From a5de45c37c8b55cd96282ea37878aec2a3b2c303 Mon Sep 17 00:00:00 2001
From: Sergey Novikov <sergey.novikov@flaconi.de>
Date: Thu, 7 Nov 2024 12:07:55 +0100
Subject: [PATCH 1/3] OPS-6322 Add settings for S3-bucket

---
 README.md                    | 17 ++++++++++++-----
 data.tf                      |  4 ++--
 examples/simple/README.md    |  2 +-
 examples/simple/main.tf      |  2 +-
 examples/simple/variables.tf |  8 ++++++--
 main.tf                      |  4 +++-
 variables.tf                 |  8 ++++++--
 versions.tf                  |  2 +-
 8 files changed, 32 insertions(+), 15 deletions(-)

diff --git a/README.md b/README.md
index 04d7e90..836cb44 100644
--- a/README.md
+++ b/README.md
@@ -7,7 +7,6 @@ Terraform module for Amazon Bedrock Agent resources
 [![Tag](https://img.shields.io/github/tag/flaconi/terraform-aws-bedrock-agent.svg)](https://github.com/flaconi/terraform-aws-bedrock-agent/releases)
 [![License](https://img.shields.io/badge/license-MIT-blue.svg)](https://opensource.org/licenses/MIT)
 
-For requirements regarding module structure: [style-guide-terraform.md](https://github.com/Flaconi/devops-docs/blob/master/doc/conventions/style-guide-terraform.md)
 
 <!-- TFDOCS_HEADER_START -->
 
@@ -20,7 +19,7 @@ For requirements regarding module structure: [style-guide-terraform.md](https://
 | Name | Version |
 |------|---------|
 | <a name="provider_aws"></a> [aws](#provider\_aws) | ~> 5.73 |
-| <a name="provider_opensearch"></a> [opensearch](#provider\_opensearch) | = 2.2.0 |
+| <a name="provider_opensearch"></a> [opensearch](#provider\_opensearch) | ~> 2.2 |
 | <a name="provider_time"></a> [time](#provider\_time) | ~> 0.12 |
 
 <!-- TFDOCS_PROVIDER_END -->
@@ -32,7 +31,7 @@ For requirements regarding module structure: [style-guide-terraform.md](https://
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | ~> 1.3 |
 | <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 5.73 |
-| <a name="requirement_opensearch"></a> [opensearch](#requirement\_opensearch) | = 2.2.0 |
+| <a name="requirement_opensearch"></a> [opensearch](#requirement\_opensearch) | ~> 2.2 |
 | <a name="requirement_time"></a> [time](#requirement\_time) | ~> 0.12 |
 
 <!-- TFDOCS_REQUIREMENTS_END -->
@@ -72,11 +71,19 @@ Description: Description for the knowledgebase.
 
 Type: `string`
 
-### <a name="input_s3_arn"></a> [s3\_arn](#input\_s3\_arn)
+### <a name="input_s3_configuration"></a> [s3\_configuration](#input\_s3\_configuration)
 
 Description: ARN of S3 bucket with data
 
-Type: `string`
+Type:
+
+```hcl
+object({
+    bucket_arn              = string
+    bucket_owner_account_id = optional(string)
+    inclusion_prefixes      = optional(string)
+  })
+```
 
 ### <a name="input_oss_collection_name"></a> [oss\_collection\_name](#input\_oss\_collection\_name)
 
diff --git a/data.tf b/data.tf
index 711e16b..92f820c 100644
--- a/data.tf
+++ b/data.tf
@@ -85,7 +85,7 @@ data "aws_iam_policy_document" "knowledgebase_permissions" {
   statement {
     actions = ["s3:ListBucket"]
     resources = [
-      var.s3_arn
+      var.s3_configuration.bucket_arn
     ]
     condition {
       test     = "StringEquals"
@@ -96,7 +96,7 @@ data "aws_iam_policy_document" "knowledgebase_permissions" {
   statement {
     actions = ["s3:GetObject"]
     resources = [
-      "${var.s3_arn}/*"
+      "${var.s3_configuration.bucket_arn}/${var.s3_configuration.inclusion_prefixes}*"
     ]
     condition {
       test     = "StringEquals"
diff --git a/examples/simple/README.md b/examples/simple/README.md
index 8bda097..b3aa01c 100644
--- a/examples/simple/README.md
+++ b/examples/simple/README.md
@@ -26,7 +26,7 @@ No resources.
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| <a name="input_s3_arn"></a> [s3\_arn](#input\_s3\_arn) | ARN of S3 bucket with data | `string` | n/a | yes |
+| <a name="input_s3_configuration"></a> [s3\_configuration](#input\_s3\_configuration) | ARN of S3 bucket with data | <pre>object({<br>    bucket_arn              = string<br>    bucket_owner_account_id = optional(string)<br>    inclusion_prefixes      = optional(string)<br>  })</pre> | n/a | yes |
 | <a name="input_oss_collection_name"></a> [oss\_collection\_name](#input\_oss\_collection\_name) | Name of OpenSearch Serverless Collection. | `string` | n/a | yes |
 | <a name="input_oss_additional_roles_arns"></a> [oss\_additional\_roles\_arns](#input\_oss\_additional\_roles\_arns) | Additional ARNs of roles to access OpenSearch | `list(string)` | `[]` | no |
 
diff --git a/examples/simple/main.tf b/examples/simple/main.tf
index b4eab6c..913db34 100644
--- a/examples/simple/main.tf
+++ b/examples/simple/main.tf
@@ -9,7 +9,7 @@ module "agent" {
   knowledgebase_name        = "my-knowledgebase"
   knowledgebase_description = "Description for my knowledgebase"
 
-  s3_arn = var.s3_arn
+  s3_configuration = var.s3_configuration
 
   oss_collection_name = var.oss_collection_name
 
diff --git a/examples/simple/variables.tf b/examples/simple/variables.tf
index b97e003..2638be1 100644
--- a/examples/simple/variables.tf
+++ b/examples/simple/variables.tf
@@ -1,6 +1,10 @@
-variable "s3_arn" {
+variable "s3_configuration" {
   description = "ARN of S3 bucket with data"
-  type        = string
+  type = object({
+    bucket_arn              = string
+    bucket_owner_account_id = optional(string)
+    inclusion_prefixes      = optional(string)
+  })
 }
 
 variable "oss_collection_name" {
diff --git a/main.tf b/main.tf
index 14b4722..b7fbce6 100644
--- a/main.tf
+++ b/main.tf
@@ -219,7 +219,9 @@ resource "aws_bedrockagent_data_source" "this" {
   data_source_configuration {
     type = "S3"
     s3_configuration {
-      bucket_arn = var.s3_arn
+      bucket_arn              = var.s3_configuration.bucket_arn
+      bucket_owner_account_id = var.s3_configuration.bucket_owner_account_id
+      inclusion_prefixes      = var.s3_configuration.inclusion_prefixes
     }
   }
   data_deletion_policy = var.knowledgebase_data_deletion_policy
diff --git a/variables.tf b/variables.tf
index ad73a43..bc39a2d 100644
--- a/variables.tf
+++ b/variables.tf
@@ -47,9 +47,13 @@ variable "knowledgebase_data_deletion_policy" {
   default     = "RETAIN"
 }
 
-variable "s3_arn" {
+variable "s3_configuration" {
   description = "ARN of S3 bucket with data"
-  type        = string
+  type = object({
+    bucket_arn              = string
+    bucket_owner_account_id = optional(string)
+    inclusion_prefixes      = optional(string)
+  })
 }
 
 variable "oss_collection_name" {
diff --git a/versions.tf b/versions.tf
index e0a126c..5951e14 100644
--- a/versions.tf
+++ b/versions.tf
@@ -7,7 +7,7 @@ terraform {
     }
     opensearch = {
       source  = "opensearch-project/opensearch"
-      version = "= 2.2.0"
+      version = "~> 2.2"
     }
     time = {
       source  = "hashicorp/time"

From b0463e68c1753ba617e2e3297d59c449a066dd35 Mon Sep 17 00:00:00 2001
From: Sergey Novikov <sergey.novikov@flaconi.de>
Date: Thu, 7 Nov 2024 13:32:57 +0100
Subject: [PATCH 2/3] OPS-6322 Fix prefixes for S3

---
 README.md                    | 2 +-
 data.tf                      | 2 +-
 examples/simple/README.md    | 2 +-
 examples/simple/main.tf      | 3 +--
 examples/simple/variables.tf | 7 +------
 variables.tf                 | 2 +-
 6 files changed, 6 insertions(+), 12 deletions(-)

diff --git a/README.md b/README.md
index 836cb44..e9c8a69 100644
--- a/README.md
+++ b/README.md
@@ -81,7 +81,7 @@ Type:
 object({
     bucket_arn              = string
     bucket_owner_account_id = optional(string)
-    inclusion_prefixes      = optional(string)
+    inclusion_prefixes      = optional(set(string), [])
   })
 ```
 
diff --git a/data.tf b/data.tf
index 92f820c..d247825 100644
--- a/data.tf
+++ b/data.tf
@@ -96,7 +96,7 @@ data "aws_iam_policy_document" "knowledgebase_permissions" {
   statement {
     actions = ["s3:GetObject"]
     resources = [
-      "${var.s3_configuration.bucket_arn}/${var.s3_configuration.inclusion_prefixes}*"
+      "${var.s3_configuration.bucket_arn}/*"
     ]
     condition {
       test     = "StringEquals"
diff --git a/examples/simple/README.md b/examples/simple/README.md
index b3aa01c..9bba4bf 100644
--- a/examples/simple/README.md
+++ b/examples/simple/README.md
@@ -26,7 +26,7 @@ No resources.
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| <a name="input_s3_configuration"></a> [s3\_configuration](#input\_s3\_configuration) | ARN of S3 bucket with data | <pre>object({<br>    bucket_arn              = string<br>    bucket_owner_account_id = optional(string)<br>    inclusion_prefixes      = optional(string)<br>  })</pre> | n/a | yes |
+| <a name="input_s3_configuration"></a> [s3\_configuration](#input\_s3\_configuration) | ARN of S3 bucket with data | <pre>object({<br>    bucket_arn              = string<br>    bucket_owner_account_id = optional(string)<br>    inclusion_prefixes      = optional(set(string), [])<br>  })</pre> | n/a | yes |
 | <a name="input_oss_collection_name"></a> [oss\_collection\_name](#input\_oss\_collection\_name) | Name of OpenSearch Serverless Collection. | `string` | n/a | yes |
 | <a name="input_oss_additional_roles_arns"></a> [oss\_additional\_roles\_arns](#input\_oss\_additional\_roles\_arns) | Additional ARNs of roles to access OpenSearch | `list(string)` | `[]` | no |
 
diff --git a/examples/simple/main.tf b/examples/simple/main.tf
index 913db34..9a6bdbe 100644
--- a/examples/simple/main.tf
+++ b/examples/simple/main.tf
@@ -11,8 +11,7 @@ module "agent" {
 
   s3_configuration = var.s3_configuration
 
-  oss_collection_name = var.oss_collection_name
-
+  oss_collection_name       = "my-collection"
   oss_additional_roles_arns = var.oss_additional_roles_arns
 
   tags = {
diff --git a/examples/simple/variables.tf b/examples/simple/variables.tf
index 2638be1..ee554a9 100644
--- a/examples/simple/variables.tf
+++ b/examples/simple/variables.tf
@@ -3,15 +3,10 @@ variable "s3_configuration" {
   type = object({
     bucket_arn              = string
     bucket_owner_account_id = optional(string)
-    inclusion_prefixes      = optional(string)
+    inclusion_prefixes      = optional(set(string), [])
   })
 }
 
-variable "oss_collection_name" {
-  description = "Name of OpenSearch Serverless Collection."
-  type        = string
-}
-
 variable "oss_additional_roles_arns" {
   description = "Additional ARNs of roles to access OpenSearch"
   type        = list(string)
diff --git a/variables.tf b/variables.tf
index bc39a2d..10e5399 100644
--- a/variables.tf
+++ b/variables.tf
@@ -52,7 +52,7 @@ variable "s3_configuration" {
   type = object({
     bucket_arn              = string
     bucket_owner_account_id = optional(string)
-    inclusion_prefixes      = optional(string)
+    inclusion_prefixes      = optional(set(string), [])
   })
 }
 

From d66e81353a1e2494c1ccdd6fadba024652c59269 Mon Sep 17 00:00:00 2001
From: Sergey Novikov <sergey.novikov@flaconi.de>
Date: Thu, 7 Nov 2024 13:34:35 +0100
Subject: [PATCH 3/3] OPS-6322 Fix lint

---
 examples/simple/README.md | 1 -
 1 file changed, 1 deletion(-)

diff --git a/examples/simple/README.md b/examples/simple/README.md
index 9bba4bf..0519d23 100644
--- a/examples/simple/README.md
+++ b/examples/simple/README.md
@@ -27,7 +27,6 @@ No resources.
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_s3_configuration"></a> [s3\_configuration](#input\_s3\_configuration) | ARN of S3 bucket with data | <pre>object({<br>    bucket_arn              = string<br>    bucket_owner_account_id = optional(string)<br>    inclusion_prefixes      = optional(set(string), [])<br>  })</pre> | n/a | yes |
-| <a name="input_oss_collection_name"></a> [oss\_collection\_name](#input\_oss\_collection\_name) | Name of OpenSearch Serverless Collection. | `string` | n/a | yes |
 | <a name="input_oss_additional_roles_arns"></a> [oss\_additional\_roles\_arns](#input\_oss\_additional\_roles\_arns) | Additional ARNs of roles to access OpenSearch | `list(string)` | `[]` | no |
 
 ## Outputs