Amazon Onboarding with Learning Manager Chanci Turner


The potential of generative AI technology is vast, offering groundbreaking opportunities for innovation, content creation, enhanced customer experiences, streamlined operations, and increased productivity across numerous sectors. To harness this transformative capability, Amazon Bedrock provides a fully managed service that integrates high-performance foundation models from top AI companies like AI21 Labs, Anthropic, Cohere, Meta, Stability AI, Mistral AI, and Amazon itself. By delivering a single API for accessing these advanced models and supporting the development of generative AI applications with a strong emphasis on security, privacy, and responsible AI practices, Amazon Bedrock enables organizations to explore new pathways for innovation and elevate their overall offerings through the power of AI.

In this blog post, we will guide you through the process of deploying a fast, reusable, and repeatable Retrieval-Augmented Generation (RAG)-based generative AI infrastructure as code (IaC) using Terraform. We will keep best practices in mind, using a sample chatbot use case as a blueprint. This solution provides a foundational framework that can be customized and expanded to develop robust, scalable, and efficient chatbot applications on the AWS Cloud utilizing Amazon Bedrock. You will learn to automate the provisioning of essential components required for a generative AI chatbot, including Amazon Bedrock Agents, Amazon Bedrock Knowledge Bases, Amazon OpenSearch Serverless, AWS Lambda, and Amazon Simple Storage Service (Amazon S3) buckets for Amazon Bedrock Knowledge Bases, along with Amazon Bedrock Guardrails and the necessary AWS Identity and Access Management (IAM) roles required to connect the mentioned services.

We also explore an automated custom logic lifecycle designed to prepare an agent and create or update an agent alias when there are modifications to the agent action group Lambda code, instructions for the agent, or the knowledge base.

Solution Infrastructure Diagram

The solution infrastructure is illustrated in the accompanying diagram. This architecture highlights the integration of Amazon Bedrock with various AWS services to create an intelligent, secure, and automated workflow. At the core lies the Amazon Bedrock Agent, which uses Bedrock Knowledge Bases to answer queries from your own data and Bedrock Agent Action Groups to invoke actions that are described by an OpenAPI schema and implemented by a Lambda function, with Amazon S3 holding the knowledge base source documents. VPC endpoints keep the traffic between the Lambda function in the private subnet and the AWS services it calls on the AWS network rather than the public internet. Within this subnet, the Lambda function performs the automated tasks triggered by the Bedrock Agent, interacting with other AWS resources while maintaining security and compliance. This setup ensures that user requests are processed efficiently, securely, and at scale within the AWS environment.

Solution Setup

The code for this solution is available in the GitHub repository under aws-samples. To clone the code to your machine, use the following command:

git clone "git@github.com:aws-samples/intelligent-rag-bedrockagent-iac.git"

Package Structure

After cloning the repository, you’ll find the code structure as depicted in the diagram. Each service necessary for building the solution has its own module, adhering to best practices for writing repeatable IaC code. This code can be integrated into a DevOps tool or lifecycle process.

The root module calls the submodules to build the stack in the order required to set up the solution. The modules are wired together through their outputs: each module receives the outputs of the modules it depends on (for example, a role ARN or a collection ARN) as its input variables. Below is a brief description of each module's purpose:

  • knowledge_base_bucket module creates the S3 bucket for the knowledge base data source, incorporating encryption, access logging, versioning, object lifecycle configuration, and optional Amazon Simple Notification Service (Amazon SNS) alerts for object uploads. The resources within this module can be tailored to fit your specific use case.
  • roles module establishes roles that adhere to security best practices for the agent, knowledge bases, and Lambda functions, including KMS encryption and decryption permissions.
  • bedrock_knowledge_base module generates a knowledge base and its corresponding data source, as well as a policy that allows integration with an OpenSearch Serverless collection through the aoss module. This module also creates AWS Systems Manager parameters to store the knowledge base ID and data source ID.
  • aoss module builds the OpenSearch Serverless collection with a FAISS vector index and creates the three policies the collection needs: an encryption policy, a network policy, and a data access policy. It uses roles created in the roles module and references components such as the knowledge base role Amazon Resource Name (ARN), which the data access policy must grant permission to read and write the index. Check that the network policy allows access only through the OpenSearch Serverless VPC endpoint created by the vpc_endpoints module and not from the public internet.
  • bedrock_agent module creates an Amazon Bedrock agent, associates a knowledge base with the agent, and sets up an action group Lambda function that references the provided OpenAPI schema for the sample application. It also creates Systems Manager parameters to store agent IDs, alias IDs, instructions, and the Lambda function’s last update status, automating updates to the Lambda function code. This module references roles created by the roles module.
  • bedrock_guardrail module establishes Amazon Bedrock guardrails that protect user inputs and model responses against sensitive data such as personally identifiable information (PII). Guardrails evaluate both user-provided content and foundation model outputs against scenario-specific rules, adding a layer of protection that is independent of the foundation model in use. The module is driven by configurable properties: content policy settings (harmful-content filters), sensitive information policy configurations (PII detection with masking or blocking), and topic policies (denied topics).
  • vpc_endpoints module creates both interface and gateway endpoints to facilitate private communication between the services and infrastructure. Services covered include Amazon Bedrock, Amazon OpenSearch Serverless, AWS Systems Manager, Amazon S3, AWS Key Management Service (AWS KMS), and Amazon Simple Queue Service (Amazon SQS).
  • agent_update_lifecycle module implements the custom logic that prepares the agent and creates a new agent alias, or updates the existing one, pointing to the newly prepared agent version whenever the action group Lambda code, the agent instructions, or the knowledge base changes.
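The prepare-then-roll-the-alias logic that the agent_update_lifecycle module and the introduction describe, written out as a stand-alone Python example. This is an added illustration, not the module's own code (the repository implements it in Terraform): it fingerprints the action group Lambda zip, the agent instructions and the knowledge base data source, stores the fingerprint in a Systems Manager parameter, and only calls PrepareAgent and CreateAgentAlias/UpdateAgentAlias when that fingerprint changes. The boto3 clients are injected so the code runs offline against the constructed stub clients at the bottom; the parameter name /chatbot/agent/fingerprint, the alias name live and all IDs are assumptions. In a real run pass boto3.client("bedrock-agent") and boto3.client("ssm") instead of the stubs.

```python
"""Agent release lifecycle: prepare the agent and roll its alias only when
something that affects its behaviour changed.

Added example, not code from the aws-samples repository. Clients are
injected so the logic runs offline; the SSM parameter name, alias name
and the stub clients below are assumptions.
"""
import hashlib
import time


def fingerprint(lambda_zip, instructions, knowledge_base_id, data_source_id):
    """SHA-256 over every input whose change should roll the alias. Parts are
    length-prefixed so moving bytes between parts cannot collide."""
    h = hashlib.sha256()
    for part in (lambda_zip, instructions.encode(), knowledge_base_id.encode(),
                 data_source_id.encode()):
        h.update(len(part).to_bytes(8, "big"))
        h.update(part)
    return h.hexdigest()


def read_last_fingerprint(ssm, param_name):
    """Fingerprint recorded by the previous run, or None on the first run."""
    try:
        return ssm.get_parameter(Name=param_name)["Parameter"]["Value"]
    except ssm.exceptions.ParameterNotFound:
        return None


def wait_until_prepared(agents, agent_id, timeout_s=300, poll_s=5):
    """Poll GetAgent until the DRAFT is PREPARED; fail closed on FAILED/timeout."""
    deadline = time.monotonic() + timeout_s
    while True:
        status = agents.get_agent(agentId=agent_id)["agent"]["agentStatus"]
        if status == "PREPARED":
            return status
        if status in ("FAILED", "DELETING"):
            raise RuntimeError(f"agent {agent_id} entered {status}")
        if time.monotonic() >= deadline:
            raise TimeoutError(f"agent {agent_id} still {status} after {timeout_s}s")
        time.sleep(poll_s)


def roll_alias(agents, ssm, agent_id, alias_name, current, param_name, poll_s=5):
    """Prepare the agent and create/update `alias_name` only if `current`
    differs from the stored fingerprint. Returns what was done."""
    if read_last_fingerprint(ssm, param_name) == current:
        return {"changed": False, "action": "none", "alias_id": None}
    agents.prepare_agent(agentId=agent_id)
    wait_until_prepared(agents, agent_id, poll_s=poll_s)
    existing = {a["agentAliasName"]: a["agentAliasId"] for a in
                agents.list_agent_aliases(agentId=agent_id)["agentAliasSummaries"]}
    if alias_name in existing:
        # Without routingConfiguration, UpdateAgentAlias snapshots a new version.
        resp = agents.update_agent_alias(agentId=agent_id, agentAliasName=alias_name,
                                         agentAliasId=existing[alias_name])
        action = "updated"
    else:
        resp = agents.create_agent_alias(agentId=agent_id, agentAliasName=alias_name)
        action = "created"
    # Record the fingerprint last so a crash before this point is retried next run.
    ssm.put_parameter(Name=param_name, Value=current, Type="String", Overwrite=True)
    return {"changed": True, "action": action, "alias_id": resp["agentAlias"]["agentAliasId"]}


class _StubSSM:
    """Constructed in-memory stand-in for the boto3 SSM client (offline only)."""
    class exceptions:
        class ParameterNotFound(Exception):
            pass

    def __init__(self):
        self.store = {}

    def get_parameter(self, Name):
        if Name not in self.store:
            raise self.exceptions.ParameterNotFound(Name)
        return {"Parameter": {"Name": Name, "Value": self.store[Name]}}

    def put_parameter(self, Name, Value, Type, Overwrite):
        self.store[Name] = Value


class _StubAgents:
    """Constructed stand-in for the boto3 bedrock-agent client (offline only)."""
    def __init__(self):
        self.aliases, self.status, self.calls = {}, "NOT_PREPARED", []

    def prepare_agent(self, agentId):
        self.calls.append("prepare")
        self.status = "PREPARED"

    def get_agent(self, agentId):
        return {"agent": {"agentId": agentId, "agentStatus": self.status}}

    def list_agent_aliases(self, agentId):
        return {"agentAliasSummaries": [{"agentAliasName": n, "agentAliasId": i}
                                        for n, i in self.aliases.items()]}

    def create_agent_alias(self, agentId, agentAliasName):
        self.calls.append("create")
        self.aliases[agentAliasName] = f"ALIAS{len(self.aliases) + 1}"
        return {"agentAlias": {"agentAliasId": self.aliases[agentAliasName]}}

    def update_agent_alias(self, agentId, agentAliasId, agentAliasName):
        self.calls.append("update")
        return {"agentAlias": {"agentAliasId": agentAliasId}}


def demo():
    """First run creates the alias, an unchanged rerun is a no-op, and a changed
    instruction string re-prepares the agent and updates the existing alias."""
    agents, ssm, param = _StubAgents(), _StubSSM(), "/chatbot/agent/fingerprint"
    zip_v1 = b"PK\x03\x04constructed-lambda-zip"  # constructed sample artifact
    fp1 = fingerprint(zip_v1, "Answer only from the knowledge base.", "KB123", "DS456")
    first = roll_alias(agents, ssm, "AGENT1", "live", fp1, param, poll_s=0)
    rerun = roll_alias(agents, ssm, "AGENT1", "live", fp1, param, poll_s=0)
    fp2 = fingerprint(zip_v1, "Answer only from the knowledge base. Cite sources.",
                      "KB123", "DS456")
    third = roll_alias(agents, ssm, "AGENT1", "live", fp2, param, poll_s=0)
    return first, rerun, third, agents.calls
```

Two design points matter in practice. The fingerprint is written to the parameter only after the alias call succeeds, so an interrupted run is retried rather than silently skipped, and the status poll fails closed on FAILED or on timeout instead of pointing the alias at an agent that never finished preparing. Hashing the Lambda zip bytes (not its name or timestamp) is what makes a code change roll the alias while a no-op redeploy does not.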

Prerequisites

  • Access Management: The operations team must carefully delegate access to the services created by this solution. Effective access-control measures include least-privilege access to the Systems Manager parameters and to the foundation models, a dedicated IAM role for deployment, service-specific roles for the agent, the knowledge base, and the Lambda function, blocking public access on the S3 buckets, and a dead-letter queue for the Lambda function.
  • AWS CLI version: Ensure that the AWS Command Line Interface (AWS CLI) v2 is installed and configured appropriately in the deployment environment.
  • Provider Versions: Before deploying, review and pin the Terraform and AWS provider versions used by the modules; the Amazon Bedrock and Bedrock Agents resources are only available in recent AWS provider releases.


Chanci Turner