iSharkFly-Docs/amazon-bedrock-agentcore-samples
1
0
Fork 0
mirror of synced 2026-05-22 14:43:35 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
main
amazon-bedrock-agentcore-sa…/04-infrastructure-as-code/terraform/end-to-end-weather-agent/iam.tf
T

234 lines
6.3 KiB
Terraform
Raw Permalink Normal View History

Add Terraform Infrastructure-as-Code (IaC) patterns for AgentCore deployment (#654)
2025-11-24 07:38:56 -06:00
# Data sources
data "aws_caller_identity" "current" {}
data "aws_region" "current" {}
# ============================================================================
# Weather Agent Execution Role - For AgentCore Runtime
# ============================================================================
resource "aws_iam_role" "agent_execution" {
name = "${var.stack_name}-agent-execution-role"
assume_role_policy = jsonencode({
Version = "2012-10-17"
Statement = [{
Sid = "AssumeRolePolicy"
Effect = "Allow"
Principal = {
Service = "bedrock-agentcore.amazonaws.com"
}
Action = "sts:AssumeRole"
Condition = {
StringEquals = {
"aws:SourceAccount" = data.aws_caller_identity.current.id
}
ArnLike = {
"aws:SourceArn" = "arn:aws:bedrock-agentcore:${data.aws_region.current.id}:${data.aws_caller_identity.current.id}:*"
}
}
}]
})
tags = {
Name = "${var.stack_name}-agent-execution-role"
Module = "IAM"
Agent = "WeatherAgent"
}
}
# Attach AWS managed policy for AgentCore
resource "aws_iam_role_policy_attachment" "agent_execution_managed" {
role = aws_iam_role.agent_execution.name
policy_arn = "arn:aws:iam::aws:policy/BedrockAgentCoreFullAccess"
}
# Inline policy for agent execution
resource "aws_iam_role_policy" "agent_execution" {
name = "AgentCoreExecutionPolicy"
role = aws_iam_role.agent_execution.id
policy = jsonencode({
Version = "2012-10-17"
Statement = [
# ECR Access
{
Sid = "ECRImageAccess"
Effect = "Allow"
Action = [
"ecr:BatchGetImage",
"ecr:GetDownloadUrlForLayer",
"ecr:BatchCheckLayerAvailability"
]
Resource = aws_ecr_repository.weather_ecr.arn
},
{
Sid = "ECRTokenAccess"
Effect = "Allow"
Action = ["ecr:GetAuthorizationToken"]
Resource = "*"
},
# CloudWatch Logs
{
Sid = "CloudWatchLogs"
Effect = "Allow"
Action = [
"logs:DescribeLogStreams",
"logs:CreateLogGroup",
"logs:DescribeLogGroups",
"logs:CreateLogStream",
"logs:PutLogEvents"
]
Resource = "arn:aws:logs:${data.aws_region.current.id}:${data.aws_caller_identity.current.id}:log-group:/aws/bedrock-agentcore/runtimes/*"
},
# X-Ray Tracing
{
Sid = "XRayTracing"
Effect = "Allow"
Action = [
"xray:PutTraceSegments",
"xray:PutTelemetryRecords",
"xray:GetSamplingRules",
"xray:GetSamplingTargets"
]
Resource = "*"
},
# CloudWatch Metrics
{
Sid = "CloudWatchMetrics"
Effect = "Allow"
Action = ["cloudwatch:PutMetricData"]
Resource = "*"
Condition = {
StringEquals = {
"cloudwatch:namespace" = "bedrock-agentcore"
}
}
},
# Bedrock Model Invocation
{
Sid = "BedrockModelInvocation"
Effect = "Allow"
Action = [
"bedrock:InvokeModel",
"bedrock:InvokeModelWithResponseStream"
]
Resource = "*"
},
# Workload Access Tokens
{
Sid = "GetAgentAccessToken"
Effect = "Allow"
Action = [
"bedrock-agentcore:GetWorkloadAccessToken",
"bedrock-agentcore:GetWorkloadAccessTokenForJWT",
"bedrock-agentcore:GetWorkloadAccessTokenForUserId"
]
Resource = [
"arn:aws:bedrock-agentcore:${data.aws_region.current.id}:${data.aws_caller_identity.current.id}:workload-identity-directory/default",
"arn:aws:bedrock-agentcore:${data.aws_region.current.id}:${data.aws_caller_identity.current.id}:workload-identity-directory/default/workload-identity/*"
]
},
# S3 Access for Results Bucket
{
Sid = "S3ResultsAccess"
Effect = "Allow"
Action = [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject",
"s3:ListBucket"
]
Resource = [
aws_s3_bucket.results.arn,
"${aws_s3_bucket.results.arn}/*"
]
}
]
})
}
# ============================================================================
# CodeBuild Service Role - For Docker Image Building
# ============================================================================
resource "aws_iam_role" "codebuild" {
name = "${var.stack_name}-codebuild-role"
assume_role_policy = jsonencode({
Version = "2012-10-17"
Statement = [{
Effect = "Allow"
Principal = {
Service = "codebuild.amazonaws.com"
}
Action = "sts:AssumeRole"
}]
})
tags = {
Name = "${var.stack_name}-codebuild-role"
Module = "IAM"
}
}
# Inline policy for CodeBuild
resource "aws_iam_role_policy" "codebuild" {
name = "CodeBuildPolicy"
role = aws_iam_role.codebuild.id
policy = jsonencode({
Version = "2012-10-17"
Statement = [
# CloudWatch Logs
{
Sid = "CloudWatchLogs"
Effect = "Allow"
Action = [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents"
]
Resource = "arn:aws:logs:${data.aws_region.current.id}:${data.aws_caller_identity.current.id}:log-group:/aws/codebuild/*"
},
# ECR Access
{
Sid = "ECRAccess"
Effect = "Allow"
Action = [
"ecr:BatchCheckLayerAvailability",
"ecr:GetDownloadUrlForLayer",
"ecr:BatchGetImage",
"ecr:GetAuthorizationToken",
"ecr:PutImage",
"ecr:InitiateLayerUpload",
"ecr:UploadLayerPart",
"ecr:CompleteLayerUpload"
]
Resource = [
aws_ecr_repository.weather_ecr.arn,
"*"
]
},
# S3 Source Access
{
Sid = "S3SourceAccess"
Effect = "Allow"
Action = [
"s3:GetObject",
"s3:GetObjectVersion"
]
Resource = "${aws_s3_bucket.agent_source.arn}/*"
},
{
Sid = "S3BucketAccess"
Effect = "Allow"
Action = [
"s3:ListBucket",
"s3:GetBucketLocation"
]
Resource = aws_s3_bucket.agent_source.arn
}
]
})
}
Reference in New Issue Copy Permalink