Updated CDK code for custom KMS keys, new VPCs. Minor package updates.

.dockerignore

@@ -13,6 +13,7 @@ tesseract/*
 poppler/*
 build/*
 dist/*
+docs/*
 build_deps/*
 user_guide/*
 cdk/config/*

.github/workflows/check_file_size.yml

@@ -1,16 +0,0 @@
-name: Check file size
-on:               # or directly `on: [push]` to run the action on every push on any branch
-  pull_request:
-    branches: [main]
-
-  # to run this workflow manually from the Actions tab
-  workflow_dispatch:
-
-jobs:
-  sync-to-hub:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Check large files
-        uses: ActionsDesk/[email protected]
-        with:
-          filesizelimit: 10485760 # this is 10MB so we can sync to HF Spaces

.gitignore

@@ -25,6 +25,7 @@ cdk/cdk.out/*
 cdk/archive/*
 tld/*
 tmp/*
+docs/*
 cdk.out/*
 cdk.json
 cdk.context.json

README.md

@@ -10,7 +10,7 @@ license: agpl-3.0
 ---
 # Document redaction
 
-version: 0.7.0
+version: 0.7.1
 
 Redact personally identifiable information (PII) from documents (pdf, images), open text, or tabular data (xlsx/csv/parquet). Please see the [User Guide](#user-guide) for a walkthrough on how to use the app. Below is a very brief overview.
     

cdk/cdk_config.py

@@ -82,8 +82,12 @@ CONTEXT_FILE = get_or_create_env_var('CONTEXT_FILE', 'cdk.context.json') # Defin
 CDK_FOLDER = get_or_create_env_var('CDK_FOLDER', '') # FULL_PATH_TO_CDK_FOLDER_HERE (with forward slash)
 RUN_USEAST_STACK = get_or_create_env_var('RUN_USEAST_STACK', 'False')
 
-### VPC
+### VPC and connections
 VPC_NAME = get_or_create_env_var('VPC_NAME', '')
+NEW_VPC_DEFAULT_NAME = get_or_create_env_var('NEW_VPC_DEFAULT_NAME', f'{CDK_PREFIX}vpc')
+NEW_VPC_CIDR = get_or_create_env_var('NEW_VPC_CIDR', '') # "10.0.0.0/24"
+
+
 EXISTING_IGW_ID = get_or_create_env_var('EXISTING_IGW_ID', '')
 SINGLE_NAT_GATEWAY_ID = get_or_create_env_var('SINGLE_NAT_GATEWAY_ID', '')
 
@@ -122,6 +126,10 @@ ECR_CDK_REPO_NAME = get_or_create_env_var('ECR_CDK_REPO_NAME', f"{CDK_PREFIX}{EC
 S3_LOG_CONFIG_BUCKET_NAME = get_or_create_env_var('S3_LOG_CONFIG_BUCKET_NAME', f"{CDK_PREFIX}s3-logs".lower()) # S3 bucket names need to be lower case
 S3_OUTPUT_BUCKET_NAME = get_or_create_env_var('S3_OUTPUT_BUCKET_NAME', f"{CDK_PREFIX}s3-output".lower())
 
+### KMS KEYS FOR S3 AND SECRETS MANAGER
+USE_CUSTOM_KMS_KEY = get_or_create_env_var('USE_CUSTOM_KMS_KEY', '1')
+CUSTOM_KMS_KEY_NAME = get_or_create_env_var('CUSTOM_KMS_KEY_NAME', f"alias/{CDK_PREFIX}kms-key".lower())
+
 ### ECS
 FARGATE_TASK_DEFINITION_NAME = get_or_create_env_var('FARGATE_TASK_DEFINITION_NAME', f"{CDK_PREFIX}FargateTaskDefinition")
 TASK_DEFINITION_FILE_LOCATION = get_or_create_env_var('TASK_DEFINITION_FILE_LOCATION', CDK_FOLDER + CONFIG_FOLDER + "task_definition.json") 
@@ -160,7 +168,7 @@ CLOUDFRONT_DOMAIN = get_or_create_env_var('CLOUDFRONT_DOMAIN', "cloudfront_place
 
 
 # Certificate for Application load balancer (optional, for HTTPS and logins through the ALB)
-ACM_CERTIFICATE_ARN = get_or_create_env_var('ACM_CERTIFICATE_ARN', '')
+ACM_SSL_CERTIFICATE_ARN = get_or_create_env_var('ACM_SSL_CERTIFICATE_ARN', '')
 SSL_CERTIFICATE_DOMAIN = get_or_create_env_var('SSL_CERTIFICATE_DOMAIN', '') # e.g. example.com or www.example.com
 
 # This should be the CloudFront domain, the domain linked to your ACM certificate, or the DNS of your application load balancer in console afterwards

cdk/cdk_stack.py

@@ -21,11 +21,12 @@ from aws_cdk import (
     aws_elasticloadbalancingv2 as elbv2,
     aws_logs as logs,
     aws_wafv2 as wafv2,
+    aws_kms as kms,
     aws_dynamodb as dynamodb # Import the DynamoDB module    
 )
 
 from constructs import Construct
-from cdk_config import CDK_PREFIX, VPC_NAME, AWS_MANAGED_TASK_ROLES_LIST, GITHUB_REPO_USERNAME, GITHUB_REPO_NAME, GITHUB_REPO_BRANCH, ECS_TASK_MEMORY_SIZE, ECS_TASK_CPU_SIZE, CUSTOM_HEADER, CUSTOM_HEADER_VALUE, AWS_REGION, CLOUDFRONT_GEO_RESTRICTION, DAYS_TO_DISPLAY_WHOLE_DOCUMENT_JOBS, GRADIO_SERVER_PORT, PUBLIC_SUBNETS_TO_USE, PUBLIC_SUBNET_CIDR_BLOCKS, PUBLIC_SUBNET_AVAILABILITY_ZONES, PRIVATE_SUBNETS_TO_USE, PRIVATE_SUBNET_CIDR_BLOCKS, PRIVATE_SUBNET_AVAILABILITY_ZONES, CODEBUILD_PROJECT_NAME, ECS_SECURITY_GROUP_NAME, ALB_NAME_SECURITY_GROUP_NAME, ALB_NAME, COGNITO_USER_POOL_NAME, COGNITO_USER_POOL_CLIENT_NAME, COGNITO_USER_POOL_CLIENT_SECRET_NAME, FARGATE_TASK_DEFINITION_NAME, ECS_SERVICE_NAME, WEB_ACL_NAME, CLOUDFRONT_DISTRIBUTION_NAME, ECS_TASK_ROLE_NAME, ALB_TARGET_GROUP_NAME, S3_LOG_CONFIG_BUCKET_NAME, S3_OUTPUT_BUCKET_NAME, ACM_CERTIFICATE_ARN, CLUSTER_NAME, CODEBUILD_ROLE_NAME, ECS_TASK_EXECUTION_ROLE_NAME, ECR_CDK_REPO_NAME, ECS_LOG_GROUP_NAME, SAVE_LOGS_TO_DYNAMODB, ACCESS_LOG_DYNAMODB_TABLE_NAME, FEEDBACK_LOG_DYNAMODB_TABLE_NAME, USAGE_LOG_DYNAMODB_TABLE_NAME, TASK_DEFINITION_FILE_LOCATION, EXISTING_IGW_ID, SINGLE_NAT_GATEWAY_ID, NAT_GATEWAY_NAME, COGNITO_USER_POOL_DOMAIN_PREFIX, COGNITO_REDIRECTION_URL, AWS_ACCOUNT_ID, ECS_USE_FARGATE_SPOT, ECS_READ_ONLY_FILE_SYSTEM, USE_CLOUDFRONT, LOAD_BALANCER_WEB_ACL_NAME
+from cdk_config import CDK_PREFIX, VPC_NAME, AWS_MANAGED_TASK_ROLES_LIST, GITHUB_REPO_USERNAME, GITHUB_REPO_NAME, GITHUB_REPO_BRANCH, ECS_TASK_MEMORY_SIZE, ECS_TASK_CPU_SIZE, CUSTOM_HEADER, CUSTOM_HEADER_VALUE, AWS_REGION, CLOUDFRONT_GEO_RESTRICTION, DAYS_TO_DISPLAY_WHOLE_DOCUMENT_JOBS, GRADIO_SERVER_PORT, PUBLIC_SUBNETS_TO_USE, PUBLIC_SUBNET_CIDR_BLOCKS, PUBLIC_SUBNET_AVAILABILITY_ZONES, PRIVATE_SUBNETS_TO_USE, PRIVATE_SUBNET_CIDR_BLOCKS, PRIVATE_SUBNET_AVAILABILITY_ZONES, CODEBUILD_PROJECT_NAME, ECS_SECURITY_GROUP_NAME, ALB_NAME_SECURITY_GROUP_NAME, ALB_NAME, COGNITO_USER_POOL_NAME, COGNITO_USER_POOL_CLIENT_NAME, COGNITO_USER_POOL_CLIENT_SECRET_NAME, FARGATE_TASK_DEFINITION_NAME, ECS_SERVICE_NAME, WEB_ACL_NAME, CLOUDFRONT_DISTRIBUTION_NAME, ECS_TASK_ROLE_NAME, ALB_TARGET_GROUP_NAME, S3_LOG_CONFIG_BUCKET_NAME, S3_OUTPUT_BUCKET_NAME, ACM_SSL_CERTIFICATE_ARN, CLUSTER_NAME, CODEBUILD_ROLE_NAME, ECS_TASK_EXECUTION_ROLE_NAME, ECR_CDK_REPO_NAME, ECS_LOG_GROUP_NAME, SAVE_LOGS_TO_DYNAMODB, ACCESS_LOG_DYNAMODB_TABLE_NAME, FEEDBACK_LOG_DYNAMODB_TABLE_NAME, USAGE_LOG_DYNAMODB_TABLE_NAME, TASK_DEFINITION_FILE_LOCATION, EXISTING_IGW_ID, SINGLE_NAT_GATEWAY_ID, NAT_GATEWAY_NAME, COGNITO_USER_POOL_DOMAIN_PREFIX, COGNITO_REDIRECTION_URL, AWS_ACCOUNT_ID, ECS_USE_FARGATE_SPOT, ECS_READ_ONLY_FILE_SYSTEM, USE_CLOUDFRONT, LOAD_BALANCER_WEB_ACL_NAME, NEW_VPC_DEFAULT_NAME, NEW_VPC_CIDR, USE_CUSTOM_KMS_KEY, S3_KMS_KEY_NAME
 from cdk_functions import create_subnets, create_web_acl_with_common_rules, add_custom_policies, add_alb_https_listener_with_cert, create_nat_gateway # Only keep CDK-native functions
 
 def _get_env_list(env_var_name: str) -> List[str]:
@@ -67,20 +68,80 @@ class CdkStack(Stack):
                 print(f"Warning: Context key '{key}' not found or not a list. Returning empty list.")
                 return []
             # Optional: Add validation that all items in the list are dicts
-            return ctx_value       
+            return ctx_value
+
+        self.template_options.description = "Deployment of the 'doc_redaction' PDF, image, and XLSX/CSV redaction app. Git repo available at: https://github.com/seanpedrick-case/doc_redaction."  
 
 
         # --- VPC and Subnets (Assuming VPC is always lookup, Subnets are created/returned by create_subnets) ---
-        # --- VPC Lookup (Always lookup as per your assumption) ---
-        try:
-            vpc = ec2.Vpc.from_lookup(
+        new_vpc_created = False
+        if VPC_NAME:
+            print("Looking for current VPC:", VPC_NAME)
+            try:
+                vpc = ec2.Vpc.from_lookup(
+                    self,
+                    "VPC",
+                    vpc_name=VPC_NAME
+                )
+                print("Successfully looked up VPC:", vpc.vpc_id)
+            except Exception as e:
+                raise Exception(f"Could not look up VPC with name '{VPC_NAME}' due to: {e}")
+        
+        elif NEW_VPC_DEFAULT_NAME:
+            new_vpc_created = True
+            print(f"NEW_VPC_DEFAULT_NAME ('{NEW_VPC_DEFAULT_NAME}') is set. Creating a new VPC.")
+
+            # Configuration for the new VPC
+            # You can make these configurable via context as well, e.g.,
+            # new_vpc_cidr = self.node.try_get_context("new_vpc_cidr") or "10.0.0.0/24"
+            # new_vpc_max_azs = self.node.try_get_context("new_vpc_max_azs") or 2 # Use 2 AZs by default for HA
+            # new_vpc_nat_gateways = self.node.try_get_context("new_vpc_nat_gateways") or new_vpc_max_azs # One NAT GW per AZ for HA
+                                                                                                    # or 1 for cost savings if acceptable
+            if not NEW_VPC_CIDR:
+                raise Exception("App has been instructed to create a new VPC but not VPC CDR range provided to variable NEW_VPC_CIDR")
+            
+            print("Provided NEW_VPC_CIDR range:", NEW_VPC_CIDR)
+
+            new_vpc_cidr = NEW_VPC_CIDR
+            new_vpc_max_azs = 2 # Creates resources in 2 AZs. Adjust as needed.
+            
+            # For "a NAT gateway", you can set nat_gateways=1.
+            # For resilience (NAT GW per AZ), set nat_gateways=new_vpc_max_azs.
+            # The Vpc construct will create NAT Gateway(s) if subnet_type PRIVATE_WITH_EGRESS is used
+            # and nat_gateways > 0.
+            new_vpc_nat_gateways = 1 # Creates a single NAT Gateway for cost-effectiveness.
+                                     # If you need one per AZ for higher availability, set this to new_vpc_max_azs.
+
+            vpc = ec2.Vpc(
                 self,
-                "VPC",
-                vpc_name=VPC_NAME
+                "MyNewLogicalVpc", # This is the CDK construct ID
+                vpc_name=NEW_VPC_DEFAULT_NAME,
+                ip_addresses=ec2.IpAddresses.cidr(new_vpc_cidr),
+                max_azs=new_vpc_max_azs,
+                nat_gateways=new_vpc_nat_gateways, # Number of NAT gateways to create
+                subnet_configuration=[
+                    ec2.SubnetConfiguration(
+                        name="Public", # Name prefix for public subnets
+                        subnet_type=ec2.SubnetType.PUBLIC,
+                        cidr_mask=28  # Adjust CIDR mask as needed (e.g., /24 provides ~250 IPs per subnet)
+                    ),
+                    ec2.SubnetConfiguration(
+                        name="Private", # Name prefix for private subnets
+                        subnet_type=ec2.SubnetType.PRIVATE_WITH_EGRESS, # Ensures these subnets have NAT Gateway access
+                        cidr_mask=28  # Adjust CIDR mask as needed
+                    )
+                    # You could also add ec2.SubnetType.PRIVATE_ISOLATED if needed
+                ],
+                # Internet Gateway is created and configured automatically for PUBLIC subnets.
+                # Route tables for public subnets will point to the IGW.
+                # Route tables for PRIVATE_WITH_EGRESS subnets will point to the NAT Gateway(s).
             )
-            print("Successfully looked up VPC:", vpc.vpc_id)
-        except Exception as e:
-            raise Exception(f"Could not look up VPC with name '{VPC_NAME}' due to: {e}")
+            print(f"Successfully created new VPC: {vpc.vpc_id} with name '{NEW_VPC_DEFAULT_NAME}'")
+            # If nat_gateways > 0, vpc.nat_gateway_ips will contain EIPs if Vpc created them.
+            # vpc.public_subnets, vpc.private_subnets, vpc.isolated_subnets are populated.            
+
+        else:
+            raise Exception("VPC_NAME for current VPC not found, and NEW_VPC_DEFAULT_NAME not found to create a new VPC")
         
         # --- Subnet Handling (Check Context and Create/Import) ---
         # Initialize lists to hold ISubnet objects (L2) and CfnSubnet/CfnRouteTable (L1)
@@ -100,35 +161,68 @@ class CdkStack(Stack):
             print("vpc.public_subnets:", vpc.public_subnets)
             print("vpc.private_subnets:", vpc.private_subnets)
 
-            # public_subnets_by_az: Dict[str, List[ec2.ISubnet]] = {}
-            # private_subnets_by_az: Dict[str, List[ec2.ISubnet]] = {}
+            if vpc.public_subnets: # These are already one_per_az if max_azs was used and Vpc created them
+                self.public_subnets.extend(vpc.public_subnets)
+            else:
+                self.node.add_warning("No public subnets found in the VPC.")
+
+            # Get private subnets with egress specifically
+            #selected_private_subnets_with_egress = vpc.select_subnets(subnet_type=ec2.SubnetType.PRIVATE_WITH_EGRESS)           
 
-            # Iterate through the subnets exposed by the Vpc L2 construct.
-            # for subnet in vpc.public_subnets:
-            #     az = subnet.availability_zone
-            #     if az not in public_subnets_by_az:
-            #         public_subnets_by_az[az] = []
-            #     public_subnets_by_az[az].append(subnet)
+            print(f"Selected from VPC: {len(self.public_subnets)} public, {len(self.private_subnets)} private_with_egress subnets.")
 
+            if len(self.public_subnets) < 1 or len(self.private_subnets) < 1 : # Simplified check for new VPC
+                 # If new_vpc_max_azs was 1, you'd have 1 of each. If 2, then 2 of each.
+                 # The original check ' < 2' might be too strict if new_vpc_max_azs=1
+                 pass # For new VPC, allow single AZ setups if configured that way. The VPC construct ensures one per AZ up to max_azs.
+
+            if not self.public_subnets and not self.private_subnets:
+                print("Error: No public or private subnets could be found in the VPC for automatic selection. "
+                      "You must either specify subnets in *_SUBNETS_TO_USE or ensure the VPC has discoverable subnets.")
+                raise RuntimeError("No suitable subnets found for automatic selection.")
+            else:
+                print(f"Automatically selected {len(self.public_subnets)} public and {len(self.private_subnets)} private subnets based on VPC properties.")
+            
             selected_public_subnets = vpc.select_subnets(subnet_type=ec2.SubnetType.PUBLIC, one_per_az=True)
             private_subnets_egress = vpc.select_subnets(subnet_type=ec2.SubnetType.PRIVATE_WITH_EGRESS, one_per_az=True)
-            private_subnets_isolated = vpc.select_subnets(subnet_type=ec2.SubnetType.PRIVATE_ISOLATED, one_per_az=True)
 
+            if private_subnets_egress.subnets:
+                self.private_subnets.extend(private_subnets_egress.subnets)
+            else:
+                self.node.add_warning("No PRIVATE_WITH_EGRESS subnets found in the VPC.")
+
+            try:
+                private_subnets_isolated = vpc.select_subnets(subnet_type=ec2.SubnetType.PRIVATE_ISOLATED, one_per_az=True)
+            except Exception as e:
+                private_subnets_isolated = []
+                print("Could not find any isolated subnets due to:", e)
+
+            
+
+            ###
             combined_subnet_objects = []
 
-            if private_subnets_egress.subnets:
-                # Add the first PRIVATE_WITH_EGRESS subnet
-                combined_subnet_objects.append(private_subnets_egress.subnets[0])
+            if private_subnets_isolated:
+                if private_subnets_egress.subnets:
+                    # Add the first PRIVATE_WITH_EGRESS subnet
+                    combined_subnet_objects.append(private_subnets_egress.subnets[0])
+            elif not private_subnets_isolated:
+                if private_subnets_egress.subnets:
+                    # Add the first PRIVATE_WITH_EGRESS subnet
+                    combined_subnet_objects.extend(private_subnets_egress.subnets)
             else:
                 self.node.add_warning("No PRIVATE_WITH_EGRESS subnets found to select the first one.")
 
             # Add all PRIVATE_ISOLATED subnets *except* the first one (if they exist)
-            if len(private_subnets_isolated.subnets) > 1:
-                combined_subnet_objects.extend(private_subnets_isolated.subnets[1:])
-            elif private_subnets_isolated.subnets: # Only 1 isolated subnet, add a warning if [1:] was desired
-                self.node.add_warning("Only one PRIVATE_ISOLATED subnet found, private_subnets_isolated.subnets[1:] will be empty.")
-            else:
-                self.node.add_warning("No PRIVATE_ISOLATED subnets found.")
+            try:
+                if len(private_subnets_isolated.subnets) > 1:
+                    combined_subnet_objects.extend(private_subnets_isolated.subnets[1:])
+                elif private_subnets_isolated.subnets: # Only 1 isolated subnet, add a warning if [1:] was desired
+                    self.node.add_warning("Only one PRIVATE_ISOLATED subnet found, private_subnets_isolated.subnets[1:] will be empty.")
+                else:
+                    self.node.add_warning("No PRIVATE_ISOLATED subnets found.")
+            except Exception as e:
+                print("Could not identify private isolated subnets due to:", e)
 
             # Create an ec2.SelectedSubnets object from the combined private subnet list.
             selected_private_subnets = vpc.select_subnets(
@@ -139,29 +233,6 @@ class CdkStack(Stack):
             print("selected_private_subnets:", selected_private_subnets)
 
 
-            #self.private_route_tables_cfn = []
-
-            # for subnet in vpc.private_subnets:
-            #     az = subnet.availability_zone
-            #     if az not in private_subnets_by_az:
-            #         private_subnets_by_az[az] = []
-            #     private_subnets_by_az[az].append(subnet)
-
-            #selected_public_subnets: List[ec2.ISubnet] = []
-            #selected_private_subnets: List[ec2.ISubnet] = []
-
-            # Select one public subnet per AZ, preferring the first one found
-            # for az in sorted(public_subnets_by_az.keys()):
-            #     if public_subnets_by_az[az]:
-            #         selected_public_subnets.append(public_subnets_by_az[az][0])
-            #         print(f"Selected existing public subnet: {public_subnets_by_az[az][0].subnet_id} from AZ {az}.")
-
-            # Select one private subnet per AZ, preferring the first one found
-            # for az in sorted(private_subnets_by_az.keys()):
-            #     if private_subnets_by_az[az]:
-            #         selected_private_subnets.append(private_subnets_by_az[az][0])
-            #         print(f"Selected existing private subnet: {private_subnets_by_az[az][0].subnet_id} from AZ {az}.")
-
             if len(selected_public_subnets.subnet_ids) < 2 or len(selected_private_subnets.subnet_ids) < 2:
                 raise Exception("Need at least two public or private subnets in different availability zones")
 
@@ -222,11 +293,11 @@ class CdkStack(Stack):
                 self.public_subnets.extend(newly_created_public_subnets)
                 self.public_route_tables_cfn.extend(newly_created_public_rts_cfn)
 
-        if not self.public_subnets:
-            raise Exception("No public subnets found or created, exiting.")
-        
+        if not self.public_subnets and not names_to_create_public and not PUBLIC_SUBNETS_TO_USE :
+            raise Exception("No public subnets found or created, exiting.")        
 
         # --- NAT Gateway Creation/Lookup ---
+        print("Creating NAT gateway/located existing")
         self.single_nat_gateway_id = None
 
         nat_gw_id_from_context = SINGLE_NAT_GATEWAY_ID
@@ -234,9 +305,20 @@ class CdkStack(Stack):
         if nat_gw_id_from_context:
             print(f"Using existing NAT Gateway ID from context: {nat_gw_id_from_context}")
             self.single_nat_gateway_id = nat_gw_id_from_context
-        else:
-            # If not in context, create a new one, but only if we have a public subnet.
-            if self.public_subnets:
+
+        elif new_vpc_created and new_vpc_nat_gateways > 0 and hasattr(vpc, 'nat_gateways') and vpc.nat_gateways:
+            self.single_nat_gateway_id = vpc.nat_gateways[0].gateway_id
+            print(f"Using NAT Gateway {self.single_nat_gateway_id} created by the new VPC construct.")
+
+        if not self.single_nat_gateway_id:
+            print("Creating a new NAT gateway")
+
+            if hasattr(vpc, 'nat_gateways') and vpc.nat_gateways:
+                print("Existing NAT gateway found in vpc")
+                pass
+            
+                # If not in context, create a new one, but only if we have a public subnet.
+            elif self.public_subnets:
                 print("NAT Gateway ID not found in context. Creating a new one.")
                 # Place the NAT GW in the first available public subnet
                 first_public_subnet = self.public_subnets[0]
@@ -248,7 +330,7 @@ class CdkStack(Stack):
                     nat_gateway_id_context_key=SINGLE_NAT_GATEWAY_ID
                 )
             else:
-                print("WARNING: No public subnets available. Cannot create a NAT Gateway.")
+                print("WARNING: No public subnets available and NAT gateway not found in existing VPC. Cannot create a NAT Gateway.")
 
 
         # --- 4. Process Private Subnets ---
@@ -280,17 +362,24 @@ class CdkStack(Stack):
         else:
             print("No private subnets specified for creation in context ('private_subnets_to_create').")
 
-        if not self.private_subnets:
+        # if not self.private_subnets:
+        #     raise Exception("No private subnets found or created, exiting.")
+        
+        if not self.private_subnets and not names_to_create_private and not PRIVATE_SUBNETS_TO_USE:
+            # This condition might need adjustment for new VPCs.
             raise Exception("No private subnets found or created, exiting.")
 
         # --- 5. Sanity Check and Output ---
-
-        # Output the single NAT Gateway ID for verification
+        # Output the single NAT Gateway ID for verification        
         if self.single_nat_gateway_id:
             CfnOutput(self, "SingleNatGatewayId", value=self.single_nat_gateway_id,
-                      description="ID of the single NAT Gateway used for private subnets.")
+                      description="ID of the single NAT Gateway resolved or created.")
+        elif NEW_VPC_DEFAULT_NAME and (self.node.try_get_context("new_vpc_nat_gateways") or 1) > 0:
+            print("INFO: A new VPC was created with NAT Gateway(s). Their routing is handled by the VPC construct. No single_nat_gateway_id was explicitly set for separate output.")
         else:
-            raise Exception("No single NAT Gateway was created or resolved.")
+            out_message = "WARNING: No single NAT Gateway was resolved or created explicitly by the script's logic after VPC setup."
+            print(out_message)
+            raise Exception(out_message)
 
         # --- Outputs for other stacks/regions ---
         # These are crucial for cross-stack, cross-region referencing
@@ -303,34 +392,6 @@ class CdkStack(Stack):
         self.params["public_route_tables"] = self.public_route_tables_cfn
 
 
-#class CdkStackMain(Stack):
- #   def __init__(self, scope: Construct, construct_id: str, private_subnets:List[ec2.ISubnet]=[], private_route_tables: List[ec2.CfnRouteTable]=[], public_subnets:List[ec2.ISubnet]=[], public_route_tables: List[ec2.CfnRouteTable]=[], **kwargs) -> None:
-  #      super().__init__(scope, construct_id, **kwargs)
-
-        # --- Helper to get context values ---
-        # def get_context_bool(key: str, default: bool = False) -> bool:
-        #     return self.node.try_get_context(key) or default
-
-        # def get_context_str(key: str, default: str = None) -> str:
-        #      return self.node.try_get_context(key) or default
-        
-        # def get_context_dict(key: str, default: dict = None) -> dict:
-        #     return self.node.try_get_context(key) or default
-        
-        # def get_context_list_of_dicts(key: str) -> List[Dict[str, Any]]:
-        #     ctx_value = self.node.try_get_context(key)
-
-        #     if not isinstance(ctx_value, list):
-        #         print(f"Warning: Context key '{key}' not found or not a list. Returning empty list.")
-        #         return []
-        #     # Optional: Add validation that all items in the list are dicts
-        #     return ctx_value
-        
-        # self.private_subnets: List[ec2.ISubnet] = private_subnets
-        # self.private_route_tables_cfn: List[ec2.CfnRouteTable] = private_route_tables
-        # self.public_subnets: List[ec2.ISubnet] = public_subnets
-        # self.public_route_tables_cfn: List[ec2.CfnRouteTable] = public_route_tables
-
         private_subnet_selection = ec2.SubnetSelection(subnets=self.private_subnets)
         public_subnet_selection = ec2.SubnetSelection(subnets=self.public_subnets)  
 
@@ -340,16 +401,6 @@ class CdkStack(Stack):
         for sub in public_subnet_selection.subnets:
             print("public subnet:", sub.subnet_id, "is in availability zone:", sub.availability_zone)
 
-        # try:
-        #     vpc = ec2.Vpc.from_lookup(
-        #         self,
-        #         "VPC",
-        #         vpc_name=VPC_NAME
-        #     )
-        #     print("Successfully looked up VPC")
-        # except Exception as e:
-        #     raise Exception(f"Could not look up VPC with name '{VPC_NAME}' due to: {e}")
-
         print("Private subnet route tables:", self.private_route_tables_cfn)
 
         # Add the S3 Gateway Endpoint to the VPC
@@ -368,31 +419,60 @@ class CdkStack(Stack):
                 description="The id for the S3 Gateway Endpoint.") # Specify the S3 service
 
         # --- IAM Roles ---
-        try:
-            codebuild_role_name = CODEBUILD_ROLE_NAME
-            custom_sts_kms_policy = """{
-"Version": "2012-10-17",
-"Statement": [
-    {
-        "Sid": "STSCallerIdentity",
-        "Effect": "Allow",
-        "Action": [
-            "sts:GetCallerIdentity"
-        ],
-        "Resource": "*"
-    },
-    {
-      "Sid": "KMSAccess",
-      "Effect": "Allow",
-      "Action": [
-        "kms:Encrypt",
-        "kms:Decrypt",
-        "kms:GenerateDataKey"
-      ],
-      "Resource": "*"
+        if USE_CUSTOM_KMS_KEY == '1':
+            kms_key = kms.Key(self, "RedactionSharedKmsKey", alias=S3_KMS_KEY_NAME, removal_policy=RemovalPolicy.DESTROY)
+
+            custom_sts_kms_policy_dict = {
+        "Version": "2012-10-17",
+        "Statement": [
+            {
+                "Sid": "STSCallerIdentity",
+                "Effect": "Allow",
+                "Action": [
+                    "sts:GetCallerIdentity"
+                ],
+                "Resource": "*"
+            },
+            {
+              "Sid": "KMSAccess",
+              "Effect": "Allow",
+              "Action": [
+                "kms:Encrypt",
+                "kms:Decrypt",
+                "kms:GenerateDataKey"
+              ],
+              "Resource": kms_key.key_arn # Use key_arn, as it's the full ARN, safer than key_id
+            }
+        ]
     }
-]
-}"""
+        else:
+            kms_key = None
+
+            custom_sts_kms_policy_dict = {
+        "Version": "2012-10-17",
+        "Statement": [
+            {
+                "Sid": "STSCallerIdentity",
+                "Effect": "Allow",
+                "Action": [
+                    "sts:GetCallerIdentity"
+                ],
+                "Resource": "*"
+            }  ,          
+        {
+                      "Sid": "KMSSecretsManagerDecrypt", # Explicitly add decrypt for default key
+                      "Effect": "Allow",
+                      "Action": [
+                        "kms:Decrypt"
+                      ],
+                      "Resource": f"arn:aws:kms:{AWS_REGION}:{AWS_ACCOUNT_ID}:key/aws/secretsmanager"
+                    }
+                ]
+            }
+        custom_sts_kms_policy = json.dumps(custom_sts_kms_policy_dict, indent=4)
+
+        try:
+            codebuild_role_name = CODEBUILD_ROLE_NAME            
 
             if get_context_bool(f"exists:{codebuild_role_name}"):
                 # If exists, lookup/import the role using ARN from context
@@ -458,13 +538,21 @@ class CdkStack(Stack):
                 bucket = s3.Bucket.from_bucket_name(self, "LogConfigBucket", bucket_name=log_bucket_name)
                 print("Using existing S3 bucket", log_bucket_name)
             else:
-                bucket = s3.Bucket(self, "LogConfigBucket", bucket_name=log_bucket_name,
-                versioned=False, # Set to True if you need versioning
-                # IMPORTANT: Set removal_policy to DESTROY
-                removal_policy=RemovalPolicy.DESTROY,
-                # IMPORTANT: Set auto_delete_objects to True to empty the bucket before deletion
-                auto_delete_objects=True
-                ) # Explicitly set bucket_name
+                if USE_CUSTOM_KMS_KEY == '1' and isinstance(kms_key, kms.Key):
+                    bucket = s3.Bucket(self, "LogConfigBucket", bucket_name=log_bucket_name,
+                    versioned=False,
+                    removal_policy=RemovalPolicy.DESTROY,
+                    auto_delete_objects=True,
+                    encryption=s3.BucketEncryption.KMS,
+                    encryption_key=kms_key
+                    )
+                else:                
+                    bucket = s3.Bucket(self, "LogConfigBucket", bucket_name=log_bucket_name,
+                    versioned=False,
+                    removal_policy=RemovalPolicy.DESTROY,
+                    auto_delete_objects=True
+                    )
+
                 print("Created S3 bucket", log_bucket_name)
 
             # Add policies - this will apply to both created and imported buckets
@@ -491,18 +579,31 @@ class CdkStack(Stack):
                 output_bucket = s3.Bucket.from_bucket_name(self, "OutputBucket", bucket_name=output_bucket_name)
                 print("Using existing Output bucket", output_bucket_name)
             else:
-                output_bucket = s3.Bucket(self, "OutputBucket", bucket_name=output_bucket_name,
-                     lifecycle_rules=[
+                if USE_CUSTOM_KMS_KEY == '1' and isinstance(kms_key, kms.Key):
+                    output_bucket = s3.Bucket(self, "OutputBucket", bucket_name=output_bucket_name,
+                    lifecycle_rules=[
                          s3.LifecycleRule(
                              expiration=Duration.days(int(DAYS_TO_DISPLAY_WHOLE_DOCUMENT_JOBS))
                          )
                      ],
-                    versioned=False, # Set to True if you need versioning
-                    # IMPORTANT: Set removal_policy to DESTROY
+                    versioned=False,
+                    removal_policy=RemovalPolicy.DESTROY,
+                    auto_delete_objects=True,
+                    encryption=s3.BucketEncryption.KMS,
+                    encryption_key=kms_key
+                    )
+                else:                
+                    output_bucket = s3.Bucket(self, "OutputBucket", bucket_name=output_bucket_name,
+                    lifecycle_rules=[
+                         s3.LifecycleRule(
+                             expiration=Duration.days(int(DAYS_TO_DISPLAY_WHOLE_DOCUMENT_JOBS))
+                         )
+                     ],
+                    versioned=False,
                     removal_policy=RemovalPolicy.DESTROY,
-                    # IMPORTANT: Set auto_delete_objects to True to empty the bucket before deletion
                     auto_delete_objects=True
-                )
+                    )
+
                 print("Created Output bucket:", output_bucket_name)
 
             # Add policies to output bucket
@@ -602,14 +703,7 @@ class CdkStack(Stack):
         # --- Security Groups ---
         try:
             ecs_security_group_name = ECS_SECURITY_GROUP_NAME
-            # Following checks by name don't really work
-            # Use CDK's from_lookup_by_name which handles lookup or throws an error if not found
-            #try:
-            #     ecs_security_group = ec2.SecurityGroup.from_lookup_by_name(
-            #         self, "ECSSecurityGroup", vpc=vpc, security_group_name=ecs_security_group_name
-            #     )
-            #     print(f"Using existing Security Group: {ecs_security_group_name}")
-            # except Exception: # If lookup fails, create
+
             try:
                  ecs_security_group = ec2.SecurityGroup(
                      self,
@@ -622,12 +716,7 @@ class CdkStack(Stack):
                 print("Failed to create ECS security group due to:", e)
 
             alb_security_group_name = ALB_NAME_SECURITY_GROUP_NAME
-            # try:
-            #     alb_security_group = ec2.SecurityGroup.from_lookup_by_name(
-            #         self, "ALBSecurityGroup", vpc=vpc, security_group_name=alb_security_group_name
-            #     )
-            #     print(f"Using existing Security Group: {alb_security_group_name}")
-            # except Exception: # If lookup fails, create
+
             try:
                 alb_security_group = ec2.SecurityGroup(
                     self,
@@ -717,8 +806,6 @@ class CdkStack(Stack):
                 print("Successfully created new Application Load Balancer")
         except Exception as e:
             raise Exception("Could not handle application load balancer due to:", e)
-        
-
 
         # --- Cognito User Pool ---
         try:
@@ -738,7 +825,7 @@ class CdkStack(Stack):
                 print(f"Created new user pool {user_pool.user_pool_id}.")
 
             # If you're using a certificate, assume that you will be using the ALB Cognito login features. You need different redirect URLs to accept the token that comes from Cognito authentication.                
-            if ACM_CERTIFICATE_ARN:
+            if ACM_SSL_CERTIFICATE_ARN:
                 redirect_uris = [COGNITO_REDIRECTION_URL, COGNITO_REDIRECTION_URL + "/oauth2/idpresponse"]
             else:
                 redirect_uris = [COGNITO_REDIRECTION_URL]
@@ -786,31 +873,39 @@ class CdkStack(Stack):
 
         # --- Secrets Manager Secret ---
         try:
-             secret_name = COGNITO_USER_POOL_CLIENT_SECRET_NAME
-             if get_context_bool(f"exists:{secret_name}"):
+            secret_name = COGNITO_USER_POOL_CLIENT_SECRET_NAME
+            if get_context_bool(f"exists:{secret_name}"):
                  # Lookup by name
                  secret = secretsmanager.Secret.from_secret_name_v2(self, "CognitoSecret", secret_name=secret_name)
                  print(f"Using existing Secret {secret_name}.")
-             else:
-                 secret = secretsmanager.Secret(self, "CognitoSecret", # Logical ID
-                     secret_name=secret_name, # Explicit resource name
-                     secret_object_value={
-                         "REDACTION_USER_POOL_ID": SecretValue.unsafe_plain_text(user_pool.user_pool_id), # Use the CDK attribute
-                         "REDACTION_CLIENT_ID": SecretValue.unsafe_plain_text(user_pool_client.user_pool_client_id), # Use the CDK attribute
-                         "REDACTION_CLIENT_SECRET": user_pool_client.user_pool_client_secret # Use the CDK attribute
-                     }
-                 )
-                 print(f"Created new secret {secret_name}.")
+            else:
+                if USE_CUSTOM_KMS_KEY == '1' and isinstance(kms_key, kms.Key):
+                    secret = secretsmanager.Secret(self, "CognitoSecret", # Logical ID
+                        secret_name=secret_name, # Explicit resource name
+                        secret_object_value={
+                            "REDACTION_USER_POOL_ID": SecretValue.unsafe_plain_text(user_pool.user_pool_id), # Use the CDK attribute
+                            "REDACTION_CLIENT_ID": SecretValue.unsafe_plain_text(user_pool_client.user_pool_client_id), # Use the CDK attribute
+                            "REDACTION_CLIENT_SECRET": user_pool_client.user_pool_client_secret # Use the CDK attribute
+                        },
+                        encryption_key=kms_key
+                    )
+                else:
+                    secret = secretsmanager.Secret(self, "CognitoSecret", # Logical ID
+                        secret_name=secret_name, # Explicit resource name
+                        secret_object_value={
+                            "REDACTION_USER_POOL_ID": SecretValue.unsafe_plain_text(user_pool.user_pool_id), # Use the CDK attribute
+                            "REDACTION_CLIENT_ID": SecretValue.unsafe_plain_text(user_pool_client.user_pool_client_id), # Use the CDK attribute
+                            "REDACTION_CLIENT_SECRET": user_pool_client.user_pool_client_secret # Use the CDK attribute
+                        }
+                    )
+
+                print(f"Created new secret {secret_name}.")
 
         except Exception as e:
              raise Exception("Could not handle Secrets Manager secret due to:", e)
 
         # --- Fargate Task Definition ---
         try:
-            # For task definitions, re-creating with the same logical ID creates new revisions.
-            # If you want to use a *specific existing revision*, you'd need to look it up by ARN.
-            # If you want to update the latest revision, defining it here is the standard.
-            # Let's assume we always define it here to get revision management.
             fargate_task_definition_name = FARGATE_TASK_DEFINITION_NAME
 
             read_only_file_system = ECS_READ_ONLY_FILE_SYSTEM == 'True'     
@@ -906,8 +1001,8 @@ class CdkStack(Stack):
 
             cdk_managed_log_group = logs.LogGroup(self, "MyTaskLogGroup", # CDK Logical ID
             log_group_name=log_group_name_from_config,
-            retention=logs.RetentionDays.ONE_MONTH, # Example: set retention
-            removal_policy=RemovalPolicy.DESTROY # If you want it deleted when stack is deleted
+            retention=logs.RetentionDays.ONE_MONTH,
+            removal_policy=RemovalPolicy.DESTROY
             )
 
             epheremal_storage_volume_cdk_obj = ecs.Volume(
@@ -926,10 +1021,7 @@ class CdkStack(Stack):
                 cpu_architecture=ecs.CpuArchitecture.X86_64,
                 operating_system_family=ecs.OperatingSystemFamily.LINUX
             ),
-            # 1. Specify the total ephemeral storage for the task
             ephemeral_storage_gib=21, # Minimum is 21 GiB
-            # 2. Define the volume at the task level
-            # This volume will use the ephemeral storage configured above.
             volumes=[epheremal_storage_volume_cdk_obj]
             )
             print("Fargate task definition defined.")
@@ -1093,7 +1185,7 @@ class CdkStack(Stack):
             print(f"ALB listener on port {listener_port} defined.")
 
 
-            if ACM_CERTIFICATE_ARN:
+            if ACM_SSL_CERTIFICATE_ARN:
                 http_listener.add_action(
                         "DefaultAction", # Logical ID for the default action
                         action=elbv2.ListenerAction.redirect(protocol='HTTPS',
@@ -1135,7 +1227,7 @@ class CdkStack(Stack):
                 print("Added targets and actions to ALB HTTP listener.")            
 
             # Now the same for HTTPS if you have an ACM certificate
-            if ACM_CERTIFICATE_ARN:
+            if ACM_SSL_CERTIFICATE_ARN:
                 listener_port_https = 443
                 # Check if Listener exists - from_listener_arn or lookup by port/ALB                
 
@@ -1143,7 +1235,7 @@ class CdkStack(Stack):
                 self,
                 "MyHttpsListener", # Logical ID for the HTTPS listener
                 alb,
-                acm_certificate_arn=ACM_CERTIFICATE_ARN,
+                ACM_SSL_CERTIFICATE_ARN=ACM_SSL_CERTIFICATE_ARN,
                 default_target_group=target_group,
                 enable_cognito_auth=True,
                 cognito_user_pool=user_pool,

cdk/check_resources.py

@@ -49,150 +49,151 @@ def check_and_set_context():
     context_data = {}
 
     # --- Find the VPC ID first ---
-    print("VPC_NAME:", VPC_NAME)
-    vpc_id, nat_gateways = get_vpc_id_by_name(VPC_NAME)
-
-    # If you expect only one, or one per AZ and you're creating one per AZ in CDK:
-    if nat_gateways:
-        # For simplicity, let's just check if *any* NAT exists in the VPC
-        # A more robust check would match by subnet, AZ, or a specific tag.
-        context_data["exists:NatGateway"] = True
-        context_data["id:NatGateway"] = nat_gateways[0]['NatGatewayId'] # Store the ID of the first one found
-    else:
-        context_data["exists:NatGateway"] = False
-        context_data["id:NatGateway"] = None
-
-    if not vpc_id:
-        # If the VPC doesn't exist, you might not be able to check/create subnets.
-        # Decide how to handle this: raise an error, set a flag, etc.
-        raise RuntimeError(f"Required VPC '{VPC_NAME}' not found. Cannot proceed with subnet checks.")
-
-    context_data["vpc_id"] = vpc_id # Store VPC ID in context
-
-    # SUBNET CHECKS
-    context_data: Dict[str, Any] = {}
-    all_proposed_subnets_data: List[Dict[str, str]] = []
-
-    # Flag to indicate if full validation mode (with CIDR/AZs) is active
-    full_validation_mode = False
-
-    # Determine if full validation mode is possible/desired
-    # It's 'desired' if CIDR/AZs are provided, and their lengths match the name lists.
-    public_ready_for_full_validation = (
-        len(PUBLIC_SUBNETS_TO_USE) > 0 and
-        len(PUBLIC_SUBNET_CIDR_BLOCKS) == len(PUBLIC_SUBNETS_TO_USE) and
-        len(PUBLIC_SUBNET_AVAILABILITY_ZONES) == len(PUBLIC_SUBNETS_TO_USE)
-    )
-    private_ready_for_full_validation = (
-        len(PRIVATE_SUBNETS_TO_USE) > 0 and
-        len(PRIVATE_SUBNET_CIDR_BLOCKS) == len(PRIVATE_SUBNETS_TO_USE) and
-        len(PRIVATE_SUBNET_AVAILABILITY_ZONES) == len(PRIVATE_SUBNETS_TO_USE)
-    )
-
-    # Activate full validation if *any* type of subnet (public or private) has its full details provided.
-    # You might adjust this logic if you require ALL subnet types to have CIDRs, or NONE.
-    if public_ready_for_full_validation or private_ready_for_full_validation:
-        full_validation_mode = True
-
-        # If some are ready but others aren't, print a warning or raise an error based on your strictness
-        if public_ready_for_full_validation and not private_ready_for_full_validation and PRIVATE_SUBNETS_TO_USE:
-            print("Warning: Public subnets have CIDRs/AZs, but private subnets do not. Only public will be fully validated/created with CIDRs.")
-        if private_ready_for_full_validation and not public_ready_for_full_validation and PUBLIC_SUBNETS_TO_USE:
-            print("Warning: Private subnets have CIDRs/AZs, but public subnets do not. Only private will be fully validated/created with CIDRs.")
-
-        # Prepare data for validate_subnet_creation_parameters for all subnets that have full details
-        if public_ready_for_full_validation:
-            for i, name in enumerate(PUBLIC_SUBNETS_TO_USE):
-                all_proposed_subnets_data.append({
-                    'name': name,
-                    'cidr': PUBLIC_SUBNET_CIDR_BLOCKS[i],
-                    'az': PUBLIC_SUBNET_AVAILABILITY_ZONES[i]
-                })
-        if private_ready_for_full_validation:
-            for i, name in enumerate(PRIVATE_SUBNETS_TO_USE):
-                all_proposed_subnets_data.append({
-                    'name': name,
-                    'cidr': PRIVATE_SUBNET_CIDR_BLOCKS[i],
-                    'az': PRIVATE_SUBNET_AVAILABILITY_ZONES[i]
-                })
-
-
-    print(f"Target VPC ID for Boto3 lookup: {vpc_id}")
-
-    # Fetch all existing subnets in the target VPC once to avoid repeated API calls
-    try:
-        existing_aws_subnets = _get_existing_subnets_in_vpc(vpc_id)
-    except Exception as e:
-        print(f"Failed to fetch existing VPC subnets. Aborting. Error: {e}")
-        raise SystemExit(1) # Exit immediately if we can't get baseline data
-    
-    print("\n--- Running Name-Only Subnet Existence Check Mode ---")
-    # Fallback: check only by name using the existing data
-    checked_public_subnets = {}
-    if PUBLIC_SUBNETS_TO_USE:
-        for subnet_name in PUBLIC_SUBNETS_TO_USE:
-            print("subnet_name:", subnet_name)
-            exists, subnet_id = check_subnet_exists_by_name(subnet_name, existing_aws_subnets)
-            checked_public_subnets[subnet_name] = {"exists": exists, "id": subnet_id}
-
-            # If the subnet exists, remove it from the proposed subnets list
-            if checked_public_subnets[subnet_name]["exists"] == True:
-                all_proposed_subnets_data = [
-                    subnet for subnet in all_proposed_subnets_data 
-                    if subnet['name'] != subnet_name
-                ]
-
-    context_data["checked_public_subnets"] = checked_public_subnets
-
-    checked_private_subnets = {}
-    if PRIVATE_SUBNETS_TO_USE:
-        for subnet_name in PRIVATE_SUBNETS_TO_USE:
-            print("subnet_name:", subnet_name)
-            exists, subnet_id = check_subnet_exists_by_name(subnet_name, existing_aws_subnets)
-            checked_private_subnets[subnet_name] = {"exists": exists, "id": subnet_id}
-
-            # If the subnet exists, remove it from the proposed subnets list
-            if checked_private_subnets[subnet_name]["exists"] == True:
-                all_proposed_subnets_data = [
-                    subnet for subnet in all_proposed_subnets_data 
-                    if subnet['name'] != subnet_name
-                ]
-
-    context_data["checked_private_subnets"] = checked_private_subnets
-
-
-
-    print("\nName-only existence subnet check complete.\n")
-
-    if full_validation_mode:
-        print("\n--- Running in Full Subnet Validation Mode (CIDR/AZs provided) ---")
-        try:
-            validate_subnet_creation_parameters(vpc_id, all_proposed_subnets_data, existing_aws_subnets)
-            print("\nPre-synth validation successful. Proceeding with CDK synth.\n")
-
-            # Populate context_data for downstream CDK construct creation
-            context_data["public_subnets_to_create"] = []
+    if VPC_NAME:
+        print("VPC_NAME:", VPC_NAME)
+        vpc_id, nat_gateways = get_vpc_id_by_name(VPC_NAME)
+
+        # If you expect only one, or one per AZ and you're creating one per AZ in CDK:
+        if nat_gateways:
+            # For simplicity, let's just check if *any* NAT exists in the VPC
+            # A more robust check would match by subnet, AZ, or a specific tag.
+            context_data["exists:NatGateway"] = True
+            context_data["id:NatGateway"] = nat_gateways[0]['NatGatewayId'] # Store the ID of the first one found
+        else:
+            context_data["exists:NatGateway"] = False
+            context_data["id:NatGateway"] = None
+
+        if not vpc_id:
+            # If the VPC doesn't exist, you might not be able to check/create subnets.
+            # Decide how to handle this: raise an error, set a flag, etc.
+            raise RuntimeError(f"Required VPC '{VPC_NAME}' not found. Cannot proceed with subnet checks.")
+
+        context_data["vpc_id"] = vpc_id # Store VPC ID in context
+
+        # SUBNET CHECKS
+        context_data: Dict[str, Any] = {}
+        all_proposed_subnets_data: List[Dict[str, str]] = []
+
+        # Flag to indicate if full validation mode (with CIDR/AZs) is active
+        full_validation_mode = False
+
+        # Determine if full validation mode is possible/desired
+        # It's 'desired' if CIDR/AZs are provided, and their lengths match the name lists.
+        public_ready_for_full_validation = (
+            len(PUBLIC_SUBNETS_TO_USE) > 0 and
+            len(PUBLIC_SUBNET_CIDR_BLOCKS) == len(PUBLIC_SUBNETS_TO_USE) and
+            len(PUBLIC_SUBNET_AVAILABILITY_ZONES) == len(PUBLIC_SUBNETS_TO_USE)
+        )
+        private_ready_for_full_validation = (
+            len(PRIVATE_SUBNETS_TO_USE) > 0 and
+            len(PRIVATE_SUBNET_CIDR_BLOCKS) == len(PRIVATE_SUBNETS_TO_USE) and
+            len(PRIVATE_SUBNET_AVAILABILITY_ZONES) == len(PRIVATE_SUBNETS_TO_USE)
+        )
+
+        # Activate full validation if *any* type of subnet (public or private) has its full details provided.
+        # You might adjust this logic if you require ALL subnet types to have CIDRs, or NONE.
+        if public_ready_for_full_validation or private_ready_for_full_validation:
+            full_validation_mode = True
+
+            # If some are ready but others aren't, print a warning or raise an error based on your strictness
+            if public_ready_for_full_validation and not private_ready_for_full_validation and PRIVATE_SUBNETS_TO_USE:
+                print("Warning: Public subnets have CIDRs/AZs, but private subnets do not. Only public will be fully validated/created with CIDRs.")
+            if private_ready_for_full_validation and not public_ready_for_full_validation and PUBLIC_SUBNETS_TO_USE:
+                print("Warning: Private subnets have CIDRs/AZs, but public subnets do not. Only private will be fully validated/created with CIDRs.")
+
+            # Prepare data for validate_subnet_creation_parameters for all subnets that have full details
             if public_ready_for_full_validation:
                 for i, name in enumerate(PUBLIC_SUBNETS_TO_USE):
-                    context_data["public_subnets_to_create"].append({
+                    all_proposed_subnets_data.append({
                         'name': name,
                         'cidr': PUBLIC_SUBNET_CIDR_BLOCKS[i],
-                        'az': PUBLIC_SUBNET_AVAILABILITY_ZONES[i],
-                        'is_public': True
+                        'az': PUBLIC_SUBNET_AVAILABILITY_ZONES[i]
                     })
-            context_data["private_subnets_to_create"] = []
             if private_ready_for_full_validation:
                 for i, name in enumerate(PRIVATE_SUBNETS_TO_USE):
-                    context_data["private_subnets_to_create"].append({
+                    all_proposed_subnets_data.append({
                         'name': name,
                         'cidr': PRIVATE_SUBNET_CIDR_BLOCKS[i],
-                        'az': PRIVATE_SUBNET_AVAILABILITY_ZONES[i],
-                        'is_public': False
+                        'az': PRIVATE_SUBNET_AVAILABILITY_ZONES[i]
                     })
 
-        except (ValueError, Exception) as e:
-            print(f"\nFATAL ERROR: Subnet parameter validation failed: {e}\n")
-            raise SystemExit(1) # Exit if validation fails
+
+        print(f"Target VPC ID for Boto3 lookup: {vpc_id}")
+
+        # Fetch all existing subnets in the target VPC once to avoid repeated API calls
+        try:
+            existing_aws_subnets = _get_existing_subnets_in_vpc(vpc_id)
+        except Exception as e:
+            print(f"Failed to fetch existing VPC subnets. Aborting. Error: {e}")
+            raise SystemExit(1) # Exit immediately if we can't get baseline data
+        
+        print("\n--- Running Name-Only Subnet Existence Check Mode ---")
+        # Fallback: check only by name using the existing data
+        checked_public_subnets = {}
+        if PUBLIC_SUBNETS_TO_USE:
+            for subnet_name in PUBLIC_SUBNETS_TO_USE:
+                print("subnet_name:", subnet_name)
+                exists, subnet_id = check_subnet_exists_by_name(subnet_name, existing_aws_subnets)
+                checked_public_subnets[subnet_name] = {"exists": exists, "id": subnet_id}
+
+                # If the subnet exists, remove it from the proposed subnets list
+                if checked_public_subnets[subnet_name]["exists"] == True:
+                    all_proposed_subnets_data = [
+                        subnet for subnet in all_proposed_subnets_data 
+                        if subnet['name'] != subnet_name
+                    ]
+
+        context_data["checked_public_subnets"] = checked_public_subnets
+
+        checked_private_subnets = {}
+        if PRIVATE_SUBNETS_TO_USE:
+            for subnet_name in PRIVATE_SUBNETS_TO_USE:
+                print("subnet_name:", subnet_name)
+                exists, subnet_id = check_subnet_exists_by_name(subnet_name, existing_aws_subnets)
+                checked_private_subnets[subnet_name] = {"exists": exists, "id": subnet_id}
+
+                # If the subnet exists, remove it from the proposed subnets list
+                if checked_private_subnets[subnet_name]["exists"] == True:
+                    all_proposed_subnets_data = [
+                        subnet for subnet in all_proposed_subnets_data 
+                        if subnet['name'] != subnet_name
+                    ]
+
+        context_data["checked_private_subnets"] = checked_private_subnets
+
+
+
+        print("\nName-only existence subnet check complete.\n")
+
+        if full_validation_mode:
+            print("\n--- Running in Full Subnet Validation Mode (CIDR/AZs provided) ---")
+            try:
+                validate_subnet_creation_parameters(vpc_id, all_proposed_subnets_data, existing_aws_subnets)
+                print("\nPre-synth validation successful. Proceeding with CDK synth.\n")
+
+                # Populate context_data for downstream CDK construct creation
+                context_data["public_subnets_to_create"] = []
+                if public_ready_for_full_validation:
+                    for i, name in enumerate(PUBLIC_SUBNETS_TO_USE):
+                        context_data["public_subnets_to_create"].append({
+                            'name': name,
+                            'cidr': PUBLIC_SUBNET_CIDR_BLOCKS[i],
+                            'az': PUBLIC_SUBNET_AVAILABILITY_ZONES[i],
+                            'is_public': True
+                        })
+                context_data["private_subnets_to_create"] = []
+                if private_ready_for_full_validation:
+                    for i, name in enumerate(PRIVATE_SUBNETS_TO_USE):
+                        context_data["private_subnets_to_create"].append({
+                            'name': name,
+                            'cidr': PRIVATE_SUBNET_CIDR_BLOCKS[i],
+                            'az': PRIVATE_SUBNET_AVAILABILITY_ZONES[i],
+                            'is_public': False
+                        })
+
+            except (ValueError, Exception) as e:
+                print(f"\nFATAL ERROR: Subnet parameter validation failed: {e}\n")
+                raise SystemExit(1) # Exit if validation fails
 
     # Example checks and setting context values
     # IAM Roles

cdk/post_cdk_build_quickstart.py

@@ -13,10 +13,10 @@ start_codebuild_build(PROJECT_NAME=CODEBUILD_PROJECT_NAME)
 # Upload config.env file to S3 bucket
 upload_file_to_s3(local_file_paths="config/config.env", s3_key="", s3_bucket=S3_LOG_CONFIG_BUCKET_NAME)
 
-total_seconds = 480 # 8 minutes * 60 seconds/minute
+total_seconds = 450 # 7.5 minutes
 update_interval = 1 # Update every second
 
-print("Waiting eight minutes for the CodeBuild container to build.")
+print("Waiting 7.5 minutes for the CodeBuild container to build.")
 
 # tqdm iterates over a range, and you perform a small sleep in each iteration
 for i in tqdm(range(total_seconds), desc="Building container"):

cdk/requirements.txt

@@ -1,5 +1,5 @@
-aws-cdk-lib==2.200.2
-boto3==1.38.35
-pandas==2.2.3
+aws-cdk-lib==2.202.0
+boto3==1.38.41
+pandas==2.3.0
 nodejs==0.1.1
 python-dotenv==1.0.1

index.qmd

@@ -2,7 +2,7 @@
 title: "Home"
 ---
 
-version: 0.7.0
+version: 0.7.1
 
 Welcome to the Document Redaction App documentation. This site provides comprehensive documentation for the Document Redaction App.
 

pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
 
 [project]
 name = "doc_redaction"
-version = "0.7.0"
+version = "0.7.1"
 description = "Redact PDF/image-based documents, or CSV/XLSX files using a Gradio-based GUI interface"
 readme = "README.md"
 requires-python = ">=3.10"
@@ -18,13 +18,13 @@ dependencies = [
     "presidio_anonymizer==2.2.358",
     "presidio-image-redactor==0.0.56",
     "pikepdf==9.5.2",
-    "pandas==2.2.3",
+    "pandas==2.3.0",
     "scikit-learn==1.6.1",
-    "spacy==3.8.4",
+    "spacy==3.8.7",
     # Direct URL dependency for spacy model
     "en_core_web_lg @ https://github.com/explosion/spacy-models/releases/download/en_core_web_lg-3.8.0/en_core_web_lg-3.8.0.tar.gz",
-    "gradio==5.34.0",
-    "boto3==1.38.35",
+    "gradio==5.34.2",
+    "boto3==1.38.46",
     "pyarrow==19.0.1",
     "openpyxl==3.1.5",
     "Faker==36.1.1",

requirements.txt

@@ -6,12 +6,12 @@ presidio_analyzer==2.2.358
 presidio_anonymizer==2.2.358
 presidio-image-redactor==0.0.56
 pikepdf==9.5.2
-pandas==2.2.3
+pandas==2.3.0
 scikit-learn==1.6.1
-spacy==3.8.4
+spacy==3.8.7
 en_core_web_lg @ https://github.com/explosion/spacy-models/releases/download/en_core_web_lg-3.8.0/en_core_web_lg-3.8.0.tar.gz
-gradio==5.34.0
-boto3==1.38.35
+gradio==5.34.2
+boto3==1.38.46
 pyarrow==19.0.1
 openpyxl==3.1.5
 Faker==36.1.1

src/installation_guide.qmd

@@ -1,5 +1,5 @@
 ---
-title: "App installation guide (with CDK)"
+title: "App installation guide (with CDK or locally on Windows)"
 format:
   html:
     toc: true # Enable the table of contents
@@ -7,17 +7,17 @@ format:
     toc-title: "On this page" # Optional: Title for your TOC
 ---
 
-# Introduction
+# Installation with CDK
 
-This guide gives an overview of how to install the app in an AWS environment using the code in the cdk/ folder of this Github repo. The most important thing you need is some familiarity with AWS and how to use it via console or command line, as well as administrator access to at least one region. Then follow the below steps.
+This guide gives an overview of how to install the app in an AWS environment using the code in the 'cdk/' folder of this Github repo. The most important thing you need is some familiarity with AWS and how to use it via console or command line, as well as administrator access to at least one region. Then follow the below steps.
 
 ## Prerequisites
 
+*   Ensure you have an AWS Administrator account in your desired region to be able to deploy all the resources mentioned in cdk_stack.py.
 *   Install git on your computer from: [https://git-scm.com](https://git-scm.com)
-*   You will also need to install nodejs and npm: [https://docs.npmjs.com/downloading-and-installing-node-js-and-npm](https://docs.npmjs.com/downloading-and-installing-node-js-and-npm)
-*   You will need an AWS Administrator account in your desired region to install.
-*   You will need AWS CDK v2 installed: [https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html)
-*   You will need to bootstrap the environment with CDK in both your primary region, and `us-east-1` if installing CloudFront and associated WAF.
+*   Install nodejs and npm: [https://docs.npmjs.com/downloading-and-installing-node-js-and-npm](https://docs.npmjs.com/downloading-and-installing-node-js-and-npm). If using Windows, it may be easiest to install from the .msi installer at the bottom of the page [here](https://nodejs.org/en/download/).
+*   Install AWS CDK v2: [https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html)
+*   Bootstrap the environment with CDK in both your primary region, and `us-east-1` if installing CloudFront and associated WAF.
     ```bash
     # Bootstrap your primary region
     cdk bootstrap aws://<YOUR_AWS_ACCOUNT>/eu-west-1
@@ -30,27 +30,23 @@ This guide gives an overview of how to install the app in an AWS environment usi
     git clone https://github.com/seanpedrick-case/doc_redaction.git
     ```
 
-# VPC ACM Certificate
+## Note on ACM Certificates
 
-This CDK code is designed to work within an existing VPC. The code does not create a new VPC if it doesn't exist. So you will need to do that yourself.
+To get full HTTPS data transfer through the app, you will need an SSL certificate registered with AWS Certificate Manager.
 
-Additionally, to get full HTTPS data transfer through the app, you will need an SSL certificate registered with AWS Certificate Manager.
-
-You can either use the SSL certificate from a domain, or import an existing certificate into Certificate Manager. Ask your IT admin if you need help with this.
-
-## If getting an SSL certificate for an existing domain
-
-Make sure to point the certificate to `*.<domain-name>`.
+You can either use the SSL certificate from a domain, or import an existing certificate into Certificate Manager. If you're not sure, ask your IT admin if you need help with this. If getting an SSL certificate for an existing domain, make sure to point the certificate to `*.<domain-name>`.
 
 Update your DNS records to include the CNAME record given by AWS. After your stack has been created, you will also need to create a CNAME DNS record for your domain pointing to your load balancer DNS with a subdomain, e.g., `redaction.<domain-name>`.
 
-1.  Create a python environment, load in packages from `requirements.txt`.
+## Steps to install the app using CDK
+
+### 1.  Create a python environment, load in packages from `requirements.txt`.
 
-    Need a `cdk.json` in the `cdk` folder. It should contain the following:
+    You need a `cdk.json` in the `cdk` folder. It should contain the following:
 
     ```json
     {
-        "app": "<PATH TO PYTHON ENVIRONMENT FOLDER WHERE REQUIREMENTS HAVE BEEN LOADED>python.exe app.py",
+        "app": "<PATH TO PYTHON ENVIRONMENT FOLDER WHERE REQUIREMENTS HAVE BEEN LOADED>/python.exe app.py",
         "context": {
           "@aws-cdk/aws-apigateway:usagePlanKeyOrderInsensitiveId": true,
           "@aws-cdk/core:stackRelativeExports": true,
@@ -71,99 +67,129 @@ Update your DNS records to include the CNAME record given by AWS. After your sta
       }
     ```
 
-2.  Create a `cdk_config.env` file in the `config` subfolder. Here as a minimum it would be useful to put the following details in the env file (below are example values, other possible variables to use here can be seen in the `cdk` folder/`cdk_config.py`).
+### 2.  Create a `cdk_config.env` file in the `config` subfolder. 
+
+Depending on which environment variables you put in this file, you can choose whether to install the app in a completely new VPC, or in an existing VPC. The following shows you example config files that you could use.
+
+#### Deploying the app an a brand new VPC
+
+Here as a minimum it would be useful to put the following details in the cdk_config.env file (below are all example values, other possible variables to use here can be seen in the `cdk` folder/`cdk_config.py`).
 
     ```ini
-    CDK_PREFIX=example-prefix # Prefix to most created elements in your stack
-    VPC_NAME=example-vpc-name # Name of the VPC within which all the other elements will be created
-    AWS_REGION=us-west-1 # Region where elements will be created
+    CDK_PREFIX=example-prefix # This prefix will be added to the name of most of the created elements in your stack
+    NEW_VPC_CIDR=10.0.0.0/24 # The CIDR range for your newly created VPC
+    AWS_REGION=<your-region> # Region where elements will be created
     AWS_ACCOUNT_ID=1234567890 # AWS account ID that has administrator access that you will use for deploying the stack
     CDK_FOLDER=C:/path_to_cdk_folder/ # The place where the cdk folder code is located
     CONTEXT_FILE=C:/path_to_cdk_folder/cdk.context.json
-    EXISTING_IGW_ID=igw-1234567890 # (optional) The ID for an existing internet gateway that you want to use instead of creating a new one
-    SINGLE_NAT_GATEWAY_ID=nat-123456789 # (optional) The ID for an existing NAT gateway that you want to use instead of creating a new one
-    COGNITO_USER_POOL_DOMAIN_PREFIX=lambeth-redaction-37924 # The prefix of the login / user sign up domain that you want to use with Cognito login. Should not contain the terms amazon, aws, or cognito.
+    
+    COGNITO_USER_POOL_DOMAIN_PREFIX=redaction-12345 # The prefix of the login / user sign up domain that you want to use with Cognito login. Should not contain the terms amazon, aws, or cognito.
+    COGNITO_AUTH=1 # Do you want to do in-app authentication (username and password only, not necessary if you are using an SSL certificate as recommended below)  
+    USE_CLOUDFRONT=True # Recommended. If you intend to use CloudFront as the front URL to your application load balancer (ALB). This has some extra security features that you won't get with just an ALB, e.g. limiting app access by country.
     RUN_USEAST_STACK=False # Set this to True only if you have permissions to create a Cloudfront distribution and web ACL on top of it in the us-east-1 region. If you don't, the section below shows how you can create the CloudFront resource manually and map it to your application load balancer (as you should have permissions for that if you are admin in your region).
+    CLOUDFRONT_DOMAIN=<example>.cloudfront.net # If you already know the domain of the CloudFront distribution that you want to use, you can add this here.
+    # If you are using an SSL certificate with your ALB (highly recommended):
+    ACM_SSL_CERTIFICATE_ARN=<SSL Certificate ARN> # This is the ARN of the SSL certificate that you have installed in AWS Certificate Manager
+    SSL_CERTIFICATE_DOMAIN=redaction.example.com # This is the domain of the SSL certificate that you have installed in AWS Certificate Manager
+    
     ```
 
-**Note: If you are using an SSL certificate with Cognito login on the application load balancer, you can set COGNITO_AUTH to 0 above, as you don't need the second login step to get to the app**
+**Note: If you are using an SSL certificate with Cognito login on the application load balancer (strongly advised), you can set COGNITO_AUTH to 0 above, as you don't need the second login step to get to the app**
 
-# Subnets
+#### In an existing VPC
 
-### NOTE: I would generally advise creating new subnets as then you will be sure about connectivity between AWS resources that underpin your app.
+From the above example, remove the variable 'NEW_VPC_CIDR' and replace with the below:
 
-*   If you set no subnets, the app will try to use existing private and public subnets. This approach is risky as the app may overlap with IP addresses assigned to existing AWS resources. It is advised to at least specify existing subnets that you know are available, or create your own using one of the below methods.
+```ini
+VPC_NAME=example-vpc-name # Name of the VPC within which all the other elements will be created
+EXISTING_IGW_ID=igw-1234567890 # (optional) The ID for an existing internet gateway that you want to use instead of creating a new one
+SINGLE_NAT_GATEWAY_ID=nat-123456789 # (optional) The ID for an existing NAT gateway that you want to use instead of creating a new one
+```
+##### Subnets
+
+If you are using an existing VPC then you may want to deploy the app within existing subnets rather than creating new ones:
+
+*   If you define no subnets in environment variables, the app will try to use existing private and public subnets. Bear in mind the app may overlap with IP addresses assigned to existing AWS resources. It is advised to at least specify existing subnets that you know are available, or create your own using one of the below methods.
 
 *   If you want to use existing subnets, you can list them in the following environment variables:
-    *   `PUBLIC_SUBNETS_TO_USE=["PublicSubnet1", "PublicSubnet2", "PublicSubnet3"]`
-    *   `PRIVATE_SUBNETS_TO_USE=["PrivateSubnet1", "PrivateSubnet2", "PrivateSubnet3"]`
+```ini
+PUBLIC_SUBNETS_TO_USE=["PublicSubnet1", "PublicSubnet2", "PublicSubnet3"]`
+PRIVATE_SUBNETS_TO_USE=["PrivateSubnet1", "PrivateSubnet2", "PrivateSubnet3"]`
+```
 
 *   If you want to create new subnets, you need to also specify CIDR blocks and availability zones for the new subnets. The app will check with you upon deployment whether these CIDR blocks are available before trying to create.
-    *   `PUBLIC_SUBNET_CIDR_BLOCKS=['10.222.333.0/28', '10.222.333.16/28', '10.222.333.32/28']`
-    *   `PUBLIC_SUBNET_AVAILABILITY_ZONES=['eu-east-1a', 'eu-east-1b', 'eu-east-1c']`
-    *   `PRIVATE_SUBNET_CIDR_BLOCKS=['10.222.333.48/28', '10.222.333.64/28', '10.222.333.80/28']`
-    *   `PRIVATE_SUBNET_AVAILABILITY_ZONES=['eu-east-1a', 'eu-east-1b', 'eu-east-1c']`
+
+```ini
+PUBLIC_SUBNET_CIDR_BLOCKS=['10.222.333.0/28', '10.222.333.16/28', '10.222.333.32/28']
+PUBLIC_SUBNET_AVAILABILITY_ZONES=['eu-east-1a', 'eu-east-1b', 'eu-east-1c']
+PRIVATE_SUBNET_CIDR_BLOCKS=['10.222.333.48/28', '10.222.333.64/28', '10.222.333.80/28']
+PRIVATE_SUBNET_AVAILABILITY_ZONES=['eu-east-1a', 'eu-east-1b', 'eu-east-1c']
+```
 
 If you try to create subnets in invalid CIDR blocks / availability zones, the console output will tell you and it will show you the currently occupied CIDR blocks to help find a space for new subnets you want to create.
 
-3.  In command line in console, go to your `cdk` folder in the redaction app folder. Run `cdk deploy --all`. This should try to deploy the first stack in the `app.py` file.
+### 3.  Deploy your AWS stack using cdk deploy --all
+
+In command line in console, go to your `cdk` folder in the redaction app folder. Run `cdk deploy --all`. This should try to deploy the first stack in the `app.py` file.
+
+Hopefully everything will deploy successfully and you will be able to see your new stack in CloudFormation in the AWS console.
+
+### 4.  Tasks for after CDK deployment
 
-    Hopefully everything will deploy successfully and you will be able to see your new stack in CloudFormation in the AWS console.
+The CDK deployment will create all the AWS resources needed to run the redaction app. However, there are some objects in AWS
 
-4.  Tasks for after CDK deployment
+#### Run `post_cdk_build_quickstart.py`
 
-# Tasks performed by `post_cdk_build_quickstart.py`
+The following tasks are done by the `post_cdk_build_quickstart.py` file that you can find in the `cdk` folder. You will need to run this when logged in with AWS SSO through command line. I will describe how to do this in AWS console just in case the `.py` file doesn't work for you.
 
-**Note:** The following tasks are done by the `post_cdk_build_quickstart.py` file that you can find in the `cdk` folder. You will need to run this when logged in with AWS SSO through command line. I will describe how to do this in AWS console just in case the `.py` file doesn't work for you.
+##### Codebuild
 
-## Codebuild
+You need to build CodeBuild project after stack has finished deploying your CDK stack, as there will be no container in ECR.
 
-Need to build CodeBuild project after stack has finished building, as there will be no container in ECR.
+If you don't want to run the 'post_cdk_build_quickstart.py' file, in console, go to CodeBuild -> your project -> click Start build. Check the logs, the build should complete in about 6-7 minutes.
 
-Go to CodeBuild -> your project -> click Start build. Check the logs, the build should be progressing.
+##### Create a `config.env` file and upload to S3
 
-## Create a `config.env` file and upload to S3
+The 'post_cdk_build_quickstart' file will upload a config file to S3, as the Fargate task definition references a `config.env` file.
 
-The Fargate task definition references a `config.env` file.
+if you want to do this manually:
 
-Need to create a `config.env` file to upload to the S3 bucket that has the variables:
+Create a `config.env` file to upload to the S3 bucket that has at least the following variables:
 
 ```ini
-COGNITO_AUTH=1
-RUN_AWS_FUNCTIONS=1
-SESSION_OUTPUT_FOLDER=True # If this is False it currently seems to fail to allow for writable log directories
+COGNITO_AUTH=1 # If you are using an SSL certificate with your application load balancer, you will be logging in there. Set this to 0 to turn off the default login screen.
+RUN_AWS_FUNCTIONS=1 # This will enable the app to communicate with AWS services.
+SESSION_OUTPUT_FOLDER=True # This will put outputs for each user in separate output folders.
 ```
 
-Go to S3 and choose the new `...-logs` bucket that you created. Upload the `config.env` file into this bucket.
+* Then, go to S3 and choose the new `...-logs` bucket that you created. Upload the `config.env` file into this bucket.
 
-## Update Elastic Container Service
+##### Update Elastic Container Service
 
 Now that the app container is in Elastic Container Registry, you can proceed to run the app on a Fargate server.
-
-Go to your new cluster, your new service, and select 'Update service'.
+The 'post_cdk_build_quickstart.py' file will do this for you, but you can also try this in Console. In ECS, go to your new cluster, your new service, and select 'Update service'.
 
 Select 'Force new deployment', and then set 'Desired number of tasks' to 1.
 
-# Additional Manual Tasks
-
-# Update DNS records for your domain (If using a domain for the SSL certificate)
-
-To do this, you need to create a CNAME DNS record for your domain pointing to your load balancer DNS from a subdomain of your main domain registration, e.g., `redaction.<domain-name>`.
+## Additional Manual Tasks
 
-# Cognito
+### Update DNS records for your domain (If using a domain for the SSL certificate)
 
-Go to Cognito and create a user with your own email address. Generate a password.
+If the SSL certificate you are using is associated with a domain, you will need to update the DNS records for your domain registered with the AWS SSL certificate. To do this, you need to create a CNAME DNS record for your domain pointing to your load balancer DNS from a subdomain of your main domain registration, e.g., `redaction.<domain-name>`.
 
-Go to Cognito -> App clients -> Login pages -> View login page.
+### Create a user in Cognito
 
-Enter the email and temporary password details that come in the email (don't include the last full stop!).
+You will next need to a create a user in Cognito to be able to log into the app.
 
-Change your password.
+* Go to Cognito and create a user with your own email address. Generate a password.
+* Go to Cognito -> App clients -> Login pages -> View login page.
+* Enter the email and temporary password details that come in the email (don't include the last full stop!).
+* Change your password on the screen that pops up. You should now be able to login to the app.
 
-## Set MFA (optional)
-On the Cognito user pool page you can also enable MFA, if you are using an SSL certificate with Cognito login on the Application Load Balancer. Go to Cognito -> your user pool -> Sign in ->  Multi-factor authentication
+### Set Multi-Factor Authentication for Cognito logins(optional but recommended)
+On the Cognito user pool page you can also enable MFA, if you are using an SSL certificate with Cognito login on the Application Load Balancer. Go to Cognito -> your user pool -> Sign in ->  Multi-factor authentication.
 
-# Create CloudFront distribution 
+### Create CloudFront distribution 
 **Note: this is only relevant if you set `RUN_USEAST_STACK` to 'False' during CDK deployment**
 
 If you were not able to create a CloudFront distribution via CDK, you should be able to do it through console. I would advise using CloudFront as the front end to the app.
@@ -186,25 +212,19 @@ Create a new CloudFront distribution.
     *   **For Behavior (modify default behavior):**
         *   Under Viewer protocol policy choose 'HTTP and HTTPS'.
 
-## Security features
+#### Security features
 
-In your CloudFront distribution, under 'Security' -> Edit -> Enable security protections.
+You can add security features to your CloudFront distribution (recommended). If you use WAF, you will also need to change the default settings to allow for file upload to the app.
 
-Choose rate limiting (default is fine).
+* In your CloudFront distribution, under 'Security' -> Edit -> Enable security protections.
+* Choose rate limiting (default is fine). Then click Create.
+* In CloudFront geographic restrictions -> Countries -> choose an Allow list of countries.
+* Click again on Edit.
+* In AWS WAF protection enabled you should see a link titled 'View details of your configuration'.
+* Go to Rules -> `AWS-AWSManagedRulesCommonRuleSet`, click Edit.
+* Under `SizeRestrictions_BODY` choose rule action override 'Override to Allow'. This is needed to allow for file upload to the app.
 
-Create.
-
-In CloudFront geographic restrictions -> Countries -> choose an Allow list of countries.
-
-Click again on Edit.
-
-AWS WAF protection enabled you should see a link titled 'View details of your configuration'.
-
-Go to Rules -> `AWS-AWSManagedRulesCommonRuleSet`, click Edit.
-
-Under `SizeRestrictions_BODY` choose rule action override 'Override to Allow'. This is needed to allow for file upload to the app.
-
-# Change Cognito redirection URL to your CloudFront distribution
+### Change Cognito redirection URL to your CloudFront distribution
 
 Go to Cognito -> your user pool -> App Clients -> Login pages -> Managed login configuration.
 
@@ -215,7 +235,7 @@ Ensure that the callback URL is:
     *   `https://<CloudFront domain name>/oauth2/idpresponse`
     *   `https://<CloudFront domain name>/oauth/idpresponse`
 
-# Force traffic to come from specific CloudFront distribution (optional)
+### Force traffic to come from specific CloudFront distribution (optional)
 
 Note that this only potentially helps with security if you are not using an SSL certificate with Cognito login on your application load balancer.
 
@@ -231,3 +251,5 @@ Go to EC2 - Load Balancers -> Your load balancer -> Listeners -> Your listener -
 Then, change the default listener rule.
 
 *   Under Routing action change to 'Return fixed response'.
+
+You should now have successfully installed the document redaction app in an AWS environment using CDK.