feat(stepfunctions-tasks): bedrock createModelCustomizationJob integration #31913

Open
wants to merge 75 commits into
base: main
Changes from 1 commit
75 commits
a976a46
feat: add createModelCustomizationJob class
badmintoncryer Feb 8, 2024
79dfc84
test: add integ test
badmintoncryer Feb 8, 2024
3798cb7
test: integ test
badmintoncryer Feb 8, 2024
8a5d70d
fix: permission
badmintoncryer Feb 9, 2024
bde1a4f
test: update integ test
badmintoncryer Feb 9, 2024
3aa76b6
test: update integ test
badmintoncryer Feb 9, 2024
dfa9f8c
docs: readme
badmintoncryer Feb 9, 2024
8686dcc
fix: jsii problem
badmintoncryer Feb 10, 2024
e5d3e3f
test: add unit test
badmintoncryer Feb 10, 2024
e6d6e37
test: add unit test
badmintoncryer Feb 10, 2024
b661fad
chore: add default docs
badmintoncryer Feb 10, 2024
b7a8345
fix: iam policy and update comments
badmintoncryer Apr 1, 2024
548c706
chore: remove space
badmintoncryer Apr 1, 2024
0351161
docs: update readme
badmintoncryer Apr 1, 2024
a414a5a
test: update integ test
badmintoncryer Apr 2, 2024
c034b66
test: fix unit test
badmintoncryer Apr 2, 2024
509203a
docs: fix readme
badmintoncryer Apr 2, 2024
83bcf27
fix: readme
badmintoncryer Apr 2, 2024
9568cba
Update packages/aws-cdk-lib/aws-stepfunctions-tasks/lib/bedrock/creat…
badmintoncryer Apr 4, 2024
a4831da
Update packages/aws-cdk-lib/aws-stepfunctions-tasks/lib/bedrock/creat…
badmintoncryer Apr 4, 2024
41a0b71
Update packages/aws-cdk-lib/aws-stepfunctions-tasks/lib/bedrock/creat…
badmintoncryer Apr 4, 2024
d591952
fix: iam policy
badmintoncryer Apr 7, 2024
102067e
test: fix test
badmintoncryer Apr 7, 2024
fb63238
fix: unit test
badmintoncryer Apr 7, 2024
41370b6
docs: update readme
badmintoncryer Apr 8, 2024
b91224a
test: update integ test (temp)
badmintoncryer Apr 8, 2024
f921e0e
fix: remove principal
badmintoncryer Apr 8, 2024
caf77fd
fix: integ test
badmintoncryer Apr 8, 2024
5caff6f
chore: remove unnecessary line
badmintoncryer Apr 8, 2024
3a65136
chore: update integ test
badmintoncryer Apr 8, 2024
8b54f06
fix: add key policy
badmintoncryer Apr 9, 2024
423dd4b
test: update integ test
badmintoncryer Apr 9, 2024
bd13141
test: add snapshot
badmintoncryer Apr 9, 2024
3b035c0
feat: validate existence of s3 vpc endpoint
badmintoncryer Apr 12, 2024
e826b0f
fix: subnet specification
badmintoncryer Apr 12, 2024
3e141ab
chore: refactor
badmintoncryer Apr 12, 2024
90f4fca
Update packages/aws-cdk-lib/aws-stepfunctions-tasks/lib/bedrock/creat…
badmintoncryer Apr 13, 2024
58d8e7d
Update packages/aws-cdk-lib/aws-stepfunctions-tasks/lib/bedrock/creat…
badmintoncryer Apr 13, 2024
9368362
chore: from vpcConfig to vpc
badmintoncryer Apr 13, 2024
46af288
fix: unit test
badmintoncryer Apr 13, 2024
b02a71d
test: update integ test
badmintoncryer Apr 13, 2024
6fee400
fix: readme
badmintoncryer Apr 13, 2024
293c392
feat: use vpcConfig instead of vpc
badmintoncryer Apr 14, 2024
67acafe
test: update integ test
badmintoncryer Apr 14, 2024
ea3c9af
feat: remove vpc props from vpcConfig
badmintoncryer Apr 14, 2024
a7aff64
test: update integ test
badmintoncryer Apr 14, 2024
c5fcd41
Update packages/aws-cdk-lib/aws-stepfunctions-tasks/lib/bedrock/creat…
badmintoncryer Apr 14, 2024
f33659a
Update packages/aws-cdk-lib/aws-stepfunctions-tasks/lib/bedrock/creat…
badmintoncryer Apr 14, 2024
8639c66
Update packages/aws-cdk-lib/aws-stepfunctions-tasks/lib/bedrock/creat…
badmintoncryer Apr 14, 2024
377e00c
Update packages/aws-cdk-lib/aws-stepfunctions-tasks/lib/bedrock/creat…
badmintoncryer Apr 14, 2024
f07163f
fix: readme
badmintoncryer Apr 14, 2024
4ba01ba
Update packages/aws-cdk-lib/aws-stepfunctions-tasks/lib/bedrock/creat…
badmintoncryer Apr 14, 2024
fd5b087
chore: use grant method
badmintoncryer Apr 25, 2024
18e8f23
Revert "chore: use grant method"
badmintoncryer Apr 25, 2024
4d79d75
update snapshots
badmintoncryer Jul 4, 2024
51e8280
Merge remote-tracking branch 'origin/main' into createModelCustomizat…
badmintoncryer Jul 11, 2024
65a0dad
update snapshot
badmintoncryer Jul 14, 2024
1c68985
Merge branch 'main' into createModelCustomizationJob
badmintoncryer Jul 14, 2024
22ab29d
Merge branch 'main' into createModelCustomizationJob
badmintoncryer Jul 20, 2024
066b0d5
fix unit test
badmintoncryer Jul 20, 2024
7694a20
Merge branch 'main' into createModelCustomizationJob
badmintoncryer Jul 28, 2024
5647ea2
Merge branch 'main' into createModelCustomizationJob
badmintoncryer Aug 7, 2024
2ac1f5c
Merge branch 'main' into createModelCustomizationJob
badmintoncryer Aug 14, 2024
09240f4
Merge branch 'main' into createModelCustomizationJob
badmintoncryer Aug 23, 2024
3697bf6
Merge branch 'main' into createModelCustomizationJob
badmintoncryer Oct 24, 2024
c209f7f
Merge branch 'main' into createModelCustomizationJob
badmintoncryer Oct 26, 2024
baff6fc
Merge branch 'main' into createModelCustomizationJob
badmintoncryer Oct 28, 2024
ce714e8
Merge branch 'main' into createModelCustomizationJob
badmintoncryer Oct 29, 2024
684c475
Merge branch 'main' into createModelCustomizationJob
badmintoncryer Nov 6, 2024
8fa1b48
Merge branch 'main' into createModelCustomizationJob
badmintoncryer Nov 27, 2024
ac37e8d
Merge branch 'main' into createModelCustomizationJob
badmintoncryer Nov 28, 2024
0a05f2e
update
badmintoncryer Dec 18, 2024
7493c0b
update unit test
badmintoncryer Dec 18, 2024
87f8370
update snapshot
badmintoncryer Dec 21, 2024
068c110
Merge branch 'main' into createModelCustomizationJob
badmintoncryer Jan 13, 2025
fix: iam policy and update comments
badmintoncryer committed Jul 4, 2024
commit b7a8345c63918854112aeda02f774eddbd721a30
@@ -47,10 +47,14 @@ export interface ITag {
export interface IBedrockCreateModelCustomizationJobVpcConfig {
/**
* VPC configuration security groups
*
* The maximum number of security groups is 5.
*/
readonly securityGroups: ec2.ISecurityGroup[];
/**
* VPC configuration subnets
*
* The maximum number of subnets is 16.
*/
readonly subnets: ec2.ISubnet[];
}
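Review bot: The limits added to the doc comments on `securityGroups` (5) and `subnets` (16) are stated, but nothing in this commit shows them being enforced. The class already has `validateArrayLength`, so call it for both arrays and let an over-long list fail at synth time instead of at the Bedrock API call. Separately, this interface holds only readonly data, and jsii treats `I`-prefixed interfaces as behavioral interfaces rather than structs, so consider dropping the prefix (`BedrockCreateModelCustomizationJobVpcConfig`).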
@@ -63,37 +67,48 @@ export interface BedrockCreateModelCustomizationJobProps extends sfn.TaskStateBa
* The base model.
*/
readonly baseModel: bedrock.IModel;

/**
* A unique, case-sensitive identifier to ensure that the API request completes no more than one time.
* If this token matches a previous request, Amazon Bedrock ignores the request, but does not return an error.
*
* The maximum length is 256 characters and it needs to satisfy the regular expression ^[a-zA-Z0-9](-*[a-zA-Z0-9])*$.
* @see https://docs.aws.amazon.com/AWSEC2/latest/APIReference/Run_Instance_Idempotency.html
*
* @default - no client request token
*/
readonly clientRequestToken?: string;

/**
* The customization type.
*
* @default FINE_TUNING
*/
readonly customizationType?: CustomizationType;

/**
* The custom model is encrypted at rest using this key.
*
* @default - no encryption
Contributor review comment:

From the linked docs: "By default, Amazon Bedrock encrypts custom models with AWS owned keys." Can we specify that as the default here?

*/
readonly kmsKey?: kms.IKey;
readonly customModelKmsKey?: kms.IKey;

/**
* A name for the resulting custom model.
*
* The maximum length is 63 characters and it needs to satisfy the regular expression ^([0-9a-zA-Z][_-]?)+$.
*/
readonly customModelName: string;

/**
* Tags to attach to the resulting custom model.
*
* The maximum number of tags is 200.
*
* @default - no tags
*/
readonly customModelTags?: ITag[];

/**
* Parameters related to tuning the model.
*
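Review bot: `@default - no encryption` on `customModelKmsKey` tells users that omitting the key leaves the custom model unencrypted, which is the wrong message for a security-relevant prop; as the inline comment notes, the linked docs say Bedrock encrypts custom models with AWS owned keys by default. Suggest `@default - encrypted with an AWS owned key`. Also, the `@see` under `clientRequestToken` points at the EC2 `Run_Instance_Idempotency` page; link the Bedrock API reference instead.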
@@ -102,44 +117,56 @@ export interface BedrockCreateModelCustomizationJobProps extends sfn.TaskStateBa
* @default - use default hyperparameters
*/
readonly hyperParameters?: { [key: string]: string };

/**
* A name for the fine-tuning job.
*
* The maximum length is 63 characters and it needs to satisfy the regular expression ^[a-zA-Z0-9](-*[a-zA-Z0-9\+\-\.])*$.
*/
readonly jobName: string;

/**
* Tags to attach to the job.
* The maximum number of tags is 200.
*
* @default - no tags
*/
readonly jobTags?: ITag[];

/**
* The S3 URI where the output data is stored.
*
* @see https://docs.aws.amazon.com/bedrock/latest/APIReference/API_OutputDataConfig.html
*/
readonly outputDataS3Uri: string;

/**
* The IAM role that Amazon Bedrock can assume to perform tasks on your behalf.
*
* For example, during model training, Amazon Bedrock needs your permission to read input data from an S3 bucket,
* write model artifacts to an S3 bucket.
* To pass this role to Amazon Bedrock, the caller of this API must have the iam:PassRole permission.
*
* @default - use auto generated role
*/
readonly role?: iam.IRole;

/**
Contributor review comment:

While I like the simplified BucketConfiguration interface here, I see that TrainingDataConfig already differs from ValidationDataConfig and OutputDataConfig with additional prop invocationLogsConfig.

To avoid making breaking changes in the future in case new sub-properties are added, can we make a base interface BucketConfiguration (maybe called DataBucketConfiguration) and create interfaces extending it for each of outputData, trainingData and validationData?

* The S3 URI where the training data is stored.
*
* @see https://docs.aws.amazon.com/bedrock/latest/APIReference/API_TrainingDataConfig.html
*/
readonly trainingDataS3Uri: string;

/**
* The S3 URI where the validation data is stored.
*
* The maximum number of validation data S3 URIs is 10.
*
* @see https://docs.aws.amazon.com/bedrock/latest/APIReference/API_Validator.html
*/
readonly validationDataS3Uri: string[];
/**
* The IAM role that Amazon Bedrock can assume to perform tasks on your behalf.
*
* For example, during model training, Amazon Bedrock needs your permission to read input data from an S3 bucket,
* write model artifacts to an S3 bucket.
* To pass this role to Amazon Bedrock, the caller of this API must have the iam:PassRole permission.
*
* @default - use auto generated role
*/
readonly role?: iam.IRole;

/**
* Configuration parameters for the private Virtual Private Cloud (VPC) that contains the resources you are using for this job.
*
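Review bot: `validationDataS3Uri` is typed `string[]` but named in the singular, and its documented limit of 10 URIs exists only as a comment. Rename it to a plural form before the API is released and check the length with `validateArrayLength`. The three S3 URI props are also free-form strings; a check that each starts with `s3://` would catch a bare bucket name at synth time.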
@@ -158,8 +185,8 @@ export class BedrockCreateModelCustomizationJob extends sfn.TaskStateBase {
sfn.IntegrationPattern.RUN_JOB,
];

protected readonly taskMetrics: sfn.TaskMetricsConfig | undefined;
protected readonly taskPolicies: iam.PolicyStatement[] | undefined;
protected readonly taskMetrics?: sfn.TaskMetricsConfig;
protected readonly taskPolicies?: iam.PolicyStatement[];

private readonly integrationPattern: sfn.IntegrationPattern;
private _role: iam.IRole;
@@ -193,6 +220,11 @@ export class BedrockCreateModelCustomizationJob extends sfn.TaskStateBase {
return this._role;
}

/**
* Configure the IAM role for the bedrock create model customization job
*
* @see https://docs.aws.amazon.com/bedrock/latest/userguide/model-customization-code-samples.html
*/
private renderBedrockCreateModelCustomizationJobRole(): iam.IRole {
if (this.props.role) {
return this.props.role;
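Review bot: The new doc comment on `renderBedrockCreateModelCustomizationJobRole` does not mention the early return: when `props.role` is set the method hands it back untouched (`if (this.props.role) { return this.props.role;`), so whatever this method would otherwise attach to a generated role is skipped. Say so here and in the `role` prop docs, so a caller who supplies a role knows it must already carry the permissions the job needs.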
@@ -214,57 +246,57 @@ export class BedrockCreateModelCustomizationJob extends sfn.TaskStateBase {
],
resources: ['*'],
}),
] : []),
new iam.PolicyStatement({
actions: ['ec2:CreateNetworkInterface'],
resources: [
stack.formatArn({
new iam.PolicyStatement({
actions: ['ec2:CreateNetworkInterface'],
resources: [
stack.formatArn({
service: 'ec2',
resource: 'network-interface',
resourceName: '*',
}),
stack.formatArn({
service: 'ec2',
resource: 'security-group',
resourceName: '*',
}),
stack.formatArn({
service: 'ec2',
resource: 'subnet',
resourceName: '*',
}),
],
}),
new iam.PolicyStatement({
actions: ['ec2:CreateTags'],
resources: [stack.formatArn({
service: 'ec2',
resource: 'network-interface',
resourceName: '*',
}),
stack.formatArn({
service: 'ec2',
resource: 'security-group',
resourceName: '*',
}),
stack.formatArn({
service: 'ec2',
resource: 'subnet',
resourceName: '*',
}),
],
}),
new iam.PolicyStatement({
actions: ['ec2:CreateTags'],
resources: [stack.formatArn({
service: 'ec2',
resource: 'network-interface',
resourceName: '*',
})],
conditions: {
StringEquals: {
'ec2:CreateAction': 'CreateNetworkInterface',
})],
conditions: {
StringEquals: {
'ec2:CreateAction': 'CreateNetworkInterface',
},
},
},
}),
new iam.PolicyStatement({
actions: [
'ec2:CreateNetworkInterfacePermission',
'ec2:DeleteNetworkInterface',
'ec2:DeleteNetworkInterfacePermission',
],
resources: ['*'],
conditions: {
StringEquals: {
'ec2:Subnet': [
...(this.props.vpcConfig
? this.props.vpcConfig.subnets.map((subnet) => subnet.subnetId)
: []),
],
}),
new iam.PolicyStatement({
actions: [
'ec2:CreateNetworkInterfacePermission',
'ec2:DeleteNetworkInterface',
'ec2:DeleteNetworkInterfacePermission',
],
resources: ['*'],
conditions: {
StringEquals: {
'ec2:Subnet': [
...(this.props.vpcConfig
? this.props.vpcConfig.subnets.map((subnet) => subnet.subnetId)
: []),
],
},
},
},
}),
}),
] : []),
new iam.PolicyStatement({
actions: ['s3:GetObject'],
resources: [
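Review bot: In the last VPC statement the `ec2:Subnet` condition is filled with `subnet.subnetId`, but `ec2:Subnet` is an ARN-valued condition key, so a bare subnet ID never matches and the Allow for `ec2:CreateNetworkInterfacePermission`, `ec2:DeleteNetworkInterface` and `ec2:DeleteNetworkInterfacePermission` never applies. Build the values with `stack.formatArn({ service: 'ec2', resource: 'subnet', resourceName: subnet.subnetId })`. The `ec2:CreateNetworkInterface` statement could be tightened the same way: it lists `security-group/*` and `subnet/*` although `vpcConfig` already names the exact security groups and subnets.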
@@ -309,12 +341,12 @@ export class BedrockCreateModelCustomizationJob extends sfn.TaskStateBase {
actions: ['iam:PassRole'],
resources: [this._role.roleArn],
}),
...(this.props.kmsKey
...(this.props.customModelKmsKey
? [
new iam.PolicyStatement({
// TODO - this should be more specific
actions: ['kms:*'],
resources: [this.props.kmsKey.keyArn],
resources: [this.props.customModelKmsKey.keyArn],
}),
]
: []),
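Review bot: `actions: ['kms:*']` is still shipped behind a TODO; even scoped to one key ARN, it gives the principal this statement is attached to key administration (policy changes, disabling, scheduling deletion) along with the cryptographic operations. Resolve the TODO in this PR by listing only the KMS actions the customization job actually uses on `customModelKmsKey`, or by going through the key's grant methods.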
@@ -324,19 +356,19 @@ export class BedrockCreateModelCustomizationJob extends sfn.TaskStateBase {

private validateStringLength(name: string, min: number, max: number, value?: string): void {
if (value !== undefined && !Token.isUnresolved(value) && (value.length < min || value.length > max)) {
throw new Error(`${name} must be between ${min} and ${max} characters long`);
throw new Error(`${name} must be between ${min} and ${max} characters long, got: ${value.length}`);
}
}

private validatePattern(name: string, pattern: RegExp, value?: string): void {
if (value !== undefined && !Token.isUnresolved(value) && !pattern.test(value)) {

Check failure: Code scanning / CodeQL

Polynomial regular expression used on uncontrolled data (High)

This regular expression that depends on library input may run slow on strings starting with '0' and with many repetitions of '-'.
throw new Error(`${name} must match the pattern ${pattern.toString()}`);
throw new Error(`${name} must match the pattern ${pattern.toString()}, got: ${value}`);
}
}

private validateArrayLength(name: string, min: number, max: number, value?: any[]): void {
if (value !== undefined && (value.length < min || value.length > max)) {
throw new Error(`${name} must be between ${min} and ${max} items long`);
throw new Error(`${name} must be between ${min} and ${max} items long, got: ${value.length}`);
}
}
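Review bot: The CodeQL alert on `pattern.test(value)` in `validatePattern` is left open by this commit. The `jobName` pattern documented above, `^[a-zA-Z0-9](-*[a-zA-Z0-9\+\-\.])*$`, has `-*` followed by a class that itself contains `-`, so a run of dashes can be split in many ways and a non-matching input backtracks through all of them. `^[a-zA-Z0-9][a-zA-Z0-9+.\-]*$` accepts the same strings without the ambiguity, and calling `validateStringLength` before `validatePattern` bounds the input as well. The new `got: ${value}` suffix also puts the raw value into the error message, which is fine for names but worth remembering if this helper is later reused for sensitive props.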

@@ -370,7 +402,7 @@ export class BedrockCreateModelCustomizationJob extends sfn.TaskStateBase {
BaseModelIdentifier: this.props.baseModel.modelArn,
ClientRequestToken: this.props.clientRequestToken,
CustomizationType: this.props.customizationType,
CustomModelKmsKeyId: this.props.kmsKey?.keyArn,
CustomModelKmsKeyId: this.props.customModelKmsKey?.keyArn,
CustomModelName: this.props.customModelName,
CustomModelTags: this.props.customModelTags?.map((tag) => ({ Key: tag.key, Value: tag.value })),
HyperParameters: this.props.hyperParameters,