Merge pull request #34 from ministryofjustice/feature/bedrock-read-only

added read-only bedrock permissions for users
ministryofjustice · Sep 23, 2024 · 5c5a3d9 · 5c5a3d9
2 parents 65f6478 + 1a956ce
commit 5c5a3d9
Show file tree

Hide file tree

Showing 3 changed files with 43 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -52,6 +52,7 @@ No modules.
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_iam_account_alias.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_account_alias) | data source |
 | [aws_iam_policy_document.api_gateway_for_github](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.bedrock_for_github](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.cloudwatch_for_github](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.cognito_idp_for_github](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.combined](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |

diff --git a/aws.tf b/aws.tf
@@ -60,6 +60,7 @@ data "aws_iam_policy_document" "combined" {
 data "aws_iam_policy_document" "combined_2" {
   source_policy_documents = [
     data.aws_iam_policy_document.elasticache_for_github.json,
+    data.aws_iam_policy_document.bedrock_for_github.json,
   ]
 }
 

diff --git a/bedrock.tf b/bedrock.tf
@@ -0,0 +1,41 @@
+data "aws_iam_policy_document" "bedrock_for_github" {
+  statement {
+    sid    = "AllowBedrockReadOnly"
+    effect = "Allow"
+    actions = [
+      "bedrock:GetFoundationModel",
+      "bedrock:ListFoundationModels",
+      "bedrock:ListTagsForResource",
+      "bedrock:GetFoundationModelAvailability",
+      "bedrock:GetModelInvocationLoggingConfiguration",
+      "bedrock:GetProvisionedModelThroughput",
+      "bedrock:ListProvisionedModelThroughputs",
+      "bedrock:GetModelInvocationJob",
+      "bedrock:ListModelInvocationJobs",
+      "bedrock:GetGuardrail",
+      "bedrock:ListGuardrails",
+      "bedrock:GetEvaluationJob",
+      "bedrock:ListEvaluationJobs",
+      "bedrock:GetInferenceProfile",
+      "bedrock:ListInferenceProfiles"
+    ]
+    resources = ["*"]
+  }
+
+  statement {
+    sid    = "AllowBedrockCustomModel"
+    effect = "Allow"
+    actions = [
+      "bedrock:GetModelCustomizationJob",
+      "bedrock:ListModelCustomizationJobs",
+      "bedrock:ListCustomModels",
+      "bedrock:GetCustomModel"
+    ]
+    resources = ["*"]
+    condition {
+      test     = "StringLike"
+      variable = "aws:PrincipalTag/GithubTeam"
+      values   = ["*:$${aws:ResourceTag/GithubTeam}:*"]
+    }
+  }
+}