Merge pull request #118 from awslabs/bug/bucket_name

feat(bugfix): Bug/bucket name
awslabs · Nov 27, 2023 · d965136 · d965136
2 parents 8534135 + 48590d4
commit d965136
Show file tree

Hide file tree

Showing 4 changed files with 176 additions and 28 deletions.
diff --git a/src/common/helpers/redis-helper.ts b/src/common/helpers/redis-helper.ts
@@ -85,7 +85,7 @@ export function buildRedisCluster(scope: Construct, props: RedisProps): elastica
     numCacheNodes: numCacheNodes,
     cacheSubnetGroupName: getRedisSubnetGroup(scope, props).ref,
     vpcSecurityGroupIds: [props.redisSecurityGroup!.securityGroupId],
-    port: 8787,
+    port: props.redisPort,
   });
   return redisCulster;
 }
@@ -113,9 +113,10 @@ export function getRedisSecurityGroup(scope: Construct,
 }
 
 export function setInboundRules(redisSecurityGroup:ec2.SecurityGroup,
-  sourceSecuritygroup:ec2.ISecurityGroup ) {
+  sourceSecuritygroup:ec2.ISecurityGroup,
+  redisPort:number) {
   redisSecurityGroup.connections.allowFrom(sourceSecuritygroup,
-    ec2.Port.tcp(6379));
+    ec2.Port.tcp(redisPort));
 }
 
 

diff --git a/src/patterns/gen-ai/aws-qa-appsync-opensearch/index.ts b/src/patterns/gen-ai/aws-qa-appsync-opensearch/index.ts
@@ -241,7 +241,6 @@ export class QaAppsyncOpensearch extends Construct {
       {
         blockPublicAccess: s3.BlockPublicAccess.BLOCK_ALL,
         encryption: s3.BucketEncryption.S3_MANAGED,
-        bucketName: 'qa-server-access-logs',
         enforceSSL: true,
         versioned: true,
         lifecycleRules: [{
@@ -375,6 +374,31 @@ export class QaAppsyncOpensearch extends Construct {
       },
     });
 
+    // Minimum permissions for a Lambda function to execute while accessing a resource within a VPC
+    question_answering_function_role.addToPolicy(new iam.PolicyStatement({
+      effect: iam.Effect.ALLOW,
+      actions: [
+        'ec2:CreateNetworkInterface',
+        'ec2:DeleteNetworkInterface',
+        'ec2:AssignPrivateIpAddresses',
+        'ec2:UnassignPrivateIpAddresses',
+      ],
+      resources: [
+        'arn:aws:ec2:'+Aws.REGION+':'+Aws.ACCOUNT_ID+':*/*',
+      ],
+    }));
+    // Decribe only works if it's allowed on all resources.
+    // Reference: https://docs.aws.amazon.com/lambda/latest/dg/configuration-vpc.html#vpc-permissions
+    question_answering_function_role.addToPolicy(new iam.PolicyStatement({
+      effect: iam.Effect.ALLOW,
+      actions: [
+        'ec2:DescribeNetworkInterfaces',
+      ],
+      resources: [
+        '*',
+      ],
+    }));
+
     // The lambda will access the opensearch credentials
     if (props.openSearchSecret) {props.openSearchSecret.grantRead(question_answering_function_role);}
 

diff --git a/src/patterns/gen-ai/aws-rag-appsync-stepfn-opensearch/index.ts b/src/patterns/gen-ai/aws-rag-appsync-stepfn-opensearch/index.ts
@@ -274,7 +274,6 @@ export class RagAppsyncStepfnOpensearch extends Construct {
       {
         blockPublicAccess: s3.BlockPublicAccess.BLOCK_ALL,
         encryption: s3.BucketEncryption.S3_MANAGED,
-        bucketName: 'rag-server-access-logs',
         versioned: true,
         lifecycleRules: [{
           expiration: Duration.days(90),
@@ -466,6 +465,30 @@ export class RagAppsyncStepfnOpensearch extends Construct {
       },
     });
 
+    // Minimum permissions for a Lambda function to execute while accessing a resource within a VPC
+    s3_transformer_job_function_role.addToPolicy(new iam.PolicyStatement({
+      effect: iam.Effect.ALLOW,
+      actions: [
+        'ec2:CreateNetworkInterface',
+        'ec2:DeleteNetworkInterface',
+        'ec2:AssignPrivateIpAddresses',
+        'ec2:UnassignPrivateIpAddresses',
+      ],
+      resources: [
+        'arn:aws:ec2:'+Aws.REGION+':'+Aws.ACCOUNT_ID+':*/*',
+      ],
+    }));
+    // Decribe only works if it's allowed on all resources.
+    // Reference: https://docs.aws.amazon.com/lambda/latest/dg/configuration-vpc.html#vpc-permissions
+    s3_transformer_job_function_role.addToPolicy(new iam.PolicyStatement({
+      effect: iam.Effect.ALLOW,
+      actions: [
+        'ec2:DescribeNetworkInterfaces',
+      ],
+      resources: [
+        '*',
+      ],
+    }));
 
     s3_transformer_job_function_role.addToPolicy(
       new iam.PolicyStatement({
@@ -569,6 +592,31 @@ export class RagAppsyncStepfnOpensearch extends Construct {
       },
     });
 
+    // Minimum permissions for a Lambda function to execute while accessing a resource within a VPC
+    embeddings_job_function_role.addToPolicy(new iam.PolicyStatement({
+      effect: iam.Effect.ALLOW,
+      actions: [
+        'ec2:CreateNetworkInterface',
+        'ec2:DeleteNetworkInterface',
+        'ec2:AssignPrivateIpAddresses',
+        'ec2:UnassignPrivateIpAddresses',
+      ],
+      resources: [
+        'arn:aws:ec2:'+Aws.REGION+':'+Aws.ACCOUNT_ID+':*/*',
+      ],
+    }));
+    // Decribe only works if it's allowed on all resources.
+    // Reference: https://docs.aws.amazon.com/lambda/latest/dg/configuration-vpc.html#vpc-permissions
+    embeddings_job_function_role.addToPolicy(new iam.PolicyStatement({
+      effect: iam.Effect.ALLOW,
+      actions: [
+        'ec2:DescribeNetworkInterfaces',
+      ],
+      resources: [
+        '*',
+      ],
+    }));
+
     embeddings_job_function_role.addToPolicy(
       new iam.PolicyStatement({
         effect: iam.Effect.ALLOW,