApiAppClient
  MCPConnectorClientId:
    Condition: CreateAgentCoreLambda
    Description: Cognito client ID used by the MCP Connector for machine-to-machine (M2M) authentication with the IDP system
    Value: !Ref MCPConnectorClient
  MCPConnectorClientSecret:
    Condition: CreateAgentCoreLambda
    Description: Cognito client secret used by the MCP Connector for machine-to-machine (M2M) authentication with the IDP system
    Value: !GetAtt MCPConnectorClient.ClientSecret
  MCPContentBucketConsoleURL:
    Description: MCP server content bucket console URL
    Value: !Sub https://s3.console.aws.amazon.com/s3/buckets/${MCPContentBucket}
  LambdaVpcSecurityGroupId:
    Condition: UsePrivateAppSync
    Description: >-
      Security Group ID for Lambda functions in private AppSync mode.
      The networking team must allow inbound HTTPS (port 443) from this
      security group on all VPC Interface Endpoints they create for this stack.
      See scripts/vpc-endpoints.yaml for the endpoint template.
    Value: !GetAtt LambdaVpcSecurityGroup.GroupId