v0.1.0

* Various fix to ensure reliability when deploying to non us-east-1 regions
* bump AWS providers version
* update Guardrails (will re-create the Lambda function as well)
---------

Co-authored-by: wellsiau-aws and quixoticmonk

Author: quixoticmonk

README.md

@@ -99,7 +99,7 @@ Enhance your Terraform workflows with AI-powered insights while maintaining secu
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.5.0 |
 | <a name="requirement_archive"></a> [archive](#requirement\_archive) | ~>2.2.0 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.47.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.72.0 |
 | <a name="requirement_awscc"></a> [awscc](#requirement\_awscc) | >= 1.11.0 |
 | <a name="requirement_random"></a> [random](#requirement\_random) | >=3.4.0 |
 
@@ -108,9 +108,8 @@ Enhance your Terraform workflows with AI-powered insights while maintaining secu
 | Name | Version |
 |------|---------|
 | <a name="provider_archive"></a> [archive](#provider\_archive) | ~>2.2.0 |
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.47.0 |
-| <a name="provider_aws.cloudfront_waf"></a> [aws.cloudfront\_waf](#provider\_aws.cloudfront\_waf) | >= 5.47.0 |
-| <a name="provider_awscc"></a> [awscc](#provider\_awscc) | >= 1.11.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.72.0 |
+| <a name="provider_aws.cloudfront_waf"></a> [aws.cloudfront\_waf](#provider\_aws.cloudfront\_waf) | >= 5.72.0 |
 | <a name="provider_random"></a> [random](#provider\_random) | >=3.4.0 |
 | <a name="provider_terraform"></a> [terraform](#provider\_terraform) | n/a |
 | <a name="provider_time"></a> [time](#provider\_time) | n/a |
@@ -125,6 +124,8 @@ Enhance your Terraform workflows with AI-powered insights while maintaining secu
 
 | Name | Type |
 |------|------|
+| [aws_bedrock_guardrail.runtask_fulfillment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/bedrock_guardrail) | resource |
+| [aws_bedrock_guardrail_version.runtask_fulfillment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/bedrock_guardrail_version) | resource |
 | [aws_cloudfront_origin_request_policy.runtask_cloudfront](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_origin_request_policy) | resource |
 | [aws_cloudwatch_event_rule.runtask_rule](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_rule) | resource |
 | [aws_cloudwatch_event_target.runtask_target](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_target) | resource |
@@ -172,8 +173,6 @@ Enhance your Terraform workflows with AI-powered insights while maintaining secu
 | [aws_sfn_state_machine.runtask_states](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sfn_state_machine) | resource |
 | [aws_wafv2_web_acl.runtask_waf](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl) | resource |
 | [aws_wafv2_web_acl_logging_configuration.runtask_waf](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl_logging_configuration) | resource |
-| [awscc_bedrock_guardrail.runtask_fulfillment](https://registry.terraform.io/providers/hashicorp/awscc/latest/docs/resources/bedrock_guardrail) | resource |
-| [awscc_bedrock_guardrail_version.runtask_fulfillment](https://registry.terraform.io/providers/hashicorp/awscc/latest/docs/resources/bedrock_guardrail_version) | resource |
 | [random_string.solution_prefix](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) | resource |
 | [random_uuid.runtask_cloudfront](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/uuid) | resource |
 | [random_uuid.runtask_hmac](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/uuid) | resource |

VERSION

@@ -1 +1 @@
-v0.0.4
+v0.1.0

bedrock.tf

@@ -1,92 +1,82 @@
-resource "awscc_bedrock_guardrail" "runtask_fulfillment" {
-  name                      = "${local.solution_prefix}-guardrail"
+resource "aws_bedrock_guardrail" "runtask_fulfillment" {
+  name                      = "${local.solution_prefix}-guardrails"
   blocked_input_messaging   = "Unfortunately we are unable to provide response for this input"
   blocked_outputs_messaging = "Unfortunately we are unable to provide response for this input"
   description               = "Basic Bedrock Guardrail for sensitive info exfiltration"
 
   # detect and filter harmful user inputs and FM-generated outputs
-  content_policy_config = {
-    filters_config = [
-      {
-        input_strength  = "HIGH"
-        output_strength = "HIGH"
-        type            = "SEXUAL"
-      },
-      {
-        input_strength  = "HIGH"
-        output_strength = "HIGH"
-        type            = "VIOLENCE"
-      },
-      {
-        input_strength  = "HIGH"
-        output_strength = "HIGH"
-        type            = "HATE"
-      },
-      {
-        input_strength  = "HIGH"
-        output_strength = "HIGH"
-        type            = "INSULTS"
-      },
-      {
-        input_strength  = "HIGH"
-        output_strength = "HIGH"
-        type            = "MISCONDUCT"
-      },
-      {
-        input_strength  = "NONE"
-        output_strength = "NONE"
-        type            = "PROMPT_ATTACK"
-      }
-    ]
+  content_policy_config {
+    filters_config {
+      input_strength  = "HIGH"
+      output_strength = "HIGH"
+      type            = "HATE"
+    }
+    filters_config {
+      input_strength  = "HIGH"
+      output_strength = "HIGH"
+      type            = "INSULTS"
+    }
+    filters_config {
+      input_strength  = "HIGH"
+      output_strength = "HIGH"
+      type            = "MISCONDUCT"
+    }
+    filters_config {
+      input_strength  = "NONE"
+      output_strength = "NONE"
+      type            = "PROMPT_ATTACK"
+    }
+    filters_config {
+      input_strength  = "HIGH"
+      output_strength = "HIGH"
+      type            = "SEXUAL"
+    }
+    filters_config {
+      input_strength  = "HIGH"
+      output_strength = "HIGH"
+      type            = "VIOLENCE"
+    }
   }
 
   # block / mask potential PII information
-  sensitive_information_policy_config = {
-    pii_entities_config = [
-      {
-        action = "BLOCK"
-        type   = "DRIVER_ID"
-      },
-      {
-        action = "BLOCK"
-        type   = "PASSWORD"
-      },
-      {
-        action = "ANONYMIZE"
-        type   = "EMAIL"
-      },
-      {
-        action = "ANONYMIZE"
-        type   = "USERNAME"
-      },
-      {
-        action = "BLOCK"
-        type   = "AWS_ACCESS_KEY"
-      },
-      {
-        action = "BLOCK"
-        type   = "AWS_SECRET_KEY"
-      },
-    ]
+  sensitive_information_policy_config {
+    pii_entities_config {
+      action = "BLOCK"
+      type   = "DRIVER_ID"
+    }
+    pii_entities_config {
+      action = "BLOCK"
+      type   = "PASSWORD"
+    }
+    pii_entities_config {
+      action = "ANONYMIZE"
+      type   = "EMAIL"
+    }
+    pii_entities_config {
+      action = "ANONYMIZE"
+      type   = "USERNAME"
+    }
+    pii_entities_config {
+      action = "BLOCK"
+      type   = "AWS_ACCESS_KEY"
+    }
+    pii_entities_config {
+      action = "BLOCK"
+      type   = "AWS_SECRET_KEY"
+    }
   }
 
   # block select word / profanity
-  word_policy_config = {
-    managed_word_lists_config = [{
+  word_policy_config {
+    managed_word_lists_config {
       type = "PROFANITY"
-    }]
-  }
-
-  tags = [for k, v in local.combined_tags :
-    {
-      key : k,
-      value : v
     }
-  ]
+  }
 
+  tags = local.combined_tags
 }
 
-resource "awscc_bedrock_guardrail_version" "runtask_fulfillment" {
-  guardrail_identifier = awscc_bedrock_guardrail.runtask_fulfillment.guardrail_id
-  description          = "Initial version"
+resource "aws_bedrock_guardrail_version" "runtask_fulfillment" {
+  guardrail_arn = aws_bedrock_guardrail.runtask_fulfillment.guardrail_arn
+  description   = "Initial version"
 }

cloudfront.tf

@@ -190,6 +190,7 @@ resource "aws_cloudwatch_log_group" "runtask_waf" {
 
 resource "aws_cloudwatch_log_resource_policy" "runtask_waf" {
   count           = local.waf_deployment
+  provider        = aws.cloudfront_waf
   policy_document = data.aws_iam_policy_document.runtask_waf_log[count.index].json
   policy_name     = "aws-waf-logs-${local.solution_prefix}-runtask_waf_acl"
 }

data.tf

@@ -249,7 +249,7 @@ data "aws_iam_policy_document" "runtask_waf_log" {
     resources = ["${aws_cloudwatch_log_group.runtask_waf[count.index].arn}:*"]
     condition {
       test     = "ArnLike"
-      values   = ["arn:aws:logs:${data.aws_region.current_region.name}:${data.aws_caller_identity.current_account.account_id}:*"]
+      values   = ["arn:aws:logs:${data.aws_region.cloudfront_region.name}:${data.aws_caller_identity.current_account.account_id}:*"]
       variable = "aws:SourceArn"
     }
     condition {

examples/basic/README.md

@@ -38,15 +38,15 @@ Follow the steps below to deploy the module and attach it to your HCP Terraform
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0.7 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | 5.56.1 |
-| <a name="requirement_tfe"></a> [tfe](#requirement\_tfe) | ~>0.38.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.72.1 |
+| <a name="requirement_tfe"></a> [tfe](#requirement\_tfe) | ~> 0.38.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.56.1 |
-| <a name="provider_tfe"></a> [tfe](#provider\_tfe) | ~>0.38.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.72.1 |
+| <a name="provider_tfe"></a> [tfe](#provider\_tfe) | ~> 0.38.0 |
 
 ## Modules
 
@@ -59,7 +59,7 @@ Follow the steps below to deploy the module and attach it to your HCP Terraform
 | Name | Type |
 |------|------|
 | [tfe_organization_run_task.bedrock_plan_analyzer](https://registry.terraform.io/providers/hashicorp/tfe/latest/docs/resources/organization_run_task) | resource |
-| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/5.56.1/docs/data-sources/region) | data source |
+| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
 | [tfe_organization.hcp_tf_org](https://registry.terraform.io/providers/hashicorp/tfe/latest/docs/data-sources/organization) | data source |
 
 ## Inputs

examples/basic/providers.tf

@@ -3,12 +3,12 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = "5.56.1"
+      version = ">= 5.72.1"
     }
 
     tfe = {
       source  = "hashicorp/tfe"
-      version = "~>0.38.0"
+      version = "~> 0.38.0"
     }
   }
 }
@@ -22,6 +22,10 @@ provider "aws" {
   region = "us-east-1" # for Cloudfront WAF only, must be in us-east-1
 }
 
+provider "awscc" {
+  region = var.region
+}
+
 provider "tfe" {
   token = var.hcp_tf_token
 }

lambda.tf

@@ -166,8 +166,8 @@ resource "aws_lambda_function" "runtask_fulfillment" {
     variables = {
       CW_LOG_GROUP_NAME         = local.cloudwatch_log_group_name
       BEDROCK_LLM_MODEL         = var.bedrock_llm_model
-      BEDROCK_GUARDRAIL_ID      = awscc_bedrock_guardrail.runtask_fulfillment.guardrail_id
-      BEDROCK_GUARDRAIL_VERSION = awscc_bedrock_guardrail_version.runtask_fulfillment.version
+      BEDROCK_GUARDRAIL_ID      = aws_bedrock_guardrail.runtask_fulfillment.guardrail_id
+      BEDROCK_GUARDRAIL_VERSION = aws_bedrock_guardrail_version.runtask_fulfillment.version
     }
   }
   tags = local.combined_tags

providers.tf

@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 5.47.0"
+      version = ">= 5.72.0"
     }
     awscc = {
       source  = "hashicorp/awscc"