From fb0b4f1d1fe466b59be69b3d9b50e9cab51aee87 Mon Sep 17 00:00:00 2001
From: Noah Paige
Date: Mon, 14 Oct 2024 13:30:58 -0400
Subject: [PATCH] Re format Lambda IAM Permissions CDK App
---
 deploy/stacks/lambda_api.py | 273 ++++++++++++++++++------------------
 1 file changed, 139 insertions(+), 134 deletions(-)
diff --git a/deploy/stacks/lambda_api.py b/deploy/stacks/lambda_api.py
index 962474b61..2c54c1975 100644
--- a/deploy/stacks/lambda_api.py
+++ b/deploy/stacks/lambda_api.py
@@ -155,7 +155,9 @@ def __init__(
 retention=getattr(logs.RetentionDays, self.log_retention_duration),
 ),
 description='dataall graphql function',
- role=self.create_function_role(envname, resource_prefix, 'graphql', pivot_role_name, vpc),
+ role=self.create_function_role(
+ envname, resource_prefix, 'graphql', pivot_role_name, vpc, self._get_bedrock_policy_statement()
+ ),
 code=_lambda.DockerImageCode.from_ecr(
 repository=ecr_repository, tag=image_tag, cmd=['api_handler.handler']
 ),
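Review bot: The new `role=` argument hands `self._get_bedrock_policy_statement()` straight to `create_function_role`, which concatenates it onto its own statement list; that getter is guarded by `@run_if(['modules.worksheets.features.nlq'])`, so if the decorator short-circuits to `None` when the nlq feature is off (its implementation is not in this patch, so this needs confirming), the list concatenation raises `TypeError` and the stack fails to synthesize for every deployment without that module. The old `add_bedrock_policy(role)` was side-effect-only, so a skipped call was harmless; a skipped call that is expected to return a list is not. Passing `self._get_bedrock_policy_statement() or []` here, or defaulting inside `create_function_role`, keeps the disabled path working. The enclosing `__init__` starts and ends outside this hunk.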
@@ -347,149 +349,153 @@ def create_lambda_sgs(self, envname, name, resource_prefix, vpc):
 return lambda_sg
 @run_if(['modules.worksheets.features.nlq'])
- def add_bedrock_policy(self, role):
- stmt = iam.PolicyStatement(
- actions=[
- 'bedrock:InvokeModel',
- 'bedrock:GetPrompt',
- 'bedrock:CreateFoundationModelAgreement',
- 'bedrock:InvokeFlow',
- ],
- resources=['*'],
- )
- role.add_to_policy(stmt)
-
- def create_function_role(self, envname, resource_prefix, fn_name, pivot_role_name, vpc):
- role_name = f'{resource_prefix}-{envname}-{fn_name}-role'
- statements = [
- iam.PolicyStatement(
- actions=[
- 'secretsmanager:GetSecretValue',
- 'kms:Decrypt',
- 'secretsmanager:DescribeSecret',
- 'ecs:RunTask',
- # 'bedrock:InvokeModel',
- 'kms:Encrypt',
- 'sqs:ReceiveMessage',
- 'kms:GenerateDataKey',
- 'sqs:SendMessage',
- 'ecs:DescribeClusters',
- 'ssm:GetParametersByPath',
- 'ssm:GetParameters',
- 'ssm:GetParameter',
- ],
- resources=[
- f'arn:aws:secretsmanager:{self.region}:{self.account}:secret:*{resource_prefix}*',
- f'arn:aws:secretsmanager:{self.region}:{self.account}:secret:*dataall*',
- f'arn:aws:ecs:{self.region}:{self.account}:cluster/*{resource_prefix}*',
- f'arn:aws:ecs:{self.region}:{self.account}:task-definition/*{resource_prefix}*:*',
- f'arn:aws:kms:{self.region}:{self.account}:key/*',
- f'arn:aws:sqs:{self.region}:{self.account}:*{resource_prefix}*',
- f'arn:aws:ssm:*:{self.account}:parameter/*dataall*',
- f'arn:aws:ssm:*:{self.account}:parameter/*{resource_prefix}*',
- ],
- ),
- iam.PolicyStatement(
- actions=[
- 'sts:AssumeRole',
- ],
- resources=[
- f'arn:aws:iam::*:role/{pivot_role_name}*',
- 'arn:aws:iam::*:role/cdk-hnb659fds-lookup-role-*',
- ],
- ),
- iam.PolicyStatement(
- actions=[
- 'ecs:ListTasks',
- ],
- resources=['*'],
- conditions={
- 'ArnEquals': {
- 'ecs:cluster': f'arn:aws:ecs:{self.region}:{self.account}:cluster/*{resource_prefix}*'
- }
- },
- ),
- iam.PolicyStatement(
- actions=[
- 'iam:PassRole',
- ],
- resources=[f'arn:aws:iam::{self.account}:role/{resource_prefix}-{envname}*'],
- ),
+ def _get_bedrock_policy_statement(self):
+ return [
 iam.PolicyStatement(
 actions=[
- 's3:GetObject',
- 's3:ListBucketVersions',
- 's3:ListBucket',
- 's3:GetBucketLocation',
- 's3:GetObjectVersion',
- 'logs:StartQuery',
- 'logs:DescribeLogGroups',
- 'logs:DescribeLogStreams',
- 'logs:DescribeQueries',
- 'logs:StopQuery',
- 'logs:GetQueryResults',
- 'logs:CreateLogGroup',
- 'logs:CreateLogStream',
- 'logs:PutLogEvents',
+ 'bedrock:InvokeModel',
+ 'bedrock:GetPrompt',
+ 'bedrock:CreateFoundationModelAgreement',
+ 'bedrock:InvokeFlow',
 ],
 resources=[
- f'arn:aws:s3:::{resource_prefix}-{envname}-{self.account}-{self.region}-resources/*',
- f'arn:aws:s3:::{resource_prefix}-{envname}-{self.account}-{self.region}-resources',
- f'arn:aws:logs:{self.region}:{self.account}:log-group:*{resource_prefix}*:log-stream:*',
- f'arn:aws:logs:{self.region}:{self.account}:log-group:*{resource_prefix}*',
+ f'arn:aws:bedrock:{self.region}:{self.account}:flow/*',
+ f'arn:aws:bedrock:{self.region}:{self.account}:prompt/*',
+ f'arn:aws:bedrock:{self.region}::foundation-model/*',
 ],
- ),
- iam.PolicyStatement(
- actions=[
- 'ec2:DescribeNetworkInterfaces',
- 'xray:PutTraceSegments',
- 'xray:PutTelemetryRecords',
- 'xray:GetSamplingRules',
- 'xray:GetSamplingTargets',
- 'xray:GetSamplingStatisticSummaries',
- 'cognito-idp:ListGroups',
- 'cognito-idp:ListUsersInGroup',
- ],
- resources=['*'],
- ),
- iam.PolicyStatement(
- actions=[
- 'ec2:CreateNetworkInterface',
- 'ec2:DeleteNetworkInterface',
- ],
- resources=[
- f'arn:aws:ec2:{self.region}:{self.account}:*/*',
- ],
- ),
- iam.PolicyStatement(
- actions=[
- 'ec2:AssignPrivateIpAddresses',
- 'ec2:UnassignPrivateIpAddresses',
- ],
- resources=[
- f'arn:aws:ec2:{self.region}:{self.account}:*/*',
- ],
- conditions={'StringEquals': {'ec2:VpcID': f'{vpc.vpc_id}'}},
- ),
- iam.PolicyStatement(
- actions=[
- 'aoss:APIAccessAll',
- ],
- resources=[
- f'arn:aws:aoss:{self.region}:{self.account}:collection/*',
- ],
- ),
- iam.PolicyStatement(
- actions=['events:EnableRule', 'events:DisableRule'],
- resources=[f'arn:aws:events:{self.region}:{self.account}:rule/dataall*'],
- ),
+ )
 ]
+ def create_function_role(self, envname, resource_prefix, fn_name, pivot_role_name, vpc, extra_statements=[]):
+ role_name = f'{resource_prefix}-{envname}-{fn_name}-role'
+ role_inline_policy = iam.Policy(
 self,
 f'{resource_prefix}-{envname}-{fn_name}-policy',
 policy_name=f'{resource_prefix}-{envname}-{fn_name}-policy',
- statements=statements,
+ statements=[
+ iam.PolicyStatement(
+ actions=[
+ 'secretsmanager:GetSecretValue',
+ 'kms:Decrypt',
+ 'secretsmanager:DescribeSecret',
+ 'ecs:RunTask',
+ 'kms:Encrypt',
+ 'sqs:ReceiveMessage',
+ 'kms:GenerateDataKey',
+ 'sqs:SendMessage',
+ 'ecs:DescribeClusters',
+ 'ssm:GetParametersByPath',
+ 'ssm:GetParameters',
+ 'ssm:GetParameter',
+ ],
+ resources=[
+ f'arn:aws:secretsmanager:{self.region}:{self.account}:secret:*{resource_prefix}*',
+ f'arn:aws:secretsmanager:{self.region}:{self.account}:secret:*dataall*',
+ f'arn:aws:ecs:{self.region}:{self.account}:cluster/*{resource_prefix}*',
+ f'arn:aws:ecs:{self.region}:{self.account}:task-definition/*{resource_prefix}*:*',
+ f'arn:aws:kms:{self.region}:{self.account}:key/*',
+ f'arn:aws:sqs:{self.region}:{self.account}:*{resource_prefix}*',
+ f'arn:aws:ssm:*:{self.account}:parameter/*dataall*',
+ f'arn:aws:ssm:*:{self.account}:parameter/*{resource_prefix}*',
+ ],
+ ),
+ iam.PolicyStatement(
+ actions=[
+ 'sts:AssumeRole',
+ ],
+ resources=[
+ f'arn:aws:iam::*:role/{pivot_role_name}*',
+ 'arn:aws:iam::*:role/cdk-hnb659fds-lookup-role-*',
+ ],
+ ),
+ iam.PolicyStatement(
+ actions=[
+ 'ecs:ListTasks',
+ ],
+ resources=['*'],
+ conditions={
+ 'ArnEquals': {
+ 'ecs:cluster': f'arn:aws:ecs:{self.region}:{self.account}:cluster/*{resource_prefix}*'
+ }
+ },
+ ),
+ iam.PolicyStatement(
+ actions=[
+ 'iam:PassRole',
+ ],
+ resources=[f'arn:aws:iam::{self.account}:role/{resource_prefix}-{envname}*'],
+ ),
+ iam.PolicyStatement(
+ actions=[
+ 's3:GetObject',
+ 's3:ListBucketVersions',
+ 's3:ListBucket',
+ 's3:GetBucketLocation',
+ 's3:GetObjectVersion',
+ 'logs:StartQuery',
+ 'logs:DescribeLogGroups',
+ 'logs:DescribeLogStreams',
+ 'logs:DescribeQueries',
+ 'logs:StopQuery',
+ 'logs:GetQueryResults',
+ 'logs:CreateLogGroup',
+ 'logs:CreateLogStream',
+ 'logs:PutLogEvents',
+ ],
+ resources=[
+ f'arn:aws:s3:::{resource_prefix}-{envname}-{self.account}-{self.region}-resources/*',
+ f'arn:aws:s3:::{resource_prefix}-{envname}-{self.account}-{self.region}-resources',
+ f'arn:aws:logs:{self.region}:{self.account}:log-group:*{resource_prefix}*:log-stream:*',
+ f'arn:aws:logs:{self.region}:{self.account}:log-group:*{resource_prefix}*',
+ ],
+ ),
+ iam.PolicyStatement(
+ actions=[
+ 'ec2:DescribeNetworkInterfaces',
+ 'xray:PutTraceSegments',
+ 'xray:PutTelemetryRecords',
+ 'xray:GetSamplingRules',
+ 'xray:GetSamplingTargets',
+ 'xray:GetSamplingStatisticSummaries',
+ 'cognito-idp:ListGroups',
+ 'cognito-idp:ListUsersInGroup',
+ ],
+ resources=['*'],
+ ),
+ iam.PolicyStatement(
+ actions=[
+ 'ec2:CreateNetworkInterface',
+ 'ec2:DeleteNetworkInterface',
+ ],
+ resources=[
+ f'arn:aws:ec2:{self.region}:{self.account}:*/*',
+ ],
+ ),
+ iam.PolicyStatement(
+ actions=[
+ 'ec2:AssignPrivateIpAddresses',
+ 'ec2:UnassignPrivateIpAddresses',
+ ],
+ resources=[
+ f'arn:aws:ec2:{self.region}:{self.account}:*/*',
+ ],
+ conditions={'StringEquals': {'ec2:VpcID': f'{vpc.vpc_id}'}},
+ ),
+ iam.PolicyStatement(
+ actions=[
+ 'aoss:APIAccessAll',
+ ],
+ resources=[
+ f'arn:aws:aoss:{self.region}:{self.account}:collection/*',
+ ],
+ ),
+ iam.PolicyStatement(
+ actions=['events:EnableRule', 'events:DisableRule'],
+ resources=[f'arn:aws:events:{self.region}:{self.account}:rule/dataall*'],
+ ),
+ ]
+ + extra_statements,
 )
 role = iam.Role(
 self,
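Review bot: `extra_statements=[]` in the new `create_function_role` signature is a mutable default argument; it is not mutated here (the `+` builds a fresh list), but it should still be `extra_statements=None` with `] + (extra_statements or []),` in the `statements=` expression, which also keeps the concatenation from raising `TypeError` if the `@run_if`-decorated `_get_bedrock_policy_statement` yields `None` when the nlq feature is disabled (`run_if` is not visible in this patch, so confirm what it returns on the false branch). On the IAM side, narrowing the Bedrock statement from `resources=['*']` to `flow/*`, `prompt/*` and `foundation-model/*` is the right direction, but `bedrock:CreateFoundationModelAgreement` is grouped in with it; if the service authorization reference lists that action without a resource type, it needs its own statement with `resources=['*']` or the agreement call will be denied at runtime. The `foundation-model/*` ARN is also pinned to `self.region`, so an inference-profile or cross-region model ARN would not match — confirm against how the nlq module actually invokes the model. `sts:AssumeRole` on `arn:aws:iam::*:role/{pivot_role_name}*` and `cdk-hnb659fds-lookup-role-*` is carried over unchanged and still allows assuming a matching role in any account; an explicit account list or an `aws:ResourceAccount` condition would narrow it, though that predates this change.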
@@ -498,7 +504,6 @@ def create_function_role(self, envname, resource_prefix, fn_name, pivot_role_nam
 inline_policies={f'{resource_prefix}-{envname}-{fn_name}-inline': role_inline_policy.document},
 assumed_by=iam.ServicePrincipal('lambda.amazonaws.com'),
 )
- self.add_bedrock_policy(role)
 return role
 def create_api_gateway(