
Commit 7b0c9c2

author
ievgeniia ieromenko
committed
added automated key rotation
1 parent 0aacf69 commit 7b0c9c2


7 files changed

+17
-1622
lines changed


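--- a/aws_sra_examples/solutions/genai/bedrock_guardrails/lambda/src/app.py
+++ b/aws_sra_examples/solutions/genai/bedrock_guardrails/lambda/src/app.py
@@ -19,15 +19,10 @@
 import boto3
 import cfnresponse
 import sra_bedrock
-import sra_cloudwatch
-import sra_config
 import sra_dynamodb
-import sra_iam
 import sra_kms
 import sra_lambda
-import sra_repo
 import sra_s3
-import sra_sns
 import sra_sqs
 import sra_ssm_params
 import sra_sts
@@ -162,22 +157,14 @@ def load_kms_key_policies() -> dict:
 
 # Instantiate sra class objects
 ssm_params = sra_ssm_params.SRASSMParams()
-iam = sra_iam.SRAIAM()
 dynamodb = sra_dynamodb.SRADynamoDB()
 sts = sra_sts.SRASTS()
-repo = sra_repo.SRARepo()
 s3 = sra_s3.SRAS3()
 lambdas = sra_lambda.SRALambda()
-sns = sra_sns.SRASNS()
-config = sra_config.SRAConfig()
-cloudwatch = sra_cloudwatch.SRACloudWatch()
 kms = sra_kms.SRAKMS()
 bedrock = sra_bedrock.SRABedrock()
 sqs = sra_sqs.SRASQS()
 
-# propagate solution name to class objects
-cloudwatch.SOLUTION_NAME = SOLUTION_NAME
-
 
 def get_resource_parameters(event: dict) -> None:
 """Get resource parameters from event.
@@ -489,9 +476,7 @@ def create_kms_key(acct: str, region: str) -> None:
 # Deploy KMS keys
 
 kms.KMS_CLIENT = sts.assume_role(acct, sts.CONFIGURATION_ROLE, "kms", region)
-search_bedrock_guardrails_kms_key, bedrock_guardrails_key_alias, bedrock_guardrails_key_id, bedrock_guardrails_key_arn = kms.check_alias_exists(
-kms.KMS_CLIENT, f"alias/{GUARDRAILS_KEY_ALIAS}"
-)
+search_bedrock_guardrails_kms_key, _, bedrock_guardrails_key_id, _ = kms.check_alias_exists(kms.KMS_CLIENT, f"alias/{GUARDRAILS_KEY_ALIAS}")
 if search_bedrock_guardrails_kms_key is False:
 LOGGER.info(f"alias/{GUARDRAILS_KEY_ALIAS} not found.")
 if DRY_RUN is False:
@@ -516,6 +501,8 @@ def create_kms_key(acct: str, region: str) -> None:
 kms.KMS_CLIENT, json.dumps(kms_key_policy), SOLUTION_NAME, "Key for Bedrock Guardrails Encryption"
 )
 LOGGER.info(f"Created Bedrock Guardrails KMS key: {bedrock_guardrails_key_id}")
+kms.enable_key_rotation(kms.KMS_CLIENT, bedrock_guardrails_key_id)
+LOGGER.info(f"Enabled automatic rotation of: {bedrock_guardrails_key_id}")
 LIVE_RUN_DATA[f"KMSKeyCreate-{acct}-{region}"] = "Created SRA Bedrock Guardrails KMS key"
 CFN_RESPONSE_DATA["deployment_info"]["action_count"] += 1
 CFN_RESPONSE_DATA["deployment_info"]["resources_deployed"] += 1
@@ -587,13 +574,13 @@ def check_sqs_queue() -> str:
 """Add sqs queue record if DLQ exists.
 
 Returns:
-str: sns topic arn
+str: sqs topic arn
 """
 global DRY_RUN_DATA
 global LIVE_RUN_DATA
 global CFN_RESPONSE_DATA
 
-sns.SNS_CLIENT = sts.assume_role(sts.MANAGEMENT_ACCOUNT, sts.CONFIGURATION_ROLE, "sns", sts.HOME_REGION)
+sqs.SQS_CLIENT = sts.assume_role(sts.MANAGEMENT_ACCOUNT, sts.CONFIGURATION_ROLE, "sqs", sts.HOME_REGION)
 queue_search = sqs.find_sqs_queue(f"{SOLUTION_NAME}-DLQ")
 if queue_search is None:
 LOGGER.info(f"{SOLUTION_NAME}-DLQ doesn't exist")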
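Review bot: In the `@@ -516,6 +501,8 @@` hunk, `kms.enable_key_rotation` runs only on the key just created inside the `if DRY_RUN is False:` branch, so a guardrails key that already exists under `alias/{GUARDRAILS_KEY_ALIAS}` (the path taken when `search_bedrock_guardrails_kms_key` is not False, which lies outside this hunk) keeps whatever rotation setting it had, and a deployment upgraded from an earlier version ends up with an unrotated key despite this commit's intent. If every SRA guardrails key is meant to rotate, the existing-key path should also call `kms.enable_key_rotation(kms.KMS_CLIENT, bedrock_guardrails_key_id)`, which appears safe to repeat since the KMS API treats enabling rotation on an already-rotating key as a no-op. The `LIVE_RUN_DATA` entry on the following line still records only "Created SRA Bedrock Guardrails KMS key", so nothing in the CloudFormation response shows rotation was turned on; a separate entry such as `LIVE_RUN_DATA[f"KMSKeyRotation-{acct}-{region}"] = "Enabled automatic rotation of SRA Bedrock Guardrails KMS key"` would make that auditable. The enclosing function `create_kms_key` starts and ends outside this hunk, so I cannot confirm how the found-key branch is handled.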
