Update DDE and storage modules

- Add support for AWS-managed encryption (Bedrock Data Automation requires AWS-managed encryption)
- Add support for AWS-managed Bedrock Data Automation blueprints

Author: laurencegoolsby

infra/modules/document-data-extraction/resources/README.md

@@ -1,13 +1,20 @@
 # Bedrock Data Automation Terraform Module
 
-This module provisions AWS Bedrock Data Automation resources, including the data automation project, blueprints, and associated IAM role for accessing S3 buckets.
+This module provisions AWS Bedrock Data Automation resources, including the data automation project and blueprints.
+
 
 ## Overview
 
 The module creates:
 - **Bedrock Data Automation Project** - Main project resource for data automation workflows
 - **Bedrock Blueprints** - Custom extraction blueprints configured via a map
-- **IAM Role** - Role for Bedrock service to assume with access to input/output S3 buckets
+
+## Important Notes
+
+- **BDA uses its own internal service role** - This module does not create a custom IAM role for BDA. Bedrock Data Automation uses an AWS-managed internal service role for S3 access.
+- **S3 bucket encryption** - S3 buckets used with BDA should use AWS-managed encryption (AES256), not customer-managed KMS keys.
+- **Lambda permissions** - Any Lambda function invoking BDA must have S3 permissions for both input and output buckets directly attached to its execution role.
+- **No bucket policies needed** - BDA does not require bucket policies allowing the `bedrock.amazonaws.com` service principal.
 
 ## Features
 - Creates resources required for Bedrock Data Automation workflows
@@ -17,14 +24,49 @@ The module creates:
 - Complies with Checkov recommendations for security and compliance
 - Designed for cross-layer usage (see project module conventions)
 
+## Usage
+
+```hcl
+module "bedrock_data_automation" {
+  source = "../../modules/document-data-extraction/resources"
+  
+  name  = "my-app-prod"
+  
+  blueprints_map = {
+    invoice = {
+      schema = file("${path.module}/schemas/invoice.json")
+      type   = "DOCUMENT"
+      tags   = {
+          Environment = "production"
+          ManagedBy   = "terraform"
+      }
+    }
+  }
+  
+  standard_output_configuration = {
+    document = {
+      extraction = {
+        granularity = {
+          types = ["PAGE", "ELEMENT"]
+        }
+      }
+    }
+  }
+  
+  tags = {
+          Environment = "production"
+          ManagedBy   = "terraform"
+  }
+}
+```
+
 ## Inputs
 
 ### Required Variables
 
 | Name  | Description | Type | Required |
 |-------|-------------|------|----------|
 | `name` | Prefix to use for resource names (e.g., "my-app-prod") | `string` | yes |
-| `data_access_policy_arns` | Map of policy ARNs for input and output locations to attach to the BDA role | `map(string)` | yes |
 | `blueprints_map` | Map of unique blueprints with keys as blueprint identifiers and values as blueprint objects | `map(object)` | yes |
 
 #### `blueprints_map` Object Structure
@@ -59,17 +101,16 @@ See `variables.tf` for complete structure details.
 | Name | Description |
 |------|-------------|
 | `bda_project_arn` | The ARN of the Bedrock Data Automation project |
-| `bda_role_name` | The name of the IAM role used by Bedrock Data Automation |
-| `bda_role_arn` | The ARN of the IAM role used by Bedrock Data Automation |
 | `access_policy_arn` | The ARN of the IAM policy for accessing the Bedrock Data Automation project |
-
+| `bda_profile_arn` | The profile ARN for cross-region inference |
+| `bda_blueprint_arns` | List of created blueprint ARNs |
+| `bda_blueprint_names` | List of created blueprint names |
+| `bda_blueprint_arn_to_name` | Map of blueprint ARNs to names |
 
 ## Resources Created
 
 - `awscc_bedrock_data_automation_project.bda_project` - Main BDA project
 - `awscc_bedrock_blueprint.bda_blueprint` - One or more blueprints (created from `blueprints_map`)
-- `aws_iam_role.bda_role` - IAM role for Bedrock service
-- `aws_iam_role_policy_attachment.role_policy_attachments` - Policy attachments for S3 access
 
 ## Project Conventions
 
@@ -95,11 +136,6 @@ module "bedrock_data_automation" {
   
   name = "my-app"
   
-  data_access_policy_arns = {
-    input  = aws_iam_policy.input.arn
-    output = aws_iam_policy.output.arn
-  }
-  
   blueprints_map = {}  # No custom blueprints
 }
 ```
@@ -110,7 +146,6 @@ module "bedrock_data_automation" {
   source = "../../modules/document-data-extraction/resources"
   
   name               = "my-app"
-  data_access_policy_arns = { /* ... */ }
   blueprints_map     = { /* ... */ }
   
   standard_output_configuration = {
@@ -149,8 +184,6 @@ module "bedrock_data_automation" {
 - AWS provider configured
 - AWS Cloud Control provider (awscc) configured
 - Appropriate AWS permissions to create Bedrock and IAM resources
-- KMS keys
-- S3 bucket policies defined for input/output buckets
 
 ## References
 

infra/modules/document-data-extraction/resources/access_control.tf

@@ -9,14 +9,16 @@ data "aws_iam_policy_document" "bedrock_access" {
       "bedrock:InvokeModel",
       "bedrock:InvokeModelWithResponseStream",
       "bedrock:GetDataAutomationProject",
+      "bedrock:GetBlueprint",
       "bedrock:StartDataAutomationJob",
       "bedrock:GetDataAutomationJob",
       "bedrock:ListDataAutomationJobs"
     ]
     effect = "Allow"
     resources = [
       awscc_bedrock_data_automation_project.bda_project.project_arn,
-      "${awscc_bedrock_data_automation_project.bda_project.project_arn}/*"
+      "${awscc_bedrock_data_automation_project.bda_project.project_arn}/*",
+      "arn:aws:bedrock:*:*:blueprint/*"
     ]
   }
 }

infra/modules/document-data-extraction/resources/encryption.tf

@@ -7,58 +7,38 @@ locals {
     }
   ]
 
-  kms_encryption_context = {
-    Environment = lookup(var.tags, "environment", "unknown")
-  }
+  all_blueprints = concat(
+    # custom blueprints created from json schemas
+    [for k, v in awscc_bedrock_blueprint.bda_blueprint : {
+      blueprint_arn   = v.blueprint_arn
+      blueprint_stage = v.blueprint_stage
+    }],
+    # aws managed blueprints referenced by arn
+    var.aws_managed_blueprints != null ? [
+      for arn in var.aws_managed_blueprints : {
+        blueprint_arn   = arn
+        blueprint_stage = "LIVE"
+      }
+    ] : []
+  )
 }
 
 resource "awscc_bedrock_data_automation_project" "bda_project" {
   project_name                  = "${var.name}-project"
   project_description           = "Project for ${var.name}"
-  kms_encryption_context        = local.kms_encryption_context
-  kms_key_id                    = aws_kms_key.bedrock_data_automation.arn
   tags                          = local.bda_tags
   standard_output_configuration = var.standard_output_configuration
-  custom_output_configuration = {
-    blueprints = [for k, v in awscc_bedrock_blueprint.bda_blueprint : {
-      blueprint_arn   = v.blueprint_arn
-      blueprint_stage = v.blueprint_stage
-    }]
-  }
+  custom_output_configuration = length(local.all_blueprints) > 0 ? {
+    blueprints = local.all_blueprints
+  } : null
   override_configuration = var.override_configuration
 }
 
 resource "awscc_bedrock_blueprint" "bda_blueprint" {
   for_each = var.blueprints_map
 
-  blueprint_name         = "${var.name}-${each.key}"
-  schema                 = each.value.schema
-  type                   = each.value.type
-  kms_encryption_context = local.kms_encryption_context
-  kms_key_id             = aws_kms_key.bedrock_data_automation.arn
-  tags                   = local.bda_tags
+  blueprint_name = "${var.name}-${each.key}"
+  schema         = each.value.schema
+  type           = each.value.type
+  tags           = local.bda_tags
 }
-
-resource "aws_iam_role" "bda_role" {
-  name = "${var.name}-bda_role"
-
-  assume_role_policy = jsonencode({
-    Version = "2012-10-17"
-    Statement = [
-      {
-        Effect = "Allow"
-        Principal = {
-          Service = "bedrock.amazonaws.com"
-        }
-        Action = "sts:AssumeRole"
-      }
-    ]
-  })
-}
-
-resource "aws_iam_role_policy_attachment" "role_policy_attachments" {
-  for_each = var.data_access_policy_arns
-
-  role       = aws_iam_role.bda_role.name
-  policy_arn = each.value
-}

infra/modules/document-data-extraction/resources/main.tf

@@ -3,9 +3,10 @@ variable "name" {
   type        = string
 }
 
-variable "data_access_policy_arns" {
-  description = "The set of policy ARNs for the input and output locations to attach to the BDA role."
-  type        = map(string)
+variable "aws_managed_blueprints" {
+  description = "List of AWS managed blueprint ARNs (stage defaults to LIVE)"
+  type        = list(string)
+  default     = null
 }
 
 variable "custom_output_config" {

infra/modules/document-data-extraction/resources/variables.tf

@@ -57,9 +57,12 @@ data "aws_iam_policy_document" "storage_access" {
       "arn:aws:s3:::${var.name}/*"
     ]
   }
-  statement {
-    actions   = ["kms:GenerateDataKey", "kms:Decrypt"]
-    effect    = "Allow"
-    resources = [aws_kms_key.storage.arn]
+  dynamic "statement" {
+    for_each = var.use_aws_managed_encryption ? [] : [1]
+    content {
+      actions   = ["kms:GenerateDataKey", "kms:Decrypt"]
+      effect    = "Allow"
+      resources = [aws_kms_key.storage[0].arn]
+    }
   }
 }

infra/modules/storage/access_control.tf

@@ -1,4 +1,6 @@
 resource "aws_kms_key" "storage" {
+  count = var.use_aws_managed_encryption ? 0 : 1
+
   description = "KMS key for bucket ${var.name}"
   # The waiting period, specified in number of days. After the waiting period ends, AWS KMS deletes the KMS key.
   deletion_window_in_days = "10"
@@ -10,8 +12,8 @@ resource "aws_s3_bucket_server_side_encryption_configuration" "storage" {
   bucket = aws_s3_bucket.storage.id
   rule {
     apply_server_side_encryption_by_default {
-      kms_master_key_id = aws_kms_key.storage.arn
-      sse_algorithm     = "aws:kms"
+      kms_master_key_id = var.use_aws_managed_encryption ? null : aws_kms_key.storage[0].arn
+      sse_algorithm     = var.use_aws_managed_encryption ? "AES256" : "aws:kms"
     }
     bucket_key_enabled = true
   }

infra/modules/storage/encryption.tf

@@ -9,4 +9,5 @@ resource "aws_s3_bucket" "storage" {
   # checkov:skip=CKV_AWS_144:Cross region replication not required by default
   # checkov:skip=CKV2_AWS_62:S3 bucket does not need notifications enabled
   # checkov:skip=CKV_AWS_21:Bucket versioning is not needed
+  # checkov:skip=CKV_AWS_145:AWS-managed encryption (AES256) used when use_aws_managed_encryption=true
 }

infra/modules/storage/main.tf

@@ -8,3 +8,9 @@ variable "name" {
   type        = string
   description = "Name of the AWS S3 bucket. Needs to be globally unique across all regions."
 }
+
+variable "use_aws_managed_encryption" {
+  description = "Use AWS-managed encryption (AES256) instead of customer-managed KMS keys"
+  type        = bool
+  default     = false
+}

infra/modules/storage/variables.tf

@@ -7,7 +7,10 @@ locals {
     # Blueprints path is relative to infra/{{app_name}}/service/ directory
     # Contains JSON schema files for custom Bedrock Data Automation blueprints
     # (e.g., not AWS-managed blueprints)
-    blueprints_path    = "./document-data-extraction-blueprints/"
+    blueprints_path = "./document-data-extraction-blueprints/"
+
+    # Optional: List of AWS-managed blueprint ARNs to use for document extraction
+    aws_managed_blueprints = null
 
     # BDA can only be deployed to us-east-1, us-west-2, and us-gov-west-1
     # TODO(https://github.com/navapbc/template-infra/issues/993) Add GovCloud Support