fix(bedrock): inference profiles permissions (#994)

* fix(bedrock): modify iam policies and add sonnet 3 7

---------

Co-authored-by: krokoko <[email protected]>

Author: aws-rafams

.gitignore

@@ -145,6 +145,12 @@ The ARN of the Bedrock invokable abstraction.
 
 > `readonly` `static` **ANTHROPIC\_CLAUDE\_3\_5\_SONNET\_V2\_0**: [`BedrockFoundationModel`](BedrockFoundationModel.md)
 
+***
+
+### ANTHROPIC\_CLAUDE\_3\_7\_SONNET\_V1\_0
+
+> `readonly` `static` **ANTHROPIC\_CLAUDE\_3\_7\_SONNET\_V1\_0**: [`BedrockFoundationModel`](BedrockFoundationModel.md)
+
 *************************************************************************
                            ANTHROPIC
 *************************************************************************

.npmignore

@@ -151,7 +151,7 @@ export class CrossRegionInferenceProfile implements IInvokable, IInferenceProfil
   grantProfileUsage(grantee: IGrantable): Grant {
     const grant = Grant.addToPrincipal({
       grantee: grantee,
-      actions: ['bedrock:GetInferenceProfile', 'bedrock:InvokeModel'],
+      actions: ['bedrock:GetInferenceProfile', 'bedrock:InvokeModel*'],
       resourceArns: [this.inferenceProfileArn],
     });
     return grant;

.projen/tasks.json

@@ -138,6 +138,11 @@ export class BedrockFoundationModel implements IInvokable {
   /****************************************************************************
    *                            ANTHROPIC
    ***************************************************************************/
+  public static readonly ANTHROPIC_CLAUDE_3_7_SONNET_V1_0 = new BedrockFoundationModel(
+    'anthropic.claude-3-7-sonnet-20250219-v1:0',
+    { supportsAgents: true, supportsCrossRegion: true },
+  );
+
   public static readonly ANTHROPIC_CLAUDE_3_5_SONNET_V2_0 = new BedrockFoundationModel(
     'anthropic.claude-3-5-sonnet-20241022-v2:0',
     { supportsAgents: true, supportsCrossRegion: true },
@@ -293,7 +298,7 @@ export class BedrockFoundationModel implements IInvokable {
   public grantInvoke(grantee: IGrantable): Grant {
     const grant = Grant.addToPrincipal({
       grantee: grantee,
-      actions: ['bedrock:InvokeModel'],
+      actions: ['bedrock:InvokeModel*', 'bedrock:GetFoundationModel'],
       resourceArns: [this.invokableArn],
     });
     return grant;
@@ -315,7 +320,7 @@ export class BedrockFoundationModel implements IInvokable {
 
     return Grant.addToPrincipal({
       grantee: grantee,
-      actions: ['bedrock:InvokeModel'],
+      actions: ['bedrock:InvokeModel*', 'bedrock:GetFoundationModel'],
       resourceArns: [invokableArn],
     });
   }

apidocs/namespaces/bedrock/classes/BedrockFoundationModel.md

@@ -1,15 +1,15 @@
 {
   "version": "39.0.0",
   "files": {
-    "fc1142f404eb5443446b22592dc6d75ae8c80055bfb9474da78f4254ae394a4f": {
+    "ea52821b2f897f4747652193704dc57b09f387d548e94159a698de2d27cca5ca": {
       "source": {
         "path": "aws-cdk-bedrock-guardrails-integ-test.template.json",
         "packaging": "file"
       },
       "destinations": {
         "current_account-eu-central-1": {
           "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-eu-central-1",
-          "objectKey": "fc1142f404eb5443446b22592dc6d75ae8c80055bfb9474da78f4254ae394a4f.json",
+          "objectKey": "ea52821b2f897f4747652193704dc57b09f387d548e94159a698de2d27cca5ca.json",
           "region": "eu-central-1",
           "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-eu-central-1"
         }

package.json

@@ -49,7 +49,10 @@
     "PolicyDocument": {
      "Statement": [
       {
-       "Action": "bedrock:InvokeModel",
+       "Action": [
+        "bedrock:InvokeModel*",
+        "bedrock:GetFoundationModel"
+       ],
        "Effect": "Allow",
        "Resource": {
         "Fn::Join": [
@@ -178,7 +181,10 @@
     "PolicyDocument": {
      "Statement": [
       {
-       "Action": "bedrock:InvokeModel",
+       "Action": [
+        "bedrock:InvokeModel*",
+        "bedrock:GetFoundationModel"
+       ],
        "Effect": "Allow",
        "Resource": {
         "Fn::Join": [
@@ -196,7 +202,7 @@
       {
        "Action": [
         "bedrock:GetInferenceProfile",
-        "bedrock:InvokeModel"
+        "bedrock:InvokeModel*"
        ],
        "Effect": "Allow",
        "Resource": {
@@ -368,7 +374,10 @@
     "PolicyDocument": {
      "Statement": [
       {
-       "Action": "bedrock:InvokeModel",
+       "Action": [
+        "bedrock:InvokeModel*",
+        "bedrock:GetFoundationModel"
+       ],
        "Effect": "Allow",
        "Resource": {
         "Fn::Join": [
@@ -386,7 +395,7 @@
       {
        "Action": [
         "bedrock:GetInferenceProfile",
-        "bedrock:InvokeModel"
+        "bedrock:InvokeModel*"
        ],
        "Effect": "Allow",
        "Resource": {

src/cdk-lib/bedrock/inference-profiles/cross-region-inference-profile.ts

@@ -1,15 +1,15 @@
 {
   "version": "39.0.0",
   "files": {
-    "edce2cdca448655b4baa3a3f25397547640d54472ced24d6b7c09954e1b4a72c": {
+    "7e760cbfec7bfb0f842abf3934b793e311a38bd24c9810f722b3e1b8ac300b23": {
       "source": {
         "path": "aws-cdk-bedrock-agents-integ-test.template.json",
         "packaging": "file"
       },
       "destinations": {
         "current_account-eu-central-1": {
           "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-eu-central-1",
-          "objectKey": "edce2cdca448655b4baa3a3f25397547640d54472ced24d6b7c09954e1b4a72c.json",
+          "objectKey": "7e760cbfec7bfb0f842abf3934b793e311a38bd24c9810f722b3e1b8ac300b23.json",
           "region": "eu-central-1",
           "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-eu-central-1"
         }

src/cdk-lib/bedrock/models.ts

@@ -49,7 +49,10 @@
     "PolicyDocument": {
      "Statement": [
       {
-       "Action": "bedrock:InvokeModel",
+       "Action": [
+        "bedrock:InvokeModel*",
+        "bedrock:GetFoundationModel"
+       ],
        "Effect": "Allow",
        "Resource": {
         "Fn::Join": [
@@ -220,7 +223,10 @@
     "PolicyDocument": {
      "Statement": [
       {
-       "Action": "bedrock:InvokeModel",
+       "Action": [
+        "bedrock:InvokeModel*",
+        "bedrock:GetFoundationModel"
+       ],
        "Effect": "Allow",
        "Resource": {
         "Fn::Join": [

test/integ/inference-profiles.integ.snapshot/aws-cdk-bedrock-guardrails-integ-test.assets.json

@@ -0,0 +1,20 @@
+{
+  "version": "39.0.0",
+  "files": {
+    "1f9354e3c8c90e6a6e4f3adf164e2746481f44ff6494e937f784a37964b01274": {
+      "source": {
+        "path": "Claude37Test.template.json",
+        "packaging": "file"
+      },
+      "destinations": {
+        "current_account-us-east-1": {
+          "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-us-east-1",
+          "objectKey": "1f9354e3c8c90e6a6e4f3adf164e2746481f44ff6494e937f784a37964b01274.json",
+          "region": "us-east-1",
+          "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-us-east-1"
+        }
+      }
+    }
+  },
+  "dockerImages": {}
+}