Move slackBotManagedPolicy from Functions to IamResources

kris-szlapa · kris-szlapa · commit 4c032eeff04a · 2025-07-29T13:57:14.000Z
diff --git a/packages/cdk/nagSuppressions.ts b/packages/cdk/nagSuppressions.ts
@@ -127,7 +127,7 @@ export const nagSuppressions = (stack: Stack) => {
   // Suppress wildcard permissions for SlackBot managed policy
   safeAddNagSuppression(
     stack,
-    "/EpsAssistMeStack/Functions/SlackBotManagedPolicy/Resource",
+    "/EpsAssistMeStack/IamResources/SlackBotManagedPolicy/Resource",
     [
       {
         id: "AwsSolutions-IAM5",
diff --git a/packages/cdk/resources/Functions.ts b/packages/cdk/resources/Functions.ts
@@ -1,6 +1,6 @@
 import {Construct} from "constructs"
 import {LambdaFunction} from "../constructs/LambdaFunction"
-import {PolicyStatement, ManagedPolicy} from "aws-cdk-lib/aws-iam"
+import {ManagedPolicy} from "aws-cdk-lib/aws-iam"
 import {StringParameter} from "aws-cdk-lib/aws-ssm"
 import {Secret} from "aws-cdk-lib/aws-secretsmanager"
 
@@ -17,6 +17,7 @@ export interface FunctionsProps {
   logRetentionInDays: number
   logLevel: string
   createIndexManagedPolicy: ManagedPolicy
+  slackBotManagedPolicy: ManagedPolicy
   slackBotTokenParameter: StringParameter
   slackSigningSecretParameter: StringParameter
   guardrailId: string
@@ -47,36 +48,6 @@ export class Functions extends Construct {
       additionalPolicies: [props.createIndexManagedPolicy]
     })
 
-    // Create managed policies for SlackBot Lambda
-    const slackBotManagedPolicy = new ManagedPolicy(this, "SlackBotManagedPolicy", {
-      description: "Policy for SlackBot Lambda to access Bedrock, SSM, and Lambda",
-      statements: [
-        new PolicyStatement({
-          actions: ["bedrock:InvokeModel"],
-          resources: [`arn:aws:bedrock:${props.region}::foundation-model/${RAG_MODEL_ID}`]
-        }),
-        new PolicyStatement({
-          actions: ["bedrock:Retrieve", "bedrock:RetrieveAndGenerate"],
-          resources: [`arn:aws:bedrock:${props.region}:${props.account}:knowledge-base/*`]
-        }),
-        new PolicyStatement({
-          actions: ["ssm:GetParameter"],
-          resources: [
-            `arn:aws:ssm:${props.region}:${props.account}:parameter${props.slackBotTokenParameter.parameterName}`,
-            `arn:aws:ssm:${props.region}:${props.account}:parameter${props.slackSigningSecretParameter.parameterName}`
-          ]
-        }),
-        new PolicyStatement({
-          actions: ["lambda:InvokeFunction"],
-          resources: [`arn:aws:lambda:${props.region}:${props.account}:function:*`]
-        }),
-        new PolicyStatement({
-          actions: ["bedrock:ApplyGuardrail"],
-          resources: [`arn:aws:bedrock:${props.region}:${props.account}:guardrail/*`]
-        })
-      ]
-    })
-
     // Lambda function to handle Slack bot interactions
     const slackBotLambda = new LambdaFunction(this, "SlackBotLambda", {
       stackName: props.stackName,
@@ -85,7 +56,7 @@ export class Functions extends Construct {
       entryPoint: "app.py",
       logRetentionInDays: props.logRetentionInDays,
       logLevel: props.logLevel,
-      additionalPolicies: [slackBotManagedPolicy],
+      additionalPolicies: [props.slackBotManagedPolicy],
       environmentVariables: {
         "RAG_MODEL_ID": RAG_MODEL_ID,
         "SLACK_SLASH_COMMAND": SLACK_SLASH_COMMAND,
diff --git a/packages/cdk/resources/IamResources.ts b/packages/cdk/resources/IamResources.ts
@@ -9,16 +9,21 @@ import {Bucket} from "aws-cdk-lib/aws-s3"
 
 // Amazon Titan embedding model for vector generation
 const EMBEDDING_MODEL = "amazon.titan-embed-text-v2:0"
+// Claude model for RAG responses
+const RAG_MODEL_ID = "anthropic.claude-3-sonnet-20240229-v1:0"
 
 export interface IamResourcesProps {
   region: string
   account: string
   kbDocsBucket: Bucket
+  slackBotTokenParameterName: string
+  slackSigningSecretParameterName: string
 }
 
 export class IamResources extends Construct {
   public readonly bedrockExecutionRole: Role
   public readonly createIndexManagedPolicy: ManagedPolicy
+  public readonly slackBotManagedPolicy: ManagedPolicy
 
   constructor(scope: Construct, id: string, props: IamResourcesProps) {
     super(scope, id)
@@ -104,5 +109,38 @@ export class IamResources extends Construct {
       description: "Policy for Lambda to create OpenSearch index"
     })
     this.createIndexManagedPolicy.addStatements(createIndexPolicy)
+
+    // Create managed policy for SlackBot Lambda function
+    const slackBotPolicy = new PolicyStatement()
+    slackBotPolicy.addActions("bedrock:InvokeModel")
+    slackBotPolicy.addResources(`arn:aws:bedrock:${props.region}::foundation-model/${RAG_MODEL_ID}`)
+
+    const slackBotKnowledgeBasePolicy = new PolicyStatement()
+    slackBotKnowledgeBasePolicy.addActions("bedrock:Retrieve", "bedrock:RetrieveAndGenerate")
+    slackBotKnowledgeBasePolicy.addResources(`arn:aws:bedrock:${props.region}:${props.account}:knowledge-base/*`)
+
+    const slackBotSSMPolicy = new PolicyStatement()
+    slackBotSSMPolicy.addActions("ssm:GetParameter")
+    slackBotSSMPolicy.addResources(
+      `arn:aws:ssm:${props.region}:${props.account}:parameter${props.slackBotTokenParameterName}`,
+      `arn:aws:ssm:${props.region}:${props.account}:parameter${props.slackSigningSecretParameterName}`
+    )
+
+    const slackBotLambdaPolicy = new PolicyStatement()
+    slackBotLambdaPolicy.addActions("lambda:InvokeFunction")
+    slackBotLambdaPolicy.addResources(`arn:aws:lambda:${props.region}:${props.account}:function:*`)
+
+    const slackBotGuardrailPolicy = new PolicyStatement()
+    slackBotGuardrailPolicy.addActions("bedrock:ApplyGuardrail")
+    slackBotGuardrailPolicy.addResources(`arn:aws:bedrock:${props.region}:${props.account}:guardrail/*`)
+
+    this.slackBotManagedPolicy = new ManagedPolicy(this, "SlackBotManagedPolicy", {
+      description: "Policy for SlackBot Lambda to access Bedrock, SSM, and Lambda"
+    })
+    this.slackBotManagedPolicy.addStatements(slackBotPolicy)
+    this.slackBotManagedPolicy.addStatements(slackBotKnowledgeBasePolicy)
+    this.slackBotManagedPolicy.addStatements(slackBotSSMPolicy)
+    this.slackBotManagedPolicy.addStatements(slackBotLambdaPolicy)
+    this.slackBotManagedPolicy.addStatements(slackBotGuardrailPolicy)
   }
 }
diff --git a/packages/cdk/stacks/EpsAssistMeStack.ts b/packages/cdk/stacks/EpsAssistMeStack.ts
@@ -56,7 +56,9 @@ export class EpsAssistMeStack extends Stack {
     const iamResources = new IamResources(this, "IamResources", {
       region,
       account,
-      kbDocsBucket: storage.kbDocsBucket.bucket
+      kbDocsBucket: storage.kbDocsBucket.bucket,
+      slackBotTokenParameterName: secrets.slackBotTokenParameter.parameterName,
+      slackSigningSecretParameterName: secrets.slackSigningSecretParameter.parameterName
     })
 
     // Create OpenSearch Resources
@@ -75,6 +77,7 @@ export class EpsAssistMeStack extends Stack {
       logRetentionInDays,
       logLevel,
       createIndexManagedPolicy: iamResources.createIndexManagedPolicy,
+      slackBotManagedPolicy: iamResources.slackBotManagedPolicy,
       slackBotTokenParameter: secrets.slackBotTokenParameter,
       slackSigningSecretParameter: secrets.slackSigningSecretParameter,
       guardrailId: "", // Will be set after vector KB is created

Original file line number	Diff line number	Diff line change
`@@ -127,7 +127,7 @@ export const nagSuppressions = (stack: Stack) => {`
`127`	`127`	`// Suppress wildcard permissions for SlackBot managed policy`
`128`	`128`	`safeAddNagSuppression(`
`129`	`129`	`stack,`
`130`		`- "/EpsAssistMeStack/Functions/SlackBotManagedPolicy/Resource",`
	`130`	`+ "/EpsAssistMeStack/IamResources/SlackBotManagedPolicy/Resource",`
`131`	`131`	`[`
`132`	`132`	`{`
`133`	`133`	`id: "AwsSolutions-IAM5",`