docs: add documentation with an architecture diagram

Author: satyatulasijalandharch

python/amazon-verified-permissions-rest-api/README.md

@@ -1,58 +1,107 @@
 
-# Welcome to your CDK Python project!
+# Amazon Verified Permissions REST API (AWS CDK Python)
 
-This is a blank project for CDK development with Python.
+This example deploys a REST API secured by Amazon Verified Permissions (AVP) and Amazon Cognito. The stack demonstrates how to combine a Cedar policy store with an API Gateway Request Authorizer so that only members of the appropriate Cognito group can invoke protected routes.
 
-The `cdk.json` file tells the CDK Toolkit how to execute your app.
+> :information_source: Detailed guides live in the `docs/` directory:
+> - [`docs/architecture.md`](docs/architecture.md) – system design and authorization model
+> - [`docs/deployment.md`](docs/deployment.md) – environment setup and deployment steps
+> - [`docs/operations.md`](docs/operations.md) – testing, troubleshooting, and cleanup
 
-This project is set up like a standard Python project.  The initialization
-process also creates a virtualenv within this project, stored under the `.venv`
-directory.  To create the virtualenv it assumes that there is a `python3`
-(or `python` for Windows) executable in your path with access to the `venv`
-package. If for any reason the automatic creation of the virtualenv fails,
-you can create the virtualenv manually.
+## Solution Highlights
 
-To manually create a virtualenv on MacOS and Linux:
+- **End-to-end RBAC** – Cognito users receive access tokens that are evaluated by AVP before API Gateway invokes your Lambda handlers.
+- **Cedar-first design** – The Cedar schema and policies are provisioned with the `cdklabs.cdk_verified_permissions` library for repeatable deployments.
+- **Composable infrastructure** – Cognito, Verified Permissions, and API Gateway live in dedicated nested stacks to make future customization straightforward.
+- **Language mix** – The authorizer runs on Node.js (to use the AWS SDK for AVP), while the demo business logic stays in simple Python Lambda handlers.
 
-```
-$ python3 -m venv .venv
-```
+| Resource | Description |
+|----------|-------------|
+| Cognito User Pool & Client | Provides user management and issues JWT access tokens. Adds `admin` and `user` groups. |
+| Verified Permissions Policy Store | Hosts the Cedar schema and static policies mapping Cognito groups to REST actions. |
+| API Gateway REST API | Exposes `/`, `/user`, and `/admin` endpoints secured by a custom Request Authorizer. |
+| Lambda Functions | Node.js authorizer for AVP calls plus Python handlers that simulate protected resources. |
 
-After the init process completes and the virtualenv is created, you can use the following
-step to activate your virtualenv.
+## Quick Start
 
-```
-$ source .venv/bin/activate
+### 1. Set Up the Environment
+
+```bash
+python3 -m venv .venv
+source .venv/bin/activate
+pip install -r requirements.txt
 ```
 
-If you are a Windows platform, you would activate the virtualenv like this:
+Install or upgrade the AWS CDK Toolkit if needed:
 
-```
-% .venv\Scripts\activate.bat
+```bash
+npm install -g aws-cdk@latest
 ```
 
-Once the virtualenv is activated, you can install the required dependencies.
+Bootstrap the target account and region the first time you deploy CDK there:
 
+```bash
+cdk bootstrap aws://<ACCOUNT_ID>/<REGION>
 ```
-$ pip install -r requirements.txt
+
+### 2. Deploy the Stack
+
+```bash
+cdk deploy
 ```
 
-At this point you can now synthesize the CloudFormation template for this code.
+Note the `ApiEndpoint` output once the deployment completes.
+
+For additional deployment options, refer to [`docs/deployment.md`](docs/deployment.md).
+
+## Trying the API
+
+1. Create or confirm a Cognito user and add them to the `user` and/or `admin` groups. The implementation guide provides ready-to-run CLI snippets.
+2. Authenticate against the user pool (for example, with `aws cognito-idp initiate-auth`) and capture the access token.
+3. Call the API with the bearer token:
+
+	 ```bash
+	 curl -i \
+		 -H "Authorization: Bearer $ACCESS_TOKEN" \
+		 "$API_URL/user"
+	 ```
+
+	 - Members of the `user` group receive `Hello from User!`.
+	 - Only `admin` members may call `/admin`.
+
+## Project Layout
 
 ```
-$ cdk synth
+├── app.py                       # CDK entry point
+├── stack/
+│   ├── main.py                  # Root stack wiring together nested stacks
+│   ├── apigw/                   # REST API, Lambda integrations, authorizer
+│   ├── cognito/                 # Cognito user pool, client, and groups
+│   ├── verified_permissions/    # Cedar schema and policies
+│   └── lambdas/                 # Authorizer (Node.js) and demo handlers (Python)
+└── docs/implementation-guide.md # In-depth deployment and operations guide
 ```
 
-To add additional dependencies, for example other CDK libraries, just add
-them to your `setup.py` file and rerun the `pip install -r requirements.txt`
-command.
+## Customizing Verified Permissions
+
+1. Update `stack/verified_permissions/schema.py` with new entity types or actions.
+2. Modify or add policy definitions under `stack/verified_permissions/policy/`.
+3. Redeploy with `cdk deploy` to publish the schema and policies.
 
-## Useful commands
+Consider migrating to policy templates if you need per-tenant or per-resource authorization decisions.
+
+## Cleanup
+
+Destroy the stack when you are finished to avoid unexpected charges:
+
+```bash
+cdk destroy
+```
 
- * `cdk ls`          list all stacks in the app
- * `cdk synth`       emits the synthesized CloudFormation template
- * `cdk deploy`      deploy this stack to your default AWS account/region
- * `cdk diff`        compare deployed stack with current state
- * `cdk docs`        open CDK documentation
+## Additional Reading
 
-Enjoy!
+- [`docs/architecture.md`](docs/architecture.md) – architecture diagrams, component breakdown, and Cedar policy model.
+- [`docs/deployment.md`](docs/deployment.md) – prerequisites, bootstrapping, and deployment workflows.
+- [`docs/operations.md`](docs/operations.md) – post-deployment tasks, troubleshooting tips, and sample CLI commands.
+- [Amazon Verified Permissions User Guide](https://docs.aws.amazon.com/verifiedpermissions/latest/userguide/)
+- [Cedar policy language](https://www.cedarpolicy.com/)

python/amazon-verified-permissions-rest-api/docs/architecture.md

@@ -0,0 +1,61 @@
+# Architecture Overview
+
+## Solution Summary
+
+This project deploys a reference REST API that protects endpoints with [Amazon Verified Permissions (AVP)](https://aws.amazon.com/verified-permissions/) and Amazon Cognito. It demonstrates how to combine a Cedar policy store with an API Gateway Request Authorizer so that only members of the appropriate Cognito group can invoke protected routes.
+
+## High-Level Diagram
+
+![High-level architecture diagram](diagram.svg)
+
+## Core Components
+
+| Component | Purpose | Source Reference |
+|-----------|---------|------------------|
+| Amazon Cognito User Pool | Manages users and issues JWT access tokens. Provides `admin` and `user` groups for RBAC. | `stack/cognito/main.py` |
+| Amazon Verified Permissions | Stores the Cedar schema and group-based policies. | `stack/verified_permissions/` |
+| Amazon API Gateway REST API | Provides `/`, `/user`, and `/admin` resources secured by the custom authorizer. | `stack/apigw/main.py` |
+| Request Authorizer Lambda (Node.js) | Exchanges the bearer token and request context for an AVP decision via `isAuthorizedWithToken`. | `stack/lambdas/authorizer/main.js` |
+| Demo Business Lambdas (Python) | Return simple payloads to illustrate RBAC outcomes. | `stack/lambdas/{user,admin}/main.py` |
+
+## Request Authorization Flow
+
+1. A client authenticates against the Cognito User Pool to obtain an access token.
+2. The client calls the API Gateway endpoint, sending the JWT in the `Authorization` header.
+3. API Gateway forwards the request to the custom Request Authorizer Lambda.
+4. The authorizer extracts the bearer token, request path, and method, then calls `VerifiedPermissions.isAuthorizedWithToken`.
+5. Verified Permissions evaluates the Cedar policies against the supplied action and principal:
+   - Members of the `admin` group can invoke all routes.
+   - Members of the `user` group can invoke `/` and `/user` only.
+6. API Gateway allows or denies the original request based on the evaluation result.
+
+## Authorization Model
+
+### Namespace and Entities
+
+The Cedar namespace is `amazonverified`. It defines:
+
+- `User`: Represents a Cognito user.
+- `UserGroup`: Represents Cognito groups (`admin`, `user`).
+- `Application`: Represents the protected API surface.
+
+Actions map one-to-one with the REST routes: `get /`, `get /user`, and `get /admin`.
+
+### Schema Reference
+
+The Cedar schema is defined in `stack/verified_permissions/schema.py` and supplied to the `PolicyStore` during stack synthesis. The schema is serialized to JSON through `cedar_schema = {"cedar_json": json.dumps(cedar_json_schema)}`.
+
+### Policies
+
+Policies are provided via `StaticPolicyDefinitionProperty` constructs:
+
+- `stack/verified_permissions/policy/admin.py` grants the `admin` group access to every action.
+- `stack/verified_permissions/policy/user.py` grants the `user` group access to `get /` and `get /user`.
+
+Because policies refer to Cognito groups using the pattern `"<userPoolId>|<groupName>"`, redeploying to a new environment automatically scopes the policy to the correct pool.
+
+### Extending the Model
+
+1. Update `cedar_json_schema` with new actions or entity types.
+2. Add or modify policy definitions. You can compose static policies or migrate to policy templates for dynamic authorizations.
+3. Re-deploy the stack to publish the new schema and policies.

python/amazon-verified-permissions-rest-api/docs/deployment.md

@@ -0,0 +1,47 @@
+# Deployment Guide
+
+> Verified Permissions is available in specific AWS regions. Choose a supported region (for example, `ap-south-1`) before deploying.
+
+## Prerequisites
+
+- AWS account with permissions to create IAM, Cognito, Lambda, API Gateway, and Verified Permissions resources.
+- AWS CLI configured with credentials for the target account and region.
+- Node.js v22.20.0 or lts (required for the AWS CDK Toolkit and Lambda bundling).
+- Python 3.13 or later.
+- AWS CDK Toolkit (`npm install -g aws-cdk@latest`).
+
+## Set Up the Project Environment
+
+```bash
+python3 -m venv .venv
+source .venv/bin/activate
+pip install -r requirements.txt
+```
+
+If the virtual environment fails to create automatically, create it manually with the same commands.
+
+## Bootstrap the Environment (First Deployment Only)
+
+```bash
+cdk bootstrap aws://<ACCOUNT_ID>/<REGION>
+```
+
+Replace `<ACCOUNT_ID>` and `<REGION>` with the target deployment values.
+
+## Deploy the Stack
+
+```bash
+cdk deploy
+```
+
+The deployment outputs the REST API endpoint (for example, `https://abc123.execute-api.us-east-1.amazonaws.com/prod/`). Record this value for testing.
+
+## Updating the Stack
+
+After modifying infrastructure or policies, redeploy with the same command:
+
+```bash
+cdk deploy
+```
+
+CDK will perform a change set comparison and apply only the required updates.

python/amazon-verified-permissions-rest-api/docs/diagram.svg

@@ -0,0 +1,90 @@
+# Operations & Testing
+
+## Post-Deployment Tasks
+
+### Define the Client and User Pool IDs
+
+1. In the AWS Management Console, open **Amazon Cognito** and select your user pool.
+2. Copy the **App client ID** for the deployed client and the **User pool ID**.
+
+Set them as shell variables for the commands below:
+
+```bash
+CLIENT_ID=<your-app-client-id>
+
+USER_POOL_ID=<your-user-pool-id>
+```
+
+### Create a Test User
+
+```bash
+aws cognito-idp sign-up --client-id "$CLIENT_ID" --username demo@example.com --password 'P@ssw0rd!' --user-attributes Name=email,Value=demo@example.com
+
+aws cognito-idp admin-confirm-sign-up --user-pool-id "$USER_POOL_ID" --username demo@example.com
+```
+
+### Assign Groups
+
+```bash
+aws cognito-idp admin-add-user-to-group --user-pool-id "$USER_POOL_ID" --username demo@example.com --group-name user
+
+aws cognito-idp admin-add-user-to-group --user-pool-id "$USER_POOL_ID" --username demo@example.com --group-name admin # optional elevated access
+```
+
+## Request Tokens & Call the API
+
+1. Initiate authentication:
+
+   ```bash
+   aws cognito-idp initiate-auth \
+     --auth-flow USER_PASSWORD_AUTH \
+     --client-id "$CLIENT_ID" \
+     --auth-parameters USERNAME=demo@example.com,PASSWORD='P@ssw0rd!'
+   ```
+
+2. Extract the `AccessToken` from the response.
+3. Invoke the API:
+
+   ```bash
+   API_URL=<deployment output>
+   ACCESS_TOKEN=<token from initiate-auth>
+
+   curl -i \
+     -H "Authorization: Bearer $ACCESS_TOKEN" \
+     "$API_URL/user"
+   ```
+
+Users in the `user` group receive `Hello from User!`. Only `admin` group members receive `Hello from Admin!` from the `/admin` route.
+
+## Troubleshooting
+
+- **403 errors on every route:** Ensure the token is an *access* token (not an ID token) and that the Cognito app client allows the SRP auth flow.
+- **`AccessDeniedException` from AVP:** Confirm the policy store was created in a region that supports Verified Permissions and that the token issuer matches the configured user pool.
+- **Caching delays:** The Request Authorizer caches decisions for 120 seconds. Use different tokens or redeploy the stack when testing new policies.
+
+## Observability
+
+The authorizer Lambda logs every AVP decision. Review the CloudWatch log stream for entries similar to `Decision from AVP: Allow` or `Decision from AVP: Deny`.
+
+## Security & Operational Considerations
+
+- Remove `RemovalPolicy.DESTROY` from the user pool before production to avoid accidental data loss.
+- Replace the demo Lambda functions with real business logic or integrate with existing services.
+- Integrate infrastructure-as-code validation and automated tests before promoting changes.
+- Rotate Cognito secrets and enforce password policies that meet organizational requirements.
+
+## Cleanup
+
+To avoid ongoing charges when finished experimenting:
+
+```bash
+cdk destroy
+```
+
+Verify that the Cognito users, Verified Permissions policy store, and CloudWatch logs are removed.
+
+## Additional Resources
+
+- [Amazon Verified Permissions documentation](https://docs.aws.amazon.com/verifiedpermissions/latest/userguide/)
+- [Cedar policy language](https://docs.cedarpolicy.com/)
+- [AWS Cloud Development Kit (AWS CDK) v2](https://docs.aws.amazon.com/cdk/v2/guide/work-with-cdk-python.html)