This repository provides AWS CloudFormation configs that streamline the process of creating application resources on AWS that we commonly use in our applications. For instance, it is best practice to create a unique IAM user per app and follow the Principle of Least Privilege, meaning that user's permissions should be limited to only what is needed for the app.
There are currently two configurations and instructions below.
These configurations require the AWS CLI. Follow these instructions to get started.
Our apps use S3 to store user-uploaded files and other static media. Use this CloudFormation template to quickly spin up a bucket, an IAM user, and secure bucket policies.
Please note: if you have multiple AWS accounts configured you will need to pass the --profile option, and if no default region is set, the --region option:
aws <command> --profile <profile-name> --region <aws-region>
Things to consider:
For this to work, you will need to download the YAML file or clone this repository.
If you are setting this up on an AWS account that does not have the file stored in its own S3, you will need to use the local file:
aws cloudformation create-stack --stack-name <STACK-NAME> --template-body file://<FILE-PATH> --region us-east-1 --parameters ParameterKey=BucketNameParameter,ParameterValue=<BUCKET-NAME> --capabilities CAPABILITY_NAMED_IAM
For convenience, the configs are also available on a public S3 bucket, so that you do not need to download them:
aws cloudformation create-stack --stack-name <STACK-NAME> --template-url 'https://tn-s3-cloud-formation.s3.amazonaws.com/aws-s3-cloud-formation.yaml' --region us-east-1 --parameters ParameterKey=BucketNameParameter,ParameterValue=<BUCKET-NAME> --capabilities CAPABILITY_NAMED_IAM
The following arguments are required:

--stack-name <STACK-NAME>
    This must be unique.

--parameters ParameterKey=BucketNameParameter,ParameterValue=<BUCKET-NAME>
    BUCKET-NAME must be unique and lowercased.

--capabilities CAPABILITY_NAMED_IAM

--template-body file://<FILE-PATH>
    The path must start with file://. Use one of --template-body or --template-url.

--template-url <FILE-URL>
    Use one of --template-body or --template-url.
You can also run the "stack" from the AWS Console:
When the stack creation is done you can get the Access Key ID, Secret Access Key, and bucket name from the stack outputs, either from the CLI:
aws cloudformation describe-stacks --stack-name <STACK-NAME>
using the <STACK-NAME> from the previous create command.
This returns a JSON object; the variables are under the Outputs key.
Or from the console: visit the CloudFormation dashboard, click into the new stack you created, and open the Outputs tab.
If you do not want to use the CloudFormation template, here are instructions for manually creating the appropriate resources.
Our apps use AWS Bedrock for fast and low-cost LLM features. An IAM User with the proper permissions is required.
First, an AWS administrator will need to enable Amazon Bedrock organization-wide and request access to the models we want to use. To do this, go to Amazon Bedrock in the console and follow the instructions there. We have already done this for ThinkNimble's AWS accounts in us-east-1.
aws cloudformation create-stack --stack-name <STACK-NAME> --template-body file://bedrock-user-permissions.yaml --region us-east-1 --parameters ParameterKey=ProjectName,ParameterValue=<PROJECTNAME> ParameterKey=AllowedModels,ParameterValue=<SOME_MODEL_ARN_OR_*_FOR_DEFAULT_ALL> --capabilities CAPABILITY_NAMED_IAM
aws cloudformation create-stack --stack-name <STACK-NAME> --template-url 'https://tn-s3-cloud-formation.s3.amazonaws.com/bedrock-user-permissions.yaml' --region us-east-1 --parameters ParameterKey=ProjectName,ParameterValue=<PROJECTNAME> ParameterKey=AllowedModels,ParameterValue=<SOME_MODEL_ARN_OR_*_FOR_DEFAULT_ALL> --capabilities CAPABILITY_NAMED_IAM
aws cloudformation describe-stacks --stack-name <STACK-NAME>
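The create-stack and describe-stacks commands above, for both the S3 template and the Bedrock template, wrapped into a small POSIX shell script. This is an added example, not part of this repository or its templates: the function names (validate_bucket_name, cfn_param, create_stack, create_s3_stack, stack_outputs) are chosen for this example, and it assumes the AWS CLI is installed and that AWS_PROFILE / AWS_DEFAULT_REGION are exported when a non-default profile or region is needed (the CLI reads both, so the --profile/--region options are not repeated here). The bucket-name check covers the main S3 naming rules behind the "unique and lowercased" note; global uniqueness is only confirmed by AWS when the stack is created.

```shell
#!/bin/sh
# Added example (not the repository's own code): wrapper around the
# create-stack / describe-stacks commands from the README.
# Usage: sh cfn-stack.sh <STACK-NAME> <file://path | https://url> KEY=VALUE...
#   e.g. sh cfn-stack.sh my-app-s3 file://aws-s3-cloud-formation.yaml BucketNameParameter=my-app-uploads
#        sh cfn-stack.sh my-app-bedrock file://bedrock-user-permissions.yaml ProjectName=my-app AllowedModels='*'
LC_ALL=C   # make the [a-z] ranges below byte ranges regardless of locale

# Main S3 bucket naming rules: 3-63 chars, only lowercase letters, digits,
# dots and hyphens, starts and ends with a letter or digit, no "..".
validate_bucket_name() {
  name=$1
  [ "${#name}" -ge 3 ] && [ "${#name}" -le 63 ] || return 1
  case $name in
    *[!a-z0-9.-]*)          return 1 ;;  # disallowed character (uppercase included)
    [!a-z0-9]*|*[!a-z0-9])  return 1 ;;  # bad first or last character
    *..*)                   return 1 ;;  # consecutive dots
  esac
  return 0
}

# KEY=VALUE  ->  ParameterKey=KEY,ParameterValue=VALUE  (the --parameters form)
cfn_param() {
  printf 'ParameterKey=%s,ParameterValue=%s' "${1%%=*}" "${1#*=}"
}

# create_stack <STACK-NAME> <file://path | https://url> KEY=VALUE...
# Picks --template-body or --template-url from the template argument, converts
# the KEY=VALUE pairs, creates the stack and blocks until CREATE_COMPLETE.
create_stack() {
  stack=$1; template=$2; shift 2
  case $template in
    file://*)            tpl_flag=--template-body ;;
    http://*|https://*)  tpl_flag=--template-url ;;
    *) echo "template must be file://<path> or an https:// URL" >&2; return 1 ;;
  esac
  # Rebuild the positional list as ParameterKey=...,ParameterValue=... pairs
  # (the for-list is expanded once, so shifting inside the loop is safe).
  for kv in "$@"; do
    shift
    set -- "$@" "$(cfn_param "$kv")"
  done
  aws cloudformation create-stack --stack-name "$stack" "$tpl_flag" "$template" \
      --parameters "$@" --capabilities CAPABILITY_NAMED_IAM || return 1
  # Returns non-zero if the stack rolls back or fails instead of completing.
  aws cloudformation wait stack-create-complete --stack-name "$stack"
}

# create_s3_stack <STACK-NAME> <BUCKET-NAME> <template>: the S3 template with
# the bucket name validated before anything is sent to AWS.
create_s3_stack() {
  validate_bucket_name "$2" || { echo "invalid bucket name: $2" >&2; return 1; }
  create_stack "$1" "$3" "BucketNameParameter=$2"
}

# stack_outputs <STACK-NAME>: print the Outputs as KEY=VALUE lines. A JMESPath
# --query pulls the key/value pairs out instead of tabbing through raw JSON.
stack_outputs() {
  aws cloudformation describe-stacks --stack-name "$1" \
      --query 'Stacks[0].Outputs[].[OutputKey,OutputValue]' --output text |
  while IFS="$(printf '\t')" read -r key value; do
    printf '%s=%s\n' "$key" "$value"
  done
}

# Run only when invoked with arguments, so the functions can also be sourced.
if [ "$#" -ge 2 ]; then
  create_stack "$@" && stack_outputs "$1"
fi
```

Redirecting stack_outputs into a .env file gives the app its credentials without copying them from the console; anyone with cloudformation:DescribeStacks on the account can read the same outputs, so the stack should be treated as sensitive as the keys it prints.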