Conversation
There was a problem hiding this comment.
Pull request overview
Adds a dedicated GitHub OIDC-assumable IAM role and policy that allows a GitHub Actions workflow to call Amazon Bedrock (Anthropic Claude) for PR review automation. Also adds section-header comments above existing blocks in the same file to improve readability.
Changes:
- New
iam_github_portfolio_bedrock_claude_policyIAM policy granting BedrockInvokeModel*,ListFoundationModels,GetFoundationModel,ListInferenceProfiles, andGetInferenceProfileon*. - New
iam_assumable_role_github_bedrock_clauderole trusted by the existingiam_github_oidc_roleand bound to the new policy. - Added top-of-file description block and section-divider comments for the existing Cloudfront and awsing modules.
Comments suppressed due to low confidence (3)
tofu/iam.github_oidc.tofu:122
- The IAM policy grants
bedrock:InvokeModelandbedrock:InvokeModelWithResponseStreamonResource: "*", which allows the role to invoke any foundation model (including expensive ones) in any region. Since this role is intended specifically for "PR review using Bedrock claude", consider scoping theInvokeModel*actions to the specific Claude foundation-model and/or inference-profile ARNs (e.g.arn:aws:bedrock:<region>::foundation-model/anthropic.claude-*and the relevantinference-profile/*ARN). TheList*/Get*actions can remain on*since they do not support resource-level permissions. This better follows the "scoped-down policy" principle referenced in the description comment at the top of this file.
"Action": [
"bedrock:InvokeModel",
"bedrock:InvokeModelWithResponseStream",
"bedrock:ListFoundationModels",
"bedrock:GetFoundationModel",
"bedrock:ListInferenceProfiles",
"bedrock:GetInferenceProfile"
],
"Resource": "*"
tofu/iam.github_oidc.tofu:105
- The description reads "IAM policy for GitHub OIDC role to access
${terraform.workspace}-bedrock-claudepolicy", but this policy grants access to Bedrock Claude models, not to another policy resource. Consider rewording, e.g. "IAM policy for GitHub OIDC role to invoke Bedrock Claude models", to avoid confusion when this description is surfaced in the AWS console.
description = "IAM policy for GitHub OIDC role to access ${terraform.workspace}-bedrock-claude policy"
tofu/iam.github_oidc.tofu:103
- Minor naming inconsistency: the module is named
iam_github_portfolio_bedrock_claude_policyand the resource name includesgithub-portfolio-bedrock-claude-policy, but this Bedrock policy is unrelated to the portfolio website (per the section comment "PR review using Bedrock claude"). The sibling resource above isiam_github_portfolio_website_s3_policy, where "portfolio" makes sense. Consider droppingportfoliofrom the module/policy name (e.g.iam_github_bedrock_claude_policy/${workspace}-github-bedrock-claude-policy) to match the role name on line 133 (${workspace}-github-bedrock-claude-role) and the section heading.
module "iam_github_portfolio_bedrock_claude_policy" {
source = "terraform-aws-modules/iam/aws//modules/iam-policy"
version = local.vars.iam.version
name = "${terraform.workspace}-github-portfolio-bedrock-claude-policy"
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| ] | ||
| } | ||
|
|
||
| # ===== awsing OpenTofu deployment ===== |
harik8
force-pushed
the
D-170526
branch
12 times, most recently
from
a3541a6 to
a70fc06
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
No description provided.