/*
* Copyright 2023-2024 Amazon.com, Inc. or its affiliates.
*/
import { region_info } from "aws-cdk-lib";
import {
CompositePrincipal,
Effect,
ManagedPolicy,
PolicyStatement,
Role,
ServicePrincipal
} from "aws-cdk-lib/aws-iam";
import { Construct } from "constructs";
import { MRDataplaneConfig } from "../../model_runner/mr_dataplane";
import { MRModelEndpointsConfig } from "../../model_runner/testing/mr_endpoints";
import { OSMLAccount } from "../../osml_account";
import { MEContainerConfig } from "../me_container";
/**
 * Represents the properties required for a HTTP model task role.
 *
 * Both values feed directly into the IAM resources created by MEHTTPRole:
 * the account supplies the region and account id used in policy ARNs, and
 * the role name is applied verbatim to the created IAM role.
 * @interface MEHTTPRoleProps
 */
export interface MEHTTPRoleProps {
/**
 * The OSML deployment account. Its `region` and `id` are interpolated into
 * the CloudWatch Logs and ECR resource ARNs of the role's policy.
 * @type {OSMLAccount}
 * @readonly
 */
readonly account: OSMLAccount;
/**
 * The name to assign the IAM role (must be unique within the account).
 * @type {string}
 * @readonly
 */
readonly roleName: string;
}
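/**
 * Represents an AWS CDK construct for creating an OSML HTTP Endpoint Role.
 *
 * The role can be assumed by ECS tasks and Lambda functions and carries one
 * customer-managed policy granting CloudWatch Logs access to the Model Runner
 * log groups and ECR access to repositories in the deployment account.
 */
export class MEHTTPRole extends Construct {
  /**
   * The IAM role associated with the OSML HTTP endpoint.
   */
  public role: Role;

  /**
   * The AWS partition (e.g. "aws", "aws-us-gov") in which the resources are located.
   */
  public partition: string;

  /**
   * The Model Runner Dataplane Configuration values to be used for this MRTaskRole.
   * Only METRICS_NAMESPACE is read here, to derive the log group names.
   */
  public mrDataplaneConfig: MRDataplaneConfig = new MRDataplaneConfig();

  /**
   * The Model Runner Model Endpoints Configuration values to be used for this MRTaskRole.
   * Exposed for callers; not read by this construct.
   */
  public mrModelEndpointsConfig: MRModelEndpointsConfig =
    new MRModelEndpointsConfig();

  /**
   * The Model Endpoint Container Configuration values to be used for this MRTaskRole.
   * Exposed for callers; not read by this construct.
   */
  public meContainerConfig: MEContainerConfig = new MEContainerConfig();

  /**
   * Creates an OSMLHTTPEndpointRole construct.
   *
   * @param scope - The scope/stack in which to define this construct.
   * @param id - The id of this construct within the current scope.
   * @param props - The properties of this construct.
   * @throws Error if the AWS partition for `props.account.region` cannot be determined.
   */
  constructor(scope: Construct, id: string, props: MEHTTPRoleProps) {
    super(scope, id);

    // Fact.find() returns undefined for a region the CDK does not know about.
    // Fail loudly here instead of letting "arn:undefined:..." ARNs reach the
    // policy, which the previous non-null assertion would have allowed.
    const partition = region_info.Fact.find(
      props.account.region,
      region_info.FactName.PARTITION
    );
    if (partition === undefined) {
      throw new Error(
        `Unable to determine the AWS partition for region "${props.account.region}"`
      );
    }
    this.partition = partition;

    // Log groups the endpoint is allowed to read from and write to.
    const metricsNamespace = this.mrDataplaneConfig.METRICS_NAMESPACE;
    const MR_FIRELENS_LOG_GROUP_NAME = `/aws/${metricsNamespace}/MRFireLens`;
    const MR_SERVICE_LOG_GROUP_NAME = `/aws/${metricsNamespace}/MRService`;
    const MR_HTTPENDPOINT_LOG_GROUP_NAME = `/aws/${metricsNamespace}/HTTPEndpoint`;

    // Builds the ARN of a log group in this account/region, including the
    // trailing ":*" that covers the log streams inside it.
    const logGroupArn = (logGroupName: string): string =>
      `arn:${this.partition}:logs:${props.account.region}:${props.account.id}:log-group:${logGroupName}:*`;

    // Create the IAM role for the OSML HTTP endpoint.
    const meHttpRole = new Role(this, "MEHTTPEndpointRole", {
      roleName: props.roleName,
      assumedBy: new CompositePrincipal(
        new ServicePrincipal("ecs-tasks.amazonaws.com"),
        new ServicePrincipal("lambda.amazonaws.com")
      ),
      description:
        "Allows the OversightML HTTP model endpoint to access necessary resources."
    });

    // NOTE: managedPolicyName is a fixed string while roleName comes from props,
    // so deploying two MEHTTPRole constructs into one account collides on the
    // policy name. Derive it from props.roleName if that is ever required.
    const meHttpPolicy = new ManagedPolicy(this, "MEHttpPolicy", {
      managedPolicyName: "MEHttpPolicy"
    });

    // CloudWatch Logs access, scoped to the Model Runner log groups and the
    // SageMaker endpoint log groups rather than every log group in the account.
    const cwPolicyStatement = new PolicyStatement({
      effect: Effect.ALLOW,
      actions: [
        "logs:PutLogEvents",
        "logs:GetLogEvents",
        "logs:DescribeLogStreams",
        "logs:DescribeLogGroups",
        "logs:CreateLogStream",
        "logs:CreateLogGroup"
      ],
      resources: [
        logGroupArn(MR_FIRELENS_LOG_GROUP_NAME),
        logGroupArn(MR_SERVICE_LOG_GROUP_NAME),
        logGroupArn(MR_HTTPENDPOINT_LOG_GROUP_NAME),
        // Kept verbatim: this entry has no ":*" log-stream suffix.
        `arn:${this.partition}:logs:${props.account.region}:${props.account.id}:log-group:/aws/sagemaker/Endpoints/*`
      ]
    });

    // ecr:GetAuthorizationToken does not support resource-level permissions,
    // so "*" is the narrowest resource it can be granted on.
    const ecrAuthPolicyStatement = new PolicyStatement({
      effect: Effect.ALLOW,
      actions: ["ecr:GetAuthorizationToken"],
      resources: ["*"]
    });

    // ECR image access, scoped to repositories in the deployment account.
    // NOTE(review): InitiateLayerUpload, UploadLayerPart, CompleteLayerUpload
    // and PutImage grant push access to every repository in the account. If the
    // endpoint only pulls its container image, those actions can be dropped to
    // reach least privilege — confirm with the callers of this construct.
    const ecrPolicyStatement = new PolicyStatement({
      effect: Effect.ALLOW,
      actions: [
        "ecr:GetDownloadUrlForLayer",
        "ecr:BatchGetImage",
        "ecr:DescribeImages",
        "ecr:BatchCheckLayerAvailability",
        "ecr:InitiateLayerUpload",
        "ecr:UploadLayerPart",
        "ecr:CompleteLayerUpload",
        "ecr:PutImage",
        "ecr:DescribeRepositories"
      ],
      resources: [
        `arn:${this.partition}:ecr:${props.account.region}:${props.account.id}:repository/*`
      ]
    });

    meHttpPolicy.addStatements(
      cwPolicyStatement,
      ecrAuthPolicyStatement,
      ecrPolicyStatement
    );
    meHttpRole.addManagedPolicy(meHttpPolicy);
    this.role = meHttpRole;
  }
}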