OPS-6322 Add tags and fix permissions dependencies (#3)

* OPS-6322 Add tags and fix permissions dependencies * OPS-6322 Add tags * OPS-6322 Fix lint
Flaconi · Nov 7, 2024 · 838aff5 · 838aff5
1 parent e880e27
commit 838aff5
Show file tree

Hide file tree

Showing 5 changed files with 66 additions and 17 deletions.
diff --git a/README.md b/README.md
@@ -112,6 +112,14 @@ Type: `string`
 
 Default: `"amazon.titan-embed-text-v1"`
 
+### <a name="input_knowledgebase_data_deletion_policy"></a> [knowledgebase\_data\_deletion\_policy](#input\_knowledgebase\_data\_deletion\_policy)
+
+Description: Data deletion policy for a data source. Valid values: `RETAIN`, `DELETE`
+
+Type: `string`
+
+Default: `"RETAIN"`
+
 ### <a name="input_oss_additional_roles_arns"></a> [oss\_additional\_roles\_arns](#input\_oss\_additional\_roles\_arns)
 
 Description: Additional ARNs of roles to access OpenSearch

diff --git a/examples/simple/main.tf b/examples/simple/main.tf
@@ -4,7 +4,7 @@ module "agent" {
   name       = "my-example"
   alias_name = "my-alias-name"
 
-  agent_instructions = "Imagine you are manager in a grocery store. Be kind and polite and answer question in eloquent way."
+  agent_instructions = "Imagine you are a manager in a grocery store. Be kind and polite, and answer the question in an eloquent way."
 
   knowledgebase_name        = "my-knowledgebase"
   knowledgebase_description = "Description for my knowledgebase"
@@ -14,4 +14,8 @@ module "agent" {
   oss_collection_name = var.oss_collection_name
 
   oss_additional_roles_arns = var.oss_additional_roles_arns
+
+  tags = {
+    Project = "example"
+  }
 }
diff --git a/main.tf b/main.tf
@@ -2,26 +2,44 @@ resource "aws_iam_role" "agent" {
   assume_role_policy = data.aws_iam_policy_document.agent_trust.json
   name_prefix        = "BedrockExecutionRoleForAgents_"
   path               = "/service-role/"
+
+  tags = var.tags
 }
 
-resource "aws_iam_role_policy" "agent" {
+resource "aws_iam_policy" "agent" {
   policy = data.aws_iam_policy_document.agent_permissions.json
-  role   = aws_iam_role.agent.id
+  name   = aws_iam_role.agent.name
+  path   = "/service-role/"
+
+  tags = var.tags
+}
+
+resource "aws_iam_role_policy_attachment" "agent" {
+  role       = aws_iam_role.agent.id
+  policy_arn = aws_iam_policy.agent.arn
 }
 
 resource "aws_iam_role" "knowledgebase" {
   assume_role_policy = data.aws_iam_policy_document.knowledgebase_trust.json
   name_prefix        = "BedrockExecutionRoleForKnowledgeBase_"
   path               = "/service-role/"
+
+  tags = var.tags
 }
 
-resource "aws_iam_role_policy" "knowledgebase" {
+resource "aws_iam_policy" "knowledgebase" {
   policy = data.aws_iam_policy_document.knowledgebase_permissions.json
-  role   = aws_iam_role.knowledgebase.id
+  name   = aws_iam_role.knowledgebase.name
+  path   = "/service-role/"
+
+  tags = var.tags
+}
+
+resource "aws_iam_role_policy_attachment" "knowledgebase" {
+  role       = aws_iam_role.knowledgebase.id
+  policy_arn = aws_iam_policy.knowledgebase.arn
 }
 
-# – OpenSearch Serverless Default –
-# Create a Collection
 resource "aws_opensearchserverless_collection" "this" {
   name        = var.oss_collection_name
   type        = "VECTORSEARCH"
@@ -30,11 +48,13 @@ resource "aws_opensearchserverless_collection" "this" {
     aws_opensearchserverless_security_policy.security_policy,
     aws_opensearchserverless_security_policy.nw_policy
   ]
+
+  tags = var.tags
 }
 
 # Encryption Security Policy
 resource "aws_opensearchserverless_security_policy" "security_policy" {
-  name = "oss-security-policy-${var.oss_collection_name}"
+  name = var.oss_collection_name
   type = "encryption"
   policy = jsonencode({
     Rules = [
@@ -49,7 +69,7 @@ resource "aws_opensearchserverless_security_policy" "security_policy" {
 
 # Network policy
 resource "aws_opensearchserverless_security_policy" "nw_policy" {
-  name = "nw-policy-${var.oss_collection_name}"
+  name = var.oss_collection_name
   type = "network"
   policy = jsonencode([
     {
@@ -79,7 +99,7 @@ resource "aws_opensearchserverless_security_policy" "nw_policy" {
 
 # Data policy
 resource "aws_opensearchserverless_access_policy" "data_policy" {
-  name = "oss-access-policy-${var.oss_collection_name}"
+  name = var.oss_collection_name
   type = "data"
   policy = jsonencode([
     {
@@ -188,6 +208,8 @@ resource "aws_bedrockagent_knowledge_base" "this" {
     }
   }
 
+  tags = var.tags
+
   depends_on = [time_sleep.wait_after_index_creation]
 }
 
@@ -200,6 +222,9 @@ resource "aws_bedrockagent_data_source" "this" {
       bucket_arn = var.s3_arn
     }
   }
+  data_deletion_policy = var.knowledgebase_data_deletion_policy
+
+  depends_on = [aws_iam_role_policy_attachment.knowledgebase]
 }
 
 resource "aws_bedrockagent_agent" "this" {
@@ -212,12 +237,8 @@ resource "aws_bedrockagent_agent" "this" {
   depends_on = [
     aws_bedrockagent_knowledge_base.this
   ]
-}
 
-resource "aws_bedrockagent_agent_alias" "this" {
-  agent_alias_name = var.alias_name
-  agent_id         = aws_bedrockagent_agent.this.agent_id
-  description      = var.alias_description
+  tags = var.tags
 }
 
 resource "time_sleep" "wait_10_seconds" {
@@ -234,3 +255,11 @@ resource "aws_bedrockagent_agent_knowledge_base_association" "this" {
 
   depends_on = [time_sleep.wait_10_seconds]
 }
+
+resource "aws_bedrockagent_agent_alias" "this" {
+  agent_alias_name = var.alias_name
+  agent_id         = aws_bedrockagent_agent.this.agent_id
+  description      = var.alias_description
+
+  depends_on = [aws_bedrockagent_agent_knowledge_base_association.this]
+}
diff --git a/providers.tf b/providers.tf
@@ -1,5 +1,7 @@
 provider "opensearch" {
-  url                 = aws_opensearchserverless_collection.this.collection_endpoint
+  url         = aws_opensearchserverless_collection.this.collection_endpoint
+  healthcheck = false
+
+  # We assume, that aws provider is configured with `assume_role` block.
   aws_assume_role_arn = data.aws_iam_session_context.this.issuer_arn
-  healthcheck         = false
 }
diff --git a/variables.tf b/variables.tf
@@ -41,6 +41,12 @@ variable "knowledgebase_model_id" {
   default     = "amazon.titan-embed-text-v1"
 }
 
+variable "knowledgebase_data_deletion_policy" {
+  description = "Data deletion policy for a data source. Valid values: `RETAIN`, `DELETE`"
+  type        = string
+  default     = "RETAIN"
+}
+
 variable "s3_arn" {
   description = "ARN of S3 bucket with data"
   type        = string