From 342c92063741b50530a1ca2de95ec64f75df8763 Mon Sep 17 00:00:00 2001
From: nsxshota
Date: Tue, 21 Nov 2023 16:26:19 +0900
Subject: [PATCH] add: Bedrock Kendra policy statement
---
 deploy/scripts/cdk/lib/construct/network.ts | 21 ++++++++++++++++++++-
 1 file changed, 20 insertions(+), 1 deletion(-)
diff --git a/deploy/scripts/cdk/lib/construct/network.ts b/deploy/scripts/cdk/lib/construct/network.ts
index 22f12d4ec..275fab545 100644
--- a/deploy/scripts/cdk/lib/construct/network.ts
+++ b/deploy/scripts/cdk/lib/construct/network.ts
@@ -148,13 +148,32 @@ export class Network extends Construct {
 'logs:PutLogEvents',
 ],
 });
+ // Bedrock roll
+ const BedrockPolicyStatement = new iam.PolicyStatement({
+ sid: 'allowBedrockAccess',
+ resources: ['*'],
+ actions: [
+ 'bedrock:*',
+ ],
+ });
+ // Kendra roll
+ const KendraPolicyStatement = new iam.PolicyStatement({
+ sid: 'allowKendraAccess',
+ resources: ['*'],
+ actions: [
+ 'kendra:*'
+ ],
+ });
 this.backendTaskRole = new iam.Role(this, 'BackendTaskRole', {
 assumedBy: new iam.ServicePrincipal('ecs-tasks.amazonaws.com'),
 });
+ // ECS Exec Policyの付与
 this.backendTaskRole.addToPolicy(ECSExecPolicyStatement);
 // KendraとBedrockのアクセス権付与
- // this.backendTaskRole.addToPolicy();
+ this.backendTaskRole.addToPolicy(KendraPolicyStatement);
+ this.backendTaskRole.addToPolicy(BedrockPolicyStatement);
+ this.frontendTaskRole = new iam.Role(this, 'FrontendTaskRole', {
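Review bot: The two added PolicyStatements pair `resources: ['*']` with `bedrock:*` and `kendra:*`, which hands the backend ECS task role every Bedrock and Kendra action on every resource in the account (including index/data-source management and deletion), far more than a backend that invokes a model and queries an index needs. Scope the actions to the calls the backend actually makes and the resources to the specific model and index ARNs, as sketched below; the exact action set depends on the backend's API usage, which is outside this hunk, so treat the list as a starting point rather than the final one. Minor: both comments say "roll" where "role" is meant, and `'kendra:*'` is missing the trailing comma its Bedrock counterpart has. The enclosing constructor starts before this hunk and its trailing context lines are not visible here.
```typescript
    // Bedrock role: model invocation only, scoped to the model(s) the backend calls
    const BedrockPolicyStatement = new iam.PolicyStatement({
      sid: 'allowBedrockAccess',
      // TODO: replace placeholder with the foundation-model ARN(s) in use
      resources: ['<BEDROCK_MODEL_ARN_PLACEHOLDER>'],
      actions: ['bedrock:InvokeModel', 'bedrock:InvokeModelWithResponseStream'],
    });
    // Kendra role: read-only retrieval against the application's index
    const KendraPolicyStatement = new iam.PolicyStatement({
      sid: 'allowKendraAccess',
      // TODO: replace placeholder with the Kendra index ARN
      resources: ['<KENDRA_INDEX_ARN_PLACEHOLDER>'],
      actions: ['kendra:Query', 'kendra:Retrieve'],
    });
    // … unchanged: BackendTaskRole creation and addToPolicy calls …
```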