Lucasmacedo/AI-ifsp-assistente-matricula
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Feat: Adds base project

Browse Source
This commit is contained in:
DNXBrasil
2026-02-25 10:55:19 -03:00
parent 31f87ab437
commit 624f5dc7e6
46 changed files with 2355 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
.gitignore vendored Normal file
View File

@@ -0,0 +1,8 @@
__pycache__/
.venv/
venv/
.python-version
.env
.env.*
pyproject.toml

16
back/Dockerfile Normal file
View File

@@ -0,0 +1,16 @@
FROM python:3.12-slim
COPY requirements.txt ./requirements.txt
RUN pip install --no-cache-dir -r requirements.txt
COPY ./ ./
RUN chmod +x ./entrypoint.sh
# Porta 8000 para a API FastAPI
EXPOSE 8000
# Porta 8501 para o aplicativo Streamlit
EXPOSE 8501
CMD ["./entrypoint.sh"]

0
back/README.md Normal file
View File

32
back/app/api.py Normal file
View File

@@ -0,0 +1,32 @@
from fastapi import FastAPI
from pydantic import BaseModel
from .backend import orquestrador
app = FastAPI()
@app.get("/")
def health():
return {"status": "ok"}
class QueryRequest(BaseModel):
query: str
history: str = ""
class QueryResponse(BaseModel):
response: str
input_tokens: int
output_tokens: int
total_tokens: int
@app.post("/agent", response_model=QueryResponse)
def run_agent(request: QueryRequest):
result = orquestrador.main(request.query, request.history)
return QueryResponse(
response=result["response"],
input_tokens=result["input_tokens"],
output_tokens=result["output_tokens"],
total_tokens=result["total_tokens"],
)

0
back/app/backend/__init__.py Normal file
View File

120
back/app/backend/agent_bedrock.py Normal file
View File

@@ -0,0 +1,120 @@
import operator
from typing import TypedDict, Annotated
from langchain_aws import ChatBedrockConverse
from langchain_core.messages import AIMessage, ToolMessage
from langgraph.graph import StateGraph, END
from .config import REGION, AWS_ACCOUNT
class AgentState(TypedDict):
messages: Annotated[list, operator.add]
current_step: str
def create_bedrock_llm(model_id: str, region: str = REGION, tools: list = None):
"""
Create a ChatBedrock instance using a model ID.
Args:
model_id: Bedrock model ID (e.g., anthropic.claude-haiku-4-5-20251001-v1:0)
region: AWS region (default: REGION env var)
tools: List of LangChain tools to bind to the model
Returns:
ChatBedrock instance configured with the model
"""
MODEL_ARNS = {
"anthropic.claude-haiku-4-5-20251001-v1:0": f"arn:aws:bedrock:{REGION}:{AWS_ACCOUNT}:inference-profile/us.anthropic.claude-haiku-4-5-20251001-v1:0",
"anthropic.claude-sonnet-4-5-20250929-v1:0": f"arn:aws:bedrock:{REGION}:{AWS_ACCOUNT}:inference-profile/global.anthropic.claude-sonnet-4-5-20250929-v1:0",
"meta.llama4-maverick-17b-instruct-v1:0": f"arn:aws:bedrock:{REGION}:{AWS_ACCOUNT}:inference-profile/us.meta.llama4-maverick-17b-instruct-v1:0",
"meta.llama4-scout-17b-instruct-v1:0": f"arn:aws:bedrock:{REGION}:{AWS_ACCOUNT}:inference-profile/us.meta.llama4-scout-17b-instruct-v1:0",
"amazon.nova-lite-v1:0": f"arn:aws:bedrock:{REGION}:{AWS_ACCOUNT}:inference-profile/us.amazon.nova-lite-v1:0",
"amazon.nova-pro-v1:0": f"arn:aws:bedrock:{REGION}:{AWS_ACCOUNT}:inference-profile/us.amazon.nova-pro-v1:0",
"amazon.nova-2-lite-v1:0": f"arn:aws:bedrock:{REGION}:{AWS_ACCOUNT}:inference-profile/global.amazon.nova-2-lite-v1:0",
}
PROVIDER = {
"anthropic.claude-haiku-4-5-20251001-v1:0": "anthropic",
"anthropic.claude-sonnet-4-5-20250929-v1:0": "anthropic",
"meta.llama4-maverick-17b-instruct-v1:0": "meta",
"meta.llama4-scout-17b-instruct-v1:0": "meta",
"amazon.nova-lite-v1:0": "amazon",
"amazon.nova-pro-v1:0": "amazon",
"amazon.nova-2-lite-v1:0": "amazon",
}
prefix = {
"anthropic.claude-haiku-4-5-20251001-v1:0": "us",
"anthropic.claude-sonnet-4-5-20250929-v1:0": "global",
"meta.llama4-maverick-17b-instruct-v1:0": "us",
"meta.llama4-scout-17b-instruct-v1:0": "us",
"amazon.nova-lite-v1:0": "us",
"amazon.nova-pro-v1:0": "us",
"amazon.nova-2-lite-v1:0": "global",
}
llm = ChatBedrockConverse(
model_id=prefix[model_id] + "." + model_id,
region_name=region,
provider=PROVIDER[model_id],
max_tokens=2048,
temperature=0.7,
)
return llm.bind_tools(tools or [])
def call_model(state: AgentState, llm) -> AgentState:
"""Call the LLM with tools."""
response = llm.invoke(state["messages"])
state["current_step"] = "model_called"
return {"messages": [response]}
def call_tools(state: AgentState, tools_map: dict) -> AgentState:
"""Execute any tool calls from the LLM response."""
last_message = state["messages"][-1]
if hasattr(last_message, "tool_calls") and last_message.tool_calls:
tool_messages = []
for tool_call in last_message.tool_calls:
result = tools_map[tool_call["name"]].invoke(tool_call["args"])
tool_messages.append(ToolMessage(content=str(result), tool_call_id=tool_call["id"]))
state["current_step"] = "tools_executed"
return {"messages": tool_messages}
else:
state["current_step"] = "no_tools"
return {"messages": []}
def should_continue(state: AgentState) -> str:
"""Determine if we should continue to tools or end."""
last_message = state["messages"][-1]
if hasattr(last_message, "tool_calls") and last_message.tool_calls:
return "tools"
return "end"
def create_agent(inference_profile_arn: str, region: str = REGION, tools: list = None):
"""
Create a LangGraph agent that uses Bedrock inference profile with tools.
Args:
inference_profile_arn: ARN of the cross-region inference profile
region: AWS region
tools: List of LangChain tools to bind to the model
Returns:
Compiled LangGraph workflow
"""
tools = tools or []
llm = create_bedrock_llm(inference_profile_arn, region, tools)
tools_map = {t.name: t for t in tools}
workflow = StateGraph(AgentState)
workflow.add_node("model", lambda state: call_model(state, llm))
workflow.add_node("tools", lambda state: call_tools(state, tools_map))
workflow.set_entry_point("model")
workflow.add_conditional_edges("model", should_continue, {"tools": "tools", "end": END})
workflow.add_edge("tools", "model")
return workflow.compile()

6
back/app/backend/config.py Normal file
View File

@@ -0,0 +1,6 @@
import os
TABLE = os.environ["TABLE"]
REGION = os.environ["REGION"]
AWS_ACCOUNT = os.environ["AWS_ACCOUNT"]
SECRET_NAME = os.environ["SECRET_NAME"]

53
back/app/backend/dynamo.py Normal file
View File

@@ -0,0 +1,53 @@
import boto3
import json
import os
from botocore.exceptions import ClientError
from langfuse import Langfuse
from .config import REGION, TABLE, SECRET_NAME
dynamodb = boto3.resource("dynamodb", region_name=REGION)
def get_secret() -> str:
session = boto3.session.Session()
client = session.client(service_name="secretsmanager", region_name=REGION)
try:
response = client.get_secret_value(SecretId=SECRET_NAME)
except ClientError as e:
raise e
return response["SecretString"]
secrets = json.loads(get_secret())
langfuse = Langfuse(
public_key=secrets["LANGFUSE-PUBLIC-KEY"],
secret_key=secrets["LANGFUSE-SECRET-KEY"],
host=os.environ["LANGFUSE_HOST"],
)
def get_contexto(dashboard: str) -> dict:
"""
Get contexto, filter, and items_disponiveis from DynamoDB for a given dashboard.
Returns:
Dict with 'contexto', 'filter', and 'items_disponiveis' keys
"""
try:
table = dynamodb.Table(TABLE)
response = table.get_item(Key={"id": dashboard + "_contexto"})
if "Item" not in response:
return {"contexto": "", "filter": "", "items_disponiveis": {}}
item = response["Item"]
return {
"contexto": item.get("contexto", ""),
"filter": item.get("filter_key", ""),
"items_disponiveis": item.get("itens_disponiveis", {}),
}
except ClientError as e:
error_message = e.response["Error"]["Message"]
return {"contexto": f"Error: {error_message}", "filter": "", "items_disponiveis": {}}

48
back/app/backend/orquestrador.py Normal file
View File

@@ -0,0 +1,48 @@
from langchain_core.messages import HumanMessage, AIMessage, SystemMessage
from langfuse.langchain import CallbackHandler
from .config import REGION
from .dynamo import langfuse, get_contexto
from .agent_bedrock import create_agent
from .tools import ReportTools
def main(user_query, history, model, base):
"""Main execution function."""
report_tools = []
SYSTEM_PROMPT = """"""
langfuse_handler = CallbackHandler()
agent = create_agent(model, REGION, tools=report_tools)
initial_state = {
"messages": [
SystemMessage(content=SYSTEM_PROMPT),
HumanMessage(content=user_query),
],
"current_step": "init",
}
config = {"callbacks": [langfuse_handler], "tags": [base]}
final_state = agent.invoke(initial_state, config=config)
total_input_tokens = 0
total_output_tokens = 0
for msg in final_state["messages"]:
if isinstance(msg, AIMessage) and hasattr(msg, "usage_metadata") and msg.usage_metadata:
total_input_tokens += msg.usage_metadata.get("input_tokens", 0)
total_output_tokens += msg.usage_metadata.get("output_tokens", 0)
langfuse.flush()
return {
"response": final_state["messages"][-1].content,
"input_tokens": total_input_tokens,
"output_tokens": total_output_tokens,
"total_tokens": total_input_tokens + total_output_tokens,
}
if __name__ == "__main__":
main(
)

85
back/app/backend/tools.py Normal file
View File

@@ -0,0 +1,85 @@
from botocore.exceptions import ClientError
from langchain_core.tools import StructuredTool
from .config import TABLE
from .dynamo import dynamodb
class ReportTools:
def __init__(self, id_mapping: dict[str, str]):
self.id_mapping = id_mapping
def get_variable_value(self, id: str, variable: str) -> str:
"""
Get a specific variable's value from DynamoDB for a specific id.
Args:
id: The id of the data
variable: The variable/column name to retrieve from the table
Returns:
The content of the specified variable for the given id
"""
real_id = self.id_mapping.get(id, id)
try:
table = dynamodb.Table(TABLE)
response = table.get_item(Key={"id": real_id})
if "Item" not in response:
return f"No report found for month: {id}"
item = response["Item"]
content = item.get(variable, "")
if not content:
return f"Variable '{variable}' not found for month: {id}"
return f"<{id}>\n{content}\n</{id}>"
except ClientError as e:
error_message = e.response["Error"]["Message"]
return f"Error fetching report: {error_message}"
def get_variables_list(self, id: str) -> str:
"""
Get the list of variables available in the table for a specific month.
Args:
id: The id of the data
Returns:
The list of available variables/keys for the specified data
"""
real_id = self.id_mapping.get(id, id)
try:
table = dynamodb.Table(TABLE)
response = table.get_item(Key={"id": real_id})
if "Item" not in response:
return f"No data found for month: {id}"
item = response["Item"]
chaves_consolidadas = item.get("chaves_consolidadas", "")
if not chaves_consolidadas:
return f"No consolidated keys found for id: {id}"
return chaves_consolidadas
except ClientError as e:
error_message = e.response["Error"]["Message"]
return f"Error fetching consolidated keys: {error_message}"
def as_tools(self) -> list:
return [
StructuredTool.from_function(
self.get_variable_value,
name="get_variable_value",
description="Get a specific variable's data from DynamoDB for a specific id.",
),
StructuredTool.from_function(
self.get_variables_list,
name="get_variable_list",
description="Get the list of variables available in the table for a specific id.",
),
]

75
back/app/front.py Normal file
View File

@@ -0,0 +1,75 @@
import streamlit as st
import time
from backend import orquestrador
import boto3
from boto3.dynamodb.conditions import Key
# Configure the page - MUST BE FIRST
st.set_page_config(
page_title="Chatbot",
page_icon="💬",
layout="centered"
)
session = boto3.Session()
# Initialize chat history in session state
if "messages" not in st.session_state:
st.session_state.messages = []
# Display title
st.title("💬 Chatbot")
# Display chat history
for message in st.session_state.messages:
with st.chat_message(message["role"]):
st.markdown(message["content"])
# Chat input
if prompt := st.chat_input("Type your message here..."):
# Add user message to chat history
st.session_state.messages.append({"role": "user", "content": prompt})
# Display user message
with st.chat_message("user"):
st.markdown(prompt)
# Display assistant response
with st.chat_message("assistant"):
message_placeholder = st.empty()
# Simulate streaming response (replace with actual API call)
result = orquestrador.main(prompt,str(st.session_state.messages),selected_value,base)
full_response = result["response"]
# Simulate typing effect
displayed_response = ""
for char in full_response:
displayed_response += char
message_placeholder.markdown(displayed_response + "")
time.sleep(0.01)
message_placeholder.markdown(full_response)
st.caption(f"Tokens: {result['input_tokens']} in / {result['output_tokens']} out / {result['total_tokens']} total")
# Add assistant response to chat history
st.session_state.messages.append({"role": "assistant", "content": full_response})
# Add a sidebar with options
with st.sidebar:
st.header("Options")
if st.button("Clear Chat History"):
st.session_state.messages = []
st.rerun()
st.divider()
st.markdown("""
### How to use:
1. Type your message in the input box
2. Press Enter or click Send
3. View the conversation history
""")

9
back/entrypoint.sh Normal file
View File

@@ -0,0 +1,9 @@
#!/bin/bash
# Inicia a API FastAPI em segundo plano
echo "Iniciando API FastAPI na porta 8000..."
uvicorn app.api:app --host 0.0.0.0 --port 8000 &
# Inicia o aplicativo Streamlit em primeiro plano
echo "Iniciando aplicativo Streamlit na porta 8501..."
streamlit run app/front.py --server.port 8501 --server.address 0.0.0.0 --server.headless true

7
back/pyproject.toml Normal file
View File

@@ -0,0 +1,7 @@
[project]
name = "code"
version = "0.1.0"
description = "Add your description here"
readme = "README.md"
requires-python = ">=3.12"
dependencies = []

8
back/requirements.txt Normal file
View File

@@ -0,0 +1,8 @@
boto3==1.42.10
langchain-aws==1.1.0
langgraph==1.0.5
langchain==1.2.0
streamlit==1.52.2
langfuse==3.11.2
fastapi==0.129.0
uvicorn==0.41.0

10
infra/ecr/.gitignore vendored Normal file
View File

@@ -0,0 +1,10 @@
# Python-generated files
__pycache__/
*.py[oc]
build/
dist/
wheels/
*.egg-info
# Virtual environments
.venv

9
infra/ecr/Pulumi.ifsp-assistente-matricula-ecr.yaml Normal file
View File

@@ -0,0 +1,9 @@
config:
ecr_dev:entity_extraction_dev: ecr
ecr_dev:environment: dev
ecr_dev:ecr:
backend:
image_mutability: MUTABLE
name: assistente-matricula-dev
ecr_dev:project: Assistente Matricula
aws:region: us-east-1

3
infra/ecr/Pulumi.yaml Normal file
View File

@@ -0,0 +1,3 @@
name: ecr_dev
runtime: python
description: Infraestrutura da aplicação ECR

93
infra/ecr/README.md Normal file
View File

@@ -0,0 +1,93 @@
# ecr
## Getting started
To make it easy for you to get started with GitLab, here's a list of recommended next steps.
Already a pro? Just edit this README.md and make it your own. Want to make it easy? [Use the template at the bottom](#editing-this-readme)!
## Add your files
- [ ] [Create](https://docs.gitlab.com/ee/user/project/repository/web_editor.html#create-a-file) or [upload](https://docs.gitlab.com/ee/user/project/repository/web_editor.html#upload-a-file) files
- [ ] [Add files using the command line](https://docs.gitlab.com/ee/gitlab-basics/add-file.html#add-a-file-using-the-command-line) or push an existing Git repository with the following command:
```
cd existing_repo
git remote add origin https://gitlab.shared.cloud.dnxbrasil.com.br/dnx-br/sandbox/genai/ecr.git
git branch -M main
git push -uf origin main
```
## Integrate with your tools
- [ ] [Set up project integrations](https://gitlab.shared.cloud.dnxbrasil.com.br/dnx-br/sandbox/genai/ecr/-/settings/integrations)
## Collaborate with your team
- [ ] [Invite team members and collaborators](https://docs.gitlab.com/ee/user/project/members/)
- [ ] [Create a new merge request](https://docs.gitlab.com/ee/user/project/merge_requests/creating_merge_requests.html)
- [ ] [Automatically close issues from merge requests](https://docs.gitlab.com/ee/user/project/issues/managing_issues.html#closing-issues-automatically)
- [ ] [Enable merge request approvals](https://docs.gitlab.com/ee/user/project/merge_requests/approvals/)
- [ ] [Set auto-merge](https://docs.gitlab.com/ee/user/project/merge_requests/merge_when_pipeline_succeeds.html)
## Test and Deploy
Use the built-in continuous integration in GitLab.
- [ ] [Get started with GitLab CI/CD](https://docs.gitlab.com/ee/ci/quick_start/index.html)
- [ ] [Analyze your code for known vulnerabilities with Static Application Security Testing (SAST)](https://docs.gitlab.com/ee/user/application_security/sast/)
- [ ] [Deploy to Kubernetes, Amazon EC2, or Amazon ECS using Auto Deploy](https://docs.gitlab.com/ee/topics/autodevops/requirements.html)
- [ ] [Use pull-based deployments for improved Kubernetes management](https://docs.gitlab.com/ee/user/clusters/agent/)
- [ ] [Set up protected environments](https://docs.gitlab.com/ee/ci/environments/protected_environments.html)
***
# Editing this README
When you're ready to make this README your own, just edit this file and use the handy template below (or feel free to structure it however you want - this is just a starting point!). Thanks to [makeareadme.com](https://www.makeareadme.com/) for this template.
## Suggestions for a good README
Every project is different, so consider which of these sections apply to yours. The sections used in the template are suggestions for most open source projects. Also keep in mind that while a README can be too long and detailed, too long is better than too short. If you think your README is too long, consider utilizing another form of documentation rather than cutting out information.
## Name
Choose a self-explaining name for your project.
## Description
Let people know what your project can do specifically. Provide context and add a link to any reference visitors might be unfamiliar with. A list of Features or a Background subsection can also be added here. If there are alternatives to your project, this is a good place to list differentiating factors.
## Badges
On some READMEs, you may see small images that convey metadata, such as whether or not all the tests are passing for the project. You can use Shields to add some to your README. Many services also have instructions for adding a badge.
## Visuals
Depending on what you are making, it can be a good idea to include screenshots or even a video (you'll frequently see GIFs rather than actual videos). Tools like ttygif can help, but check out Asciinema for a more sophisticated method.
## Installation
Within a particular ecosystem, there may be a common way of installing things, such as using Yarn, NuGet, or Homebrew. However, consider the possibility that whoever is reading your README is a novice and would like more guidance. Listing specific steps helps remove ambiguity and gets people to using your project as quickly as possible. If it only runs in a specific context like a particular programming language version or operating system or has dependencies that have to be installed manually, also add a Requirements subsection.
## Usage
Use examples liberally, and show the expected output if you can. It's helpful to have inline the smallest example of usage that you can demonstrate, while providing links to more sophisticated examples if they are too long to reasonably include in the README.
## Support
Tell people where they can go to for help. It can be any combination of an issue tracker, a chat room, an email address, etc.
## Roadmap
If you have ideas for releases in the future, it is a good idea to list them in the README.
## Contributing
State if you are open to contributions and what your requirements are for accepting them.
For people who want to make changes to your project, it's helpful to have some documentation on how to get started. Perhaps there is a script that they should run or some environment variables that they need to set. Make these steps explicit. These instructions could also be useful to your future self.
You can also document commands to lint the code or run tests. These steps help to ensure high code quality and reduce the likelihood that the changes inadvertently break something. Having instructions for running tests is especially helpful if it requires external setup, such as starting a Selenium server for testing in a browser.
## Authors and acknowledgment
Show your appreciation to those who have contributed to the project.
## License
For open source projects, say how it is licensed.
## Project status
If you have run out of energy or time for your project, put a note at the top of the README saying that development has slowed down or stopped completely. Someone may choose to fork your project or volunteer to step in as a maintainer or owner, allowing your project to keep going. You can also make an explicit request for maintainers.

27
infra/ecr/__main__.py Normal file
View File

@@ -0,0 +1,27 @@
import json
import pulumi
import pulumi_aws as aws
caller_identity = aws.get_caller_identity()
account_id = caller_identity.account_id
config = pulumi.Config()
project = config.require("project")
environment = config.require("environment")
stacks=["backend"]
for stack in stacks:
ecr_config = config.require_object("ecr")[stack]
ecr_repo = aws.ecr.Repository(ecr_config['name'],
name=ecr_config['name'],
encryption_configurations=[{
"encryption_type": "AES256",
}],
image_scanning_configuration={
"scan_on_push": False,
},
image_tag_mutability=ecr_config['image_mutability'],
opts = pulumi.ResourceOptions(protect=False))
pulumi.export("url", pulumi.Output.concat("ECR REPO ID:", ecr_repo.id))

6
infra/ecr/main.py Normal file
View File

@@ -0,0 +1,6 @@
def main():
print("Hello from ecr!")
if __name__ == "__main__":
main()

5
infra/ecr/requirements.txt Normal file
View File

@@ -0,0 +1,5 @@
pulumi
pulumi-aws
pulumi-docker
boto3
setuptools

59
infra/ecs_alb/Pulumi.ifsp-assistente-matricula-ecs-alb.yaml Normal file
View File

@@ -0,0 +1,59 @@
config:
aws:region: us-east-1
app-ecs:account_id: "305427701314" # dnxbrasil-nonprod
app-ecs:project_name: assistente-analitico
app-ecs:environment: dev
# app-ecs:bedrock_api_key:
# secure: you-can-put-your-pulumi-encrypted-secure-string-here
app-ecs:tags:
project: assistente-analitico-db-dev
env: dev # dev, test, stage, prod
account: nonprod # prod, nonprod, dataScience
costCenter: AI # AWSGeneral, AI, data, productName
owner: AI # team or a preson responsible
app-ecs:network:
vpc_id: vpc-17ceb96c
alb_internal: false
alb_subnet_ids: # 2+ private subnets if alb_internal else public subnets in the same region and vpc
- subnet-0de9f056635629827
- subnet-09cda74f27c543521
alb_allow_ingress_cidr:
- 3.14.44.224/32
ecs_subnet_ids:
- subnet-0f50f25a2fbb054d4
- subnet-043a427630309c2f4
app-ecs:ecs:
- task_name: assisnte-analitico-db-dev
ecr_repo_name: assistente-analitico-db-dev
ecr_image_tag: latest
ecr_image_digest: sha256:0bd3a927df4367ba29dbd173e0414d884e973c37599a3f6241341e8d190e827b
cpu: 256
memory: 512
desired_count: 1
sgs_allowing_ingress: {}
use_load_balancer: true
auto_scaling:
min_capacity: 1
max_capacity: 3
target_value: 60.0
lb_configs:
- name: streamlit
listener_port: 8501
target_port: 8501
container_port: 8501
- name: api
listener_port: 8000
target_port: 8000
container_port: 8000
env_variables:
LANGFUSE_HOST: http://172.31.252.176:3000
TABLE: poc_dnx_monthly_summary
REGION: us-east-1
AWS_ACCOUNT: "305427701314"
SECRET_NAME: assistente-db-secrets-manager
# SECRET_NAME: dev/ai-pge-doc-classification
# BEDROCK_REGION: us-east-1
# LANGCHAIN_TRACING_V2: "true"
# LANGCHAIN_PROJECT: pge-doc-classification-dev
app-ecs:cloudwatch:
log_group_name: assistente-analitico-db-dev

6
infra/ecs_alb/Pulumi.yaml Normal file
View File

@@ -0,0 +1,6 @@
name: app-ecs
runtime:
name: python
options:
virtualenv: venv
description: AWS ECS application deploy

71
infra/ecs_alb/README.md Normal file
View File

@@ -0,0 +1,71 @@
# GenAI project infratructure with Pulumi
Nesta documentação apresentamos o setup da IaC do projeto de GenAI.
## 🚀 Deploying Infrastructure to AWS
Para deployar a infraestrutura referente o projeto de GenAI, é utilizado uma stack IaC Pulumi.
Para isso, o desenvolvedor deve seguir os passos:
1. Dentro do diretório raiz do projeto, crie um ambiente virtual pelos comandos:
```shell
# pip install virtualenv
python3.11 -m venv .venv
source .venv/bin/activate
pip install -r requirements.txt
```
2. (opcional) Configure o seu Pulumi Token:
```shell
export PULUMI_ACCESS_TOKEN="your-access-token"
```
3. Pulumi Login:
```shell
pulumi login
```
4. (opcional) Select a stack to work on:
```shell
pulumi stack select
```
5. Suba a stack do pulumi:
```shell
pulumi up #selecione o stack se não tiver selecionado
```
Após estes passo, os serviços e dependências do projeto serão criados/atualizados, gerando a fundação para a aplicação.
#### Observação 1:
Lembre-se de configurar o usuário IAM registrado como profile no aws-cli, para detectar a conta AWS a ser utilizada:
```shell
export AWS_PROFILE=myorg-nonprod
```
Se não tiver configurado o profile o aws-cli, exporte as seguintes variáveis:
```shell
export AWS_DEFAULT_REGION=
export AWS_ACCESS_KEY_ID=
export AWS_SECRET_ACCESS_KEY=
```
#### Observação 2: Registro de imagem Docker no ECR
Para que a infraestrutura projetada anteriormente consiga referenciar as imagens de cada projeto, é necessário indicar o nome do repositório no argumento `ecr_repo_name` no arquivo YAML.
Como a versão da imagem a ser deployada, indique ou `ecr_image_tag` ou `ecr_image_digest`, sem indicar ambos.
Para registrar corretamente a imagem Docker da sua aplicação no ECR, siga os passos descritos na seguinte documentação:
- https://docs.aws.amazon.com/AmazonECR/latest/userguide/docker-push-ecr-image.html
Para incluir variáveis de ambiente no container, informe-as como dicionário (chave-valor) em `env_variables`.
## 🤝 Agradecimentos
* Agradecemos por toda a parceria durante o projeto. Conte conosco! 📢

60
infra/ecs_alb/__main__.py Normal file
View File

@@ -0,0 +1,60 @@
import pulumi
import pulumi_aws as aws
import conf as config
import iam
import ecs
# ECS Cluster Setup
app_ecs_cluster = aws.ecs.Cluster(f"{config.project_name}-ecs-cluster",
configuration=aws.ecs.ClusterConfigurationArgs(
execute_command_configuration=aws.ecs.ClusterConfigurationExecuteCommandConfigurationArgs(
logging="DEFAULT",
),
),
settings=[aws.ecs.ClusterSettingArgs(
name="containerInsights",
value="disabled",
)],
tags={"Name": f"{config.project_name}-{config.stack_name}"},
)
ecs_cluster_capacity_providers = aws.ecs.ClusterCapacityProviders(f"{config.project_name}-cluster-capacity-providers",
cluster_name=app_ecs_cluster.name,
capacity_providers=["FARGATE", "FARGATE_SPOT"],
)
# Security Group Setup
alb_security_group = aws.ec2.SecurityGroup(f"{config.project_name}-security-group",
vpc_id=config.network["vpc_id"],
ingress=[aws.ec2.SecurityGroupIngressArgs(
protocol="-1",
from_port=0,
to_port=0,
cidr_blocks=config.network["alb_allow_ingress_cidr"],
),
],
egress=[aws.ec2.SecurityGroupEgressArgs(
protocol="-1",
from_port=0,
to_port=0,
cidr_blocks=["0.0.0.0/0"],
)],
)
# Load Balancer Setup
app_load_balancer = aws.lb.LoadBalancer(
f"alb-{config.project_name}",
load_balancer_type="application",
security_groups=[alb_security_group.id],
subnets=config.network["alb_subnet_ids"],
idle_timeout=(1200),
internal=config.network['alb_internal'],
)
for ecs_app in config.ecs:
ecs.deploy_app(ecs_app, app_ecs_cluster, alb_security_group, app_load_balancer.arn)
# Export the ALB DNS Name
pulumi.export("url", app_load_balancer.dns_name.apply(lambda dns_name: f"http://{dns_name}"))

13
infra/ecs_alb/autotag/autotag.py Normal file
View File

@@ -0,0 +1,13 @@
import pulumi
from autotag.taggable import is_taggable
# registerAutoTags registers a global stack transformation that merges a set
# of tags with whatever was also explicitly added to the resource definition.
def register_auto_tags(auto_tags):
pulumi.runtime.register_stack_transformation(lambda args: auto_tag(args, auto_tags))
# auto_tag applies the given tags to the resource properties if applicable.
def auto_tag(args, auto_tags):
if is_taggable(args.type_):
args.props['tags'] = {**(args.props['tags'] or {}), **auto_tags}
return pulumi.ResourceTransformationResult(args.props, args.opts)

12
infra/ecs_alb/autotag/policy-config.json Normal file
View File

@@ -0,0 +1,12 @@
{
"all": "mandatory",
"check-required-tags": {
"requiredTags": [
"user:project",
"user:env",
"user:account",
"user:costCenter",
"user:owner"
]
}
}

234
infra/ecs_alb/autotag/taggable.py Normal file
View File

@@ -0,0 +1,234 @@
# isTaggable returns true if the given resource type is an AWS resource that supports tags.
def is_taggable(t):
return t in taggable_resource_types
# taggable_resource_types is a list of known AWS type tokens that are taggable.
taggable_resource_types = [
'aws:accessanalyzer/analyzer:Analyzer',
'aws:acm/certificate:Certificate',
'aws:acmpca/certificateAuthority:CertificateAuthority',
'aws:alb/loadBalancer:LoadBalancer',
'aws:alb/targetGroup:TargetGroup',
'aws:apigateway/apiKey:ApiKey',
'aws:apigateway/clientCertificate:ClientCertificate',
'aws:apigateway/domainName:DomainName',
'aws:apigateway/restApi:RestApi',
'aws:apigateway/stage:Stage',
'aws:apigateway/usagePlan:UsagePlan',
'aws:apigateway/vpcLink:VpcLink',
'aws:applicationloadbalancing/loadBalancer:LoadBalancer',
'aws:applicationloadbalancing/targetGroup:TargetGroup',
'aws:appmesh/mesh:Mesh',
'aws:appmesh/route:Route',
'aws:appmesh/virtualNode:VirtualNode',
'aws:appmesh/virtualRouter:VirtualRouter',
'aws:appmesh/virtualService:VirtualService',
'aws:appsync/graphQLApi:GraphQLApi',
'aws:athena/workgroup:Workgroup',
'aws:autoscaling/group:Group',
'aws:backup/plan:Plan',
'aws:backup/vault:Vault',
'aws:cfg/aggregateAuthorization:AggregateAuthorization',
'aws:cfg/configurationAggregator:ConfigurationAggregator',
'aws:cfg/rule:Rule',
'aws:cloudformation/stack:Stack',
'aws:cloudformation/stackSet:StackSet',
'aws:cloudfront/distribution:Distribution',
'aws:cloudhsmv2/cluster:Cluster',
'aws:cloudtrail/trail:Trail',
'aws:cloudwatch/eventRule:EventRule',
'aws:cloudwatch/logGroup:LogGroup',
'aws:cloudwatch/metricAlarm:MetricAlarm',
'aws:codebuild/project:Project',
'aws:codecommit/repository:Repository',
'aws:codepipeline/pipeline:Pipeline',
'aws:codepipeline/webhook:Webhook',
'aws:codestarnotifications/notificationRule:NotificationRule',
'aws:cognito/identityPool:IdentityPool',
'aws:cognito/userPool:UserPool',
'aws:datapipeline/pipeline:Pipeline',
'aws:datasync/agent:Agent',
'aws:datasync/efsLocation:EfsLocation',
'aws:datasync/locationSmb:LocationSmb',
'aws:datasync/nfsLocation:NfsLocation',
'aws:datasync/s3Location:S3Location',
'aws:datasync/task:Task',
'aws:dax/cluster:Cluster',
'aws:directconnect/connection:Connection',
'aws:directconnect/hostedPrivateVirtualInterfaceAccepter:HostedPrivateVirtualInterfaceAccepter',
'aws:directconnect/hostedPublicVirtualInterfaceAccepter:HostedPublicVirtualInterfaceAccepter',
'aws:directconnect/hostedTransitVirtualInterfaceAcceptor:HostedTransitVirtualInterfaceAcceptor',
'aws:directconnect/linkAggregationGroup:LinkAggregationGroup',
'aws:directconnect/privateVirtualInterface:PrivateVirtualInterface',
'aws:directconnect/publicVirtualInterface:PublicVirtualInterface',
'aws:directconnect/transitVirtualInterface:TransitVirtualInterface',
'aws:directoryservice/directory:Directory',
'aws:dlm/lifecyclePolicy:LifecyclePolicy',
'aws:dms/endpoint:Endpoint',
'aws:dms/replicationInstance:ReplicationInstance',
'aws:dms/replicationSubnetGroup:ReplicationSubnetGroup',
'aws:dms/replicationTask:ReplicationTask',
'aws:docdb/cluster:Cluster',
'aws:docdb/clusterInstance:ClusterInstance',
'aws:docdb/clusterParameterGroup:ClusterParameterGroup',
'aws:docdb/subnetGroup:SubnetGroup',
'aws:dynamodb/table:Table',
'aws:ebs/snapshot:Snapshot',
'aws:ebs/snapshotCopy:SnapshotCopy',
'aws:ebs/volume:Volume',
'aws:ec2/ami:Ami',
'aws:ec2/amiCopy:AmiCopy',
'aws:ec2/amiFromInstance:AmiFromInstance',
'aws:ec2/capacityReservation:CapacityReservation',
'aws:ec2/customerGateway:CustomerGateway',
'aws:ec2/defaultNetworkAcl:DefaultNetworkAcl',
'aws:ec2/defaultRouteTable:DefaultRouteTable',
'aws:ec2/defaultSecurityGroup:DefaultSecurityGroup',
'aws:ec2/defaultSubnet:DefaultSubnet',
'aws:ec2/defaultVpc:DefaultVpc',
'aws:ec2/defaultVpcDhcpOptions:DefaultVpcDhcpOptions',
'aws:ec2/eip:Eip',
'aws:ec2/fleet:Fleet',
'aws:ec2/instance:Instance',
'aws:ec2/internetGateway:InternetGateway',
'aws:ec2/keyPair:KeyPair',
'aws:ec2/launchTemplate:LaunchTemplate',
'aws:ec2/natGateway:NatGateway',
'aws:ec2/networkAcl:NetworkAcl',
'aws:ec2/networkInterface:NetworkInterface',
'aws:ec2/placementGroup:PlacementGroup',
'aws:ec2/routeTable:RouteTable',
'aws:ec2/securityGroup:SecurityGroup',
'aws:ec2/spotInstanceRequest:SpotInstanceRequest',
'aws:ec2/subnet:Subnet',
'aws:ec2/vpc:Vpc',
'aws:ec2/vpcDhcpOptions:VpcDhcpOptions',
'aws:ec2/vpcEndpoint:VpcEndpoint',
'aws:ec2/vpcEndpointService:VpcEndpointService',
'aws:ec2/vpcPeeringConnection:VpcPeeringConnection',
'aws:ec2/vpcPeeringConnectionAccepter:VpcPeeringConnectionAccepter',
'aws:ec2/vpnConnection:VpnConnection',
'aws:ec2/vpnGateway:VpnGateway',
'aws:ec2clientvpn/endpoint:Endpoint',
'aws:ec2transitgateway/routeTable:RouteTable',
'aws:ec2transitgateway/transitGateway:TransitGateway',
'aws:ec2transitgateway/vpcAttachment:VpcAttachment',
'aws:ec2transitgateway/vpcAttachmentAccepter:VpcAttachmentAccepter',
'aws:ecr/repository:Repository',
'aws:ecs/capacityProvider:CapacityProvider',
'aws:ecs/cluster:Cluster',
'aws:ecs/service:Service',
'aws:ecs/taskDefinition:TaskDefinition',
'aws:efs/fileSystem:FileSystem',
'aws:eks/cluster:Cluster',
'aws:eks/fargateProfile:FargateProfile',
'aws:eks/nodeGroup:NodeGroup',
'aws:elasticache/cluster:Cluster',
'aws:elasticache/replicationGroup:ReplicationGroup',
'aws:elasticbeanstalk/application:Application',
'aws:elasticbeanstalk/applicationVersion:ApplicationVersion',
'aws:elasticbeanstalk/environment:Environment',
'aws:elasticloadbalancing/loadBalancer:LoadBalancer',
'aws:elasticloadbalancingv2/loadBalancer:LoadBalancer',
'aws:elasticloadbalancingv2/targetGroup:TargetGroup',
'aws:elasticsearch/domain:Domain',
'aws:elb/loadBalancer:LoadBalancer',
'aws:emr/cluster:Cluster',
'aws:fsx/lustreFileSystem:LustreFileSystem',
'aws:fsx/windowsFileSystem:WindowsFileSystem',
'aws:gamelift/alias:Alias',
'aws:gamelift/build:Build',
'aws:gamelift/fleet:Fleet',
'aws:gamelift/gameSessionQueue:GameSessionQueue',
'aws:glacier/vault:Vault',
'aws:glue/crawler:Crawler',
'aws:glue/job:Job',
'aws:glue/trigger:Trigger',
'aws:iam/role:Role',
'aws:iam/user:User',
'aws:inspector/resourceGroup:ResourceGroup',
'aws:kinesis/analyticsApplication:AnalyticsApplication',
'aws:kinesis/firehoseDeliveryStream:FirehoseDeliveryStream',
'aws:kinesis/stream:Stream',
'aws:kms/externalKey:ExternalKey',
'aws:kms/key:Key',
'aws:lambda/function:Function',
'aws:lb/loadBalancer:LoadBalancer',
'aws:lb/targetGroup:TargetGroup',
'aws:licensemanager/licenseConfiguration:LicenseConfiguration',
'aws:lightsail/instance:Instance',
'aws:mediaconvert/queue:Queue',
'aws:mediapackage/channel:Channel',
'aws:mediastore/container:Container',
'aws:mq/broker:Broker',
'aws:mq/configuration:Configuration',
'aws:msk/cluster:Cluster',
'aws:neptune/cluster:Cluster',
'aws:neptune/clusterInstance:ClusterInstance',
'aws:neptune/clusterParameterGroup:ClusterParameterGroup',
'aws:neptune/eventSubscription:EventSubscription',
'aws:neptune/parameterGroup:ParameterGroup',
'aws:neptune/subnetGroup:SubnetGroup',
'aws:opsworks/stack:Stack',
'aws:organizations/account:Account',
'aws:pinpoint/app:App',
'aws:qldb/ledger:Ledger',
'aws:ram/resourceShare:ResourceShare',
'aws:rds/cluster:Cluster',
'aws:rds/clusterEndpoint:ClusterEndpoint',
'aws:rds/clusterInstance:ClusterInstance',
'aws:rds/clusterParameterGroup:ClusterParameterGroup',
'aws:rds/clusterSnapshot:ClusterSnapshot',
'aws:rds/eventSubscription:EventSubscription',
'aws:rds/instance:Instance',
'aws:rds/optionGroup:OptionGroup',
'aws:rds/parameterGroup:ParameterGroup',
'aws:rds/securityGroup:SecurityGroup',
'aws:rds/snapshot:Snapshot',
'aws:rds/subnetGroup:SubnetGroup',
'aws:redshift/cluster:Cluster',
'aws:redshift/eventSubscription:EventSubscription',
'aws:redshift/parameterGroup:ParameterGroup',
'aws:redshift/snapshotCopyGrant:SnapshotCopyGrant',
'aws:redshift/snapshotSchedule:SnapshotSchedule',
'aws:redshift/subnetGroup:SubnetGroup',
'aws:resourcegroups/group:Group',
'aws:route53/healthCheck:HealthCheck',
'aws:route53/resolverEndpoint:ResolverEndpoint',
'aws:route53/resolverRule:ResolverRule',
'aws:route53/zone:Zone',
'aws:s3/bucket:Bucket',
'aws:s3/bucketObject:BucketObject',
'aws:sagemaker/endpoint:Endpoint',
'aws:sagemaker/endpointConfiguration:EndpointConfiguration',
'aws:sagemaker/model:Model',
'aws:sagemaker/notebookInstance:NotebookInstance',
'aws:secretsmanager/secret:Secret',
'aws:servicecatalog/portfolio:Portfolio',
'aws:sfn/activity:Activity',
'aws:sfn/stateMachine:StateMachine',
'aws:sns/topic:Topic',
'aws:sqs/queue:Queue',
'aws:ssm/activation:Activation',
'aws:ssm/document:Document',
'aws:ssm/maintenanceWindow:MaintenanceWindow',
'aws:ssm/parameter:Parameter',
'aws:ssm/patchBaseline:PatchBaseline',
'aws:storagegateway/cachesIscsiVolume:CachesIscsiVolume',
'aws:storagegateway/gateway:Gateway',
'aws:storagegateway/nfsFileShare:NfsFileShare',
'aws:storagegateway/smbFileShare:SmbFileShare',
'aws:swf/domain:Domain',
'aws:transfer/server:Server',
'aws:transfer/user:User',
'aws:waf/rateBasedRule:RateBasedRule',
'aws:waf/rule:Rule',
'aws:waf/ruleGroup:RuleGroup',
'aws:waf/webAcl:WebAcl',
'aws:wafregional/rateBasedRule:RateBasedRule',
'aws:wafregional/rule:Rule',
'aws:wafregional/ruleGroup:RuleGroup',
'aws:wafregional/webAcl:WebAcl',
'aws:workspaces/directory:Directory',
'aws:workspaces/ipGroup:IpGroup',
]

31
infra/ecs_alb/conf.py Normal file
View File

@@ -0,0 +1,31 @@
import pulumi
import pulumi_aws as aws
from autotag.autotag import register_auto_tags
config = pulumi.Config()
pulumi_project = pulumi.get_project()
project_name = config.require("project_name")
stack_name = pulumi.get_stack()
aws_region = aws.get_region().id
current = aws.get_caller_identity()
current = aws.get_caller_identity_output()
account_id1 = current.account_id
account_id = config.require("account_id")
network = config.get_object("network")
ecs = config.get_object("ecs")
ecr = config.get_object("ecr")
environment = config.require("environment")
register_auto_tags(config.get_object('tags'))
def get(x):
return config.get(x)
def get_bool(x):
return config.get_bool(x)

100
infra/ecs_alb/ecr.py Normal file
View File

@@ -0,0 +1,100 @@
import pulumi
import pulumi_aws as aws
import conf as config
import json
def create_ecr_repo():
ecr_repositories = []
for repo in config.ecr["repos"]:
if repo["create_ecr_repo"]:
ecr_repository = aws.ecr.Repository(
repo,
name=f"{repo}",
force_delete=True)
token = aws.ecr.get_authorization_token_output(registry_id=ecr_repository.registry_id)
langserve_ecr_life_cycle_policy = aws.ecr.LifecyclePolicy(f"{repo}-ecr-life-cycle-policy",
repository=ecr_repository.name,
policy=json.dumps({
"rules": [{
"rulePriority": 1,
"description": "Expire images when they are more than 10 available",
"selection": {
"tagStatus": "any",
"countType": "imageCountMoreThan",
"countNumber": 10,
},
"action": {
"type": "expire",
},
}],
}))
policy_ecr = aws.iam.get_policy_document(statements=[{
"sid": "new policy",
"effect": "Allow",
"principals": [{
"type": "AWS",
"identifiers": [config.account_id],
}],
"actions": [
"ecr:GetDownloadUrlForLayer",
"ecr:BatchGetImage",
"ecr:BatchCheckLayerAvailability",
"ecr:PutImage",
"ecr:InitiateLayerUpload",
"ecr:UploadLayerPart",
"ecr:CompleteLayerUpload",
"ecr:DescribeRepositories",
"ecr:GetRepositoryPolicy",
"ecr:ListImages",
"ecr:DeleteRepository",
"ecr:BatchDeleteImage",
"ecr:SetRepositoryPolicy",
"ecr:DeleteRepositoryPolicy",
],
}])
attach_policy = aws.ecr.RepositoryPolicy(f"{repo}-policy_ecr",
repository=ecr_repository.name,
policy=policy_ecr.json)
else:
ecr_repository = aws.ecr.get_repository_output(name=repo['name'])
token = aws.ecr.get_authorization_token_output(registry_id=ecr_repository.registry_id)
repo['ecr_repo_resource'] = ecr_repository
repo['ecr_token'] = token
ecr_repositories.append(repo)
return ecr_repositories
def get_image(ecr_repo_name, image_tag=None, image_digest=None):
assert (image_tag is not None) != (image_digest is not None), 'User either tag or image_digest, not both, to identify ECR image version.'
if image_tag:
return aws.ecr.get_image(repository_name=ecr_repo_name, image_tag=image_tag)
elif image_digest:
return aws.ecr.get_image(repository_name=ecr_repo_name, image_digest=image_digest)
def build_and_push(ecr_repositories):
ecr_repo_images = {}
for repo in ecr_repositories:
ecr_repo = repo['ecr_repo_resource']
container_context = config.get("container-context")
if container_context is None:
container_context = "."
container_file = config.get("container-file")
if container_file is None:
container_file = "./Dockerfile"
assert ('tag' in repo.keys()) != ('image_digest' in repo.keys()), 'User must provide either tag or image_digest, but not both, to identify image version'
if 'tag' in repo.keys():
ecr_image=aws.ecr.get_image(repository_name=ecr_repo.name, image_tag=repo['tag'])
elif 'image_digest' in repo.keys():
ecr_image=aws.ecr.get_image(repository_name=ecr_repo.name, image_digest=repo['image_digest'])
repo['ecr_image'] = ecr_image
ecr_repo_images[repo['name']] = repo
#ecr_repo_images.append(repo)
return ecr_repo_images

240
infra/ecs_alb/ecs.py Normal file
View File

@@ -0,0 +1,240 @@
import pulumi
import pulumi_aws as aws
import conf as config
import iam
import ecr
import json
def deploy_app(config_ecs_app, app_ecs_cluster, alb_security_group, app_load_balancer_arn):
lb_configs = config_ecs_app["lb_configs"]
target_groups = []
load_balancers = []
for lb_config in lb_configs:
tg = aws.lb.TargetGroup(f"app-target-group-{lb_config['listener_port']}",
port=lb_config["target_port"],
protocol="HTTP",
vpc_id=config.network["vpc_id"],
target_type="ip",
health_check=aws.lb.TargetGroupHealthCheckArgs(
path="/",
protocol="HTTP",
port="traffic-port",
healthy_threshold=2,
unhealthy_threshold=2,
timeout=5,
interval=30,
matcher="200-499",
),
)
aws.lb.Listener(f"app-listener-{lb_config['listener_port']}",
load_balancer_arn=app_load_balancer_arn,
port=lb_config["listener_port"],
protocol="HTTP",
default_actions=[aws.lb.ListenerDefaultActionArgs(
type="forward",
target_group_arn=tg.arn,
)],
)
target_groups.append(tg)
load_balancers.append(aws.ecs.ServiceLoadBalancerArgs(
target_group_arn=tg.arn,
container_name=f"{config.project_name}-{config_ecs_app['task_name']}-{config.environment}-service",
container_port=lb_config["target_port"],
))
# Build and Push ECR
# ecr_repos = ecr.create_ecr_repo(config_ecs_app['ecr_repo_name'])
# assert ('ecr_image_tag' in config_ecs_app.keys()) != ('ecr_image_digest' in config_ecs_app.keys()), 'User must provide either tag or image_digest, but not both, to identify image version'
if 'ecr_image_tag' in config_ecs_app.keys():
ecr_repo_image = ecr.get_image(config_ecs_app['ecr_repo_name'], image_tag=config_ecs_app['ecr_image_tag'])
elif 'ecr_image_digest' in config_ecs_app.keys():
ecr_repo_image = ecr.get_image(config_ecs_app['ecr_repo_name'], image_digest=config_ecs_app['ecr_image_digest'])
# Log Group Setup #TODO move into ecs
app_log_group = aws.cloudwatch.LogGroup(f"{config.project_name}-{config_ecs_app['task_name']}-log-group", retention_in_days=7)
# if key
# ssm_parameter, key = kms.setup_kms()
# iam.create_execution_role_with_keys(ssm_parameter, key)
# IAM Roles Setup
app_execution_role = iam.create_execution_role()
app_task_role = iam.create_task_role()
# summarization_repo_image = config_ecs_app['ecr_image']
if config_ecs_app['use_load_balancer']:
environemnt_variables = [dict(name=k, value=v) for k,v in config_ecs_app['env_variables'].items()]
print(environemnt_variables)
# ECS Task Definition Setup
app_task_definition = aws.ecs.TaskDefinition(f"{config.project_name}-{config_ecs_app['task_name']}-task-definition",
family=f"{config.project_name}-{config_ecs_app['task_name']}-{config.environment}",
cpu=config_ecs_app["cpu"],
memory=config_ecs_app["memory"],
network_mode="awsvpc",
execution_role_arn=app_execution_role.arn,
task_role_arn=app_task_role.arn,
requires_compatibilities=["FARGATE"],
container_definitions=pulumi.Output.all(ecr_repo_image.image_uri,
# ecr_repo_image.image_digest,
app_log_group.name,
environemnt_variables,
# config_ecs_app["secret_name"],
).apply(lambda args: json.dumps([{
"name": f"{config.project_name}-{config_ecs_app['task_name']}-{config.environment}-service",
"image": args[0],
"cpu": 0,
"portMappings": [
{
"name": lb_cfg["name"],
"containerPort": lb_cfg["container_port"],
"hostPort": lb_cfg["target_port"],
"protocol": "tcp",
} for lb_cfg in lb_configs
],
"essential": True,
"logConfiguration": {
"logDriver": "awslogs",
"options": {
"awslogs-group": args[1],
"awslogs-region": config.aws_region,
"awslogs-stream-prefix": "pulumi-langserve",
},
},
"environment": args[2],
}])),
)
# ECS Security Group Setup
app_ecs_security_group = aws.ec2.SecurityGroup(f"{config.project_name}-{config_ecs_app['task_name']}-ecs-security-group",
vpc_id=config.network["vpc_id"],
ingress=[aws.ec2.SecurityGroupIngressArgs(
protocol="-1",
from_port=0,
to_port=0,
security_groups=[alb_security_group.id],
)],
egress=[aws.ec2.SecurityGroupEgressArgs(
protocol="-1",
from_port=0,
to_port=0,
cidr_blocks=["0.0.0.0/0"],
)],
)
# Security Group Rules for Ingress
for sg_name, sg_id in config_ecs_app["sgs_allowing_ingress"].items():
aws.ec2.SecurityGroupRule(f"sgr-{sg_name}-allow_in_from-{config.project_name}",
type="ingress",
from_port=0,
to_port=0,
protocol="-1",
security_group_id=sg_id,
source_security_group_id=app_ecs_security_group.id,
description=f"Allow from {config.project_name} ECS SG",
)
# Service Discovery Namespace Setup
app_service_discovery_namespace = aws.servicediscovery.PrivateDnsNamespace(f"{config.project_name}-{config_ecs_app['task_name']}-service-discovery-namespace",
name=f"{config.environment}.{config.project_name}.local",
vpc=config.network["vpc_id"],
)
# ECS Service Setup
app_service = aws.ecs.Service(f"{config.project_name}-{config_ecs_app['task_name']}-service",
cluster=app_ecs_cluster.arn,
task_definition=app_task_definition.arn,
desired_count=config_ecs_app["desired_count"],
launch_type="FARGATE",
network_configuration=aws.ecs.ServiceNetworkConfigurationArgs(
assign_public_ip=True,
security_groups=[app_ecs_security_group.id],
subnets=config.network["ecs_subnet_ids"],
),
load_balancers=load_balancers,
scheduling_strategy="REPLICA",
service_connect_configuration=aws.ecs.ServiceServiceConnectConfigurationArgs(
enabled=True,
namespace=app_service_discovery_namespace.arn,
),
tags={"Name": f"{config.project_name}-{config_ecs_app['task_name']}-{config.environment}"},
)
#defining an auto-scaling for summarization
scalable_target = aws.appautoscaling.Target("app-svc-target",
max_capacity=config_ecs_app['auto_scaling']['max_capacity'],
min_capacity=config_ecs_app['auto_scaling']['min_capacity'],
resource_id=pulumi.Output.all(app_ecs_cluster.name, app_service.name).apply(lambda args: f"service/{args[0]}/{args[1]}"),
scalable_dimension="ecs:service:DesiredCount",
service_namespace="ecs",
)
# Define an auto-scaling policy on CPU utilization
scaling_policy = aws.appautoscaling.Policy("app-svc-policy",
policy_type="TargetTrackingScaling",
resource_id=scalable_target.resource_id,
scalable_dimension="ecs:service:DesiredCount",
service_namespace="ecs",
target_tracking_scaling_policy_configuration={
"target_value": config_ecs_app['auto_scaling']['target_value'], # Target CPU utilization (30%)
"predefined_metric_specification": {
"predefined_metric_type": "ECSServiceAverageCPUUtilization"
},
},
)
else:
# classification_repo_image = ecr_repo_images['ai-med-exam-classification']['ecr_image']
# ECS without Load Balancer
new_ecs_task_definition = aws.ecs.TaskDefinition("classification-theia-poc-task-definition",
family="classification-theia-poc",
cpu=config_ecs_app["cpu"],
memory=config_ecs_app["memory"],
network_mode="awsvpc",
execution_role_arn=app_execution_role.arn,
task_role_arn=app_task_role.arn,
requires_compatibilities=["FARGATE"],
container_definitions=pulumi.Output.all(ecr_repo_image.image_uri,
# classification_repo_image.image_digest,
app_log_group.name).apply(lambda args: json.dumps([{
"name": "classification-theia-poc-service",
"image": args[0],
"cpu": 0,
"portMappings": [
{
"name": "api",
"containerPort": 80, # Define the container port without Load Balancer
"hostPort": 80,
"protocol": "tcp",
}
],
"essential": True,
"logConfiguration": {
"logDriver": "awslogs",
"options": {
"awslogs-group": args[1],
"awslogs-region": config.aws_region,
"awslogs-stream-prefix": "pulumi-classification-theia-poc",
},
},
}])),
)
# ecs without load balancer
new_ecs_service = aws.ecs.Service("classification-theia-poc-service",
cluster=app_ecs_cluster.arn,
task_definition=new_ecs_task_definition.arn,
desired_count=config_ecs_app["desired_count"],
launch_type="FARGATE",
network_configuration=aws.ecs.ServiceNetworkConfigurationArgs(
assign_public_ip=True,
security_groups=[app_ecs_security_group.id],
subnets=config.network["ecs_subnet_ids"],
),
scheduling_strategy="REPLICA",
service_connect_configuration=aws.ecs.ServiceServiceConnectConfigurationArgs(
enabled=True,
namespace=app_service_discovery_namespace.arn,
),
tags={"Name": "classification-theia-poc"},
)

284
infra/ecs_alb/iam.py Normal file
View File

@@ -0,0 +1,284 @@
import pulumi
import pulumi_aws as aws
import conf as config
import json
def create_execution_role():
execution_role = aws.iam.Role(f"{config.project_name}-execution-role",
assume_role_policy=json.dumps({
"Version": "2012-10-17",
"Statement": [{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "ecs-tasks.amazonaws.com",
},
},
],
}),
inline_policies=[aws.iam.RoleInlinePolicyArgs(
name=f"{config.project_name}-{config.stack_name}-service-secrets-policy",
policy=json.dumps({
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecr:GetAuthorizationToken",
"ecr:BatchCheckLayerAvailability",
"ecr:GetDownloadUrlForLayer",
"ecr:GetRepositoryPolicy",
"ecr:DescribeRepositories",
"ecr:ListImages",
"ecr:DescribeImages",
"ecr:BatchGetImage",
"ecr:GetLifecyclePolicy",
"ecr:GetLifecyclePolicyPreview",
"ecr:ListTagsForResource",
"ecr:DescribeImageScanFindings"
],
"Resource": "*"
}
],
}),
)],
managed_policy_arns=["arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"])
return execution_role
def create_execution_role_with_keys(ssm_parameter, key):
execution_role = aws.iam.Role(f"{config.project_name}-execution-role",
assume_role_policy=json.dumps({
"Statement": [{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "ecs-tasks.amazonaws.com",
},
}],
"Version": "2012-10-17",
}),
inline_policies=[aws.iam.RoleInlinePolicyArgs(
name=f"{config.project_name}-{config.stack_name}-service-secrets-policy",
policy=pulumi.Output.all(ssm_parameter.arn, key.arn).apply(lambda args: json.dumps({
"Version": "2012-10-17",
"Statement": [
{
"Action": ["ssm:GetParameters"],
"Condition": {
"StringEquals": {
"ssm:ResourceTag/pulumi-application": config.project_name,
"ssm:ResourceTag/pulumi-environment": config.stack_name,
},
},
"Effect": "Allow",
"Resource": [args[0]],
},
{
"Action": ["kms:Decrypt"],
"Condition": {
"StringEquals": {
"aws:ResourceTag/pulumi-application": config.project_name,
"aws:ResourceTag/pulumi-environment": config.stack_name,
},
},
"Effect": "Allow",
"Resource": [args[1]],
"Sid": "DecryptTaggedKMSKey",
},
{
"Effect": "Allow",
"Action": [
"ecr:GetAuthorizationToken",
"ecr:BatchCheckLayerAvailability",
"ecr:GetDownloadUrlForLayer",
"ecr:GetRepositoryPolicy",
"ecr:DescribeRepositories",
"ecr:ListImages",
"ecr:DescribeImages",
"ecr:BatchGetImage",
"ecr:GetLifecyclePolicy",
"ecr:GetLifecyclePolicyPreview",
"ecr:ListTagsForResource",
"ecr:DescribeImageScanFindings"
],
"Resource": "*"
}
],
})),
)],
managed_policy_arns=["arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"])
return execution_role
def create_task_role():
task_role = aws.iam.Role(f"{config.project_name}-task-role",
assume_role_policy=json.dumps({
"Statement": [{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "ecs-tasks.amazonaws.com",
},
}],
"Version": "2012-10-17",
}),
inline_policies=[
aws.iam.RoleInlinePolicyArgs(
name="ExecuteCommand",
policy=json.dumps({
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"ssmmessages:CreateControlChannel",
"ssmmessages:OpenControlChannel",
"ssmmessages:CreateDataChannel",
"ssmmessages:OpenDataChannel",
],
"Effect": "Allow",
"Resource": "*",
},
{
"Action": [
"logs:CreateLogStream",
"logs:DescribeLogGroups",
"logs:DescribeLogStreams",
"logs:PutLogEvents",
],
"Effect": "Allow",
"Resource": "*",
},{
"Effect": "Allow",
"Action": [
"athena:StartQueryExecution",
"athena:GetQueryExecution",
"athena:GetQueryResults",
"athena:StopQueryExecution",
],
"Resource": f"arn:aws:athena:us-east-1:305427701314:workgroup/iceberg-workgroup",
},
{
"Effect": "Allow",
"Action": [
"glue:GetDatabase",
"glue:GetTable",
"glue:GetPartitions",
],
"Resource": [
f"arn:aws:glue:us-east-1:305427701314:catalog",
f"arn:aws:glue:us-east-1:305427701314:database/dnx_warehouse",
f"arn:aws:glue:us-east-1:305427701314:table/dnx_warehouse/*",
],
}, {
"Effect" : "Allow",
"Action" : [
"secretsmanager:GetSecretValue",
"secretsmanager:DescribeSecret"
],
"Resource" : ["arn:aws:secretsmanager:us-east-1:305427701314:secret:assistente-db-secrets-manager-mpYPMi"
]},
{
"Effect": "Allow",
"Action": [
"dynamodb:Scan",
"dynamodb:GetItem",
"dynamodb:Query",
"dynamodb:DescribeTable"
],
"Resource": [
"arn:aws:dynamodb:us-east-1:305427701314:table/poc_dnx_monthly_summary",
"arn:aws:dynamodb:us-east-1:305427701314:table/poc_dnx_monthly_summary/index/*"
]
},
],
}),
),
aws.iam.RoleInlinePolicyArgs(
name="DenyIAM",
policy=json.dumps({
"Version": "2012-10-17",
"Statement": [{
"Action": "iam:*",
"Effect": "Deny",
"Resource": "*",
}],
}),
),
aws.iam.RoleInlinePolicyArgs(
name="BedrockS3SQSAccess",
policy=json.dumps({
"Version": "2012-10-17",
"Statement": [
# S3
{
"Effect": "Allow",
"Action": [
"s3:*",
"s3-object-lambda:*"
],
"Resource": "*"
},
# SQS
{
"Effect": "Allow",
"Action": [
"sqs:StartMessageMoveTask",
"sqs:DeleteMessage",
"sqs:GetQueueUrl",
"sqs:ListDeadLetterSourceQueues",
"sqs:ListMessageMoveTasks",
"sqs:PurgeQueue",
"sqs:ReceiveMessage",
"sqs:GetQueueAttributes",
"sqs:ListQueueTags"
],
"Resource": "arn:aws:sqs:us-east-1:673991670544:ai-med-dev-queue-63cb463"
},
{
"Effect": "Allow",
"Action": "sqs:ListQueues",
"Resource": "*"
},
# Bedrock
{
"Effect": "Allow",
"Action": [
"bedrock:*"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"kms:DescribeKey"
],
"Resource": "arn:*:kms:*:*:key/*"
},
{
"Effect": "Allow",
"Action": [
"iam:ListRoles",
"ec2:DescribeVpcs",
"ec2:DescribeSubnets",
"ec2:DescribeSecurityGroups"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"iam:PassRole"
],
"Resource": "arn:aws:iam::*:role/*AmazonBedrock*",
"Condition": {
"StringEquals": {
"iam:PassedToService": "bedrock.amazonaws.com"
}
}
}
]
})
),
])
return task_role

74
infra/ecs_alb/kms.py Normal file
View File

@@ -0,0 +1,74 @@
import pulumi
import pulumi_aws as aws
import pulumi_docker as docker
import conf as config
import json
def setup_kms():
# KMS Key Setup
app_key = aws.kms.Key(f"{config.project_name}-key",
description="Key for encrypting secrets",
enable_key_rotation=True,
policy=json.dumps({
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Sid": "",
"Principal": {
"AWS": f"arn:aws:iam::{config.account_id}:root",
},
"Action": [
"kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*", "kms:Update*",
"kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*", "kms:ScheduleKeyDeletion",
"kms:CancelKeyDeletion", "kms:Tag*", "kms:UntagResource",
],
"Resource": "*",
},
{
"Effect": "Allow",
"Principal": {
"AWS": f"arn:aws:iam::{config.account_id}:root",
},
"Action": [
"kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey",
],
"Resource": "*",
},
{
"Sid": 'Allow access to EFS for all principals in the account that are authorized to use EFS',
"Effect": 'Allow',
"Principal": {"AWS": "*"},
"Action": [
"kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*",
"kms:CreateGrant", "kms:DescribeKey",
],
"Resource": "*",
"Condition": {
"StringEquals": {
"kms:ViaService": f"elasticfilesystem.{config.aws_region}.amazonaws.com",
"kms:CallerAccount": config.account_id,
},
},
},
],
}),
tags={
"pulumi-application": config.project_name,
"pulumi-environment": config.stack_name,
},
)
# SSM Parameter Setup
app_ssm_parameter = aws.ssm.Parameter(f"{config.project_name}-ssm-parameter",
type="SecureString",
value=config.config.require_secret("bedrock_api_key"),
key_id=app_key.key_id,
name=f"/{config.project_name}/{config.stack_name}/BEDROCK_API_KEY",
tags={
"pulumi-application": config.project_name,
"pulumi-environment": config.stack_name,
},
)
return app_ssm_parameter, app_key

5
infra/ecs_alb/requirements.txt Normal file
View File

@@ -0,0 +1,5 @@
pulumi
pulumi-aws
pulumi-docker
boto3
setuptools

40
infra/langfuse/Pulumi.inovyo.yaml Normal file
View File

@@ -0,0 +1,40 @@
config:
aws:region: us-east-1
langfuse:account_id: "232048051668"
langfuse:project_name: assistente-db-langfuse
langfuse:environment: dev
langfuse:tags:
project: assistente-db
env: dev
costCenter: AI
owner: ai-team
langfuse:network:
vpc_id: vpc-17ceb96c
subnet_ids:
- subnet-0de9f056635629827 # public-us-east-1a-subnet
- subnet-09cda74f27c543521 # public-us-east-1b-subnet
langfuse:ec2:
key_name:
allowed_ports:
- 22
- 3000
- 443
- 80
ebs_volume:
size: 100 # em GB
device_name: /dev/sdf # nome do device
volume_type: gp2 # tipo de volume
instance_type: t3.xlarge # langfuse requires at least t3.xlarge
instance_name: LangfuseEC2
sg_name: langfuse-sg
langfuse:langfuse_config:
repo_url: "https://github.com/langfuse/langfuse.git"
web_port: 3000
worker_port: 3030
database_url: "postgresql://langfuse:langfuse@postgres:5432/langfuse"
clickhouse_url: "http://clickhouse:8123"
telemetry_enabled: false

3
infra/langfuse/Pulumi.yaml Normal file
View File

@@ -0,0 +1,3 @@
name: langfuse-dev
runtime: python
description: Infraestrutura da aplicação Langfuse em EC2 usando Docker

93
infra/langfuse/README.md Normal file
View File

@@ -0,0 +1,93 @@
# langfuse
## Getting started
To make it easy for you to get started with GitLab, here's a list of recommended next steps.
Already a pro? Just edit this README.md and make it your own. Want to make it easy? [Use the template at the bottom](#editing-this-readme)!
## Add your files
- [ ] [Create](https://docs.gitlab.com/ee/user/project/repository/web_editor.html#create-a-file) or [upload](https://docs.gitlab.com/ee/user/project/repository/web_editor.html#upload-a-file) files
- [ ] [Add files using the command line](https://docs.gitlab.com/ee/gitlab-basics/add-file.html#add-a-file-using-the-command-line) or push an existing Git repository with the following command:
```
cd existing_repo
git remote add origin https://gitlab.shared.cloud.dnxbrasil.com.br/dnx-br/sandbox/genai/langfuse.git
git branch -M main
git push -uf origin main
```
## Integrate with your tools
- [ ] [Set up project integrations](https://gitlab.shared.cloud.dnxbrasil.com.br/dnx-br/sandbox/genai/langfuse/-/settings/integrations)
## Collaborate with your team
- [ ] [Invite team members and collaborators](https://docs.gitlab.com/ee/user/project/members/)
- [ ] [Create a new merge request](https://docs.gitlab.com/ee/user/project/merge_requests/creating_merge_requests.html)
- [ ] [Automatically close issues from merge requests](https://docs.gitlab.com/ee/user/project/issues/managing_issues.html#closing-issues-automatically)
- [ ] [Enable merge request approvals](https://docs.gitlab.com/ee/user/project/merge_requests/approvals/)
- [ ] [Set auto-merge](https://docs.gitlab.com/ee/user/project/merge_requests/merge_when_pipeline_succeeds.html)
## Test and Deploy
Use the built-in continuous integration in GitLab.
- [ ] [Get started with GitLab CI/CD](https://docs.gitlab.com/ee/ci/quick_start/index.html)
- [ ] [Analyze your code for known vulnerabilities with Static Application Security Testing (SAST)](https://docs.gitlab.com/ee/user/application_security/sast/)
- [ ] [Deploy to Kubernetes, Amazon EC2, or Amazon ECS using Auto Deploy](https://docs.gitlab.com/ee/topics/autodevops/requirements.html)
- [ ] [Use pull-based deployments for improved Kubernetes management](https://docs.gitlab.com/ee/user/clusters/agent/)
- [ ] [Set up protected environments](https://docs.gitlab.com/ee/ci/environments/protected_environments.html)
***
# Editing this README
When you're ready to make this README your own, just edit this file and use the handy template below (or feel free to structure it however you want - this is just a starting point!). Thanks to [makeareadme.com](https://www.makeareadme.com/) for this template.
## Suggestions for a good README
Every project is different, so consider which of these sections apply to yours. The sections used in the template are suggestions for most open source projects. Also keep in mind that while a README can be too long and detailed, too long is better than too short. If you think your README is too long, consider utilizing another form of documentation rather than cutting out information.
## Name
Choose a self-explaining name for your project.
## Description
Let people know what your project can do specifically. Provide context and add a link to any reference visitors might be unfamiliar with. A list of Features or a Background subsection can also be added here. If there are alternatives to your project, this is a good place to list differentiating factors.
## Badges
On some READMEs, you may see small images that convey metadata, such as whether or not all the tests are passing for the project. You can use Shields to add some to your README. Many services also have instructions for adding a badge.
## Visuals
Depending on what you are making, it can be a good idea to include screenshots or even a video (you'll frequently see GIFs rather than actual videos). Tools like ttygif can help, but check out Asciinema for a more sophisticated method.
## Installation
Within a particular ecosystem, there may be a common way of installing things, such as using Yarn, NuGet, or Homebrew. However, consider the possibility that whoever is reading your README is a novice and would like more guidance. Listing specific steps helps remove ambiguity and gets people to using your project as quickly as possible. If it only runs in a specific context like a particular programming language version or operating system or has dependencies that have to be installed manually, also add a Requirements subsection.
## Usage
Use examples liberally, and show the expected output if you can. It's helpful to have inline the smallest example of usage that you can demonstrate, while providing links to more sophisticated examples if they are too long to reasonably include in the README.
## Support
Tell people where they can go to for help. It can be any combination of an issue tracker, a chat room, an email address, etc.
## Roadmap
If you have ideas for releases in the future, it is a good idea to list them in the README.
## Contributing
State if you are open to contributions and what your requirements are for accepting them.
For people who want to make changes to your project, it's helpful to have some documentation on how to get started. Perhaps there is a script that they should run or some environment variables that they need to set. Make these steps explicit. These instructions could also be useful to your future self.
You can also document commands to lint the code or run tests. These steps help to ensure high code quality and reduce the likelihood that the changes inadvertently break something. Having instructions for running tests is especially helpful if it requires external setup, such as starting a Selenium server for testing in a browser.
## Authors and acknowledgment
Show your appreciation to those who have contributed to the project.
## License
For open source projects, say how it is licensed.
## Project status
If you have run out of energy or time for your project, put a note at the top of the README saying that development has slowed down or stopped completely. Someone may choose to fork your project or volunteer to step in as a maintainer or owner, allowing your project to keep going. You can also make an explicit request for maintainers.

105
infra/langfuse/__main__.py Normal file
View File

@@ -0,0 +1,105 @@
import pulumi
import pulumi_aws as aws
import conf as config
# 🔐 Security Group
ingress_rules = [{"protocol": "tcp", "from_port": port, "to_port": port, "cidr_blocks": ["3.14.44.224/32"]}
for port in config.ec2_config["allowed_ports"]]
sg = aws.ec2.SecurityGroup(config.ec2_config["sg_name"],
vpc_id=config.network["vpc_id"],
description="Allow defined ports",
ingress=ingress_rules,
egress=[{"protocol": "-1", "from_port": 0, "to_port": 0, "cidr_blocks": ["0.0.0.0/0"]}],
)
# 🐳 Script user_data com Docker, Langfuse e montagem do volume EBS
user_data = f"""#!/bin/bash
set -e
sudo apt-get update -y
sudo apt-get install -y ca-certificates curl gnupg git
sudo install -m 0755 -d /etc/apt/keyrings
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg
sudo chmod a+r /etc/apt/keyrings/docker.gpg
echo \
"deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu \
$(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \
sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
sudo apt-get update -y
sudo apt-get install -y docker-ce docker-ce-cli containerd.io docker-compose-plugin
sudo groupadd docker || true
sudo usermod -aG docker ubuntu
sudo chmod 666 /var/run/docker.sock
sudo systemctl enable docker
sudo systemctl restart docker
cd /opt
git clone {config.langfuse_config["repo_url"]}
cd langfuse
NEXTAUTH_SECRET=$(openssl rand -hex 32)
PUBLIC_IP=$(curl -s http://169.254.169.254/latest/meta-data/public-ipv4)
SALT=$(openssl rand -hex 16)
ENCRYPTION_KEY=$(openssl rand -hex 32)
cat > .env <<EOF
NEXTAUTH_SECRET=$NEXTAUTH_SECRET
NEXTAUTH_URL=http://$PUBLIC_IP:{config.langfuse_config["web_port"]}
DATABASE_URL=postgresql://postgres:postgres@postgres:5432/postgres
CLICKHOUSE_URL=http://clickhouse:8123
CLICKHOUSE_USER=clickhouse
CLICKHOUSE_PASSWORD=clickhouse
TELEMETRY_ENABLED=false
SALT=$SALT
ENCRYPTION_KEY=$ENCRYPTION_KEY
REDIS_AUTH=myredissecret
LANGFUSE_S3_EVENT_UPLOAD_ACCESS_KEY_ID=minio
LANGFUSE_S3_EVENT_UPLOAD_SECRET_ACCESS_KEY=miniosecret
LANGFUSE_S3_MEDIA_UPLOAD_ACCESS_KEY_ID=minio
LANGFUSE_S3_MEDIA_UPLOAD_SECRET_ACCESS_KEY=miniosecret
LANGFUSE_S3_BATCH_EXPORT_ACCESS_KEY_ID=minio
LANGFUSE_S3_BATCH_EXPORT_SECRET_ACCESS_KEY=miniosecret
MINIO_ROOT_USER=minio
MINIO_ROOT_PASSWORD=miniosecret
EOF
sudo docker compose -f docker-compose.yml up -d
# 📦 Montar volume EBS
DEVICE="{config.ec2_config['ebs_volume']['device_name']}"
MOUNT_DIR="/mnt/langfuse-data"
if [ -b "$DEVICE" ]; then
sudo mkfs -t ext4 $DEVICE
sudo mkdir -p $MOUNT_DIR
sudo mount $DEVICE $MOUNT_DIR
echo "$DEVICE $MOUNT_DIR ext4 defaults,nofail 0 2" | sudo tee -a /etc/fstab
else
echo "Volume $DEVICE não encontrado."
fi
"""
# 🖥️ Criar EC2
instance = aws.ec2.Instance("assistente-produtos-servicos-langfuse-ec2",
instance_type=config.ec2_config["instance_type"],
ami=aws.ec2.get_ami(
most_recent=True,
owners=["099720109477"],
filters=[{"name": "name", "values": ["ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-amd64-server-*"]}]
).id,
subnet_id=config.network["subnet_ids"][0],
vpc_security_group_ids=[sg.id],
#key_name=config.ec2_config["key_name"],
user_data=user_data,
associate_public_ip_address=True,
tags={"Name": config.ec2_config["instance_name"]},
root_block_device=aws.ec2.InstanceRootBlockDeviceArgs(
volume_size=config.ec2_config["ebs_volume"]["size"],
volume_type=config.ec2_config["ebs_volume"]["volume_type"],
delete_on_termination=True,
)
)
pulumi.export("instance_ip", instance.public_ip)
pulumi.export("url", pulumi.Output.concat("http://", instance.public_ip, f":{config.langfuse_config['web_port']}"))

13
infra/langfuse/autotag/autotag.py Normal file
View File

@@ -0,0 +1,13 @@
import pulumi
from autotag.taggable import is_taggable
# registerAutoTags registers a global stack transformation that merges a set
# of tags with whatever was also explicitly added to the resource definition.
def register_auto_tags(auto_tags):
pulumi.runtime.register_stack_transformation(lambda args: auto_tag(args, auto_tags))
# auto_tag applies the given tags to the resource properties if applicable.
def auto_tag(args, auto_tags):
if is_taggable(args.type_):
args.props['tags'] = {**(args.props['tags'] or {}), **auto_tags}
return pulumi.ResourceTransformationResult(args.props, args.opts)

12
infra/langfuse/autotag/policy-config.json Normal file
View File

@@ -0,0 +1,12 @@
{
"all": "mandatory",
"check-required-tags": {
"requiredTags": [
"user:project",
"user:env",
"user:account",
"user:costCenter",
"user:owner"
]
}
}

234
infra/langfuse/autotag/taggable.py Normal file
View File

@@ -0,0 +1,234 @@
# isTaggable returns true if the given resource type is an AWS resource that supports tags.
def is_taggable(t):
return t in taggable_resource_types
# taggable_resource_types is a list of known AWS type tokens that are taggable.
taggable_resource_types = [
'aws:accessanalyzer/analyzer:Analyzer',
'aws:acm/certificate:Certificate',
'aws:acmpca/certificateAuthority:CertificateAuthority',
'aws:alb/loadBalancer:LoadBalancer',
'aws:alb/targetGroup:TargetGroup',
'aws:apigateway/apiKey:ApiKey',
'aws:apigateway/clientCertificate:ClientCertificate',
'aws:apigateway/domainName:DomainName',
'aws:apigateway/restApi:RestApi',
'aws:apigateway/stage:Stage',
'aws:apigateway/usagePlan:UsagePlan',
'aws:apigateway/vpcLink:VpcLink',
'aws:applicationloadbalancing/loadBalancer:LoadBalancer',
'aws:applicationloadbalancing/targetGroup:TargetGroup',
'aws:appmesh/mesh:Mesh',
'aws:appmesh/route:Route',
'aws:appmesh/virtualNode:VirtualNode',
'aws:appmesh/virtualRouter:VirtualRouter',
'aws:appmesh/virtualService:VirtualService',
'aws:appsync/graphQLApi:GraphQLApi',
'aws:athena/workgroup:Workgroup',
'aws:autoscaling/group:Group',
'aws:backup/plan:Plan',
'aws:backup/vault:Vault',
'aws:cfg/aggregateAuthorization:AggregateAuthorization',
'aws:cfg/configurationAggregator:ConfigurationAggregator',
'aws:cfg/rule:Rule',
'aws:cloudformation/stack:Stack',
'aws:cloudformation/stackSet:StackSet',
'aws:cloudfront/distribution:Distribution',
'aws:cloudhsmv2/cluster:Cluster',
'aws:cloudtrail/trail:Trail',
'aws:cloudwatch/eventRule:EventRule',
'aws:cloudwatch/logGroup:LogGroup',
'aws:cloudwatch/metricAlarm:MetricAlarm',
'aws:codebuild/project:Project',
'aws:codecommit/repository:Repository',
'aws:codepipeline/pipeline:Pipeline',
'aws:codepipeline/webhook:Webhook',
'aws:codestarnotifications/notificationRule:NotificationRule',
'aws:cognito/identityPool:IdentityPool',
'aws:cognito/userPool:UserPool',
'aws:datapipeline/pipeline:Pipeline',
'aws:datasync/agent:Agent',
'aws:datasync/efsLocation:EfsLocation',
'aws:datasync/locationSmb:LocationSmb',
'aws:datasync/nfsLocation:NfsLocation',
'aws:datasync/s3Location:S3Location',
'aws:datasync/task:Task',
'aws:dax/cluster:Cluster',
'aws:directconnect/connection:Connection',
'aws:directconnect/hostedPrivateVirtualInterfaceAccepter:HostedPrivateVirtualInterfaceAccepter',
'aws:directconnect/hostedPublicVirtualInterfaceAccepter:HostedPublicVirtualInterfaceAccepter',
'aws:directconnect/hostedTransitVirtualInterfaceAcceptor:HostedTransitVirtualInterfaceAcceptor',
'aws:directconnect/linkAggregationGroup:LinkAggregationGroup',
'aws:directconnect/privateVirtualInterface:PrivateVirtualInterface',
'aws:directconnect/publicVirtualInterface:PublicVirtualInterface',
'aws:directconnect/transitVirtualInterface:TransitVirtualInterface',
'aws:directoryservice/directory:Directory',
'aws:dlm/lifecyclePolicy:LifecyclePolicy',
'aws:dms/endpoint:Endpoint',
'aws:dms/replicationInstance:ReplicationInstance',
'aws:dms/replicationSubnetGroup:ReplicationSubnetGroup',
'aws:dms/replicationTask:ReplicationTask',
'aws:docdb/cluster:Cluster',
'aws:docdb/clusterInstance:ClusterInstance',
'aws:docdb/clusterParameterGroup:ClusterParameterGroup',
'aws:docdb/subnetGroup:SubnetGroup',
'aws:dynamodb/table:Table',
'aws:ebs/snapshot:Snapshot',
'aws:ebs/snapshotCopy:SnapshotCopy',
'aws:ebs/volume:Volume',
'aws:ec2/ami:Ami',
'aws:ec2/amiCopy:AmiCopy',
'aws:ec2/amiFromInstance:AmiFromInstance',
'aws:ec2/capacityReservation:CapacityReservation',
'aws:ec2/customerGateway:CustomerGateway',
'aws:ec2/defaultNetworkAcl:DefaultNetworkAcl',
'aws:ec2/defaultRouteTable:DefaultRouteTable',
'aws:ec2/defaultSecurityGroup:DefaultSecurityGroup',
'aws:ec2/defaultSubnet:DefaultSubnet',
'aws:ec2/defaultVpc:DefaultVpc',
'aws:ec2/defaultVpcDhcpOptions:DefaultVpcDhcpOptions',
'aws:ec2/eip:Eip',
'aws:ec2/fleet:Fleet',
'aws:ec2/instance:Instance',
'aws:ec2/internetGateway:InternetGateway',
'aws:ec2/keyPair:KeyPair',
'aws:ec2/launchTemplate:LaunchTemplate',
'aws:ec2/natGateway:NatGateway',
'aws:ec2/networkAcl:NetworkAcl',
'aws:ec2/networkInterface:NetworkInterface',
'aws:ec2/placementGroup:PlacementGroup',
'aws:ec2/routeTable:RouteTable',
'aws:ec2/securityGroup:SecurityGroup',
'aws:ec2/spotInstanceRequest:SpotInstanceRequest',
'aws:ec2/subnet:Subnet',
'aws:ec2/vpc:Vpc',
'aws:ec2/vpcDhcpOptions:VpcDhcpOptions',
'aws:ec2/vpcEndpoint:VpcEndpoint',
'aws:ec2/vpcEndpointService:VpcEndpointService',
'aws:ec2/vpcPeeringConnection:VpcPeeringConnection',
'aws:ec2/vpcPeeringConnectionAccepter:VpcPeeringConnectionAccepter',
'aws:ec2/vpnConnection:VpnConnection',
'aws:ec2/vpnGateway:VpnGateway',
'aws:ec2clientvpn/endpoint:Endpoint',
'aws:ec2transitgateway/routeTable:RouteTable',
'aws:ec2transitgateway/transitGateway:TransitGateway',
'aws:ec2transitgateway/vpcAttachment:VpcAttachment',
'aws:ec2transitgateway/vpcAttachmentAccepter:VpcAttachmentAccepter',
'aws:ecr/repository:Repository',
'aws:ecs/capacityProvider:CapacityProvider',
'aws:ecs/cluster:Cluster',
'aws:ecs/service:Service',
'aws:ecs/taskDefinition:TaskDefinition',
'aws:efs/fileSystem:FileSystem',
'aws:eks/cluster:Cluster',
'aws:eks/fargateProfile:FargateProfile',
'aws:eks/nodeGroup:NodeGroup',
'aws:elasticache/cluster:Cluster',
'aws:elasticache/replicationGroup:ReplicationGroup',
'aws:elasticbeanstalk/application:Application',
'aws:elasticbeanstalk/applicationVersion:ApplicationVersion',
'aws:elasticbeanstalk/environment:Environment',
'aws:elasticloadbalancing/loadBalancer:LoadBalancer',
'aws:elasticloadbalancingv2/loadBalancer:LoadBalancer',
'aws:elasticloadbalancingv2/targetGroup:TargetGroup',
'aws:elasticsearch/domain:Domain',
'aws:elb/loadBalancer:LoadBalancer',
'aws:emr/cluster:Cluster',
'aws:fsx/lustreFileSystem:LustreFileSystem',
'aws:fsx/windowsFileSystem:WindowsFileSystem',
'aws:gamelift/alias:Alias',
'aws:gamelift/build:Build',
'aws:gamelift/fleet:Fleet',
'aws:gamelift/gameSessionQueue:GameSessionQueue',
'aws:glacier/vault:Vault',
'aws:glue/crawler:Crawler',
'aws:glue/job:Job',
'aws:glue/trigger:Trigger',
'aws:iam/role:Role',
'aws:iam/user:User',
'aws:inspector/resourceGroup:ResourceGroup',
'aws:kinesis/analyticsApplication:AnalyticsApplication',
'aws:kinesis/firehoseDeliveryStream:FirehoseDeliveryStream',
'aws:kinesis/stream:Stream',
'aws:kms/externalKey:ExternalKey',
'aws:kms/key:Key',
'aws:lambda/function:Function',
'aws:lb/loadBalancer:LoadBalancer',
'aws:lb/targetGroup:TargetGroup',
'aws:licensemanager/licenseConfiguration:LicenseConfiguration',
'aws:lightsail/instance:Instance',
'aws:mediaconvert/queue:Queue',
'aws:mediapackage/channel:Channel',
'aws:mediastore/container:Container',
'aws:mq/broker:Broker',
'aws:mq/configuration:Configuration',
'aws:msk/cluster:Cluster',
'aws:neptune/cluster:Cluster',
'aws:neptune/clusterInstance:ClusterInstance',
'aws:neptune/clusterParameterGroup:ClusterParameterGroup',
'aws:neptune/eventSubscription:EventSubscription',
'aws:neptune/parameterGroup:ParameterGroup',
'aws:neptune/subnetGroup:SubnetGroup',
'aws:opsworks/stack:Stack',
'aws:organizations/account:Account',
'aws:pinpoint/app:App',
'aws:qldb/ledger:Ledger',
'aws:ram/resourceShare:ResourceShare',
'aws:rds/cluster:Cluster',
'aws:rds/clusterEndpoint:ClusterEndpoint',
'aws:rds/clusterInstance:ClusterInstance',
'aws:rds/clusterParameterGroup:ClusterParameterGroup',
'aws:rds/clusterSnapshot:ClusterSnapshot',
'aws:rds/eventSubscription:EventSubscription',
'aws:rds/instance:Instance',
'aws:rds/optionGroup:OptionGroup',
'aws:rds/parameterGroup:ParameterGroup',
'aws:rds/securityGroup:SecurityGroup',
'aws:rds/snapshot:Snapshot',
'aws:rds/subnetGroup:SubnetGroup',
'aws:redshift/cluster:Cluster',
'aws:redshift/eventSubscription:EventSubscription',
'aws:redshift/parameterGroup:ParameterGroup',
'aws:redshift/snapshotCopyGrant:SnapshotCopyGrant',
'aws:redshift/snapshotSchedule:SnapshotSchedule',
'aws:redshift/subnetGroup:SubnetGroup',
'aws:resourcegroups/group:Group',
'aws:route53/healthCheck:HealthCheck',
'aws:route53/resolverEndpoint:ResolverEndpoint',
'aws:route53/resolverRule:ResolverRule',
'aws:route53/zone:Zone',
'aws:s3/bucket:Bucket',
'aws:s3/bucketObject:BucketObject',
'aws:sagemaker/endpoint:Endpoint',
'aws:sagemaker/endpointConfiguration:EndpointConfiguration',
'aws:sagemaker/model:Model',
'aws:sagemaker/notebookInstance:NotebookInstance',
'aws:secretsmanager/secret:Secret',
'aws:servicecatalog/portfolio:Portfolio',
'aws:sfn/activity:Activity',
'aws:sfn/stateMachine:StateMachine',
'aws:sns/topic:Topic',
'aws:sqs/queue:Queue',
'aws:ssm/activation:Activation',
'aws:ssm/document:Document',
'aws:ssm/maintenanceWindow:MaintenanceWindow',
'aws:ssm/parameter:Parameter',
'aws:ssm/patchBaseline:PatchBaseline',
'aws:storagegateway/cachesIscsiVolume:CachesIscsiVolume',
'aws:storagegateway/gateway:Gateway',
'aws:storagegateway/nfsFileShare:NfsFileShare',
'aws:storagegateway/smbFileShare:SmbFileShare',
'aws:swf/domain:Domain',
'aws:transfer/server:Server',
'aws:transfer/user:User',
'aws:waf/rateBasedRule:RateBasedRule',
'aws:waf/rule:Rule',
'aws:waf/ruleGroup:RuleGroup',
'aws:waf/webAcl:WebAcl',
'aws:wafregional/rateBasedRule:RateBasedRule',
'aws:wafregional/rule:Rule',
'aws:wafregional/ruleGroup:RuleGroup',
'aws:wafregional/webAcl:WebAcl',
'aws:workspaces/directory:Directory',
'aws:workspaces/ipGroup:IpGroup',
]

20
infra/langfuse/conf.py Normal file
View File

@@ -0,0 +1,20 @@
import pulumi
import pulumi_aws as aws
from autotag.autotag import register_auto_tags
config = pulumi.Config("langfuse")
project_name = config.require("project_name")
stack_name = pulumi.get_stack()
environment = config.require("environment")
account_id = config.require("account_id")
tags = config.require_object("tags")
network = config.require_object("network")
ec2_config = config.require_object("ec2")
langfuse_config = config.require_object("langfuse_config")
aws_region = aws.get_region().id
current = aws.get_caller_identity()
register_auto_tags(tags)

5
infra/langfuse/requirements.txt Normal file
View File

@@ -0,0 +1,5 @@
pulumi
pulumi-aws
pulumi-docker
boto3
setuptools

9
infra/s3/Pulumi.assistente-matricula.yaml Normal file
View File

@@ -0,0 +1,9 @@
config:
aws:region: us-east-1
ia-bucket:
buckets:
- name: assistente-matricula-docs
- name: assistente-matricula-transcribe
tags:
Enviroment: dev
Owner: ai

3
infra/s3/Pulumi.yaml Normal file
View File

@@ -0,0 +1,3 @@
name: ia-bucket
runtime: python
description: S3 bucket for assisten-matricula

9
infra/s3/main.py Normal file
View File

@@ -0,0 +1,9 @@
import pulumi
import pulumi_aws as aws
config=pulumi.Config()
buckets_config=config.require_object("buckets")
tags=config.require_object("tags")
for b in buckets_config:
bucket=aws.s3.BucketV2(b["name"],tags=tags)
pulumi.export("bucket_name",bucket.id)
pulumi.export("bucket_arn",bucket.arn)