From 5489c3ad97ad77d4466439427cc680779df4bc31 Mon Sep 17 00:00:00 2001 From: drduh Date: Wed, 11 Sep 2024 18:05:02 +0000 Subject: [PATCH] fix: update roles --- lib/osml/model_endpoint/me_test_endpoints.ts | 2 +- lib/osml/model_endpoint/roles/me_sm_role.ts | 39 ++++++------ lib/osml/model_runner/mr_dataplane.ts | 8 +-- .../model_runner/roles/mr_execution_role.ts | 7 +-- lib/osml/model_runner/roles/mr_task_role.ts | 60 ++----------------- .../tile_server/roles/ts_execution_role.ts | 11 +--- lib/osml/tile_server/roles/ts_lambda_role.ts | 11 +--- lib/osml/tile_server/roles/ts_task_role.ts | 15 +---- 8 files changed, 35 insertions(+), 118 deletions(-) diff --git a/lib/osml/model_endpoint/me_test_endpoints.ts b/lib/osml/model_endpoint/me_test_endpoints.ts index 668eba6..3ed0185 100644 --- a/lib/osml/model_endpoint/me_test_endpoints.ts +++ b/lib/osml/model_endpoint/me_test_endpoints.ts @@ -170,7 +170,7 @@ export class METestEndpointsConfig extends BaseConfig { BUILD_FROM_SOURCE: false, CONTAINER_BUILD_PATH: "lib/osml-models", CONTAINER_BUILD_TARGET: "osml_model", - CONTAINER_DOCKERFILE: "Dockerfile", + CONTAINER_DOCKERFILE: "docker/Dockerfile", CONTAINER_URI: "awsosml/osml-models:latest", DEPLOY_HTTP_AIRCRAFT_ENDPOINT: true, DEPLOY_SM_AIRCRAFT_ENDPOINT: true, diff --git a/lib/osml/model_endpoint/roles/me_sm_role.ts b/lib/osml/model_endpoint/roles/me_sm_role.ts index 2bddd0f..5e9f873 100644 --- a/lib/osml/model_endpoint/roles/me_sm_role.ts +++ b/lib/osml/model_endpoint/roles/me_sm_role.ts @@ -12,7 +12,6 @@ import { } from "aws-cdk-lib/aws-iam"; import { Construct } from "constructs"; -import { MRDataplaneConfig } from "../../model_runner/mr_dataplane"; import { OSMLAccount } from "../../osml_account"; /** 
@@ -41,11 +40,6 @@ export class MESMRole extends Construct { public role: Role; public partition: string; - /** - * The Model Runner Dataplane Configuration values to be used for this MRTaskRole - */ - public mrDataplaneConfig: MRDataplaneConfig = new MRDataplaneConfig(); - /** * Creates a SageMaker execution role for hosting CV models at a SageMaker endpoint. * @constructor @@ -56,10 +50,6 @@ export class MESMRole extends Construct { constructor(scope: Construct, id: string, props: MESMRoleProps) { super(scope, id); - // Defining constants for better readability - const MR_SERVICE_LOG_GROUP_NAME = `/aws/${this.mrDataplaneConfig.CW_METRICS_NAMESPACE}/MRService`; - const MR_HTTPENDPOINT_LOG_GROUP_NAME = `/aws/${this.mrDataplaneConfig.CW_METRICS_NAMESPACE}/HTTPEndpoint`; - // Determine the AWS partition based on the provided AWS region this.partition = region_info.Fact.find( props.account.region, 
@@ -133,25 +123,36 @@ export class MESMRole extends Construct { const cwLogsPolicyStatement = new PolicyStatement({ effect: Effect.ALLOW, actions: [ - "logs:PutLogEvents", - "logs:GetLogEvents", - "logs:DescribeLogStreams", - "logs:DescribeLogGroups", + "logs:CreateLogDelivery", + "logs:CreateLogGroup", "logs:CreateLogStream", - "logs:CreateLogGroup" + "logs:DeleteLogDelivery", + "logs:Describe*", + "logs:GetLogEvents", + "logs:GetLogDelivery", + "logs:ListLogDeliveries", + "logs:PutLogEvents", + "logs:PutResourcePolicy", + "logs:UpdateLogDelivery" ], resources: [ - `arn:${this.partition}:logs:${props.account.region}:${props.account.id}:log-group:${MR_HTTPENDPOINT_LOG_GROUP_NAME}:*`, - `arn:${this.partition}:logs:${props.account.region}:${props.account.id}:log-group:${MR_SERVICE_LOG_GROUP_NAME}:*`, - `arn:${this.partition}:logs:${props.account.region}:${props.account.id}:log-group:/aws/sagemaker/Endpoints/*` + `arn:${this.partition}:logs:${props.account.region}:${props.account.id}:log-group:*` ] }); + // Add permissions to assume roles + const stsPolicyStatement = new PolicyStatement({ + effect: Effect.ALLOW, + actions: ["sts:AssumeRole"], + resources: ["*"] + }); + smExecutionPolicy.addStatements( cwLogsPolicyStatement, ecrAuthPolicyStatement, ecrPolicyStatement, - ec2NetworkPolicyStatement + ec2NetworkPolicyStatement, + stsPolicyStatement ); role.addManagedPolicy(smExecutionPolicy); diff --git a/lib/osml/model_runner/mr_dataplane.ts b/lib/osml/model_runner/mr_dataplane.ts index 576614c..433c445 100644 --- a/lib/osml/model_runner/mr_dataplane.ts +++ b/lib/osml/model_runner/mr_dataplane.ts @@ -156,13 +156,13 @@ export class MRDataplaneConfig extends BaseConfig { /** * The CPU configuration for MR containers. - * @default 7168 + * @default 8192 */ public ECS_CONTAINER_CPU: number; /** * The memory configuration for MR containers. - * @default 10240 + * @default 16384 */ public ECS_CONTAINER_MEMORY: number; 
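Review bot: The new `stsPolicyStatement` grants `sts:AssumeRole` on `resources: ["*"]` to the SageMaker execution role, so the endpoint container can assume any role, in any account, whose trust policy admits this role; if cross-role access is actually needed, list the target role ARNs there, otherwise the statement should not be added at all. The `cwLogsPolicyStatement` change is the same least-privilege regression in the other direction: the resource goes from two named MR log groups plus `log-group:/aws/sagemaker/Endpoints/*` to `log-group:*`, and the action list gains the account-level `logs:PutResourcePolicy`, `logs:Describe*` and the `*LogDelivery` APIs, none of which a container needs to write its own log streams. Since the motivation appears to be dropping the `MRDataplaneConfig` import, note that `log-group:/aws/sagemaker/Endpoints/*` never depended on it and could be kept as the sole resource with the original six actions. The same replacement of named ARNs with `:*` / `log-group:*` occurs in mr_execution_role.ts, mr_task_role.ts, ts_execution_role.ts, ts_lambda_role.ts and ts_task_role.ts; passing the queue, table and log-group names in through each role's props would keep those ARNs scoped without the config import. The constructor continues past the end of this hunk.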
@@ -345,8 +345,8 @@ export class MRDataplaneConfig extends BaseConfig { ECS_AUTOSCALING_TASK_IN_INCREMENT: 8, ECS_AUTOSCALING_TASK_OUT_COOLDOWN: 3, ECS_AUTOSCALING_TASK_OUT_INCREMENT: 8, - ECS_CONTAINER_CPU: 7168, - ECS_CONTAINER_MEMORY: 10240, + ECS_CONTAINER_CPU: 8192, + ECS_CONTAINER_MEMORY: 16384, ECS_CONTAINER_NAME: "MRContainer", ECS_CLUSTER_NAME: "MRCluster", ECS_DEFAULT_DESIRE_COUNT: 1, diff --git a/lib/osml/model_runner/roles/mr_execution_role.ts b/lib/osml/model_runner/roles/mr_execution_role.ts index d1fc9ac..dba12aa 100644 --- a/lib/osml/model_runner/roles/mr_execution_role.ts +++ b/lib/osml/model_runner/roles/mr_execution_role.ts @@ -15,7 +15,6 @@ import { import { Construct } from "constructs"; import { OSMLAccount } from "../../osml_account"; -import { MRDataplaneConfig } from "../mr_dataplane"; /** * Defines the properties required for creating an `MRExecutionRole`. @@ -59,10 +58,6 @@ export class MRExecutionRole extends Construct { constructor(scope: Construct, id: string, props: MRExecutionRoleProps) { super(scope, id); - const serviceLogGroupName = `/aws/${ - new MRDataplaneConfig().CW_METRICS_NAMESPACE - }/MRService`; - this.partition = region_info.Fact.find( props.account.region, region_info.FactName.PARTITION @@ -97,7 +92,7 @@ export class MRExecutionRole extends Construct { "logs:CreateLogGroup" ], resources: [ - `arn:${this.partition}:logs:${props.account.region}:${props.account.id}:log-group:${serviceLogGroupName}:*` + `arn:${this.partition}:logs:${props.account.region}:${props.account.id}:log-group:*` ] }) ); diff --git a/lib/osml/model_runner/roles/mr_task_role.ts b/lib/osml/model_runner/roles/mr_task_role.ts index 35e8ab6..f8bdaab 100644 --- a/lib/osml/model_runner/roles/mr_task_role.ts +++ b/lib/osml/model_runner/roles/mr_task_role.ts 
@@ -14,7 +14,6 @@ import { import { Construct } from "constructs"; import { OSMLAccount } from "../../osml_account"; -import { MRDataplaneConfig } from "../mr_dataplane"; /** * Represents the properties required to define a model runner ECS task role. @@ -51,11 +50,6 @@ export class MRTaskRole extends Construct { */ public partition: string; - /** - * The Model Runner Dataplane Configuration values to be used for this MRTaskRole - */ - public mrDataplaneConfig: MRDataplaneConfig = new MRDataplaneConfig(); - /** * Creates an MRTaskRole construct. * @param {Construct} scope - The scope/stack in which to define this construct. 
@@ -72,29 +66,6 @@ export class MRTaskRole extends Construct { region_info.FactName.PARTITION )!; - // Defining constants for better readability - const SQS_IMAGE_REQUEST_QUEUE_NAME = - this.mrDataplaneConfig.SQS_IMAGE_REQUEST_QUEUE; - const SQS_REGION_REQUEST_QUEUE_NAME = - this.mrDataplaneConfig.SQS_REGION_REQUEST_QUEUE; - const SQS_IMAGE_STATUS_QUEUE_NAME = - this.mrDataplaneConfig.SQS_IMAGE_STATUS_QUEUE; - const SQS_REGION_STATUS_QUEUE_NAME = - this.mrDataplaneConfig.SQS_REGION_STATUS_QUEUE; - const SNS_TOPIC_IMAGE_NAME = this.mrDataplaneConfig.SNS_IMAGE_STATUS_TOPIC; - const SNS_TOPIC_REGION_NAME = - this.mrDataplaneConfig.SNS_REGION_STATUS_TOPIC; - const ECS_CLUSTER_NAME = this.mrDataplaneConfig.ECS_CLUSTER_NAME; - const DDB_JOB_STATUS_TABLE_NAME = - this.mrDataplaneConfig.DDB_JOB_STATUS_TABLE; - const DDB_FEATURES_TABLE_NAME = this.mrDataplaneConfig.DDB_FEATURES_TABLE; - const DDB_ENDPOINT_PROCESSING_TABLE_NAME = - this.mrDataplaneConfig.DDB_ENDPOINT_PROCESSING_TABLE; - const DDB_REGION_REQUEST_TABLE_NAME = - this.mrDataplaneConfig.DDB_REGION_REQUEST_TABLE; - const MR_SERVICE_LOG_GROUP_NAME = `/aws/${this.mrDataplaneConfig.CW_METRICS_NAMESPACE}/MRService`; - const MR_HTTPENDPOINT_LOG_GROUP_NAME = `/aws/${this.mrDataplaneConfig.CW_METRICS_NAMESPACE}/HTTPEndpoint`; - // Create an AWS IAM role for the Model Runner Fargate ECS task const mrTaskRole = new Role(this, "MRTaskRole", { roleName: props.roleName, 
@@ -158,14 +129,7 @@ export class MRTaskRole extends Construct { "sqs:GetQueueAttributes" ], resources: [ - `arn:${this.partition}:sqs:${props.account.region}:${props.account.id}:${SQS_IMAGE_REQUEST_QUEUE_NAME}`, - `arn:${this.partition}:sqs:${props.account.region}:${props.account.id}:${SQS_REGION_REQUEST_QUEUE_NAME}`, - `arn:${this.partition}:sqs:${props.account.region}:${props.account.id}:${SQS_IMAGE_STATUS_QUEUE_NAME}`, - `arn:${this.partition}:sqs:${props.account.region}:${props.account.id}:${SQS_REGION_STATUS_QUEUE_NAME}`, - `arn:${this.partition}:sqs:${props.account.region}:${props.account.id}:${SQS_IMAGE_REQUEST_QUEUE_NAME}DLQ`, - `arn:${this.partition}:sqs:${props.account.region}:${props.account.id}:${SQS_REGION_REQUEST_QUEUE_NAME}DLQ`, - `arn:${this.partition}:sqs:${props.account.region}:${props.account.id}:${SQS_IMAGE_STATUS_QUEUE_NAME}DLQ`, - `arn:${this.partition}:sqs:${props.account.region}:${props.account.id}:${SQS_REGION_STATUS_QUEUE_NAME}DLQ` + `arn:${this.partition}:sqs:${props.account.region}:${props.account.id}:*` ] }); @@ -189,8 +153,7 @@ export class MRTaskRole extends Construct { effect: Effect.ALLOW, actions: ["sns:Publish"], resources: [ - `arn:${this.partition}:sns:${props.account.region}:${props.account.id}:${SNS_TOPIC_IMAGE_NAME}`, - `arn:${this.partition}:sns:${props.account.region}:${props.account.id}:${SNS_TOPIC_REGION_NAME}` + `arn:${this.partition}:sns:${props.account.region}:${props.account.id}:*` ] }); 
@@ -210,10 +173,7 @@ export class MRTaskRole extends Construct { "dynamodb:UpdateTable" ], resources: [ - `arn:${this.partition}:dynamodb:${props.account.region}:${props.account.id}:table/${DDB_JOB_STATUS_TABLE_NAME}`, - `arn:${this.partition}:dynamodb:${props.account.region}:${props.account.id}:table/${DDB_FEATURES_TABLE_NAME}`, - `arn:${this.partition}:dynamodb:${props.account.region}:${props.account.id}:table/${DDB_ENDPOINT_PROCESSING_TABLE_NAME}`, - `arn:${this.partition}:dynamodb:${props.account.region}:${props.account.id}:table/${DDB_REGION_REQUEST_TABLE_NAME}` + `arn:${this.partition}:dynamodb:${props.account.region}:${props.account.id}:*` ] }); @@ -222,8 +182,7 @@ export class MRTaskRole extends Construct { effect: Effect.ALLOW, actions: ["ecs:DescribeServices", "ecs:UpdateService"], resources: [ - `arn:${this.partition}:ecs:${props.account.region}:${props.account.id}:cluster/${ECS_CLUSTER_NAME}`, - `arn:${this.partition}:ecs:${props.account.region}:${props.account.id}:service/${ECS_CLUSTER_NAME}/*` + `arn:${this.partition}:ecs:${props.account.region}:${props.account.id}:*` ] }); @@ -239,9 +198,7 @@ export class MRTaskRole extends Construct { "logs:CreateLogGroup" ], resources: [ - `arn:${this.partition}:logs:${props.account.region}:${props.account.id}:log-group:${MR_SERVICE_LOG_GROUP_NAME}:*`, - `arn:${this.partition}:logs:${props.account.region}:${props.account.id}:log-group:${MR_HTTPENDPOINT_LOG_GROUP_NAME}:*`, - `arn:${this.partition}:logs:${props.account.region}:${props.account.id}:log-group:/aws/sagemaker/Endpoints/*` + `arn:${this.partition}:logs:${props.account.region}:${props.account.id}:log-group:*` ] }); @@ -258,7 +215,6 @@ export class MRTaskRole extends Construct { actions: [ "sagemaker:ListEndpointConfigs", "sagemaker:DescribeEndpointConfig", - "sagemaker:UpdateEndpoint", "sagemaker:InvokeEndpoint", "sagemaker:DescribeEndpoint", "sagemaker:ListEndpoints", 
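Review bot: In the `ecs:DescribeServices` / `ecs:UpdateService` statement the resource is now `arn:${this.partition}:ecs:${props.account.region}:${props.account.id}:*`, whereas the removed lines confined it to `cluster/${ECS_CLUSTER_NAME}` and the services under it; unlike the read-mostly statements in this file, `ecs:UpdateService` can change the task definition and desired count of any service in the account, so this one deserves a named resource even if the others stay wildcarded for now. The cluster name is a config default (`"MRCluster"`, per the mr_dataplane.ts hunk), so a `service/MRCluster/*` resource built from a prop would restore the old scope without the `MRDataplaneConfig` import. The DynamoDB statement above it drops from `table/${...}` to `:*`; `:table/*` is the narrowest form that needs no table names. The removal of `sagemaker:UpdateEndpoint` and the create/delete endpoint actions further down is a genuine tightening and needs no change. The constructor body extends beyond this hunk on both sides.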
@@ -269,13 +225,7 @@ export class MRTaskRole extends Construct { "sagemaker:DescribeModelPackageGroup", "sagemaker:BatchDescribeModelPackage", "sagemaker:ListModelMetadata", - "sagemaker:DeleteEndpoint", - "sagemaker:CreateModel", - "sagemaker:CreateEndpoint", - "sagemaker:CreateEndpointConfig", "sagemaker:BatchGetRecord", - "sagemaker:DeleteEndpointConfig", - "sagemaker:UpdateEndpoint", "sagemaker:BatchGetMetrics", "sagemaker:BatchPutMetrics" ], diff --git a/lib/osml/tile_server/roles/ts_execution_role.ts b/lib/osml/tile_server/roles/ts_execution_role.ts index 5b9e313..b9c366c 100644 --- a/lib/osml/tile_server/roles/ts_execution_role.ts +++ b/lib/osml/tile_server/roles/ts_execution_role.ts @@ -14,7 +14,6 @@ import { import { Construct } from "constructs"; import { OSMLAccount } from "../../osml_account"; -import { TSDataplaneConfig } from "../ts_dataplane"; /** * Represents the properties required to define a Tile Server ECS execution role. @@ -51,11 +50,6 @@ export class TSExecutionRole extends Construct { */ public partition: string; - /** - * The Tile Server Container Configuration values to be used for this TSExecutionRole - */ - public tsDataplaneConfig: TSDataplaneConfig = new TSDataplaneConfig(); - /** * Creates an TSExecutionRole construct. * @param {Construct} scope - The scope/stack in which to define this construct. @@ -72,9 +66,6 @@ export class TSExecutionRole extends Construct { region_info.FactName.PARTITION )!; - // Defining constants for better readability - const TS_LOG_GROUP_NAME = `/aws/${this.tsDataplaneConfig.ECS_METRICS_NAMESPACE}/${this.tsDataplaneConfig.CW_LOGGROUP_NAME}`; - // Create an AWS IAM role for the Tile Server Fargate ECS execution role const tsExecutionRole = new Role(this, "TSExecutionRole", { roleName: props.roleName, 
@@ -122,7 +113,7 @@ export class TSExecutionRole extends Construct { "logs:CreateLogGroup" ], resources: [ - `arn:${this.partition}:logs:${props.account.region}:${props.account.id}:log-group:${TS_LOG_GROUP_NAME}*` + `arn:${this.partition}:logs:${props.account.region}:${props.account.id}:*` ] }); diff --git a/lib/osml/tile_server/roles/ts_lambda_role.ts b/lib/osml/tile_server/roles/ts_lambda_role.ts index a76e39c..716df06 100644 --- a/lib/osml/tile_server/roles/ts_lambda_role.ts +++ b/lib/osml/tile_server/roles/ts_lambda_role.ts @@ -15,7 +15,6 @@ import { import { Construct } from "constructs"; import { OSMLAccount } from "../../osml_account"; -import { TSDataplaneConfig } from "../ts_dataplane"; /** * Represents the properties required to define a tile server lambda sweeper role. @@ -52,11 +51,6 @@ export class TSLambdaRole extends Construct { */ public partition: string; - /** - * The TSDataplane Configuration class to be used for TSLambdaRole. - */ - public tsDataplaneConfig: TSDataplaneConfig = new TSDataplaneConfig(); - /** * Creates an TSLambdaRole construct. * @param {Construct} scope - The scope/stack in which to define this construct. @@ -67,9 +61,6 @@ export class TSLambdaRole extends Construct { constructor(scope: Construct, id: string, props: TSLambdaRoleProps) { super(scope, id); - // Defining constants for better readability - const DDB_JOB_TABLE_NAME = this.tsDataplaneConfig.DDB_JOB_TABLE; - // Determine the AWS partition based on the provided AWS region this.partition = region_info.Fact.find( props.account.region, @@ -95,7 +86,7 @@ export class TSLambdaRole extends Construct { effect: Effect.ALLOW, actions: ["dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:UpdateItem"], resources: [ - `arn:${this.partition}:dynamodb:${props.account.region}:${props.account.id}:table/${DDB_JOB_TABLE_NAME}` + `arn:${this.partition}:dynamodb:${props.account.region}:${props.account.id}:*` ] }); 
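Review bot: The rewritten logs resource in `ts_execution_role.ts` is `arn:${this.partition}:logs:${props.account.region}:${props.account.id}:*`, with no `log-group:` resource-type prefix, while every other logs statement in this patch (me_sm_role.ts, mr_execution_role.ts, mr_task_role.ts) uses `log-group:*`; the removed line also kept the `log-group:` prefix. For consistency and so the statement cannot match other CloudWatch Logs resource types, change it to `` `arn:${this.partition}:logs:${props.account.region}:${props.account.id}:log-group:*` ``. The `ts_lambda_role.ts` DynamoDB hunk on this line has the same `:*` widening already raised for the other role files.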
diff --git a/lib/osml/tile_server/roles/ts_task_role.ts b/lib/osml/tile_server/roles/ts_task_role.ts index 4e3bc14..841418b 100644 --- a/lib/osml/tile_server/roles/ts_task_role.ts +++ b/lib/osml/tile_server/roles/ts_task_role.ts @@ -16,7 +16,6 @@ import { import { Construct } from "constructs"; import { OSMLAccount } from "../../osml_account"; -import { TSDataplaneConfig } from "../ts_dataplane"; /** * Represents the properties required to define a model runner ECS task role. @@ -53,11 +52,6 @@ export class TSTaskRole extends Construct { */ public partition: string; - /** - * The TSDataplane Configuration class to be used for TSLambdaRole. - */ - public tsDataplaneConfig: TSDataplaneConfig = new TSDataplaneConfig(); - /** * Creates an TSTaskRole construct. * @param {Construct} scope - The scope/stack in which to define this construct. @@ -68,10 +62,6 @@ export class TSTaskRole extends Construct { constructor(scope: Construct, id: string, props: TSTaskRoleProps) { super(scope, id); - // Defining constants for better readability - const DDB_JOB_TABLE_NAME = this.tsDataplaneConfig.DDB_JOB_TABLE; - const SQS_JOB_QUEUE_NAME = this.tsDataplaneConfig.SQS_JOB_QUEUE; - // Determine the AWS partition based on the provided AWS region this.partition = region_info.Fact.find( props.account.region, @@ -105,7 +95,7 @@ export class TSTaskRole extends Construct { "dynamodb:DescribeTable" ], resources: [ - `arn:${this.partition}:dynamodb:${props.account.region}:${props.account.id}:table/${DDB_JOB_TABLE_NAME}` + `arn:${this.partition}:dynamodb:${props.account.region}:${props.account.id}:*` ] }); @@ -120,8 +110,7 @@ export class TSTaskRole extends Construct { "sqs:ListQueues" ], resources: [ - `arn:${this.partition}:sqs:${props.account.region}:${props.account.id}:${SQS_JOB_QUEUE_NAME}`, - `arn:${this.partition}:sqs:${props.account.region}:${props.account.id}:${SQS_JOB_QUEUE_NAME}DLQ` + `arn:${this.partition}:sqs:${props.account.region}:${props.account.id}:*` ] });