Tesfagabir Meharizghi 83b72e1dda Add Terraform Infrastructure-as-Code (IaC) patterns for AgentCore deployment (#654)
* feat: Add Terraform basic-runtime pattern

* Modified the Terraform basic-runtime with test script, README, default region

* feat: Add Terraform mcp-server-runtime pattern

* feat: Add Terraform multi-agent-runtime pattern

* feat: Add Terraform end-to-end-weather-agent runtime pattern

* Added Terraform main README

* Fixed basic runtime test script

* docs: add Terraform support to IaC README

* Renamed resources to more intuitive names, removed hardcoded values, cleaned README

* Enhanced Terraform READMEs

* Removed unused imports

---------

Co-authored-by: Tesfagabir Meharizghi <mehariz@amazon.com>
2025-11-24 08:38:56 -05:00


# Data sources
# Account id and region of the deploying credentials. Both are used below to
# pin the agent role's trust policy (aws:SourceAccount / aws:SourceArn) and to
# build account- and region-scoped resource ARNs for the inline policies.
data "aws_caller_identity" "current" {}
data "aws_region" "current" {}
# ============================================================================
# Agent Execution Role - For AgentCore Runtime
# ============================================================================
resource "aws_iam_role" "agent_execution" {
  # Execution role assumed by the AgentCore Runtime service principal.
  # The two conditions confine the trust to runtimes created in this account
  # and region, so a runtime in another account cannot assume this role.
  name = "${var.stack_name}-agent-execution-role"

  tags = {
    Module = "IAM"
    Name   = "${var.stack_name}-agent-execution-role"
  }

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid       = "AssumeRolePolicy"
        Effect    = "Allow"
        Action    = "sts:AssumeRole"
        Principal = { Service = "bedrock-agentcore.amazonaws.com" }
        Condition = {
          # Only runtimes owned by this account, in this region, may assume the role.
          StringEquals = { "aws:SourceAccount" = data.aws_caller_identity.current.id }
          ArnLike      = { "aws:SourceArn" = "arn:aws:bedrock-agentcore:${data.aws_region.current.id}:${data.aws_caller_identity.current.id}:*" }
        }
      }
    ]
  })
}
# Attach AWS managed policy for AgentCore
# Attach AWS managed policy for AgentCore.
# NOTE(review): BedrockAgentCoreFullAccess is a broad managed policy. The inline
# policy below already grants the runtime's specific ECR, logs, X-Ray, metrics,
# model-invocation and workload-token permissions, so this attachment widens the
# role well past that set. Confirm which additional actions the runtime actually
# needs and consider dropping it or replacing it with a scoped policy.
resource "aws_iam_role_policy_attachment" "agent_execution_managed" {
role = aws_iam_role.agent_execution.name
policy_arn = "arn:aws:iam::aws:policy/BedrockAgentCoreFullAccess"
}
# Inline policy for agent execution
# Inline policy for agent execution: what the runtime may do once it has
# assumed aws_iam_role.agent_execution. Resources are pinned to this account,
# region and stack wherever the action supports resource-level permissions.
resource "aws_iam_role_policy" "agent_execution" {
name = "AgentCoreExecutionPolicy"
role = aws_iam_role.agent_execution.id
policy = jsonencode({
Version = "2012-10-17"
Statement = [
# ECR Access - image pulls are pinned to the agent's own repository.
{
Sid = "ECRImageAccess"
Effect = "Allow"
Action = [
"ecr:BatchGetImage",
"ecr:GetDownloadUrlForLayer",
"ecr:BatchCheckLayerAvailability"
]
Resource = aws_ecr_repository.agent_ecr.arn
},
# ecr:GetAuthorizationToken does not support resource-level permissions, which
# is why it is kept in its own statement on "*" rather than widening the one above.
{
Sid = "ECRTokenAccess"
Effect = "Allow"
Action = ["ecr:GetAuthorizationToken"]
Resource = "*"
},
# CloudWatch Logs - limited to the AgentCore runtime log-group prefix.
{
Sid = "CloudWatchLogs"
Effect = "Allow"
Action = [
"logs:DescribeLogStreams",
"logs:CreateLogGroup",
"logs:DescribeLogGroups",
"logs:CreateLogStream",
"logs:PutLogEvents"
]
Resource = "arn:aws:logs:${data.aws_region.current.id}:${data.aws_caller_identity.current.id}:log-group:/aws/bedrock-agentcore/runtimes/*"
},
# X-Ray Tracing - these X-Ray actions are generally not resource-scopable, hence "*".
{
Sid = "XRayTracing"
Effect = "Allow"
Action = [
"xray:PutTraceSegments",
"xray:PutTelemetryRecords",
"xray:GetSamplingRules",
"xray:GetSamplingTargets"
]
Resource = "*"
},
# CloudWatch Metrics - "*" is unavoidable for PutMetricData, but the condition
# restricts writes to the bedrock-agentcore namespace.
{
Sid = "CloudWatchMetrics"
Effect = "Allow"
Action = ["cloudwatch:PutMetricData"]
Resource = "*"
Condition = {
StringEquals = {
"cloudwatch:namespace" = "bedrock-agentcore"
}
}
},
# Bedrock Model Invocation
# NOTE(review): "*" lets the runtime invoke any model available to the account.
# If the agent uses a known set of models, scope this to their foundation-model
# and/or inference-profile ARNs instead.
{
Sid = "BedrockModelInvocation"
Effect = "Allow"
Action = [
"bedrock:InvokeModel",
"bedrock:InvokeModelWithResponseStream"
]
Resource = "*"
},
# Workload Access Tokens - pinned to the default workload identity directory
# of this account/region and the identities beneath it.
{
Sid = "GetAgentAccessToken"
Effect = "Allow"
Action = [
"bedrock-agentcore:GetWorkloadAccessToken",
"bedrock-agentcore:GetWorkloadAccessTokenForJWT",
"bedrock-agentcore:GetWorkloadAccessTokenForUserId"
]
Resource = [
"arn:aws:bedrock-agentcore:${data.aws_region.current.id}:${data.aws_caller_identity.current.id}:workload-identity-directory/default",
"arn:aws:bedrock-agentcore:${data.aws_region.current.id}:${data.aws_caller_identity.current.id}:workload-identity-directory/default/workload-identity/*"
]
}
]
})
}
# ============================================================================
# CodeBuild Service Role - For Docker Image Building
# ============================================================================
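resource "aws_iam_role" "image_build" {
  # Service role assumed by the CodeBuild project that builds the agent image.
  name = "${var.stack_name}-codebuild-role"

  # Trust policy. Like the agent execution role above, the trust is limited to
  # CodeBuild acting on behalf of this account (aws:SourceAccount) so that a
  # project in another account cannot assume this role (confused-deputy guard).
  # aws:SourceArn is not added here: the project ARN would presumably reference
  # this role, which would create a dependency cycle - confirm if a project-level
  # pin is wanted.
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Sid    = "CodeBuildAssumeRole"
      Effect = "Allow"
      Principal = {
        Service = "codebuild.amazonaws.com"
      }
      Action = "sts:AssumeRole"
      Condition = {
        StringEquals = {
          "aws:SourceAccount" = data.aws_caller_identity.current.id
        }
      }
    }]
  })

  tags = {
    Name   = "${var.stack_name}-codebuild-role"
    Module = "IAM"
  }
}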
# Inline policy for CodeBuild
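resource "aws_iam_role_policy" "image_build" {
  # Permissions for the CodeBuild project: write build logs, pull/push the
  # agent image, and read the agent source bundle from S3.
  name = "CodeBuildPolicy"
  role = aws_iam_role.image_build.id

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      # CloudWatch Logs - limited to CodeBuild's log-group prefix.
      {
        Sid    = "CloudWatchLogs"
        Effect = "Allow"
        Action = [
          "logs:CreateLogGroup",
          "logs:CreateLogStream",
          "logs:PutLogEvents"
        ]
        Resource = "arn:aws:logs:${data.aws_region.current.id}:${data.aws_caller_identity.current.id}:log-group:/aws/codebuild/*"
      },
      # ECR image pull/push, pinned to the agent repository. The resource list
      # previously also contained "*", which made the repository ARN meaningless
      # and let the build push to any repository in the account. If the
      # Dockerfile pulls base layers from another private ECR repository in this
      # account, add that repository's ARN here rather than reverting to "*".
      {
        Sid    = "ECRAccess"
        Effect = "Allow"
        Action = [
          "ecr:BatchCheckLayerAvailability",
          "ecr:GetDownloadUrlForLayer",
          "ecr:BatchGetImage",
          "ecr:PutImage",
          "ecr:InitiateLayerUpload",
          "ecr:UploadLayerPart",
          "ecr:CompleteLayerUpload"
        ]
        Resource = aws_ecr_repository.agent_ecr.arn
      },
      # ecr:GetAuthorizationToken does not support resource-level permissions,
      # so it is the only ECR action kept on "*" - the same split the agent
      # execution policy above uses.
      {
        Sid      = "ECRTokenAccess"
        Effect   = "Allow"
        Action   = ["ecr:GetAuthorizationToken"]
        Resource = "*"
      },
      # S3 Source Access (for agent-code) - object reads under the source bucket.
      {
        Sid    = "S3SourceAccess"
        Effect = "Allow"
        Action = [
          "s3:GetObject",
          "s3:GetObjectVersion"
        ]
        Resource = "${aws_s3_bucket.agent_source.arn}/*"
      },
      # Bucket-level actions need the bucket ARN itself, not the object prefix.
      {
        Sid    = "S3BucketAccess"
        Effect = "Allow"
        Action = [
          "s3:ListBucket",
          "s3:GetBucketLocation"
        ]
        Resource = aws_s3_bucket.agent_source.arn
      }
    ]
  })
}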