Flaconi · snovikov · Nov 4, 2024 · Nov 4, 2024
@@ -77,7 +77,7 @@ test: _pull-tf
 		echo "------------------------------------------------------------"; \
 		echo "# Terraform init"; \
 		echo "------------------------------------------------------------"; \
-		if docker run $$(tty -s && echo "-it" || echo) --rm -v "$(CURRENT_DIR):/t" --workdir "$${DOCKER_PATH}" hashicorp/terraform:$(TF_VERSION) \
+		if docker run $$(tty -s && echo "-it" || echo) --rm --network host -v "$(CURRENT_DIR):/t" --workdir "$${DOCKER_PATH}" hashicorp/terraform:$(TF_VERSION) \
 			init \
 				-lock=false \
 				-upgrade \

@@ -1,11 +1,10 @@
-# terraform-module-template
-Template for Terraform modules
-
-<!-- Uncomment and replace with your module name
-[![lint](https://github.com/flaconi/<MODULENAME>/workflows/lint/badge.svg)](https://github.com/flaconi/<MODULENAME>/actions?query=workflow%3Alint)
-[![test](https://github.com/flaconi/<MODULENAME>/workflows/test/badge.svg)](https://github.com/flaconi/<MODULENAME>/actions?query=workflow%3Atest)
-[![Tag](https://img.shields.io/github/tag/flaconi/<MODULENAME>.svg)](https://github.com/flaconi/<MODULENAME>/releases)
--->
+# terraform-aws-bedrock-agent
+
+Terraform module for Amazon Bedrock Agent resources
+
+[![lint](https://github.com/flaconi/terraform-aws-bedrock-agent/workflows/lint/badge.svg)](https://github.com/flaconi/terraform-aws-bedrock-agent/actions?query=workflow%3Alint)
+[![test](https://github.com/flaconi/terraform-aws-bedrock-agent/workflows/test/badge.svg)](https://github.com/flaconi/terraform-aws-bedrock-agent/actions?query=workflow%3Atest)
+[![Tag](https://img.shields.io/github/tag/flaconi/terraform-aws-bedrock-agent.svg)](https://github.com/flaconi/terraform-aws-bedrock-agent/releases)
 [![License](https://img.shields.io/badge/license-MIT-blue.svg)](https://opensource.org/licenses/MIT)
 
 For requirements regarding module structure: [style-guide-terraform.md](https://github.com/Flaconi/devops-docs/blob/master/doc/conventions/style-guide-terraform.md)
@@ -18,7 +17,9 @@ For requirements regarding module structure: [style-guide-terraform.md](https://
 <!-- TFDOCS_PROVIDER_START -->
 ## Providers
 
-No providers.
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | ~> 5.73 |
 
 <!-- TFDOCS_PROVIDER_END -->
 
@@ -28,17 +29,88 @@ No providers.
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | ~> 1.3 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 5.73 |
 
 <!-- TFDOCS_REQUIREMENTS_END -->
 
 <!-- TFDOCS_INPUTS_START -->
 ## Required Inputs
 
-No required inputs.
+The following input variables are required:
+
+### <a name="input_name"></a> [name](#input\_name)
+
+Description: Name for the agent.
+
+Type: `string`
+
+### <a name="input_alias_name"></a> [alias\_name](#input\_alias\_name)
+
+Description: Name for the agent alias.
+
+Type: `string`
+
+### <a name="input_knowledgebase_name"></a> [knowledgebase\_name](#input\_knowledgebase\_name)
+
+Description: Name for the knowledgebase.
+
+Type: `string`
+
+### <a name="input_s3_arn"></a> [s3\_arn](#input\_s3\_arn)
+
+Description: ARN of S3 bucket with data
+
+Type: `string`
+
+### <a name="input_oss_arn"></a> [oss\_arn](#input\_oss\_arn)
+
+Description: ARN of OpenSearch Serverless Collection.
+
+Type: `string`
 
 ## Optional Inputs
 
-No optional inputs.
+The following input variables are optional (have default values):
+
+### <a name="input_alias_description"></a> [alias\_description](#input\_alias\_description)
+
+Description: Description for the agent alias.
+
+Type: `string`
+
+Default: `null`
+
+### <a name="input_agent_model_id"></a> [agent\_model\_id](#input\_agent\_model\_id)
+
+Description: Model identifier for agent.
+
+Type: `string`
+
+Default: `"anthropic.claude-v2"`
+
+### <a name="input_knowledgebase_decription"></a> [knowledgebase\_decription](#input\_knowledgebase\_decription)
+
+Description: Description for the knowledgebase.
+
+Type: `string`
+
+Default: `null`
+
+### <a name="input_knowledgebase_model_id"></a> [knowledgebase\_model\_id](#input\_knowledgebase\_model\_id)
+
+Description: Model identifier for Knowledgebase.
+
+Type: `string`
+
+Default: `"amazon.titan-embed-text-v1"`
+
+### <a name="input_tags"></a> [tags](#input\_tags)
+
+Description: A map of tags to assign to the customization job and custom model.
+
+Type: `map(string)`
+
+Default: `{}`
 
 <!-- TFDOCS_INPUTS_END -->
 
@@ -53,4 +125,4 @@ No outputs.
 
 **[MIT License](LICENSE)**
 
-Copyright (c) 2023 **[Flaconi GmbH](https://github.com/flaconi)**
+Copyright (c) 2024 **[Flaconi GmbH](https://github.com/flaconi)**
@@ -0,0 +1,97 @@
+data "aws_caller_identity" "current" {}
+
+data "aws_region" "current" {}
+
+data "aws_bedrock_foundation_model" "agent" {
+  model_id = var.agent_model_id
+}
+
+data "aws_bedrock_foundation_model" "knowledgebase" {
+  model_id = var.knowledgebase_model_id
+}
+
+data "aws_iam_policy_document" "agent_trust" {
+  statement {
+    actions = ["sts:AssumeRole"]
+    principals {
+      identifiers = ["bedrock.amazonaws.com"]
+      type        = "Service"
+    }
+    condition {
+      test     = "StringEquals"
+      values   = [data.aws_caller_identity.current.account_id]
+      variable = "aws:SourceAccount"
+    }
+    condition {
+      test     = "ArnLike"
+      values   = ["arn:aws:bedrock:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:agent/*"]
+      variable = "AWS:SourceArn"
+    }
+  }
+}
+
+data "aws_iam_policy_document" "agent_permissions" {
+  statement {
+    actions = ["bedrock:InvokeModel"]
+    resources = [
+      data.aws_bedrock_foundation_model.agent.model_arn,
+    ]
+  }
+}
+
+data "aws_iam_policy_document" "knowledgebase_trust" {
+  statement {
+    actions = ["sts:AssumeRole"]
+    principals {
+      identifiers = ["bedrock.amazonaws.com"]
+      type        = "Service"
+    }
+    condition {
+      test     = "StringEquals"
+      values   = [data.aws_caller_identity.current.account_id]
+      variable = "aws:SourceAccount"
+    }
+    condition {
+      test     = "ArnLike"
+      values   = ["arn:aws:bedrock:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:knowledge-base/*"]
+      variable = "AWS:SourceArn"
+    }
+  }
+}
+
+data "aws_iam_policy_document" "knowledgebase_permissions" {
+  statement {
+    actions = ["bedrock:InvokeModel"]
+    resources = [
+      data.aws_bedrock_foundation_model.knowledgebase.model_arn,
+    ]
+  }
+  statement {
+    actions = ["aoss:APIAccessAll"]
+    resources = [
+      var.oss_arn
+    ]
+  }
+  statement {
+    actions = ["s3:ListBucket"]
+    resources = [
+      var.s3_arn
+    ]
+    condition {
+      test     = "StringEquals"
+      values   = [data.aws_caller_identity.current.account_id]
+      variable = "aws:ResourceAccount"
+    }
+  }
+  statement {
+    actions = ["s3:GetObject"]
+    resources = [
+      "${var.s3_arn}/*"
+    ]
+    condition {
+      test     = "StringEquals"
+      values   = [data.aws_caller_identity.current.account_id]
+      variable = "aws:ResourceAccount"
+    }
+  }
+}
@@ -0,0 +1,73 @@
+resource "aws_iam_role" "agent" {
+  assume_role_policy = data.aws_iam_policy_document.agent_trust.json
+  name_prefix        = "BedrockExecutionRoleForAgents_"
+}
+
+resource "aws_iam_role_policy" "agent" {
+  policy = data.aws_iam_policy_document.agent_permissions.json
+  role   = aws_iam_role.agent.id
+}
+
+resource "aws_iam_role" "knowledgebase" {
+  assume_role_policy = data.aws_iam_policy_document.knowledgebase_trust.json
+  name_prefix        = "BedrockExecutionRoleForKnowledgeBase_"
+}
+
+resource "aws_iam_role_policy" "knowledgebase" {
+  policy = data.aws_iam_policy_document.knowledgebase_permissions.json
+  role   = aws_iam_role.agent.id
+}
+
+resource "aws_bedrockagent_agent" "this" {
+  agent_name                  = var.name
+  agent_resource_role_arn     = aws_iam_role.agent.arn
+  idle_session_ttl_in_seconds = 500
+  foundation_model            = var.agent_model_id
+}
+
+resource "aws_bedrockagent_knowledge_base" "this" {
+  name     = var.knowledgebase_name
+  role_arn = aws_iam_role.knowledgebase.arn
+  knowledge_base_configuration {
+    vector_knowledge_base_configuration {
+      embedding_model_arn = data.aws_bedrock_foundation_model.knowledgebase.model_arn
+    }
+    type = "VECTOR"
+  }
+  storage_configuration {
+    type = "OPENSEARCH_SERVERLESS"
+    opensearch_serverless_configuration {
+      collection_arn    = var.oss_arn
+      vector_index_name = "bedrock-knowledge-base-default-index"
+      field_mapping {
+        vector_field   = "bedrock-knowledge-base-default-vector"
+        text_field     = "AMAZON_BEDROCK_TEXT_CHUNK"
+        metadata_field = "AMAZON_BEDROCK_METADATA"
+      }
+    }
+  }
+}
+
+resource "aws_bedrockagent_agent_alias" "this" {
+  agent_alias_name = var.alias_name
+  agent_id         = aws_bedrockagent_agent.this.agent_id
+  description      = var.alias_description
+}
+
+resource "aws_bedrockagent_data_source" "this" {
+  knowledge_base_id = aws_bedrockagent_knowledge_base.this.id
+  name              = var.knowledgebase_name
+  data_source_configuration {
+    type = "S3"
+    s3_configuration {
+      bucket_arn = var.s3_arn
+    }
+  }
+}
+
+resource "aws_bedrockagent_agent_knowledge_base_association" "this" {
+  agent_id             = aws_bedrockagent_agent.this.id
+  description          = var.knowledgebase_decription
+  knowledge_base_id    = aws_bedrockagent_knowledge_base.this.id
+  knowledge_base_state = "ENABLED"
+}
@@ -0,0 +1,54 @@
+variable "name" {
+  description = "Name for the agent."
+  type        = string
+}
+
+variable "alias_name" {
+  description = "Name for the agent alias."
+  type        = string
+}
+
+variable "alias_description" {
+  description = "Description for the agent alias."
+  type        = string
+  default     = null
+}
+
+variable "agent_model_id" {
+  description = "Model identifier for agent."
+  type        = string
+  default     = "anthropic.claude-v2"
+}
+
+variable "knowledgebase_name" {
+  description = "Name for the knowledgebase."
+  type        = string
+}
+
+variable "knowledgebase_decription" {
+  description = "Description for the knowledgebase."
+  type        = string
+  default     = null
+}
+
+variable "knowledgebase_model_id" {
+  description = "Model identifier for Knowledgebase."
+  type        = string
+  default     = "amazon.titan-embed-text-v1"
+}
+
+variable "s3_arn" {
+  description = "ARN of S3 bucket with data"
+  type        = string
+}
+
+variable "oss_arn" {
+  description = "ARN of OpenSearch Serverless Collection."
+  type        = string
+}
+
+variable "tags" {
+  description = "A map of tags to assign to the customization job and custom model."
+  type        = map(string)
+  default     = {}
+}
@@ -1,3 +1,9 @@
 terraform {
   required_version = "~> 1.3"
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5.73"
+    }
+  }
 }