chore: wip

chrisbbreuer · chrisbbreuer · commit 70533168481f · 2023-12-09T19:51:03.000-08:00
diff --git a/storage/framework/.stacks/core/cloud/src/cloud/ai.ts b/storage/framework/.stacks/core/cloud/src/cloud/ai.ts
@@ -20,14 +20,27 @@ export class AiStack {
       description: 'Layer with aws-sdk',
     })
 
-    // Defining the Node.js Lambda function
+    const aiRole = new iam.Role(scope, 'AiRole', {
+      assumedBy: new iam.ServicePrincipal('lambda.amazonaws.com'),
+    })
+
+    // Granting the Lambda permission to invoke the AI model
+    aiRole.addToPolicy(
+      new iam.PolicyStatement({
+        actions: ['bedrock:InvokeModel'],
+        resources: config.ai.models?.map(model => `arn:aws:bedrock:us-east-1:${props.env.account}:foundation-model/${model}`),
+        effect: iam.Effect.ALLOW,
+      }),
+    )
+
     const aiLambda = new lambda.Function(scope, 'LambdaFunction', {
       functionName: `${props.slug}-${props.appEnv}-ai`,
       description: 'Lambda function to invoke the AI model',
       runtime: lambda.Runtime.NODEJS_20_X,
       handler: 'index.handler',
       code: lambda.Code.fromAsset('src/cloud/lambda'), // path relative to the cloud root package dir
       layers: [awsSdkLayer],
+      role: aiRole,
     })
 
     const api = new lambda.FunctionUrl(scope, 'AiLambdaUrl', {
@@ -38,14 +51,6 @@ export class AiStack {
       },
     })
 
-    // Granting the Lambda permission to invoke the AI model
-    aiLambda.role?.addToPrincipalPolicy(
-      new iam.PolicyStatement({
-        actions: ['bedrock:InvokeModel'],
-        resources: config.ai.models?.map(model => `arn:aws:bedrock:us-east-1:${props.env.account}:foundation-model/${model}`),
-      }),
-    )
-
     new Output(scope, 'AiApiUrl', {
       value: api.url,
     })
