fix: update roles

aws-solutions-library-samples · Sep 11, 2024 · 5489c3a · 5489c3a
1 parent e25d168
commit 5489c3a
Show file tree

Hide file tree

Showing 8 changed files with 35 additions and 118 deletions.
diff --git a/lib/osml/model_endpoint/me_test_endpoints.ts b/lib/osml/model_endpoint/me_test_endpoints.ts
@@ -170,7 +170,7 @@ export class METestEndpointsConfig extends BaseConfig {
       BUILD_FROM_SOURCE: false,
       CONTAINER_BUILD_PATH: "lib/osml-models",
       CONTAINER_BUILD_TARGET: "osml_model",
-      CONTAINER_DOCKERFILE: "Dockerfile",
+      CONTAINER_DOCKERFILE: "docker/Dockerfile",
       CONTAINER_URI: "awsosml/osml-models:latest",
       DEPLOY_HTTP_AIRCRAFT_ENDPOINT: true,
       DEPLOY_SM_AIRCRAFT_ENDPOINT: true,

diff --git a/lib/osml/model_endpoint/roles/me_sm_role.ts b/lib/osml/model_endpoint/roles/me_sm_role.ts
@@ -12,7 +12,6 @@ import {
 } from "aws-cdk-lib/aws-iam";
 import { Construct } from "constructs";
 
-import { MRDataplaneConfig } from "../../model_runner/mr_dataplane";
 import { OSMLAccount } from "../../osml_account";
 
 /**
@@ -41,11 +40,6 @@ export class MESMRole extends Construct {
   public role: Role;
   public partition: string;
 
-  /**
-   * The Model Runner Dataplane Configuration values to be used for this MRTaskRole
-   */
-  public mrDataplaneConfig: MRDataplaneConfig = new MRDataplaneConfig();
-
   /**
    * Creates a SageMaker execution role for hosting CV models at a SageMaker endpoint.
    * @constructor
@@ -56,10 +50,6 @@ export class MESMRole extends Construct {
   constructor(scope: Construct, id: string, props: MESMRoleProps) {
     super(scope, id);
 
-    // Defining constants for better readability
-    const MR_SERVICE_LOG_GROUP_NAME = `/aws/${this.mrDataplaneConfig.CW_METRICS_NAMESPACE}/MRService`;
-    const MR_HTTPENDPOINT_LOG_GROUP_NAME = `/aws/${this.mrDataplaneConfig.CW_METRICS_NAMESPACE}/HTTPEndpoint`;
-
     // Determine the AWS partition based on the provided AWS region
     this.partition = region_info.Fact.find(
       props.account.region,
@@ -133,25 +123,36 @@ export class MESMRole extends Construct {
     const cwLogsPolicyStatement = new PolicyStatement({
       effect: Effect.ALLOW,
       actions: [
-        "logs:PutLogEvents",
-        "logs:GetLogEvents",
-        "logs:DescribeLogStreams",
-        "logs:DescribeLogGroups",
+        "logs:CreateLogDelivery",
+        "logs:CreateLogGroup",
         "logs:CreateLogStream",
-        "logs:CreateLogGroup"
+        "logs:DeleteLogDelivery",
+        "logs:Describe*",
+        "logs:GetLogEvents",
+        "logs:GetLogDelivery",
+        "logs:ListLogDeliveries",
+        "logs:PutLogEvents",
+        "logs:PutResourcePolicy",
+        "logs:UpdateLogDelivery"
       ],
       resources: [
-        `arn:${this.partition}:logs:${props.account.region}:${props.account.id}:log-group:${MR_HTTPENDPOINT_LOG_GROUP_NAME}:*`,
-        `arn:${this.partition}:logs:${props.account.region}:${props.account.id}:log-group:${MR_SERVICE_LOG_GROUP_NAME}:*`,
-        `arn:${this.partition}:logs:${props.account.region}:${props.account.id}:log-group:/aws/sagemaker/Endpoints/*`
+        `arn:${this.partition}:logs:${props.account.region}:${props.account.id}:log-group:*`
       ]
     });
 
+    // Add permissions to assume roles
+    const stsPolicyStatement = new PolicyStatement({
+      effect: Effect.ALLOW,
+      actions: ["sts:AssumeRole"],
+      resources: ["*"]
+    });
+
     smExecutionPolicy.addStatements(
       cwLogsPolicyStatement,
       ecrAuthPolicyStatement,
       ecrPolicyStatement,
-      ec2NetworkPolicyStatement
+      ec2NetworkPolicyStatement,
+      stsPolicyStatement
     );
 
     role.addManagedPolicy(smExecutionPolicy);

diff --git a/lib/osml/model_runner/mr_dataplane.ts b/lib/osml/model_runner/mr_dataplane.ts
@@ -156,13 +156,13 @@ export class MRDataplaneConfig extends BaseConfig {
 
   /**
    * The CPU configuration for MR containers.
-   * @default 7168
+   * @default 8192
    */
   public ECS_CONTAINER_CPU: number;
 
   /**
    * The memory configuration for MR containers.
-   * @default 10240
+   * @default 16384
    */
   public ECS_CONTAINER_MEMORY: number;
 
@@ -345,8 +345,8 @@ export class MRDataplaneConfig extends BaseConfig {
       ECS_AUTOSCALING_TASK_IN_INCREMENT: 8,
       ECS_AUTOSCALING_TASK_OUT_COOLDOWN: 3,
       ECS_AUTOSCALING_TASK_OUT_INCREMENT: 8,
-      ECS_CONTAINER_CPU: 7168,
-      ECS_CONTAINER_MEMORY: 10240,
+      ECS_CONTAINER_CPU: 8192,
+      ECS_CONTAINER_MEMORY: 16384,
       ECS_CONTAINER_NAME: "MRContainer",
       ECS_CLUSTER_NAME: "MRCluster",
       ECS_DEFAULT_DESIRE_COUNT: 1,

diff --git a/lib/osml/model_runner/roles/mr_execution_role.ts b/lib/osml/model_runner/roles/mr_execution_role.ts
@@ -15,7 +15,6 @@ import {
 import { Construct } from "constructs";
 
 import { OSMLAccount } from "../../osml_account";
-import { MRDataplaneConfig } from "../mr_dataplane";
 
 /**
  * Defines the properties required for creating an `MRExecutionRole`.
@@ -59,10 +58,6 @@ export class MRExecutionRole extends Construct {
   constructor(scope: Construct, id: string, props: MRExecutionRoleProps) {
     super(scope, id);
 
-    const serviceLogGroupName = `/aws/${
-      new MRDataplaneConfig().CW_METRICS_NAMESPACE
-    }/MRService`;
-
     this.partition = region_info.Fact.find(
       props.account.region,
       region_info.FactName.PARTITION
@@ -97,7 +92,7 @@ export class MRExecutionRole extends Construct {
           "logs:CreateLogGroup"
         ],
         resources: [
-          `arn:${this.partition}:logs:${props.account.region}:${props.account.id}:log-group:${serviceLogGroupName}:*`
+          `arn:${this.partition}:logs:${props.account.region}:${props.account.id}:log-group:*`
         ]
       })
     );

diff --git a/lib/osml/model_runner/roles/mr_task_role.ts b/lib/osml/model_runner/roles/mr_task_role.ts
@@ -14,7 +14,6 @@ import {
 import { Construct } from "constructs";
 
 import { OSMLAccount } from "../../osml_account";
-import { MRDataplaneConfig } from "../mr_dataplane";
 
 /**
  * Represents the properties required to define a model runner ECS task role.
@@ -51,11 +50,6 @@ export class MRTaskRole extends Construct {
    */
   public partition: string;
 
-  /**
-   * The Model Runner Dataplane Configuration values to be used for this MRTaskRole
-   */
-  public mrDataplaneConfig: MRDataplaneConfig = new MRDataplaneConfig();
-
   /**
    * Creates an MRTaskRole construct.
    * @param {Construct} scope - The scope/stack in which to define this construct.
@@ -72,29 +66,6 @@ export class MRTaskRole extends Construct {
       region_info.FactName.PARTITION
     )!;
 
-    // Defining constants for better readability
-    const SQS_IMAGE_REQUEST_QUEUE_NAME =
-      this.mrDataplaneConfig.SQS_IMAGE_REQUEST_QUEUE;
-    const SQS_REGION_REQUEST_QUEUE_NAME =
-      this.mrDataplaneConfig.SQS_REGION_REQUEST_QUEUE;
-    const SQS_IMAGE_STATUS_QUEUE_NAME =
-      this.mrDataplaneConfig.SQS_IMAGE_STATUS_QUEUE;
-    const SQS_REGION_STATUS_QUEUE_NAME =
-      this.mrDataplaneConfig.SQS_REGION_STATUS_QUEUE;
-    const SNS_TOPIC_IMAGE_NAME = this.mrDataplaneConfig.SNS_IMAGE_STATUS_TOPIC;
-    const SNS_TOPIC_REGION_NAME =
-      this.mrDataplaneConfig.SNS_REGION_STATUS_TOPIC;
-    const ECS_CLUSTER_NAME = this.mrDataplaneConfig.ECS_CLUSTER_NAME;
-    const DDB_JOB_STATUS_TABLE_NAME =
-      this.mrDataplaneConfig.DDB_JOB_STATUS_TABLE;
-    const DDB_FEATURES_TABLE_NAME = this.mrDataplaneConfig.DDB_FEATURES_TABLE;
-    const DDB_ENDPOINT_PROCESSING_TABLE_NAME =
-      this.mrDataplaneConfig.DDB_ENDPOINT_PROCESSING_TABLE;
-    const DDB_REGION_REQUEST_TABLE_NAME =
-      this.mrDataplaneConfig.DDB_REGION_REQUEST_TABLE;
-    const MR_SERVICE_LOG_GROUP_NAME = `/aws/${this.mrDataplaneConfig.CW_METRICS_NAMESPACE}/MRService`;
-    const MR_HTTPENDPOINT_LOG_GROUP_NAME = `/aws/${this.mrDataplaneConfig.CW_METRICS_NAMESPACE}/HTTPEndpoint`;
-
     // Create an AWS IAM role for the Model Runner Fargate ECS task
     const mrTaskRole = new Role(this, "MRTaskRole", {
       roleName: props.roleName,
@@ -158,14 +129,7 @@ export class MRTaskRole extends Construct {
         "sqs:GetQueueAttributes"
       ],
       resources: [
-        `arn:${this.partition}:sqs:${props.account.region}:${props.account.id}:${SQS_IMAGE_REQUEST_QUEUE_NAME}`,
-        `arn:${this.partition}:sqs:${props.account.region}:${props.account.id}:${SQS_REGION_REQUEST_QUEUE_NAME}`,
-        `arn:${this.partition}:sqs:${props.account.region}:${props.account.id}:${SQS_IMAGE_STATUS_QUEUE_NAME}`,
-        `arn:${this.partition}:sqs:${props.account.region}:${props.account.id}:${SQS_REGION_STATUS_QUEUE_NAME}`,
-        `arn:${this.partition}:sqs:${props.account.region}:${props.account.id}:${SQS_IMAGE_REQUEST_QUEUE_NAME}DLQ`,
-        `arn:${this.partition}:sqs:${props.account.region}:${props.account.id}:${SQS_REGION_REQUEST_QUEUE_NAME}DLQ`,
-        `arn:${this.partition}:sqs:${props.account.region}:${props.account.id}:${SQS_IMAGE_STATUS_QUEUE_NAME}DLQ`,
-        `arn:${this.partition}:sqs:${props.account.region}:${props.account.id}:${SQS_REGION_STATUS_QUEUE_NAME}DLQ`
+        `arn:${this.partition}:sqs:${props.account.region}:${props.account.id}:*`
       ]
     });
 
@@ -189,8 +153,7 @@ export class MRTaskRole extends Construct {
       effect: Effect.ALLOW,
       actions: ["sns:Publish"],
       resources: [
-        `arn:${this.partition}:sns:${props.account.region}:${props.account.id}:${SNS_TOPIC_IMAGE_NAME}`,
-        `arn:${this.partition}:sns:${props.account.region}:${props.account.id}:${SNS_TOPIC_REGION_NAME}`
+        `arn:${this.partition}:sns:${props.account.region}:${props.account.id}:*`
       ]
     });
 
@@ -210,10 +173,7 @@ export class MRTaskRole extends Construct {
         "dynamodb:UpdateTable"
       ],
       resources: [
-        `arn:${this.partition}:dynamodb:${props.account.region}:${props.account.id}:table/${DDB_JOB_STATUS_TABLE_NAME}`,
-        `arn:${this.partition}:dynamodb:${props.account.region}:${props.account.id}:table/${DDB_FEATURES_TABLE_NAME}`,
-        `arn:${this.partition}:dynamodb:${props.account.region}:${props.account.id}:table/${DDB_ENDPOINT_PROCESSING_TABLE_NAME}`,
-        `arn:${this.partition}:dynamodb:${props.account.region}:${props.account.id}:table/${DDB_REGION_REQUEST_TABLE_NAME}`
+        `arn:${this.partition}:dynamodb:${props.account.region}:${props.account.id}:*`
       ]
     });
 
@@ -222,8 +182,7 @@ export class MRTaskRole extends Construct {
       effect: Effect.ALLOW,
       actions: ["ecs:DescribeServices", "ecs:UpdateService"],
       resources: [
-        `arn:${this.partition}:ecs:${props.account.region}:${props.account.id}:cluster/${ECS_CLUSTER_NAME}`,
-        `arn:${this.partition}:ecs:${props.account.region}:${props.account.id}:service/${ECS_CLUSTER_NAME}/*`
+        `arn:${this.partition}:ecs:${props.account.region}:${props.account.id}:*`
       ]
     });
 
@@ -239,9 +198,7 @@ export class MRTaskRole extends Construct {
         "logs:CreateLogGroup"
       ],
       resources: [
-        `arn:${this.partition}:logs:${props.account.region}:${props.account.id}:log-group:${MR_SERVICE_LOG_GROUP_NAME}:*`,
-        `arn:${this.partition}:logs:${props.account.region}:${props.account.id}:log-group:${MR_HTTPENDPOINT_LOG_GROUP_NAME}:*`,
-        `arn:${this.partition}:logs:${props.account.region}:${props.account.id}:log-group:/aws/sagemaker/Endpoints/*`
+        `arn:${this.partition}:logs:${props.account.region}:${props.account.id}:log-group:*`
       ]
     });
 
@@ -258,7 +215,6 @@ export class MRTaskRole extends Construct {
       actions: [
         "sagemaker:ListEndpointConfigs",
         "sagemaker:DescribeEndpointConfig",
-        "sagemaker:UpdateEndpoint",
         "sagemaker:InvokeEndpoint",
         "sagemaker:DescribeEndpoint",
         "sagemaker:ListEndpoints",
@@ -269,13 +225,7 @@ export class MRTaskRole extends Construct {
         "sagemaker:DescribeModelPackageGroup",
         "sagemaker:BatchDescribeModelPackage",
         "sagemaker:ListModelMetadata",
-        "sagemaker:DeleteEndpoint",
-        "sagemaker:CreateModel",
-        "sagemaker:CreateEndpoint",
-        "sagemaker:CreateEndpointConfig",
         "sagemaker:BatchGetRecord",
-        "sagemaker:DeleteEndpointConfig",
-        "sagemaker:UpdateEndpoint",
         "sagemaker:BatchGetMetrics",
         "sagemaker:BatchPutMetrics"
       ],

diff --git a/lib/osml/tile_server/roles/ts_execution_role.ts b/lib/osml/tile_server/roles/ts_execution_role.ts
@@ -14,7 +14,6 @@ import {
 import { Construct } from "constructs";
 
 import { OSMLAccount } from "../../osml_account";
-import { TSDataplaneConfig } from "../ts_dataplane";
 
 /**
  * Represents the properties required to define a Tile Server ECS execution role.
@@ -51,11 +50,6 @@ export class TSExecutionRole extends Construct {
    */
   public partition: string;
 
-  /**
-   * The Tile Server Container Configuration values to be used for this TSExecutionRole
-   */
-  public tsDataplaneConfig: TSDataplaneConfig = new TSDataplaneConfig();
-
   /**
    * Creates an TSExecutionRole construct.
    * @param {Construct} scope - The scope/stack in which to define this construct.
@@ -72,9 +66,6 @@ export class TSExecutionRole extends Construct {
       region_info.FactName.PARTITION
     )!;
 
-    // Defining constants for better readability
-    const TS_LOG_GROUP_NAME = `/aws/${this.tsDataplaneConfig.ECS_METRICS_NAMESPACE}/${this.tsDataplaneConfig.CW_LOGGROUP_NAME}`;
-
     // Create an AWS IAM role for the Tile Server Fargate ECS execution role
     const tsExecutionRole = new Role(this, "TSExecutionRole", {
       roleName: props.roleName,
@@ -122,7 +113,7 @@ export class TSExecutionRole extends Construct {
         "logs:CreateLogGroup"
       ],
       resources: [
-        `arn:${this.partition}:logs:${props.account.region}:${props.account.id}:log-group:${TS_LOG_GROUP_NAME}*`
+        `arn:${this.partition}:logs:${props.account.region}:${props.account.id}:*`
       ]
     });
 

diff --git a/lib/osml/tile_server/roles/ts_lambda_role.ts b/lib/osml/tile_server/roles/ts_lambda_role.ts
@@ -15,7 +15,6 @@ import {
 import { Construct } from "constructs";
 
 import { OSMLAccount } from "../../osml_account";
-import { TSDataplaneConfig } from "../ts_dataplane";
 
 /**
  * Represents the properties required to define a tile server lambda sweeper role.
@@ -52,11 +51,6 @@ export class TSLambdaRole extends Construct {
    */
   public partition: string;
 
-  /**
-   * The TSDataplane Configuration class to be used for TSLambdaRole.
-   */
-  public tsDataplaneConfig: TSDataplaneConfig = new TSDataplaneConfig();
-
   /**
    * Creates an TSLambdaRole construct.
    * @param {Construct} scope - The scope/stack in which to define this construct.
@@ -67,9 +61,6 @@ export class TSLambdaRole extends Construct {
   constructor(scope: Construct, id: string, props: TSLambdaRoleProps) {
     super(scope, id);
 
-    // Defining constants for better readability
-    const DDB_JOB_TABLE_NAME = this.tsDataplaneConfig.DDB_JOB_TABLE;
-
     // Determine the AWS partition based on the provided AWS region
     this.partition = region_info.Fact.find(
       props.account.region,
@@ -95,7 +86,7 @@ export class TSLambdaRole extends Construct {
       effect: Effect.ALLOW,
       actions: ["dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:UpdateItem"],
       resources: [
-        `arn:${this.partition}:dynamodb:${props.account.region}:${props.account.id}:table/${DDB_JOB_TABLE_NAME}`
+        `arn:${this.partition}:dynamodb:${props.account.region}:${props.account.id}:*`
       ]
     });
 

diff --git a/lib/osml/tile_server/roles/ts_task_role.ts b/lib/osml/tile_server/roles/ts_task_role.ts
@@ -16,7 +16,6 @@ import {
 import { Construct } from "constructs";
 
 import { OSMLAccount } from "../../osml_account";
-import { TSDataplaneConfig } from "../ts_dataplane";
 
 /**
  * Represents the properties required to define a model runner ECS task role.
@@ -53,11 +52,6 @@ export class TSTaskRole extends Construct {
    */
   public partition: string;
 
-  /**
-   * The TSDataplane Configuration class to be used for TSLambdaRole.
-   */
-  public tsDataplaneConfig: TSDataplaneConfig = new TSDataplaneConfig();
-
   /**
    * Creates an TSTaskRole construct.
    * @param {Construct} scope - The scope/stack in which to define this construct.
@@ -68,10 +62,6 @@ export class TSTaskRole extends Construct {
   constructor(scope: Construct, id: string, props: TSTaskRoleProps) {
     super(scope, id);
 
-    // Defining constants for better readability
-    const DDB_JOB_TABLE_NAME = this.tsDataplaneConfig.DDB_JOB_TABLE;
-    const SQS_JOB_QUEUE_NAME = this.tsDataplaneConfig.SQS_JOB_QUEUE;
-
     // Determine the AWS partition based on the provided AWS region
     this.partition = region_info.Fact.find(
       props.account.region,
@@ -105,7 +95,7 @@ export class TSTaskRole extends Construct {
         "dynamodb:DescribeTable"
       ],
       resources: [
-        `arn:${this.partition}:dynamodb:${props.account.region}:${props.account.id}:table/${DDB_JOB_TABLE_NAME}`
+        `arn:${this.partition}:dynamodb:${props.account.region}:${props.account.id}:*`
       ]
     });
 
@@ -120,8 +110,7 @@ export class TSTaskRole extends Construct {
         "sqs:ListQueues"
       ],
       resources: [
-        `arn:${this.partition}:sqs:${props.account.region}:${props.account.id}:${SQS_JOB_QUEUE_NAME}`,
-        `arn:${this.partition}:sqs:${props.account.region}:${props.account.id}:${SQS_JOB_QUEUE_NAME}DLQ`
+        `arn:${this.partition}:sqs:${props.account.region}:${props.account.id}:*`
       ]
     });