Refactor BDA blueprint configuration and remove unused permissions

- Consolidate blueprints_path and aws_managed_blueprints into single blueprints list
- Support mixed list of file paths and ARNs in blueprints variable
- Add glob pattern expansion in service layer for blueprint files
- Remove InvokeModel and InvokeModelWithResponseStream permissions (not needed for BDA)

Author: laurencegoolsby

infra/app-flask/app-config/env-config/document_data_extraction.tf

@@ -3,8 +3,13 @@ locals {
     name                   = "${var.app_name}-${var.environment}"
     input_bucket_name      = "${var.app_name}-${var.environment}-bda-input"
     output_bucket_name     = "${var.app_name}-${var.environment}-bda-output"
-    blueprints_path        = "./document-data-extraction-blueprints/"
-    aws_managed_blueprints = null
+
+    # List of blueprint file paths or ARNs
+    # File paths are relative to the service directory
+    # ARNs reference AWS-managed or existing custom blueprints
+    blueprints = [
+      "./document-data-extraction-blueprints/*"
+    ]
 
     # BDA can only be deployed to us-east-1, us-west-2, and us-gov-west-1
     bda_region = "us-east-1"

infra/app-flask/service/document_data_extraction.tf

@@ -2,6 +2,14 @@
 locals {
   document_data_extraction_config = local.environment_config.document_data_extraction_config
 
+  expanded_blueprints = local.document_data_extraction_config != null ? flatten([
+    for bp in local.document_data_extraction_config.blueprints :
+    # if it's a glob pattern (contains *), expand it
+    can(regex("\\*", bp)) ? [
+      for file in fileset(path.module, bp) : "${path.module}/${file}"
+    ] : [bp]  # Otherwise use as-is (for ARNs or explicit paths)
+  ]) : []
+
   document_data_extraction_environment_variables = local.document_data_extraction_config != null ? {
     DDE_INPUT_LOCATION  = "s3://${local.prefix}${local.document_data_extraction_config.input_bucket_name}"
     DDE_OUTPUT_LOCATION = "s3://${local.prefix}${local.document_data_extraction_config.output_bucket_name}"
@@ -55,19 +63,8 @@ module "dde" {
 
 
   standard_output_configuration = local.document_data_extraction_config.standard_output_configuration
-  aws_managed_blueprints        = local.document_data_extraction_config.aws_managed_blueprints
+  blueprints                    = local.expanded_blueprints
   tags                          = local.tags
 
-  blueprints_map = {
-    # JPG/PNG can be processed as DOCUMENT or IMAGE types, but IMAGE types can only 
-    # have a single custom blueprint so generally the blueprints will be for the DOCUMENT type
-    for blueprint in fileset(local.document_data_extraction_config.blueprints_path, "*") :
-    split(".", blueprint)[0] => {
-      schema = file("${local.document_data_extraction_config.blueprints_path}/${blueprint}")
-      type   = "DOCUMENT"
-      tags   = local.tags
-    }
-  }
-
   name = "${local.prefix}${local.document_data_extraction_config.name}"
 }

infra/modules/document-data-extraction/resources/access_control.tf

@@ -6,8 +6,6 @@ resource "aws_iam_policy" "bedrock_access" {
 data "aws_iam_policy_document" "bedrock_access" {
   statement {
     actions = [
-      "bedrock:InvokeModel",
-      "bedrock:InvokeModelWithResponseStream",
       "bedrock:InvokeDataAutomationAsync",
       "bedrock:GetDataAutomationProject",
       "bedrock:GetBlueprint",

infra/modules/document-data-extraction/resources/main.tf

@@ -7,15 +7,35 @@ locals {
     }
   ]
 
+  blueprint_arns = [
+    for bp in var.blueprints : bp
+    if startswith(bp, "arn:")
+  ]
+
+  blueprint_files = [
+    for bp in var.blueprints : bp
+    if !startswith(bp, "arn:")
+  ]
+
+  # create map of custom blueprints from files
+  custom_blueprints_map = {
+    for file_path in local.blueprint_files :
+    replace(basename(file_path), ".json", "") => {
+      schema = file(file_path)
+      type   = "DOCUMENT"
+      tags   = var.tags
+    }
+  }
+
   all_blueprints = concat(
     # custom blueprints created from json schemas
     [for k, v in awscc_bedrock_blueprint.bda_blueprint : {
       blueprint_arn   = v.blueprint_arn
       blueprint_stage = v.blueprint_stage
     }],
     # aws managed blueprints referenced by arn
-    var.aws_managed_blueprints != null ? [
-      for arn in var.aws_managed_blueprints : {
+    length(local.blueprint_arns) > 0 ? [
+      for arn in local.blueprint_arns : {
         blueprint_arn   = arn
         blueprint_stage = "LIVE"
       }
@@ -35,7 +55,7 @@ resource "awscc_bedrock_data_automation_project" "bda_project" {
 }
 
 resource "awscc_bedrock_blueprint" "bda_blueprint" {
-  for_each = var.blueprints_map
+  for_each = local.custom_blueprints_map
 
   blueprint_name = "${var.name}-${each.key}"
   schema         = each.value.schema

infra/modules/document-data-extraction/resources/variables.tf

@@ -3,7 +3,7 @@ variable "name" {
   type        = string
 }
 
-variable "aws_managed_blueprints" {
+variable "blueprints" {
   description = "List of AWS managed blueprint ARNs (stage defaults to LIVE)"
   type        = list(string)
   default     = null
@@ -117,12 +117,3 @@ variable "tags" {
   default     = {}
 
 }
-
-variable "blueprints_map" {
-  description = "the map of unique blueprints with keys as blueprint identifiers and values as blueprint objects"
-  type = map(object({
-    schema = string
-    type   = string
-    tags   = map(string)
-  }))
-}