feat(stepfunctions-tasks): bedrock createModelCustomizationJob integration

[badmintoncryer]

This PR was previously created and passed the community review, but the maintainer review stopped midway, and it was eventually closed. There shouldn’t be any issues with the content, so I am submitting the PR again.

Issue # (if applicable)

Closes #29042

Reason for this change

AWS stepfunctions support optimized integration with AWS bedrock.
Currently, only invokeModel is supported by CDK, but I would like createModelCustomizationJob to be supported in the same manner.

Description of changes

I've added CreatemodelCustomizationJob class.

const taskConfig = {
  baseModel: model,
  clientRequestToken: 'MyToken',
  customizationType: CustomizationType.FINE_TUNING,
  kmsKey,
  customModelName: 'MyCustomModel',
  customModelTags: [{ key: 'key1', value: 'value1' }],
  hyperParameters: {
    batchSize: '10',
  },
  jobName: 'MyCustomizationJob',
  jobTags: [{ key: 'key2', value: 'value2' }],
  outputDataS3Uri: outputBucket.s3UrlForObject(),
  trainingDataS3Uri: trainingBucket.s3UrlForObject(),
  validationDataS3Uri: [validationBucket.s3UrlForObject()],
  vpcConfig: {
    securityGroups: [new ec2.SecurityGroup(stack, 'SecurityGroup', { vpc })],
    subnets: vpc.isolatedSubnets,
  },
};

const task1 = new BedrockCreateModelCustomizationJob(stack, 'CreateModelCustomizationJob1', taskConfig);

const chain = sfn.Chain
  .start(new sfn.Pass(stack, 'Start'))
  .next(task1)
  .next(new sfn.Pass(stack, 'Done'));

new sfn.StateMachine(stack, 'StateMachine', {
  definitionBody: sfn.DefinitionBody.fromChainable(chain),
  timeout: cdk.Duration.seconds(30),
});

Description of how you validated changes

I've added both unit and integ tests.

Checklist

• My code adheres to the CONTRIBUTING GUIDE and DESIGN GUIDELINES

---

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

[badmintoncryer]

@gracelu0 Thank you for your kindness check. I've addressed all of your comments.

[gracelu0]

Thank you for working on this! I left some comments to improve the interface design for extensibility, and we will need to check the policy updates with security reviewer (so there may be some additional comments to address).

[gracelu0]

instead of all the // optional comments can we have a // required comment to point out the required properties?

[badmintoncryer]

Fixed.

[gracelu0]

from the linked docs, By default, Amazon Bedrock encrypts custom models with AWS owned keys. - can we specify that as the default here?

[badmintoncryer]

Fixed!

[gracelu0]

what is this prefix field for? since I see for the s3Uri property the pattern is ^s3://[a-z0-9][-.a-z0-9]{1,61}(?:/[-!_*'().a-z0-9A-Z]+(?:/[-!_*'().a-z0-9A-Z]+)*)?/?$ so the prefix is expected to be s3://.

[badmintoncryer]

I apologize for the confusing naming. This prefix represents the absolute path from the root within the bucket, and is passed to the s3UrlForObject() method as follows.

        OutputDataConfig: {
          S3Uri: this.props.outputData.bucket.s3UrlForObject(this.props.outputData.path),
        },

I've changed it from "prefix" to "path" and added some explanations. How does this look?

[gracelu0]

While I like the simplified BucketConfiguration interface here, I see that TrainingDataConfig already differs from ValidationDataConfig and OutputDataConfig with additional prop invocationLogsConfig.

To avoid making breaking changes in the future in case new sub-properties are added, can we make a base interface BucketConfiguration (maybe called DataBucketConfiguration) and create interfaces extending it for each of outputData, trainingData and validationData ?

[badmintoncryer]

Thank you for your nice suggestion. I defined each interfaces like that.

[gracelu0]

It looks like validationDataConfig is not required, so we need to update this and also the validation to allow minimum of 0 validators

[badmintoncryer]

fixed.

[gracelu0]

I think it's okay if we don't include it in this PR, but we should ensure the contract allows us to add this in the future (see my other comment about extending the interface)

[gracelu0]

From https://docs.aws.amazon.com/bedrock/latest/userguide/model-customization-iam-role.html#model-customization-iam-role-trust it mentions the option to restrict the scope using Condition:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "bedrock.amazonaws.com"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {
                    "aws:SourceAccount": "account-id"
                },
                "ArnEquals": {
                    "aws:SourceArn": "arn:aws:bedrock:us-east-1:account-id:model-customization-job/*"
                }
            }
        }
    ] 
}

Can we add this to adhere to PoLP and reduce the permissions scope?

[badmintoncryer]

I've added Condition section!

const role = new iam.Role(this, 'BedrockRole', {
      assumedBy: new iam.ServicePrincipal('bedrock.amazonaws.com', {
        conditions: {
          StringEquals: {
            'aws:SourceAccount': account,
          },
          ArnEquals: {
            'aws:SourceArn': Stack.of(this).formatArn({
              service: 'bedrock',
              resource: 'model-customization-job',
              resourceName: '*',
            }),
          },
        },
      }),

Pull request has been modified.

[aws-cdk-automation]

(This review is outdated)

✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.

[badmintoncryer]

This information is described in management console.

[badmintoncryer]

@gracelu0 I'm really sorry for my late response. I've addressed all of your comments. Could you please reconfirm again?

[aws-cdk-automation]

AWS CodeBuild CI Report

• CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
• Commit ID: a979625
• Result: SUCCEEDED
• Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository