adding cross-inference into dev and batch inference into prod (#6571)

* adding cross-inference into dev and batch inference into prod * linter * add data block * linter
ministryofjustice · Jan 17, 2025 · cae7055 · cae7055
1 parent d247321
commit cae7055
Show file tree

Hide file tree

Showing 3 changed files with 95 additions and 1 deletion.
diff --git a/terraform/aws/analytical-platform-data-production/tooling-iam/data.tf b/terraform/aws/analytical-platform-data-production/tooling-iam/data.tf
@@ -0,0 +1 @@
+data "aws_caller_identity" "current" {}
diff --git a/...m/aws/analytical-platform-data-production/tooling-iam/tooling-integration-iam-policies.tf b/...m/aws/analytical-platform-data-production/tooling-iam/tooling-integration-iam-policies.tf
@@ -49,7 +49,11 @@ data "aws_iam_policy_document" "bedrock_integration" {
       "bedrock:CreateFoundationModelAgreement",
       "bedrock:DeleteFoundationModelAgreement",
       "bedrock:ListFoundationModelAgreementOffers",
-      "bedrock:GetUseCaseForModelAccess"
+      "bedrock:GetUseCaseForModelAccess",
+      "bedrock:CreateModelInvocationJob",
+      "bedrock:GetModelInvocationJob",
+      "bedrock:ListModelInvocationJobs",
+      "bedrock:StopModelInvocationJob"
     ]
     resources = ["*"]
     condition {
@@ -72,6 +76,81 @@ resource "aws_iam_policy" "bedrock_integration" {
   policy      = data.aws_iam_policy_document.bedrock_integration.json
 }
 
+##################################################
+# Bedrock Batch Inference
+##################################################
+
+data "aws_iam_policy_document" "bedrock_batch_inference" {
+  statement {
+    sid     = "AllowBedrockAssumeRoleForBatchInference"
+    actions = ["sts:AssumeRole"]
+    condition {
+      test     = "StringEquals"
+      variable = "aws:SourceAccount"
+      values   = [data.aws_caller_identity.current.account_id]
+    }
+    condition {
+      test     = "ArnLike"
+      variable = "aws:SourceArn"
+      values   = ["arn:aws:bedrock:*:${data.aws_caller_identity.current.account_id}:model-invocation-job/*"]
+    }
+    effect = "Allow"
+    principals {
+      type        = "Service"
+      identifiers = ["bedrock.amazonaws.com"]
+    }
+  }
+}
+
+resource "aws_iam_role" "bedrock_batch_inference" {
+  name               = "bedrock-batch-inference-role"
+  description        = "IAM role for AWS Bedrock to perform batch inference tasks as part of model invocation workflows."
+  assume_role_policy = data.aws_iam_policy_document.bedrock_batch_inference.json
+}
+
+resource "aws_iam_role_policy_attachment" "bedrock_batch_inference" {
+  role       = aws_iam_role.bedrock_batch_inference.name
+  policy_arn = aws_iam_policy.bedrock_integration.arn
+}
+
+# Bedrock Batch Inference s3 access
+data "aws_iam_policy_document" "bedrock_batch_inference_s3_access" {
+  statement {
+    sid    = "BedrockBatchInferenceS3Access"
+    effect = "Allow"
+
+    actions = [
+      "s3:GetObject",
+      "s3:PutObject",
+      "s3:ListBucket",
+    ]
+
+    resources = [
+      "arn:aws:s3:::*"
+    ]
+
+    condition {
+      test     = "StringEquals"
+      variable = "aws:ResourceAccount"
+      values = [
+        data.aws_caller_identity.current.account_id
+      ]
+    }
+  }
+}
+
+resource "aws_iam_policy" "bedrock_batch_inference_s3_access" {
+  name        = "bedrock-batch-inference-s3-access"
+  description = "S3 access policy for Bedrock batch inference."
+  policy      = data.aws_iam_policy_document.bedrock_batch_inference_s3_access.json
+}
+
+resource "aws_iam_role_policy_attachment" "bedrock_batch_inference_s3_access" {
+  role       = aws_iam_role.bedrock_batch_inference.name
+  policy_arn = aws_iam_policy.bedrock_batch_inference_s3_access.arn
+}
+
+
 #tfsec:ignore:aws-iam-no-policy-wildcards
 data "aws_iam_policy_document" "textract_integration" {
   #checkov:skip=CKV_AWS_111: This is a service policy

diff --git a/terraform/aws/analytical-platform-development/cluster/tooling-integration-iam-policies.tf b/terraform/aws/analytical-platform-development/cluster/tooling-integration-iam-policies.tf
@@ -54,6 +54,7 @@ data "aws_iam_policy_document" "bedrock_integration" {
       "bedrock:CreateModelInvocationJob",
       "bedrock:GetModelInvocationJob",
       "bedrock:ListModelInvocationJobs",
+      "bedrock:GetInferenceProfiles",
       "bedrock:StopModelInvocationJob"
     ]
 
@@ -156,6 +157,19 @@ data "aws_iam_policy_document" "bedrock_batch_inference" {
       identifiers = ["bedrock.amazonaws.com"]
     }
   }
+  statement {
+    sid    = "CrossRegionInference"
+    effect = "Allow"
+
+    actions = [
+      "bedrock:InvokeModel"
+    ]
+
+    resources = [
+      "arn:aws:bedrock:*::inference-profile/*",
+      "arn:aws:bedrock:*::foundation-model/*"
+    ]
+  }
 }
 
 resource "aws_iam_role" "bedrock_batch_inference" {