First migration commit

Author: Eric Cornwell

.gitignore

@@ -0,0 +1,21 @@
+deployment/cdk/cdk.out
+deployment/cdk/node_modules
+deployment/cdk/package-lock.json
+deployment/cdk/outputs.json
+deployment/cdk/stacks/__pycache__
+deployment/cdk/stacks/components/__pycache__/
+deployment/terraform/.terraform
+deployment/terraform/.terraform.lock.hcl
+deployment/terraform/.terraform.tfstate.lock.info
+deployment/terraform/terraform.tfstate
+deployment/terraform/terraform.tfstate.backup
+deployment/terraform/outputs.json
+source/lambda/workflow_trigger/workflow_trigger.zip
+source/lambda/workflow_complete/workflow_complete.zip
+source/workflow-submissions
+source/containers/build-deploy-containers.log
+deployment/terraform/workflow-submissions/
+deployment/cdk/workflow-submissions/
+source/Gradio/.DS_Store
+source/venv/
+source/Gradio/workflow-submissions

deployment/cdk/app.py

@@ -0,0 +1,91 @@
+#!/usr/bin/env python3
+# Copyright 2024 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: LicenseRef-.amazon.com.-AmznSL-1.0
+# Licensed under the Amazon Software License  http://aws.amazon.com/asl/
+#
+# Main entry into CDK App to build infrastructure stack
+#
+
+import os
+import json
+import aws_cdk as cdk
+from stacks.infra_stack import GSWorkflowBaseStack
+from stacks.post_deploy_stack import GSWorkflowPostDeployStack
+
+app = cdk.App()
+
+# Load the app configuration from the config.json file
+try:
+    with open("config.json", "r", encoding="utf-8") as config_file:
+        config_data = json.load(config_file)
+except Exception as e:
+    print(f"Could not read the app configuration file. {e}")
+    raise e
+
+# Set CDK environment variables
+environment = cdk.Environment(
+    account=config_data['accountId'],
+    region=config_data['region']
+)
+
+# Comply with SageMaker path definitions
+current_path = os.path.dirname(os.path.realpath(__file__))
+build_args = {'CODE_PATH':'/opt/ml/code','MODEL_PATH':'/opt/ml/model'}
+
+# Handle deploying and destroying groups of stacks
+select_all = False
+bundling_stacks = app.node.try_get_context("aws:cdk:bundling-stacks")
+is_destroy = app.node.try_get_context("destroy")
+bootstrap = app.node.try_get_context("bootstrap")
+
+# Check if bundling_stacks exists and contains "**"
+if bundling_stacks and "**" in bundling_stacks:
+    select_all = True
+
+# Create the Base Stack
+if is_destroy or select_all or bootstrap or bundling_stacks is None or (bundling_stacks and "GSWorkflowBaseStack" in bundling_stacks):
+    print("Creating base stack...")
+    base_stack = GSWorkflowBaseStack(
+        scope=app,
+        id="GSWorkflowBaseStack",
+        config_data=config_data,
+        env=environment
+    )
+
+# Always include post-deploy stack in the app definition, even during destroy
+# Handle cases where bundling_stacks is None, empty list, or contains the stack name
+if select_all or bundling_stacks is None or len(bundling_stacks) == 0 or (bundling_stacks and "GSWorkflowPostDeployStack" in bundling_stacks):
+        print("Post-deploy stack condition is TRUE")
+        try:
+            print("Creating post-deploy stack...")
+            outputs_path = os.path.join(current_path, "outputs.json")
+            print(f"Looking for outputs file at: {outputs_path}")
+            print(f"File exists: {os.path.exists(outputs_path)}")
+            
+            # Try to read existing outputs
+            with open(outputs_path, "r") as f:
+                output_data = json.load(f)
+                print(f"Successfully loaded outputs data: {list(output_data.keys()) if output_data else 'empty'}")
+            
+            post_deploy_stack = GSWorkflowPostDeployStack(
+                scope=app,
+                id="GSWorkflowPostDeployStack",
+                config_data=config_data,
+                output_json_path=outputs_path,
+                build_args=build_args,
+                dockerfile_path=os.path.join(current_path, "../../source/container"),
+                env=environment
+            )
+            print("Post-deploy stack created successfully")
+            
+            if 'base_stack' in locals():
+                post_deploy_stack.add_dependency(base_stack)
+                print("Added dependency on base stack")
+        except (FileNotFoundError, KeyError) as e:
+            print(f"Warning: Could not create post-deploy stack due to missing outputs: {e}")
+        except Exception as e:
+            print(f"Error creating post-deploy stack: {str(e)}")
+else:
+    print("Post-deploy stack condition is FALSE")
+
+app.synth()

deployment/cdk/cdk.json

@@ -0,0 +1,69 @@
+{
+  "app": "python app.py",
+  "watch": {
+    "include": [
+      "**"
+    ],
+    "exclude": [
+      "README.md",
+      "cdk*.json",
+      "requirements*.txt",
+      "source.bat",
+      "**/__init__.py",
+      "python/__pycache__",
+      "tests"
+    ]
+  },
+  "context": {
+    "@aws-cdk/aws-lambda:recognizeLayerVersion": true,
+    "@aws-cdk/core:checkSecretUsage": true,
+    "@aws-cdk/core:target-partitions": [
+      "aws",
+      "aws-cn"
+    ],
+    "@aws-cdk-containers/ecs-service-extensions:enableDefaultLogDriver": true,
+    "@aws-cdk/aws-ec2:uniqueImdsv2TemplateName": true,
+    "@aws-cdk/aws-ecs:arnFormatIncludesClusterName": true,
+    "@aws-cdk/aws-iam:minimizePolicies": true,
+    "@aws-cdk/core:validateSnapshotRemovalPolicy": true,
+    "@aws-cdk/aws-codepipeline:crossAccountKeyAliasStackSafeResourceName": true,
+    "@aws-cdk/aws-s3:createDefaultLoggingPolicy": true,
+    "@aws-cdk/aws-sns-subscriptions:restrictSqsDescryption": true,
+    "@aws-cdk/aws-apigateway:disableCloudWatchRole": true,
+    "@aws-cdk/core:enablePartitionLiterals": true,
+    "@aws-cdk/aws-events:eventsTargetQueueSameAccount": true,
+    "@aws-cdk/aws-iam:standardizedServicePrincipals": true,
+    "@aws-cdk/aws-ecs:disableExplicitDeploymentControllerForCircuitBreaker": true,
+    "@aws-cdk/aws-iam:importedRoleStackSafeDefaultPolicyName": true,
+    "@aws-cdk/aws-s3:serverAccessLogsUseBucketPolicy": true,
+    "@aws-cdk/aws-route53-patters:useCertificate": true,
+    "@aws-cdk/customresources:installLatestAwsSdkDefault": false,
+    "@aws-cdk/aws-rds:databaseProxyUniqueResourceName": true,
+    "@aws-cdk/aws-codedeploy:removeAlarmsFromDeploymentGroup": true,
+    "@aws-cdk/aws-apigateway:authorizerChangeDeploymentLogicalId": true,
+    "@aws-cdk/aws-ec2:launchTemplateDefaultUserData": true,
+    "@aws-cdk/aws-secretsmanager:useAttachedSecretResourcePolicyForSecretTargetAttachments": true,
+    "@aws-cdk/aws-redshift:columnId": true,
+    "@aws-cdk/aws-stepfunctions-tasks:enableEmrServicePolicyV2": true,
+    "@aws-cdk/aws-ec2:restrictDefaultSecurityGroup": true,
+    "@aws-cdk/aws-apigateway:requestValidatorUniqueId": true,
+    "@aws-cdk/aws-kms:aliasNameRef": true,
+    "@aws-cdk/aws-autoscaling:generateLaunchTemplateInsteadOfLaunchConfig": true,
+    "@aws-cdk/core:includePrefixInUniqueNameGeneration": true,
+    "@aws-cdk/aws-efs:denyAnonymousAccess": true,
+    "@aws-cdk/aws-opensearchservice:enableOpensearchMultiAzWithStandby": true,
+    "@aws-cdk/aws-lambda-nodejs:useLatestRuntimeVersion": true,
+    "@aws-cdk/aws-efs:mountTargetOrderInsensitiveLogicalId": true,
+    "@aws-cdk/aws-rds:auroraClusterChangeScopeOfInstanceParameterGroupWithEachParameters": true,
+    "@aws-cdk/aws-appsync:useArnForSourceApiAssociationIdentifier": true,
+    "@aws-cdk/aws-rds:preventRenderingDeprecatedCredentials": true,
+    "@aws-cdk/aws-codepipeline-actions:useNewDefaultBranchForCodeCommitSource": true,
+    "@aws-cdk/aws-cloudwatch-actions:changeLambdaPermissionLogicalIdForLambdaAction": true,
+    "@aws-cdk/aws-codepipeline:crossAccountKeysDefaultValueToFalse": true,
+    "@aws-cdk/aws-codepipeline:defaultPipelineTypeToV2": true,
+    "@aws-cdk/aws-kms:reduceCrossAccountRegionPolicyScope": true,
+    "@aws-cdk/aws-eks:nodegroupNameAttribute": true,
+    "@aws-cdk/aws-ec2:ebsDefaultGp3Volume": true,
+    "@aws-cdk/aws-ecs:removeDefaultDeploymentAlarm": true
+  }
+}

deployment/cdk/config.json

@@ -0,0 +1,9 @@
+{                        
+    "comment": "NOTE: BEFORE DEPLOYING STACK, UPDATE THE ACCOUNT ID AND REGION BELOW",
+    "accountId": "",
+    "region": "us-east-1",
+    "constructNamePrefix": "3dgs",
+    "s3TriggerKey": "workflow-input",
+    "adminEmail": "",
+    "maintainS3ObjectsOnStackDeletion": "true"
+}

deployment/cdk/requirements.txt

@@ -0,0 +1,5 @@
+aws-cdk-lib==2.144.0
+constructs>=10.0.0,<11.0.0
+cdk-ecr-deployment==3.0.127
+boto3
+gradio

deployment/cdk/stacks/components/container_deployment.py

@@ -0,0 +1,147 @@
+# Copyright 2024 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: LicenseRef-.amazon.com.-AmznSL-1.0
+# Licensed under the Amazon Software License  http://aws.amazon.com/asl/
+
+"""Main construct to build and push the container resources to ECR"""
+
+from aws_cdk import (
+    Environment,
+    RemovalPolicy,
+    aws_ecr as ecr,
+    aws_iam as iam,
+    aws_ecr_assets as ecr_assets,
+    CfnOutput
+)
+from aws_cdk.aws_ecr_assets import DockerImageAsset
+import cdk_ecr_deployment
+from constructs import Construct
+import json
+import os
+
+class ContainerDeployment(Construct):
+    """Class for Container Deployment Construct"""
+    def __init__(
+            self,
+            scope: Construct,
+            id: str,
+            config_data: dict,
+            output_data: dict,
+            build_args: dict,
+            dockerfile_path: str,
+            env: Environment,
+            **kwargs) -> None:
+        super().__init__(scope, id, **kwargs)
+
+        try:
+            # Validate input parameters
+            if not dockerfile_path or not os.path.exists(dockerfile_path):
+                raise ValueError(f"Invalid dockerfile path: {dockerfile_path}")
+            if not os.path.exists(os.path.join(dockerfile_path, "Dockerfile")):
+                raise ValueError(f"Dockerfile not found in {dockerfile_path}")
+
+            # Get ECR repository name
+            print(output_data)
+            # Check if output_data already has the GSWorkflowBaseStack key or is already the stack outputs
+            if 'GSWorkflowBaseStack' in output_data:
+                ecr_repo_name = output_data['GSWorkflowBaseStack']['ECRRepoName']
+            else:
+                ecr_repo_name = output_data['ECRRepoName']
+                
+            if not ecr_repo_name:
+                raise ValueError("ECR repository name not found in output data")
+
+            # Create deployment role with required permissions
+            deployment_role = iam.Role(
+                self,
+                "ECRDeploymentRole",
+                assumed_by=iam.ServicePrincipal("lambda.amazonaws.com"),
+                managed_policies=[
+                    iam.ManagedPolicy.from_aws_managed_policy_name(
+                        "service-role/AWSLambdaBasicExecutionRole"
+                    )
+                ]
+            )
+
+            # Add ECR permissions
+            deployment_role.add_to_policy(
+                iam.PolicyStatement(
+                    actions=[
+                        "ecr:GetAuthorizationToken",
+                        "ecr:BatchCheckLayerAvailability",
+                        "ecr:GetDownloadUrlForLayer",
+                        "ecr:GetRepositoryPolicy",
+                        "ecr:DescribeRepositories",
+                        "ecr:ListImages",
+                        "ecr:DescribeImages",
+                        "ecr:BatchGetImage",
+                        "ecr:InitiateLayerUpload",
+                        "ecr:UploadLayerPart",
+                        "ecr:CompleteLayerUpload",
+                        "ecr:PutImage"
+                    ],
+                    resources=[f"arn:aws:ecr:{env.region}:{env.account}:repository/{ecr_repo_name}"]
+                )
+            )
+
+            # Build and assign the docker image for ECR
+            self.asset = ecr_assets.DockerImageAsset(
+                self,
+                "DockerImage",
+                asset_name=ecr_repo_name,
+                directory=dockerfile_path,
+                build_args=build_args,
+                platform=ecr_assets.Platform.LINUX_AMD64,
+                #build_options={
+                #    "platform": "linux/amd64"
+                #}
+            )
+
+            # Copy image from cdk docker image asset to ECR
+            self.deployment = cdk_ecr_deployment.ECRDeployment(
+                self,
+                "DeployDockerImage",
+                src=cdk_ecr_deployment.DockerImageName(self.asset.image_uri),
+                dest=cdk_ecr_deployment.DockerImageName(
+                    f"{env.account}.dkr.ecr.{env.region}.amazonaws.com/{ecr_repo_name}:latest"
+                ),
+                role=deployment_role,
+                memory_limit=512,
+            )
+
+            # Add dependencies
+            if hasattr(self.asset, "node"):
+                self.deployment.node.add_dependency(self.asset)
+
+            # Add outputs
+            CfnOutput(
+                self,
+                "DockerImageUri",
+                value=self.asset.image_uri,
+                description="URI of the built Docker image"
+            )
+
+            CfnOutput(
+                self,
+                "ECRRepositoryUri",
+                value=f"{env.account}.dkr.ecr.{env.region}.amazonaws.com/{ecr_repo_name}",
+                description="URI of the ECR repository"
+            )
+
+        except Exception as e:
+            print(f"Error in ContainerDeployment construct: {e}")
+            raise e
+
+    @property
+    def image_uri(self) -> str:
+        """Return the URI of the deployed Docker image"""
+        return self.asset.image_uri if hasattr(self, 'asset') else None
+
+    @property
+    def deployment_role(self) -> iam.Role:
+        """Return the deployment role"""
+        return self.deployment.role if hasattr(self, 'deployment') else None
+
+    def add_to_role_policy(self, statement: iam.PolicyStatement):
+        """Add additional permissions to the deployment role"""
+        if self.deployment_role:
+            self.deployment_role.add_to_policy(statement)