aws-solutions-library-samples
diff --git a/‎CHANGELOG.md‎
Lines changed: 21 additions & 0 deletions b/‎CHANGELOG.md‎
Lines changed: 21 additions & 0 deletions
diff --git a/‎docs/README.md‎
Lines changed: 1 addition & 0 deletions b/‎docs/README.md‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎docs/circuit-breaker.md‎
Lines changed: 212 additions & 0 deletions b/‎docs/circuit-breaker.md‎
Lines changed: 212 additions & 0 deletions
@@ -5,6 +5,27 @@ SPDX-License-Identifier: MIT-0
 
 ## [Unreleased]
 
+### Added
+
+- **Bedrock circuit breaker** — a CFN-parameterized circuit breaker that pauses new workflow starts when Bedrock is unhealthy and auto-recovers once the service comes back, so transient Bedrock outages no longer burn through SQS retries or leave documents half-processed. Off by default for full backward compatibility.
+  - New `circuit_breaker_manager` Lambda (`src/lambda/circuit_breaker_manager/`) owns state transitions in the existing `ConcurrencyTable` under `counter_id = "circuit_breaker"`. Three states: `CLOSED` (normal), `OPEN` (block new workflow starts), `HALF_OPEN` (probe traffic allowed).
+  - **Triggers:** (1) CloudWatch Alarm state changes on Bedrock error metrics fan out via SNS → `circuit_breaker_manager`; (2) an EventBridge-scheduled health check promotes `OPEN → HALF_OPEN` once `RECOVERY_TIMEOUT_SECONDS` has elapsed.
+  - **Gate:** `queue_processor.check_circuit_breaker()` runs *before* the concurrency-counter increment — cheap filter first. `OPEN` → message is not deleted, SQS redelivers after visibility timeout. `HALF_OPEN` → probe traffic proceeds. DDB errors fail **open** (do not block traffic) and return state `ERROR`.
+  - **Recovery:** `workflow_tracker.notify_circuit_breaker_success()` transitions `HALF_OPEN → CLOSED` after the first successful workflow completion, conditionally on state still being `HALF_OPEN`.
+  - **Race-safe DDB writes:** all state transitions (`handle_alarm_event`, `handle_health_check`, `notify_circuit_breaker_success`) use `ConditionExpression` on the expected prior state. A concurrent alarm fan-out or a workflow-completion racing against an alarm can no longer clobber each other's state write; the loser's `ConditionalCheckFailedException` is swallowed as a no-op and side effects (SNS publish, CloudWatch metric, custom error-handler invoke) are skipped so no stale notification is emitted.
+  - **Operator hooks:** manual `{"action": "reset"}` and `{"action": "get_state"}` invocations on `circuit_breaker_manager`; optional customer Lambda invoked via `ERROR_HANDLER_ARN` when the breaker opens.
+  - **Metrics & notifications:** `CircuitBreakerOpened` / `CircuitBreakerHalfOpen` / `CircuitBreakerClosed` CloudWatch metrics under the existing `METRIC_NAMESPACE`, and state-change notifications to the existing `AlertsTopic`.
+  - **New CFN parameters** (all default to off, fully backward-compatible): `EnableCircuitBreaker`, `CircuitBreakerRecoveryTimeoutSeconds`, `CircuitBreakerErrorHandlerArn`. New env vars `CIRCUIT_BREAKER_ENABLED` / `CIRCUIT_BREAKER_ID` on `queue_processor` and `workflow_tracker`.
+  - **Unit test coverage:** `src/lambda/circuit_breaker_manager/test_index.py`, `src/lambda/queue_processor/test_check_circuit_breaker.py`, `src/lambda/workflow_tracker/test_notify_circuit_breaker.py` cover alarm ALARM/OK per prior-state branch, health-check recovery elapsed vs. not elapsed, counter preservation on OPEN→HALF_OPEN, manual reset/get_state (including `last_error` removal), disabled / item-missing / OPEN / HALF_OPEN / DDB-error gate paths, OPEN-state SQS visibility extension, HALF_OPEN→CLOSED success path, and the ConditionalCheckFailedException race-loss branch.
+  - **Outage-aware SQS retry backoff:** when the breaker is `OPEN`, `queue_processor` calls `sqs.ChangeMessageVisibility` to push the message invisibility out to `CircuitBreakerRecoveryTimeoutSeconds` (default 300 s). Keeps long Bedrock outages from burning through the source queue's `maxReceiveCount` and landing documents in the DLQ. Failures are non-fatal — messages fall back to the default 30 s visibility timeout.
+  - **Counter preservation on recovery:** `OPEN → HALF_OPEN` transitions (both alarm-cleared and recovery-timeout paths) now preserve `failure_count` instead of resetting it to 0, so operators can see the cumulative failure count across a full outage. Manual reset still zeros both counters and removes `last_error` for a clean-slate restart.
+  - **Docs:** `docs/circuit-breaker.md` and `src/lambda/circuit_breaker_manager/README.md`.
+  - **Web UI visibility & admin controls** — the document list header shows a live status badge (green CLOSED / blue HALF_OPEN / red OPEN with `lastError` tooltip) powered by an AppSync subscription. Clicking the badge opens a details panel (state, `openedAt`, `failureCount`, `recoveryAttempts`, `lastError`). Users in the **Admin** Cognito group additionally see **Pause processing**, **Resume processing**, and **Probe recovery** buttons — each requires a reason that is persisted to DynamoDB and broadcast over the existing `AlertsTopic`. All automatic transitions (alarm fan-out, scheduled health-check probe) also publish to the subscription, so the badge reflects real state within ~1 s across every connected browser. Badge and panel are hidden entirely when `CircuitBreakerEnabled=false`.
+    - New AppSync query/mutations/subscription: `getCircuitBreakerStatus`, `pauseCircuitBreaker`, `resumeCircuitBreaker`, `probeCircuitBreaker`, `onCircuitBreakerStatusChange` (backed by IAM-only `publishCircuitBreakerStatus` fan-out mutation).
+    - New resolver Lambda (`nested/appsync/src/lambda/circuit_breaker_resolver/`) handles reads directly from `ConcurrencyTable` and forwards admin mutations to `circuit_breaker_manager` as new `manual_open` / `manual_close` / `manual_probe` actions (reasons recorded in `last_error`). Admin authorization is enforced at both the AppSync schema layer (`@aws_auth(cognito_groups: ["Admin"])`) and in the resolver.
+    - `HALF_OPEN → CLOSED` recoveries fan out to the UI in real time. `workflow_tracker` async-invokes `circuit_breaker_manager` with a new `broadcast` action after it closes the breaker, so the badge flips from "Circuit: recovering" to "Circuit: closed" without a manual refresh. Previously the DDB write was correct but the UI stayed stuck on recovering because only the manager Lambda published to AppSync.
+    - Badge label distinguishes `Manual pause by <user>` entries in `last_error` ("Circuit: manually paused") from automatic alarm-triggered opens ("Circuit: Bedrock outage"). Badge is also restyled as a Cloudscape `Button` to match the other header actions and moved to the right of **Release Review**.
+
 ### Changed
 
 - **Replaced DSR with open-source SRT security scanning tool** — Migrated from deprecated internal DSR (Design Security Review) tool to the actively maintained open-source [Sample Security Review Tool (SRT)](https://github.com/aws-samples/sample-security-review-tool). Added automated security scanning in GitLab CI/CD pipeline that runs on merge requests targeting `develop` branch. Pipeline fails if security findings are detected, providing a security gate before production deployments. New Makefile targets: `make srt`, `make srt-setup`, `make srt-scan`, `make srt-fix`. Updated documentation in CLAUDE.md, CONTRIBUTING.md, and scripts/README.md.
 
@@ -71,6 +71,7 @@ This folder contains detailed documentation on various aspects of the GenAI Inte
 - [Monitoring](./monitoring.md) - Monitoring and logging capabilities
 - [Reporting Database](./reporting-database.md) - Analytics database for evaluation metrics and metering data
 - [Capacity Planning](./capacity-planning.md) - Performance optimization and resource scaling guidance
+- [Circuit Breaker](./circuit-breaker.md) - Automatic protection from cascading failures during Bedrock outages
 - [Cost Calculator](./cost-calculator.md) - Framework for estimating solution costs
 
 ## Planning & Security
 
@@ -0,0 +1,212 @@
+---
+title: "Circuit Breaker"
+---
+
+Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+SPDX-License-Identifier: MIT-0
+
+# Circuit Breaker
+
+Protects the IDP pipeline from cascading failures when Amazon Bedrock is degraded or unavailable. When Bedrock starts returning errors at a configurable rate, the circuit breaker **opens** and new workflows stop starting. Messages stay in SQS instead of fanning out into Lambda retries that would eventually time out or burn through the Step Functions retry budget. Once Bedrock recovers, the breaker transitions through a **half-open** probe state back to **closed** and normal processing resumes.
+
+## Why it exists
+
+Without the circuit breaker, a Bedrock outage produces this chain:
+
+1. Workflows start normally.
+2. Every Bedrock call hits the in-client retry loop (up to 7 attempts, exponential backoff up to 5 minutes).
+3. Step Functions retries another 8 times on failure.
+4. Individual executions hang for up to 15 minutes before failing.
+5. Meanwhile new documents keep getting pulled from SQS and starting more doomed workflows, which waste Lambda concurrency and inflate cost.
+
+The circuit breaker short-circuits that cycle by refusing to start new workflows while Bedrock is unhealthy, so messages stay in the queue and process cleanly after recovery.
+
+## States
+
+| State | Behavior |
+|-------|----------|
+| **CLOSED** | Normal operation. All requests processed. |
+| **OPEN** | Bedrock unavailable. Queue Processor returns messages to SQS for retry. |
+| **HALF_OPEN** | Testing recovery. Limited traffic allowed through. First successful workflow closes the breaker; first new alarm reopens it. |
+
+### Transitions
+
+```
+              ┌──────────┐
+              │  CLOSED  │◄─────────── Successful workflow in HALF_OPEN
+              └────┬─────┘              OR alarm returns to OK
+                   │
+                   │ CloudWatch alarm fires
+                   ▼
+              ┌──────────┐
+              │   OPEN   │ ◄── Alarm fires during HALF_OPEN
+              └────┬─────┘
+                   │
+                   │ Recovery timeout OR alarm OK
+                   ▼
+              ┌───────────┐
+              │ HALF_OPEN │
+              └───────────┘
+```
+
+## Architecture
+
+```
+┌─────────────┐    SNS     ┌────────────────────┐    DynamoDB    ┌──────────────┐
+│ CloudWatch  │───────────►│  Circuit Breaker   │◄──────────────►│ Concurrency  │
+│   Alarm     │            │     Manager        │                │    Table     │
+└─────────────┘            └────────────────────┘                └──────────────┘
+                                   │                                    ▲
+                                   │ SNS                                │
+                                   ▼                                    │
+                           ┌──────────────┐                             │
+                           │ AlertsTopic  │                             │
+                           │ (notify ops) │                             │
+                           └──────────────┘                             │
+                                                                        │
+┌─────────────┐                                                         │
+│    SQS      │────────────►┌─────────────────┐  check state before     │
+│   Queue     │             │ Queue Processor │─────processing──────────┘
+└─────────────┘             └─────────────────┘
+                                   │
+                                   │ if CLOSED or HALF_OPEN
+                                   ▼
+                           ┌─────────────────┐
+                           │  Step Functions │
+                           │    Workflow     │
+                           └─────────────────┘
+```
+
+- **BedrockServiceOutageAlarm**: CloudWatch MetricMath alarm on Bedrock error metrics (see [Alarm threshold](#alarm-threshold)).
+- **CircuitBreakerManager**: Lambda triggered by the alarm's SNS topic and by a 5-minute EventBridge schedule. Manages state transitions and publishes notifications.
+- **ConcurrencyTable**: Existing DynamoDB table — circuit breaker state is stored on the `circuit_breaker` partition key.
+- **QueueProcessor**: Reads state before starting workflows. If OPEN, it returns without starting the Step Functions execution, leaving the message in SQS.
+- **WorkflowTracker**: On a successful workflow completion, if state is HALF_OPEN, transitions to CLOSED.
+
+## Alarm threshold
+
+The `BedrockServiceOutageAlarm` uses MetricMath to sum the Bedrock error categories you opt into and compares the total to `CircuitBreakerFailureThreshold`.
+
+Expression:
+
+```
+<SU> * FILL(m1, 0) + <Thr> * FILL(m2, 0) + <QL> * FILL(m3, 0)
+```
+
+Where each coefficient is `1` if the corresponding trigger is enabled and `0` otherwise. Metrics `m1`/`m2`/`m3` are `BedrockServiceUnavailable`, `BedrockThrottling`, and `BedrockQuotaLimit` under the stack namespace.
+
+| Parameter | Default | Description |
+|-----------|---------|-------------|
+| `CircuitBreakerEnabled` | `false` | Master switch. Set to `true` to provision the alarm, SNS topic, manager Lambda, and traffic gate. |
+| `CircuitBreakerTriggerServiceUnavailable` | `true` | Count 503 `ServiceUnavailableException` errors toward threshold. |
+| `CircuitBreakerTriggerThrottling` | `false` | Count `ThrottlingException`, `TooManyRequestsException`, `RequestLimitExceeded`. |
+| `CircuitBreakerTriggerQuotaLimit` | `false` | Count `ServiceQuotaExceededException`. |
+| `CircuitBreakerFailureThreshold` | `3` | Combined error count per 5-minute period to breach. |
+| `CircuitBreakerEvaluationPeriods` | `1` | Consecutive periods that must breach. |
+| `CircuitBreakerRecoveryTimeoutSeconds` | `300` | Seconds before automatic OPEN → HALF_OPEN transition. |
+| `CircuitBreakerErrorHandlerArn` | (empty) | Optional Lambda ARN invoked on state changes for custom handling. |
+
+**Default behavior when enabled**: 3 or more `ServiceUnavailableException` errors in a single 5-minute window open the breaker. Throttling and quota-limit errors are not counted by default because those usually indicate client-side load issues, not a Bedrock outage. Enable additional triggers to protect against sustained throttling or quota exhaustion.
+
+## Error categories
+
+The Bedrock client in `idp_common` emits category-specific CloudWatch metrics under the stack namespace whenever it catches a retryable error:
+
+| Metric | Bedrock exception code(s) | Typical cause |
+|--------|---------------------------|---------------|
+| `BedrockServiceUnavailable` | `ServiceUnavailableException` (503) | Bedrock service degradation or regional outage |
+| `BedrockThrottling` | `ThrottlingException`, `TooManyRequestsException`, `RequestLimitExceeded` | Client-side throughput limits reached |
+| `BedrockQuotaLimit` | `ServiceQuotaExceededException` | Account quota exhausted for the model |
+
+These metrics are emitted unconditionally, independent of `CircuitBreakerEnabled`, so you can observe Bedrock error rates even when the circuit breaker is disabled.
+
+## Enabling the circuit breaker
+
+Set `CircuitBreakerEnabled=true` at deploy time:
+
+```bash
+aws cloudformation deploy \
+  --stack-name my-idp-stack \
+  --template-file template.yaml \
+  --parameter-overrides \
+    CircuitBreakerEnabled=true \
+    CircuitBreakerFailureThreshold=3 \
+    CircuitBreakerTriggerThrottling=true
+```
+
+Or via the IDP CLI / console. When `CircuitBreakerEnabled=false` (the default), none of the circuit breaker resources are provisioned — no alarm, no SNS topic, no manager Lambda — and the Queue Processor skips the state check entirely.
+
+## Tuning guidance
+
+For GovCloud or other environments experiencing intermittent Bedrock outages:
+
+```
+CircuitBreakerFailureThreshold: 3
+CircuitBreakerEvaluationPeriods: 1        # 5-minute window
+CircuitBreakerRecoveryTimeoutSeconds: 300 # 5 minutes before probing
+```
+
+For stable environments where you want the breaker as a safety net only:
+
+```
+CircuitBreakerFailureThreshold: 5
+CircuitBreakerEvaluationPeriods: 2         # 10-minute window
+CircuitBreakerRecoveryTimeoutSeconds: 600  # 10 minutes
+```
+
+## Web UI
+
+When `CircuitBreakerEnabled=true`, the document list header shows a live status badge that reflects the current breaker state via an AppSync subscription:
+
+| Badge | State | Meaning |
+|-------|-------|---------|
+| Green "Circuit: closed" | CLOSED | Normal operation |
+| Blue "Circuit: recovering" | HALF_OPEN | Probing recovery |
+| Red "Circuit: Bedrock outage" | OPEN (automatic) | Opened by `BedrockServiceOutageAlarm`; hover for `lastError` |
+| Red "Circuit: manually paused" | OPEN (manual) | Opened via the admin **Pause processing** control; hover for the reason |
+
+When `CircuitBreakerEnabled=false` the badge is hidden entirely.
+
+Click the badge to open a details panel showing `state`, `openedAt`, `lastCheckedAt`, `failureCount`, `recoveryAttempts`, and `lastError`. Users in the **Admin** Cognito group additionally see three controls:
+
+- **Pause processing** — forces OPEN (available when state is CLOSED or HALF_OPEN). Use before planned Bedrock changes or to quiesce the pipeline.
+- **Resume processing** — forces CLOSED and resets failure/recovery counters. Use to clear a stuck OPEN state.
+- **Probe recovery** — forces HALF_OPEN (available when state is OPEN). Use to test recovery before the automatic timeout.
+
+Each control requires a **reason** that is persisted to DynamoDB (`lastError` field for pause; also logged) and broadcast over the existing SNS alerts topic. All transitions — including automatic ones from CloudWatch alarms, the scheduled health check, and the `HALF_OPEN → CLOSED` transition triggered by a successful workflow completion — fan out to every connected browser in real time.
+
+Non-admins can view the panel but do not see the control buttons.
+
+## Manual operations
+
+Reset the circuit breaker (force CLOSED):
+
+```bash
+aws lambda invoke --function-name <CircuitBreakerManagerFunctionName> \
+  --payload '{"action": "reset"}' response.json
+```
+
+Check current state:
+
+```bash
+aws lambda invoke --function-name <CircuitBreakerManagerFunctionName> \
+  --payload '{"action": "get_state"}' response.json
+```
+
+Or read state directly from DynamoDB:
+
+```bash
+aws dynamodb get-item \
+  --table-name <ConcurrencyTable> \
+  --key '{"counter_id": {"S": "circuit_breaker"}}'
+```
+
+## Observability
+
+CloudWatch metrics emitted by the circuit breaker (under the stack namespace):
+
+- `CircuitBreakerOpened` — incremented each time the breaker transitions to OPEN
+- `CircuitBreakerHalfOpen` — incremented on transition to HALF_OPEN
+- `CircuitBreakerClosed` — incremented on transition to CLOSED
+
+The `AlertsTopic` receives SNS notifications on every state transition so operators can subscribe email, SMS, or PagerDuty endpoints.