aws-ia/terraform-aws-bedrock
Terraform Bedrock Module

Amazon Bedrock is a fully managed service that offers a choice of foundation models (FMs) along with a broad set of capabilities for building generative AI applications.

This module includes resources to deploy Bedrock features.

Knowledge Bases

With Knowledge Bases for Amazon Bedrock, you can give FMs and agents contextual information from your company’s private data sources for Retrieval Augmented Generation (RAG) to deliver more relevant, accurate, and customized responses.

Create a Knowledge Base

A vector index on a vector store is required to create a Knowledge Base. This module currently supports Amazon OpenSearch Serverless, Amazon RDS Aurora PostgreSQL, Pinecone, and MongoDB. By default, the module creates an OpenSearch Serverless vector collection and index for each Knowledge Base you create, but you can provide an existing collection for more control. For the other vector stores you must create the store yourself beforehand and store its credentials in AWS Secrets Manager.

The resource accepts an instruction prop that is provided to any Bedrock Agent it is associated with so the agent can decide when to query the Knowledge Base.

To create a knowledge base, make sure you pass in the appropriate variables and set the create_kb variable to true.

Example default Opensearch Serverless Agent with Knowledgebase

```hcl
provider "opensearch" {
  url         = module.bedrock.default_collection[0].collection_endpoint
  healthcheck = false
}

module "bedrock" {
  source  = "aws-ia/bedrock/aws"
  version = "0.0.5"
  create_kb = true
  create_default_kb = true
  foundation_model = "anthropic.claude-v2"
  instruction = "You are an automotive assistant who can provide detailed information about cars to a customer."
}
```

Knowledge Base - Data Sources

Data sources are the various repositories or systems from which information is extracted and ingested into the knowledge base. These sources provide the raw content that will be processed, indexed, and made available for querying within the knowledge base system. Data sources can include document management systems, databases, file storage systems, and content management platforms. Supported data sources include Amazon S3 buckets, web crawlers, SharePoint sites, Salesforce instances, and Confluence spaces.

  • Amazon S3. You can either use an existing data source by passing its ARN to the input variable kb_s3_data_source, or create a new one by setting create_s3_data_source to true.

  • Web Crawler. You can create a new web crawler data source by setting the create_web_crawler input variable to true and passing in the necessary variables for urls, scope, etc.

  • SharePoint. You can create a new SharePoint data source by setting the create_sharepoint input variable to true and passing in the necessary variables for site urls, filter patterns, etc.

  • Salesforce. You can create a new Salesforce data source by setting the create_salesforce input variable to true and passing in the necessary variables for site urls, filter patterns, etc.

  • Confluence. You can create a new Confluence data source by setting the create_confluence input variable to true and passing in the necessary variables for site urls, filter patterns, etc.
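As an added example (not from the module's README), the following instance ingests an existing KMS-encrypted S3 bucket instead of creating one, adds a web crawler restricted to a single host with path allow/deny patterns and a fetch-rate cap, and keeps knowledge-base logs in CloudWatch for 90 days. The bucket ARN, key ARN and URLs are constructed placeholders, and kb_s3_data_source is assumed to take the bucket ARN.

```hcl
# Added example; the bucket, KMS key and URLs below are placeholders.
provider "opensearch" {
  url         = module.bedrock.default_collection[0].collection_endpoint
  healthcheck = false
}

module "bedrock" {
  source  = "aws-ia/bedrock/aws"
  version = "0.0.5"

  create_kb         = true
  create_default_kb = true
  kb_name           = "vehicle-manuals-kb"

  # Reuse an existing bucket rather than letting the module create one.
  # Passing the KMS key ARN lets the module scope the knowledge-base role's
  # decrypt permission to exactly that key (least privilege).
  create_s3_data_source     = false
  kb_s3_data_source         = "arn:aws:s3:::example-vehicle-manuals"                 # placeholder
  kb_s3_data_source_kms_arn = "arn:aws:kms:us-east-1:111122223333:key/PLACEHOLDER" # placeholder

  # Crawl only the documentation host, never leave it, skip authenticated or
  # administrative paths, and cap the fetch rate so ingestion traffic stays
  # well within what the target site expects.
  create_web_crawler = true
  seed_urls          = [{ url = "https://docs.example.com/manuals/" }]
  crawler_scope      = "HOST_ONLY"
  inclusion_filters  = ["^https://docs\\.example\\.com/manuals/.*"]
  exclusion_filters  = [".*/(login|admin)/.*"]
  rate_limit         = 60 # URLs per minute

  # Retain ingestion and query logs so failed syncs and unexpected content
  # can be investigated later.
  create_kb_log_group            = true
  kb_log_group_retention_in_days = 90

  foundation_model = "anthropic.claude-v2"
  instruction      = "You are an automotive assistant who can provide detailed information about cars to a customer."
}
```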

Agents

Enable generative AI applications to execute multistep tasks across company systems and data sources.

Create an Agent

The following example creates an Agent with a simple instruction and without any action groups or knowledge bases.

```hcl
module "bedrock" {
  source  = "aws-ia/bedrock/aws"
  version = "0.0.5"
  foundation_model = "anthropic.claude-v2"
  instruction = "You are an automotive assistant who can provide detailed information about cars to a customer."
}
```

To create an Agent with a default Knowledge Base you simply set create_kb and create_default_kb to true:

```hcl
module "bedrock" {
  source  = "aws-ia/bedrock/aws"
  version = "0.0.5"
  create_kb = true
  create_default_kb = true
  foundation_model = "anthropic.claude-v2"
  instruction = "You are an automotive assistant who can provide detailed information about cars to a customer."
}
```

Action Groups

An action group defines functions your agent can call. The functions are Lambda functions. The action group uses an OpenAPI schema to tell the agent what your functions do and how to call them. You can configure an action group by passing in the appropriate input variables.
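An added example (not the module's own code) of an action group backed by a Lambda function and described by an inline OpenAPI schema, together with the Lambda resource policy that lets only this agent invoke it. The function, its execution role ARN, the deployment package path and the operation are constructed for illustration; the `agent_arn` attribute on the `bedrock_agent` output is assumed from the underlying awscc resource.

```hcl
# Added example; the Lambda function, role ARN and package path are placeholders.
resource "aws_lambda_function" "vehicle_lookup" {
  function_name = "vehicle-lookup"
  role          = "arn:aws:iam::111122223333:role/PLACEHOLDER-vehicle-lookup-exec" # placeholder
  handler       = "handler.lambda_handler"
  runtime       = "python3.12"
  filename      = "${path.module}/build/vehicle_lookup.zip" # placeholder package
}

module "bedrock" {
  source  = "aws-ia/bedrock/aws"
  version = "0.0.5"

  create_ag                    = true
  action_group_name            = "VehicleLookup"
  action_group_description     = "Looks up specifications for a vehicle model"
  action_group_state           = "ENABLED"
  lambda_action_group_executor = aws_lambda_function.vehicle_lookup.arn

  # Keep the schema narrow: one operation with a typed, length-bounded
  # parameter. The agent can only call what is described here, so the schema
  # is the contract that limits what the model can make the function do.
  api_schema_payload = jsonencode({
    openapi = "3.0.0"
    info    = { title = "Vehicle lookup", version = "1.0.0" }
    paths = {
      "/vehicles/{model}" = {
        get = {
          operationId = "getVehicle"
          description = "Return the specifications for a vehicle model"
          parameters = [{
            name        = "model"
            "in"        = "path"
            required    = true
            description = "Vehicle model name"
            schema      = { type = "string", maxLength = 64 }
          }]
          responses = { "200" = { description = "Vehicle specification" } }
        }
      }
    }
  })

  foundation_model = "anthropic.claude-v2"
  instruction      = "You are an automotive assistant who can provide detailed information about cars to a customer."
}

# Bedrock invokes the function as the bedrock.amazonaws.com service principal,
# so the function's resource policy must allow it. Scoping source_arn to this
# agent stops other agents in the account from calling the function.
resource "aws_lambda_permission" "allow_agent" {
  statement_id  = "AllowBedrockAgentInvoke"
  action        = "lambda:InvokeFunction"
  function_name = aws_lambda_function.vehicle_lookup.function_name
  principal     = "bedrock.amazonaws.com"
  source_arn    = module.bedrock.bedrock_agent.agent_arn # assumed attribute
}
```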

Prepare the Agent

The Agent constructs take an optional parameter shouldPrepareAgent to indicate that the Agent should be prepared after any updates to an agent, Knowledge Base association, or action group. This may increase the time to create and update those resources. By default, this value is true.

Prompt Overrides

Bedrock Agents allows you to customize the prompts and LLM configuration for its different steps. You can disable steps or create a new prompt template. Prompt templates can be inserted from plain text files.
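As an added example (not from the module's README), the following instance overrides the orchestration step with a template read from a plain-text file and pins conservative sampling settings while keeping Bedrock's default output parser. The file path and its contents are assumed, and the stop sequences are assumed to match the tags the template asks the model to emit.

```hcl
# Added example; prompts/orchestration.txt is an assumed file in your configuration.
module "bedrock" {
  source  = "aws-ia/bedrock/aws"
  version = "0.0.5"

  prompt_override      = true
  prompt_type          = "ORCHESTRATION" # the agent step this configuration applies to
  prompt_creation_mode = "OVERRIDDEN"    # use base_prompt_template instead of the default
  prompt_state         = "ENABLED"       # DISABLED would skip this step entirely
  parser_mode          = "DEFAULT"       # keep the built-in parser; no override_lambda_arn needed
  base_prompt_template = file("${path.module}/prompts/orchestration.txt")

  # Low temperature and top_p plus a hard token cap make the step's output
  # more predictable, which matters for a step that decides which tools to call.
  temperature    = 0
  top_p          = 0.5
  top_k          = 50
  max_length     = 2048
  stop_sequences = ["</invoke>", "</answer>", "</error>"] # assumed to match the template

  foundation_model = "anthropic.claude-v2"
  instruction      = "You are an automotive assistant who can provide detailed information about cars to a customer."
}
```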

Bedrock Guardrails

Amazon Bedrock's Guardrails feature enables you to implement robust governance and control mechanisms for your generative AI applications, ensuring alignment with your specific use cases and responsible AI policies. Guardrails empowers you to create multiple tailored policy configurations, each designed to address the unique requirements and constraints of different use cases. These policy configurations can then be seamlessly applied across multiple foundation models (FMs) and Agents, ensuring a consistent user experience and standardizing safety, security, and privacy controls throughout your generative AI ecosystem.

With Guardrails, you can define and enforce granular, customizable policies to precisely govern the behavior of your generative AI applications. You can configure the following policies in a guardrail to avoid undesirable and harmful content and remove sensitive information for privacy protection.

  • Content filters – Adjust filter strengths to block input prompts or model responses containing harmful content.

  • Denied topics – Define a set of topics that are undesirable in the context of your application. These topics will be blocked if detected in user queries or model responses.

  • Word filters – Configure filters to block undesirable words, phrases, and profanity. Such words can include offensive terms, competitor names, etc.

  • Sensitive information filters – Block or mask sensitive information such as personally identifiable information (PII) or custom regex matches in user inputs and model responses.

You can create a Guardrail by setting create_guardrail to true and passing in the appropriate input variables:

```hcl
module "bedrock" {
  source  = "aws-ia/bedrock/aws"
  version = "0.0.5"
  create_kb = false
  create_default_kb = false
  create_guardrail = true
  # Messages returned to the caller when an input or output is blocked
  # (these are the module's blocked_input_messaging / blocked_outputs_messaging inputs).
  blocked_input_messaging   = "Blocked input"
  blocked_outputs_messaging = "Blocked output"
  filters_config = [
      {
        input_strength  = "MEDIUM"
        output_strength = "MEDIUM"
        type            = "HATE"
      },
      {
        input_strength  = "HIGH"
        output_strength = "HIGH"
        type            = "VIOLENCE"
      }
  ]
  pii_entities_config = [
      {
        action = "BLOCK"
        type   = "NAME"
      },
      {
        action = "BLOCK"
        type   = "DRIVER_ID"
      },
      {
        action = "ANONYMIZE"
        type   = "USERNAME"
      }
  ]
  regexes_config = [{
      action      = "BLOCK"
      description = "example regex"
      name        = "regex_example"
      pattern     = "^\\d{3}-\\d{2}-\\d{4}$"
  }]
  managed_word_lists_config = [{
      type = "PROFANITY"
  }]
  words_config = [{
    text = "HATE"
  }]
  topics_config = [{
      name       = "investment_topic"
      examples   = ["Where should I invest my money?"]
      type       = "DENY"
      definition = "Investment advice refers to inquiries, guidance, or recommendations regarding the management or allocation of funds or assets with the goal of generating returns."
  }]
  foundation_model = "anthropic.claude-v2"
  instruction = "You are an automotive assistant who can provide detailed information about cars to a customer."
}
```

Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.0.7 |
| aws | ~> 5.0 |
| awscc | >= 1.0.0 |
| opensearch | = 2.2.0 |
| random | >= 3.6.0 |
| time | ~> 0.6 |

Providers

| Name | Version |
|------|---------|
| aws | ~> 5.0 |
| awscc | >= 1.0.0 |
| opensearch | = 2.2.0 |
| random | >= 3.6.0 |
| time | ~> 0.6 |

Modules

No modules.

Resources

| Name | Type |
|------|------|
| aws_bedrockagent_data_source.knowledge_base_ds | resource |
| aws_cloudwatch_log_group.knowledge_base_cwl | resource |
| aws_iam_policy.bedrock_kb_s3_decryption_policy | resource |
| aws_iam_policy.bedrock_knowledge_base_policy | resource |
| aws_iam_policy.bedrock_knowledge_base_policy_s3 | resource |
| aws_iam_role.agent_role | resource |
| aws_iam_role.bedrock_knowledge_base_role | resource |
| aws_iam_role_policy.agent_policy | resource |
| aws_iam_role_policy.bedrock_kb_oss | resource |
| aws_iam_role_policy.kb_policy | resource |
| aws_iam_role_policy_attachment.bedrock_kb_s3_decryption_policy_attachment | resource |
| aws_iam_role_policy_attachment.bedrock_knowledge_base_policy_attachment | resource |
| aws_iam_role_policy_attachment.bedrock_knowledge_base_policy_s3_attachment | resource |
| aws_opensearchserverless_access_policy.data_policy | resource |
| aws_opensearchserverless_security_policy.nw_policy | resource |
| aws_opensearchserverless_security_policy.security_policy | resource |
| awscc_bedrock_agent.bedrock_agent | resource |
| awscc_bedrock_agent_alias.bedrock_agent_alias | resource |
| awscc_bedrock_data_source.knowledge_base_confluence | resource |
| awscc_bedrock_data_source.knowledge_base_salesforce | resource |
| awscc_bedrock_data_source.knowledge_base_sharepoint | resource |
| awscc_bedrock_data_source.knowledge_base_web_crawler | resource |
| awscc_bedrock_guardrail.guardrail | resource |
| awscc_bedrock_guardrail_version.guardrail | resource |
| awscc_bedrock_knowledge_base.knowledge_base_default | resource |
| awscc_bedrock_knowledge_base.knowledge_base_mongo | resource |
| awscc_bedrock_knowledge_base.knowledge_base_opensearch | resource |
| awscc_bedrock_knowledge_base.knowledge_base_pinecone | resource |
| awscc_bedrock_knowledge_base.knowledge_base_rds | resource |
| awscc_logs_delivery.knowledge_base_log_delivery | resource |
| awscc_logs_delivery_destination.knowledge_base_log_destination | resource |
| awscc_logs_delivery_source.knowledge_base_log_source | resource |
| awscc_opensearchserverless_collection.default_collection | resource |
| awscc_s3_bucket.s3_data_source | resource |
| opensearch_index.default_oss_index | resource |
| random_string.solution_prefix | resource |
| time_sleep.wait_after_index_creation | resource |
| time_sleep.wait_before_index_creation | resource |
| aws_caller_identity.current | data source |
| aws_iam_policy_document.agent_permissions | data source |
| aws_iam_policy_document.agent_trust | data source |
| aws_iam_policy_document.knowledge_base_permissions | data source |
| aws_partition.current | data source |
| aws_region.current | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| `foundation_model` | The foundation model for the Bedrock agent. | `string` | n/a | yes |
| `instruction` | A narrative instruction to provide the agent as context. | `string` | n/a | yes |
| `action_group_description` | Description of the action group. | `string` | `null` | no |
| `action_group_name` | Name of the action group. | `string` | `null` | no |
| `action_group_state` | State of the action group. | `string` | `null` | no |
| `agent_alias_description` | Description of the agent alias. | `string` | `null` | no |
| `agent_alias_name` | The name of the guardrail. | `string` | `"TerraformBedrockAgentAlias"` | no |
| `agent_alias_tags` | Tag bedrock agent alias resource. | `map(string)` | `null` | no |
| `agent_description` | A description of agent. | `string` | `null` | no |
| `agent_id` | Agent identifier. | `string` | `null` | no |
| `agent_name` | The name of your agent. | `string` | `"TerraformBedrockAgents"` | no |
| `api_schema_payload` | String OpenAPI Payload. | `string` | `null` | no |
| `api_schema_s3_bucket_name` | A bucket in S3. | `string` | `null` | no |
| `api_schema_s3_object_key` | An object key in S3. | `string` | `null` | no |
| `auth_type` | The supported authentication type. | `string` | `null` | no |
| `base_prompt_template` | Defines the prompt template with which to replace the default prompt template. | `string` | `null` | no |
| `bedrock_agent_version` | Agent version. | `string` | `null` | no |
| `blocked_input_messaging` | Messaging for when violations are detected in text. | `string` | `"Blocked input"` | no |
| `blocked_outputs_messaging` | Messaging for when violations are detected in text. | `string` | `"Blocked output"` | no |
| `collection_arn` | The ARN of the collection. | `string` | `null` | no |
| `collection_name` | The name of the collection. | `string` | `null` | no |
| `confluence_credentials_secret_arn` | The ARN of an AWS Secrets Manager secret that stores your authentication credentials for your Confluence instance URL. | `string` | `null` | no |
| `connection_string` | The endpoint URL for your index management page. | `string` | `null` | no |
| `crawl_filter_type` | The crawl filter type. | `string` | `null` | no |
| `crawler_scope` | The scope that a web crawl job will be restricted to. | `string` | `null` | no |
| `create_ag` | Whether or not to create an action group. | `bool` | `false` | no |
| `create_agent` | Whether or not to deploy an agent. | `bool` | `true` | no |
| `create_agent_alias` | Whether or not to create an agent alias. | `bool` | `false` | no |
| `create_confluence` | Whether or not to create a Confluence data source. | `bool` | `false` | no |
| `create_default_kb` | Whether or not to create the default knowledge base. | `bool` | `false` | no |
| `create_guardrail` | Whether or not to create a guardrail. | `bool` | `false` | no |
| `create_kb` | Whether or not to attach a knowledge base. | `bool` | `false` | no |
| `create_kb_log_group` | Whether or not to create a log group for the knowledge base. | `bool` | `false` | no |
| `create_mongo_config` | Whether or not to use MongoDB Atlas configuration. | `bool` | `false` | no |
| `create_opensearch_config` | Whether or not to use OpenSearch Serverless configuration. | `bool` | `false` | no |
| `create_pinecone_config` | Whether or not to use Pinecone configuration. | `bool` | `false` | no |
| `create_rds_config` | Whether or not to use RDS configuration. | `bool` | `false` | no |
| `create_s3_data_source` | Whether or not to create the S3 data source. | `bool` | `true` | no |
| `create_salesforce` | Whether or not to create a Salesforce data source. | `bool` | `false` | no |
| `create_sharepoint` | Whether or not to create a SharePoint data source. | `bool` | `false` | no |
| `create_web_crawler` | Whether or not to create a web crawler data source. | `bool` | `false` | no |
| `credentials_secret_arn` | The ARN of the secret in Secrets Manager that is linked to your database. | `string` | `null` | no |
| `custom_control` | Custom control of action execution. | `string` | `null` | no |
| `database_name` | Name of the database. | `string` | `null` | no |
| `endpoint` | Database endpoint. | `string` | `null` | no |
| `endpoint_service_name` | MongoDB Atlas endpoint service name. | `string` | `null` | no |
| `exclusion_filters` | A set of regular expression filter patterns for a type of object. | `list(string)` | `[]` | no |
| `existing_kb` | The ID of the existing knowledge base. | `string` | `null` | no |
| `filters_config` | List of content filter configs in content policy. | `list(map(string))` | `null` | no |
| `guardrail_description` | Description of the guardrail. | `string` | `null` | no |
| `guardrail_kms_key_arn` | KMS encryption key to use for the guardrail. | `string` | `null` | no |
| `guardrail_name` | The name of the guardrail. | `string` | `"TerraformBedrockGuardrail"` | no |
| `guardrail_tags` | A map of tags keys and values for the knowledge base. | `list(map(string))` | `null` | no |
| `host_type` | The supported host type, whether online/cloud or server/on-premises. | `string` | `null` | no |
| `host_url` | The host URL or instance URL. | `string` | `null` | no |
| `idle_session_ttl` | How long sessions should be kept open for the agent. | `number` | `600` | no |
| `inclusion_filters` | A set of regular expression filter patterns for a type of object. | `list(string)` | `[]` | no |
| `kb_description` | Description of knowledge base. | `string` | `"Terraform deployed Knowledge Base"` | no |
| `kb_embedding_model_arn` | The ARN of the model used to create vector embeddings for the knowledge base. | `string` | `"arn:aws:bedrock:us-east-1::foundation-model/amazon.titan-embed-text-v1"` | no |
| `kb_log_group_retention_in_days` | The retention period of the knowledge base log group. | `number` | `0` | no |
| `kb_monitoring_arn` | The ARN of the target for delivery of knowledge base application logs. | `string` | `null` | no |
| `kb_name` | Name of the knowledge base. | `string` | `"knowledge-base"` | no |
| `kb_role_arn` | The ARN of the IAM role with permission to invoke API operations on the knowledge base. | `string` | `null` | no |
| `kb_s3_data_source` | The S3 data source ARN for the knowledge base. | `string` | `null` | no |
| `kb_s3_data_source_kms_arn` | The ARN of the KMS key used to encrypt S3 content. | `string` | `null` | no |
| `kb_state` | State of knowledge base; whether it is enabled or disabled. | `string` | `"ENABLED"` | no |
| `kb_storage_type` | The storage type of a knowledge base. | `string` | `null` | no |
| `kb_tags` | A map of tags keys and values for the knowledge base. | `map(string)` | `null` | no |
| `kb_type` | The type of a knowledge base. | `string` | `null` | no |
| `kms_key_arn` | KMS encryption key to use for the agent. | `string` | `null` | no |
| `lambda_action_group_executor` | ARN of Lambda. | `string` | `null` | no |
| `managed_word_lists_config` | A config for the list of managed words. | `list(map(string))` | `null` | no |
| `max_length` | The maximum number of tokens to generate in the response. | `number` | `0` | no |
| `metadata_field` | The name of the field in which Amazon Bedrock stores metadata about the vector store. | `string` | `"AMAZON_BEDROCK_METADATA"` | no |
| `name_prefix` | This value is appended at the beginning of resource names. | `string` | `"BedrockAgents"` | no |
| `namespace` | The namespace to be used to write new data to your Pinecone database. | `string` | `null` | no |
| `override_lambda_arn` | The ARN of the Lambda function to use when parsing the raw foundation model output in parts of the agent sequence. | `string` | `null` | no |
| `parent_action_group_signature` | Action group signature for a builtin action. | `string` | `null` | no |
| `parser_mode` | Specifies whether to override the default parser Lambda function. | `string` | `null` | no |
| `pattern_object_filter_list` | List of pattern object information. | `list(object({ exclusion_filters = optional(list(string)), inclusion_filters = optional(list(string)), object_type = optional(string) }))` | `[]` | no |
| `pii_entities_config` | List of entities. | `list(map(string))` | `null` | no |
| `primary_key_field` | The name of the field in which Bedrock stores the ID for each entry. | `string` | `null` | no |
| `prompt_creation_mode` | Specifies whether to override the default prompt template. | `string` | `null` | no |
| `prompt_override` | Whether to provide prompt override configuration. | `bool` | `false` | no |
| `prompt_state` | Specifies whether to allow the agent to carry out the step specified in the promptType. | `string` | `null` | no |
| `prompt_type` | The step in the agent sequence that this prompt configuration applies to. | `string` | `null` | no |
| `rate_limit` | Rate of web URLs retrieved per minute. | `number` | `null` | no |
| `regexes_config` | List of regex. | `list(map(string))` | `null` | no |
| `resource_arn` | The ARN of the vector store. | `string` | `null` | no |
| `salesforce_credentials_secret_arn` | The ARN of an AWS Secrets Manager secret that stores your authentication credentials for your Salesforce instance URL. | `string` | `null` | no |
| `seed_urls` | A list of web URLs. | `list(object({ url = string }))` | `[]` | no |
| `share_point_credentials_secret_arn` | The ARN of an AWS Secrets Manager secret that stores your authentication credentials for your SharePoint site/sites. | `string` | `null` | no |
| `share_point_domain` | The domain of your SharePoint instance or site URL/URLs. | `string` | `null` | no |
| `share_point_site_urls` | A list of one or more SharePoint site URLs. | `list(string)` | `[]` | no |
| `skip_resource_in_use` | Specifies whether to allow deleting action group while it is in use. | `bool` | `null` | no |
| `stop_sequences` | A list of stop sequences. | `list(string)` | `[]` | no |
| `table_name` | The name of the table in the database. | `string` | `null` | no |
| `tags` | Tag bedrock agent resource. | `map(string)` | `null` | no |
| `temperature` | The likelihood of the model selecting higher-probability options while generating a response. | `number` | `0` | no |
| `tenant_id` | The identifier of your Microsoft 365 tenant. | `string` | `null` | no |
| `text_field` | The name of the field in which Amazon Bedrock stores the raw text from your data. | `string` | `"AMAZON_BEDROCK_TEXT_CHUNK"` | no |
| `top_k` | Sample from the k most likely next tokens. | `number` | `50` | no |
| `top_p` | Cumulative probability cutoff for token selection. | `number` | `0.5` | no |
| `topics_config` | List of topic configs in topic policy. | `list(object({ name = string, examples = list(string), type = string, definition = string }))` | `null` | no |
| `vector_field` | The name of the field where the vector embeddings are stored. | `string` | `"bedrock-knowledge-base-default-vector"` | no |
| `vector_index_name` | The name of the vector index. | `string` | `"bedrock-knowledge-base-default-index"` | no |
| `words_config` | List of custom word configs. | `list(map(string))` | `null` | no |

Outputs

| Name | Description |
|------|-------------|
| `bedrock_agent` | The Amazon Bedrock Agent if it is created. |
| `cloudwatch_log_group` | The name of the CloudWatch log group for the knowledge base. If no log group was requested, value will be null. |
| `datasource_identifier` | The unique identifier of the data source. |
| `default_collection` | OpenSearch default collection value. |
| `default_kb_identifier` | The unique identifier of the default knowledge base that was created. If no default KB was requested, value will be null. |
| `mongo_kb_identifier` | The unique identifier of the MongoDB knowledge base that was created. If no MongoDB KB was requested, value will be null. |
| `opensearch_kb_identifier` | The unique identifier of the OpenSearch knowledge base that was created. If no OpenSearch KB was requested, value will be null. |
| `pinecone_kb_identifier` | The unique identifier of the Pinecone knowledge base that was created. If no Pinecone KB was requested, value will be null. |
| `rds_kb_identifier` | The unique identifier of the RDS knowledge base that was created. If no RDS KB was requested, value will be null. |
| `s3_data_source_arn` | The Amazon Bedrock Data Source for S3. |