Expand Bedrock permissions

policies/sc-developer/policy.tf

@@ -51,45 +51,45 @@ data "aws_iam_policy_document" "inline" {
     effect    = "Allow"
     resources = ["*"]
     actions = [
-      "athena:*",
+      "aoss:*",
       "apigateway:*",
+      "athena:*",
       "bedrock:*",
-      "logs:*",
       "cloudshell:*",
       "cloudwatch:*",
       "codebuild:*",
       "codecommit:*",
       "codedeploy:*",
       "codepipeline:*",
-      "dynamodb:*",
       "dms:*",
+      "dynamodb:*",
       "ebs:*",
       "ecr:*",
       "ecs:*",
       "eks:*",
       "elasticfilesystem:*",
       "elasticloadbalancing:*",
+      "elasticloadbalancingv2:*",
+      "elasticmapreduce:*",
+      "es:*",
       "firehose:*",
+      "glue:*",
       "inspector2:BatchGet*",
       "inspector2:Describe*",
       "inspector2:Get*",
       "inspector2:List*",
-      "elasticloadbalancingv2:*",
-      "elasticmapreduce:*",
-      "es:*",
-      "aoss:*",
-      "glue:*",
+      "kinesis:*",
       "lambda:*",
+      "logs:*",
       "mq:*",
       "quicksight:*",
       "rds:*",
       "s3:*",
+      "sagemaker:*",
       "secretsmanager:*",
-      "states:*",
       "sqs:*",
-      "kinesis:*",
+      "states:*",
       "transfer:*",
-      "sagemaker:*",
     ]
   }
   statement {
@@ -239,16 +239,54 @@ data "aws_iam_policy_document" "inline" {
       format(local.all_account_arn_iam, format("role/aws-service-role/%v.amazonaws.com/AWSServiceRoleFor%v", "elasticloadbalancing", "ElasticLoadBalancing*")),
       format(local.all_account_arn_iam, format("role/aws-service-role/%v.amazonaws.com/AWSServiceRoleFor%v", "mq", "MQ*")),
       format(local.all_account_arn_iam, format("role/aws-service-role/%v.amazonaws.com/AWSServiceRoleFor%v", "rds", "RDS*")),
+      format(local.all_account_arn_iam, format("role/service-role/%v", "AmazonBedrockExecutionRoleForAgents*")),
+      format(local.all_account_arn_iam, format("role/service-role/%v", "AmazonBedrockExecutionRoleForKnowledgeBase*")),
     ]
     actions = [
       "iam:PutRolePolicy",
       "iam:AttachRolePolicy",
     ]
   }
-  #  statement {
-  #    sid    = "AllowServiceLinkedRoleCreate"
-  #    effect = "Allow"
-  #    resources = [
+  statement {
+    sid       = "AllowIAMRoleRead"
+    effect    = "Allow"
+    resources = [
+      format(local.all_account_arn_iam, format("role/service-role/%v", "AmazonBedrockExecutionRoleForAgents*")),
+      format(local.all_account_arn_iam, format("role/service-role/%v", "AmazonBedrockExecutionRoleForFlows*")),
+      format(local.all_account_arn_iam, format("role/service-role/%v", "AmazonBedrockExecutionRoleForKnowledgeBase*")),
+      format(local.all_account_arn_iam, format("role/service-role/%v", "agentChatFunction-role-*")),
+      format(local.all_account_arn_iam, format("role/service-role/%v", "*AgentFunction-role-*")),
+    ]
+    actions = [
+      "iam:AttachRolePolicy",
+      "iam:CreateRole",
+    ]
+  }
+  statement {
+    sid       = "AllowIAMPolicyCreate"
+    effect    = "Allow"
+    resources = [
+      format(local.all_account_arn_iam, format("policy/%v", "*AmazonBedrockAgentBedrockFoundationModelPolicy*")),
+      format(local.all_account_arn_iam, format("policy/%v", "*AmazonBedrockS3PolicyForKnowledgeBase*")),
+      format(local.all_account_arn_iam, format("policy/%v", "*AmazonBedrockOSSPolicyForKnowledgeBase*")),
+      format(local.all_account_arn_iam, format("policy/%v", "*AmazonBedrockAgentRetrieveKnowledgeBasePolicy*")),
+      format(local.all_account_arn_iam, format("policy/%v", "*AmazonBedrockFoundationModelPolicyForKnowledgeBase*")),
+      format(local.all_account_arn_iam, format("policy/%v", "*AmazonBedrockAgentInferenceProfilesCrossRegionPolicy*")),
+      format(local.all_account_arn_iam, format("policy/%v", "*AmazonBedrockS3PolicyForKnowledgeBase_AmazonBedrockExecutionRoleForAgents*")),
+      format(local.all_account_arn_iam, format("policy/%v", "*AmazonBedrockFoundationModelPolicyForKnowledgeBase_AmazonBedrockExecutionRoleForAgents*")),
+      format(local.all_account_arn_iam, format("policy/%v", "*AWSLambdaBasicExecutionRole*")),
+    ]
+    actions = [
+      "iam:CreatePolicy",
+      "iam:CreatePolicyVersion",
+      "iam:DeletePolicyVersion",
+    ]
+  }
+  # Service Linked roles are created per account in common/service-linked-roles.tf
+  # statement {
+  #   sid = "AllowServiceLinkedRoleCreate"
+  #   effect = "Allow"
+  #   resources = [
   #      "arn:aws-us-gov:iam::*:role/aws-service-role/dynamodb.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_DynamoDBTable",
   #      "arn:aws-us-gov:iam::*:role/aws-service-role/ecs.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_ECSService",
   #      "arn:aws-us-gov:iam::*:role/aws-service-role/rds.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_RDSCluster",
@@ -268,15 +306,16 @@ data "aws_iam_policy_document" "inline" {
       test     = "StringEquals"
       variable = "iam:PassedToService"
       values = [
+        "apigateway.amazonaws.com",
+        "bedrock.amazonaws.com",
+        "ecs-tasks.amazonaws.com",
+        "ecs.amazonaws.com",
         "firehose.amazonaws.com",
         "glue.amazonaws.com",
+        "lambda.amazonaws.com",
         "rds.amazonaws.com",
         "s3.amazonaws.com",
-        "lambda.amazonaws.com",
-        "ecs.amazonaws.com",
-        "ecs-tasks.amazonaws.com",
         "states.amazonaws.com",
-        "apigateway.amazonaws.com"
       ]
     }
   }