aws bedrock support

JamesWoolfenden · May 1, 2024 · d8d00f8 · d8d00f8
1 parent 290a5cf
commit d8d00f8
Show file tree

Hide file tree

Showing 16 changed files with 367 additions and 9 deletions.
diff --git a/src/aws.go b/src/aws.go
@@ -728,6 +728,12 @@ func AwsLookup(name string) interface{} {
 		"aws_auditmanager_framework":                               awsAuditmanagerFramework,
 		"aws_auditmanager_framework_share":                         awsAuditmanagerFrameworkShare,
 		"aws_auditmanager_organization_admin_account_registration": awsAuditmanagerOrganizationAdminAccountRegistration,
+		"aws_bedrock_custom_model":                                 awsBedrockCustomModel,
+		"aws_bedrock_model_invocation_logging_configuration":       awsBedrockModelInvocationLoggingConfiguration,
+		"aws_bedrock_provisioned_model_throughput":                 awsBedrockProvisionedModelThroughput,
+		"aws_bedrockagent_agent":                                   awsBedrockagentAgent,
+		"aws_bedrockagent_agent_action_group":                      awsBedrockagentActionGroup,
+		"aws_bedrockagent_agent_alias":                             awsBedrockagentAgentAlias,
 	}
 
 	return TFLookup[name]

diff --git a/src/coverage/aws.md b/src/coverage/aws.md
@@ -55,12 +55,6 @@ Datasource percentage coverage 99.81
 ./resource.ps1 aws_appsync_resolver
 ./resource.ps1 aws_appsync_type
 ./resource.ps1 aws_athena_prepared_statement
-./resource.ps1 aws_bedrock_custom_model
-./resource.ps1 aws_bedrock_model_invocation_logging_configuration
-./resource.ps1 aws_bedrock_provisioned_model_throughput
-./resource.ps1 aws_bedrockagent_agent
-./resource.ps1 aws_bedrockagent_agent_action_group
-./resource.ps1 aws_bedrockagent_agent_alias
 ./resource.ps1 aws_chime_voice_connector
 ./resource.ps1 aws_chime_voice_connector_group
 ./resource.ps1 aws_chime_voice_connector_logging
@@ -702,4 +696,3 @@ Datasource percentage coverage 99.81
 ./resource.ps1 aws_worklink_website_certificate_authority_association
 ./resource.ps1 aws_workspaces_connection_alias
 ./resource.ps1 aws_workspaces_ip_group
-./resource.ps1 aws_identitystore_groups -type data
diff --git a/src/files.go b/src/files.go
@@ -1824,3 +1824,21 @@ var awsAuditmanagerFrameworkShare []byte
 
 //go:embed mapping/aws/resource/auditmanager/aws_auditmanager_organization_admin_account_registration.json
 var awsAuditmanagerOrganizationAdminAccountRegistration []byte
+
+//go:embed mapping/aws/resource/bedrock/aws_bedrock_custom_model.json
+var awsBedrockCustomModel []byte
+
+//go:embed mapping/aws/resource/bedrock/aws_bedrock_model_invocation_logging_configuration.json
+var awsBedrockModelInvocationLoggingConfiguration []byte
+
+//go:embed mapping/aws/resource/bedrock/aws_bedrock_provisioned_model_throughput.json
+var awsBedrockProvisionedModelThroughput []byte
+
+//go:embed mapping/aws/resource/bedrock/aws_bedrockagent_agent.json
+var awsBedrockagentAgent []byte
+
+//go:embed mapping/aws/resource/bedrock/aws_bedrockagent_agent_action_group.json
+var awsBedrockagentActionGroup []byte
+
+//go:embed mapping/aws/resource/bedrock/aws_bedrockagent_agent_alias.json
+var awsBedrockagentAgentAlias []byte
diff --git a/src/mapping/aws/resource/bedrock/aws_bedrock_custom_model.json b/src/mapping/aws/resource/bedrock/aws_bedrock_custom_model.json
@@ -0,0 +1,14 @@
+[
+  {
+    "apply": [
+      "bedrock:CreateModelCustomizationJob",
+      "bedrock:GetModelCustomizationJob"
+    ],
+    "attributes": {
+      "tags": []
+    },
+    "destroy": [],
+    "modify": [],
+    "plan": []
+  }
+]
diff --git a/src/mapping/aws/resource/bedrock/aws_bedrock_model_invocation_logging_configuration.json b/src/mapping/aws/resource/bedrock/aws_bedrock_model_invocation_logging_configuration.json
@@ -0,0 +1,17 @@
+[
+  {
+    "apply": [
+      "bedrock:PutModelInvocationLoggingConfiguration",
+      "bedrock:DeleteModelInvocationLoggingConfiguration",
+      "bedrock:GetModelInvocationLoggingConfiguration"
+    ],
+    "attributes": {
+      "tags": []
+    },
+    "destroy": [
+      "bedrock:DeleteModelInvocationLoggingConfiguration"
+    ],
+    "modify": [],
+    "plan": []
+  }
+]
diff --git a/src/mapping/aws/resource/bedrock/aws_bedrock_provisioned_model_throughput.json b/src/mapping/aws/resource/bedrock/aws_bedrock_provisioned_model_throughput.json
@@ -0,0 +1,20 @@
+[
+  {
+    "apply": [
+      "bedrock:CreateProvisionedModelThroughput",
+      "bedrock:UpdateProvisionedModelThroughput",
+      "bedrock:DeleteProvisionedModelThroughput",
+      "bedrock:GetProvisionedModelThroughput"
+    ],
+    "attributes": {
+      "tags": []
+    },
+    "destroy": [
+      "bedrock:DeleteProvisionedModelThroughput"
+    ],
+    "modify": [
+      "bedrock:UpdateProvisionedModelThroughput"
+    ],
+    "plan": []
+  }
+]
diff --git a/src/mapping/aws/resource/bedrock/aws_bedrockagent_agent.json b/src/mapping/aws/resource/bedrock/aws_bedrockagent_agent.json
@@ -0,0 +1,22 @@
+[
+  {
+    "apply": [
+      "bedrock:CreateAgent",
+      "bedrock:DeleteAgent",
+      "bedrock:UpdateAgent",
+      "iam:PassRole",
+      "bedrock:GetAgent",
+      "bedrock:PrepareAgent"
+    ],
+    "attributes": {
+      "tags": []
+    },
+    "destroy": [
+      "bedrock:DeleteAgent"
+    ],
+    "modify": [
+      "bedrock:UpdateAgent"
+    ],
+    "plan": []
+  }
+]
diff --git a/src/mapping/aws/resource/bedrock/aws_bedrockagent_agent_action_group.json b/src/mapping/aws/resource/bedrock/aws_bedrockagent_agent_action_group.json
@@ -0,0 +1,20 @@
+[
+  {
+    "apply": [
+      "bedrock:GetAgentActionGroup",
+      "bedrock:CreateAgentActionGroup",
+      "bedrock:DeleteAgentActionGroup",
+      "bedrock:UpdateAgentActionGroup"
+    ],
+    "attributes": {
+      "tags": []
+    },
+    "destroy": [
+      "bedrock:DeleteAgentActionGroup"
+    ],
+    "modify": [
+      "bedrock:UpdateAgentActionGroup"
+    ],
+    "plan": []
+  }
+]
diff --git a/src/mapping/aws/resource/bedrock/aws_bedrockagent_agent_alias.json b/src/mapping/aws/resource/bedrock/aws_bedrockagent_agent_alias.json
@@ -0,0 +1,20 @@
+[
+  {
+    "apply": [
+      "bedrock:CreateAgentAlias",
+      "bedrock:DeleteAgentAlias",
+      "bedrock:UpdateAgentAlias",
+      "bedrock:GetAgentAlias"
+    ],
+    "attributes": {
+      "tags": []
+    },
+    "destroy": [
+      "bedrock:DeleteAgentAlias"
+    ],
+    "modify": [
+      "bedrock:UpdateAgentAlias"
+    ],
+    "plan": []
+  }
+]
diff --git a/terraform/aws/backup/aws_bedrock_custom_model.tf b/terraform/aws/backup/aws_bedrock_custom_model.tf
@@ -0,0 +1,54 @@
+data "aws_bedrock_foundation_model" "example" {
+  provider = aws.central
+  model_id = "amazon.titan-text-express-v1"
+}
+
+resource "aws_bedrock_custom_model" "pike" {
+  provider              = aws.central
+  custom_model_name     = "example-model"
+  job_name              = "example-job-1"
+  base_model_identifier = data.aws_bedrock_foundation_model.example.model_arn
+  role_arn              = aws_iam_role.bedrock.arn
+
+  hyperparameters = {
+    "epochCount"              = "1"
+    "batchSize"               = "1"
+    "learningRate"            = "0.005"
+    "learningRateWarmupSteps" = "0"
+  }
+
+  output_data_config {
+    s3_uri = "s3://${aws_s3_bucket.output.id}/data/"
+  }
+
+  training_data_config {
+    s3_uri = "s3://${aws_s3_bucket.training.id}/data/train.jsonl"
+  }
+}
+
+resource "aws_s3_bucket" "training" {
+  bucket = "piketrainingjgw"
+}
+
+resource "aws_s3_bucket" "output" {
+  bucket = "pikeoutputjgw"
+}
+
+
+resource "aws_iam_role" "bedrock" {
+  assume_role_policy = jsonencode(
+    {
+      "Version" : "2012-10-17",
+      "Statement" : [
+        {
+          "Effect" : "Allow",
+          "Principal" : { "AWS" : "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root" },
+          "Action" : "sts:AssumeRole",
+        }
+      ]
+    }
+  )
+}
+
+
+data "aws_caller_identity" "current" {}
diff --git a/terraform/aws/backup/aws_bedrock_model_invocation_logging_configuration.tf b/terraform/aws/backup/aws_bedrock_model_invocation_logging_configuration.tf
@@ -0,0 +1,59 @@
+resource "aws_bedrock_model_invocation_logging_configuration" "pike" {
+  provider = aws.central
+  depends_on = [
+    aws_s3_bucket_policy.example
+  ]
+
+  logging_config {
+    embedding_data_delivery_enabled = true
+    image_data_delivery_enabled     = true
+    text_data_delivery_enabled      = true
+    s3_config {
+      bucket_name = aws_s3_bucket.example.id
+      key_prefix  = "bedrock"
+    }
+  }
+}
+
+resource "aws_s3_bucket" "example" {
+  bucket        = "pikeexamplejgw"
+  force_destroy = true
+  lifecycle {
+    ignore_changes = [
+      tags["CreatorId"], tags["CreatorName"],
+    ]
+  }
+}
+
+
+resource "aws_s3_bucket_policy" "example" {
+  bucket = aws_s3_bucket.example.bucket
+
+  policy = <<EOF
+  {
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Principal": {
+        "Service": "bedrock.amazonaws.com"
+      },
+      "Action": [
+        "s3:*"
+      ],
+      "Resource": [
+        "${aws_s3_bucket.example.arn}/*"
+      ],
+      "Condition": {
+        "StringEquals": {
+          "aws:SourceAccount": "${data.aws_caller_identity.current.account_id}"
+        },
+        "ArnLike": {
+          "aws:SourceArn": "arn:aws:bedrock:us-east-1:${data.aws_caller_identity.current.account_id}:*"
+        }
+      }
+    }
+  ]
+}
+EOF
+}
diff --git a/terraform/aws/backup/aws_bedrock_provisioned_model_throughput.tf b/terraform/aws/backup/aws_bedrock_provisioned_model_throughput.tf
@@ -0,0 +1,7 @@
+resource "aws_bedrock_provisioned_model_throughput" "pike" {
+  provider               = aws.central
+  provisioned_model_name = "example-model"
+  model_arn              = aws_bedrock_custom_model.pike.custom_model_arn
+  commitment_duration    = "SixMonths"
+  model_units            = 1
+}
diff --git a/terraform/aws/backup/aws_bedrockagent_agent.tf b/terraform/aws/backup/aws_bedrockagent_agent.tf
@@ -0,0 +1,50 @@
+resource "aws_iam_role" "example" {
+  assume_role_policy = data.aws_iam_policy_document.example_agent_trust.json
+  name_prefix        = "AmazonBedrockExecutionRoleForAgents_"
+}
+
+data "aws_iam_policy_document" "example_agent_trust" {
+  statement {
+    actions = ["sts:AssumeRole"]
+    principals {
+      identifiers = ["bedrock.amazonaws.com"]
+      type        = "Service"
+    }
+    condition {
+      test     = "StringEquals"
+      values   = [data.aws_caller_identity.current.account_id]
+      variable = "aws:SourceAccount"
+    }
+
+    condition {
+      test     = "ArnLike"
+      values   = ["arn:aws:bedrock:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:agent/*"]
+      variable = "AWS:SourceArn"
+    }
+  }
+}
+
+data "aws_iam_policy_document" "example_agent_permissions" {
+  statement {
+    actions = ["bedrock:InvokeModel"]
+    resources = [
+      "arn:aws:bedrock:${data.aws_region.current.name}::foundation-model/anthropic.claude-v2",
+    ]
+  }
+}
+
+resource "aws_iam_role_policy" "example" {
+  policy = data.aws_iam_policy_document.example_agent_permissions.json
+  role   = aws_iam_role.example.id
+}
+
+
+data "aws_region" "current" {}
+
+resource "aws_bedrockagent_agent" "test" {
+  provider                    = aws.central
+  agent_name                  = "my-agent-name"
+  agent_resource_role_arn     = aws_iam_role.example.arn
+  idle_session_ttl_in_seconds = 500
+  foundation_model            = "anthropic.claude-v2"
+}
diff --git a/terraform/aws/backup/aws_bedrockagent_agent_action_group.tf b/terraform/aws/backup/aws_bedrockagent_agent_action_group.tf
@@ -0,0 +1,6 @@
+resource "aws_bedrockagent_agent_action_group" "pike" {
+  provider          = aws.central
+  action_group_name = "pike"
+  agent_id          = aws_bedrockagent_agent.test.agent_id
+  agent_version     = "DRAFT"
+}
diff --git a/terraform/aws/backup/aws_bedrockagent_agent_alias.tf b/terraform/aws/backup/aws_bedrockagent_agent_alias.tf
@@ -0,0 +1,6 @@
+resource "aws_bedrockagent_agent_alias" "example" {
+  provider         = aws.central
+  agent_alias_name = "my-agent-alias"
+  agent_id         = aws_bedrockagent_agent.test.agent_id
+  description      = "Test ALias"
+}