Merge branch 'main' into comcalvi/notification-arns
mergify[bot] authored Aug 13, 2024
2 parents e933382 + f1af7fc commit c308c5a
Showing 14 changed files with 557 additions and 13 deletions.
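--- a/.github/ISSUE_TEMPLATE/bug-report.yml
+++ b/.github/ISSUE_TEMPLATE/bug-report.yml
@@ -20,6 +20,21 @@ body:
 description: What is the problem? A clear and concise description of the bug.
 validations:
 required: true
+- type: checkboxes
+id: regression
+attributes:
+label: Regression Issue
+description: What is a regression? If it worked in a previous version but doesn’t in the latest version, it’s considered a regression. In this case, please provide specific version number in the report.
+options:
+- label: Select this option if this issue appears to be a regression.
+required: false
+- type: input
+id: working-version
+attributes:
+label: Last Known Working CDK Version
+description: Specify the last known CDK version where this code was functioning as expected (if applicable).
+validations:
+required: false
 - type: textarea
 id: expected
 attributes: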
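--- a/.github/workflows/issue-regression-labeler.yml
+++ b/.github/workflows/issue-regression-labeler.yml
@@ -0,0 +1,32 @@
+# Apply potential regression label on issues
+name: issue-regression-label
+on:
+issues:
+types: [opened, edited]
+jobs:
+add-regression-label:
+runs-on: ubuntu-latest
+permissions:
+issues: write
+steps:
+- name: Fetch template body
+id: check_regression
+uses: actions/github-script@v7
+env:
+GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+TEMPLATE_BODY: ${{ github.event.issue.body }}
+with:
+script: |
+const regressionPattern = /\[x\] Select this option if this issue appears to be a regression\./i;
+const template = `${process.env.TEMPLATE_BODY}`
+const match = regressionPattern.test(template);
+core.setOutput('is_regression', match);
+- name: Manage regression label
+env:
+GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+run: |
+if [ "${{ steps.check_regression.outputs.is_regression }}" == "true" ]; then
+gh issue edit ${{ github.event.issue.number }} --add-label "potential-regression" -R ${{ github.repository }}
+else
+gh issue edit ${{ github.event.issue.number }} --remove-label "potential-regression" -R ${{ github.repository }}
+fi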
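Review bot: `actions/github-script@v7` in the "Fetch template body" step is a mutable tag, and this job holds `issues: write` while running for anyone who opens or edits an issue; pin it to a full commit SHA, e.g. `uses: actions/github-script@<full-commit-sha> # v7` (placeholder, take the SHA from the action's release). The issue body is correctly handed over through the `TEMPLATE_BODY` env variable rather than interpolated into the script, and a comment such as `# Untrusted issue text: read it via env only, never inline the issue body expression into script/run` would keep a later edit from undoing that. The `GITHUB_TOKEN` env entry on that first step appears unused, since the script only runs a regex and calls `core.setOutput`, so it can be dropped. The `else` branch also removes `potential-regression` on every edit where the checkbox is not ticked, which would undo a label a maintainer applied by hand.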
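--- a/packages/@aws-cdk/aws-sagemaker-alpha/README.md
+++ b/packages/@aws-cdk/aws-sagemaker-alpha/README.md
@@ -78,6 +78,31 @@ const model = new sagemaker.Model(this, 'InferencePipelineModel', {
 });
 ```
 
+### Model Properties
+
+#### Network Isolation
+
+If you enable [network isolation](https://docs.aws.amazon.com/sagemaker/latest/dg/mkt-algo-model-internet-free.html), the containers can't make any outbound network calls, even to other AWS services such as Amazon S3. Additionally, no AWS credentials are made available to the container runtime environment.
+
+To enable network isolation, set the `networkIsolation` property to `true`:
+
+```typescript
+import * as sagemaker from '@aws-cdk/aws-sagemaker-alpha';
+
+declare const image: sagemaker.ContainerImage;
+declare const modelData: sagemaker.ModelData;
+
+const model = new sagemaker.Model(this, 'ContainerModel', {
+containers: [
+{
+image,
+modelData,
+}
+],
+networkIsolation: true,
+});
+```
+
 ### Container Images
 
 Inference code can be stored in the Amazon EC2 Container Registry (Amazon ECR), which is specified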
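--- a/packages/@aws-cdk/aws-sagemaker-alpha/lib/model.ts
+++ b/packages/@aws-cdk/aws-sagemaker-alpha/lib/model.ts
@@ -206,6 +206,17 @@ export interface ModelProps {
 * @default true
 */
 readonly allowAllOutbound?: boolean;
+
+/**
+* Whether to enable network isolation for the model container.
+*
+* When enabled, no inbound or outbound network calls can be made to or from the model container.
+*
+* @see https://docs.aws.amazon.com/sagemaker/latest/dg/mkt-algo-model-internet-free.html
+*
+* @default false
+*/
+readonly networkIsolation?: boolean;
 }
 
 /**
@@ -312,6 +323,7 @@ export class Model extends ModelBase {
 primaryContainer: cdk.Lazy.any({ produce: () => this.renderPrimaryContainer() }),
 vpcConfig: cdk.Lazy.any({ produce: () => this.renderVpcConfig() }),
 containers: cdk.Lazy.any({ produce: () => this.renderContainers() }),
+enableNetworkIsolation: props.networkIsolation,
 });
 this.modelName = this.getResourceNameAttribute(model.attrModelName);
 this.modelArn = this.getResourceArnAttribute(model.ref, {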
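Review bot: The doc comment added for `networkIsolation` in `ModelProps` leaves out the credential side of the feature: the README change in this same commit states that no AWS credentials are made available to the container runtime, which a reader of the API docs alone would not learn. I would add a line such as `* Additionally, no AWS credentials are made available to the container runtime environment.` and one sentence on how this property relates to `allowAllOutbound` (default `true`) declared just above it, since the two read as contradictory when both are set; the visible lines do not show whether any validation covers that combination. In the second hunk, `enableNetworkIsolation: props.networkIsolation` passes `undefined` through when the prop is unset, so the stated `@default false` appears to rely on the service default rather than an explicit value, which is worth saying in the docstring if intended. Both the interface and the constructor continue outside the hunks.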

Expand Up @@ -898,6 +898,169 @@
"HuggingFaceModelRoleDefaultPolicy50587D35",
"HuggingFaceModelRoleDA17DA00"
]
},
"NetworkIsolationModelRole562D6C7F": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "sagemaker.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"ManagedPolicyArns": [
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":iam::aws:policy/AmazonSageMakerFullAccess"
]
]
}
]
}
},
"NetworkIsolationModelRoleDefaultPolicy84ACFE88": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": [
"ecr:BatchCheckLayerAvailability",
"ecr:BatchGetImage",
"ecr:GetDownloadUrlForLayer"
],
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":ecr:",
{
"Ref": "AWS::Region"
},
":",
{
"Ref": "AWS::AccountId"
},
":repository/",
{
"Fn::Sub": "cdk-hnb659fds-container-assets-${AWS::AccountId}-${AWS::Region}"
}
]
]
}
},
{
"Action": "ecr:GetAuthorizationToken",
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"s3:GetBucket*",
"s3:GetObject*",
"s3:List*"
],
"Effect": "Allow",
"Resource": [
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":s3:::",
{
"Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}"
},
"/*"
]
]
},
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":s3:::",
{
"Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}"
}
]
]
}
]
}
],
"Version": "2012-10-17"
},
"PolicyName": "NetworkIsolationModelRoleDefaultPolicy84ACFE88",
"Roles": [
{
"Ref": "NetworkIsolationModelRole562D6C7F"
}
]
}
},
"NetworkIsolationModel29FE9107": {
"Type": "AWS::SageMaker::Model",
"Properties": {
"Containers": [
{
"Image": {
"Fn::Sub": "${AWS::AccountId}.dkr.ecr.${AWS::Region}.${AWS::URLSuffix}/cdk-hnb659fds-container-assets-${AWS::AccountId}-${AWS::Region}:442a71de95281cb26bd41da567c79060206108b97bdde93cb4ce5f213f50013a"
}
},
{
"Image": {
"Fn::Sub": "${AWS::AccountId}.dkr.ecr.${AWS::Region}.${AWS::URLSuffix}/cdk-hnb659fds-container-assets-${AWS::AccountId}-${AWS::Region}:442a71de95281cb26bd41da567c79060206108b97bdde93cb4ce5f213f50013a"
},
"ModelDataUrl": {
"Fn::Sub": "https://s3.${AWS::Region}.${AWS::URLSuffix}/cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/126d48fa0e32fbef5078b9d88658b35ad29d4291eb86675a64c75fa4f1338916.gz"
}
},
{
"Image": {
"Fn::Sub": "${AWS::AccountId}.dkr.ecr.${AWS::Region}.${AWS::URLSuffix}/cdk-hnb659fds-container-assets-${AWS::AccountId}-${AWS::Region}:442a71de95281cb26bd41da567c79060206108b97bdde93cb4ce5f213f50013a"
},
"ModelDataUrl": {
"Fn::Sub": "https://s3.${AWS::Region}.${AWS::URLSuffix}/cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/126d48fa0e32fbef5078b9d88658b35ad29d4291eb86675a64c75fa4f1338916.gz"
}
}
],
"EnableNetworkIsolation": true,
"ExecutionRoleArn": {
"Fn::GetAtt": [
"NetworkIsolationModelRole562D6C7F",
"Arn"
]
}
},
"DependsOn": [
"NetworkIsolationModelRoleDefaultPolicy84ACFE88",
"NetworkIsolationModelRole562D6C7F"
]
}
},
"Mappings": {