feat(stepfunctions-tasks): bedrock createModelCustomizationJob integration

[badmintoncryer]

Issue

Closes #29042

Reason for this change

AWS stepfunctions support optimized integration with AWS bedrock.
Currently, only invokeModel is supported by CDK, but I would like createModelCustomizationJob to be supported in the same manner.

Description of changes

I've added CreatemodelCustomizationJob class.

const taskConfig = {
  baseModel: model,
  clientRequestToken: 'MyToken',
  customizationType: CustomizationType.FINE_TUNING,
  kmsKey,
  customModelName: 'MyCustomModel',
  customModelTags: [{ key: 'key1', value: 'value1' }],
  hyperParameters: {
    batchSize: '10',
  },
  jobName: 'MyCustomizationJob',
  jobTags: [{ key: 'key2', value: 'value2' }],
  outputDataS3Uri: outputBucket.s3UrlForObject(),
  trainingDataS3Uri: trainingBucket.s3UrlForObject(),
  validationDataS3Uri: [validationBucket.s3UrlForObject()],
  vpcConfig: {
    securityGroups: [new ec2.SecurityGroup(stack, 'SecurityGroup', { vpc })],
    subnets: vpc.isolatedSubnets,
  },
};

const task1 = new BedrockCreateModelCustomizationJob(stack, 'CreateModelCustomizationJob1', taskConfig);

const chain = sfn.Chain
  .start(new sfn.Pass(stack, 'Start'))
  .next(task1)
  .next(new sfn.Pass(stack, 'Done'));

new sfn.StateMachine(stack, 'StateMachine', {
  definitionBody: sfn.DefinitionBody.fromChainable(chain),
  timeout: cdk.Duration.seconds(30),
});

Description of how you validated changes

I've added both unit and integ tests.

Checklist

• My code adheres to the CONTRIBUTING GUIDE and DESIGN GUIDELINES

---

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

[lpizzinidev]

Thanks 👍
Left some comments for adjustments

[lpizzinidev]

Thanks for implementing the changes!
I left some suggestions for further improvements

[aws-cdk-automation]

The pull request linter has failed. See the aws-cdk-automation comment below for failure reasons. If you believe this pull request should receive an exemption, please comment and provide a justification.

A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed add Clarification Request to a comment.

✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.

[badmintoncryer]

@lpizzinidev
Thank you for your review. I've addressed your comments.

[lpizzinidev]

🤔 I don't think the current IAM policies setup is correct.
From the documentation, we should create:

1. If the task is in a private VPC with no internet access, a VPC endpoint policy granting S3 access via the private network (docs). In this case, I think we should also validate that a VPC gateway endpoint for S3 must is provided.
2. If customModelKmsKey is specified, a key policy to grant KMS permissions to the Bedrock role (docs

Let me know if you think I missed something or want to discuss it further.

[lpizzinidev]

Thanks for updating the implementation 👍
I left #29043 (comment) to be discussed.

[lpizzinidev]

Thanks for implementing the changes 👍
I left comments for adjusting the vpc interface (#29043 (comment)) and other nits.
Thank you for your patience, I should have thought about it before 😅 (of course let me know if you think that the implementation is better as is)

[badmintoncryer]

@lpizzinidev Thank you for your continuous review!
I have updated to use only vpc as props and I will fix CI failure later.

I have 1 question about security groups.

#29043 (comment)

[lpizzinidev]

#29043 (comment)

My only concern is regarding the settings for the security group. If only the vpc is specified as an argument, there will be a need to automatically generate a security group for the ENI used by bedrock. For the outbound rules of this security group, is it acceptable to allow access to S3 via HTTPS to 0.0.0.0/0?

We should allow users control over securityGroups configuration.
Which is why I think we should revert to using the previous interface.

If the strictest outbound rules are required

Let's keep it simple for now as adding stricter rules will probably require adding more props.

The rest of the changes look good 👍

[lpizzinidev]

Thanks 👍 Left comments for some final minor adjustments.
Otherwise, this looks good to me 💪

[badmintoncryer]

@lpizzinidev I'm sorry for my misunderstanding. I've removed vpc props from vpcConfig.
I apologize for the time it took to make the corrections in this PR. I look forward to continuing to work with you.

[lpizzinidev]

@badmintoncryer
No worries, you're pretty quick in implementing changes 😄
Hopefully, this will get merged soon 💪

[comcalvi]

This is a fantastic change! Shoutout to @lpizzinidev for reviewing this PR!

Pull request has been modified.

[badmintoncryer]

@comcalvi Thank you for your review and I'm sorry for my confusing implementation. I've replied your comments.

Pull request has been modified.

[badmintoncryer]

@comcalvi I've resolved conflicts. Could you approve again after esbuild issue is fixed?

[aws-cdk-automation]

AWS CodeBuild CI Report

• CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
• Commit ID: 3697bf6
• Result: SUCCEEDED
• Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

[aws-cdk-automation]

This PR has been deemed to be abandoned, and will be automatically closed. Please create a new PR for these changes if you think this decision has been made in error.

[github-actions]

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.