From d373664435d93f2213dca3a5f1e33b9876988376 Mon Sep 17 00:00:00 2001
From: Darin Webb <darin@code.org>
Date: Wed, 15 Apr 2026 16:00:04 -0500
Subject: [PATCH] allow multiple regions for bedrock invoke permissions

---
 cicd/1-setup/cicd-dependencies.template.yml | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/cicd/1-setup/cicd-dependencies.template.yml b/cicd/1-setup/cicd-dependencies.template.yml
index 9244af3..9c4a6a8 100644
--- a/cicd/1-setup/cicd-dependencies.template.yml
+++ b/cicd/1-setup/cicd-dependencies.template.yml
@@ -175,10 +175,13 @@ Resources:
                   - bedrock:InvokeModel
                   - bedrock:GetInferenceProfile
                 Resource:
-                  - !Sub "arn:aws:bedrock:${AWS::Region}::foundation-model/anthropic.claude-v2"
-                  - !Sub "arn:aws:bedrock:${AWS::Region}::foundation-model/anthropic.claude-3-sonnet-20240229-v1:0"
-                  - !Sub "arn:aws:bedrock:${AWS::Region}::foundation-model/anthropic.claude-3-5-sonnet-20240620-v1:0"
-                  - !Sub "arn:aws:bedrock:${AWS::Region}::foundation-model/anthropic.claude-sonnet-4-5-20250929-v1:0"
+                  # Foundation model ARNs use wildcard region because inference profiles
+                  # route requests across multiple regions (e.g. us.* profiles route to
+                  # us-east-1, us-east-2, and us-west-2).
+                  - "arn:aws:bedrock:*::foundation-model/anthropic.claude-v2"
+                  - "arn:aws:bedrock:*::foundation-model/anthropic.claude-3-sonnet-20240229-v1:0"
+                  - "arn:aws:bedrock:*::foundation-model/anthropic.claude-3-5-sonnet-20240620-v1:0"
+                  - "arn:aws:bedrock:*::foundation-model/anthropic.claude-sonnet-4-5-20250929-v1:0"
                   - !Sub "arn:aws:bedrock:${AWS::Region}:${AWS::AccountId}:inference-profile/us.anthropic.*sonnet*"
 
   ECSServiceAutoScalingRole: