Initial commit

Author: anajmi07

infra/modules/agentcore-iam-role/bedrock-agentcore-policy.tf

@@ -0,0 +1,213 @@
+resource "aws_iam_policy" "bedrock_permissions" {
+  name = "${var.role_name}-bedrock-policy"
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Sid    = "BedrockPermissions"
+        Effect = "Allow"
+        Action = [
+          "bedrock:InvokeModel",
+          "bedrock:InvokeModelWithResponseStream"
+        ]
+        Resource = "*"
+      }
+    ]
+  })
+}
+
+resource "aws_iam_policy" "ecr_permissions" {
+  name = "${var.role_name}-ecr-policy"
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Sid    = "ECRImageAccess"
+        Effect = "Allow"
+        Action = [
+          "ecr:BatchGetImage",
+          "ecr:GetDownloadUrlForLayer",
+          "ecr:GetAuthorizationToken"
+        ]
+        Resource = [
+          "arn:aws:ecr:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:repository/*"
+        ]
+      },
+      {
+        Sid    = "ECRTokenAccess"
+        Effect = "Allow"
+        Action = [
+          "ecr:GetAuthorizationToken"
+        ]
+        Resource = "*"
+      }
+    ]
+  })
+}
+
+resource "aws_iam_policy" "logging_permissions" {
+  name = "${var.role_name}-logging-policy"
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Effect = "Allow"
+        Action = [
+          "logs:DescribeLogStreams",
+          "logs:CreateLogGroup"
+        ]
+        Resource = [
+          "arn:aws:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:log-group:/aws/bedrock-agentcore/runtimes/*"
+        ]
+      },
+      {
+        Effect = "Allow"
+        Action = [
+          "logs:DescribeLogGroups"
+        ]
+        Resource = [
+          "arn:aws:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:log-group:*"
+        ]
+      },
+      {
+        Effect = "Allow"
+        Action = [
+          "logs:CreateLogStream",
+          "logs:PutLogEvents"
+        ]
+        Resource = [
+          "arn:aws:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:log-group:/aws/bedrock-agentcore/runtimes/*:log-stream:*"
+        ]
+      }
+    ]
+  })
+}
+
+resource "aws_iam_policy" "monitoring_permissions" {
+  name = "${var.role_name}-monitoring-policy"
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Effect = "Allow"
+        Action = [
+          "xray:PutTraceSegments",
+          "xray:PutTelemetryRecords",
+          "xray:GetSamplingRules",
+          "xray:GetSamplingTargets"
+        ]
+        Resource = "*"
+      },
+      {
+        Effect   = "Allow"
+        Resource = "*"
+        Action   = "cloudwatch:PutMetricData"
+        Condition = {
+          StringEquals = {
+            "cloudwatch:namespace" = "bedrock-agentcore"
+          }
+        }
+      }
+    ]
+  })
+}
+
+resource "aws_iam_policy" "agentcore_permissions" {
+  name = "${var.role_name}-agentcore-policy"
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Sid    = "GetAgentAccessToken"
+        Effect = "Allow"
+        Action = [
+          "bedrock-agentcore:GetWorkloadAccessToken",
+          "bedrock-agentcore:GetWorkloadAccessTokenForJWT",
+          "bedrock-agentcore:GetWorkloadAccessTokenForUserId"
+        ]
+        Resource = [
+          "arn:aws:bedrock-agentcore:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:workload-identity-directory/default",
+          "arn:aws:bedrock-agentcore:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:workload-identity-directory/default/workload-identity/*"
+        ]
+      }
+    ]
+  })
+}
+
+resource "aws_iam_policy" "config_permissions" {
+  name = "${var.role_name}-config-policy"
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Effect = "Allow"
+        Action = [
+          "ssm:GetParameter",
+          "ssm:GetParameters"
+        ]
+        Resource = [
+          "arn:aws:ssm:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:parameter/amazon/*",
+          "arn:aws:ssm:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:parameter/cognito/*"
+        ]
+      },
+      {
+        Effect = "Allow"
+        Action = [
+          "secretsmanager:GetSecretValue"
+        ]
+        Resource = [
+          "arn:aws:secretsmanager:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:secret:cognito_client_secret*",
+          "arn:aws:secretsmanager:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:secret:zendesk_credentials*",
+          "arn:aws:secretsmanager:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:secret:langfuse_credentials*",
+          "arn:aws:secretsmanager:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:secret:gateway_credentials*",
+          "arn:aws:secretsmanager:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:secret:tavily_key*"
+        ]
+      }
+    ]
+  })
+}
+
+resource "aws_iam_policy" "bedrock_services_permissions" {
+  name = "${var.role_name}-bedrock-services-policy"
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Effect = "Allow"
+        Action = [
+          "bedrock:Retrieve",
+          "bedrock:RetrieveAndGenerate"
+        ]
+        Resource = [
+          "arn:aws:bedrock:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:knowledge-base/${var.knowledge_base_id}"
+        ]
+      },
+      {
+        Effect = "Allow"
+        Action = [
+          "bedrock:ApplyGuardrail"
+        ]
+        Resource = [
+          "arn:aws:bedrock:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:guardrail/${var.guardrail_id}"
+        ]
+      },
+      {
+        Effect = "Allow"
+        Action = [
+          "bedrock:InvokeModel",
+          "bedrock:InvokeModelWithResponseStream"
+        ]
+        Resource = [
+          "arn:aws:bedrock:${data.aws_region.current.name}::foundation-model/*"
+        ]
+      }
+    ]
+  })
+}

infra/modules/agentcore-iam-role/main.tf

@@ -0,0 +1,63 @@
+data "aws_caller_identity" "current" {}
+data "aws_region" "current" {}
+
+resource "aws_iam_role" "bedrock_agentcore_role" {
+  name = var.role_name
+
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Sid    = "AssumeRolePolicy"
+        Effect = "Allow"
+        Principal = {
+          Service = "bedrock-agentcore.amazonaws.com"
+        }
+        Action = "sts:AssumeRole"
+        Condition = {
+          StringEquals = {
+            "aws:SourceAccount" = data.aws_caller_identity.current.account_id
+          }
+          ArnLike = {
+            "aws:SourceArn" = "arn:aws:bedrock-agentcore:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:*"
+          }
+        }
+      }
+    ]
+  })
+}
+
+resource "aws_iam_role_policy_attachment" "bedrock_permissions" {
+  role       = aws_iam_role.bedrock_agentcore_role.name
+  policy_arn = aws_iam_policy.bedrock_permissions.arn
+}
+
+resource "aws_iam_role_policy_attachment" "ecr_permissions" {
+  role       = aws_iam_role.bedrock_agentcore_role.name
+  policy_arn = aws_iam_policy.ecr_permissions.arn
+}
+
+resource "aws_iam_role_policy_attachment" "logging_permissions" {
+  role       = aws_iam_role.bedrock_agentcore_role.name
+  policy_arn = aws_iam_policy.logging_permissions.arn
+}
+
+resource "aws_iam_role_policy_attachment" "monitoring_permissions" {
+  role       = aws_iam_role.bedrock_agentcore_role.name
+  policy_arn = aws_iam_policy.monitoring_permissions.arn
+}
+
+resource "aws_iam_role_policy_attachment" "agentcore_permissions" {
+  role       = aws_iam_role.bedrock_agentcore_role.name
+  policy_arn = aws_iam_policy.agentcore_permissions.arn
+}
+
+resource "aws_iam_role_policy_attachment" "config_permissions" {
+  role       = aws_iam_role.bedrock_agentcore_role.name
+  policy_arn = aws_iam_policy.config_permissions.arn
+}
+
+resource "aws_iam_role_policy_attachment" "bedrock_services_permissions" {
+  role       = aws_iam_role.bedrock_agentcore_role.name
+  policy_arn = aws_iam_policy.bedrock_services_permissions.arn
+}

infra/modules/agentcore-iam-role/outputs.tf

@@ -0,0 +1,9 @@
+output "role_arn" {
+  description = "ARN of the IAM role"
+  value       = aws_iam_role.bedrock_agentcore_role.arn
+}
+
+output "role_name" {
+  description = "Name of the IAM role"
+  value       = aws_iam_role.bedrock_agentcore_role.name
+}

infra/modules/agentcore-iam-role/variables.tf

@@ -0,0 +1,16 @@
+variable "role_name" {
+  description = "Name of the IAM role"
+  type        = string
+}
+
+variable "knowledge_base_id" {
+  description = "Knowledge Base ID to restrict access to"
+  type        = string
+  default     = "*"
+}
+
+variable "guardrail_id" {
+  description = "Guardrail ID to restrict access to"
+  type        = string
+  default     = "*"
+}

infra/modules/bedrock-guardrails/main.tf

@@ -0,0 +1,44 @@
+resource "aws_bedrock_guardrail" "guardrail" {
+  name                      = var.guardrail_name
+  blocked_input_messaging   = var.blocked_input_messaging
+  blocked_outputs_messaging = var.blocked_outputs_messaging
+  description               = var.description
+
+  content_policy_config {
+    filters_config {
+      input_strength  = "MEDIUM"
+      output_strength = "MEDIUM"
+      type            = "HATE"
+    }
+  }
+
+  sensitive_information_policy_config {
+    pii_entities_config {
+      action         = "ANONYMIZE"
+      type           = "US_BANK_ROUTING_NUMBER"
+    }
+
+    pii_entities_config {
+      action         = "ANONYMIZE"
+      type           = "US_SOCIAL_SECURITY_NUMBER"
+    }
+  }
+
+  topic_policy_config {
+    topics_config {
+      name       = "investment_topic"
+      examples   = ["Where should I invest my money ?"]
+      type       = "DENY"
+      definition = "Investment advice refers to inquiries, guidance, or recommendations regarding the management or allocation of funds or assets with the goal of generating returns ."
+    }
+  }
+
+  word_policy_config {
+    managed_word_lists_config {
+      type = "PROFANITY"
+    }
+    words_config {
+      text = "HATE"
+    }
+  }
+}

infra/modules/bedrock-guardrails/outputs.tf

@@ -0,0 +1,9 @@
+output "guardrail_id" {
+  description = "ID of the Bedrock guardrail"
+  value       = aws_bedrock_guardrail.guardrail.guardrail_id
+}
+
+output "guardrail_arn" {
+  description = "ARN of the Bedrock guardrail"
+  value       = aws_bedrock_guardrail.guardrail.guardrail_arn
+}

infra/modules/bedrock-guardrails/variables.tf

@@ -0,0 +1,20 @@
+variable "guardrail_name" {
+  description = "Name of the Bedrock guardrail"
+  type        = string
+}
+
+variable "blocked_input_messaging" {
+  description = "Message to display when input is blocked"
+  type        = string
+}
+
+variable "blocked_outputs_messaging" {
+  description = "Message to display when output is blocked"
+  type        = string
+}
+
+variable "description" {
+  description = "Description of the guardrail"
+  type        = string
+}
+