Bedrock Builder
Note: This documentation is also available in a rendered format here.
Deploys a secure Bedrock Agent with Knowledge Bases, Action Groups, Vector Stores, Lambda functions, and Guardrails for building AI-powered conversational workflows. Common scenarios include building Q&A chatbots over internal documents, automating business workflows with AI agents, or adding retrieval-augmented generation to your applications.
Deployed Resources
This module deploys and integrates the following resources:
- Bedrock Agent — Amazon Bedrock Agent(s) for automating workflows using Foundation Models. Includes Agent Alias for versioned access.
- Agent Execution Role — IAM role with Bedrock Execution Policy for accessing Knowledge Bases, Foundation Models, and Guardrails.
- Agent KMS Key — Encrypts Agent resources. Auto-generated if not provided in config.
- Lambda Functions (Optional) — Functions for Agent Action Groups and Knowledge Base custom transformations. May be VPC-bound with configurable security groups.
- Lambda Layers (Optional) — Shared code layers for Lambda functions.
- Action Group(s) — Agent Action Groups linking Lambda functions or API schemas to the Agent. Supports existing Lambda ARNs or generated-function: references.
- Knowledge Base(s) (Optional) — Bedrock Knowledge Bases with S3 and SharePoint data sources, multiple parsing strategies (default, BDA, Foundation Model, custom), and chunking configurations.
- Vector Store(s) (Optional) — OpenSearch Serverless collections or Aurora Serverless clusters for Knowledge Base vector storage.
- Bedrock Guardrail (Optional) — Content filters, contextual grounding, PII entity detection, and regex-based sensitive information filtering.

Related Modules
- Bedrock Settings — Configure Bedrock model invocation audit logging before deploying agents
- Bedrock AgentCore Runtime — Deploy custom agent runtimes as an alternative to managed Bedrock Agents
- DataOps Lambda — Deploy Lambda functions independently that can be referenced as Action Group handlers via ARN
- Roles — Create IAM roles for agent execution or Lambda function access
Security/Compliance Details
This module is designed in alignment with MDAA security/compliance principles and CDK nag rulesets. Additional review is recommended prior to production deployment to ensure organization-specific compliance requirements are met.
- Encryption at Rest:
  - Agent resources encrypted with customer-managed KMS keys (auto-generated if not provided)
  - OpenSearch Serverless collections use encryption-at-rest security policies
  - Aurora Serverless clusters encrypted with KMS
- Encryption in Transit:
  - All Bedrock API communications use TLS
  - OpenSearch and Aurora connections encrypted in transit
- Least Privilege:
  - Agent execution role scoped to specific Knowledge Bases, Foundation Models, and Guardrails
  - Lambda execution roles scoped to required services only
  - OpenSearch Serverless uses data access policies for fine-grained control
- Network Isolation:
  - Lambda functions and Aurora clusters can be VPC-bound with configurable security groups
  - OpenSearch Serverless collections support VPC endpoints
  - No public connectivity to VPC-bound resources
- Content Safety:
  - Guardrails provide content filters and contextual grounding checks
  - PII entity detection and regex-based sensitive information filtering
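The principles above are things a reviewer can check mechanically before `cdk deploy`. The script below is an added example and is not part of the MDAA module: it walks a loaded bedrock-builder config (the dict shape that `yaml.safe_load` produces from the sample configs on this page) and reports where the config departs from those principles: a Lambda function without `vpcConfig`, an egress rule to `0.0.0.0/0` or across a very wide port range, an egress rule that carries a CDK nag suppression, an agent with no `guardrail` association, a guardrail whose `promptAttack` filter is below HIGH, and a missing `kmsKeyArn` (which the module handles by auto-generating a key, so it is reported for confirmation rather than as a defect). The embedded sample config, the `WIDE_PORT_RANGE` threshold and the expectation that `promptAttack` be HIGH are this example's own assumptions, not requirements stated by the module.

```python
"""Static audit of a bedrock-builder module config against the security
principles listed above. Added example; not part of the MDAA module."""
from __future__ import annotations

import ipaddress

WIDE_PORT_RANGE = 1000  # assumption: a span wider than this deserves a second look

# Constructed sample in the shape of bedrock-builder.yaml after yaml.safe_load.
# All identifiers are placeholders, not real resources.
SAMPLE_CONFIG = {
    "kmsKeyArn": "arn:aws:kms:us-east-1:111122223333:key/example-key-id",
    "lambdaFunctions": {
        "functions": [
            {
                "functionName": "test-action-group",
                "vpcConfig": {
                    "vpcId": "vpc-example",
                    "subnetIds": ["subnet-a", "subnet-b"],
                    "securityGroupEgressRules": {
                        "ipv4": [
                            {"cidr": "0.0.0.0/0", "protocol": "tcp", "port": 443,
                             "suppressions": [{"id": "AwsSolutions-EC23",
                                               "reason": "needs internet"}]},
                            {"cidr": "10.0.0.0/16", "protocol": "tcp",
                             "port": 1024, "toPort": 65535},
                        ]
                    },
                },
            },
            {"functionName": "test-custom-transformer"},  # no vpcConfig at all
        ]
    },
    "agents": {
        "guarded-agent": {"guardrail": {
            "id": "arn:aws:bedrock:us-east-1:111122223333:guardrail/example",
            "version": "1"}},
        "unguarded-agent": {},
    },
    "guardrails": {
        "enterprise-guardrail": {"contentFilters": {
            "promptAttack": {"inputStrength": "MEDIUM", "outputStrength": "MEDIUM"}}}
    },
}


def _port_span(rule: dict) -> tuple[int, int]:
    lo = int(rule["port"])
    hi = int(rule.get("toPort", lo))  # toPort defaults to a single port
    return lo, hi


def check_egress_rules(fn_name: str, rules: dict) -> list[str]:
    """Flag egress rules that allow any destination, open a very wide port
    range, or carry a CDK nag suppression that should be justified."""
    findings: list[str] = []
    for kind in ("ipv4", "prefixList", "sg"):
        for rule in rules.get(kind, []):
            target = rule.get("cidr") or rule.get("prefixList") or rule.get("sgId")
            lo, hi = _port_span(rule)
            proto = rule.get("protocol", "?")
            ports = f"{proto}/{lo}" if lo == hi else f"{proto}/{lo}-{hi}"
            if kind == "ipv4" and ipaddress.ip_network(rule["cidr"], strict=False).prefixlen == 0:
                findings.append(f"lambda {fn_name}: egress rule {target} {ports} allows any destination")
            if hi - lo + 1 > WIDE_PORT_RANGE:
                findings.append(f"lambda {fn_name}: egress rule {target} {ports} opens {hi - lo + 1} ports")
            for sup in rule.get("suppressions", []):
                findings.append(
                    f"lambda {fn_name}: egress rule {target} carries CDK nag suppression "
                    f"{sup.get('id')} (reason: {sup.get('reason', '')}); review the justification")
    return findings


def audit_config(config: dict) -> list[str]:
    """Return human-readable findings; an empty list means nothing to review."""
    findings: list[str] = []
    # Network isolation: every function VPC-bound, with tight egress.
    for fn in config.get("lambdaFunctions", {}).get("functions", []):
        name = fn.get("functionName", "<unnamed>")
        vpc = fn.get("vpcConfig")
        if vpc is None:
            findings.append(f"lambda {name}: no vpcConfig, function is not VPC-bound")
            continue
        findings.extend(check_egress_rules(name, vpc.get("securityGroupEgressRules", {})))
    # Content safety: every agent associated with a guardrail.
    for agent_name, agent in config.get("agents", {}).items():
        if not agent.get("guardrail", {}).get("id"):
            findings.append(f"agent {agent_name}: no guardrail associated")
    # Prompt-attack filter present and at full strength on each guardrail.
    for gr_name, gr in config.get("guardrails", {}).items():
        pa = gr.get("contentFilters", {}).get("promptAttack")
        if pa is None:
            findings.append(f"guardrail {gr_name}: no promptAttack content filter")
        elif pa.get("inputStrength") != "HIGH":
            findings.append(f"guardrail {gr_name}: promptAttack inputStrength is "
                            f"{pa.get('inputStrength')}, expected HIGH")
    # Encryption at rest: the module auto-generates a key when none is given.
    if not config.get("kmsKeyArn"):
        findings.append("kmsKeyArn not set: module will auto-generate a customer-managed key "
                        "(confirm this is intended)")
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

To run it against a real file, load `./bedrock-builder.yaml` with `yaml.safe_load` and pass the result to `audit_config`; the `{{account}}`-style placeholders the module substitutes are left as plain strings, which is fine for these checks because none of them parse ARNs.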
AWS Service Endpoints
The following VPC endpoints may be required for VPC-bound resources (Lambda functions, Aurora Serverless, OpenSearch Serverless) if public AWS service endpoint connectivity is unavailable (e.g., private subnets without NAT gateway, firewalled environments, or PrivateLink-only architectures):
| AWS Service | Endpoint Service Name | Type |
|---|---|---|
| Bedrock Runtime | com.amazonaws.{region}.bedrock-runtime | Interface |
| Bedrock Agent | com.amazonaws.{region}.bedrock-agent | Interface |
| Lambda | com.amazonaws.{region}.lambda | Interface |
| KMS | com.amazonaws.{region}.kms | Interface |
| CloudWatch Logs | com.amazonaws.{region}.logs | Interface |
| STS | com.amazonaws.{region}.sts | Interface |
| S3 | com.amazonaws.{region}.s3 | Gateway |
| OpenSearch Serverless | com.amazonaws.{region}.aoss | Interface |
| RDS | com.amazonaws.{region}.rds | Interface |
Additional VPC endpoints may be required depending on the AWS services accessed by your custom Lambda function code.
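A VPC-bound Lambda that is missing one of these endpoints fails at runtime with a connection timeout rather than a permission error, so it is worth confirming the endpoints before deploying. The following added example (not part of the MDAA module) compares the output of `aws ec2 describe-vpc-endpoints` against the nine service names in the table. Beyond presence, it checks that each endpoint is in the `available` state, has the expected type (Gateway for S3, Interface for the rest), and that Interface endpoints have private DNS enabled, since without it the AWS SDK inside the function resolves the public service hostname instead of the endpoint. The region, VPC ID and JSON document are constructed for the example; the field names match the CLI's output.

```python
"""Check a VPC for the endpoints the module's VPC-bound resources may need.
Added example; not part of the MDAA module."""
from __future__ import annotations

import json

# Endpoint service names from the table above, keyed by service suffix.
REQUIRED_ENDPOINTS = {
    "bedrock-runtime": "Interface",
    "bedrock-agent": "Interface",
    "lambda": "Interface",
    "kms": "Interface",
    "logs": "Interface",
    "sts": "Interface",
    "s3": "Gateway",
    "aoss": "Interface",
    "rds": "Interface",
}


def service_name(region: str, suffix: str) -> str:
    return f"com.amazonaws.{region}.{suffix}"


def audit_vpc_endpoints(region: str, vpc_id: str, describe_output: dict) -> dict:
    """Compare `aws ec2 describe-vpc-endpoints` JSON against REQUIRED_ENDPOINTS.

    Returns lists of service names under four keys: "missing", "wrong_type",
    "not_available" and "private_dns_off". Endpoints in other VPCs are ignored.
    """
    present = {ep["ServiceName"]: ep
               for ep in describe_output.get("VpcEndpoints", [])
               if ep.get("VpcId") == vpc_id}
    report = {"missing": [], "wrong_type": [], "not_available": [], "private_dns_off": []}
    for suffix, expected_type in REQUIRED_ENDPOINTS.items():
        name = service_name(region, suffix)
        ep = present.get(name)
        if ep is None:
            report["missing"].append(name)
            continue
        if ep.get("VpcEndpointType") != expected_type:
            report["wrong_type"].append(name)
        if ep.get("State") != "available":
            report["not_available"].append(name)
        # Private DNS only applies to Interface endpoints; Gateway endpoints use route tables.
        if expected_type == "Interface" and not ep.get("PrivateDnsEnabled", False):
            report["private_dns_off"].append(name)
    return report


def is_ready(report: dict) -> bool:
    return all(not items for items in report.values())


# Constructed stand-in for `aws ec2 describe-vpc-endpoints` output (placeholders only).
SAMPLE_DESCRIBE_OUTPUT = json.loads("""
{
  "VpcEndpoints": [
    {"VpcEndpointId": "vpce-0a1", "VpcId": "vpc-0123example",
     "ServiceName": "com.amazonaws.us-east-1.s3",
     "VpcEndpointType": "Gateway", "State": "available"},
    {"VpcEndpointId": "vpce-0a2", "VpcId": "vpc-0123example",
     "ServiceName": "com.amazonaws.us-east-1.bedrock-runtime",
     "VpcEndpointType": "Interface", "State": "available", "PrivateDnsEnabled": true},
    {"VpcEndpointId": "vpce-0a3", "VpcId": "vpc-0123example",
     "ServiceName": "com.amazonaws.us-east-1.kms",
     "VpcEndpointType": "Interface", "State": "available", "PrivateDnsEnabled": false},
    {"VpcEndpointId": "vpce-0a4", "VpcId": "vpc-0123example",
     "ServiceName": "com.amazonaws.us-east-1.lambda",
     "VpcEndpointType": "Interface", "State": "pending", "PrivateDnsEnabled": true},
    {"VpcEndpointId": "vpce-0a5", "VpcId": "vpc-other",
     "ServiceName": "com.amazonaws.us-east-1.logs",
     "VpcEndpointType": "Interface", "State": "available", "PrivateDnsEnabled": true}
  ]
}
""")


if __name__ == "__main__":
    result = audit_vpc_endpoints("us-east-1", "vpc-0123example", SAMPLE_DESCRIBE_OUTPUT)
    for key, names in result.items():
        for name in names:
            print(f"{key}: {name}")
    print("ready" if is_ready(result) else "endpoints need attention")
```

For a live check, capture `aws ec2 describe-vpc-endpoints --filters Name=vpc-id,Values=<vpc-id>` to a file, `json.load` it and pass the dict in; trim `REQUIRED_ENDPOINTS` to the services your deployment actually touches (for example, drop `aoss` when no OpenSearch Serverless vector store is configured).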
Configuration
MDAA Config
Add the following snippet to your mdaa.yaml under the modules: section of a domain/env in order to use this module:
bedrock-builder: # Module Name can be customized
  module_path: '@aws-mdaa/bedrock-builder' # Must match module NPM package name
  module_configs:
    - ./bedrock-builder.yaml # Filename/path can be customized
Module Config Samples and Variants
Copy the contents of the relevant sample config below into the ./bedrock-builder.yaml file referenced in the MDAA config snippet above.
Minimal Configuration
Deploys a single Bedrock Agent with a foundation model. Start here for a quick proof-of-concept agent before adding knowledge bases, action groups, or guardrails.
# Contents available via above link
# Minimal Bedrock Builder module configuration.
# Deploys a single Bedrock Agent with a foundation model.
# See CONFIGURATION.md for role reference options (name, arn, id).

# Admin roles granted access to Bedrock agent resources
dataAdminRoles:
  - name: 'Admin'

# (Optional) Bedrock agent with a foundation model
agents:
  test-agent:
    # Reference to role used as execution role on the agent.
    # Must have assume-role trust with bedrock.amazonaws.com.
    role:
      name: agent-execution-role
    # Foundation model identifier for agent reasoning
    foundationModel: 'anthropic.claude-3-sonnet-20240229-v1:0'
    # Agent instructions defining behavior
    instruction: 'You are a helpful assistant.'
Comprehensive Configuration
Deploys Bedrock agents with action groups, knowledge bases backed by Aurora and OpenSearch vector stores, Lambda functions, guardrails with content and sensitive information filters, and S3/SharePoint data sources with multiple parsing and chunking strategies. Use this as a reference when you need full control over agent orchestration, RAG pipelines, and content safety policies.
sample-config-comprehensive.yaml
# Contents available via above link
# Sample config for the Bedrock Builder module.
# Deploys Bedrock agents with action groups, knowledge bases backed by
# Aurora and OpenSearch vector stores, Lambda functions, guardrails
# with content and sensitive information filters, and S3/SharePoint
# data sources with multiple parsing and chunking strategies.
# See CONFIGURATION.md for role reference options (name, arn, id).

# Admin roles granted access to Bedrock agent resources including
# KMS keys and S3 buckets. Roles can be referenced by name, arn,
# or id.
dataAdminRoles:
  - name: 'Admin'
  - arn: 'arn:{{partition}}:iam::{{account}}:role/ReadOnlyAdmin'

# (Optional) Existing S3 bucket ARN for agent data storage. If
# omitted, a dedicated bucket is created automatically.
agentBucketArn: 'arn:{{partition}}:s3:::test-agent-bucket'

# (Optional) Existing KMS key ARN for encrypting Bedrock agent
# resources. If omitted, a customer-managed key is created
# automatically.
kmsKeyArn: 'arn:{{partition}}:kms:{{region}}:{{account}}:key/test-key-id'

# (Optional) Lambda functions and layers for Bedrock agent action
# groups. Enables custom business logic, API integrations, and
# business process automation within agents.
lambdaFunctions:
  # (Optional) List of Lambda layers to create
  layers:
    # Layer name
    - layerName: test-layer
      # Source code directory path containing layer code
      src: ./src/layer/
      # (Optional) Layer description
      description: 'test layer'
      # (Optional) If true, src is expected to contain a Dockerfile
      # for building the layer
      dockerBuild: false
  # (Optional) List of Lambda function definitions
  functions:
    # Lambda function name
    - functionName: test-action-group
      # (Optional) Optional function description
      description: 'Lambda function for Bedrock Agent Action group'
      # Source code directory path containing Lambda function code
      srcDir: ./src/function
      # Lambda function handler (e.g., 'index.handler')
      handler: test.lambda_handler
      # Lambda runtime (e.g., python3.13, nodejs22.x)
      runtime: python3.13
      # IAM role ARN for Lambda function execution
      roleArn: 'arn:{{partition}}:iam::{{account}}:role/test-lambda-role'
      # (Optional) Memory allocation in MB (128-10240)
      memorySizeMB: 256
      # (Optional) Function timeout in seconds
      timeoutSeconds: 60
      # (Optional) The size of the function's /tmp directory in MB
      # (default: 512 MiB)
      ephemeralStorageSizeMB: 1024
      # (Optional) Reserved concurrent executions for capacity
      # management
      reservedConcurrentExecutions: 10
      # (Optional) Maximum retry attempts for failed executions
      # (0-2)
      retryAttempts: 2
      # (Optional) Maximum event age in seconds (60-21600)
      maxEventAgeSeconds: 3600
      # (Optional) When true, srcDir must contain a Dockerfile for
      # container image deployment
      dockerBuild: false
      # (Optional) Environment variables for function configuration
      environment:
        ENV_VAR_1: 'value1'
        ENV_VAR_2: 'value2'
      # (Optional) Generated layer names to attach to the function
      generatedLayerNames:
        - test-layer
      # (Optional) Existing layer version ARNs mapped by name
      layerArns:
        external-layer: 'arn:{{partition}}:lambda:{{region}}:{{account}}:layer:ext-layer:1'
      # (Optional) Principal ARN granted Lambda invoke permissions
      grantInvoke: 'arn:{{partition}}:iam::{{account}}:role/invoker-role'
      # (Optional) Additional resource permissions mapped by SID
      additionalResourcePermissions:
        crossAccountInvoke:
          # AWS principal ARN for Lambda function access
          principal: 'arn:{{partition}}:iam::{{account}}:role/cross-account-role'
          # Lambda action (e.g., lambda:InvokeFunction)
          action: lambda:InvokeFunction
          # (Optional) Optional source account restriction for
          # cross-account security
          sourceAccount: '{{account}}'
          # (Optional) Optional source resource ARN restriction for
          # fine-grained access control
          sourceArn: 'arn:{{partition}}:s3:::test-source-bucket'
      # (Optional) VPC configuration for network deployment
      vpcConfig:
        # VPC ID for Lambda function deployment
        vpcId: vpc-testvpc
        # Subnet IDs for Lambda function ENI placement
        subnetIds:
          - subnet-test1
          - subnet-test2
        # (Optional) Optional security group ID. If omitted, a new
        # security group is created.
        securityGroupId: sg-test123
        # (Optional) Optional egress rules for the Lambda function
        # security group
        securityGroupEgressRules:
          # (Optional) IPv4 CIDR block rules
          ipv4:
            # CIDR block specification for network access control
            - cidr: 10.0.0.0/16
              # IP protocol (e.g., tcp, udp)
              protocol: tcp
              # Port number
              port: 443
              # (Optional) The ending port number for a port range
              toPort: 443
              # (Optional) Description of the rule
              description: 'Allow HTTPS egress'
              # (Optional) CDK Nag rule suppressions for this
              # specific security group rule
              suppressions:
                - id: AwsSolutions-EC23
                  reason: 'Test CIDR egress rule suppression'
          # (Optional) Prefix list rules
          prefixList:
            # Prefix list identifier for managed IP range access
            - prefixList: pl-test123
              protocol: tcp
              port: 443
              # (Optional) The ending port number for a port range
              toPort: 443
              # (Optional) Description of the rule
              description: 'Allow HTTPS via prefix list'
              # (Optional) CDK Nag rule suppressions for this
              # specific security group rule
              suppressions:
                - id: AwsSolutions-EC23
                  reason: 'Test prefix list egress rule suppression'
          # (Optional) Security group rules for cross-security
          # group traffic
          sg:
            # Security group identifier
            - sgId: sg-peer123
              protocol: tcp
              port: 5432
              # (Optional) The ending port number for a port range
              toPort: 5432
              # (Optional) Description of the rule
              description: 'Allow PostgreSQL to peer SG'
              # (Optional) CDK Nag rule suppressions for this
              # specific security group rule
              suppressions:
                - id: AwsSolutions-EC23
                  reason: 'Test SG peer egress rule suppression'
      # (Optional) EventBridge configuration for event-driven
      # execution
      eventBridge:
        # (Optional) Maximum age in seconds that EventBridge will
        # attempt to deliver an event (60-86400)
        maxEventAgeSeconds: 3600
        # (Optional) Maximum number of retry attempts EventBridge
        # will make (0-185)
        retryAttempts: 3
        # (Optional) Collection of named S3 EventBridge rules
        s3EventBridgeRules:
          test-s3-rule:
            # Array of S3 bucket names that trigger the rule
            buckets:
              - test-source-bucket
            # (Optional) Array of S3 object key prefixes for
            # filtering
            prefixes:
              - incoming/
            # (Optional) ARN of the custom EventBridge event bus
            eventBusArn: 'arn:{{partition}}:events:{{region}}:{{account}}:event-bus/test-bus'
        # (Optional) Collection of named general EventBridge rules
        eventBridgeRules:
          test-schedule-rule:
            # (Optional) Human-readable description of the rule
            description: 'Scheduled processing rule'
            # (Optional) Schedule expression for time-based
            # triggering (cron or rate syntax)
            scheduleExpression: 'rate(1 hour)'
          test-event-pattern-rule:
            # (Optional) Human-readable description of the rule
            description: 'Event pattern based rule'
            # (Optional) ARN of the custom EventBridge event bus
            eventBusArn: 'arn:{{partition}}:events:{{region}}:{{account}}:event-bus/test-bus'
            # (Optional) EventBridge event pattern for rule
            # matching and filtering
            eventPattern:
              # (Optional) Service that sourced the event
              source:
                - 'aws.s3'
              # (Optional) Identifies the fields and values in
              # the detail field
              detailType:
                - 'Object Created'
              # (Optional) The 12-digit number identifying an
              # AWS account
              account:
                - '{{account}}'
              # (Optional) AWS region where the event originated
              region:
                - '{{region}}'
              # (Optional) ARNs that identify resources involved
              # in the event
              resources:
                - 'arn:{{partition}}:s3:::test-bucket'
              # (Optional) Event timestamp
              time:
                - '2024-01-01T00:00:00Z'
              # (Optional) Event version (default: 0)
              version:
                - '0'
              # (Optional) Unique event identifier for tracing
              id:
                - 'test-event-id'
              # (Optional) A JSON object at the discretion of the
              # service originating the event
              detail:
                bucket:
                  name:
                    - test-bucket
            # (Optional) Custom input payload for the rule target
            input: '{"action": "process"}'
      # (Optional) CloudWatch metric filters for custom metric
      # extraction
      metricFilters:
        # Unique name for the metric filter
        - filterName: error-filter
          # CloudWatch Logs filter pattern for matching log events
          filterPattern: 'ERROR'
          # Metric transformations defining how matched data is
          # converted to metrics
          metricTransformations:
            # CloudWatch metric name for the transformed metric
            - metricName: ErrorCount
              # CloudWatch metric namespace for metric organization
              metricNamespace: TestApp/Errors
              # Metric value extraction pattern
              metricValue: '1'
              # (Optional) Default value when filter pattern does
              # not match
              defaultValue: 0
              # (Optional) CloudWatch metric unit
              unit: Count
              # (Optional) Metric dimensions for segmentation
              dimensions:
                FunctionName: '{{functionName}}'
      # (Optional) CloudWatch alarms for monitoring and alerting
      alarms:
        # Unique name for the alarm
        - alarmName: test-error-alarm
          # Comparison operator
          comparisonOperator: GreaterThanOrEqualToThreshold
          # Number of consecutive periods the metric must breach
          evaluationPeriods: 3
          # Threshold value for alarm comparison
          threshold: 5
          # (Optional) Human-readable alarm description
          alarmDescription: 'Alert on high error rate'
          # (Optional) Whether alarm actions are enabled during
          # state changes
          actionsEnabled: true
          # (Optional) SNS topic ARNs for ALARM state notifications
          alarmActions:
            - 'arn:{{partition}}:sns:{{region}}:{{account}}:test-alarm-topic'
          # (Optional) SNS topic ARNs for OK state notifications
          okActions:
            - 'arn:{{partition}}:sns:{{region}}:{{account}}:test-ok-topic'
          # (Optional) SNS topic ARNs for INSUFFICIENT_DATA state
          # notifications
          insufficientDataActions:
            - 'arn:{{partition}}:sns:{{region}}:{{account}}:test-insufficient-topic'
          # (Optional) Metric name for single metric alarms
          metricName: ErrorCount
          # (Optional) Metric namespace. AWS/* namespaces bypass
          # validation.
          namespace: TestApp/Errors
          # (Optional) Evaluation period in seconds
          period: 300
          # (Optional) Statistic for metric aggregation
          statistic: Sum
          # (Optional) Datapoints that must breach threshold
          # (M out of N evaluation)
          datapointsToAlarm: 2
          # (Optional) Missing data treatment (notBreaching,
          # breaching, ignore, missing)
          treatMissingData: notBreaching
          # (Optional) CloudWatch metric unit
          unit: Count
          # (Optional) Metric dimensions. Supports
          # {{functionName}} placeholder.
          dimensions:
            FunctionName: '{{functionName}}'
        # Alarm using metric math (mutually exclusive with
        # metricName in the same alarm)
        - alarmName: test-math-alarm
          comparisonOperator: GreaterThanThreshold
          evaluationPeriods: 1
          threshold: 100
          # (Optional) Metric data queries for metric math alarms.
          # Mutually exclusive with metricName.
          metrics:
            # Unique identifier for the query
            - id: m1
              # (Optional) CloudWatch metric name. Mutually
              # exclusive with expression.
              metricName: Invocations
              # (Optional) CloudWatch metric namespace
              namespace: AWS/Lambda
              # (Optional) Evaluation period in seconds
              period: 300
              # (Optional) Statistic for metric aggregation
              statistic: Sum
              # (Optional) Whether this metric data should be
              # returned in query results
              returnData: false
              # (Optional) Human-readable label
              label: 'Total Invocations'
              # (Optional) CloudWatch metric unit
              unit: Count
              # (Optional) Metric dimensions for filtering
              dimensions:
                FunctionName: '{{functionName}}'
            - id: m2
              metricName: Errors
              namespace: AWS/Lambda
              period: 300
              statistic: Sum
              returnData: false
            - id: error_rate
              # (Optional) Metric math expression. Mutually
              # exclusive with metricName.
              expression: '(m2/m1)*100'
              # (Optional) Human-readable label
              label: 'Error Rate %'
              returnData: true
      # (Optional) CloudWatch Logs Insights saved queries for log
      # analysis
      logInsightsQueries:
        # Unique name for the saved query
        - queryName: error-query
          # CloudWatch Logs Insights query string
          queryString: |
            fields @timestamp, @message
            | filter @message like /ERROR/
            | sort @timestamp desc
          # (Optional) Optional log group names for cross-function
          # queries. Defaults to the function's log group.
          logGroupNames:
            - /aws/lambda/test-function
    - functionName: test-custom-transformer
      srcDir: ./src/function
      handler: test.lambda_handler
      runtime: python3.13
      roleArn: 'arn:{{partition}}:iam::{{account}}:role/test-lambda-role'
      description: For custom parsing and chunking logic
    - functionName: test-custom-router1
      srcDir: ./src/function
      handler: test.lambda_handler
      runtime: python3.13
      roleArn: 'arn:{{partition}}:iam::{{account}}:role/test-lambda-role'
      description: For custom chat routing logic
      grantInvoke: 'arn:{{partition}}:iam::{{account}}:role/role-in-another-account'

# (Optional) Bedrock agent configurations with foundation models,
# action groups, knowledge base integration, and guardrails.
agents:
  test-agent:
    # (Optional) Agent alias name for version management
    agentAliasName: test-alias
    # Reference to role used as execution role on all agent(s).
    # The role must have assume-role trust with
    # bedrock.amazonaws.com.
    role:
      id: generated-role-id:agent-execution-role
    # Foundation model identifier for agent reasoning
    foundationModel: 'anthropic.claude-3-sonnet-20240229-v1:0'
    # (Optional) Agent description
    description: 'This is a Test Agent'
    # (Optional) Auto-prepare DRAFT version after changes
    autoPrepare: true
    # Agent instructions defining behavior and interaction patterns
    instruction: |
      You are a helpful assistant
      You are allowed to use associated Knowledge Base to answer questions
      Provide responses in markdown format with source citations
    # (Optional) Idle session timeout in seconds
    idleSessionTtlInSeconds: 400
    # (Optional) Knowledge base associations for RAG capabilities
    knowledgeBases:
      # Knowledge base association description
      - description: 'This is a Test Knowledge Base'
        # Knowledge base identifier
        id: '<kb-id>'
        # (Optional) Knowledge base state (controls usage during
        # invocation)
        knowledgeBaseState: ENABLED
    # (Optional) Guardrail association for safety and content
    # filtering
    guardrail:
      # Guardrail identifier
      id: 'arn:{{partition}}:bedrock:{{region}}:{{account}}:guardrail/test-guardrail'
      # (Optional) Guardrail version
      version: '1'
    # (Optional) Action groups for task execution and API
    # integration
    actionGroups:
      - # Action group name
        actionGroupName: 'test-action-group'
        # (Optional) Action group description
        description: 'This is a Test Action Group'
        # (Optional) Action group state (ENABLED or DISABLED)
        actionGroupState: ENABLED
        # Action group executor (e.g. Lambda function)
        actionGroupExecutor:
          # The ARN of the Lambda function containing the business
          # logic that is carried out upon invoking the action
          lambda: arn:{{partition}}:lambda:{{region}}:{{account}}:function:existing-lambda-function
        # (Optional) API schema for external API integration
        apiSchema:
          # (Optional) Relative path to JSON/YAML OpenAPI schema
          # file
          openApiSchemaPath: ./api-schema/test-schema.yaml
          # (Optional) The JSON or YAML-formatted payload defining
          # the OpenAPI schema for the action group
          payload: |
            openapi: "3.0.0"
            info:
              title: "Test API"
              version: "1.0.0"
          # (Optional) S3 location containing the OpenAPI schema
          s3:
            # (Optional) The name of the S3 bucket
            s3BucketName: test-schema-bucket
            # (Optional) The S3 object key for the schema resource
            s3ObjectKey: schemas/test-schema.yaml
      # Action group using functionSchema and customControl
      - actionGroupName: 'test-function-action-group'
        description: 'Action group using function schema'
        actionGroupExecutor:
          # (Optional) To return the action group invocation results
          # directly in the InvokeInlineAgent response, specify
          # RETURN_CONTROL
          customControl: RETURN_CONTROL
        # (Optional) Function schema for structured function
        # invocation (alternative to apiSchema)
        functionSchema:
          # A list of functions that each define an action in the
          # action group
          functions:
            # A name for the function
            - name: testFunction
              # (Optional) A description of the function and its
              # purpose
              description: 'A test function'
              # (Optional) Contains information if user confirmation
              # is required to invoke the function
              requireConfirmation: 'ENABLED'
    # (Optional) Prompt override configuration for advanced prompt
    # engineering
    promptOverrideConfiguration:
      # Prompt configurations for overriding agent sequence steps
      promptConfigurations:
        # (Optional) The step in the agent sequence that this
        # prompt configuration applies to
        - promptType: ORCHESTRATION
          # (Optional) Specifies whether to override the default
          # prompt template. Set to OVERRIDDEN to use custom
          # basePromptTemplate.
          promptCreationMode: DEFAULT
          # (Optional) Specifies whether to allow the agent to
          # carry out the step (ENABLED or DISABLED)
          promptState: ENABLED
          # (Optional) The agent's foundation model
          foundationModel: 'anthropic.claude-3-sonnet-20240229-v1:0'
          # (Optional) Defines the prompt template with which to
          # replace the default prompt template
          basePromptTemplate: 'You are a helpful assistant. $instruction$'
          # (Optional) Specifies whether to override the default
          # parser Lambda function (DEFAULT or OVERRIDDEN)
          parserMode: DEFAULT
          # (Optional) Additional inference parameters beyond the
          # base set, passed via Converse or ConverseStream
          # operations
          additionalModelRequestFields:
            top_k: 50
          # (Optional) Contains inference parameters to use when
          # the agent invokes a foundation model
          inferenceConfiguration:
            # (Optional) The maximum number of tokens allowed in
            # the generated response
            maximumLength: 2048
            # (Optional) The likelihood of the model selecting
            # higher-probability options (0.0-1.0)
            temperature: 0.7
            # (Optional) The percentage of most-likely candidates
            # the model considers (0.0-1.0)
            topP: 0.9
            # (Optional) The number of most-likely candidates from
            # which the model chooses the next token
            topK: 50
            # (Optional) A list of stop sequences
            stopSequences:
              - '\n\nHuman:'
      # (Optional) The ARN of the Lambda function to use when
      # parsing the raw foundation model output
      overrideLambda: 'arn:{{partition}}:lambda:{{region}}:{{account}}:function:parser-lambda'

# (Optional) Vector store configurations for knowledge bases
# (OpenSearch Serverless or Aurora). Provides vector database
# storage for semantic search and retrieval-augmented generation.
vectorStores:
  test-vector-store:
    # (Optional) Vector store type
    # (enum: AURORA_SERVERLESS, OPENSEARCH_SERVERLESS)
    vectorStoreType: 'AURORA_SERVERLESS'
    # VPC ID for vector store network isolation
    vpcId: test-vpc-id
    # Subnet IDs for vector store deployment
    subnetIds:
      - 'test-subnet-id1'
      - 'test-subnet-id2'
    # (Optional) Minimum Aurora Capacity Units for serverless
    # scaling (enum: 1, 2, 4, 8, 16, 32, 64, 128, 192, 256, 384)
    minCapacity: 1
    # (Optional) Maximum Aurora Capacity Units for serverless
    # scaling (enum: 1, 2, 4, 8, 16, 32, 64, 128, 192, 256, 384)
    maxCapacity: 8
    # (Optional) PostgreSQL engine version
    engineVersion: '15.5'
    # (Optional) Database port for Aurora PostgreSQL connectivity
    port: 5432
  test-vector-store2:
    # (Optional) Vector store type
    # (enum: AURORA_SERVERLESS, OPENSEARCH_SERVERLESS)
    vectorStoreType: 'OPENSEARCH_SERVERLESS'
    vpcId: test-vpc-id
    subnetIds:
      - 'test-subnet-id1'
      - 'test-subnet-id2'
    # Standby replica configuration
    # (enum: DISABLE, ENABLE)
    standbyReplicas: ENABLE
    # (Optional) Existing OpenSearch Serverless VPC endpoint
    ossVpce:
      # Existing VPC endpoint ID
      vpceId: 'vpce-0123456789abcdef0'
      # Security group ID associated with the VPC endpoint
      securityGroupId: 'sg-0123456789abcdef0'

# (Optional) Knowledge base configurations with S3/SharePoint data
# sources and custom parsing strategies. Enables document ingestion,
# embedding generation, and retrieval for RAG applications.
knowledgeBases:
  test-knowledge-base:
    # Bedrock embedding model ID for vector generation
    embeddingModel: 'amazon.titan-embed-text-v2:0'
    # Vector store reference name
    vectorStore: test-vector-store
    # (Optional) Vector field size for embedding dimensionality
    vectorFieldSize: 1024
    # IAM role reference for knowledge base execution
    role:
      id: generated-role-id:kb-execution-role
    # (Optional) Supplemental S3 bucket for advanced parsing
    # workflows. For multimodal documents, mandatory to provide
    # location to store images extracted from your data source.
    supplementalBucketName: 'supplemental-image-storage-bucket'
    # (Optional) S3 data sources for cloud document integration
    s3DataSources:
      test-ds-default-parsing:
        # S3 bucket name containing source documents
        bucketName: 'customer-docs-bucket'
        # (Optional) S3 key prefix to scope document ingestion
        prefix: 'support-documents/'
        # (Optional) Enable automatic data source sync
        # (default: false)
        enableSync: true
        # (Optional) Enable multi-account sync (default: false)
        enableMultiSync: true
        # (Optional) IAM role ARN for sync Lambda
        syncLambdaRoleArn: 'arn:{{partition}}:iam::{{account}}:role/test-sync-role'
      test-ds-bda-parsing:
        bucketName: 'customer-docs-bucket'
        prefix: 'support-documents-2/'
        # (Optional) Vector ingestion configuration for parsing
        # and chunking
        vectorIngestionConfiguration:
          # (Optional) Parsing configuration for document
          # processing
          parsingConfiguration:
            # Parsing strategy
            # (enum: BEDROCK_DATA_AUTOMATION,
            # BEDROCK_FOUNDATION_MODEL)
            parsingStrategy: 'BEDROCK_DATA_AUTOMATION'
            # (Optional) Bedrock Data Automation parsing config
            bedrockDataAutomationConfiguration:
              # Parsing modality for multimodal data processing
              parsingModality: 'MULTIMODAL'
          # (Optional) Chunking configuration for the data source
          chunkingConfiguration:
            # Chunking strategy
            # (enum: FIXED_SIZE, HIERARCHICAL, NONE, SEMANTIC)
            chunkingStrategy: 'FIXED_SIZE'
            # (Optional) Fixed size chunking configuration
            fixedSizeChunkingConfiguration:
              # Maximum token count per chunk
              maxTokens: 512
              # Overlap percentage between adjacent chunks
              overlapPercentage: 20
      # Data source with hierarchical chunking strategy
      test-ds-hierarchical-chunking:
        bucketName: 'customer-docs-bucket'
        prefix: 'support-documents-hierarchical/'
        vectorIngestionConfiguration:
          chunkingConfiguration:
            chunkingStrategy: 'HIERARCHICAL'
            # (Optional) Hierarchical chunking configuration
            hierarchicalChunkingConfiguration:
              # Token overlap between hierarchical chunks
              overlapTokens: 50
              # Hierarchical chunking level configurations
              levelConfigurations:
                # Maximum token count for this hierarchical level
                - maxTokens: 1024
                - maxTokens: 256
      # Data source with semantic chunking strategy
      test-ds-semantic-chunking:
        bucketName: 'customer-docs-bucket'
        prefix: 'support-documents-semantic/'
        vectorIngestionConfiguration:
          chunkingConfiguration:
            chunkingStrategy: 'SEMANTIC'
            # (Optional) Semantic chunking configuration
            semanticChunkingConfiguration:
              # Breakpoint percentile threshold for semantic
              # boundary detection
              breakpointPercentileThreshold: 95
              # Buffer size for semantic context preservation
              bufferSize: 1
              # Maximum token count per semantic chunk
              maxTokens: 300
      test-ds-foundation-model-parsing:
        bucketName: 'customer-docs-bucket'
        prefix: 'support-documents-3/'
        vectorIngestionConfiguration:
          parsingConfiguration:
            parsingStrategy: 'BEDROCK_FOUNDATION_MODEL'
            # (Optional) Bedrock Foundation Model parsing config
            bedrockFoundationModelConfiguration:
              # Foundation model ARN for document parsing
              modelArn: 'anthropic.claude-3-sonnet-20240229-v1:0'
              # (Optional) Parsing modality for multimodal
              # foundation model processing
              parsingModality: 'MULTIMODAL'
              # (Optional) Custom parsing instructions for the
              # foundation model
              parsingPromptText: 'Extract key information from this document'
      test-ds-custom-parsing:
        bucketName: 'customer-docs-bucket'
        prefix: 'support-documents-4/'
        vectorIngestionConfiguration:
          parsingConfiguration:
            parsingStrategy: 'BEDROCK_DATA_AUTOMATION'
            bedrockDataAutomationConfiguration:
              parsingModality: 'MULTIMODAL'
          chunkingConfiguration:
            chunkingStrategy: 'NONE'
          # (Optional) Custom transformation configuration for
          # data being ingested into the knowledge base
          customTransformationConfiguration:
            # S3 bucket for intermediate storage
            intermediateStorageBucket: 'custom-transform-intermediate-bucket'
            # S3 prefix for intermediate storage
            intermediateStoragePrefix: 'path/to/data/objects'
            # Lambda ARNs for custom transformation
            transformLambdaArns:
              - 'arn:{{partition}}:lambda:{{region}}:{{account}}:function:test-custom-transformer'
              - generated-function:test-custom-transformer
    # (Optional) SharePoint data sources for enterprise document
    # integration
    sharepointDataSources:
      test-sharepoint-ds-default-parsing:
        # SharePoint data source connection configuration
        dataSource:
          # Authentication type
          authType: OAUTH2_SHAREPOINT_APP_ONLY_CLIENT_CREDENTIALS
          # Secrets Manager ARN for SharePoint credentials
          credentialsSecretArn: 'arn:{{partition}}:secretsmanager:{{region}}:{{account}}:secret:/test/sharepoint/secret-qeTtB0'
          # SharePoint domain
          domain: mycompany.sharepoint.com
          # SharePoint host type
          hostType: ONLINE
          # SharePoint site URLs to ingest
          siteUrls:
            - 'https://mycompany.sharepoint.com/sites/mysite'
          # Azure AD tenant ID
          tenantId: '2b5901be-9f28-4fa4-b565-706cbbc699c5'
      test-sharepoint-ds-bda-parsing:
        dataSource:
          authType: OAUTH2_SHAREPOINT_APP_ONLY_CLIENT_CREDENTIALS
          credentialsSecretArn: 'arn:{{partition}}:secretsmanager:{{region}}:{{account}}:secret:/test/sharepoint/secret-qeTtB0'
          domain: mycompany.sharepoint.com
          hostType: ONLINE
          siteUrls:
            - 'https://mycompany.sharepoint.com/sites/mysite'
          tenantId: '2b5901be-9f28-4fa4-b565-706cbbc699c5'
        vectorIngestionConfiguration:
          parsingConfiguration:
            parsingStrategy: 'BEDROCK_DATA_AUTOMATION'
            bedrockDataAutomationConfiguration:
              parsingModality: 'MULTIMODAL'
          chunkingConfiguration:
            chunkingStrategy: 'FIXED_SIZE'
            fixedSizeChunkingConfiguration:
              maxTokens: 512
              overlapPercentage: 20
      test-sharepoint-ds-fm-parsing:
        dataSource:
          authType: OAUTH2_SHAREPOINT_APP_ONLY_CLIENT_CREDENTIALS
          credentialsSecretArn: 'arn:{{partition}}:secretsmanager:{{region}}:{{account}}:secret:/test/sharepoint/secret-qeTtB0'
          domain: mycompany.sharepoint.com
          hostType: ONLINE
          siteUrls:
            - 'https://mycompany.sharepoint.com/sites/mysite'
          tenantId: '2b5901be-9f28-4fa4-b565-706cbbc699c5'
        vectorIngestionConfiguration:
          parsingConfiguration:
            parsingStrategy: 'BEDROCK_FOUNDATION_MODEL'
            bedrockFoundationModelConfiguration:
              modelArn: 'anthropic.claude-3-sonnet-20240229-v1:0'
              parsingModality: 'MULTIMODAL'
              parsingPromptText: 'Extract key information from this document'
      test-sharepoint-ds-custom-parsing:
        dataSource:
          authType: OAUTH2_SHAREPOINT_APP_ONLY_CLIENT_CREDENTIALS
          credentialsSecretArn: 'arn:{{partition}}:secretsmanager:{{region}}:{{account}}:secret:/test/sharepoint/secret-qeTtB0'
          domain: mycompany.sharepoint.com
          hostType: ONLINE
          siteUrls:
            - 'https://mycompany.sharepoint.com/sites/mysite'
          tenantId: '2b5901be-9f28-4fa4-b565-706cbbc699c5'
        vectorIngestionConfiguration:
          parsingConfiguration:
            parsingStrategy: 'BEDROCK_DATA_AUTOMATION'
            bedrockDataAutomationConfiguration:
              parsingModality: 'MULTIMODAL'
          chunkingConfiguration:
            chunkingStrategy: 'NONE'
          customTransformationConfiguration:
            intermediateStorageBucket: 'custom-transform-intermediate-bucket'
            intermediateStoragePrefix: 'path/to/data/objects'
            transformLambdaArns:
              - 'arn:{{partition}}:lambda:{{region}}:{{account}}:function:test-custom-transformer'
              - generated-function:test-custom-transformer
  test-knowledge-base2:
    embeddingModel: 'amazon.titan-embed-text-v2:0'
    vectorStore: test-vector-store2
    vectorFieldSize: 1024
    role:
      id: generated-role-id:kb-execution-role
    supplementalBucketName: 'supplemental-image-storage-bucket'
    s3DataSources:
      test-ds-default-parsing:
        bucketName: 'customer-docs-bucket'
        prefix: 'support-documents/'
        enableSync: true

# (Optional) Guardrail configurations for AI safety, content
# filtering, and responsible AI deployment.
guardrails:
  enterprise-guardrail:
    # (Optional) Guardrail description
    description: 'Enterprise content safety guardrail'
    # Content filter configuration across safety categories
    contentFilters:
      # (Optional) Hate content filter with input/output strength
      # (enum: LOW, MEDIUM, HIGH)
      hate:
        inputStrength: 'MEDIUM'
        outputStrength: 'MEDIUM'
      # (Optional) Insults content filter
      insults:
        inputStrength: 'HIGH'
        outputStrength: 'HIGH'
      # (Optional) Misconduct content filter
      misconduct:
        inputStrength: 'HIGH'
        outputStrength: 'HIGH'
      # (Optional) Prompt attack content filter
      promptAttack:
        inputStrength: 'HIGH'
        outputStrength: 'HIGH'
      # (Optional) Sexual content filter
sexual:
inputStrength: 'HIGH'
outputStrength: 'HIGH'
# (Optional) Violence content filter
violence:
inputStrength: 'MEDIUM'
outputStrength: 'MEDIUM'
# (Optional) Custom message when user input is blocked
blockedInputMessaging: 'Your input contains restricted content'
# (Optional) Custom message when model output is blocked
blockedOutputsMessaging: 'Response blocked due to policy restrictions'
# (Optional) Contextual grounding filters for response accuracy
contextualGroundingFilters:
# (Optional) Grounding threshold (0.0-1.0) for source
# material adherence
grounding: 0.95
# (Optional) Relevance threshold (0.0-1.0) for query
# relevance
relevance: 0.90
# (Optional) Sensitive information filters for PII and custom
# regex patterns
sensitiveInformationFilters:
# (Optional) PII entity filter configurations
piiEntities:
# Configure guardrail type when the PII entity is
# detected
- type: EMAIL
# Configure guardrail action when the PII entity is
# detected
action: ANONYMIZE
# (Optional) Specifies the action to take when harmful
# content is detected in the input (BLOCK, ANONYMIZE,
# NONE)
inputAction: ANONYMIZE
# (Optional) Specifies whether to enable guardrail
# evaluation on the input
inputEnabled: true
# (Optional) Specifies the action to take when harmful
# content is detected in the output (BLOCK, ANONYMIZE,
# NONE)
outputAction: ANONYMIZE
# (Optional) Indicates whether guardrail evaluation is
# enabled on the output
outputEnabled: true
- type: PHONE
action: BLOCK
# (Optional) Custom regex pattern filters
regexes:
# The name of the regular expression
- name: 'account-number'
# The regular expression pattern
pattern: '\d{10,12}'
# The guardrail action when matching regex is detected
action: ANONYMIZE
# (Optional) Description of the regular expression
description: 'Matches account numbers'
# (Optional) Specifies the action to take when harmful
# content is detected in the input (BLOCK, NONE)
inputAction: BLOCK
# (Optional) Specifies whether to enable guardrail
# evaluation on the input
inputEnabled: true
# (Optional) Specifies the action to take when harmful
# content is detected in the output (BLOCK, NONE)
outputAction: BLOCK
# (Optional) Specifies whether to enable guardrail
# evaluation on the output
outputEnabled: true
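Before deploying a guardrail block like `enterprise-guardrail` above, it pays to lint the values the comments constrain (strength enums, 0.0-1.0 grounding thresholds, PII and regex actions, and whether each regex pattern compiles) and to preview what an unanchored pattern such as `\d{10,12}` matches in ordinary text, since it fires on any run of ten or more digits, including timestamps and card numbers. This is an added example, not code from the module; the dict is a constructed, cut-down copy of the guardrail settings above and the sample text is constructed.

```python
import re

# Allowed values as documented in the config comments above.
STRENGTHS = {"NONE", "LOW", "MEDIUM", "HIGH"}
ACTIONS = {"BLOCK", "ANONYMIZE", "NONE"}

# Constructed sample: a cut-down copy of the enterprise-guardrail block above.
GUARDRAIL = {
    "contentFilters": {
        "hate": {"inputStrength": "MEDIUM", "outputStrength": "MEDIUM"},
        "promptAttack": {"inputStrength": "HIGH", "outputStrength": "HIGH"},
    },
    "contextualGroundingFilters": {"grounding": 0.95, "relevance": 0.90},
    "sensitiveInformationFilters": {
        "piiEntities": [{"type": "EMAIL", "action": "ANONYMIZE"},
                        {"type": "PHONE", "action": "BLOCK"}],
        "regexes": [{"name": "account-number", "pattern": r"\d{10,12}",
                     "action": "ANONYMIZE"}],
    },
}


def lint_guardrail(g):
    """Return a list of problems found; an empty list means the block passes."""
    problems = []
    for name, f in g.get("contentFilters", {}).items():
        for key in ("inputStrength", "outputStrength"):
            if f.get(key) not in STRENGTHS:
                problems.append(f"contentFilters.{name}.{key}={f.get(key)!r}")
    for key, val in g.get("contextualGroundingFilters", {}).items():
        if not isinstance(val, (int, float)) or not 0.0 <= val <= 1.0:
            problems.append(f"contextualGroundingFilters.{key}={val!r} is outside 0.0-1.0")
    sif = g.get("sensitiveInformationFilters", {})
    for e in sif.get("piiEntities", []):
        if e.get("action") not in ACTIONS:
            problems.append(f"piiEntities.{e.get('type')}: bad action {e.get('action')!r}")
    for r in sif.get("regexes", []):
        if r.get("action") not in ACTIONS:
            problems.append(f"regexes.{r.get('name')}: bad action {r.get('action')!r}")
        try:
            re.compile(r.get("pattern", ""))
        except re.error as exc:
            problems.append(f"regexes.{r.get('name')}: pattern does not compile ({exc})")
    return problems


def preview_regex(pattern, text):
    """List what a filter pattern would match in free text, so false positives
    of an unanchored pattern show up before the guardrail is deployed."""
    return re.findall(pattern, text)
```

Running `preview_regex(r"\d{10,12}", ...)` over a few representative lines of expected model output is a quick way to decide whether the account-number pattern needs tighter anchoring for your data.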