CDK Constructs

​

Overview

Bedrock Chat uses AWS CDK constructs to encapsulate and reuse infrastructure patterns. Each construct represents a logical component of the application.

​

Core Constructs

​

Auth

Authentication construct using Amazon Cognito. Location: cdk/lib/constructs/auth.ts Props: Exports:

• userPool: Cognito User Pool instance
• client: Cognito User Pool Client

User Groups:

• Admin: Full administrative access
• CreatingBotAllowed: Can create and manage bots
• PublishAllowed: Can publish bot APIs

Features:

• Email domain validation via Lambda trigger
• Auto-join groups via post-confirmation trigger
• Support for Google and custom OIDC providers
• Optional WAF protection

---

​

Api

Backend REST API construct using API Gateway and Lambda. Location: cdk/lib/constructs/api.ts Props: Exports:

• api: HTTP API Gateway instance
• handler: Lambda function handling requests

Lambda Configuration:

• Runtime: Python 3.13 with Lambda Web Adapter
• Memory: 1024 MB
• Timeout: 15 minutes
• Architecture: x86_64
• Handler: FastAPI application via run.sh

IAM Permissions:

• Bedrock API access (bedrock:*)
• DynamoDB table access via assume role
• CodeBuild project start for bot/API creation
• CloudFormation stack operations
• Athena queries for usage analysis
• Cognito user management
• OpenSearch Serverless access

---

​

WebSocket

WebSocket API construct for streaming responses. Location: cdk/lib/constructs/websocket.ts Props: Exports:

• webSocketApi: WebSocket API instance
• handler: Lambda function for WebSocket events
• apiEndpoint: Full WebSocket endpoint URL

Lambda Configuration:

• Runtime: Python 3.13
• Memory: 1024 MB (optimized for streaming)
• Timeout: 15 minutes
• Entry Point: app/websocket.py

Features:

• Message concatenation for inputs >32KB
• Large payload support via S3
• Session management with DynamoDB
• Streaming response from Bedrock

---

​

Database

DynamoDB tables for data persistence. Location: cdk/lib/constructs/database.ts Props: Exports:

• conversationTable: Conversation storage
• botTable: Bot configurations
• tableAccessRole: IAM role for row-level security
• websocketSessionTable: WebSocket session data
• auditLogTable: User action audit trail
• costAllocationTable: Usage cost tracking
• botAnalyticsTable: Bot usage metrics

Table Schemas:

​

ConversationTable

• PK: UserId
• SK: ConversationId
• GSI: SKIndex (for fetching by conversation ID)
• Features: DynamoDB Streams, PITR (configurable)

​

BotTable

• PK: UserId
• SK: ItemType
• LSI-1: StarredIndex (IsStarred)
• LSI-2: LastUsedTimeIndex (LastUsedTime)
• GSI-1: BotIdIndex (BotId)
• GSI-2: SharedScopeIndex (SharedScope, SharedStatus)
• GSI-3: ItemTypeIndex (ItemType)
• GSI-4: SyncStatusIndex (SyncStatus)
• Features: DynamoDB Streams, PITR (always enabled)

​

AuditLogTable

• PK: USER#
• SK: TIMESTAMP##ACTION#
• GSI-1: ActionTypeGSIIndex
• GSI-2: ResourceGSIIndex
• Features: TTL attribute

​

CostAllocationTable

• PK: PERIOD#
• SK: USER##BOT#
• GSI-1: UserIndex (UserId, PK)
• GSI-2: BotIndex (BotId, PK)

​

BotAnalyticsTable

• PK: BOT# or BOT##QUERIES
• SK: DATE# or TIMESTAMP#
• Features: TTL attribute

---

​

Frontend

CloudFront distribution and S3 hosting for React app. Location: cdk/lib/constructs/frontend.ts Props: Exports:

• cloudFrontWebDistribution: CloudFront distribution
• assetBucket: S3 bucket with website files
• getOrigin(): Returns frontend URL (custom domain or CloudFront)

Features:

• Vite build integration via deploy-time-build
• SPA routing with error page redirects
• Optional ACM certificate for custom domains
• Route53 A/AAAA record creation
• Geo-restriction support

---

​

Embedding

Step Functions state machine for RAG document processing. Location: cdk/lib/constructs/embedding.ts Props: Exports:

• stateMachine: Step Functions state machine
• removalHandler: Lambda triggered on bot deletion

State Machine Flow:

1. Bootstrap: Load queued bots and shared KBs from DynamoDB
2. Shared KB Sync (conditional):
   • Acquire distributed lock
   • Deploy/update shared KB stack via CodeBuild
   • Finalize: Extract KB IDs from CloudFormation outputs
   • Ingest: Start data source ingestion jobs
   • Release lock
3. Custom Bot Processing (parallel):
   • Acquire bot-specific lock
   • Deploy custom bot stack via CodeBuild
   • Finalize: Extract KB/Guardrail IDs
   • Ingest: Process file diffs
   • Update sync status
   • Release lock

Lambda Handlers:

• UpdateSyncStatusHandler: Updates bot sync status in DynamoDB
• BootstrapStateMachineHandler: Prepares execution context
• FinalizeCustomBotBuildHandler: Extracts custom bot outputs
• FinalizeSharedKnowledgeBasesBuildHandler: Extracts shared KB outputs
• SynchronizeDataSourceHandler: Manages ingestion jobs
• LockHandler: Distributed locking via S3

---

​

BotStore

OpenSearch Serverless collection for bot discovery. Location: cdk/lib/constructs/bot-store.ts Props: Exports:

• openSearchEndpoint: Collection endpoint URL
• addDataAccessPolicy(): Method to grant access

Supported Languages: en, de, fr, es, ja, ko, zhhans, zhhant, it, nb, th, id, ms

---

​

Helper Constructs

​

UsageAnalysis

Athena and Glue integration for usage analytics. Location: cdk/lib/constructs/usage-analysis.ts Features:

• DynamoDB export to S3
• Glue Data Catalog tables
• Athena workgroup for queries
• Query result bucket

​

ApiPublishCodebuild

CodeBuild project for deploying published API stacks. Location: cdk/lib/constructs/api-publish-codebuild.ts

​

BedrockCustomBotCodebuild

CodeBuild project for deploying custom bot stacks. Location: cdk/lib/constructs/bedrock-custom-bot-codebuild.ts

​

BedrockSharedKnowledgeBasesCodebuild

CodeBuild project for deploying shared Knowledge Base stacks. Location: cdk/lib/constructs/bedrock-shared-knowledge-bases-codebuild.ts

​

WebAclForCognito

Regional Web ACL for Cognito User Pool protection. Location: cdk/lib/constructs/webacl-for-cognito.ts

​

WebAclForPublishedApi

Regional Web ACL for published REST APIs. Location: cdk/lib/constructs/webacl-for-published-api.ts