

Merge pull request #5757 from ministryofjustice/feature/bedrock-conso…
…le-permissions

Adding bedrock console permissions to sandbox and developer roles.
julialawrence authored Dec 8, 2023
2 parents f0a37fa + e9ebd19 commit 1053363
Showing 1 changed file with 63 additions and 2 deletions.
65 changes: 63 additions & 2 deletions terraform/environments/bootstrap/delegate-access/policies.tf
Expand Up @@ -81,6 +81,67 @@ data "aws_iam_policy_document" "common_statements" {
}
}

# bedrock console policy -- to be retired when terraform support is introduced
# source: https://docs.aws.amazon.com/bedrock/latest/userguide/security_iam_id-based-policy-examples.html#security_iam_id-based-policy-examples-console
#tfsec:ignore:aws-iam-no-policy-wildcards
data "aws_iam_policy_document" "bedrock_console" {
#checkov:skip=CKV_AWS_111: This is a service policy
#checkov:skip=CKV_AWS_356: Needs to access multiple resources
statement {
sid = "BedrockConsole"
effect = "Allow"

actions = [
"bedrock:ListFoundationModels",
"bedrock:GetFoundationModel",
"bedrock:InvokeModel",
"bedrock:InvokeModelWithResponseStream",
"bedrock:CreateModelCustomizationJob",
"bedrock:GetModelCustomizationJob",
"bedrock:GetFoundationModelAvailability",
"bedrock:ListModelCustomizationJobs",
"bedrock:StopModelCustomizationJob",
"bedrock:GetCustomModel",
"bedrock:ListCustomModels",
"bedrock:DeleteCustomModel",
"bedrock:CreateProvisionedModelThroughput",
"bedrock:UpdateProvisionedModelThroughput",
"bedrock:GetProvisionedModelThroughput",
"bedrock:DeleteProvisionedModelThroughput",
"bedrock:ListProvisionedModelThroughputs",
"bedrock:ListTagsForResource",
"bedrock:UntagResource",
"bedrock:TagResource",
"bedrock:CreateAgent",
"bedrock:UpdateAgent",
"bedrock:GetAgent",
"bedrock:ListAgents",
"bedrock:CreateActionGroup",
"bedrock:UpdateActionGroup",
"bedrock:GetActionGroup",
"bedrock:ListActionGroups",
"bedrock:CreateAgentDraftSnapshot",
"bedrock:GetAgentVersion",
"bedrock:ListAgentVersions",
"bedrock:CreateAgentAlias",
"bedrock:UpdateAgentAlias",
"bedrock:GetAgentAlias",
"bedrock:ListAgentAliases",
"bedrock:InvokeAgent",
"bedrock:PutFoundationModelEntitlement",
"bedrock:GetModelInvocationLoggingConfiguration",
"bedrock:PutModelInvocationLoggingConfiguration",
"bedrock:CreateFoundationModelAgreement",
"bedrock:DeleteFoundationModelAgreement",
"bedrock:ListFoundationModelAgreementOffers",
"bedrock:GetUseCaseForModelAccess",
"bedrock:PutUseCaseForModelAccess"
]

resources = ["*"]
}
}

# developer policy - member SSO and collaborators
resource "aws_iam_policy" "developer" {
provider = aws.workspace
Expand Down Expand Up @@ -249,7 +310,6 @@ data "aws_iam_policy_document" "data_engineering_additional" {
#checkov:skip=CKV_AWS_110
#checkov:skip=CKV_AWS_356: Needs to access multiple resources
source_policy_documents = [data.aws_iam_policy_document.developer_additional.json] # this is a developer++ policy with additional permissions required for data engineering

statement {
sid = "DataEngineeringAllow"
effect = "Allow"
Expand Down Expand Up @@ -348,7 +408,8 @@ data "aws_iam_policy_document" "sandbox_additional" {
#checkov:skip=CKV_AWS_110
#checkov:skip=CKV2_AWS_40
#checkov:skip=CKV_AWS_356: Needs to access multiple resources
source_policy_documents = [data.aws_iam_policy_document.common_statements.json]
source_policy_documents = [data.aws_iam_policy_document.common_statements.json, data.aws_iam_policy_document.bedrock_console.json]
# added as a source document to ease retirement
statement {
sid = "sandboxAllow"
effect = "Allow"
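Review bot: `resources = ["*"]` in the new `bedrock_console` document (first hunk, `data "aws_iam_policy_document" "bedrock_console"`) is combined with account-wide actions that a sandbox or developer console user does not need: `bedrock:PutModelInvocationLoggingConfiguration` lets the role holder change or switch off Bedrock invocation logging, and `bedrock:PutFoundationModelEntitlement`, `bedrock:CreateFoundationModelAgreement` and `bedrock:DeleteFoundationModelAgreement` accept or cancel model-access terms for the whole account. The comment says the list is copied from the AWS console example, but those lines should be removed from this document (or moved to a separately attached admin-only document) so that audit settings and model agreements cannot be altered from a delegated role, leaving the `#tfsec:ignore` and `CKV_AWS_111`/`CKV_AWS_356` skips to cover only the model and agent actions. The `CKV_AWS_111` justification `This is a service policy` also does not match what the third hunk does, which is to attach the document to `sandbox_additional`, a role assumed by people; a line such as `#checkov:skip=CKV_AWS_111: console actions are not resource-scoped in the AWS console example` would state the real reason. The description says both the sandbox and developer roles receive the policy, but only the `sandbox_additional` change is visible here; the `developer` resource at the end of the first hunk is context only, so the developer attachment is presumably in a collapsed part of the file.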

