Created
November 6, 2024 16:51
-
-
Save shashank-elastic/290218cd4e787f65fbcbfd6423a0ca85 to your computer and use it in GitHub Desktop.
The gist contains terraform configuration files that would help setup Amazon Bedrock Infrastructure that could be integrated with Elastic Amazon Bedrock Integration.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // data sources | |
| data "aws_region" "current" {} | |
| data "aws_caller_identity" "current" {} | |
| // Creates an S3 bucket (aws_s3_bucket.bedrock_logs) | |
| resource "aws_s3_bucket" "bedrock_logs" { | |
| bucket = "example-bucket-name" | |
| acl = "private" | |
| tags = var.labels | |
| force_destroy = true | |
| } | |
| // Configures a policy to allow S3 to send messages to the SQS queue. | |
| resource "aws_s3_bucket_policy" "bedrock_invocation_logging" { | |
| bucket = aws_s3_bucket.bedrock_logs.bucket | |
| // https://docs.aws.amazon.com/bedrock/latest/userguide/model-invocation-logging.html | |
| policy = <<EOF | |
| { | |
| "Version": "2012-10-17", | |
| "Statement": [ | |
| { | |
| "Sid": "AmazonBedrockLogsWrite", | |
| "Effect": "Allow", | |
| "Principal": { | |
| "Service": "bedrock.amazonaws.com" | |
| }, | |
| "Action": [ | |
| "s3:PutObject" | |
| ], | |
| "Resource": [ | |
| "${aws_s3_bucket.bedrock_logs.arn}/*" | |
| ], | |
| "Condition": { | |
| "StringEquals": { | |
| "aws:SourceAccount": "${data.aws_caller_identity.current.account_id}" | |
| }, | |
| "ArnLike": { | |
| "aws:SourceArn": "arn:aws:bedrock:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:*" | |
| } | |
| } | |
| } | |
| ] | |
| } | |
| EOF | |
| } | |
| // Creates an Amazon Bedrock logging configuration | |
| // https://docs.aws.amazon.com/bedrock/latest/userguide/model-invocation-logging.html | |
| resource "aws_bedrock_model_invocation_logging_configuration" "bedrock_logs" { | |
| depends_on = [ | |
| aws_s3_bucket_policy.bedrock_invocation_logging | |
| ] | |
| logging_config { | |
| embedding_data_delivery_enabled = true | |
| image_data_delivery_enabled = true | |
| text_data_delivery_enabled = true | |
| s3_config { | |
| bucket_name = aws_s3_bucket.bedrock_logs.bucket | |
| key_prefix = data.aws_region.current.name | |
| } | |
| } | |
| } | |
| //Creates an AWS SQS Queue configuration | |
| resource "aws_sqs_queue" "bedrock_log_notifications" { | |
| name = "example-bedrock-log-notifications" | |
| tags = var.labels | |
| policy = <<POLICY | |
| { | |
| "Version": "2012-10-17", | |
| "Id": "sqspolicy", | |
| "Statement": [ | |
| { | |
| "Effect": "Allow", | |
| "Principal": "*", | |
| "Action": "sqs:SendMessage", | |
| "Resource": "arn:aws:sqs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:bedrock-log-notifications", | |
| "Condition": { | |
| "ArnEquals": { "aws:SourceArn": "${aws_s3_bucket.bedrock_logs.arn}" } | |
| } | |
| } | |
| ] | |
| } | |
| POLICY | |
| } | |
| //Creates an IAM role (aws_iam_role.s3_to_sqs_role) and attaches policies for S3 to send messages to SQS and configures S3 Bucket Notification | |
| resource "aws_iam_role" "s3_to_sqs_role" { | |
| name = "s3_to_sqs_role" | |
| assume_role_policy = jsonencode({ | |
| Version = "2012-10-17" | |
| Statement = [ | |
| { | |
| Effect = "Allow" | |
| Principal = { | |
| Service = "s3.amazonaws.com" | |
| } | |
| Action = "sts:AssumeRole" | |
| } | |
| ] | |
| }) | |
| } | |
| resource "aws_iam_policy" "s3_to_sqs_policy" { | |
| name = "s3_to_sqs_policy" | |
| policy = jsonencode({ | |
| Version = "2012-10-17" | |
| Statement = [ | |
| { | |
| Effect = "Allow" | |
| Action = "sqs:SendMessage" | |
| Resource = aws_sqs_queue.bedrock_log_notifications.arn | |
| } | |
| ] | |
| }) | |
| } | |
| resource "aws_iam_role_policy_attachment" "s3_to_sqs_attachment" { | |
| role = aws_iam_role.s3_to_sqs_role.name | |
| policy_arn = aws_iam_policy.s3_to_sqs_policy.arn | |
| } | |
| resource "aws_sqs_queue_policy" "allow_s3" { | |
| queue_url = aws_sqs_queue.bedrock_log_notifications.id | |
| policy = jsonencode({ | |
| Version = "2012-10-17" | |
| Statement = [ | |
| { | |
| Effect = "Allow" | |
| Principal = "*" | |
| Action = "sqs:SendMessage" | |
| Resource = aws_sqs_queue.bedrock_log_notifications.arn | |
| Condition = { | |
| ArnEquals = { | |
| "aws:SourceArn" = aws_s3_bucket.bedrock_logs.arn | |
| } | |
| } | |
| } | |
| ] | |
| }) | |
| } | |
| resource "aws_s3_bucket_notification" "cloudtrail" { | |
| bucket = aws_s3_bucket.bedrock_logs.id | |
| queue { | |
| queue_arn = aws_sqs_queue.bedrock_log_notifications.arn | |
| events = ["s3:ObjectCreated:*"] | |
| } | |
| } | |
| //Creates an IAM role (aws_iam_role.ec2_role) and attaches policies for S3 access and EC2 Instance Connect. | |
| resource "aws_iam_role" "ec2_role" { | |
| name = "ec2_role" | |
| assume_role_policy = jsonencode({ | |
| Version = "2012-10-17" | |
| Statement = [ | |
| { | |
| Effect = "Allow" | |
| Principal = { | |
| Service = "ec2.amazonaws.com" | |
| } | |
| Action = "sts:AssumeRole" | |
| } | |
| ] | |
| }) | |
| } | |
| resource "aws_iam_policy" "s3_access_policy" { | |
| name = "s3_access_policy" | |
| policy = jsonencode({ | |
| Version = "2012-10-17" | |
| Statement = [ | |
| { | |
| Effect = "Allow" | |
| Action = [ | |
| "s3:ListBucket", | |
| "s3:GetObject", | |
| "s3:PutObject" | |
| ] | |
| Resource = [ | |
| aws_s3_bucket.bedrock_logs.arn, | |
| "${aws_s3_bucket.bedrock_logs.arn}/*" | |
| ] | |
| } | |
| ] | |
| }) | |
| } | |
| resource "aws_iam_role_policy_attachment" "attach_s3_policy" { | |
| role = aws_iam_role.ec2_role.name | |
| policy_arn = aws_iam_policy.s3_access_policy.arn | |
| } | |
| resource "aws_iam_instance_profile" "ec2_instance_profile" { | |
| name = "ec2_instance_profile" | |
| role = aws_iam_role.ec2_role.name | |
| } | |
| // Optional to use to create a security group and attach to the instance | |
| resource "aws_security_group" "allow_ssh" { | |
| name = "allow_ssh" | |
| description = "Allow SSH inbound traffic" | |
| vpc_id = "user_vpc_id" | |
| ingress { | |
| from_port = 22 | |
| to_port = 22 | |
| protocol = "tcp" | |
| cidr_blocks = ["whitelisted IP block for SSH"] | |
| } | |
| egress { | |
| from_port = 0 | |
| to_port = 0 | |
| protocol = "-1" | |
| cidr_blocks = ["0.0.0.0/0"] | |
| } | |
| } | |
| // Creates an EC2 Instance (aws_instance.awsbedrock_instance) and attaches to the instance profile (aws_iam_instance_profile.ec2_instance_profile.name) with an existing security group that allows SSH access to the instance | |
| resource "aws_instance" "awsbedrock_instance" { | |
| ami = "Replace with a valid AMI ID " | |
| instance_type = "Replace with desired instance type" | |
| iam_instance_profile = aws_iam_instance_profile.ec2_instance_profile.name | |
| // Refer **security_group for additional details | |
| security_groups = ["existing_security_group_for_ssh_access"] // or [aws_security_group.allow_ssh.name] | |
| tags = merge( | |
| var.labels, | |
| { | |
| Name = "awsbedrock-instance" | |
| } | |
| ) | |
| } | |
| // Creates an Amazon Bedrock Guardrail to deny model access for certain high-risk topics. | |
| resource "aws_bedrock_guardrail" "banking_assistant" { | |
| name = "Banking-Assisant" | |
| blocked_input_messaging = "Sorry, the model cannot answer this question." | |
| blocked_outputs_messaging = "Sorry, the model cannot answer this question." | |
| description = "Personal Banking Assistant" | |
| content_policy_config { | |
| filters_config { | |
| input_strength = "HIGH" | |
| output_strength = "HIGH" | |
| type = "HATE" | |
| } | |
| filters_config { | |
| input_strength = "HIGH" | |
| output_strength = "HIGH" | |
| type = "INSULTS" | |
| } | |
| filters_config { | |
| input_strength = "HIGH" | |
| output_strength = "HIGH" | |
| type = "SEXUAL" | |
| } | |
| filters_config { | |
| input_strength = "HIGH" | |
| output_strength = "HIGH" | |
| type = "VIOLENCE" | |
| } | |
| filters_config { | |
| input_strength = "HIGH" | |
| output_strength = "HIGH" | |
| type = "MISCONDUCT" | |
| } | |
| filters_config { | |
| input_strength = "HIGH" | |
| output_strength = "NONE" | |
| type = "PROMPT_ATTACK" | |
| } | |
| } | |
| contextual_grounding_policy_config { | |
| filters_config { | |
| threshold = "0.99" | |
| type = "GROUNDING" | |
| } | |
| filters_config { | |
| threshold = "0.99" | |
| type = "RELEVANCE" | |
| } | |
| } | |
| sensitive_information_policy_config { | |
| pii_entities_config { | |
| action = "BLOCK" | |
| type = "INTERNATIONAL_BANK_ACCOUNT_NUMBER" | |
| } | |
| } | |
| topic_policy_config { | |
| topics_config { | |
| name = "Retrive Account Number Information" | |
| examples = ["Can I get a sample Account number.", "How will the account number be designed"] | |
| type = "DENY" | |
| definition = "Prompts that can access Account information of a specified employee" | |
| } | |
| topics_config { | |
| name = "Robbing A Bank" | |
| examples = ["How can I rob karnataka bank"] | |
| type = "DENY" | |
| definition = "Detailed Guidance to Rob a Bank" | |
| } | |
| } | |
| word_policy_config { | |
| managed_word_lists_config { | |
| type = "PROFANITY" | |
| } | |
| } | |
| } |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // Outputs the ARN of the S3 bucket created for storing Amazon Bedrockmodel invocation logs. | |
| output "bucket_arn" { | |
| description = "ARN of the bucket holding Amazon Bedrockmodel invocation logs." | |
| value = aws_s3_bucket.bedrock_logs.arn | |
| } | |
| // Outputs the URL of the SQS queue that receives notifications for new objects created in the S3 bucket. | |
| output "sqs_queue" { | |
| description = "URL to the SQS queue containing S3 ObjectCreated notifications for new Bedrock log data." | |
| value = aws_sqs_queue.bedrock_log_notifications.url | |
| } | |
| // Outputs the ID of the EC2 instance created for installing the Elastic Agent and streaming logs. | |
| output "ec2-instance" { | |
| description = "EC2 Instance to install Elastic Agent and stream logs" | |
| value = aws_instance.awsbedrock_instance.id | |
| } | |
| output "guardrail_id"{ | |
| description = "Amazon BedrockGuardrail ID" | |
| value = aws_bedrock_guardrail.banking_assistant.guardrail_id | |
| } | |
| output "guardrail_version"{ | |
| description = "Amazon BedrockGuardrail Version" | |
| value = aws_bedrock_guardrail.banking_assistant.version | |
| } |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| terraform { | |
| required_providers { | |
| aws = { | |
| source = "hashicorp/aws" | |
| version = ">= 5.26.0" | |
| } | |
| } | |
| } | |
| provider "aws" { | |
| region = "us-east-1" // Default region can be modified based on user setup | |
| profile = "{{ AWS PROFILE NAME }}" // Specify the AWS Account ID (12 digits) or account alias | |
| } |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| variable "aws_region" { | |
| type = string | |
| default = "us-east-1" | |
| } | |
| // Customisible Metadata of the Resource in key-value pairs | |
| variable "labels" { | |
| description = "Resource labels." | |
| default = { | |
| division = "user divison" | |
| org = "user org" | |
| team = "user team" | |
| managed_by = "terraform" | |
| } } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment