From 29db122a058b62899f83bccb81f335635bf57f88 Mon Sep 17 00:00:00 2001
From: "Matthew C. Morgan"
Date: Mon, 13 Apr 2026 14:28:14 -0400
Subject: [PATCH 01/23] just add bedrock to service role create
---
 policies/sc-developer/policy.tf | 31 ++++++++++++++++---------------
 1 file changed, 16 insertions(+), 15 deletions(-)
diff --git a/policies/sc-developer/policy.tf b/policies/sc-developer/policy.tf
index 0fff97b..86a1885 100644
--- a/policies/sc-developer/policy.tf
+++ b/policies/sc-developer/policy.tf
@@ -51,45 +51,45 @@ data "aws_iam_policy_document" "inline" {
 effect = "Allow"
 resources = ["*"]
 actions = [
- "athena:*",
+ "aoss:*",
 "apigateway:*",
+ "athena:*",
 "bedrock:*",
- "logs:*",
 "cloudshell:*",
 "cloudwatch:*",
 "codebuild:*",
 "codecommit:*",
 "codedeploy:*",
 "codepipeline:*",
- "dynamodb:*",
 "dms:*",
+ "dynamodb:*",
 "ebs:*",
 "ecr:*",
 "ecs:*",
 "eks:*",
 "elasticfilesystem:*",
 "elasticloadbalancing:*",
+ "elasticloadbalancingv2:*",
+ "elasticmapreduce:*",
+ "es:*",
 "firehose:*",
+ "glue:*",
 "inspector2:BatchGet*",
 "inspector2:Describe*",
 "inspector2:Get*",
 "inspector2:List*",
- "elasticloadbalancingv2:*",
- "elasticmapreduce:*",
- "es:*",
- "aoss:*",
- "glue:*",
+ "kinesis:*",
 "lambda:*",
+ "logs:*",
 "mq:*",
 "quicksight:*",
 "rds:*",
 "s3:*",
+ "sagemaker:*",
 "secretsmanager:*",
- "states:*",
 "sqs:*",
- "kinesis:*",
+ "states:*",
 "transfer:*",
- "sagemaker:*",
 ]
 }
 statement {
@@ -239,6 +239,7 @@ data "aws_iam_policy_document" "inline" {
 format(local.all_account_arn_iam, format("role/aws-service-role/%v.amazonaws.com/AWSServiceRoleFor%v", "elasticloadbalancing", "ElasticLoadBalancing*")),
 format(local.all_account_arn_iam, format("role/aws-service-role/%v.amazonaws.com/AWSServiceRoleFor%v", "mq", "MQ*")),
 format(local.all_account_arn_iam, format("role/aws-service-role/%v.amazonaws.com/AWSServiceRoleFor%v", "rds", "RDS*")),
+ format(local.all_account_arn_iam, format("role/service-role/%v", "AmazonBedrockExecutionRoleForAgents*")),
 ]
 actions = [
 "iam:PutRolePolicy",
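Review bot: The added `role/service-role/AmazonBedrockExecutionRoleForAgents*` entry puts a developer-nameable role prefix into a statement that grants `iam:PutRolePolicy` (visible here) and `iam:AttachRolePolicy` (visible as context in the next commit), whereas every existing entry is an `aws-service-role/` path that only AWS populates. Inline policies written through PutRolePolicy cannot be narrowed by an `iam:PolicyARN` condition, so the only effective ceiling on such a role is a permissions boundary set when it is created. That matters because later commits in this series add `iam:CreateRole` on the same prefix (patch 02) and `bedrock.amazonaws.com` to `iam:PassedToService` (patch 06); a short comment above the new line, e.g. `# developer-created role: permissions bounded only by the CreateRole statement's boundary condition`, would record that dependency. The enclosing statement begins before this hunk, so its sid and full action list are not visible here.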
@@ -268,15 +269,15 @@ data "aws_iam_policy_document" "inline" {
 test = "StringEquals"
 variable = "iam:PassedToService"
 values = [
+ "apigateway.amazonaws.com",
+ "ecs-tasks.amazonaws.com",
+ "ecs.amazonaws.com",
 "firehose.amazonaws.com",
 "glue.amazonaws.com",
+ "lambda.amazonaws.com",
 "rds.amazonaws.com",
 "s3.amazonaws.com",
- "lambda.amazonaws.com",
- "ecs.amazonaws.com",
- "ecs-tasks.amazonaws.com",
 "states.amazonaws.com",
- "apigateway.amazonaws.com"
 ]
 }
 }
From e01ab76da67e5d3d9c2360c100c92b21eb9d5415 Mon Sep 17 00:00:00 2001
From: "Matthew C. Morgan"
Date: Mon, 13 Apr 2026 14:43:25 -0400
Subject: [PATCH 02/23] scoped create role for bedrock
---
 policies/sc-developer/policy.tf | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/policies/sc-developer/policy.tf b/policies/sc-developer/policy.tf
index 86a1885..220ae70 100644
--- a/policies/sc-developer/policy.tf
+++ b/policies/sc-developer/policy.tf
@@ -246,6 +246,14 @@ data "aws_iam_policy_document" "inline" {
 "iam:AttachRolePolicy",
 ]
 }
+ statement {
+ sid = "AllowIAMRoleRead"
+ effect = "Allow"
+ resources = [format(local.all_account_arn_iam, format("role/service-role/%v", "AmazonBedrockExecutionRoleForAgents*"))]
+ actions = [
+ "iam:CreateRole",
+ ]
+ }
 # statement {
 # sid = "AllowServiceLinkedRoleCreate"
 # effect = "Allow"
From 1088d20e0c05e6e761c89c96dec3527cffec2b96 Mon Sep 17 00:00:00 2001
From: "Matthew C. Morgan"
Date: Mon, 13 Apr 2026 14:51:00 -0400
Subject: [PATCH 03/23] add scoped create policy
---
 policies/sc-developer/policy.tf | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/policies/sc-developer/policy.tf b/policies/sc-developer/policy.tf
index 220ae70..9d0aee7 100644
--- a/policies/sc-developer/policy.tf
+++ b/policies/sc-developer/policy.tf
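Review bot: The new statement's `sid = "AllowIAMRoleRead"` does not describe its only action, `iam:CreateRole`; `sid = "AllowIAMRoleCreate"` would, and sids are what show up in CloudTrail-based reviews of which statement authorized a call. Because the same `AmazonBedrockExecutionRoleForAgents*` prefix is granted PutRolePolicy/AttachRolePolicy in the statement just above, a role created here can be given permissions this policy does not otherwise control; requiring a boundary at creation, e.g. `condition { test = "StringEquals" variable = "iam:PermissionsBoundary" values = [<placeholder: boundary policy ARN>] }`, gives every developer-created Bedrock role a known ceiling. The `local.all_account_arn_iam` format string is defined outside this hunk, so the account/partition scope of the resource cannot be confirmed here.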
@@ -254,6 +254,14 @@ data "aws_iam_policy_document" "inline" {
 "iam:CreateRole",
 ]
 }
+ statement {
+ sid = "AllowIAMPolicyCreate"
+ effect = "Allow"
+ resources = [format(local.all_account_arn_iam, format("policy/%v", "AmazonBedrockAgentBedrockFoundationModelPolicy*"))]
+ actions = [
+ "iam:CreatePolicy",
+ ]
+ }
 # statement {
 # sid = "AllowServiceLinkedRoleCreate"
 # effect = "Allow"
From c788890cded30e1c6e286ee9d4f9aa91bce16308 Mon Sep 17 00:00:00 2001
From: "Matthew C. Morgan"
Date: Mon, 13 Apr 2026 14:56:51 -0400
Subject: [PATCH 04/23] maybe not arn
---
 policies/sc-developer/policy.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policies/sc-developer/policy.tf b/policies/sc-developer/policy.tf
index 9d0aee7..191d269 100644
--- a/policies/sc-developer/policy.tf
+++ b/policies/sc-developer/policy.tf
@@ -257,7 +257,7 @@ data "aws_iam_policy_document" "inline" {
 statement {
 sid = "AllowIAMPolicyCreate"
 effect = "Allow"
- resources = [format(local.all_account_arn_iam, format("policy/%v", "AmazonBedrockAgentBedrockFoundationModelPolicy*"))]
+ resources = ["*AmazonBedrockAgentBedrockFoundationModelPolicy*"]
 actions = [
 "iam:CreatePolicy",
 ]
From 667c468d1a87fa74efc29de0d21161694f81d1ca Mon Sep 17 00:00:00 2001
From: "Matthew C. Morgan"
Date: Mon, 13 Apr 2026 14:58:15 -0400
Subject: [PATCH 05/23] arn required
---
 policies/sc-developer/policy.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policies/sc-developer/policy.tf b/policies/sc-developer/policy.tf
index 191d269..a6dbf3e 100644
--- a/policies/sc-developer/policy.tf
+++ b/policies/sc-developer/policy.tf
@@ -257,7 +257,7 @@ data "aws_iam_policy_document" "inline" {
 statement {
 sid = "AllowIAMPolicyCreate"
 effect = "Allow"
- resources = ["*AmazonBedrockAgentBedrockFoundationModelPolicy*"]
+ resources = [format(local.all_account_arn_iam, format("policy/%v", "*AmazonBedrockAgentBedrockFoundationModelPolicy*"))]
 actions = [
 "iam:CreatePolicy",
 ]
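Review bot: The leading `*` in `policy/*AmazonBedrockAgentBedrockFoundationModelPolicy*` is new relative to patch 03's `policy/AmazonBedrockAgentBedrockFoundationModelPolicy*`, and it matches a policy in any path and with any name prefix, which is wider than the "arn required" subject suggests. If the wildcard is only there to tolerate a path segment, `policy/*/AmazonBedrockAgentBedrockFoundationModelPolicy*` alongside the unpathed form keeps the name anchored at its start. A comment on the line stating which console-generated name the pattern is meant to match, e.g. `# Bedrock console creates <name>_<suffix>; leading * allows an optional path`, would let a reviewer judge the wildcard without re-deriving it.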
From e38d20dd23bf4eb320fb28bcf34a14e2dfdaa7e8 Mon Sep 17 00:00:00 2001
From: "Matthew C. Morgan"
Date: Mon, 13 Apr 2026 15:02:49 -0400
Subject: [PATCH 06/23] passrole for bedrock
---
 policies/sc-developer/policy.tf | 1 +
 1 file changed, 1 insertion(+)
diff --git a/policies/sc-developer/policy.tf b/policies/sc-developer/policy.tf
index a6dbf3e..d8e4894 100644
--- a/policies/sc-developer/policy.tf
+++ b/policies/sc-developer/policy.tf
@@ -286,6 +286,7 @@ data "aws_iam_policy_document" "inline" {
 variable = "iam:PassedToService"
 values = [
 "apigateway.amazonaws.com",
+ "bedrock.amazonaws.com",
 "ecs-tasks.amazonaws.com",
 "ecs.amazonaws.com",
 "firehose.amazonaws.com",
From f54b6c74197e0091cab3379ae70a5f5dedbbf489 Mon Sep 17 00:00:00 2001
From: "Matthew C. Morgan"
Date: Tue, 14 Apr 2026 12:16:24 -0400
Subject: [PATCH 07/23] add service linked role create for knowledge bases in bedrock
---
 policies/sc-developer/policy.tf | 19 ++++++++++---------
 1 file changed, 10 insertions(+), 9 deletions(-)
diff --git a/policies/sc-developer/policy.tf b/policies/sc-developer/policy.tf
index d8e4894..47c41df 100644
--- a/policies/sc-developer/policy.tf
+++ b/policies/sc-developer/policy.tf
@@ -262,18 +262,19 @@ data "aws_iam_policy_document" "inline" {
 "iam:CreatePolicy",
 ]
 }
- # statement {
- # sid = "AllowServiceLinkedRoleCreate"
- # effect = "Allow"
- # resources = [
+ statement {
+ sid = "AllowServiceLinkedRoleCreate"
+ effect = "Allow"
+ resources = [
+ "arn:aws-us-gov:iam::*:role/aws-service-role/observability.aoss.amazonaws.com/AWSServiceRoleForAmazonOpenSearchServerless",
 # "arn:aws-us-gov:iam::*:role/aws-service-role/dynamodb.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_DynamoDBTable",
 # "arn:aws-us-gov:iam::*:role/aws-service-role/ecs.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_ECSService",
 # "arn:aws-us-gov:iam::*:role/aws-service-role/rds.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_RDSCluster",
- # ]
- # actions = [
- # "iam:CreateServiceLinkedRole",
- # ]
- # }
+ ]
+ actions = [
+ "iam:CreateServiceLinkedRole",
+ ]
+ }
 statement {
 sid = "AllowIamPassRole"
 effect = "Allow"
From 269a5652b989a81888385cd884f7c3f328ce4bb9 Mon Sep 17 00:00:00 2001
From: "Matthew C. Morgan"
Date: Tue, 14 Apr 2026 14:21:43 -0400
Subject: [PATCH 08/23] no service linked roles
---
 policies/sc-developer/policy.tf | 22 +++++++++++-----------
 1 file changed, 11 insertions(+), 11 deletions(-)
diff --git a/policies/sc-developer/policy.tf b/policies/sc-developer/policy.tf
index 47c41df..cee0cce 100644
--- a/policies/sc-developer/policy.tf
+++ b/policies/sc-developer/policy.tf
@@ -257,24 +257,24 @@ data "aws_iam_policy_document" "inline" {
 statement {
 sid = "AllowIAMPolicyCreate"
 effect = "Allow"
- resources = [format(local.all_account_arn_iam, format("policy/%v", "*AmazonBedrockAgentBedrockFoundationModelPolicy*"))]
+ resources = [format(local.all_account_arn_iam, format("policy/%v", "*AmaznoBedrockAgentBedrockFoundationModelPolicy*"))]
 actions = [
 "iam:CreatePolicy",
 ]
 }
- statement {
- sid = "AllowServiceLinkedRoleCreate"
- effect = "Allow"
- resources = [
- "arn:aws-us-gov:iam::*:role/aws-service-role/observability.aoss.amazonaws.com/AWSServiceRoleForAmazonOpenSearchServerless",
+ # Service Linked roles are created per account in common/service-linked-roles.tf
+ # statement {
+ # sid = "AllowServiceLinkedRoleCreate"
+ # effect = "Allow"
+ # resources = [
 # "arn:aws-us-gov:iam::*:role/aws-service-role/dynamodb.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_DynamoDBTable",
 # "arn:aws-us-gov:iam::*:role/aws-service-role/ecs.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_ECSService",
 # "arn:aws-us-gov:iam::*:role/aws-service-role/rds.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_RDSCluster",
- ]
- actions = [
- "iam:CreateServiceLinkedRole",
- ]
- }
+ # ]
+ # actions = [
+ # "iam:CreateServiceLinkedRole",
+ # ]
+ # }
 statement {
 sid = "AllowIamPassRole"
 effect = "Allow"
From be0853f6a7c3c59710d36899b4e70b16323cb8dc Mon Sep 17 00:00:00 2001
From: "Matthew C. Morgan"
Date: Tue, 14 Apr 2026 17:13:12 -0400
Subject: [PATCH 09/23] add AmazonBedrockAgentInferenceProfilesCrossRegionPolicy
---
 policies/sc-developer/policy.tf | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/policies/sc-developer/policy.tf b/policies/sc-developer/policy.tf
index cee0cce..c82e92d 100644
--- a/policies/sc-developer/policy.tf
+++ b/policies/sc-developer/policy.tf
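Review bot: The first changed line rewrites the `AllowIAMPolicyCreate` resource from `*AmazonBedrock…` to `*AmaznoBedrock…`, which is unrelated to the "no service linked roles" subject and means the pattern no longer matches the console-generated policy name it was scoped to; patch 10 later corrects the spelling, but this commit should not carry the regression. The re-commented service-linked-role block and the new `# Service Linked roles are created per account in common/service-linked-roles.tf` comment are the intended change and read clearly.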
@@ -257,7 +257,11 @@ data "aws_iam_policy_document" "inline" {
 statement {
 sid = "AllowIAMPolicyCreate"
 effect = "Allow"
- resources = [format(local.all_account_arn_iam, format("policy/%v", "*AmaznoBedrockAgentBedrockFoundationModelPolicy*"))]
+ resources = [
+ format(local.all_account_arn_iam, format("policy/%v", "*AmaznoBedrockAgentBedrockFoundationModelPolicy*")),
+ format(local.all_account_arn_iam, format("policy/%v", "*AmaznoBedrockAgentInferenceProfilesCrossRegionPolicy*")),
+
+ ]
 actions = [
 "iam:CreatePolicy",
 ]
From deb5ee8370f61d61a51c5831c47c536c7c8f0924 Mon Sep 17 00:00:00 2001
From: "Matthew C. Morgan"
Date: Tue, 14 Apr 2026 17:24:23 -0400
Subject: [PATCH 10/23] typo
---
 policies/sc-developer/policy.tf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/policies/sc-developer/policy.tf b/policies/sc-developer/policy.tf
index c82e92d..a3e5139 100644
--- a/policies/sc-developer/policy.tf
+++ b/policies/sc-developer/policy.tf
@@ -258,8 +258,8 @@ data "aws_iam_policy_document" "inline" {
 sid = "AllowIAMPolicyCreate"
 effect = "Allow"
 resources = [
- format(local.all_account_arn_iam, format("policy/%v", "*AmaznoBedrockAgentBedrockFoundationModelPolicy*")),
- format(local.all_account_arn_iam, format("policy/%v", "*AmaznoBedrockAgentInferenceProfilesCrossRegionPolicy*")),
+ format(local.all_account_arn_iam, format("policy/%v", "*AmazonBedrockAgentBedrockFoundationModelPolicy*")),
+ format(local.all_account_arn_iam, format("policy/%v", "*AmazonBedrockAgentInferenceProfilesCrossRegionPolicy*")),

 ]
 actions = [
From d4c39dcfe3b0cf0cca41b35b4c28c52eba0acafe Mon Sep 17 00:00:00 2001
From: "Matthew C. Morgan"
Date: Tue, 14 Apr 2026 17:41:09 -0400
Subject: [PATCH 11/23] add another policy and CreatePolicyVersion
---
 policies/sc-developer/policy.tf | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/policies/sc-developer/policy.tf b/policies/sc-developer/policy.tf
index a3e5139..a0b2e4a 100644
--- a/policies/sc-developer/policy.tf
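Review bot: The new `resources` list adds an empty line before the closing `]`, which `terraform fmt` will flag and which patch 16 later removes; drop it in this commit. Both entries also still carry the misspelled `*AmaznoBedrock…` prefix from patch 08, so neither pattern matches a real policy name until patch 10 fixes the spelling.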
+++ b/policies/sc-developer/policy.tf
@@ -260,10 +260,12 @@ data "aws_iam_policy_document" "inline" {
 resources = [
 format(local.all_account_arn_iam, format("policy/%v", "*AmazonBedrockAgentBedrockFoundationModelPolicy*")),
 format(local.all_account_arn_iam, format("policy/%v", "*AmazonBedrockAgentInferenceProfilesCrossRegionPolicy*")),
+ format(local.all_account_arn_iam, format("policy/%v", "*AmazonBedrockS3PolicyForKnowledgeBase_AmazonBedrockExecutionRoleForAgents*")),

 ]
 actions = [
 "iam:CreatePolicy",
+ "iam:CreatePolicyVersion",
 ]
 }
 # Service Linked roles are created per account in common/service-linked-roles.tf
From 711b4bd6a329ed94f3dc858a6da488ad2f596036 Mon Sep 17 00:00:00 2001
From: "Matthew C. Morgan"
Date: Tue, 14 Apr 2026 17:43:46 -0400
Subject: [PATCH 12/23] exeuction role for knowledge base
---
 policies/sc-developer/policy.tf | 1 +
 1 file changed, 1 insertion(+)
diff --git a/policies/sc-developer/policy.tf b/policies/sc-developer/policy.tf
index a0b2e4a..437c1cd 100644
--- a/policies/sc-developer/policy.tf
+++ b/policies/sc-developer/policy.tf
@@ -240,6 +240,7 @@ data "aws_iam_policy_document" "inline" {
 format(local.all_account_arn_iam, format("role/aws-service-role/%v.amazonaws.com/AWSServiceRoleFor%v", "mq", "MQ*")),
 format(local.all_account_arn_iam, format("role/aws-service-role/%v.amazonaws.com/AWSServiceRoleFor%v", "rds", "RDS*")),
 format(local.all_account_arn_iam, format("role/service-role/%v", "AmazonBedrockExecutionRoleForAgents*")),
+ format(local.all_account_arn_iam, format("role/service-role/%v", "AmazonBedrockExecutionRoleForKnowledgeBase*")),
 ]
 actions = [
 "iam:PutRolePolicy",
From 1c6eb5f58d7bd497762e6e82dd7689cca0b3abcb Mon Sep 17 00:00:00 2001
From: "Matthew C. Morgan"
Date: Tue, 14 Apr 2026 17:51:06 -0400
Subject: [PATCH 13/23] add in the createRole section
---
 policies/sc-developer/policy.tf | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
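Review bot: Adding `iam:CreatePolicyVersion` to this statement changes it from "create new policies" to "rewrite existing ones": a new version set as default takes effect immediately for every role the policy is already attached to, and the only guard is the name-pattern match, whose leading `*` also catches policies created by others with that substring in the name. If the intent is only to let developers update policies they created themselves, scoping by a dedicated path (e.g. `policy/bedrock-dev/…`) or a resource-tag condition would narrow it; `iam:DeletePolicyVersion`, added to the same statement in patch 14, inherits the same scope. A comment above the action, `# CreatePolicyVersion edits existing policies in place; scope relies solely on the name patterns above`, would at least make the reach explicit. The statement's `sid` and `effect` lines are outside this hunk.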
diff --git a/policies/sc-developer/policy.tf b/policies/sc-developer/policy.tf
index 437c1cd..5c87224 100644
--- a/policies/sc-developer/policy.tf
+++ b/policies/sc-developer/policy.tf
@@ -250,7 +250,10 @@ data "aws_iam_policy_document" "inline" {
 statement {
 sid = "AllowIAMRoleRead"
 effect = "Allow"
- resources = [format(local.all_account_arn_iam, format("role/service-role/%v", "AmazonBedrockExecutionRoleForAgents*"))]
+ resources = [
+ format(local.all_account_arn_iam, format("role/service-role/%v", "AmazonBedrockExecutionRoleForAgents*")),
+ format(local.all_account_arn_iam, format("role/service-role/%v", "AmazonBedrockExecutionRoleForKnowledgeBase*")),
+ ]
 actions = [
 "iam:CreateRole",
 ]
From 16e8322db8f71d75cc70ea5882d32f833ca9caca Mon Sep 17 00:00:00 2001
From: "Matthew C. Morgan"
Date: Tue, 14 Apr 2026 17:56:20 -0400
Subject: [PATCH 14/23] add iam:deletePolicyVersion
---
 policies/sc-developer/policy.tf | 1 +
 1 file changed, 1 insertion(+)
diff --git a/policies/sc-developer/policy.tf b/policies/sc-developer/policy.tf
index 5c87224..787cb1e 100644
--- a/policies/sc-developer/policy.tf
+++ b/policies/sc-developer/policy.tf
@@ -270,6 +270,7 @@ data "aws_iam_policy_document" "inline" {
 actions = [
 "iam:CreatePolicy",
 "iam:CreatePolicyVersion",
+ "iam:DeletePolicyVersion",
 ]
 }
 # Service Linked roles are created per account in common/service-linked-roles.tf
From 88ddbbb1da6a11e289132b10bdbdcc7edc26f6b2 Mon Sep 17 00:00:00 2001
From: "Matthew C. Morgan"
Date: Tue, 14 Apr 2026 18:30:27 -0400
Subject: [PATCH 15/23] add FoundationModelPolicyForKnowledgeBase
---
 policies/sc-developer/policy.tf | 1 +
 1 file changed, 1 insertion(+)
diff --git a/policies/sc-developer/policy.tf b/policies/sc-developer/policy.tf
index 787cb1e..7d6e130 100644
--- a/policies/sc-developer/policy.tf
+++ b/policies/sc-developer/policy.tf
@@ -265,6 +265,7 @@ data "aws_iam_policy_document" "inline" {
 format(local.all_account_arn_iam, format("policy/%v", "*AmazonBedrockAgentBedrockFoundationModelPolicy*")),
 format(local.all_account_arn_iam, format("policy/%v", "*AmazonBedrockAgentInferenceProfilesCrossRegionPolicy*")),
 format(local.all_account_arn_iam, format("policy/%v", "*AmazonBedrockS3PolicyForKnowledgeBase_AmazonBedrockExecutionRoleForAgents*")),
+ format(local.all_account_arn_iam, format("policy/%v", "*AmazonBedrockFoundationModelPolicyForKnowledgeBase_AmazonBedrockExecutionRoleForAgents*")),

 ]
 actions = [
From 1179009873049a3788e10efa09688ea6fe9eb161 Mon Sep 17 00:00:00 2001
From: "Matthew C. Morgan"
Date: Tue, 14 Apr 2026 18:48:14 -0400
Subject: [PATCH 16/23] another policy create
---
 policies/sc-developer/policy.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policies/sc-developer/policy.tf b/policies/sc-developer/policy.tf
index 7d6e130..f1da06b 100644
--- a/policies/sc-developer/policy.tf
+++ b/policies/sc-developer/policy.tf
@@ -263,10 +263,10 @@ data "aws_iam_policy_document" "inline" {
 effect = "Allow"
 resources = [
 format(local.all_account_arn_iam, format("policy/%v", "*AmazonBedrockAgentBedrockFoundationModelPolicy*")),
+ format(local.all_account_arn_iam, format("policy/%v", "*AmazonBedrockS3PolicyForKnowledgeBase*")),
 format(local.all_account_arn_iam, format("policy/%v", "*AmazonBedrockAgentInferenceProfilesCrossRegionPolicy*")),
 format(local.all_account_arn_iam, format("policy/%v", "*AmazonBedrockS3PolicyForKnowledgeBase_AmazonBedrockExecutionRoleForAgents*")),
 format(local.all_account_arn_iam, format("policy/%v", "*AmazonBedrockFoundationModelPolicyForKnowledgeBase_AmazonBedrockExecutionRoleForAgents*")),
-
 ]
 actions = [
 "iam:CreatePolicy",
From 1c370a334492eda1f9c73d91619f5ab88a991c2d Mon Sep 17 00:00:00 2001
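Review bot: The new `*AmazonBedrockS3PolicyForKnowledgeBase*` pattern already matches every ARN that `*AmazonBedrockS3PolicyForKnowledgeBase_AmazonBedrockExecutionRoleForAgents*` two lines below matches, so the longer entry is now dead and can be removed; the same overlap appears in patch 17, where `*AmazonBedrockFoundationModelPolicyForKnowledgeBase*` subsumes the `…ForKnowledgeBase_AmazonBedrockExecutionRoleForAgents*` entry. Since the shorter, wider patterns are the ones that actually take effect, a comment above the list naming the console-generated policy families they are intended to cover would make the intended scope reviewable. The statement's `sid` line is outside this hunk.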
From: "Matthew C. Morgan"
Date: Tue, 14 Apr 2026 18:53:00 -0400
Subject: [PATCH 17/23] another policy version
---
 policies/sc-developer/policy.tf | 1 +
 1 file changed, 1 insertion(+)
diff --git a/policies/sc-developer/policy.tf b/policies/sc-developer/policy.tf
index f1da06b..64f3bc4 100644
--- a/policies/sc-developer/policy.tf
+++ b/policies/sc-developer/policy.tf
@@ -264,6 +264,7 @@ data "aws_iam_policy_document" "inline" {
 resources = [
 format(local.all_account_arn_iam, format("policy/%v", "*AmazonBedrockAgentBedrockFoundationModelPolicy*")),
 format(local.all_account_arn_iam, format("policy/%v", "*AmazonBedrockS3PolicyForKnowledgeBase*")),
+ format(local.all_account_arn_iam, format("policy/%v", "*AmazonBedrockFoundationModelPolicyForKnowledgeBase*")),
 format(local.all_account_arn_iam, format("policy/%v", "*AmazonBedrockAgentInferenceProfilesCrossRegionPolicy*")),
 format(local.all_account_arn_iam, format("policy/%v", "*AmazonBedrockS3PolicyForKnowledgeBase_AmazonBedrockExecutionRoleForAgents*")),
 format(local.all_account_arn_iam, format("policy/%v", "*AmazonBedrockFoundationModelPolicyForKnowledgeBase_AmazonBedrockExecutionRoleForAgents*")),
From bca6cf3796612ed340cb622afe0a853fd9374f30 Mon Sep 17 00:00:00 2001
From: "Matthew C. Morgan"
Date: Tue, 14 Apr 2026 19:15:25 -0400
Subject: [PATCH 18/23] amazonbedrockOSSpolicy
---
 policies/sc-developer/policy.tf | 1 +
 1 file changed, 1 insertion(+)
diff --git a/policies/sc-developer/policy.tf b/policies/sc-developer/policy.tf
index 64f3bc4..97b043a 100644
--- a/policies/sc-developer/policy.tf
+++ b/policies/sc-developer/policy.tf
@@ -264,6 +264,7 @@ data "aws_iam_policy_document" "inline" {
 resources = [
 format(local.all_account_arn_iam, format("policy/%v", "*AmazonBedrockAgentBedrockFoundationModelPolicy*")),
 format(local.all_account_arn_iam, format("policy/%v", "*AmazonBedrockS3PolicyForKnowledgeBase*")),
+ format(local.all_account_arn_iam, format("policy/%v", "*AmazonBedrockOSSPolicyForKnowledgeBase*")),
 format(local.all_account_arn_iam, format("policy/%v", "*AmazonBedrockFoundationModelPolicyForKnowledgeBase*")),
 format(local.all_account_arn_iam, format("policy/%v", "*AmazonBedrockAgentInferenceProfilesCrossRegionPolicy*")),
 format(local.all_account_arn_iam, format("policy/%v", "*AmazonBedrockS3PolicyForKnowledgeBase_AmazonBedrockExecutionRoleForAgents*")),
From d25ee7d12926e4686667d3aaeaedfe287b86daca Mon Sep 17 00:00:00 2001
From: "Matthew C. Morgan"
Date: Wed, 15 Apr 2026 12:01:51 -0400
Subject: [PATCH 19/23] another policy AmazonBedrockAgentRetrieveKnowledgeBasePolicy
---
 policies/sc-developer/policy.tf | 1 +
 1 file changed, 1 insertion(+)
diff --git a/policies/sc-developer/policy.tf b/policies/sc-developer/policy.tf
index 97b043a..23a3d3e 100644
--- a/policies/sc-developer/policy.tf
+++ b/policies/sc-developer/policy.tf
@@ -265,6 +265,7 @@ data "aws_iam_policy_document" "inline" {
 format(local.all_account_arn_iam, format("policy/%v", "*AmazonBedrockAgentBedrockFoundationModelPolicy*")),
 format(local.all_account_arn_iam, format("policy/%v", "*AmazonBedrockS3PolicyForKnowledgeBase*")),
 format(local.all_account_arn_iam, format("policy/%v", "*AmazonBedrockOSSPolicyForKnowledgeBase*")),
+ format(local.all_account_arn_iam, format("policy/%v", "*AmazonBedrockAgentRetrieveKnowledgeBasePolicy*")),
 format(local.all_account_arn_iam, format("policy/%v", "*AmazonBedrockFoundationModelPolicyForKnowledgeBase*")),
 format(local.all_account_arn_iam, format("policy/%v", "*AmazonBedrockAgentInferenceProfilesCrossRegionPolicy*")),
 format(local.all_account_arn_iam, format("policy/%v", "*AmazonBedrockS3PolicyForKnowledgeBase_AmazonBedrockExecutionRoleForAgents*")),
From a02fddc99ec2037333a381e0bdbdaef67eb7a826 Mon Sep 17 00:00:00 2001
From: "Matthew C. Morgan"
Date: Mon, 20 Apr 2026 15:39:00 -0400
Subject: [PATCH 20/23] add execution role for flows and agent chat functions
---
 policies/sc-developer/policy.tf | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/policies/sc-developer/policy.tf b/policies/sc-developer/policy.tf
index 23a3d3e..c1c56db 100644
--- a/policies/sc-developer/policy.tf
+++ b/policies/sc-developer/policy.tf
@@ -252,7 +252,9 @@ data "aws_iam_policy_document" "inline" {
 effect = "Allow"
 resources = [
 format(local.all_account_arn_iam, format("role/service-role/%v", "AmazonBedrockExecutionRoleForAgents*")),
+ format(local.all_account_arn_iam, format("role/service-role/%v", "AmazonBedrockExecutionRoleForFlows*")),
 format(local.all_account_arn_iam, format("role/service-role/%v", "AmazonBedrockExecutionRoleForKnowledgeBase*")),
+ format(local.all_account_arn_iam, format("role/service-role/%v", "agentChatFunction-role-*")),
 ]
 actions = [
 "iam:CreateRole",
From 04da7857843ee7161c1c964ff6b359172715accf Mon Sep 17 00:00:00 2001
From: "Matthew C. Morgan"
Date: Mon, 20 Apr 2026 15:57:29 -0400
Subject: [PATCH 21/23] add Agent Function Role
---
 policies/sc-developer/policy.tf | 1 +
 1 file changed, 1 insertion(+)
diff --git a/policies/sc-developer/policy.tf b/policies/sc-developer/policy.tf
index c1c56db..3aeb078 100644
--- a/policies/sc-developer/policy.tf
+++ b/policies/sc-developer/policy.tf
@@ -255,6 +255,7 @@ data "aws_iam_policy_document" "inline" {
 format(local.all_account_arn_iam, format("role/service-role/%v", "AmazonBedrockExecutionRoleForFlows*")),
 format(local.all_account_arn_iam, format("role/service-role/%v", "AmazonBedrockExecutionRoleForKnowledgeBase*")),
 format(local.all_account_arn_iam, format("role/service-role/%v", "agentChatFunction-role-*")),
+ format(local.all_account_arn_iam, format("role/service-role/%v", "*AgentFunction-role-*")),
 ]
 actions = [
 "iam:CreateRole",
From 5168ad799ef0b5e1bbb04ae6e07a41e1407c1236 Mon Sep 17 00:00:00 2001
From: "Matthew C. Morgan"
Date: Mon, 20 Apr 2026 16:06:37 -0400
Subject: [PATCH 22/23] add lambda role
---
 policies/sc-developer/policy.tf | 1 +
 1 file changed, 1 insertion(+)
diff --git a/policies/sc-developer/policy.tf b/policies/sc-developer/policy.tf
index 3aeb078..72c5bc9 100644
--- a/policies/sc-developer/policy.tf
+++ b/policies/sc-developer/policy.tf
@@ -273,6 +273,7 @@ data "aws_iam_policy_document" "inline" {
 format(local.all_account_arn_iam, format("policy/%v", "*AmazonBedrockAgentInferenceProfilesCrossRegionPolicy*")),
 format(local.all_account_arn_iam, format("policy/%v", "*AmazonBedrockS3PolicyForKnowledgeBase_AmazonBedrockExecutionRoleForAgents*")),
 format(local.all_account_arn_iam, format("policy/%v", "*AmazonBedrockFoundationModelPolicyForKnowledgeBase_AmazonBedrockExecutionRoleForAgents*")),
+ format(local.all_account_arn_iam, format("policy/%v", "*AWSLambdaBasicExecutionRole*")),
 ]
 actions = [
 "iam:CreatePolicy",
From a42554567b273725a75064f6af116acc2f78fc68 Mon Sep 17 00:00:00 2001
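Review bot: `*AgentFunction-role-*` is the first role pattern in this CreateRole statement with a leading wildcard, so it matches any role under `service-role/` whose name merely contains `AgentFunction-role-`, not only the agent-function roles the subject names. If these are console-generated Lambda roles of the form `<function>-role-<suffix>`, listing the expected function-name prefixes, as `agentChatFunction-role-*` one line above already does, keeps the grant anchored to a known prefix. The statement's sid, `AllowIAMRoleRead`, is set before this hunk and no longer describes a statement that creates Bedrock and Lambda execution roles.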
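Review bot: The new `*AWSLambdaBasicExecutionRole*` CreatePolicy resource names a customer managed policy whose name collides with the AWS managed policy of the same name, and the double wildcard makes it unclear which is meant. If the goal is to let the console attach the AWS managed policy, no CreatePolicy grant is needed for that; if it is the console-generated customer managed copy, a path-anchored pattern such as `policy/service-role/AWSLambdaBasicExecutionRole-*` is tighter. A one-line comment above the entry stating which case applies, e.g. `# console-generated copy of the AWS managed policy, created per function`, would answer that for the next reader. The statement's sid and actions are outside this hunk.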
From: "Matthew C. Morgan"
Date: Mon, 20 Apr 2026 16:11:59 -0400
Subject: [PATCH 23/23] allow attach policy
---
 policies/sc-developer/policy.tf | 1 +
 1 file changed, 1 insertion(+)
diff --git a/policies/sc-developer/policy.tf b/policies/sc-developer/policy.tf
index 72c5bc9..20a7f5d 100644
--- a/policies/sc-developer/policy.tf
+++ b/policies/sc-developer/policy.tf
@@ -258,6 +258,7 @@ data "aws_iam_policy_document" "inline" {
 format(local.all_account_arn_iam, format("role/service-role/%v", "*AgentFunction-role-*")),
 ]
 actions = [
+ "iam:AttachRolePolicy",
 "iam:CreateRole",
 ]
 }
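Review bot: `iam:AttachRolePolicy` is added without an `iam:PolicyARN` condition, so any managed policy in the account or any AWS managed policy, administrative ones included, can be attached to a role matching these patterns, and the same statement lets the caller create those roles. Limiting the attachable set, e.g. `condition { test = "ArnLike" variable = "iam:PolicyARN" values = [<placeholder: allowed policy ARN patterns>] }`, keeps the grant proportional to the Bedrock and Lambda execution-role use case the series is building. The statement's `sid = "AllowIAMRoleRead"` (set before this hunk) is now further still from what the statement does and is worth renaming in the same change.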