Update for Q Business CLI tutorial

Author: yanjieniu

tuts/040-qbusiness-ica/README.md

@@ -3,3 +3,15 @@
 This tutorial guides you through creating an Amazon Q Business application with Identity Center Authentication (ICA) using the AWS CLI. Amazon Q Business is a generative AI-powered assistant that helps your employees find information and complete tasks within your organization. The tutorial covers setting up AWS IAM Identity Center, creating necessary IAM roles and policies, configuring user access, and optionally creating a web experience for browser-based access.
 
 You can either run the automated shell script `qbusiness-ica.sh` to create all the resources at once, or follow the step-by-step instructions in the `qbusiness-ica.md` tutorial to understand each component in detail. The tutorial includes cleanup steps to avoid ongoing charges and best practices for production deployments.
+
+## Resources Created
+
+The script creates the following AWS resources in order:
+
+• IAM role for Amazon Q Business application (with CloudWatch and logging permissions)
+• IAM policy with necessary permissions for the application role
+• Amazon Q Business application
+• User assignment to the application
+• User subscription for the application
+
+The script prompts you to clean up resources when you run it, including if there's an error part way through. If you need to clean up resources later, you can use the script log as a reference point for which resources were created.

tuts/040-qbusiness-ica/qbusiness-ica.sh

@@ -169,11 +169,20 @@ cat > qbusiness-trust-policy.json << EOF
   "Version": "2012-10-17",
   "Statement": [
     {
+      "Sid": "AmazonQApplicationPermission",
       "Effect": "Allow",
       "Principal": {
         "Service": "qbusiness.amazonaws.com"
       },
-      "Action": "sts:AssumeRole"
+      "Action": "sts:AssumeRole",
+      "Condition": {
+        "StringEquals": {
+          "aws:SourceAccount": "$AWS_ACCOUNT_ID"
+        },
+        "ArnLike": {
+          "aws:SourceArn": "arn:aws:qbusiness:$AWS_REGION:$AWS_ACCOUNT_ID:application/*"
+        }
+      }
     }
   ]
 }
@@ -185,57 +194,47 @@ cat > qbusiness-permissions-policy.json << EOF
   "Version": "2012-10-17",
   "Statement": [
     {
+      "Sid": "AmazonQApplicationPutMetricDataPermission",
       "Effect": "Allow",
       "Action": [
-        "qbusiness:CreateApplication",
-        "qbusiness:GetApplication",
-        "qbusiness:DeleteApplication",
-        "qbusiness:CreateSubscription",
-        "qbusiness:ListSubscriptions",
-        "qbusiness:CreateWebExperience",
-        "qbusiness:GetWebExperience",
-        "qbusiness:ListWebExperiences",
-        "qbusiness:DeleteWebExperience"
+        "cloudwatch:PutMetricData"
       ],
-      "Resource": "*"
+      "Resource": "*",
+      "Condition": {
+        "StringEquals": {
+          "cloudwatch:namespace": "AWS/QBusiness"
+        }
+      }
     },
     {
+      "Sid": "AmazonQApplicationDescribeLogGroupsPermission",
       "Effect": "Allow",
       "Action": [
-        "sso:DescribeApplication",
-        "sso:DescribeInstance",
-        "sso:CreateApplication",
-        "sso:PutApplicationAssignmentConfiguration",
-        "sso:PutApplicationAuthenticationMethod",
-        "sso:PutApplicationGrant",
-        "sso:PutApplicationAccessScope"
+        "logs:DescribeLogGroups"
       ],
-      "Resource": [
-        "${IDENTITY_CENTER_ARN}",
-        "${IDENTITY_CENTER_ARN}/*"
-      ]
+      "Resource": "*"
     },
     {
+      "Sid": "AmazonQApplicationCreateLogGroupPermission",
       "Effect": "Allow",
       "Action": [
-        "sso-admin:CreateApplicationAssignment",
-        "sso-admin:DeleteApplicationAssignment",
-        "sso-admin:ListApplicationAssignments"
+        "logs:CreateLogGroup"
       ],
       "Resource": [
-        "${IDENTITY_CENTER_ARN}",
-        "${IDENTITY_CENTER_ARN}/*"
+        "arn:aws:logs:$AWS_REGION:$AWS_ACCOUNT_ID:log-group:/aws/qbusiness/*"
       ]
     },
     {
+      "Sid": "AmazonQApplicationLogStreamPermission",
       "Effect": "Allow",
       "Action": [
-        "identitystore:DescribeUser",
-        "identitystore:DescribeGroup",
-        "identitystore:ListUsers",
-        "identitystore:ListGroups"
+        "logs:DescribeLogStreams",
+        "logs:CreateLogStream",
+        "logs:PutLogEvents"
       ],
-      "Resource": "*"
+      "Resource": [
+        "arn:aws:logs:$AWS_REGION:$AWS_ACCOUNT_ID:log-group:/aws/qbusiness/*:log-stream:*"
+      ]
     }
   ]
 }
@@ -394,7 +393,22 @@ echo "User subscription created with ID: $USER_SUBSCRIPTION_ID" | tee -a "$LOG_F
 
 echo "" | tee -a "$LOG_FILE"
 echo "===========================================================" | tee -a "$LOG_FILE"
-echo "STEP 8: Verify Resources" | tee -a "$LOG_FILE"
+echo "STEP 8: Enable Creator Mode (LLM Direct Chat)" | tee -a "$LOG_FILE"
+echo "===========================================================" | tee -a "$LOG_FILE"
+
+echo "Enabling creator mode to allow direct chat with LLM" | tee -a "$LOG_FILE"
+CREATOR_MODE_RESULT=$(log_cmd "aws qbusiness update-chat-controls-configuration --region $AWS_REGION \
+  --application-id \"$APP_ID\" \
+  --creator-mode-configuration '{\"creatorModeControl\": \"ENABLED\"}' \
+  --query 'creatorModeConfiguration.creatorModeControl' --output text")
+check_error $?
+
+echo "Creator mode enabled: $CREATOR_MODE_RESULT" | tee -a "$LOG_FILE"
+CREATED_RESOURCES+=("Creator Mode Configuration: ENABLED")
+
+echo "" | tee -a "$LOG_FILE"
+echo "===========================================================" | tee -a "$LOG_FILE"
+echo "STEP 9: Verify Resources" | tee -a "$LOG_FILE"
 echo "===========================================================" | tee -a "$LOG_FILE"
 
 echo "Verifying application" | tee -a "$LOG_FILE"

tuts/README.md

@@ -39,6 +39,7 @@ This directory contains a collection of AWS CLI tutorials and scripts for variou
 | [037](037-emr-gs/) | Amazon EMR | [Getting Started](037-emr-gs/) | Get started with Amazon EMR for big data processing |
 | [038](038-redshift-serverless/) | Amazon Redshift | [Serverless](038-redshift-serverless/) | Set up and use Amazon Redshift Serverless |
 | [039](039-redshift-provisioned/) | Amazon Redshift | [Provisioned](039-redshift-provisioned/) | Set up Amazon Redshift provisioned clusters |
+| [040](040-qbusiness-ica/) | Amazon Q Business | [Identity Center Authentication](040-qbusiness-ica/) | Set up Amazon Q Business with IAM Identity Center authentication |
 | [042](042-qbusiness-anon/) | Amazon Q Business | [Anonymous Access](042-qbusiness-anon/) | Configure anonymous access for Amazon Q Business |
 | [043](043-amazon-mq-gs/) | Amazon MQ | [Getting Started](043-amazon-mq-gs/) | Comprehensive introduction to Amazon MQ message brokers |
 | [044](044-amazon-managed-grafana-gs/) | Amazon Managed Grafana | [Getting Started](044-amazon-managed-grafana-gs/) | Introduction to Amazon Managed Grafana |
@@ -126,7 +127,7 @@ The tutorials are organized by AWS service categories:
 - Chime SDK (007), Connect (027), Elemental MediaConnect (081)
 
 **Developer Tools & Services**
-- Q Business (042), End User Messaging (049), Marketplace (030), ECR (078)
+- Q Business (040, 042), End User Messaging (049), Marketplace (030), ECR (078)
 
 **Other Services**
 - WorkSpaces (035), Managed Grafana (044), Fault Injection Service (069), Database Migration Service (075), OpenSearch Service (016)