Open DraqunTheWorker opened 2 months ago
@DraqunTheWorker Thanks for raising this issue.
AWS::Bedrock::KnowledgeBase is not available in the eu-central-1 Region (yet).
We generate the provider from the CloudFormation resource definitions in us-east-1.
Hi. This explains a lot, because I thought I was crazy and couldn't read the documentation correctly. I'll check it in us-east-1 and give you feedback.
Best regards.
Hi. Changing the region resolved the problem. Have another in that place :) Anyway, thanks for the help. Best regards.
@ewbankkit Hi. It seems to me that there is still something wrong with my code (or with provider ;)).
Below is the actual code for the awscc_bedrock_knowledge_base resource. When trying to create the resource I get the following trace
│ Waiting for Cloud Control API service CreateResource operation completion returned: waiter state transitioned to FAILED. StatusMessage: The knowledge base storage configuration provided is invalid... Request failed:
│ [security_exception] 403 Forbidden (Service: BedrockAgent, Status Code: 400, Request ID: 16ceb9d0-e676-40a9-9968-e76b3b1f4310). ErrorCode: InvalidRequest
The code below appears to be correct. I have the region set to "us-east-1". I am wondering where I have made a mistake. Is there the slightest working example of using this resource somewhere? I have gone through github and have not found the use of this resource at all. I would appreciate the slightest hint where the error might be.
```hcl
# knowledge_base.tf
resource "awscc_bedrock_knowledge_base" "this" {
  name        = "${var.name_prefix}-knowledge-base"
  description = "${var.name_prefix} knowledge base."
  role_arn    = var.iam_role_arn
  storage_configuration = {
    type = "OPENSEARCH_SERVERLESS"
    opensearch_serverless_configuration = {
      collection_arn    = var.vector_knowledge_base_arn
      vector_index_name = "${lower(var.name_prefix)}-test-index"
      field_mapping = {
        metadata_field = "${join("_", split("-", upper(var.name_prefix)))}_METADATA"
        text_field     = "${join("_", split("-", upper(var.name_prefix)))}_TEXT_CHUNK"
        vector_field   = "${lower(var.name_prefix)}-default-vector"
      }
    }
  }
  knowledge_base_configuration = {
    type = "VECTOR"
    vector_knowledge_base_configuration = {
      embedding_model_arn = data.aws_bedrock_foundation_model.this.model_arn
    }
  }
}
```

```hcl
# opensearch.tf
resource "awscc_opensearchserverless_collection" "this" {
  name = local.collection_name
  type = "VECTORSEARCH"
  tags = [
    { key = "Owner", value = var.owner },
    { key = "Environment", value = var.env },
    { key = "Terraform", value = "True" }
  ]
  depends_on = [aws_opensearchserverless_security_policy.encryption_policy]
}

resource "aws_opensearchserverless_security_policy" "encryption_policy" {
  name = "${var.name_prefix}-oss-encryption-policy"
  type = "encryption"
  policy = jsonencode({
    Rules = [
      {
        Resource = [
          "collection/${local.collection_name}"
        ],
        ResourceType = "collection"
      }
    ],
    AWSOwnedKey = true
  })
}
```
Thanks for all. Best regards.
Does the knowledge base have access to the collection ([security_exception] 403 Forbidden)?
aoss:APIAccessAll would be needed if it is not already there.
https://docs.aws.amazon.com/bedrock/latest/userguide/kb-permissions.html#kb-permissions-oss permissions.
Hi. Thanks for your answer.
All my roles like that
```hcl
resource "aws_iam_role" "this" {
  name = "${var.name_prefix}-bedrock-execution-role-4-knowledge-base"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action = "sts:AssumeRole"
        Principal = {
          Service = "bedrock.amazonaws.com"
        }
        Effect = "Allow"
      },
    ]
  })
}

resource "aws_iam_role_policy" "this" {
  name = "${var.name_prefix}-bedrock-execution-role-policy"
  role = aws_iam_role.this.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action = [
          "bedrock:ListFoundationModels",
          "bedrock:ListCustomModels"
        ],
        Effect   = "Allow"
        Resource = "*"
      },
      {
        Action = [
          "bedrock:InvokeAPI"
        ]
        Effect   = "Allow"
        Resource = [data.aws_bedrock_foundation_model.this.model_arn]
      },
    ]
  })
}
```
so it looks like there is some lack here. I'll check your proposal and come back with feedback.
Best regards.
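
Added example (not part of the thread and not the provider's or the poster's own code): one way to grant the role above the `aoss:APIAccessAll` permission mentioned in the reply, scoped to the single collection, together with an OpenSearch Serverless data access policy that names the role as principal. It assumes `aws_iam_role.this` and `awscc_opensearchserverless_collection.this` live in the same module; the resource names `kb_aoss_access` and `kb_data_access` and the index permission list are assumptions.

```hcl
# IAM side: allow the knowledge base role to call the collection's
# data-plane API. Scoped to this one collection rather than "*".
resource "aws_iam_role_policy" "kb_aoss_access" {
  name = "${var.name_prefix}-bedrock-kb-aoss-access" # hypothetical name
  role = aws_iam_role.this.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid      = "KnowledgeBaseCollectionAccess"
        Effect   = "Allow"
        Action   = ["aoss:APIAccessAll"]
        Resource = [awscc_opensearchserverless_collection.this.arn]
      },
    ]
  })
}

# OpenSearch Serverless side: IAM alone is not enough, the collection's
# data access policy must also list the role as a principal.
resource "aws_opensearchserverless_access_policy" "kb_data_access" {
  name = "${var.name_prefix}-kb-data" # hypothetical; keep within the 32-char name limit
  type = "data"
  policy = jsonencode([
    {
      Rules = [
        {
          ResourceType = "index"
          Resource     = ["index/${local.collection_name}/*"]
          # Assumed permission set for reading and writing embeddings.
          Permission = [
            "aoss:DescribeIndex",
            "aoss:ReadDocument",
            "aoss:WriteDocument",
            "aoss:UpdateIndex",
          ]
        },
        {
          ResourceType = "collection"
          Resource     = ["collection/${local.collection_name}"]
          Permission   = ["aoss:DescribeCollectionItems"]
        },
      ]
      Principal = [aws_iam_role.this.arn]
    },
  ])
}
```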
Community Note
Terraform CLI and Terraform AWS Cloud Control Provider Version
Affected Resource(s)
Terraform Configuration Files
information about resources gained from https://registry.terraform.io/providers/hashicorp/awscc/latest/docs/resources/bedrock_knowledge_base
Console Output
Debug Output
Panic Output
Expected Behavior
I would expect a knowledge base to be created.
Actual Behavior
To be honest, I don't know how to describe it. Status code 400 doesn't mean much to me, especially when the resource is described in accordance with the documentation.
Steps to Reproduce
terraform apply
Important Factoids
References