aws-samples · wadabee · Jul 9, 2025 · Jul 9, 2025 · Jul 9, 2025 · Jul 9, 2025
diff --git a/packages/cdk/bin/generative-ai-use-cases.ts b/packages/cdk/bin/generative-ai-use-cases.ts
@@ -7,6 +7,9 @@ import { createStacks } from '../lib/create-stacks';
 const app = new cdk.App();
 const params = getParams(app);
 if (params.tag?.key && params.tag?.value) {
-  cdk.Tags.of(app).add(params.tag.key, params.tag.value);
+  cdk.Tags.of(app).add(params.tag.key, params.tag.value, {
+    // Exclude OpenSearchServerless Collection from tagging
+    excludeResourceTypes: ['AWS::OpenSearchServerless::Collection'],
+  });
 }
 createStacks(app, params);
diff --git a/packages/cdk/custom-resources/apply-tags.js b/packages/cdk/custom-resources/apply-tags.js
@@ -0,0 +1,80 @@
+const AWS = require('aws-sdk');
+
+exports.handler = async (event, context) => {
+  console.log('Event:', JSON.stringify(event, null, 2));
+
+  try {
+    const { collectionId, region, tagsHash } = event.ResourceProperties;
+    const tags = JSON.parse(tagsHash);
+
+    // Skip for Delete operation
+    if (event.RequestType === 'Delete') {
+      return await sendResponse(event, context, 'SUCCESS', {}, 'ApplyTagsResource');
+    }
+
+    // Create OpenSearch Serverless client
+    const opensearchserverless = new AWS.OpenSearchServerless({ region });
+    const collectionArn = `arn:aws:aoss:${region}::collection/${collectionId}`;
+
+    // Convert tags to the required format
+    const tagList = Object.entries(tags).map(([Key, Value]) => ({ Key, Value }));
+
+    console.log(`Applying tags to collection ${collectionId}: ${JSON.stringify(tagList)}`);
+
+    // Apply tags
+    await opensearchserverless.tagResource({
+      resourceArn: collectionArn,
+      tags: tagList
+    }).promise();
+
+    console.log(`Successfully applied tags to ${collectionArn}`);
+
+    return await sendResponse(event, context, 'SUCCESS', {}, 'ApplyTagsResource');
+  } catch (error) {
+    console.error('Error:', error);
+    return await sendResponse(event, context, 'FAILED', {}, 'ApplyTagsResource');
+  }
+};
+
+// Function to send response to CloudFormation
+async function sendResponse(event, context, status, data, physicalId) {
+  const responseBody = JSON.stringify({
+    Status: status,
+    Reason: `See CloudWatch Log Stream: ${context.logStreamName}`,
+    PhysicalResourceId: physicalId || context.logStreamName,
+    StackId: event.StackId,
+    RequestId: event.RequestId,
+    LogicalResourceId: event.LogicalResourceId,
+    Data: data,
+  });
+
+  return await new Promise((resolve, reject) => {
+    const https = require('https');
+    const url = require('url');
+    const parsedUrl = url.parse(event.ResponseURL);
+
+    const options = {
+      hostname: parsedUrl.hostname,
+      port: 443,
+      path: parsedUrl.path,
+      method: 'PUT',
+      headers: {
+        'Content-Type': '',
+        'Content-Length': responseBody.length,
+      },
+    };
+
+    const request = https.request(options, (response) => {
+      console.log(`Status code: ${response.statusCode}`);
+      resolve();
+    });
+
+    request.on('error', (error) => {
+      console.log('send() error:', error);
+      resolve(); // Still resolve to avoid CF waiting
+    });
+
+    request.write(responseBody);
+    request.end();
+  });
+}
diff --git a/packages/cdk/lib/rag-knowledge-base-stack.ts b/packages/cdk/lib/rag-knowledge-base-stack.ts
@@ -146,6 +146,13 @@ export class RagKnowledgeBaseStack extends Stack {
       ragKnowledgeBaseBinaryVector,
       crossAccountBedrockRoleArn,
     } = props.params;
+
+    // Define the common tags to be applied to resources
+    const commonTags = {
+      CostCenter: 'DataAnalytics',
+      Project: 'GenAI',
+      Environment: env.toLowerCase(),
+    };
 
     if (typeof embeddingModelId !== 'string') {
       throw new Error(
@@ -192,6 +199,7 @@ export class RagKnowledgeBaseStack extends Stack {
       description: 'GenU Collection',
       type: 'VECTORSEARCH',
       standbyReplicas: ragKnowledgeBaseStandbyReplicas ? 'ENABLED' : 'DISABLED',
+      // Do not specify tags here to avoid CloudFormation replacement errors
     });
 
     const ossIndex = new OpenSearchServerlessIndex(this, 'OssIndex', {
@@ -290,6 +298,44 @@ export class RagKnowledgeBaseStack extends Stack {
     collection.node.addDependency(accessPolicy);
     collection.node.addDependency(networkPolicy);
     collection.node.addDependency(encryptionPolicy);
+
+    // Since we need to apply tags directly through AWS SDK instead of CloudFormation
+    // We'll use a custom resource to apply tags after the collection is created
+    // This avoids CloudFormation attempting to replace the collection when adding tags
+    if (Object.keys(commonTags).length > 0) {
+      // Add tag applier custom resource
+      const tagApplier = new lambda.SingletonFunction(this, 'TagApplier', {
+        runtime: LAMBDA_RUNTIME_NODEJS,
+        code: lambda.Code.fromAsset('custom-resources'),
+        handler: 'apply-tags.handler',
+        uuid: 'E2488E36-B465-4D1F-9D1C-89FB99F1CC01',
+        lambdaPurpose: 'ApplyTagsToResources',
+        timeout: cdk.Duration.minutes(5),
+      });
+
+      // Custom resource to apply tags after collection creation
+      const applyTagsResource = new cdk.CustomResource(this, 'ApplyTags', {
+        serviceToken: tagApplier.functionArn,
+        resourceType: 'Custom::ApplyTags',
+        properties: {
+          tagsHash: JSON.stringify(commonTags),
+          collectionId: collection.ref,
+          region: this.region,
+        },
+      });
+
+      // Ensure tag application happens after collection creation
+      applyTagsResource.node.addDependency(collection);
+
+      // Grant permissions to apply tags
+      tagApplier.addToRolePolicy(
+        new iam.PolicyStatement({
+          effect: iam.Effect.ALLOW,
+          resources: [`arn:aws:aoss:${this.region}:*:collection/${collection.ref}`],
+          actions: ['aoss:TagResource', 'aoss:ListTagsForResource'],
+        })
+      );
+    }
 
     const accessLogsBucket = new s3.Bucket(this, 'DataSourceAccessLogsBucket', {
       blockPublicAccess: s3.BlockPublicAccess.BLOCK_ALL,

diff --git a/packages/cdk/test/__snapshots__/generative-ai-use-cases.test.ts.snap b/packages/cdk/test/__snapshots__/generative-ai-use-cases.test.ts.snap
@@ -155,6 +155,114 @@ exports[`GenerativeAiUseCases matches the snapshot 2`] = `
       },
       "Type": "AWS::OpenSearchServerless::AccessPolicy",
     },
+    "ApplyTags": {
+      "DeletionPolicy": "Delete",
+      "DependsOn": [
+        "Collection",
+      ],
+      "Properties": {
+        "ServiceToken": {
+          "Fn::GetAtt": [
+            "ApplyTagsToResourcesE2488E36B4654D1F9D1C89FB99F1CC01E87E9E73",
+            "Arn",
+          ],
+        },
+        "collectionId": {
+          "Ref": "Collection",
+        },
+        "region": "us-east-1",
+        "tagsHash": "{"CostCenter":"DataAnalytics","Project":"GenAI","Environment":""}",
+      },
+      "Type": "Custom::ApplyTags",
+      "UpdateReplacePolicy": "Delete",
+    },
+    "ApplyTagsToResourcesE2488E36B4654D1F9D1C89FB99F1CC01E87E9E73": {
+      "DependsOn": [
+        "ApplyTagsToResourcesE2488E36B4654D1F9D1C89FB99F1CC01ServiceRoleDefaultPolicy0493DEDD",
+        "ApplyTagsToResourcesE2488E36B4654D1F9D1C89FB99F1CC01ServiceRole61085692",
+      ],
+      "Properties": {
+        "Code": {
+          "S3Bucket": "cdk-hnb659fds-assets-123456890123-us-east-1",
+          "S3Key": "HASH-REPLACED.zip",
+        },
+        "Handler": "apply-tags.handler",
+        "Role": {
+          "Fn::GetAtt": [
+            "ApplyTagsToResourcesE2488E36B4654D1F9D1C89FB99F1CC01ServiceRole61085692",
+            "Arn",
+          ],
+        },
+        "Runtime": "nodejs22.x",
+        "Timeout": 300,
+      },
+      "Type": "AWS::Lambda::Function",
+    },
+    "ApplyTagsToResourcesE2488E36B4654D1F9D1C89FB99F1CC01ServiceRole61085692": {
+      "Properties": {
+        "AssumeRolePolicyDocument": {
+          "Statement": [
+            {
+              "Action": "sts:AssumeRole",
+              "Effect": "Allow",
+              "Principal": {
+                "Service": "lambda.amazonaws.com",
+              },
+            },
+          ],
+          "Version": "2012-10-17",
+        },
+        "ManagedPolicyArns": [
+          {
+            "Fn::Join": [
+              "",
+              [
+                "arn:",
+                {
+                  "Ref": "AWS::Partition",
+                },
+                ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole",
+              ],
+            ],
+          },
+        ],
+      },
+      "Type": "AWS::IAM::Role",
+    },
+    "ApplyTagsToResourcesE2488E36B4654D1F9D1C89FB99F1CC01ServiceRoleDefaultPolicy0493DEDD": {
+      "Properties": {
+        "PolicyDocument": {
+          "Statement": [
+            {
+              "Action": [
+                "aoss:TagResource",
+                "aoss:ListTagsForResource",
+              ],
+              "Effect": "Allow",
+              "Resource": {
+                "Fn::Join": [
+                  "",
+                  [
+                    "arn:aws:aoss:us-east-1:*:collection/",
+                    {
+                      "Ref": "Collection",
+                    },
+                  ],
+                ],
+              },
+            },
+          ],
+          "Version": "2012-10-17",
+        },
+        "PolicyName": "ApplyTagsToResourcesE2488E36B4654D1F9D1C89FB99F1CC01ServiceRoleDefaultPolicy0493DEDD",
+        "Roles": [
+          {
+            "Ref": "ApplyTagsToResourcesE2488E36B4654D1F9D1C89FB99F1CC01ServiceRole61085692",
+          },
+        ],
+      },
+      "Type": "AWS::IAM::Policy",
+    },
     "Collection": {
       "DependsOn": [
         "AccessPolicy",