r/aws_bedrockagent_knowledge_base: Additional knowledge_base_configuration and storage_configuration options

.changelog/37220.txt

@@ -0,0 +1,3 @@
+```release-note:enhancement
+resource/aws_bedrockagent_knowledge_base: Add `storage_configuration.mongo_db_atlas_configuration` argument
+```

.changelog/44060.txt

@@ -0,0 +1,3 @@
+```release-note:enhancement
+resource/aws_bedrockagent_knowledge_base: Add `storage_configuration.opensearch_managed_cluster_configuration` argument
+```

.changelog/44388.txt

@@ -0,0 +1,7 @@
+```release-note:enhancement
+resource/aws_bedrockagent_knowledge_base: Add `knowledge_base_configuration.kendra_knowledge_base_configuration` argument
+```
+
+```release-note:enhancement
+resource/aws_bedrockagent_knowledge_base: Make `knowledge_base_configuration.vector_knowledge_base_configuration` and ``storage_configuration` optional
+```

.changelog/45465.txt

@@ -0,0 +1,7 @@
+```release-note:enhancement
+resource/aws_bedrockagent_knowledge_base: Add `knowledge_base_configuration.sql_knowledge_base_configuration` and `storage_configuration.neptune_analytics_configuration` arguments
+```
+
+```release-note:bug
+resource/aws_bedrockagent_knowledge_base: Mark `knowledge_base_configuration.vector_knowledge_base_configuration.embedding_model_configuration` and `knowledge_base_configuration.vector_knowledge_base_configuration.supplemental_data_storage_configuration` as `ForceNew`
+```

.changelog/45468.txt

@@ -0,0 +1,3 @@
+```release-note:enhancement
+resource/aws_bedrockagent_knowledge_base: Add `storage_configuration.s3_vectors_configuration` block
+```

docs/acc-test-environment-variables.md

@@ -110,6 +110,7 @@ Environment variables (beyond standard AWS Go SDK ones) used by acceptance testi
 | `TF_AWS_CONTROLTOWER_CONTROL_OU_NAME`                           | Organizational unit name to be targeted by the Control Tower control.                                                                                                                            |
 | `TF_AWS_CONTROLTOWER_BASELINE_ENABLE_BASELINE_ARN`              | Enable baseline ARN.                                                                                                                                                                             |
 | `TF_AWS_DATAEXCHANGE_DATA_SET_ID`                               | ID of DataExchange Data Set to use for testing.                                                                                                                                                  |
+| `TF_AWS_KENDRA_INDEX_ARN`                               | ARN of Kendra Index to use for testing.                                                                                                                                                  |
 | `TF_AWS_LICENSE_MANAGER_GRANT_HOME_REGION`                      | Region where a License Manager license is imported.                                                                                                                                              |
 | `TF_AWS_LICENSE_MANAGER_GRANT_LICENSE_ARN`                      | ARN for a License Manager license imported into the current account.                                                                                                                             |
 | `TF_AWS_LICENSE_MANAGER_GRANT_PRINCIPAL`                        | ARN of a principal to share the License Manager license with. Either a root user, Organization, or Organizational Unit.                                                                          |

internal/acctest/configs.go

@@ -728,240 +728,70 @@ resource "aws_subnet" "test" {
 	)
 }
 
-func ConfigBedrockAgentKnowledgeBaseRDSBase(rName, model string) string {
-	return ConfigCompose(
-		ConfigVPCWithSubnetsEnableDNSHostnames(rName, 2), //nolint:mnd // 2 subnets required
-		fmt.Sprintf(`
-data "aws_partition" "current" {}
+func ConfigBedrockAgentKnowledgeBaseS3VectorsBase(rName string) string {
+	return fmt.Sprintf(`
 data "aws_region" "current" {}
+data "aws_partition" "current" {}
 
-resource "aws_iam_role" "test" {
-  name               = %[1]q
-  path               = "/service-role/"
-  assume_role_policy = <<POLICY
-{
-	"Version": "2012-10-17",
-	"Statement": [{
-		"Action": "sts:AssumeRole",
-		"Principal": {
-		"Service": "bedrock.amazonaws.com"
-		},
-		"Effect": "Allow"
-	}]
-}
-POLICY
-}
-
-# See https://docs.aws.amazon.com/bedrock/latest/userguide/kb-permissions.html.
-resource "aws_iam_role_policy" "test" {
-  name   = %[1]q
-  role   = aws_iam_role.test.name
-  policy = <<POLICY
-{
-  "Version": "2012-10-17",
-  "Statement": [
-    {
-      "Effect": "Allow",
-      "Action": [
-        "bedrock:ListFoundationModels",
-        "bedrock:ListCustomModels"
-      ],
-      "Resource": "*"
-    },
-    {
-      "Effect": "Allow",
-      "Action": [
-        "bedrock:InvokeModel"
-      ],
-      "Resource": [
-        "arn:${data.aws_partition.current.partition}:bedrock:${data.aws_region.current.region}::foundation-model/%[2]s"
-      ]
+data "aws_iam_policy_document" "assume_role_bedrock" {
+  statement {
+    effect = "Allow"
+    principals {
+      type        = "Service"
+      identifiers = ["bedrock.amazonaws.com"]
     }
-  ]
-}
-POLICY
-}
-
-resource "aws_iam_role_policy_attachment" "rds_data_full_access" {
-  role       = aws_iam_role.test.name
-  policy_arn = "arn:${data.aws_partition.current.partition}:iam::${data.aws_partition.current.partition}:policy/AmazonRDSDataFullAccess"
-}
-
-resource "aws_iam_role_policy_attachment" "secrets_manager_read_write" {
-  role       = aws_iam_role.test.name
-  policy_arn = "arn:${data.aws_partition.current.partition}:iam::${data.aws_partition.current.partition}:policy/SecretsManagerReadWrite"
-}
-
-data "aws_rds_orderable_db_instance" "test" {
-  engine                     = "aurora-postgresql"
-  engine_latest_version      = true
-  preferred_instance_classes = ["db.serverless"]
-}
-
-resource "aws_rds_cluster" "test" {
-  cluster_identifier          = %[1]q
-  master_username             = "test"
-  manage_master_user_password = true
-  database_name               = "test"
-  skip_final_snapshot         = true
-  engine                      = data.aws_rds_orderable_db_instance.test.engine
-  engine_version              = data.aws_rds_orderable_db_instance.test.engine_version
-  enable_http_endpoint        = true
-  vpc_security_group_ids      = [aws_security_group.test.id]
-  db_subnet_group_name        = aws_db_subnet_group.test.name
-
-  serverlessv2_scaling_configuration {
-    max_capacity = 1.0
-    min_capacity = 0.5
+    actions = ["sts:AssumeRole"]
   }
 }
 
-resource "aws_rds_cluster_instance" "test" {
-  cluster_identifier  = aws_rds_cluster.test.id
-  instance_class      = "db.serverless"
-  engine              = aws_rds_cluster.test.engine
-  engine_version      = aws_rds_cluster.test.engine_version
-  publicly_accessible = true
-}
-
-resource "aws_db_subnet_group" "test" {
-  name       = %[1]q
-  subnet_ids = aws_subnet.test[*].id
-}
-
-resource "aws_internet_gateway" "test" {
-  vpc_id = aws_vpc.test.id
-
-  tags = {
-    Name = %[1]q
+data "aws_iam_policy_document" "bedrock" {
+  statement {
+    effect    = "Allow"
+    actions   = ["bedrock:InvokeModel"]
+    resources = ["*"]
   }
-}
-
-resource "aws_default_route_table" "test" {
-  default_route_table_id = aws_vpc.test.default_route_table_id
-
-  route {
-    cidr_block = "0.0.0.0/0"
-    gateway_id = aws_internet_gateway.test.id
+  statement {
+    effect    = "Allow"
+    actions   = ["s3:ListBucket", "s3:GetObject"]
+    resources = ["*"]
   }
-
-  tags = {
-    Name = %[1]q
+  statement {
+    effect = "Allow"
+    actions = [
+      "s3vectors:GetIndex",
+      "s3vectors:QueryVectors",
+      "s3vectors:PutVectors",
+      "s3vectors:GetVectors",
+      "s3vectors:DeleteVectors"
+    ]
+    resources = ["*"]
   }
 }
 
-resource "aws_security_group" "test" {
-  name   = %[1]q
-  vpc_id = aws_vpc.test.id
-
-  ingress {
-    from_port   = 5432
-    to_port     = 5432
-    protocol    = "tcp"
-    cidr_blocks = ["0.0.0.0/0"]
-  }
-
-  egress {
-    from_port   = 0
-    to_port     = 0
-    protocol    = "-1"
-    cidr_blocks = ["0.0.0.0/0"]
-  }
-
-  tags = {
-    Name = %[1]q
-  }
+resource "aws_iam_role" "test" {
+  assume_role_policy = data.aws_iam_policy_document.assume_role_bedrock.json
+  name               = %[1]q
 }
 
-data "aws_secretsmanager_secret_version" "test" {
-  secret_id     = aws_rds_cluster.test.master_user_secret[0].secret_arn
-  version_stage = "AWSCURRENT"
-  depends_on    = [aws_rds_cluster.test]
-}
-
-resource "null_resource" "db_setup" {
-  depends_on = [aws_rds_cluster_instance.test, aws_rds_cluster.test, data.aws_secretsmanager_secret_version.test]
-
-  provisioner "local-exec" {
-    command = <<EOT
-      sleep 60
-      export PGPASSWORD=$(aws secretsmanager get-secret-value --secret-id '${aws_rds_cluster.test.master_user_secret[0].secret_arn}' --version-stage AWSCURRENT --region ${data.aws_region.current.region} --query SecretString --output text | jq -r '."password"')
-      psql -h ${aws_rds_cluster.test.endpoint} -U ${aws_rds_cluster.test.master_username} -d ${aws_rds_cluster.test.database_name} -c "CREATE EXTENSION IF NOT EXISTS vector;"
-      psql -h ${aws_rds_cluster.test.endpoint} -U ${aws_rds_cluster.test.master_username} -d ${aws_rds_cluster.test.database_name} -c "CREATE SCHEMA IF NOT EXISTS bedrock_integration;"
-      psql -h ${aws_rds_cluster.test.endpoint} -U ${aws_rds_cluster.test.master_username} -d ${aws_rds_cluster.test.database_name} -c "CREATE SCHEMA IF NOT EXISTS bedrock_new;"
-      psql -h ${aws_rds_cluster.test.endpoint} -U ${aws_rds_cluster.test.master_username} -d ${aws_rds_cluster.test.database_name} -c "CREATE ROLE bedrock_user WITH PASSWORD '$PGPASSWORD' LOGIN;"
-      psql -h ${aws_rds_cluster.test.endpoint} -U ${aws_rds_cluster.test.master_username} -d ${aws_rds_cluster.test.database_name} -c "GRANT ALL ON SCHEMA bedrock_integration TO bedrock_user;"
-      psql -h ${aws_rds_cluster.test.endpoint} -U ${aws_rds_cluster.test.master_username} -d ${aws_rds_cluster.test.database_name} -c "CREATE TABLE bedrock_integration.bedrock_kb (id uuid PRIMARY KEY, embedding vector(1536), chunks text, metadata json, custom_metadata jsonb);"
-      psql -h ${aws_rds_cluster.test.endpoint} -U ${aws_rds_cluster.test.master_username} -d ${aws_rds_cluster.test.database_name} -c "CREATE INDEX ON bedrock_integration.bedrock_kb USING hnsw (embedding vector_cosine_ops);"
-      psql -h ${aws_rds_cluster.test.endpoint} -U ${aws_rds_cluster.test.master_username} -d ${aws_rds_cluster.test.database_name} -c "CREATE INDEX ON bedrock_integration.bedrock_kb USING gin (to_tsvector('simple', chunks));"
-      psql -h ${aws_rds_cluster.test.endpoint} -U ${aws_rds_cluster.test.master_username} -d ${aws_rds_cluster.test.database_name} -c "CREATE INDEX ON bedrock_integration.bedrock_kb USING gin (custom_metadata);"
-    EOT
-  }
-}
-`, rName, model))
+resource "aws_iam_role_policy" "test" {
+  role   = aws_iam_role.test.name
+  policy = data.aws_iam_policy_document.bedrock.json
 }
 
-func ConfigBedrockAgentKnowledgeBaseRDSUpdateBase(rName, model string) string {
-	return ConfigCompose(
-		ConfigBedrockAgentKnowledgeBaseRDSBase(rName, model), //nolint:mnd
-		fmt.Sprintf(`
-resource "aws_iam_role" "test_update" {
-  name               = "%[1]s-update"
-  path               = "/service-role/"
-  assume_role_policy = <<POLICY
-{
-	"Version": "2012-10-17",
-	"Statement": [{
-		"Action": "sts:AssumeRole",
-		"Principal": {
-		"Service": "bedrock.amazonaws.com"
-		},
-		"Effect": "Allow"
-	}]
-}
-POLICY
-}
-
-# See https://docs.aws.amazon.com/bedrock/latest/userguide/kb-permissions.html.
-resource "aws_iam_role_policy" "test_update" {
-  name   = "%[1]s-update"
-  role   = aws_iam_role.test_update.name
-  policy = <<POLICY
-{
-  "Version": "2012-10-17",
-  "Statement": [
-    {
-      "Effect": "Allow",
-      "Action": [
-        "bedrock:ListFoundationModels",
-        "bedrock:ListCustomModels"
-      ],
-      "Resource": "*"
-    },
-    {
-      "Effect": "Allow",
-      "Action": [
-        "bedrock:InvokeModel"
-      ],
-      "Resource": [
-        "arn:${data.aws_partition.current.partition}:bedrock:${data.aws_region.current.region}::foundation-model/%[2]s"
-      ]
-    }
-  ]
-}
-POLICY
+resource "aws_s3vectors_vector_bucket" "test" {
+  vector_bucket_name = %[1]q
+  force_destroy      = true
 }
 
-resource "aws_iam_role_policy_attachment" "rds_data_full_access_update" {
-  role       = aws_iam_role.test_update.name
-  policy_arn = "arn:${data.aws_partition.current.partition}:iam::${data.aws_partition.current.partition}:policy/AmazonRDSDataFullAccess"
-}
+resource "aws_s3vectors_index" "test" {
+  index_name         = %[1]q
+  vector_bucket_name = aws_s3vectors_vector_bucket.test.vector_bucket_name
 
-resource "aws_iam_role_policy_attachment" "secrets_manager_read_write_update" {
-  role       = aws_iam_role.test_update.name
-  policy_arn = "arn:${data.aws_partition.current.partition}:iam::${data.aws_partition.current.partition}:policy/SecretsManagerReadWrite"
+  data_type       = "float32"
+  dimension       = 256
+  distance_metric = "euclidean"
 }
-`, rName, model))
+`, rName)
 }
 
 // ConfigRandomPassword returns the configuration for an ephemeral resource that