feat(bedrock): Add enhanced action fields to bedrock_guardrail resource #43702

Merged

Contributor

@tuffant21 tuffant21 commented Aug 4, 2025

Rollback Plan

If a change needs to be reverted, we will publish an updated version of the library.

Changes to Security Controls

No changes to security controls (access controls, encryption, logging) in this pull request.

Description

This PR adds enhanced action fields to the aws_bedrock_guardrail resource to support more granular control over input and output actions for PII entities and regex configurations.

Changes include:

  • Add input_action, output_action, input_enabled, output_enabled fields to pii_entities_config and regexes_config
  • Maintain backwards compatibility with existing action field (required)
  • Add comprehensive test coverage for enhanced actions
  • Update documentation for all language variants (Terraform, Python CDK, TypeScript CDK)
  • Follow consistent naming patterns using names.Attr* constants

This enhancement allows users to specify different actions for input vs output processing and enable/disable processing for each direction independently, providing more flexibility in guardrail configuration.

Relations

Closes #42253

References

Output from Acceptance Testing

% make testacc TESTS=TestAccBedrockGuardrail_enhancedActions PKG=bedrock

make: Verifying source code with gofmt...
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go1.24.5 test ./internal/service/bedrock/... -v -count 1 -parallel 20 -run='TestAccBedrockGuardrail_enhancedActions'  -timeout 360m -vet=off
2025/08/04 16:30:22 Creating Terraform AWS Provider (SDKv2-style)...
2025/08/04 16:30:22 Initializing Terraform AWS Provider (SDKv2-style)...
=== RUN   TestAccBedrockGuardrail_enhancedActions
=== PAUSE TestAccBedrockGuardrail_enhancedActions
=== CONT  TestAccBedrockGuardrail_enhancedActions
--- PASS: TestAccBedrockGuardrail_enhancedActions (15.00s)
PASS
ok      github.com/hashicorp/terraform-provider-aws/internal/service/bedrock    21.303s

- Add input_action, output_action, input_enabled, output_enabled fields to pii_entities_config and regexes_config
- Maintain backwards compatibility with existing action field (required)
- Add comprehensive test coverage for enhanced actions
- Update documentation for all language variants (Terraform, Python CDK, TypeScript CDK)
- Follow consistent naming patterns using names.Attr* constants

Closes: Support for AWS CLI enhanced guardrail action fields
Ref: https://docs.aws.amazon.com/bedrock/latest/APIReference/API_GuardrailPiiEntityConfig.html
Ref: https://docs.aws.amazon.com/bedrock/latest/APIReference/API_GuardrailRegexConfig.html
@tuffant21 tuffant21 requested a review from a team as a code owner August 4, 2025 19:21
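
Added example (not code from this PR or from the provider): a Python check over `terraform show -json` plan output that flags `pii_entities_config` and `regexes_config` entries where one direction is explicitly disabled or set to take no action. The sample plan is constructed; the plan layout, the `sensitive_information_policy_config` parent block and the `NONE` action value are assumptions not stated on this page.

```python
import json

# Constructed sample shaped like `terraform show -json` plan output (assumed layout).
SAMPLE_PLAN = json.loads("""
{"resource_changes": [{
  "address": "aws_bedrock_guardrail.example",
  "type": "aws_bedrock_guardrail",
  "change": {"after": {"sensitive_information_policy_config": [{
    "pii_entities_config": [
      {"type": "EMAIL", "action": "BLOCK", "input_action": "BLOCK",
       "output_action": "ANONYMIZE", "input_enabled": true, "output_enabled": true},
      {"type": "NAME", "action": "ANONYMIZE", "input_action": null,
       "output_action": "NONE", "input_enabled": true, "output_enabled": true}
    ],
    "regexes_config": [
      {"name": "ticket_id", "pattern": "TICKET-[0-9]{6}", "action": "BLOCK",
       "input_action": "BLOCK", "output_action": null,
       "input_enabled": false, "output_enabled": null}
    ]}]}}}]}
""")


def find_weakened_directions(plan):
    """Return (address, block, item, direction, reason) for each entry whose
    per-direction fields explicitly disable evaluation or set action NONE."""
    findings = []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != "aws_bedrock_guardrail":
            continue
        after = (rc.get("change") or {}).get("after") or {}  # null on destroy
        for policy in after.get("sensitive_information_policy_config") or []:
            for block in ("pii_entities_config", "regexes_config"):
                for entry in policy.get(block) or []:
                    item = entry.get("type") or entry.get("name")
                    for d in ("input", "output"):
                        if entry.get(f"{d}_enabled") is False:
                            reason = f"{d}_enabled = false"
                        elif entry.get(f"{d}_action") == "NONE":
                            reason = f'{d}_action = "NONE"'
                        else:
                            continue  # unset fields are not judged here
                        findings.append((rc["address"], block, item, d, reason))
    return findings


if __name__ == "__main__":
    for finding in find_weakened_directions(SAMPLE_PLAN):
        print(" | ".join(finding))
```

Unset per-direction fields are deliberately not flagged, since this page does not say how the required `action` field applies when they are omitted.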
Contributor

github-actions bot commented Aug 4, 2025

Community Guidelines

This comment is added to every new Pull Request to provide quick reference to how the Terraform AWS Provider is maintained. Please review the information below, and thank you for contributing to the community that keeps the provider thriving! 🚀

Voting for Prioritization

  • Please vote on this Pull Request by adding a 👍 reaction to the original post to help the community and maintainers prioritize it.
  • Please see our prioritization guide for additional information on how the maintainers handle prioritization.
  • Please do not leave +1 or other comments that do not add relevant new information or questions; they generate extra noise for others following the Pull Request and do not help prioritize the request.

Pull Request Authors

  • Review the contribution guide relating to the type of change you are making to ensure all of the necessary steps have been taken.
  • Whether or not the branch has been rebased will not impact prioritization, but doing so is always a welcome surprise.

Contributor

github-actions bot commented Aug 4, 2025

✅ Thank you for correcting the previously detected issues! The maintainers appreciate your efforts to make the review process as smooth as possible.

@github-actions github-actions bot added needs-triage Waiting for first response or review from a maintainer. documentation Introduces or discusses updates to documentation. tests PRs: expanded test coverage. Issues: expanded coverage, enhancements to test infrastructure. provider Pertains to the provider itself, rather than any interaction with AWS. service/bedrock Issues and PRs that pertain to the bedrock service. size/L Managed by automation to categorize the size of a PR. labels Aug 4, 2025
The action field is still required by the AWS API even when using
the new enhanced action fields (input_action, output_action, etc).
- Create .changelog/43702.txt with proper enhancement entry
- Remove direct CHANGELOG.md modifications per process guidelines
@ewbankkit ewbankkit added enhancement Requests to existing resources that expand the functionality or scope. and removed provider Pertains to the provider itself, rather than any interaction with AWS. needs-triage Waiting for first response or review from a maintainer. labels Aug 5, 2025
@ewbankkit ewbankkit self-assigned this Aug 5, 2025
@github-actions github-actions bot added the prioritized Part of the maintainer teams immediate focus. To be addressed within the current quarter. label Aug 5, 2025
ewbankkit
ewbankkit previously approved these changes Aug 5, 2025
Contributor

@ewbankkit ewbankkit left a comment

LGTM 🚀.

% make testacc TESTARGS='-run=TestAccBedrockGuardrail_' PKG=bedrock ACCTEST_PARALLELISM=3
make: Verifying source code with gofmt...
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go1.24.5 test ./internal/service/bedrock/... -v -count 1 -parallel 3  -run=TestAccBedrockGuardrail_ -timeout 360m -vet=off
2025/08/05 15:53:48 Creating Terraform AWS Provider (SDKv2-style)...
2025/08/05 15:53:48 Initializing Terraform AWS Provider (SDKv2-style)...
=== RUN   TestAccBedrockGuardrail_tags
=== PAUSE TestAccBedrockGuardrail_tags
=== RUN   TestAccBedrockGuardrail_tags_null
=== PAUSE TestAccBedrockGuardrail_tags_null
=== RUN   TestAccBedrockGuardrail_tags_EmptyMap
=== PAUSE TestAccBedrockGuardrail_tags_EmptyMap
=== RUN   TestAccBedrockGuardrail_tags_AddOnUpdate
=== PAUSE TestAccBedrockGuardrail_tags_AddOnUpdate
=== RUN   TestAccBedrockGuardrail_tags_EmptyTag_OnCreate
=== PAUSE TestAccBedrockGuardrail_tags_EmptyTag_OnCreate
=== RUN   TestAccBedrockGuardrail_tags_EmptyTag_OnUpdate_Add
=== PAUSE TestAccBedrockGuardrail_tags_EmptyTag_OnUpdate_Add
=== RUN   TestAccBedrockGuardrail_tags_EmptyTag_OnUpdate_Replace
=== PAUSE TestAccBedrockGuardrail_tags_EmptyTag_OnUpdate_Replace
=== RUN   TestAccBedrockGuardrail_tags_DefaultTags_providerOnly
=== PAUSE TestAccBedrockGuardrail_tags_DefaultTags_providerOnly
=== RUN   TestAccBedrockGuardrail_tags_DefaultTags_nonOverlapping
=== PAUSE TestAccBedrockGuardrail_tags_DefaultTags_nonOverlapping
=== RUN   TestAccBedrockGuardrail_tags_DefaultTags_overlapping
=== PAUSE TestAccBedrockGuardrail_tags_DefaultTags_overlapping
=== RUN   TestAccBedrockGuardrail_tags_DefaultTags_updateToProviderOnly
=== PAUSE TestAccBedrockGuardrail_tags_DefaultTags_updateToProviderOnly
=== RUN   TestAccBedrockGuardrail_tags_DefaultTags_updateToResourceOnly
=== PAUSE TestAccBedrockGuardrail_tags_DefaultTags_updateToResourceOnly
=== RUN   TestAccBedrockGuardrail_tags_DefaultTags_emptyResourceTag
=== PAUSE TestAccBedrockGuardrail_tags_DefaultTags_emptyResourceTag
=== RUN   TestAccBedrockGuardrail_tags_DefaultTags_emptyProviderOnlyTag
=== PAUSE TestAccBedrockGuardrail_tags_DefaultTags_emptyProviderOnlyTag
=== RUN   TestAccBedrockGuardrail_tags_DefaultTags_nullOverlappingResourceTag
=== PAUSE TestAccBedrockGuardrail_tags_DefaultTags_nullOverlappingResourceTag
=== RUN   TestAccBedrockGuardrail_tags_DefaultTags_nullNonOverlappingResourceTag
=== PAUSE TestAccBedrockGuardrail_tags_DefaultTags_nullNonOverlappingResourceTag
=== RUN   TestAccBedrockGuardrail_tags_ComputedTag_OnCreate
=== PAUSE TestAccBedrockGuardrail_tags_ComputedTag_OnCreate
=== RUN   TestAccBedrockGuardrail_tags_ComputedTag_OnUpdate_Add
=== PAUSE TestAccBedrockGuardrail_tags_ComputedTag_OnUpdate_Add
=== RUN   TestAccBedrockGuardrail_tags_ComputedTag_OnUpdate_Replace
=== PAUSE TestAccBedrockGuardrail_tags_ComputedTag_OnUpdate_Replace
=== RUN   TestAccBedrockGuardrail_tags_IgnoreTags_Overlap_DefaultTag
=== PAUSE TestAccBedrockGuardrail_tags_IgnoreTags_Overlap_DefaultTag
=== RUN   TestAccBedrockGuardrail_tags_IgnoreTags_Overlap_ResourceTag
=== PAUSE TestAccBedrockGuardrail_tags_IgnoreTags_Overlap_ResourceTag
=== RUN   TestAccBedrockGuardrail_basic
=== PAUSE TestAccBedrockGuardrail_basic
=== RUN   TestAccBedrockGuardrail_disappears
=== PAUSE TestAccBedrockGuardrail_disappears
=== RUN   TestAccBedrockGuardrail_kmsKey
=== PAUSE TestAccBedrockGuardrail_kmsKey
=== RUN   TestAccBedrockGuardrail_update
=== PAUSE TestAccBedrockGuardrail_update
=== RUN   TestAccBedrockGuardrail_crossRegion
=== PAUSE TestAccBedrockGuardrail_crossRegion
=== RUN   TestAccBedrockGuardrail_enhancedActions
=== PAUSE TestAccBedrockGuardrail_enhancedActions
=== CONT  TestAccBedrockGuardrail_tags
=== CONT  TestAccBedrockGuardrail_tags_DefaultTags_nullOverlappingResourceTag
=== CONT  TestAccBedrockGuardrail_tags_DefaultTags_providerOnly
--- PASS: TestAccBedrockGuardrail_tags_DefaultTags_nullOverlappingResourceTag (18.48s)
=== CONT  TestAccBedrockGuardrail_tags_DefaultTags_updateToResourceOnly
--- PASS: TestAccBedrockGuardrail_tags_DefaultTags_updateToResourceOnly (25.12s)
=== CONT  TestAccBedrockGuardrail_tags_DefaultTags_emptyProviderOnlyTag
--- PASS: TestAccBedrockGuardrail_tags (56.02s)
=== CONT  TestAccBedrockGuardrail_tags_DefaultTags_emptyResourceTag
--- PASS: TestAccBedrockGuardrail_tags_DefaultTags_providerOnly (56.09s)
=== CONT  TestAccBedrockGuardrail_tags_DefaultTags_overlapping
--- PASS: TestAccBedrockGuardrail_tags_DefaultTags_emptyProviderOnlyTag (16.19s)
=== CONT  TestAccBedrockGuardrail_tags_DefaultTags_updateToProviderOnly
--- PASS: TestAccBedrockGuardrail_tags_DefaultTags_emptyResourceTag (16.42s)
=== CONT  TestAccBedrockGuardrail_basic
--- PASS: TestAccBedrockGuardrail_tags_DefaultTags_updateToProviderOnly (25.23s)
=== CONT  TestAccBedrockGuardrail_enhancedActions
--- PASS: TestAccBedrockGuardrail_basic (15.18s)
=== CONT  TestAccBedrockGuardrail_crossRegion
--- PASS: TestAccBedrockGuardrail_tags_DefaultTags_overlapping (41.46s)
=== CONT  TestAccBedrockGuardrail_disappears
--- PASS: TestAccBedrockGuardrail_enhancedActions (14.49s)
=== CONT  TestAccBedrockGuardrail_tags_EmptyTag_OnCreate
--- PASS: TestAccBedrockGuardrail_crossRegion (15.04s)
=== CONT  TestAccBedrockGuardrail_tags_EmptyTag_OnUpdate_Replace
--- PASS: TestAccBedrockGuardrail_disappears (12.32s)
=== CONT  TestAccBedrockGuardrail_tags_EmptyTag_OnUpdate_Add
--- PASS: TestAccBedrockGuardrail_tags_EmptyTag_OnCreate (27.94s)
=== CONT  TestAccBedrockGuardrail_tags_EmptyMap
--- PASS: TestAccBedrockGuardrail_tags_EmptyTag_OnUpdate_Replace (25.03s)
=== CONT  TestAccBedrockGuardrail_tags_AddOnUpdate
--- PASS: TestAccBedrockGuardrail_tags_EmptyMap (15.79s)
=== CONT  TestAccBedrockGuardrail_kmsKey
--- PASS: TestAccBedrockGuardrail_tags_EmptyTag_OnUpdate_Add (38.00s)
=== CONT  TestAccBedrockGuardrail_update
--- PASS: TestAccBedrockGuardrail_tags_AddOnUpdate (25.98s)
=== CONT  TestAccBedrockGuardrail_tags_DefaultTags_nonOverlapping
=== NAME  TestAccBedrockGuardrail_update
    guardrail_test.go:151: Step 2/3 error: Error running apply: exit status 1
        
        Error: Provider produced inconsistent result after apply
        
        When applying changes to aws_bedrock_guardrail.test, provider
        "provider[\"registry.terraform.io/hashicorp/aws\"]" produced an unexpected
        new value: .topic_policy_config[0].tier_config: was null, but now
        cty.ListVal([]cty.Value{cty.ObjectVal(map[string]cty.Value{"tier_name":cty.StringVal("CLASSIC")})}).
        
        This is a bug in the provider, which should be reported in the provider's own
        issue tracker.
        
        Error: Provider produced inconsistent result after apply
        
        When applying changes to aws_bedrock_guardrail.test, provider
        "provider[\"registry.terraform.io/hashicorp/aws\"]" produced an unexpected
        new value: .content_policy_config[0].tier_config: was null, but now
        cty.ListVal([]cty.Value{cty.ObjectVal(map[string]cty.Value{"tier_name":cty.StringVal("CLASSIC")})}).
        
        This is a bug in the provider, which should be reported in the provider's own
        issue tracker.
--- FAIL: TestAccBedrockGuardrail_update (21.08s)
=== CONT  TestAccBedrockGuardrail_tags_null
--- PASS: TestAccBedrockGuardrail_kmsKey (34.60s)
=== CONT  TestAccBedrockGuardrail_tags_ComputedTag_OnUpdate_Replace
--- PASS: TestAccBedrockGuardrail_tags_null (15.24s)
=== CONT  TestAccBedrockGuardrail_tags_ComputedTag_OnCreate
--- PASS: TestAccBedrockGuardrail_tags_DefaultTags_nonOverlapping (40.56s)
=== CONT  TestAccBedrockGuardrail_tags_IgnoreTags_Overlap_ResourceTag
--- PASS: TestAccBedrockGuardrail_tags_ComputedTag_OnCreate (19.12s)
=== CONT  TestAccBedrockGuardrail_tags_ComputedTag_OnUpdate_Add
--- PASS: TestAccBedrockGuardrail_tags_ComputedTag_OnUpdate_Replace (28.14s)
=== CONT  TestAccBedrockGuardrail_tags_IgnoreTags_Overlap_DefaultTag
--- PASS: TestAccBedrockGuardrail_tags_IgnoreTags_Overlap_ResourceTag (33.81s)
=== CONT  TestAccBedrockGuardrail_tags_DefaultTags_nullNonOverlappingResourceTag
--- PASS: TestAccBedrockGuardrail_tags_ComputedTag_OnUpdate_Add (28.41s)
--- PASS: TestAccBedrockGuardrail_tags_IgnoreTags_Overlap_DefaultTag (31.16s)
--- PASS: TestAccBedrockGuardrail_tags_DefaultTags_nullNonOverlappingResourceTag (15.79s)
FAIL
FAIL	github.com/hashicorp/terraform-provider-aws/internal/service/bedrock	249.387s
FAIL
make: *** [testacc] Error 1

Failure is unrelated to this change.

Member

@jar-b jar-b left a comment

LGTM 🚀

@ewbankkit
Contributor

@tuffant21 Thanks for the contribution 🎉 👏.

@ewbankkit ewbankkit merged commit d937625 into hashicorp:main Aug 6, 2025
42 checks passed
Contributor

github-actions bot commented Aug 6, 2025

Warning

This Issue has been closed, meaning that any additional comments are much easier for the maintainers to miss. Please assume that the maintainers will not see them.

Ongoing conversations amongst community members are welcome, however, the issue will be locked after 30 days. Moving conversations to another venue, such as the AWS Provider forum, is recommended. If you have additional concerns, please open a new issue, referencing this one where needed.

@github-actions github-actions bot added this to the v6.8.0 milestone Aug 6, 2025
Contributor

github-actions bot commented Aug 7, 2025

This functionality has been released in v6.8.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

@github-actions github-actions bot removed the prioritized Part of the maintainer teams immediate focus. To be addressed within the current quarter. label Aug 7, 2025
Labels
documentation Introduces or discusses updates to documentation. enhancement Requests to existing resources that expand the functionality or scope. service/bedrock Issues and PRs that pertain to the bedrock service. size/L Managed by automation to categorize the size of a PR. tests PRs: expanded test coverage. Issues: expanded coverage, enhancements to test infrastructure.
Development

Successfully merging this pull request may close these issues.

Bedrock Guardrail New Action Support
3 participants