From 548f1b00a34de661b44024e143b79c8a71140568 Mon Sep 17 00:00:00 2001 From: Madhu Nunna Date: Thu, 5 Mar 2026 10:36:30 -0800 Subject: [PATCH] fix: prevent OSS policy name exceeding 32-char limit When policy_suffix defaulted to kb_name, policy names were constructed as '{kb_name}-sp-{kb_name}', doubling the name and exceeding the 32-char OpenSearch Serverless limit. Fix uses self.suffix (already generated for uniqueness) as the default policy_suffix, and truncates the kb_name prefix in policy names to guarantee all generated names stay within the 32-char constraint. Fixes #582
---
 .../utils/knowledge_base_helper.py | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/rag/bedrock-prompt-flow-kb-rag-app/utils/knowledge_base_helper.py b/rag/bedrock-prompt-flow-kb-rag-app/utils/knowledge_base_helper.py
index 6a84d2ef9..1f53cb61e 100644
--- a/rag/bedrock-prompt-flow-kb-rag-app/utils/knowledge_base_helper.py
+++ b/rag/bedrock-prompt-flow-kb-rag-app/utils/knowledge_base_helper.py
@@ -103,7 +103,10 @@ def create_or_retrieve_knowledge_base(
 """
 kb_id = None
 ds_id = None
- policy_suffix = policy_suffix or kb_name.lower()
+ policy_suffix = policy_suffix or str(self.suffix)
+ # OSS security policy names must be <= 32 chars. Pattern is "{prefix}-sp-{suffix}" (4 chars overhead).
+ # Truncate kb_name prefix used in policy names only; the actual KB name passed to Bedrock is unchanged.
+ kb_name_prefix = kb_name[:32 - 4 - len(policy_suffix)]
 kbs_available = self.bedrock_agent_client.list_knowledge_bases(
 maxResults=100,
 )
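Review bot: The slice bound in `kb_name[:32 - 4 - len(policy_suffix)]` is never checked, although `policy_suffix` can still be supplied by the caller. With a 28-character suffix the prefix is empty and the name begins with `-sp-`; with a longer one the bound goes negative, so Python trims characters from the end of `kb_name` instead and the result is still over 32 characters. Computing the bound first, `prefix_len = 32 - 4 - len(policy_suffix)`, and rejecting it with `if prefix_len < 1: raise ValueError("policy_suffix too long for a 32-char OSS policy name")` would fail here rather than at the OpenSearch Serverless call. The function body continues outside the hunk.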
@@ -133,9 +136,9 @@ def create_or_retrieve_knowledge_base(
 valid_embeddings_str = str(valid_embedding_models)
 raise ValueError(f"Invalid embedding model. Your embedding model should be one of {valid_embeddings_str}")
 # self.embedding_model = embedding_model
- encryption_policy_name = f"{kb_name}-sp-{policy_suffix}"
- network_policy_name = f"{kb_name}-np-{policy_suffix}"
- access_policy_name = f'{kb_name}-ap-{policy_suffix}'
+ encryption_policy_name = f"{kb_name_prefix}-sp-{policy_suffix}"
+ network_policy_name = f"{kb_name_prefix}-np-{policy_suffix}"
+ access_policy_name = f'{kb_name_prefix}-ap-{policy_suffix}'
 kb_execution_role_name = f'AmazonBedrockExecutionRoleForKnowledgeBase_{policy_suffix}'
 fm_policy_name = f'AmazonBedrockFoundationModelPolicyForKnowledgeBase_{policy_suffix}'
 s3_policy_name = f'AmazonBedrockS3PolicyForKnowledgeBase_{policy_suffix}'
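Review bot: Once the prefix is truncated, `encryption_policy_name`, `network_policy_name` and `access_policy_name` are unique only through `policy_suffix`, so two knowledge bases whose names share their leading characters and are given the same explicit suffix now resolve to the same three policy names. What the function does when a policy of that name already exists lies outside this hunk, but if it reuses it, the data access policy of one knowledge base would silently apply to the other. That dependency deserves a comment above the three assignments, for example `# kb_name_prefix is truncated: policy-name uniqueness rests on policy_suffix alone`. The IAM names in the context lines below also pick up the new default, so roles and policies created under the old `kb_name.lower()` default are presumably no longer matched and may be left behind.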