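@@ -191,17 +191,43 @@ data "aws_iam_policy_document" "lambda_permissions_policy" {
     effect = "Allow"
     resources = ["*"]
   }
-  statement {
-    actions = [
-      "logs:CreateLogGroup",
-      "logs:CreateLogStream",
-      "logs:PutLogEvents",
-      "s3:*",
-      "bedrock-agentcore:*"
-    ]
-    effect = "Allow"
-    resources = ["*"]
-  }
+  statement {
+    actions = [
+      "logs:CreateLogGroup",
+      "logs:CreateLogStream",
+      "logs:PutLogEvents"
+    ]
+    effect = "Allow"
+    resources = [
+      "arn:aws:logs:${local.region}:${local.account_id}:log-group:/aws/lambda/${aws_lambda_function.s3_agent_lambda_function.function_name}:*"
+    ]
+  }
+  statement {
+    actions = [
+      "s3:GetObject"
+    ]
+    effect = "Allow"
+    resources = [
+      "${aws_s3_bucket.input_bucket.arn}/*"
+    ]
+  }
+  statement {
+    actions = [
+      "s3:PutObject"
+    ]
+    effect = "Allow"
+    resources = [
+      "${aws_s3_bucket.output_bucket.arn}/*"
+    ]
+  }
+  statement {
+    actions = [
+      "bedrock-agentcore:InvokeAgentRuntime"
+    ]
+    effect = "Allow"
+    resources = [
+      aws_bedrockagentcore_agent_runtime.agentcore_runtime.agent_runtime_arn
+    ]
+  }
 }
 
 resource "aws_iam_role" "lambda_role" {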
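Review bot: The new logs statement builds the log-group ARN from `aws_lambda_function.s3_agent_lambda_function.function_name`, which is likely to produce a Terraform dependency cycle: this document presumably feeds `aws_iam_role.lambda_role` (declared right below), and if that role is the Lambda's `role`, the function depends on the policy that depends on the function. Deriving the name from the same variable or local the Lambda's `function_name` argument uses — `log-group:/aws/lambda/<that expression>:*` — keeps the tight scoping without the cycle; the role/policy attachment is outside this hunk, so confirm how the document is consumed. Separately, `bedrock-agentcore:InvokeAgentRuntime` is granted only on `agent_runtime_arn`; if the Lambda invokes a named endpoint (a qualifier), the runtime-endpoint ARN (`${aws_bedrockagentcore_agent_runtime.agentcore_runtime.agent_runtime_arn}/runtime-endpoint/*`) may also need to be listed, which is worth checking against the AgentCore IAM reference before merging. The statement closing at the top of the hunk still carries `resources = ["*"]`, but its actions begin before the hunk, so it cannot be assessed here.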