From 7bf37cf4474eb2dbe528287d88c8ee53f1e74384 Mon Sep 17 00:00:00 2001
From: nsxshota
Date: Fri, 24 Nov 2023 19:14:37 +0900
Subject: [PATCH] add RAG policy to TaskExeRole

---
 deploy/scripts/cdk/lib/construct/iam.ts | 25 ++++++++++++++-----------
 1 file changed, 14 insertions(+), 11 deletions(-)

diff --git a/deploy/scripts/cdk/lib/construct/iam.ts b/deploy/scripts/cdk/lib/construct/iam.ts
index 07d046232..0a40cf340 100644
--- a/deploy/scripts/cdk/lib/construct/iam.ts
+++ b/deploy/scripts/cdk/lib/construct/iam.ts
@@ -46,6 +46,17 @@ export class EcsIAM extends Construct {
 'kendra:*'
 ],
 });
+ // Create Rag Policy
+ const RagAccessPolicy = new iam.Policy(this, 'RAGFullAccess', {
+ statements: [KendraPolicyStatement,BedrockPolicyStatement],
+ })
+ // Secrets ManagerからDB認証情報を取ってくるためのPolicy
+ const SecretsManagerPolicy = new iam.Policy(this, 'SMGetPolicy', {
+ statements: [new iam.PolicyStatement({
+ actions: ['secretsmanager:GetSecretValue'],
+ resources: [props.rdsCluster.secret!.secretArn],
+ })],
+ })

 // FrontEnd Task Role
 this.frontendTaskRole = new iam.Role(this, 'FrontendTaskRole', {
@@ -60,8 +71,7 @@ export class EcsIAM extends Construct {
 // ECS Exec Policyの付与
 this.backendTaskRole.addToPolicy(ECSExecPolicyStatement);
 // KendraとBedrockのアクセス権付与
- this.backendTaskRole.addToPolicy(KendraPolicyStatement);
- this.backendTaskRole.addToPolicy(BedrockPolicyStatement);
+ this.backendTaskRole.attachInlinePolicy(RagAccessPolicy);

 // FrontEnd Task ExecutionRole
 this.frontendTaskExecutionRole = new iam.Role(this, 'frontendTaskExecutionRole', {
@@ -74,9 +84,6 @@ export class EcsIAM extends Construct {
 ],
 });

- // Secrets ManagerからDB認証情報を取ってくる
- const secretsDB = props.rdsCluster.secret!;
-
 // BackEnd Task ExecutionRole
 this.backendTaskExecutionRole = new iam.Role(this, 'backendTaskExecutionRole', {
 assumedBy: new iam.ServicePrincipal('ecs-tasks.amazonaws.com'),
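Review bot: `props.rdsCluster.secret!` inside the new SecretsManagerPolicy statement asserts that the cluster has a generated secret, and when it does not, synth fails with a bare "cannot read properties of undefined" error rather than a message naming the misconfiguration. The removed `secretsDB` local in the third hunk carried the same assertion, so the commit only moves it; an explicit guard such as `const dbSecret = props.rdsCluster.secret; if (!dbSecret) throw new Error('rdsCluster must expose a Secrets Manager secret');` followed by `resources: [dbSecret.secretArn]` would make the failure self-explaining. As a point of style, both new `iam.Policy` declarations end with `})` while every other statement in the file is terminated with `});`. The enclosing constructor starts before the hunk.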
@@ -88,11 +95,7 @@ export class EcsIAM extends Construct {
 ],
 });

- this.backendTaskExecutionRole.attachInlinePolicy(new iam.Policy(this, 'SMGetPolicy', {
- statements: [new iam.PolicyStatement({
- actions: ['secretsmanager:GetSecretValue'],
- resources: [secretsDB.secretArn],
- })],
- }));
+ this.backendTaskExecutionRole.attachInlinePolicy(SecretsManagerPolicy);
+ this.backendTaskExecutionRole.attachInlinePolicy(RagAccessPolicy);
 }
 }
\ No newline at end of file
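Review bot: Attaching `RagAccessPolicy` to `backendTaskExecutionRole` on the last added line grants the Kendra and Bedrock statements (at least `kendra:*`, visible in the first hunk) to the role that the ECS agent assumes to pull images, inject secrets and ship logs, not to the role the application code runs under; the backend task role already receives the same policy in the second hunk. Unless something in this deployment genuinely calls Kendra or Bedrock under the execution role, the line widens that role's permissions without serving the runtime path, and only `this.backendTaskExecutionRole.attachInlinePolicy(SecretsManagerPolicy);` should remain here. If the grant was added in response to an AccessDenied from the backend container, the task role attachment in the second hunk is the place to look first. The enclosing constructor starts before the hunk.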