Merge branch 'v3' into refactor-strands

Yukinobu-Mine · Yukinobu-Mine · commit 1263fa24c12d · 2025-09-19T12:16:39.000+09:00
diff --git a/README.md b/README.md
@@ -500,6 +500,26 @@ By default, this sample does not restrict the domains for sign-up email addresse
 
 This sample supports external identity provider. Currently we support [Google](./docs/idp/SET_UP_GOOGLE.md) and [custom OIDC provider](./docs/idp/SET_UP_CUSTOM_OIDC.md).
 
+### Optional Frontend WAF
+
+For CloudFront distributions, AWS WAF WebACLs must be created in the us-east-1 region. In some organizations, creating resources outside the primary region is restricted by policy. In such environments, CDK deployment can fail when attempting to provision the Frontend WAF in us-east-1.
+
+To accommodate these restrictions, the Frontend WAF stack is optional. When disabled, the CloudFront distribution is deployed without a WebACL. This means you won’t have IP allow/deny controls at the frontend edge. Authentication and all other application controls continue to work as usual. Note that this setting only affects the Frontend WAF (CloudFront scope); the Published API WAF (regional) remains unaffected.
+
+To disable the Frontend WAF set the following in `parameter.ts` (Recommended Type-Safe Method):
+
+```ts
+bedrockChatParams.set("default", {
+  enableFrontendWaf: false
+});
+```
+
+Or if using the legacy `cdk/cdk.json` set the following:
+
+```json
+"enableFrontendWaf": false
+``` 
+
 ### Add new users to groups automatically
 
 This sample has the following groups to give permissions to users:
@@ -609,6 +629,18 @@ bedrockChatParams.set("default", {
 });
 ```
 
+### Disable IPv6 support
+
+The frontend gets both IP and IPv6 addresses by default. In some rare
+circumstances, you may need to disable IPv6 support explicitly. To do this, set
+the following parameter in [parameter.ts](./cdk/parameter.ts) or similarly in [cdk.json](./cdk/cdk.json):
+
+```ts
+"enableFrontendIpv6": false
+```
+
+If left unset the IPv6 support will be enabled by default.
+
 ### Local Development
 
 See [LOCAL DEVELOPMENT](./docs/LOCAL_DEVELOPMENT.md).
diff --git a/cdk/bin/bedrock-chat.ts b/cdk/bin/bedrock-chat.ts
@@ -28,22 +28,28 @@ const params = getBedrockChatParameters(
 
 const sepHyphen = params.envPrefix ? "-" : "";
 
-// WAF for frontend
-// 2023/9: Currently, the WAF for CloudFront needs to be created in the North America region (us-east-1), so the stacks are separated
-// https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-wafv2-webacl.html
-const waf = new FrontendWafStack(
-  app,
-  `${params.envPrefix}${sepHyphen}FrontendWafStack`,
-  {
-    env: {
-      // account: process.env.CDK_DEFAULT_ACCOUNT,
-      region: "us-east-1",
-    },
-    envPrefix: params.envPrefix,
-    allowedIpV4AddressRanges: params.allowedIpV4AddressRanges,
-    allowedIpV6AddressRanges: params.allowedIpV6AddressRanges,
-  }
-);
+// Enable or disable creating the Frontend WAF via context 'enableFrontendWaf' (defaults to true)
+const enableFrontendWaf = (app.node.tryGetContext("enableFrontendWaf") as boolean | undefined) ?? true;
+
+let waf: FrontendWafStack | undefined;
+if (enableFrontendWaf) {
+  // WAF for frontend
+  // 2023/9: Currently, the WAF for CloudFront needs to be created in the North America region (us-east-1), so the stacks are separated
+  // https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-wafv2-webacl.html
+  waf = new FrontendWafStack(
+    app,
+    `${params.envPrefix}${sepHyphen}FrontendWafStack`,
+    {
+      env: {
+        // account: process.env.CDK_DEFAULT_ACCOUNT,
+        region: "us-east-1",
+      },
+      envPrefix: params.envPrefix,
+      allowedIpV4AddressRanges: params.allowedIpV4AddressRanges,
+      allowedIpV6AddressRanges: params.allowedIpV6AddressRanges,
+    }
+  );
+}
 
 // The region of the LLM model called by the converse API and the region of Guardrail must be in the same region.
 // CustomBotStack contains Knowledge Bases is deployed in the same region as the LLM model, and source bucket must be in the same region as Knowledge Bases.
@@ -73,8 +79,8 @@ const chat = new BedrockChatStack(
     envPrefix: params.envPrefix,
     crossRegionReferences: true,
     bedrockRegion: params.bedrockRegion,
-    webAclId: waf.webAclArn.value,
-    enableIpV6: waf.ipV6Enabled,
+    webAclId: waf ? waf.webAclArn.value : '',
+    enableIpV6: params.enableFrontendIpv6 && params.allowedIpV6AddressRanges.length > 0,
     identityProviders: params.identityProviders,
     userPoolDomainPrefix: params.userPoolDomainPrefix,
     publishedApiAllowedIpV4AddressRanges:
@@ -101,7 +107,9 @@ const chat = new BedrockChatStack(
     allowedCountries: params.allowedCountries,
   }
 );
-chat.addDependency(waf);
+if (waf) {
+  chat.addDependency(waf);
+}
 chat.addDependency(bedrockRegionResources);
 
 cdk.Aspects.of(chat).add(new LogRetentionChecker());
diff --git a/cdk/cdk.json b/cdk/cdk.json
@@ -52,6 +52,8 @@
     "@aws-cdk/core:includePrefixInUniqueNameGeneration": true,
     "@aws-cdk/aws-opensearchservice:enableOpensearchMultiAzWithStandby": true,
     "bedrockRegion": "us-east-1",
+    "enableFrontendIpv6": true,
+    "enableFrontendWaf": true,
     "allowedIpV4AddressRanges": ["0.0.0.0/1", "128.0.0.0/1"],
     "allowedIpV6AddressRanges": [
       "0000:0000:0000:0000:0000:0000:0000:0000/1",
diff --git a/cdk/lib/constructs/frontend.ts b/cdk/lib/constructs/frontend.ts
@@ -22,7 +22,7 @@ import * as targets from "aws-cdk-lib/aws-route53-targets";
 import * as acm from "aws-cdk-lib/aws-certificatemanager";
 
 export interface FrontendProps {
-  readonly webAclId: string;
+  readonly webAclId?: string;
   readonly accessLogBucket?: IBucket;
   readonly enableIpV6: boolean;
   /** 
@@ -115,7 +115,7 @@ export class Frontend extends Construct {
         logBucket: props.accessLogBucket,
         logFilePrefix: "Frontend/",
       }),
-      webAclId: props.webAclId,
+      ...(props.webAclId ? { webAclId: props.webAclId } : {}),
       enableIpv6: props.enableIpV6,
     });
 
diff --git a/cdk/lib/frontend-waf-stack.ts b/cdk/lib/frontend-waf-stack.ts
@@ -18,18 +18,13 @@ export class FrontendWafStack extends Stack {
    */
   public readonly webAclArn: CfnOutput;
 
-  /**
-   * Whether IPv6 is used or not
-   */
-  public readonly ipV6Enabled: boolean;
-
   constructor(scope: Construct, id: string, props: FrontendWafStackProps) {
     super(scope, id, props);
 
     const sepHyphen = props.envPrefix ? "-" : "";
     const rules: wafv2.CfnWebACL.RuleProperty[] = [];
 
-    // create Ipset for ACL
+    // Prepare IPv4 ACL
     if (props.allowedIpV4AddressRanges.length > 0) {
       const ipV4SetReferenceStatement = new wafv2.CfnIPSet(
         this,
@@ -54,6 +49,8 @@ export class FrontendWafStack extends Stack {
         },
       });
     }
+
+    // Prepare IPv6 ACL
     if (props.allowedIpV6AddressRanges.length > 0) {
       const ipV6SetReferenceStatement = new wafv2.CfnIPSet(
         this,
@@ -77,11 +74,9 @@ export class FrontendWafStack extends Stack {
           ipSetReferenceStatement: { arn: ipV6SetReferenceStatement.attrArn },
         },
       });
-      this.ipV6Enabled = true;
-    } else {
-      this.ipV6Enabled = false;
     }
 
+    // Attach the IP-based ACL rules
     if (rules.length > 0) {
       const webAcl = new wafv2.CfnWebACL(this, "WebAcl", {
         defaultAction: { block: {} },
diff --git a/cdk/lib/utils/parameter-models.ts b/cdk/lib/utils/parameter-models.ts
@@ -51,7 +51,14 @@ function getEnvVar(name: string, defaultValue?: string): string | undefined {
  */
 const BedrockChatParametersSchema = BaseParametersSchema.extend({
 
-  // IP address restrictions
+  // Frontend WAF toggle (CloudFront scope)
+  // Set to 'false' if you're unable to deploy resources in us-east-1
+  enableFrontendWaf: z.boolean().default(true),
+
+  // Frontend (CloudFront) IPv6 toggle
+  enableFrontendIpv6: z.boolean().default(true),
+
+  // IP address restrictions - enforced by WAF if enabled
   allowedIpV4AddressRanges: z
     .array(z.string())
     .default(["0.0.0.0/1", "128.0.0.0/1"]),
@@ -202,6 +209,8 @@ export function resolveBedrockChatParameters(
     envName,
     envPrefix,
     bedrockRegion: app.node.tryGetContext("bedrockRegion"),
+    enableFrontendWaf: app.node.tryGetContext("enableFrontendWaf"),
+    enableFrontendIpv6: app.node.tryGetContext("enableFrontendIpv6"),
     allowedIpV4AddressRanges: app.node.tryGetContext(
       "allowedIpV4AddressRanges"
     ),
diff --git a/cdk/test/cdk.test.ts b/cdk/test/cdk.test.ts
@@ -358,6 +358,105 @@ describe("Bedrock Chat Stack Test", () => {
     });
   });
 
+  test("Frontend WAF disabled => no WebACLId on CloudFront", () => {
+    const app = new cdk.App();
+
+    const bedrockRegionResourcesStack = new BedrockRegionResourcesStack(
+      app,
+      "BedrockRegionResourcesStackNoWaf",
+      {
+        env: { region: "us-east-1" },
+        crossRegionReferences: true,
+      }
+    );
+
+    const stack = new BedrockChatStack(app, "NoWafStack", {
+      env: { region: "us-west-2" },
+      envName: "test",
+      envPrefix: "test-",
+      bedrockRegion: "us-east-1",
+      crossRegionReferences: true,
+      // Simulate WAF disabled: no ARN provided from bin
+      webAclId: "",
+      identityProviders: [],
+      userPoolDomainPrefix: "",
+      publishedApiAllowedIpV4AddressRanges: [""],
+      publishedApiAllowedIpV6AddressRanges: [""],
+      allowedIpV4AddressRanges: [""],
+      allowedIpV6AddressRanges: [""],
+      allowedSignUpEmailDomains: [],
+      autoJoinUserGroups: [],
+      selfSignUpEnabled: true,
+      enableIpV6: true,
+      documentBucket: bedrockRegionResourcesStack.documentBucket,
+      enableRagReplicas: false,
+      enableBedrockCrossRegionInference: false,
+      enableLambdaSnapStart: true,
+      enableBotStore: true,
+      enableBotStoreReplicas: false,
+      botStoreLanguage: "en",
+      tokenValidMinutes: 60,
+    });
+
+    const template = Template.fromStack(stack);
+
+    template.hasResourceProperties("AWS::CloudFront::Distribution", {
+      DistributionConfig: {
+        WebACLId: Match.absent(),
+      },
+    });
+  });
+
+  test("Frontend WAF enabled => WebACLId set on CloudFront", () => {
+    const app = new cdk.App();
+
+    const bedrockRegionResourcesStack = new BedrockRegionResourcesStack(
+      app,
+      "BedrockRegionResourcesStackWaf",
+      {
+        env: { region: "us-east-1" },
+        crossRegionReferences: true,
+      }
+    );
+
+    const wafArn = "arn:aws:wafv2:us-east-1:123456789012:global/webacl/test/uuid";
+
+    const stack = new BedrockChatStack(app, "WithWafStack", {
+      env: { region: "us-west-2" },
+      envName: "test",
+      envPrefix: "test-",
+      bedrockRegion: "us-east-1",
+      crossRegionReferences: true,
+      webAclId: wafArn,
+      identityProviders: [],
+      userPoolDomainPrefix: "",
+      publishedApiAllowedIpV4AddressRanges: [""],
+      publishedApiAllowedIpV6AddressRanges: [""],
+      allowedIpV4AddressRanges: [""],
+      allowedIpV6AddressRanges: [""],
+      allowedSignUpEmailDomains: [],
+      autoJoinUserGroups: [],
+      selfSignUpEnabled: true,
+      enableIpV6: true,
+      documentBucket: bedrockRegionResourcesStack.documentBucket,
+      enableRagReplicas: false,
+      enableBedrockCrossRegionInference: false,
+      enableLambdaSnapStart: true,
+      enableBotStore: true,
+      enableBotStoreReplicas: false,
+      botStoreLanguage: "en",
+      tokenValidMinutes: 60,
+    });
+
+    const template = Template.fromStack(stack);
+
+    template.hasResourceProperties("AWS::CloudFront::Distribution", {
+      DistributionConfig: {
+        WebACLId: wafArn,
+      },
+    });
+  });
+
   test("custom domain configuration", () => {
     const app = new cdk.App();
 
diff --git a/cdk/test/utils/parameter-models.test.ts b/cdk/test/utils/parameter-models.test.ts
@@ -157,6 +157,7 @@ describe("resolveBedrockChatParameters", () => {
         "0.0.0.0/1",
         "128.0.0.0/1",
       ]); // default value
+      expect(result.enableFrontendIpv6).toBe(true); // default value
     });
 
     test("should correctly parse all parameters when specified", () => {
@@ -166,6 +167,7 @@ describe("resolveBedrockChatParameters", () => {
         bedrockRegion: "us-west-2",
         allowedIpV4AddressRanges: ["192.168.0.0/16"],
         allowedIpV6AddressRanges: ["2001:db8::/32"],
+        enableFrontendIpv6: false,
         identityProviders: [{ service: "google", secretName: "GoogleSecret" }],
         userPoolDomainPrefix: "my-app",
         allowedSignUpEmailDomains: ["example.com"],
@@ -188,6 +190,7 @@ describe("resolveBedrockChatParameters", () => {
       expect(result.bedrockRegion).toBe("us-west-2");
       expect(result.allowedIpV4AddressRanges).toEqual(["192.168.0.0/16"]);
       expect(result.allowedIpV6AddressRanges).toEqual(["2001:db8::/32"]);
+      expect(result.enableFrontendIpv6).toBe(false);
       expect(result.identityProviders).toEqual([
         { service: "google", secretName: "GoogleSecret" },
       ]);
@@ -346,6 +349,7 @@ describe("resolveBedrockChatParameters", () => {
         "0000:0000:0000:0000:0000:0000:0000:0000/1",
         "8000:0000:0000:0000:0000:0000:0000:0000/1",
       ],
+      enableFrontendIpv6: false,
       identityProviders: [],
       userPoolDomainPrefix: "",
       allowedSignUpEmailDomains: [],
@@ -377,6 +381,7 @@ describe("resolveBedrockChatParameters", () => {
       "0000:0000:0000:0000:0000:0000:0000:0000/1",
       "8000:0000:0000:0000:0000:0000:0000:0000/1",
     ]);
+    expect(result.enableFrontendIpv6).toBe(false);
     expect(result.identityProviders).toEqual([]);
     expect(result.userPoolDomainPrefix).toBe("");
     expect(result.allowedSignUpEmailDomains).toEqual([]);
diff --git a/frontend/src/hooks/xstates/streaming.ts b/frontend/src/hooks/xstates/streaming.ts
@@ -58,6 +58,7 @@ export const streamingStateMachine = setup({
   actions: {
     reset: assign({
       reasoning: '',
+      text: '',
       tools: [],
       relatedDocuments: [],
     }),
