aws / aws-cdk

The AWS Cloud Development Kit is a framework for defining cloud infrastructure in code
https://aws.amazon.com/cdk
Apache License 2.0

Bedrock: PROMPT_ATTACK inside of contentPolicyConfig is not accepting NONE in CfnGuardrail #31919

Open noahsdonaldson opened 2 days ago

noahsdonaldson commented 2 days ago

Describe the bug

Using CDK CfnGuardrail in Bedrock I set the contentPolicyConfig filterConfig settings. PROMPT_ATTACK should be set to "NONE" but when doing a cdk synth or cdk build the values for inputStrength and outputStrength are set to "HIGH". The deployment to CloudFormation fails because the only value that should be set for PROMPT_ATTACK is "NONE".

Here is the CDK CfnGuardrail definition

// Guardrail above graphqlapi def
    const myGuardrail = new CfnGuardrail(this, 'myBedrockGuardrail', {
      blockedInputMessaging: 'Input message blocked by Bedrock guardrail.',
      blockedOutputsMessaging: 'Output messages blocked by Bedrock guardrail.',
      name: `Guardrail-${envName}`,
      // Optional properties
      contentPolicyConfig: {
        filtersConfig: [
          {
            inputStrength: 'HIGH',
            outputStrength: 'HIGH',
            type: 'SEXUAL',
          },
          {
            inputStrength: 'HIGH',
            outputStrength: 'HIGH',
            type: 'VIOLENCE',
          },
          {
            inputStrength: 'HIGH',
            outputStrength: 'HIGH',
            type: 'HATE',
          },
          {
            inputStrength: 'HIGH',
            outputStrength: 'HIGH',
            type: 'INSULTS',
          },
          {
            inputStrength: 'HIGH',
            outputStrength: 'HIGH',
            type: 'MISCONDUCT',
          },
          {
            inputStrength: 'NONE',
            outputStrength: 'NONE',
            type: 'PROMPT_ATTACK'
          }
        ],
      },
    });

Here is the cdk.out template that is generated

  "myBedrockGuardrail": {
   "Type": "AWS::Bedrock::Guardrail",
   "Properties": {
    "BlockedInputMessaging": "Input message blocked by Bedrock guardrail.",
    "BlockedOutputsMessaging": "Output messages blocked by Bedrock guardrail.",
    "ContentPolicyConfig": {
     "FiltersConfig": [
      {
       "InputStrength": "HIGH",
       "OutputStrength": "HIGH",
       "Type": "SEXUAL"
      },
      {
       "InputStrength": "HIGH",
       "OutputStrength": "HIGH",
       "Type": "VIOLENCE"
      },
      {
       "InputStrength": "HIGH",
       "OutputStrength": "HIGH",
       "Type": "HATE"
      },
      {
       "InputStrength": "HIGH",
       "OutputStrength": "HIGH",
       "Type": "INSULTS"
      },
      {
       "InputStrength": "HIGH",
       "OutputStrength": "HIGH",
       "Type": "MISCONDUCT"
      },
      {
       "InputStrength": "HIGH",
       "OutputStrength": "HIGH",
       "Type": "PROMPT_ATTACK"
      }
     ]
    },
    "Name": "Guardrail-beta"
   },
   "Metadata": {
    "aws:cdk:path": "beta-APIStack/myBedrockGuardrail"
   }
  },

Regression Issue

Last Known Working CDK Version

none

Expected Behavior

When setting PROMPT_ATTACK to NONE, the cdk.out for PROMPT_ATTACK is set to NONE, not HIGH.

Current Behavior

The CloudFormation output file has PROMPT_ATTACK set to HIGH regardless of the value set in the CDK.

Reproduction Steps

Create a CDK, import CfnGuardrail, set contentPolicyConfig, filtersConfig PROMPT_ATTACK inputStrength and outputStrength to "NONE" and run a cdk synth to check the cdk.out file.

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.162.1 (build 10aa526)

Framework Version

No response

Node.js Version

Node.js v18.18.2

OS

Amazon Linux 2 x86_64 5.10 Kernel

Language

TypeScript

Language Version

5.4.5

Other information

No response

ashishdhingra commented 2 days ago

@noahsdonaldson Good morning. Somehow I'm unable to reproduce the issue using the latest version of CDK (as of now 2.164.1 (build bb9275c)). Using your code generates the below CFN template:

{
  "Resources": {
    "myBedrockGuardrail": {
      "Type": "AWS::Bedrock::Guardrail",
      "Properties": {
        "BlockedInputMessaging": "Input message blocked by Bedrock guardrail.",
        "BlockedOutputsMessaging": "Output messages blocked by Bedrock guardrail.",
        "ContentPolicyConfig": {
          "FiltersConfig": [
            {
              "InputStrength": "HIGH",
              "OutputStrength": "HIGH",
              "Type": "SEXUAL"
            },
            {
              "InputStrength": "HIGH",
              "OutputStrength": "HIGH",
              "Type": "VIOLENCE"
            },
            {
              "InputStrength": "HIGH",
              "OutputStrength": "HIGH",
              "Type": "HATE"
            },
            {
              "InputStrength": "HIGH",
              "OutputStrength": "HIGH",
              "Type": "INSULTS"
            },
            {
              "InputStrength": "HIGH",
              "OutputStrength": "HIGH",
              "Type": "MISCONDUCT"
            },
            {
              "InputStrength": "NONE",
              "OutputStrength": "NONE",
              "Type": "PROMPT_ATTACK"
            }
          ]
        },
        "Name": "Guardrail-test"
      },
      "Metadata": {
        "aws:cdk:path": "CdktestStack/myBedrockGuardrail"
      }
    },
    "CDKMetadata": {
      "Type": "AWS::CDK::Metadata",
      "Properties": {
        "Analytics": "v2:deflate64:H4sIAAAAAAAA/yXFMQ6DMAwAwLewJ6ZBqGJn6E4fgJzESE5oItmkDBV/Z+gtN4B7juA6PNWGmO3OHn7vA0M2eOrqKUoNGeatvBpKFOTdzFtZSGuTQJcpNRIk7b9uguEBY5eU2UorB38Ilv83+F7OqGYAAAA="
      },
      "Metadata": {
        "aws:cdk:path": "CdktestStack/CDKMetadata/Default"
      }
    }
  },
  "Parameters": {
    "BootstrapVersion": {
      "Type": "AWS::SSM::Parameter::Value<String>",
      "Default": "/cdk-bootstrap/hnb659fds/version",
      "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]"
    }
  }
}

Kindly note that most of the constructs for aws-cdk-lib/aws-bedrock are L1 constructs generated from CloudFormation specification. So cdk synth should produce the correct CFN template in most of the cases.

Thanks, Ashish
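
A mismatch like the one reported in this thread can be caught before deployment by comparing the synthesized template with the strengths that were intended. The following is an added example, not code from the issue or from the CDK project; `findDrift`, `sampleTemplate` and `intended` are hypothetical names, and the sample template is constructed from the filter values shown in the two templates above.

```typescript
// Added example: compare intended guardrail filter strengths with a synthesized template.
interface Filter { InputStrength: string; OutputStrength: string; Type: string }
interface Want { input: string; output: string }

// Return one finding per filter whose synthesized strength differs from the intent,
// and one per intended filter that is absent from the template.
function findDrift(template: any, expected: Record<string, Want>): string[] {
  const findings: string[] = [];
  const resources = template.Resources ?? {};
  for (const id of Object.keys(resources)) {
    const res = resources[id];
    if (res?.Type !== 'AWS::Bedrock::Guardrail') continue;
    const filters: Filter[] = res.Properties?.ContentPolicyConfig?.FiltersConfig ?? [];
    for (const type of Object.keys(expected)) {
      const got = filters.find((f) => f.Type === type);
      if (!got) {
        findings.push(`${id}: ${type} filter missing`);
        continue;
      }
      if (got.InputStrength !== expected[type].input)
        findings.push(`${id}: ${type} InputStrength=${got.InputStrength}, want ${expected[type].input}`);
      if (got.OutputStrength !== expected[type].output)
        findings.push(`${id}: ${type} OutputStrength=${got.OutputStrength}, want ${expected[type].output}`);
    }
  }
  return findings;
}

// Constructed sample with the same shape as the templates in this thread;
// only the PROMPT_ATTACK strength differs between the two reports.
function sampleTemplate(promptAttack: string): any {
  const high = ['SEXUAL', 'VIOLENCE', 'HATE', 'INSULTS', 'MISCONDUCT'].map((t) => ({
    InputStrength: 'HIGH', OutputStrength: 'HIGH', Type: t,
  }));
  const pa = { InputStrength: promptAttack, OutputStrength: promptAttack, Type: 'PROMPT_ATTACK' };
  return {
    Resources: {
      myBedrockGuardrail: {
        Type: 'AWS::Bedrock::Guardrail',
        Properties: { ContentPolicyConfig: { FiltersConfig: [...high, pa] } },
      },
    },
  };
}

// Intent taken from the CfnGuardrail definition in the issue.
const intended: Record<string, Want> = { PROMPT_ATTACK: { input: 'NONE', output: 'NONE' } };
for (const t of ['SEXUAL', 'VIOLENCE', 'HATE', 'INSULTS', 'MISCONDUCT']) intended[t] = { input: 'HIGH', output: 'HIGH' };

console.log(findDrift(sampleTemplate('HIGH'), intended));
```

In a real project the template object would be the parsed JSON of the stack's file under `cdk.out`, and a non-empty result would fail the build.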

github-actions[bot] commented 11 hours ago

This issue has not received a response in a while. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.