Create OpenSearchResources and OpenSearchCollection constructs

Author: kris-szlapa

packages/cdk/constructs/OpenSearchCollection.ts

@@ -0,0 +1,69 @@
+import {Construct} from "constructs"
+import * as ops from "aws-cdk-lib/aws-opensearchserverless"
+
+export interface OpenSearchCollectionProps {
+  collectionName: string
+  principals: Array<string>
+}
+
+export class OpenSearchCollection extends Construct {
+  public readonly collection: ops.CfnCollection
+  public readonly endpoint: string
+
+  constructor(scope: Construct, id: string, props: OpenSearchCollectionProps) {
+    super(scope, id)
+
+    // Encryption policy for collection (AWS-owned key)
+    const encryptionPolicy = new ops.CfnSecurityPolicy(this, "EncryptionPolicy", {
+      name: `${props.collectionName}-encryption-policy`,
+      type: "encryption",
+      policy: JSON.stringify({
+        Rules: [{ResourceType: "collection", Resource: [`collection/${props.collectionName}`]}],
+        AWSOwnedKey: true
+      })
+    })
+
+    // Network policy for public access (collection & dashboard)
+    const networkPolicy = new ops.CfnSecurityPolicy(this, "NetworkPolicy", {
+      name: `${props.collectionName}-network-policy`,
+      type: "network",
+      policy: JSON.stringify([{
+        Rules: [
+          {ResourceType: "collection", Resource: [`collection/${props.collectionName}`]},
+          {ResourceType: "dashboard", Resource: [`collection/${props.collectionName}`]}
+        ],
+        AllowFromPublic: true
+      }])
+    })
+
+    // OpenSearch collection (VECTORSEARCH type)
+    this.collection = new ops.CfnCollection(this, "Collection", {
+      name: props.collectionName,
+      description: "EPS Assist Vector Store",
+      type: "VECTORSEARCH"
+    })
+
+    // Ensure collection is created after policies
+    this.collection.addDependency(encryptionPolicy)
+    this.collection.addDependency(networkPolicy)
+
+    // Access policy for principals (full access to collection & indexes)
+    const accessPolicy = new ops.CfnAccessPolicy(this, "AccessPolicy", {
+      name: `${props.collectionName}-access-policy`,
+      type: "data",
+      policy: JSON.stringify([{
+        Rules: [
+          {ResourceType: "collection", Resource: ["collection/*"], Permission: ["aoss:*"]},
+          {ResourceType: "index", Resource: ["index/*/*"], Permission: ["aoss:*"]}
+        ],
+        Principal: props.principals
+      }])
+    })
+
+    // Ensure access policy applies after collection creation
+    this.collection.addDependency(accessPolicy)
+
+    // Collection endpoint
+    this.endpoint = `${this.collection.attrId}.${this.collection.stack.region}.aoss.amazonaws.com`
+  }
+}

packages/cdk/nagSuppressions.ts

@@ -225,6 +225,7 @@ export const nagSuppressions = (stack: Stack) => {
         reason: "Lambda needs to invoke itself for Slack Bolt lazy handlers.",
         appliesTo: [
           "Resource::arn:aws:lambda:eu-west-2:591291862413:function:*",
+          "Resource::arn:aws:lambda:eu-west-2:123456789012:function:*",
           "Resource::arn:aws:lambda:eu-west-2:123456789012:function:AmazonBedrock*",
           "Resource::arn:aws:lambda:eu-west-2:591291862413:function:AmazonBedrock*"
         ]

packages/cdk/resources/OpenSearchResources.ts

@@ -0,0 +1,28 @@
+import {Construct} from "constructs"
+import {OpenSearchCollection} from "../constructs/OpenSearchCollection"
+import * as iam from "aws-cdk-lib/aws-iam"
+
+const COLLECTION_NAME = "eps-assist-vector-db"
+
+export interface OpenSearchResourcesProps {
+  bedrockExecutionRole: iam.Role
+  createIndexFunctionRole: iam.Role
+  account: string
+}
+
+export class OpenSearchResources extends Construct {
+  public readonly collection: OpenSearchCollection
+
+  constructor(scope: Construct, id: string, props: OpenSearchResourcesProps) {
+    super(scope, id)
+
+    this.collection = new OpenSearchCollection(this, "OsCollection", {
+      collectionName: COLLECTION_NAME,
+      principals: [
+        props.bedrockExecutionRole.roleArn,
+        props.createIndexFunctionRole.roleArn,
+        `arn:aws:iam::${props.account}:root`
+      ]
+    })
+  }
+}

packages/cdk/stacks/EpsAssistMeStack.ts

@@ -20,9 +20,9 @@ import {Apis} from "../resources/Apis"
 import {Functions} from "../resources/Functions"
 import {Storage} from "../resources/Storage"
 import {Secrets} from "../resources/Secrets"
+import {OpenSearchResources} from "../resources/OpenSearchResources"
 
 const EMBEDDING_MODEL = "amazon.titan-embed-text-v2:0"
-const COLLECTION_NAME = "eps-assist-vector-db"
 const VECTOR_INDEX_NAME = "eps-assist-os-index"
 const BEDROCK_KB_NAME = "eps-assist-kb"
 
@@ -148,38 +148,6 @@ export class EpsAssistMeStack extends Stack {
     const GUARD_RAIL_ID = guardrail.attrGuardrailId
     const GUARD_RAIL_VERSION = guardrailVersion.attrVersion
 
-    //Define OpenSearchServerless Collection & depends on policies
-    const osCollection = new ops.CfnCollection(this, "osCollection", {
-      name: COLLECTION_NAME,
-      description: "EPS Assist Vector Store",
-      type: "VECTORSEARCH"
-    })
-
-    // Define AOSS vector DB encryption policy with AWSOwned key true
-    const aossEncryptionPolicy = new ops.CfnSecurityPolicy(this, "aossEncryptionPolicy", {
-      name: "eps-assist-encryption-policy",
-      type: "encryption",
-      policy: JSON.stringify({
-        Rules: [{ResourceType: "collection", Resource: ["collection/eps-assist-vector-db"]}],
-        AWSOwnedKey: true
-      })
-    })
-    osCollection.addDependency(aossEncryptionPolicy)
-
-    // Define Vector DB network policy with AllowFromPublic true. include collection & dashboard
-    const aossNetworkPolicy = new ops.CfnSecurityPolicy(this, "aossNetworkPolicy", {
-      name: "eps-assist-network-policy",
-      type: "network",
-      policy: JSON.stringify([{
-        Rules: [
-          {ResourceType: "collection", Resource: ["collection/eps-assist-vector-db"]},
-          {ResourceType: "dashboard", Resource: ["collection/eps-assist-vector-db"]}
-        ],
-        AllowFromPublic: true
-      }])
-    })
-    osCollection.addDependency(aossNetworkPolicy)
-
     // Define createIndexFunction execution role and policy. Managed role 'AWSLambdaBasicExecutionRole'
     const createIndexFunctionRole = new iam.Role(this, "CreateIndexFunctionRole", {
       assumedBy: new iam.ServicePrincipal("lambda.amazonaws.com"),
@@ -210,7 +178,14 @@ export class EpsAssistMeStack extends Stack {
       effect: iam.Effect.ALLOW
     }))
 
-    const endpoint = `${osCollection.attrId}.${region}.aoss.amazonaws.com`
+    // Create OpenSearch Resources
+    const openSearchResources = new OpenSearchResources(this, "OpenSearchResources", {
+      bedrockExecutionRole,
+      createIndexFunctionRole,
+      account
+    })
+
+    const endpoint = openSearchResources.collection.endpoint
 
     // Define a Bedrock knowledge base with type opensearch serverless and titan for embedding model
     const bedrockkb = new CfnKnowledgeBase(this, "EpsKb", {
@@ -226,7 +201,7 @@ export class EpsAssistMeStack extends Stack {
       storageConfiguration: {
         type: "OPENSEARCH_SERVERLESS",
         opensearchServerlessConfiguration: {
-          collectionArn: osCollection.attrArn,
+          collectionArn: openSearchResources.collection.collection.attrArn,
           fieldMapping: {
             vectorField: "bedrock-knowledge-base-default-vector",
             textField: "AMAZON_BEDROCK_TEXT_CHUNK",
@@ -249,7 +224,7 @@ export class EpsAssistMeStack extends Stack {
       slackSigningSecretParameter: secrets.slackSigningSecretParameter,
       guardrailId: GUARD_RAIL_ID,
       guardrailVersion: GUARD_RAIL_VERSION,
-      collectionId: osCollection.attrId,
+      collectionId: openSearchResources.collection.collection.attrId,
       knowledgeBaseId: bedrockkb.attrKnowledgeBaseId,
       region,
       account,
@@ -275,7 +250,7 @@ export class EpsAssistMeStack extends Stack {
         ]
       }])
     })
-    osCollection.addDependency(aossAccessPolicy)
+    openSearchResources.collection.collection.addDependency(aossAccessPolicy)
 
     const vectorIndex = new cr.AwsCustomResource(this, "VectorIndex", {
       installLatestAwsSdk: true,
@@ -287,7 +262,7 @@ export class EpsAssistMeStack extends Stack {
           InvocationType: "RequestResponse",
           Payload: JSON.stringify({
             RequestType: "Create",
-            CollectionName: osCollection.name,
+            CollectionName: openSearchResources.collection.collection.name,
             IndexName: VECTOR_INDEX_NAME,
             Endpoint: endpoint
           })
@@ -302,7 +277,7 @@ export class EpsAssistMeStack extends Stack {
           InvocationType: "RequestResponse",
           Payload: JSON.stringify({
             RequestType: "Delete",
-            CollectionName: osCollection.name,
+            CollectionName: openSearchResources.collection.collection.name,
             IndexName: VECTOR_INDEX_NAME,
             Endpoint: endpoint
           })
@@ -318,12 +293,12 @@ export class EpsAssistMeStack extends Stack {
     })
 
     // Ensure vectorIndex depends on collection
-    vectorIndex.node.addDependency(osCollection)
+    vectorIndex.node.addDependency(openSearchResources.collection.collection)
 
     // add a dependency for bedrock kb on the custom resource. Enables vector index to be created before KB
     bedrockkb.node.addDependency(vectorIndex)
     bedrockkb.node.addDependency(functions.functions.createIndex)
-    bedrockkb.node.addDependency(osCollection)
+    bedrockkb.node.addDependency(openSearchResources.collection.collection)
     bedrockkb.node.addDependency(bedrockExecutionRole)
 
     // Define a bedrock knowledge base data source with S3 bucket