hashicorp / terraform-provider-awscc

Terraform AWS Cloud Control provider
https://registry.terraform.io/providers/hashicorp/awscc/latest/docs
Mozilla Public License 2.0

Resource awscc_bedrock_knowledge_base cannot be created. #1598

Open DraqunTheWorker opened 2 months ago

DraqunTheWorker commented 2 months ago

Community Note

Terraform CLI and Terraform AWS Cloud Control Provider Version

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 5.46.0"
    }
    awscc = {
      source  = "hashicorp/awscc"
      version = ">= 0.74.0"
    }
  }
}

Affected Resource(s)

Terraform Configuration Files

information about resources gained from https://registry.terraform.io/providers/hashicorp/awscc/latest/docs/resources/bedrock_knowledge_base

data "aws_bedrock_foundation_model" "this" {
  model_id = "amazon.titan-embed-text-v1"
}

resource "awscc_bedrock_knowledge_base" "this" {
  knowledge_base_configuration = {
    type = "VECTOR"
    vector_knowledge_base_configuration = {
      embedding_model_arn = data.aws_bedrock_foundation_model.this.model_arn
    }
  }
  name                         = "${var.name_prefix}-knowledge-base"
  role_arn                     = resource.aws_iam_role.this.arn
  storage_configuration        = {
    type = "OPENSEARCH_SERVERLESS"
  }
}

resource "aws_iam_role" "this" {
  name = "${var.name_prefix}-bedrock-execution-role-4-knowledge-base"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action = "sts:AssumeRole"
        Principal = {
          Service = "bedrock.amazonaws.com"
        }
        Effect = "Allow"
      },
    ]
  })
}

resource "aws_iam_role_policy" "this" {
  name = "${var.name_prefix}-bedrock-execution-role-policy"
  role = aws_iam_role.this.id

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action = [
          "bedrock:InvokeAPI"
        ]
        Effect = "Allow"
        Resource = "*"
      },
    ]
  })
}

Console Output

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # module.bedrock_dev_app.module.bedrock.awscc_bedrock_knowledge_base.this will be created
  + resource "awscc_bedrock_knowledge_base" "this" {
      + created_at                   = (known after apply)
      + description                  = (known after apply)
      + failure_reasons              = (known after apply)
      + id                           = (known after apply)
      + knowledge_base_arn           = (known after apply)
      + knowledge_base_configuration = {
          + type                                = "VECTOR"
          + vector_knowledge_base_configuration = {
              + embedding_model_arn = "arn:aws:bedrock:eu-central-1::foundation-model/amazon.titan-embed-text-v1"
            }
        }
      + knowledge_base_id            = (known after apply)
      + name                         = "dgiebas-kb-knowledge-base"
      + role_arn                     = "arn:aws:iam::905418311635:role/dgiebas-kb-bedrock-execution-role-4-knowledge-base"
      + status                       = (known after apply)
      + storage_configuration        = {
          + opensearch_serverless_configuration = (known after apply)
          + pinecone_configuration              = (known after apply)
          + rds_configuration                   = (known after apply)
          + type                                = "OPENSEARCH_SERVERLESS"
        }
      + tags                         = (known after apply)
      + updated_at                   = (known after apply)
    }

Plan: 1 to add, 0 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

module.bedrock_dev_app.module.bedrock.awscc_bedrock_knowledge_base.this: Creating...
╷
│ Error: AWS SDK Go Service Operation Unsuccessful
│ 
│   with module.bedrock_dev_app.module.bedrock.awscc_bedrock_knowledge_base.this,
│   on modules/bedrock/resources.tf line 1, in resource "awscc_bedrock_knowledge_base" "this":
│    1: resource "awscc_bedrock_knowledge_base" "this" {
│ 
│ Calling Cloud Control API service CreateResource operation returned: operation error CloudControl: CreateResource, https response error StatusCode: 400, RequestID: 9bf31952-705c-4a3d-ba56-bf85de60c914,
│ TypeNotFoundException: The type 'AWS::Bedrock::KnowledgeBase' cannot be found.
╵

Debug Output

Panic Output

Expected Behavior

I would expect a knowledge base to be created.

Actual Behavior

To be honest, I don't know how to describe it. Status code 400 doesn't mean much to me, especially when the resource is described in accordance with the documentation.

Steps to Reproduce

  1. terraform apply

Important Factoids

References

ewbankkit commented 2 months ago

@DraqunTheWorker Thanks for raising this issue 👍. AWS::Bedrock::KnowledgeBase is not available in the eu-central-1 Region (yet). We generate the provider from the CloudFormation resource definitions in us-east-1.
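
A plan-time check for the situation ewbankkit describes, added here as an example (not code from the provider or from anyone in this thread): the provider's resource schema is generated from us-east-1, so a type can appear in the docs yet be missing from the CloudFormation registry in the region you apply to. The `aws_cloudformation_type` data source from the hashicorp/aws provider asks the registry of the configured region for the type behind `awscc_bedrock_knowledge_base`; if the registry does not have it, `terraform plan` fails with the same `TypeNotFoundException` instead of the failure surfacing during apply. The data-source and output names are hypothetical.

```terraform
# Added example, not provider code: resolve the Cloud Control type in the
# region Terraform is configured for, so a missing type fails at plan time.
data "aws_cloudformation_type" "bedrock_kb" {
  type      = "RESOURCE"
  type_name = "AWS::Bedrock::KnowledgeBase"
}

# Exposing the registry ARN makes the region that answered visible in the plan
# (the ARN embeds the region), which is a quick way to spot a wrong provider
# region alias when the same module is used in several regions.
output "bedrock_kb_type_arn" {
  description = "Registry ARN of AWS::Bedrock::KnowledgeBase in the configured region"
  value       = data.aws_cloudformation_type.bedrock_kb.arn
}
```

Because data sources are read during planning, the lookup runs before any resource is created, so a region where the type is unavailable is caught without an apply and without a half-created dependency graph to clean up.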

DraqunTheWorker commented 2 months ago

Hi. This explains a lot, because I thought I was crazy and couldn't read the documentation correctly. I'll check it in us-east-1 and give you feedback.

Best regards.

DraqunTheWorker commented 2 months ago

Hi. Changing the region resolved the problem. I have another one in that place :) Anyway, thanks for the help. Best regards.

DraqunTheWorker commented 1 month ago

@ewbankkit Hi. It seems to me that there is still something wrong with my code (or with the provider ;)).

Below is the actual code for the awscc_bedrock_knowledge_base resource. When trying to create the resource I get the following trace:

│ Waiting for Cloud Control API service CreateResource operation completion returned: waiter state transitioned to FAILED. StatusMessage: The knowledge base storage configuration provided is invalid... Request failed:
│ [security_exception] 403 Forbidden (Service: BedrockAgent, Status Code: 400, Request ID: 16ceb9d0-e676-40a9-9968-e76b3b1f4310). ErrorCode: InvalidRequest

The code below appears to be correct. I have the region set to 'us-east-1'. I am wondering where I have made a mistake. Is there the slightest working example of using this resource somewhere? I have gone through GitHub and have not found any use of this resource at all. I would appreciate the slightest hint as to where the error might be.


# knowledge_base.tf

resource "awscc_bedrock_knowledge_base" "this" {
  name        = "${var.name_prefix}-knowledge-base"
  description = "${var.name_prefix} knowledge base."
  role_arn    = var.iam_role_arn

  storage_configuration = {
    type = "OPENSEARCH_SERVERLESS"
    opensearch_serverless_configuration = {
      collection_arn    = var.vector_knowledge_base_arn
      vector_index_name = "${lower(var.name_prefix)}-test-index"
      field_mapping = {
        metadata_field = "${join("_", split("-", upper(var.name_prefix)))}_METADATA"
        text_field     = "${join("_", split("-", upper(var.name_prefix)))}_TEXT_CHUNK"
        vector_field   = "${lower(var.name_prefix)}-default-vector"
      }
    }
  }
  knowledge_base_configuration = {
    type = "VECTOR"
    vector_knowledge_base_configuration = {
      embedding_model_arn = data.aws_bedrock_foundation_model.this.model_arn
    }
  }
}

# opensearch.tf

resource "awscc_opensearchserverless_collection" "this" {
  name = local.collection_name
  type = "VECTORSEARCH"

  tags = [
    { key = "Owner", value = var.owner },
    { key = "Environment", value = var.env },
    { key = "Terraform", value = "True" }
  ]
  depends_on = [aws_opensearchserverless_security_policy.encryption_policy]
}

resource "aws_opensearchserverless_security_policy" "encryption_policy" {
  name = "${var.name_prefix}-oss-encryption-policy"
  type = "encryption"
  policy = jsonencode({
    Rules = [
      {
        Resource = [
          "collection/${local.collection_name}"
        ],
        ResourceType = "collection"
      }
    ],
    AWSOwnedKey = true
  })
}

Thanks for all. Best regards.

quixoticmonk commented 1 month ago

Does the knowledge base have access to the collection ([security_exception] 403 Forbidden)? aoss:APIAccessAll would be needed if it is not already there. See https://docs.aws.amazon.com/bedrock/latest/userguide/kb-permissions.html#kb-permissions-oss for the permissions.
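
The two grants quixoticmonk's linked page describes, written out as an added example (not code from the provider, from the AWS documentation, or from anyone in this thread). An OpenSearch `security_exception` is raised by the collection's own data plane, so IAM alone is not enough: the knowledge base role needs `aoss:APIAccessAll` on the collection in IAM, and the collection needs an OpenSearch Serverless data access policy that names that role as a principal. The example reuses the resource names from the reporter's snippets (`aws_iam_role.this`, `awscc_opensearchserverless_collection.this`, `local.collection_name`, `var.name_prefix`); the new resource names and the policy names are hypothetical.

```terraform
# Added example, not project code. Assumes aws_iam_role.this,
# awscc_opensearchserverless_collection.this, local.collection_name and
# var.name_prefix from the reporter's configuration.

# 1. IAM side: allow the KB execution role to call the collection's data-plane
#    API. Scoped to the one collection ARN rather than "*".
resource "aws_iam_role_policy" "kb_aoss" {
  name = "${var.name_prefix}-kb-aoss-access"
  role = aws_iam_role.this.id

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid      = "OpenSearchServerlessDataPlane"
        Effect   = "Allow"
        Action   = ["aoss:APIAccessAll"]
        Resource = awscc_opensearchserverless_collection.this.arn
      }
    ]
  })
}

# 2. Collection side: OpenSearch Serverless authorizes principals through its
#    own data access policy. Without a rule naming the KB role here, the data
#    plane answers [security_exception] 403 Forbidden even when IAM allows
#    aoss:APIAccessAll. Permission sets follow the Bedrock KB permissions page.
resource "aws_opensearchserverless_access_policy" "kb_data" {
  name = "${var.name_prefix}-kb-data-access"
  type = "data"

  policy = jsonencode([
    {
      Description = "Bedrock knowledge base access to the vector index"
      Principal   = [aws_iam_role.this.arn]
      Rules = [
        {
          ResourceType = "collection"
          Resource     = ["collection/${local.collection_name}"]
          Permission = [
            "aoss:DescribeCollectionItems",
            "aoss:CreateCollectionItems",
            "aoss:UpdateCollectionItems",
          ]
        },
        {
          ResourceType = "index"
          # Restrict to the collection's indexes; narrow further to the single
          # vector_index_name if the collection hosts other indexes.
          Resource = ["index/${local.collection_name}/*"]
          Permission = [
            "aoss:CreateIndex",
            "aoss:DescribeIndex",
            "aoss:UpdateIndex",
            "aoss:ReadDocument",
            "aoss:WriteDocument",
          ]
        }
      ]
    }
  ])
}
```

Two points worth checking alongside this. The reporter's snippet creates only an encryption policy for the collection; OpenSearch Serverless also needs a network policy before the collection endpoint accepts traffic, so that is the next thing to verify if the 403 turns into a connection failure. And the role's trust policy in the thread lets `bedrock.amazonaws.com` assume it unconditionally; the same AWS permissions page shows the trust statement with `aws:SourceAccount` and an `aws:SourceArn` `ArnLike` condition on the knowledge-base ARN pattern, which keeps a knowledge base in another account from using this role.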

DraqunTheWorker commented 1 month ago

Hi. Thanks for your answer.

All my roles look like that:

resource "aws_iam_role" "this" {
  name = "${var.name_prefix}-bedrock-execution-role-4-knowledge-base"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action = "sts:AssumeRole"
        Principal = {
          Service = "bedrock.amazonaws.com"
        }
        Effect = "Allow"
      },
    ]
  })
}

resource "aws_iam_role_policy" "this" {
  name = "${var.name_prefix}-bedrock-execution-role-policy"
  role = aws_iam_role.this.id

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action = [
          "bedrock:ListFoundationModels",
          "bedrock:ListCustomModels"
        ],
        Effect = "Allow"
        Resource : "*"
      },
      {
        Action = [
          "bedrock:InvokeAPI"
        ]
        Effect   = "Allow"
        Resource = [data.aws_bedrock_foundation_model.this.model_arn]
      },
    ]
  })
}

so it looks like something is missing here. I'll check your proposal and come back with feedback.

Best regards.