From 44ecb010b5f4e7dbe84ab13b221852d3f6f2c945 Mon Sep 17 00:00:00 2001
From: Xavier Schildwachter
Date: Wed, 6 Nov 2024 16:59:46 -0800
Subject: [PATCH 1/8] Add role
---
 .../745-bedrock-agent-role/_tasks.yaml | 14 ++++++++
 .../bedrock-agent-role.yaml | 35 +++++++++++++++++++
 2 files changed, 49 insertions(+)
 create mode 100644 org-formation/745-bedrock-agent-role/_tasks.yaml
 create mode 100644 org-formation/745-bedrock-agent-role/bedrock-agent-role.yaml
diff --git a/org-formation/745-bedrock-agent-role/_tasks.yaml b/org-formation/745-bedrock-agent-role/_tasks.yaml
new file mode 100644
index 00000000..f9b5065f
--- /dev/null
+++ b/org-formation/745-bedrock-agent-role/_tasks.yaml
@@ -0,0 +1,14 @@
+Parameters:
+ <<: !Include '../_parameters.yaml'
+
+ appName:
+ Type: String
+ Default: 'BedrockAgentRole'
+
+BedrockAgentRole:
+ Type: update-stacks
+ Template: ./bedrock-agent-role.yaml
+ StackName: !Sub '${resourcePrefix}-${appName}-BedrockAgentRole'
+ DefaultOrganizationBindingRegion: !Ref primaryRegion
+ DefaultOrganizationBinding:
+ Account: !Ref SynapseLlmProdAccount
diff --git a/org-formation/745-bedrock-agent-role/bedrock-agent-role.yaml b/org-formation/745-bedrock-agent-role/bedrock-agent-role.yaml
new file mode 100644
index 00000000..60eff41c
--- /dev/null
+++ b/org-formation/745-bedrock-agent-role/bedrock-agent-role.yaml
@@ -0,0 +1,35 @@
+AWSTemplateFormatVersion: '2010-09-09'
+Description: Enables executing a Bedrock model
+
+Resources:
+ bedrockAgentRole:
+ Type: AWS::IAM::Role
+ Properties:
+ AssumeRolePolicyDocument:
+ Version: 2012-10-17
+ Statement:
+ - Effect: Allow
+ Principal:
+ Service: bedrock.amazonaws.com
+ Action: sts:AssumeRole
+ Condition:
+ StringEquals:
+ aws:SourceAccount: !Ref AWS::AccountId
+ ArnLike:
+ aws:SourceArn: !Sub "arn:aws:bedrock:${AWS::Region}:${AWS::AccountId}:agent/*"
+ Policies:
+ - PolicyName: bedrockAgentPolicy
+ PolicyDocument:
+ Version: "2012-10-17"
+ Statement:
+ - Effect: Allow
+ Action: "bedrock:InvokeModel"
+ Resource:
+ - !Sub "arn:aws:bedrock:${AWS::Region}::foundation-model/*"
+
+Outputs:
+ BedrockAgentRoleArn:
+ Description: The ARN of the Bedrock Agent Role
+ Value: !GetAtt bedrockAgentRole.Arn
+ Export:
+ Name: BedrockAgentRoleArn
From 92f7d2fcc04ffe80dd732f4c75418369409b2fa6 Mon Sep 17 00:00:00 2001
From: Xavier Schildwachter
Date: Thu, 7 Nov 2024 13:37:34 -0800
Subject: [PATCH 2/8] Move policy from inline to managed
---
 org-formation/600-access/_tasks.yaml | 28 +++++++++++++++++++++++++++
 org-formation/700-aws-sso/_tasks.yaml | 12 ------------
 2 files changed, 28 insertions(+), 12 deletions(-)
diff --git a/org-formation/600-access/_tasks.yaml b/org-formation/600-access/_tasks.yaml
index b05660af..b5609d6e 100644
--- a/org-formation/600-access/_tasks.yaml
+++ b/org-formation/600-access/_tasks.yaml
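Review bot: The trust policy's `Version: 2012-10-17` is unquoted while the inline policy a few lines below quotes the same value; CloudFormation tolerates the bare form, but to a generic YAML 1.1 loader it is a timestamp rather than the string IAM expects, so write `Version: "2012-10-17"` in both places. The permission statement allows `bedrock:InvokeModel` on `foundation-model/*`, i.e. every foundation model in the region; if the agents are meant to use a known set of models, listing those ARNs (or taking the model IDs as a template parameter) keeps the role at least privilege. The `aws:SourceAccount` and `aws:SourceArn` conditions on the trust policy are the right confused-deputy guard and are worth a one-line comment saying so, e.g. `# Only agents created in this account may assume the role`. The `Description` ("Enables executing a Bedrock model") undersells the resource; `Description: IAM role assumed by Amazon Bedrock agents in this account to invoke foundation models` tells the next reader what the stack is for.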
@@ -388,3 +388,31 @@ SynapseAthenaUserAccessPolicy:
 ]
 }
 PolicyName: SynapseAthenaUserAccessPolicy
+
+SynapseLlmBedrockAgentPolicy:
+ Type: update-stacks
+ Template: https://raw.githubusercontent.com/Sage-Bionetworks/aws-infra/v0.5.1/templates/IAM/managed-policy.yaml
+ StackName: synapsellm-bedrock-agent-policy
+ DefaultOrganizationBinding:
+ IncludeMasterAccount: true
+ Account:
+ - SynapseLlmProdAccount
+ Region: !Ref primaryRegion
+ Parameters:
+ PolicyDocument: >-
+ {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": "s3:*",
+ "Resource": "arn:aws:s3:::cf-template*"
+ },
+ {
+ "Effect": "Allow",
+ "Action": "iam:PassRole",
+ "Resource": "*"
+ }
+ ]
+ }
+ PolicyName: SynapseLlmBedrockAgentPolicyName
diff --git a/org-formation/700-aws-sso/_tasks.yaml b/org-formation/700-aws-sso/_tasks.yaml
index bc2c9464..0ed14ba9 100644
--- a/org-formation/700-aws-sso/_tasks.yaml
+++ b/org-formation/700-aws-sso/_tasks.yaml
@@ -641,18 +641,6 @@ SsoLlmDeveloper:
 managedPolicies:
 - 'arn:aws:iam::aws:policy/AmazonBedrockFullAccess'
 - 'arn:aws:iam::aws:policy/AWSCloudFormationFullAccess'
-# https://stackoverflow.com/questions/58125181/cloud-formation-cant-upload-template-file
- inlinePolicy: >-
- {
- "Version": "2012-10-17",
- "Statement": [
- {
- "Effect": "Allow",
- "Action": "s3:*",
- "Resource": "arn:aws:s3:::cf-template*"
- }
- ]
- }
 sessionDuration: 'PT12H'
 # Role for a user that can only access AWS Athena in the Synapse Dev account
From 425e5f58cb68359ee47df88e4e193fafa75f08e7 Mon Sep 17 00:00:00 2001
From: Xavier Schildwachter
Date: Thu, 7 Nov 2024 14:21:25 -0800
Subject: [PATCH 3/8] Rename stack/policy
---
 org-formation/600-access/_tasks.yaml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/org-formation/600-access/_tasks.yaml b/org-formation/600-access/_tasks.yaml
index b5609d6e..1394a84e 100644
--- a/org-formation/600-access/_tasks.yaml
+++ b/org-formation/600-access/_tasks.yaml
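Review bot: The second statement of the new `PolicyDocument` grants `iam:PassRole` on `"Resource": "*"`, which lets any principal this managed policy is attached to hand any role in the account to any service; if, as the commit title suggests, it is meant for the `SsoLlmDeveloper` permission set that already carries `AWSCloudFormationFullAccess` and `AmazonBedrockFullAccess` (context lines of the next hunk), that is a route to privileges the developer role itself does not hold. Scope the statement to the agent role this series creates (its ARN is exported by the role stack) and to the consuming service, e.g. add `"Condition": {"StringEquals": {"iam:PassedToService": "bedrock.amazonaws.com"}}` alongside a concrete role ARN in `Resource`. The first statement's `s3:*` on `arn:aws:s3:::cf-template*` also covers bucket-level actions (bucket policy, ACL, delete) that uploading templates does not need; `s3:GetObject`, `s3:PutObject` and `s3:ListBucket` are the usual set, and the same applies to the identical inline policy restored in the `700-aws-sso/_tasks.yaml` hunk of patch 6. `IncludeMasterAccount: true` additionally creates this policy in the management account, which is worth confirming is intended.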
@@ -389,10 +389,10 @@ SynapseAthenaUserAccessPolicy:
 }
 PolicyName: SynapseAthenaUserAccessPolicy
-SynapseLlmBedrockAgentPolicy:
+SynapseLlmDeveloperPolicy:
 Type: update-stacks
 Template: https://raw.githubusercontent.com/Sage-Bionetworks/aws-infra/v0.5.1/templates/IAM/managed-policy.yaml
- StackName: synapsellm-bedrock-agent-policy
+ StackName: synapsellm-developer-policy
 DefaultOrganizationBinding:
 IncludeMasterAccount: true
 Account:
@@ -415,4 +415,4 @@ SynapseLlmBedrockAgentPolicy:
 }
 ]
 }
- PolicyName: SynapseLlmBedrockAgentPolicyName
+ PolicyName: SynapseLlmDeveloperPolicy
From bde215dc5d45a0a20afff3eeef46b2c1fa92e472 Mon Sep 17 00:00:00 2001
From: Xavier Schildwachter
Date: Mon, 11 Nov 2024 10:51:03 -0800
Subject: [PATCH 4/8] Fix per review
---
 org-formation/600-access/_tasks.yaml | 8 ++++++++
 .../bedrock-agent-role.yaml | 0
 org-formation/745-bedrock-agent-role/_tasks.yaml | 14 --------------
 3 files changed, 8 insertions(+), 14 deletions(-)
 rename org-formation/{745-bedrock-agent-role => 600-access}/bedrock-agent-role.yaml (100%)
 delete mode 100644 org-formation/745-bedrock-agent-role/_tasks.yaml
diff --git a/org-formation/600-access/_tasks.yaml b/org-formation/600-access/_tasks.yaml
index 1394a84e..a627b080 100644
--- a/org-formation/600-access/_tasks.yaml
+++ b/org-formation/600-access/_tasks.yaml
@@ -416,3 +416,11 @@ SynapseLlmDeveloperPolicy:
 ]
 }
 PolicyName: SynapseLlmDeveloperPolicy
+
+BedrockAgentRole:
+ Type: update-stacks
+ Template: ./bedrock-agent-role.yaml
+ StackName: !Sub '${resourcePrefix}-${appName}-BedrockAgentRole'
+ DefaultOrganizationBindingRegion: !Ref primaryRegion
+ DefaultOrganizationBinding:
+ Account: !Ref SynapseLlmProdAccount
diff --git a/org-formation/745-bedrock-agent-role/bedrock-agent-role.yaml b/org-formation/600-access/bedrock-agent-role.yaml
similarity index 100%
rename from org-formation/745-bedrock-agent-role/bedrock-agent-role.yaml
rename to org-formation/600-access/bedrock-agent-role.yaml
diff --git a/org-formation/745-bedrock-agent-role/_tasks.yaml b/org-formation/745-bedrock-agent-role/_tasks.yaml
deleted file mode 100644
index f9b5065f..00000000
--- a/org-formation/745-bedrock-agent-role/_tasks.yaml
+++ /dev/null
@@ -1,14 +0,0 @@
-Parameters:
- <<: !Include '../_parameters.yaml'
-
- appName:
- Type: String
- Default: 'BedrockAgentRole'
-
-BedrockAgentRole:
- Type: update-stacks
- Template: ./bedrock-agent-role.yaml
- StackName: !Sub '${resourcePrefix}-${appName}-BedrockAgentRole'
- DefaultOrganizationBindingRegion: !Ref primaryRegion
- DefaultOrganizationBinding:
- Account: !Ref SynapseLlmProdAccount
From 186507c9626eff119942487f0d42c7831378c1f7 Mon Sep 17 00:00:00 2001
From: Xavier Schildwachter
Date: Mon, 11 Nov 2024 11:04:15 -0800
Subject: [PATCH 5/8] Rename stack
---
 org-formation/600-access/_tasks.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/org-formation/600-access/_tasks.yaml b/org-formation/600-access/_tasks.yaml
index a627b080..93bb0625 100644
--- a/org-formation/600-access/_tasks.yaml
+++ b/org-formation/600-access/_tasks.yaml
@@ -420,7 +420,7 @@ SynapseLlmDeveloperPolicy:
 BedrockAgentRole:
 Type: update-stacks
 Template: ./bedrock-agent-role.yaml
- StackName: !Sub '${resourcePrefix}-${appName}-BedrockAgentRole'
+ StackName: bedrock-agent-role
 DefaultOrganizationBindingRegion: !Ref primaryRegion
 DefaultOrganizationBinding:
 Account: !Ref SynapseLlmProdAccount
From ffdc3e1755628fc5b1e55ece1de11f7efd47b3bf Mon Sep 17 00:00:00 2001
From: Xavier Schildwachter
Date: Mon, 11 Nov 2024 15:21:55 -0800
Subject: [PATCH 6/8] Restore inline policy per review
---
 org-formation/700-aws-sso/_tasks.yaml | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/org-formation/700-aws-sso/_tasks.yaml b/org-formation/700-aws-sso/_tasks.yaml
index 0ed14ba9..bc2c9464 100644
--- a/org-formation/700-aws-sso/_tasks.yaml
+++ b/org-formation/700-aws-sso/_tasks.yaml
@@ -641,6 +641,18 @@ SsoLlmDeveloper:
 managedPolicies:
 - 'arn:aws:iam::aws:policy/AmazonBedrockFullAccess'
 - 'arn:aws:iam::aws:policy/AWSCloudFormationFullAccess'
+# https://stackoverflow.com/questions/58125181/cloud-formation-cant-upload-template-file
+ inlinePolicy: >-
+ {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": "s3:*",
+ "Resource": "arn:aws:s3:::cf-template*"
+ }
+ ]
+ }
 sessionDuration: 'PT12H'
 # Role for a user that can only access AWS Athena in the Synapse Dev account
From e5631bacd27c1d4b5a3c76cb213a0ee7d0932010 Mon Sep 17 00:00:00 2001
From: Xavier Schildwachter
Date: Tue, 12 Nov 2024 14:10:17 -0800
Subject: [PATCH 7/8] Create agent role in all accounts per review
---
 org-formation/300-account-defaults/_tasks.yaml | 10 ++++++++++
 .../bedrock-agent-role.yaml | 1 +
 org-formation/600-access/_tasks.yaml | 8 --------
 3 files changed, 11 insertions(+), 8 deletions(-)
 rename org-formation/{600-access => 300-account-defaults}/bedrock-agent-role.yaml (93%)
diff --git a/org-formation/300-account-defaults/_tasks.yaml b/org-formation/300-account-defaults/_tasks.yaml
index 4f20e3b6..c278a4ca 100644
--- a/org-formation/300-account-defaults/_tasks.yaml
+++ b/org-formation/300-account-defaults/_tasks.yaml
@@ -55,3 +55,13 @@ ItKmsKey:
 IncludeMasterAccount: true
 Account: '*'
 Region: !Ref primaryRegion
+
+BedrockAgentRole:
+ Type: update-stacks
+ Template: ./bedrock-agent-role.yaml
+ StackName: bedrock-agent-role
+ DefaultOrganizationBindingRegion: !Ref primaryRegion
+ DefaultOrganizationBinding:
+ IncludeMasterAccount: false
+ Account: '*'
+ Region: !Ref primaryRegion
diff --git a/org-formation/600-access/bedrock-agent-role.yaml b/org-formation/300-account-defaults/bedrock-agent-role.yaml
similarity index 93%
rename from org-formation/600-access/bedrock-agent-role.yaml
rename to org-formation/300-account-defaults/bedrock-agent-role.yaml
index 60eff41c..cb3eead8 100644
--- a/org-formation/600-access/bedrock-agent-role.yaml
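Review bot: The new `BedrockAgentRole` task in `300-account-defaults/_tasks.yaml` sets the region twice, as `DefaultOrganizationBindingRegion: !Ref primaryRegion` and again as `Region: !Ref primaryRegion` inside `DefaultOrganizationBinding`; the neighbouring `ItKmsKey` task uses only the binding's `Region`, so dropping the top-level key keeps the file consistent. With `Account: '*'` the trust relationship to `bedrock.amazonaws.com` now exists in every member account rather than only the LLM production account; the role template's `aws:SourceAccount`/`aws:SourceArn` conditions still limit it to agents created in the same account, but a comment recording why the binding was widened would help, e.g. `# Any member account may host Bedrock agents; the role's trust policy limits it to agents in that account`. Because this is now an account default, a later change to the role's inline permissions rolls out organization-wide, which is worth keeping in mind when that template is next edited.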
+++ b/org-formation/300-account-defaults/bedrock-agent-role.yaml
@@ -2,6 +2,7 @@ AWSTemplateFormatVersion: '2010-09-09'
 Description: Enables executing a Bedrock model
 Resources:
+# https://docs.aws.amazon.com/bedrock/latest/userguide/agents-permissions.html
 bedrockAgentRole:
 Type: AWS::IAM::Role
 Properties:
diff --git a/org-formation/600-access/_tasks.yaml b/org-formation/600-access/_tasks.yaml
index 93bb0625..1394a84e 100644
--- a/org-formation/600-access/_tasks.yaml
+++ b/org-formation/600-access/_tasks.yaml
@@ -416,11 +416,3 @@ SynapseLlmDeveloperPolicy:
 ]
 }
 PolicyName: SynapseLlmDeveloperPolicy
-
-BedrockAgentRole:
- Type: update-stacks
- Template: ./bedrock-agent-role.yaml
- StackName: bedrock-agent-role
- DefaultOrganizationBindingRegion: !Ref primaryRegion
- DefaultOrganizationBinding:
- Account: !Ref SynapseLlmProdAccount
From 8cab8d74616c63cb21881437e3e22fa21b99f7ff Mon Sep 17 00:00:00 2001
From: Xavier Schildwachter
Date: Tue, 12 Nov 2024 17:26:41 -0800
Subject: [PATCH 8/8] Rename output per review
---
 org-formation/300-account-defaults/bedrock-agent-role.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/org-formation/300-account-defaults/bedrock-agent-role.yaml b/org-formation/300-account-defaults/bedrock-agent-role.yaml
index cb3eead8..5db1044b 100644
--- a/org-formation/300-account-defaults/bedrock-agent-role.yaml
+++ b/org-formation/300-account-defaults/bedrock-agent-role.yaml
@@ -33,4 +33,4 @@ Outputs:
 Description: The ARN of the Bedrock Agent Role
 Value: !GetAtt bedrockAgentRole.Arn
 Export:
- Name: BedrockAgentRoleArn
+ Name: !Sub '${AWS::StackName}-BedrockAgentRoleArn'
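Review bot: The added `# https://docs.aws.amazon.com/bedrock/latest/userguide/agents-permissions.html` comment appears to sit at column 0 between `Resources:` and the indented `bedrockAgentRole:` key (the `+#` marker carries no indentation, unlike the surrounding lines); YAML accepts that, but yamllint's comments-indentation rule flags a comment not aligned with the line it annotates, so indent it to match `bedrockAgentRole:`. The same applies to the `# https://stackoverflow.com/...` line restored above `inlinePolicy:` in the `700-aws-sso/_tasks.yaml` hunk of patch 6. A short phrase next to the link, e.g. `# Trust policy and permissions follow the Bedrock agent service-role guidance:`, would tell a reader what the reference is for without opening it.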