diff --git a/code/Dockerfile b/code/Dockerfile
new file mode 100644
index 0000000..682030b
--- /dev/null
+++ b/code/Dockerfile
@@ -0,0 +1,36 @@
+# Official Python base image; choose a version compatible with your dependencies.
+FROM python:3.12-slim
+
+# Set a working directory so relative paths (./entrypoint.sh, app/front.py)
+# resolve consistently; without this, files were copied into the image root.
+WORKDIR /app
+
+# Copy the requirements file first to take advantage of Docker's layer cache.
+COPY requirements.txt ./requirements.txt
+
+# Install backend dependencies.
+RUN pip install --no-cache-dir -r requirements.txt
+
+# Copy the remaining application directories and files.
+COPY ./ ./
+
+# Ensure the startup script is executable.
+RUN chmod +x ./entrypoint.sh
+
+# Directories the FastAPI backend may need (kept for reference; used for
+# persistence when volumes are mounted).
+#RUN mkdir -p /app/faiss_index_store && \
+#    mkdir -p /app/uploaded_pdfs
+
+# Ports used by the applications:
+# 8000 for the FastAPI API
+EXPOSE 8000
+# 8501 for the Streamlit app
+EXPOSE 8501
+
+# GROQ_API_KEY must be provided at run time instead of being baked into the
+# image, e.g.: docker run -e GROQ_API_KEY="your_key_here" ...
+# ENV GROQ_API_KEY="DO_NOT_EMBED_SECRETS_IN_THE_IMAGE"
+
+# Container start command: run the script that manages both processes.
+CMD ["./entrypoint.sh"]
diff --git a/code/README.md b/code/README.md
new file mode 100644
index 0000000..e69de29
diff --git a/code/app/backend/BDAgent.py b/code/app/backend/BDAgent.py
new file mode 100644
index 0000000..8d2e367
--- /dev/null
+++ b/code/app/backend/BDAgent.py
@@ -0,0 +1,342 @@
+"""
+LangGraph Agent using AWS Bedrock Cross-Region Inference Profile with Tools
+
+This script demonstrates how to create a LangGraph agent that uses
+an AWS Bedrock inference profile with custom tools (add and multiply). 
+""" + +import boto3 +from typing import TypedDict, Annotated +from langgraph.graph import StateGraph, END +from langchain_aws import ChatBedrockConverse +from langchain_core.tools import tool +from langchain_core.messages import HumanMessage, AIMessage, ToolMessage, SystemMessage +import operator +import json +import time +from langfuse import Langfuse +from langfuse.langchain import CallbackHandler +from botocore.exceptions import ClientError +import os +from backend.utils import dynamodb_read_table as drt +WORKGROUP = "iceberg-workgroup" +DATABASE = "dnx_warehouse" +def get_secret(): + + secret_name = "assistente-db-secrets-manager" + region_name = "us-east-1" + + # Create a Secrets Manager client + session = boto3.session.Session() + client = session.client( + service_name='secretsmanager', + region_name=region_name + ) + + try: + get_secret_value_response = client.get_secret_value( + SecretId=secret_name + ) + except ClientError as e: + # For a list of exceptions thrown, see + # https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetSecretValue.html + raise e + + secret = get_secret_value_response['SecretString'] + return secret +secrets=json.loads(get_secret()) +langfuse = Langfuse( + public_key=secrets['LANGFUSE-PUBLIC-KEY'], + secret_key=secrets['LANGFUSE-SECRET-KEY'], + host=os.environ["LANGFUSE_HOST"] +) +session = boto3.Session() +athena = session.client("athena", region_name="us-east-1") + +# ============================================== +# QUERY +# ============================================== + +def exec_athena_query(query): + print("Executando query no Athena...") + response = athena.start_query_execution( + QueryString=query, + QueryExecutionContext={"Database": DATABASE}, + WorkGroup=WORKGROUP + ) + + query_execution_id = response["QueryExecutionId"] + print(f"QueryExecutionId: {query_execution_id}") + + # ============================================== + # AGUARDAR RESULTADO + # ============================================== + + 
while True: + result = athena.get_query_execution(QueryExecutionId=query_execution_id) + state = result["QueryExecution"]["Status"]["State"] + + if state in ["SUCCEEDED", "FAILED", "CANCELLED"]: + print("Estado final:", state) + break + + print("Aguardando execução...") + time.sleep(1) + if state == "SUCCEEDED": + output = athena.get_query_results(QueryExecutionId=query_execution_id) + print(f"\n🔧 [TOOL CALLED] consult answer") + return output["ResultSet"]["Rows"] + else: + print("Erro ao executar a query.") +# Define tools + + + +# Define@tool the agent state +class AgentState(TypedDict): + messages: Annotated[list, operator.add] + current_step: str + + +# Initialize Bedrock client with inference profile +def create_bedrock_llm(model_id: str, region: str = "us-east-1"): + """ + Create a ChatBedrock instance using a model ID. + + Args: + model_id: Bedrock model ID (e.g., anthropic.claude-haiku-4-5-20251001-v1:0) + region: AWS region (default: us-east-1) + + Returns: + ChatBedrock instance configured with the model + """ + # Determine provider and model_kwargs based on model ID + MODEL_ARNS = { + "anthropic.claude-haiku-4-5-20251001-v1:0": "arn:aws:bedrock:us-east-1:305427701314:inference-profile/global.anthropic.claude-haiku-4-5-20251001-v1:0", + "anthropic.claude-sonnet-4-5-20250929-v1:0": "arn:aws:bedrock:us-east-1:305427701314:inference-profile/global.anthropic.claude-sonnet-4-5-20250929-v1:0", + "meta.llama4-maverick-17b-instruct-v1:0": "arn:aws:bedrock:us-east-1:305427701314:inference-profile/us.meta.llama4-maverick-17b-instruct-v1:0", + "meta.llama4-scout-17b-instruct-v1:0": "arn:aws:bedrock:us-east-1:305427701314:inference-profile/us.meta.llama4-scout-17b-instruct-v1:0", + "amazon.nova-lite-v1:0": "arn:aws:bedrock:us-east-1:305427701314:inference-profile/us.amazon.nova-lite-v1:0", + "amazon.nova-pro-v1:0": "arn:aws:bedrock:us-east-1:305427701314:inference-profile/us.amazon.nova-pro-v1:0", + "amazon.nova-2-lite-v1:0": 
"arn:aws:bedrock:us-east-1:305427701314:inference-profile/global.amazon.nova-2-lite-v1:0" + } + PROVIDER={ + "anthropic.claude-haiku-4-5-20251001-v1:0": "anthropic", + "anthropic.claude-sonnet-4-5-20250929-v1:0": "anthropic", + "meta.llama4-maverick-17b-instruct-v1:0": "meta", + "meta.llama4-scout-17b-instruct-v1:0": "meta", + "amazon.nova-lite-v1:0": "amazon", + "amazon.nova-pro-v1:0": "amazon", + "amazon.nova-2-lite-v1:0": "amazon" + } + prefix={ + "anthropic.claude-haiku-4-5-20251001-v1:0": "global", + "anthropic.claude-sonnet-4-5-20250929-v1:0": "global", + "meta.llama4-maverick-17b-instruct-v1:0": "us", + "meta.llama4-scout-17b-instruct-v1:0": "us", + "amazon.nova-lite-v1:0": "us", + "amazon.nova-pro-v1:0": "us", + "amazon.nova-2-lite-v1:0": "global" + } + llm = ChatBedrockConverse( + model_id=prefix[model_id]+"."+model_id, + region_name=region, + provider=PROVIDER[model_id], + max_tokens=2048, + temperature=0.7 + ) + + # Bind tools to the LLM + #tools = [consult_answers,count_table_rows] + tools=[] + llm_with_tools = llm.bind_tools(tools) + + return llm_with_tools + + +# Define agent nodes +def call_model(state: AgentState, llm) -> AgentState: + """Call the LLM with tools.""" + print(f"[MODEL] Calling Bedrock inference profile...") + + messages = state["messages"] + langfuse_handler = CallbackHandler() + config = {"configurable": {"thread_id": "abc123"},"callbacks": [langfuse_handler]} + response = llm.invoke(messages,config=config) + state["current_step"] = "model_called" + return {"messages": [response]} + + +def call_tools(state: AgentState) -> AgentState: + """Execute any tool calls from the LLM response.""" + print(f"[TOOLS] Checking for tool calls...") + + messages = state["messages"] + last_message = messages[-1] + + # Check if there are tool calls + if hasattr(last_message, 'tool_calls') and last_message.tool_calls: + print(f"[TOOLS] Found {len(last_message.tool_calls)} tool call(s)") + + tool_messages = [] + tools_map = { + } + + # Execute each tool 
call + for tool_call in last_message.tool_calls: + tool_name = tool_call["name"] + tool_args = tool_call["args"] + + print(f"[TOOLS] Executing: {tool_name}") + + # Call the appropriate tool + tool_func = tools_map[tool_name] + result = tool_func.invoke(tool_args) + + # Create tool message + tool_message = ToolMessage( + content=str(result), + tool_call_id=tool_call["id"] + ) + tool_messages.append(tool_message) + + state["current_step"] = "tools_executed" + return {"messages": tool_messages} + else: + print(f"[TOOLS] No tool calls found") + state["current_step"] = "no_tools" + return {"messages": []} + + +def should_continue(state: AgentState) -> str: + """Determine if we should continue to tools or end.""" + messages = state["messages"] + last_message = messages[-1] + + # If there are tool calls, continue to tools node + if hasattr(last_message, 'tool_calls') and last_message.tool_calls: + print("[ROUTER] Routing to tools...") + return "tools" + + # Otherwise, end + print("[ROUTER] No more tool calls, ending...") + return "end" + + +# Build the LangGraph agent +def create_agent(inference_profile_arn: str, region: str = "us-east-1"): + """ + Create a LangGraph agent that uses Bedrock inference profile with tools. 
+ + Args: + inference_profile_arn: ARN of the cross-region inference profile + region: AWS region + + Returns: + Compiled LangGraph workflow + """ + # Initialize the LLM with tools + llm = create_bedrock_llm(inference_profile_arn, region) + + # Create the graph + workflow = StateGraph(AgentState) + + # Add nodes + workflow.add_node("model", lambda state: call_model(state, llm)) + workflow.add_node("tools", call_tools) + + # Define the workflow + workflow.set_entry_point("model") + + # Add conditional edges + workflow.add_conditional_edges( + "model", + should_continue, + { + "tools": "tools", + "end": END + } + ) + + # After tools, go back to model + workflow.add_edge("tools", "model") + + # Compile the graph + app = workflow.compile() + + return app + + +def main(user_query,history,model): + """Main execution function.""" + + # Configuration - Update with your actual inference profile ARN + + INFERENCE_PROFILE_ARN = model + REGION = "us-east-1" + # System prompt for the agent + + SYSTEM_PROMPT=""" You are a analitical agent, with acess to monthly reports about Bacio di latte + + A Bacio di Latte é uma rede de gelaterias artesanais fundada em São Paulo, Brasil, em 2011, pelos irmãos milaneses Edoardo e Luigi Tonolli, que trouxeram a tradição do gelato italiano com ingredientes de alta qualidade, resultando em um sorvete cremoso e fresco, produzido diariamente, sem gordura hidrogenada ou trans, e que se tornou popular não só no Brasil, mas também nos EUA, representando uma experiência autêntica de gelato. 
+    </context>
+
+    """+drt.read_table_as_xml("poc_dnx_monthly_summary","us-east-1")+"""
+    </reports>
+    Here is the chat history:"""+history+"""
+    Answer the user the best you can with the given information; if you don't know the answer or how to answer, say so — only answer from what you know."""
+
+    print("=" * 60)
+    print("LangGraph Agent with AWS Bedrock Inference Profile + Tools")
+    print("=" * 60)
+    print(f"\nUsing inference profile: {INFERENCE_PROFILE_ARN}")
+    print(f"Region: {REGION}\n")
+    # NOTE: no tools are currently bound (see create_bedrock_llm), so the
+    # startup banner no longer advertises add/multiply tools.
+    print("System Prompt: Configured ✓")
+    print("=" * 60)
+
+    # Create the agent
+    agent = create_agent(INFERENCE_PROFILE_ARN, REGION)
+
+    # Initialize state with system prompt
+    initial_state = {
+        "messages": [
+            SystemMessage(content=SYSTEM_PROMPT),
+            HumanMessage(content=user_query)
+        ],
+        "current_step": "init"
+    }
+
+    print(f"\nUser Query: {user_query}\n")
+    print("-" * 60)
+
+    # Run the agent
+    final_state = agent.invoke(initial_state)
+
+    # Display results
+    print("-" * 60)
+    print("\n[FINAL RESULT]")
+    print("\nConversation History:")
+    for i, msg in enumerate(final_state["messages"], 1):
+        if isinstance(msg, SystemMessage):
+            print(f"\n{i}. System: [System prompt configured]")
+        elif isinstance(msg, HumanMessage):
+            print(f"\n{i}. User: {msg.content}")
+        elif isinstance(msg, AIMessage):
+            if hasattr(msg, 'tool_calls') and msg.tool_calls:
+                print(f"\n{i}. AI: [Calling tools...]")
+            else:
+                print(f"\n{i}. AI: {msg.content}")
+        elif isinstance(msg, ToolMessage):
+            print(f"\n{i}. Tool Result: {msg.content}")
+
+    print("\n" + "=" * 60)
+    print(f"Agent completed successfully. 
Final step: {final_state['current_step']}")
+    langfuse.flush()
+    return final_state['messages'][-1].content
+
+
+if __name__ == "__main__":
+    # main(user_query, history, model): the previous call passed four
+    # arguments to a three-parameter function and raised a TypeError.
+    main("oi", "", "anthropic.claude-haiku-4-5-20251001-v1:0")
\ No newline at end of file
diff --git a/code/app/backend/utils/dynamodb_read_table.py b/code/app/backend/utils/dynamodb_read_table.py
new file mode 100644
index 0000000..cf3f363
--- /dev/null
+++ b/code/app/backend/utils/dynamodb_read_table.py
@@ -0,0 +1,209 @@
+"""
+DynamoDB Table Reader Script
+
+This script connects to AWS DynamoDB and reads all entries from a specified table.
+Outputs data in XML format with <period> tags containing the context XML content.
+
+Usage:
+    from dynamodb_read_table import read_table_as_xml
+    xml_content = read_table_as_xml("my-table-name")
+"""
+
+import re
+import boto3
+from botocore.exceptions import ClientError
+
+
+def clean_context_xml(context: str) -> str:
+    """
+    Remove XML declaration and <relatorio> tags from context content.
+
+    Args:
+        context: Raw XML content from DynamoDB
+
+    Returns:
+        Cleaned XML content without declaration and relatorio tags
+    """
+    # Remove XML declaration (e.g., <?xml version="1.0"?>)
+    context = re.sub(r'<\?xml[^?]*\?>\s*', '', context)
+
+    # Remove opening <relatorio> tag (with any attributes); the previous
+    # pattern had lost the tag name and matched nothing useful.
+    context = re.sub(r'<relatorio[^>]*>\s*', '', context)
+
+    # Remove closing </relatorio> tag
+    context = re.sub(r'</relatorio>\s*', '', context)
+
+    return context.strip()
+
+
+def remove_xml_declaration(content: str) -> str:
+    """
+    Remove only the XML declaration from content.
+
+    Args:
+        content: Raw XML content
+
+    Returns:
+        Content without XML declaration (keeps relatorio tags)
+    """
+    content = re.sub(r'<\?xml[^?]*\?>\s*', '', content)
+    return content.strip()
+
+
+def format_items_to_xml(items: list) -> str:
+    """
+    Format all DynamoDB items to XML format.
+
+    Each item's 'period' field becomes a <period> tag,
+    and the 'context' and 'dados_consolidados' fields are placed inside it.
+
+    Args:
+        items: List of DynamoDB items
+
+    Returns:
+        Complete XML formatted string with all items
+    """
+    xml_parts = []
+
+    for item in items:
+        period = item.get("period", "unknown")
+        context = item.get("context", "")
+        dados_consolidados = item.get("dados_consolidados", "")
+
+        # Clean the XML content
+        cleaned_context = clean_context_xml(context)
+        cleaned_dados = remove_xml_declaration(dados_consolidados)
+
+        xml_parts.append(f"<{period}>")
+        xml_parts.append(cleaned_context)
+        if cleaned_dados:
+            xml_parts.append(cleaned_dados)
+        # Close the per-period tag; previously an empty string was appended
+        # here, which left every <period> element unclosed.
+        xml_parts.append(f"</{period}>")
+        xml_parts.append("")  # Empty line between entries
+
+    return "\n".join(xml_parts)
+
+
+def get_dynamodb_client(region_name: str = "us-east-1"):
+    """Create and return a DynamoDB client."""
+    session = boto3.Session()
+    return session.client("dynamodb", region_name=region_name)
+
+
+def get_dynamodb_resource(region_name: str = "us-east-1"):
+    """Create and return a DynamoDB resource for higher-level operations."""
+    session = boto3.Session()
+    return session.resource("dynamodb", region_name=region_name)
+
+
+def scan_table(table_name: str, region_name: str = "us-east-1") -> list:
+    """
+    Scan a DynamoDB table and return all items.
+
+    Uses pagination to handle tables larger than 1MB response limit.
+ + Args: + table_name: Name of the DynamoDB table to scan + region_name: AWS region where the table is located + + Returns: + List of all items in the table + """ + dynamodb = get_dynamodb_resource(region_name) + table = dynamodb.Table(table_name) + + items = [] + last_evaluated_key = None + + try: + while True: + if last_evaluated_key: + response = table.scan(ExclusiveStartKey=last_evaluated_key) + else: + response = table.scan() + + items.extend(response.get("Items", [])) + + last_evaluated_key = response.get("LastEvaluatedKey") + if not last_evaluated_key: + break + + print(f"Successfully scanned {len(items)} items from table '{table_name}'") + return items + + except ClientError as e: + error_code = e.response["Error"]["Code"] + error_message = e.response["Error"]["Message"] + print(f"Error scanning table: {error_code} - {error_message}") + raise + + +def list_tables(region_name: str = "us-east-1") -> list: + """List all DynamoDB tables in the specified region.""" + client = get_dynamodb_client(region_name) + + tables = [] + last_evaluated_table_name = None + + try: + while True: + if last_evaluated_table_name: + response = client.list_tables(ExclusiveStartTableName=last_evaluated_table_name) + else: + response = client.list_tables() + + tables.extend(response.get("TableNames", [])) + + last_evaluated_table_name = response.get("LastEvaluatedTableName") + if not last_evaluated_table_name: + break + + return tables + + except ClientError as e: + error_code = e.response["Error"]["Code"] + error_message = e.response["Error"]["Message"] + print(f"Error listing tables: {error_code} - {error_message}") + raise + + +def get_table_info(table_name: str, region_name: str = "us-east-1") -> dict: + """Get metadata information about a DynamoDB table.""" + client = get_dynamodb_client(region_name) + + try: + response = client.describe_table(TableName=table_name) + table_info = response.get("Table", {}) + + return { + "TableName": table_info.get("TableName"), + "TableStatus": 
table_info.get("TableStatus"), + "ItemCount": table_info.get("ItemCount"), + "TableSizeBytes": table_info.get("TableSizeBytes"), + "KeySchema": table_info.get("KeySchema"), + "AttributeDefinitions": table_info.get("AttributeDefinitions"), + "CreationDateTime": str(table_info.get("CreationDateTime")), + } + + except ClientError as e: + error_code = e.response["Error"]["Code"] + error_message = e.response["Error"]["Message"] + print(f"Error describing table: {error_code} - {error_message}") + raise + + +def read_table_as_xml(table_name: str, region_name: str = "us-east-1") -> str: + """ + Read all entries from a DynamoDB table and return as XML string. + + Args: + table_name: Name of the DynamoDB table to read + region_name: AWS region where the table is located (default: us-east-1) + + Returns: + XML formatted string with all items wrapped in tags + """ + items = scan_table(table_name, region_name) + return format_items_to_xml(items) +if __name__=="__main__": + print(read_table_as_xml("poc_dnx_monthly_summary","us-east-1")) \ No newline at end of file diff --git a/code/app/front.py b/code/app/front.py new file mode 100644 index 0000000..71b2fa5 --- /dev/null +++ b/code/app/front.py @@ -0,0 +1,89 @@ +import streamlit as st +import time +from backend import BDAgent +import boto3 + +# Configure the page - MUST BE FIRST +st.set_page_config( + page_title="Chatbot", + page_icon="💬", + layout="centered" +) + +session = boto3.Session() + +# Model selection with session state persistence +MODELS = [ + "anthropic.claude-sonnet-4-5-20250929-v1:0", + "meta.llama4-maverick-17b-instruct-v1:0", + "meta.llama4-scout-17b-instruct-v1:0", + "amazon.nova-lite-v1:0", + "amazon.nova-pro-v1:0", + "amazon.nova-2-lite-v1:0" +] + +selected_value = st.selectbox( + "Selecione o modelo:", + MODELS, + key="selected_model" +) + + + +# Initialize chat history in session state +if "messages" not in st.session_state: + st.session_state.messages = [] + +# Display title +st.title("💬 Chatbot") + +# 
Display chat history +for message in st.session_state.messages: + with st.chat_message(message["role"]): + st.markdown(message["content"]) + +# Chat input +if prompt := st.chat_input("Type your message here..."): + # Add user message to chat history + st.session_state.messages.append({"role": "user", "content": prompt}) + + # Display user message + with st.chat_message("user"): + st.markdown(prompt) + + # Display assistant response + with st.chat_message("assistant"): + message_placeholder = st.empty() + + # Simulate streaming response (replace with actual API call) + + full_response = BDAgent.main(prompt,str(st.session_state.messages),selected_value) + + # Simulate typing effect + displayed_response = "" + for char in full_response: + displayed_response += char + message_placeholder.markdown(displayed_response + "▌") + time.sleep(0.01) + + message_placeholder.markdown(full_response) + + # Add assistant response to chat history + st.session_state.messages.append({"role": "assistant", "content": full_response}) + +# Add a sidebar with options +with st.sidebar: + st.header("Options") + + if st.button("Clear Chat History"): + st.session_state.messages = [] + st.rerun() + + st.divider() + + st.markdown(""" + ### How to use: + 1. Type your message in the input box + 2. Press Enter or click Send + 3. View the conversation history + """) \ No newline at end of file diff --git a/code/entrypoint.sh b/code/entrypoint.sh new file mode 100644 index 0000000..f67db42 --- /dev/null +++ b/code/entrypoint.sh @@ -0,0 +1,23 @@ +#!/bin/bash + +# Define o diretório base da aplicação dentro do contêiner +APP_DIR="/app" + +# Navega para o diretório do backend e inicia a API FastAPI em segundo plano +#echo "Iniciando API FastAPI na porta 8000..." +#python app/backend/main.py & + +# Aguarda alguns segundos para garantir que a API tenha tempo de iniciar +# Isso é opcional, mas pode ajudar a evitar problemas de conexão imediata do frontend +#echo "Aguardando a API iniciar..." 
+#sleep 10 # Ajuste o tempo conforme necessário + +# Navega para o diretório do frontend e inicia o aplicativo Streamlit em primeiro plano +echo "Iniciando aplicativo Streamlit na porta 8501..." +# --server.headless=true é importante para rodar Streamlit em ambientes sem GUI (como Docker) +# --server.address=0.0.0.0 permite que o Streamlit seja acessado de fora do contêiner +# --server.enableCORS=false pode ser necessário dependendo da configuração, mas geralmente não para localhost +streamlit run app/front.py --server.port 8501 --server.address 0.0.0.0 --server.headless true + +# O comando 'streamlit run' manterá o contêiner em execução. +# Se o Streamlit parar por algum motivo, o script e, consequentemente, o contêiner, terminarão. \ No newline at end of file diff --git a/code/main.py b/code/main.py new file mode 100644 index 0000000..08c1bc0 --- /dev/null +++ b/code/main.py @@ -0,0 +1,6 @@ +def main(): + print("Hello from code!") + + +if __name__ == "__main__": + main() diff --git a/code/requirements.txt b/code/requirements.txt new file mode 100644 index 0000000..36fb5ea --- /dev/null +++ b/code/requirements.txt @@ -0,0 +1,6 @@ +boto3>=1.34.0 +langchain-aws>=0.1.0 +langgraph>=0.0.20 +langchain>=0.1.0 +streamlit +langfuse diff --git a/infra/ecr/Pulumi.inovyo.yaml b/infra/ecr/Pulumi.inovyo.yaml new file mode 100644 index 0000000..6b44807 --- /dev/null +++ b/infra/ecr/Pulumi.inovyo.yaml @@ -0,0 +1,9 @@ +config: + ecr_dev:entity_extraction_dev: ecr + ecr_dev:environment: dev + ecr_dev:ecr: + backend: + image_mutability: MUTABLE + name: assistente-analitico-db-dev + ecr_dev:project: Assistente Analitico db + aws:region: us-east-1 diff --git a/infra/ecr/Pulumi.yaml b/infra/ecr/Pulumi.yaml new file mode 100644 index 0000000..7ad347f --- /dev/null +++ b/infra/ecr/Pulumi.yaml @@ -0,0 +1,3 @@ +name: ecr_dev +runtime: python +description: Infraestrutura da aplicação ECR \ No newline at end of file diff --git a/infra/ecr/README.md b/infra/ecr/README.md new file mode 100644 
index 0000000..b6f4811 --- /dev/null +++ b/infra/ecr/README.md @@ -0,0 +1,93 @@ +# ecr + + + +## Getting started + +To make it easy for you to get started with GitLab, here's a list of recommended next steps. + +Already a pro? Just edit this README.md and make it your own. Want to make it easy? [Use the template at the bottom](#editing-this-readme)! + +## Add your files + +- [ ] [Create](https://docs.gitlab.com/ee/user/project/repository/web_editor.html#create-a-file) or [upload](https://docs.gitlab.com/ee/user/project/repository/web_editor.html#upload-a-file) files +- [ ] [Add files using the command line](https://docs.gitlab.com/ee/gitlab-basics/add-file.html#add-a-file-using-the-command-line) or push an existing Git repository with the following command: + +``` +cd existing_repo +git remote add origin https://gitlab.shared.cloud.dnxbrasil.com.br/dnx-br/sandbox/genai/ecr.git +git branch -M main +git push -uf origin main +``` + +## Integrate with your tools + +- [ ] [Set up project integrations](https://gitlab.shared.cloud.dnxbrasil.com.br/dnx-br/sandbox/genai/ecr/-/settings/integrations) + +## Collaborate with your team + +- [ ] [Invite team members and collaborators](https://docs.gitlab.com/ee/user/project/members/) +- [ ] [Create a new merge request](https://docs.gitlab.com/ee/user/project/merge_requests/creating_merge_requests.html) +- [ ] [Automatically close issues from merge requests](https://docs.gitlab.com/ee/user/project/issues/managing_issues.html#closing-issues-automatically) +- [ ] [Enable merge request approvals](https://docs.gitlab.com/ee/user/project/merge_requests/approvals/) +- [ ] [Set auto-merge](https://docs.gitlab.com/ee/user/project/merge_requests/merge_when_pipeline_succeeds.html) + +## Test and Deploy + +Use the built-in continuous integration in GitLab. 
+ +- [ ] [Get started with GitLab CI/CD](https://docs.gitlab.com/ee/ci/quick_start/index.html) +- [ ] [Analyze your code for known vulnerabilities with Static Application Security Testing (SAST)](https://docs.gitlab.com/ee/user/application_security/sast/) +- [ ] [Deploy to Kubernetes, Amazon EC2, or Amazon ECS using Auto Deploy](https://docs.gitlab.com/ee/topics/autodevops/requirements.html) +- [ ] [Use pull-based deployments for improved Kubernetes management](https://docs.gitlab.com/ee/user/clusters/agent/) +- [ ] [Set up protected environments](https://docs.gitlab.com/ee/ci/environments/protected_environments.html) + +*** + +# Editing this README + +When you're ready to make this README your own, just edit this file and use the handy template below (or feel free to structure it however you want - this is just a starting point!). Thanks to [makeareadme.com](https://www.makeareadme.com/) for this template. + +## Suggestions for a good README + +Every project is different, so consider which of these sections apply to yours. The sections used in the template are suggestions for most open source projects. Also keep in mind that while a README can be too long and detailed, too long is better than too short. If you think your README is too long, consider utilizing another form of documentation rather than cutting out information. + +## Name +Choose a self-explaining name for your project. + +## Description +Let people know what your project can do specifically. Provide context and add a link to any reference visitors might be unfamiliar with. A list of Features or a Background subsection can also be added here. If there are alternatives to your project, this is a good place to list differentiating factors. + +## Badges +On some READMEs, you may see small images that convey metadata, such as whether or not all the tests are passing for the project. You can use Shields to add some to your README. Many services also have instructions for adding a badge. 
+ +## Visuals +Depending on what you are making, it can be a good idea to include screenshots or even a video (you'll frequently see GIFs rather than actual videos). Tools like ttygif can help, but check out Asciinema for a more sophisticated method. + +## Installation +Within a particular ecosystem, there may be a common way of installing things, such as using Yarn, NuGet, or Homebrew. However, consider the possibility that whoever is reading your README is a novice and would like more guidance. Listing specific steps helps remove ambiguity and gets people to using your project as quickly as possible. If it only runs in a specific context like a particular programming language version or operating system or has dependencies that have to be installed manually, also add a Requirements subsection. + +## Usage +Use examples liberally, and show the expected output if you can. It's helpful to have inline the smallest example of usage that you can demonstrate, while providing links to more sophisticated examples if they are too long to reasonably include in the README. + +## Support +Tell people where they can go to for help. It can be any combination of an issue tracker, a chat room, an email address, etc. + +## Roadmap +If you have ideas for releases in the future, it is a good idea to list them in the README. + +## Contributing +State if you are open to contributions and what your requirements are for accepting them. + +For people who want to make changes to your project, it's helpful to have some documentation on how to get started. Perhaps there is a script that they should run or some environment variables that they need to set. Make these steps explicit. These instructions could also be useful to your future self. + +You can also document commands to lint the code or run tests. These steps help to ensure high code quality and reduce the likelihood that the changes inadvertently break something. 
Having instructions for running tests is especially helpful if it requires external setup, such as starting a Selenium server for testing in a browser. + +## Authors and acknowledgment +Show your appreciation to those who have contributed to the project. + +## License +For open source projects, say how it is licensed. + +## Project status +If you have run out of energy or time for your project, put a note at the top of the README saying that development has slowed down or stopped completely. Someone may choose to fork your project or volunteer to step in as a maintainer or owner, allowing your project to keep going. You can also make an explicit request for maintainers. diff --git a/infra/ecr/__main__.py b/infra/ecr/__main__.py new file mode 100644 index 0000000..511be84 --- /dev/null +++ b/infra/ecr/__main__.py @@ -0,0 +1,27 @@ +import json +import pulumi +import pulumi_aws as aws + +caller_identity = aws.get_caller_identity() +account_id = caller_identity.account_id + +config = pulumi.Config() +project = config.require("project") +environment = config.require("environment") +stacks=["backend"] +for stack in stacks: + ecr_config = config.require_object("ecr")[stack] + + ecr_repo = aws.ecr.Repository(ecr_config['name'], + name=ecr_config['name'], + encryption_configurations=[{ + "encryption_type": "AES256", + }], + image_scanning_configuration={ + "scan_on_push": False, + }, + image_tag_mutability=ecr_config['image_mutability'], + opts = pulumi.ResourceOptions(protect=False)) + + + pulumi.export("url", pulumi.Output.concat("ECR REPO ID:", ecr_repo.id)) diff --git a/infra/ecr/main.py b/infra/ecr/main.py new file mode 100644 index 0000000..9c20e27 --- /dev/null +++ b/infra/ecr/main.py @@ -0,0 +1,6 @@ +def main(): + print("Hello from ecr!") + + +if __name__ == "__main__": + main() diff --git a/infra/ecr/requirements.txt b/infra/ecr/requirements.txt new file mode 100644 index 0000000..20a7eca --- /dev/null +++ b/infra/ecr/requirements.txt @@ -0,0 +1,5 @@ +pulumi 
+pulumi-aws +pulumi-docker +boto3 +setuptools \ No newline at end of file diff --git a/infra/ecs_alb/Pulumi.Inovyo.yaml b/infra/ecs_alb/Pulumi.Inovyo.yaml new file mode 100644 index 0000000..e301e79 --- /dev/null +++ b/infra/ecs_alb/Pulumi.Inovyo.yaml @@ -0,0 +1,51 @@ +config: + aws:region: us-east-1 + app-ecs:account_id: "305427701314" # dnxbrasil-nonprod + app-ecs:project_name: assistente-analitico + app-ecs:environment: dev + # app-ecs:bedrock_api_key: + # secure: you-can-put-your-pulumi-encrypted-secure-string-here + app-ecs:tags: + project: assistente-analitico-db-dev + env: dev # dev, test, stage, prod + account: nonprod # prod, nonprod, dataScience + costCenter: AI # AWSGeneral, AI, data, productName + owner: AI # team or a preson responsible + app-ecs:network: + vpc_id: vpc-17ceb96c + alb_internal: false + alb_subnet_ids: # 2+ private subnets if alb_internal else public subnets in the same region and vpc + - subnet-0de9f056635629827 + - subnet-09cda74f27c543521 + alb_allow_ingress_cidr: + - 3.14.44.224/32 + ecs_subnet_ids: + - subnet-0f50f25a2fbb054d4 + - subnet-0014ea77951bbeb6c + app-ecs:ecs: + - task_name: assisnte-analitico-db-dev + ecr_repo_name: assistente-analitico-db-dev + ecr_image_tag: latest + ecr_image_digest: sha256:7a2aede33d8dd34822b73291d64e1ccce26980fc531290c54d992bcb7dee26fa + cpu: 256 + memory: 512 + desired_count: 1 + sgs_allowing_ingress: {} + use_load_balancer: true + auto_scaling: + min_capacity: 1 + max_capacity: 3 + target_value: 60.0 + lb_config: + name: listener + listener_port: 8501 + target_port: 8501 + container_port: 8501 + env_variables: + LANGFUSE_HOST: http://172.31.252.176:3000 + # SECRET_NAME: dev/ai-pge-doc-classification + # BEDROCK_REGION: us-east-1 + # LANGCHAIN_TRACING_V2: "true" + # LANGCHAIN_PROJECT: pge-doc-classification-dev + app-ecs:cloudwatch: + log_group_name: assistente-analitico-db-dev \ No newline at end of file diff --git a/infra/ecs_alb/Pulumi.yaml b/infra/ecs_alb/Pulumi.yaml new file mode 100644 index 
0000000..132c194 --- /dev/null +++ b/infra/ecs_alb/Pulumi.yaml @@ -0,0 +1,6 @@ +name: app-ecs +runtime: + name: python + options: + virtualenv: venv +description: AWS ECS application deploy diff --git a/infra/ecs_alb/README.md b/infra/ecs_alb/README.md new file mode 100644 index 0000000..30a3912 --- /dev/null +++ b/infra/ecs_alb/README.md @@ -0,0 +1,71 @@ +# GenAI project infrastructure with Pulumi + +Nesta documentação apresentamos o setup da IaC do projeto de GenAI. + + +## 🚀 Deploying Infrastructure to AWS + +Para deployar a infraestrutura referente ao projeto de GenAI, é utilizada uma stack IaC Pulumi. + +Para isso, o desenvolvedor deve seguir os passos: + +1. Dentro do diretório raiz do projeto, crie um ambiente virtual pelos comandos: +```shell +# pip install virtualenv +python3.11 -m venv .venv +source .venv/bin/activate +pip install -r requirements.txt +``` + +2. (opcional) Configure o seu Pulumi Token: +```shell +export PULUMI_ACCESS_TOKEN="your-access-token" +``` + +3. Pulumi Login: +```shell +pulumi login +``` + +4. (opcional) Select a stack to work on: +```shell +pulumi stack select +``` + +5. Suba a stack do pulumi: +```shell +pulumi up #selecione o stack se não tiver selecionado +``` + +Após estes passos, os serviços e dependências do projeto serão criados/atualizados, gerando a fundação para a aplicação. + +#### Observação 1: + +Lembre-se de configurar o usuário IAM registrado como profile no aws-cli, para detectar a conta AWS a ser utilizada: + +```shell +export AWS_PROFILE=myorg-nonprod +``` +Se não tiver configurado o profile no aws-cli, exporte as seguintes variáveis: + +```shell +export AWS_DEFAULT_REGION= +export AWS_ACCESS_KEY_ID= +export AWS_SECRET_ACCESS_KEY= +``` + +#### Observação 2: Registro de imagem Docker no ECR + +Para que a infraestrutura projetada anteriormente consiga referenciar as imagens de cada projeto, é necessário indicar o nome do repositório no argumento `ecr_repo_name` no arquivo YAML. 
+ +Como a versão da imagem a ser deployada, indique ou `ecr_image_tag` ou `ecr_image_digest`, sem indicar ambos. + +Para registrar corretamente a imagem Docker da sua aplicação no ECR, siga os passos descritos na seguinte documentação: + +- https://docs.aws.amazon.com/AmazonECR/latest/userguide/docker-push-ecr-image.html + +Para incluir variáveis de ambiente no container, informe-as como dicionário (chave-valor) em `env_variables`. + +## 🤝 Agradecimentos + +* Agradecemos por toda a parceria durante o projeto. Conte conosco! 📢 \ No newline at end of file diff --git a/infra/ecs_alb/__main__.py b/infra/ecs_alb/__main__.py new file mode 100644 index 0000000..d844815 --- /dev/null +++ b/infra/ecs_alb/__main__.py @@ -0,0 +1,60 @@ +import pulumi +import pulumi_aws as aws +import conf as config +import iam +import ecs + + +# ECS Cluster Setup +app_ecs_cluster = aws.ecs.Cluster(f"{config.project_name}-ecs-cluster", + configuration=aws.ecs.ClusterConfigurationArgs( + execute_command_configuration=aws.ecs.ClusterConfigurationExecuteCommandConfigurationArgs( + logging="DEFAULT", + ), + ), + settings=[aws.ecs.ClusterSettingArgs( + name="containerInsights", + value="disabled", + )], + tags={"Name": f"{config.project_name}-{config.stack_name}"}, +) + +ecs_cluster_capacity_providers = aws.ecs.ClusterCapacityProviders(f"{config.project_name}-cluster-capacity-providers", + cluster_name=app_ecs_cluster.name, + capacity_providers=["FARGATE", "FARGATE_SPOT"], +) + +# Security Group Setup +alb_security_group = aws.ec2.SecurityGroup(f"{config.project_name}-security-group", + vpc_id=config.network["vpc_id"], + ingress=[aws.ec2.SecurityGroupIngressArgs( + protocol="-1", + from_port=0, + to_port=0, + cidr_blocks=config.network["alb_allow_ingress_cidr"], + ), + ], + egress=[aws.ec2.SecurityGroupEgressArgs( + protocol="-1", + from_port=0, + to_port=0, + cidr_blocks=["0.0.0.0/0"], + )], +) + +# Load Balancer Setup +app_load_balancer = aws.lb.LoadBalancer( + f"alb-{config.project_name}", + 
load_balancer_type="application", + security_groups=[alb_security_group.id], + subnets=config.network["alb_subnet_ids"], + idle_timeout=(1200), + internal=config.network['alb_internal'], +) + +for ecs_app in config.ecs: + ecs.deploy_app(ecs_app, app_ecs_cluster, alb_security_group, app_load_balancer.arn) + +# Export the ALB DNS Name +pulumi.export("url", app_load_balancer.dns_name.apply(lambda dns_name: f"http://{dns_name}")) + diff --git a/infra/ecs_alb/autotag/autotag.py b/infra/ecs_alb/autotag/autotag.py new file mode 100644 index 0000000..5e7b829 --- /dev/null +++ b/infra/ecs_alb/autotag/autotag.py @@ -0,0 +1,13 @@ +import pulumi +from autotag.taggable import is_taggable + +# registerAutoTags registers a global stack transformation that merges a set +# of tags with whatever was also explicitly added to the resource definition. +def register_auto_tags(auto_tags): + pulumi.runtime.register_stack_transformation(lambda args: auto_tag(args, auto_tags)) + +# auto_tag applies the given tags to the resource properties if applicable. +def auto_tag(args, auto_tags): + if is_taggable(args.type_): + args.props['tags'] = {**(args.props['tags'] or {}), **auto_tags} + return pulumi.ResourceTransformationResult(args.props, args.opts) \ No newline at end of file diff --git a/infra/ecs_alb/autotag/policy-config.json b/infra/ecs_alb/autotag/policy-config.json new file mode 100644 index 0000000..ab6c09e --- /dev/null +++ b/infra/ecs_alb/autotag/policy-config.json @@ -0,0 +1,12 @@ +{ + "all": "mandatory", + "check-required-tags": { + "requiredTags": [ + "user:project", + "user:env", + "user:account", + "user:costCenter", + "user:owner" + ] + } +} \ No newline at end of file diff --git a/infra/ecs_alb/autotag/taggable.py b/infra/ecs_alb/autotag/taggable.py new file mode 100644 index 0000000..fa7f629 --- /dev/null +++ b/infra/ecs_alb/autotag/taggable.py @@ -0,0 +1,234 @@ +# isTaggable returns true if the given resource type is an AWS resource that supports tags. 
+def is_taggable(t): + return t in taggable_resource_types + +# taggable_resource_types is a list of known AWS type tokens that are taggable. +taggable_resource_types = [ + 'aws:accessanalyzer/analyzer:Analyzer', + 'aws:acm/certificate:Certificate', + 'aws:acmpca/certificateAuthority:CertificateAuthority', + 'aws:alb/loadBalancer:LoadBalancer', + 'aws:alb/targetGroup:TargetGroup', + 'aws:apigateway/apiKey:ApiKey', + 'aws:apigateway/clientCertificate:ClientCertificate', + 'aws:apigateway/domainName:DomainName', + 'aws:apigateway/restApi:RestApi', + 'aws:apigateway/stage:Stage', + 'aws:apigateway/usagePlan:UsagePlan', + 'aws:apigateway/vpcLink:VpcLink', + 'aws:applicationloadbalancing/loadBalancer:LoadBalancer', + 'aws:applicationloadbalancing/targetGroup:TargetGroup', + 'aws:appmesh/mesh:Mesh', + 'aws:appmesh/route:Route', + 'aws:appmesh/virtualNode:VirtualNode', + 'aws:appmesh/virtualRouter:VirtualRouter', + 'aws:appmesh/virtualService:VirtualService', + 'aws:appsync/graphQLApi:GraphQLApi', + 'aws:athena/workgroup:Workgroup', + 'aws:autoscaling/group:Group', + 'aws:backup/plan:Plan', + 'aws:backup/vault:Vault', + 'aws:cfg/aggregateAuthorization:AggregateAuthorization', + 'aws:cfg/configurationAggregator:ConfigurationAggregator', + 'aws:cfg/rule:Rule', + 'aws:cloudformation/stack:Stack', + 'aws:cloudformation/stackSet:StackSet', + 'aws:cloudfront/distribution:Distribution', + 'aws:cloudhsmv2/cluster:Cluster', + 'aws:cloudtrail/trail:Trail', + 'aws:cloudwatch/eventRule:EventRule', + 'aws:cloudwatch/logGroup:LogGroup', + 'aws:cloudwatch/metricAlarm:MetricAlarm', + 'aws:codebuild/project:Project', + 'aws:codecommit/repository:Repository', + 'aws:codepipeline/pipeline:Pipeline', + 'aws:codepipeline/webhook:Webhook', + 'aws:codestarnotifications/notificationRule:NotificationRule', + 'aws:cognito/identityPool:IdentityPool', + 'aws:cognito/userPool:UserPool', + 'aws:datapipeline/pipeline:Pipeline', + 'aws:datasync/agent:Agent', + 'aws:datasync/efsLocation:EfsLocation', + 
'aws:datasync/locationSmb:LocationSmb', + 'aws:datasync/nfsLocation:NfsLocation', + 'aws:datasync/s3Location:S3Location', + 'aws:datasync/task:Task', + 'aws:dax/cluster:Cluster', + 'aws:directconnect/connection:Connection', + 'aws:directconnect/hostedPrivateVirtualInterfaceAccepter:HostedPrivateVirtualInterfaceAccepter', + 'aws:directconnect/hostedPublicVirtualInterfaceAccepter:HostedPublicVirtualInterfaceAccepter', + 'aws:directconnect/hostedTransitVirtualInterfaceAcceptor:HostedTransitVirtualInterfaceAcceptor', + 'aws:directconnect/linkAggregationGroup:LinkAggregationGroup', + 'aws:directconnect/privateVirtualInterface:PrivateVirtualInterface', + 'aws:directconnect/publicVirtualInterface:PublicVirtualInterface', + 'aws:directconnect/transitVirtualInterface:TransitVirtualInterface', + 'aws:directoryservice/directory:Directory', + 'aws:dlm/lifecyclePolicy:LifecyclePolicy', + 'aws:dms/endpoint:Endpoint', + 'aws:dms/replicationInstance:ReplicationInstance', + 'aws:dms/replicationSubnetGroup:ReplicationSubnetGroup', + 'aws:dms/replicationTask:ReplicationTask', + 'aws:docdb/cluster:Cluster', + 'aws:docdb/clusterInstance:ClusterInstance', + 'aws:docdb/clusterParameterGroup:ClusterParameterGroup', + 'aws:docdb/subnetGroup:SubnetGroup', + 'aws:dynamodb/table:Table', + 'aws:ebs/snapshot:Snapshot', + 'aws:ebs/snapshotCopy:SnapshotCopy', + 'aws:ebs/volume:Volume', + 'aws:ec2/ami:Ami', + 'aws:ec2/amiCopy:AmiCopy', + 'aws:ec2/amiFromInstance:AmiFromInstance', + 'aws:ec2/capacityReservation:CapacityReservation', + 'aws:ec2/customerGateway:CustomerGateway', + 'aws:ec2/defaultNetworkAcl:DefaultNetworkAcl', + 'aws:ec2/defaultRouteTable:DefaultRouteTable', + 'aws:ec2/defaultSecurityGroup:DefaultSecurityGroup', + 'aws:ec2/defaultSubnet:DefaultSubnet', + 'aws:ec2/defaultVpc:DefaultVpc', + 'aws:ec2/defaultVpcDhcpOptions:DefaultVpcDhcpOptions', + 'aws:ec2/eip:Eip', + 'aws:ec2/fleet:Fleet', + 'aws:ec2/instance:Instance', + 'aws:ec2/internetGateway:InternetGateway', + 
'aws:ec2/keyPair:KeyPair', + 'aws:ec2/launchTemplate:LaunchTemplate', + 'aws:ec2/natGateway:NatGateway', + 'aws:ec2/networkAcl:NetworkAcl', + 'aws:ec2/networkInterface:NetworkInterface', + 'aws:ec2/placementGroup:PlacementGroup', + 'aws:ec2/routeTable:RouteTable', + 'aws:ec2/securityGroup:SecurityGroup', + 'aws:ec2/spotInstanceRequest:SpotInstanceRequest', + 'aws:ec2/subnet:Subnet', + 'aws:ec2/vpc:Vpc', + 'aws:ec2/vpcDhcpOptions:VpcDhcpOptions', + 'aws:ec2/vpcEndpoint:VpcEndpoint', + 'aws:ec2/vpcEndpointService:VpcEndpointService', + 'aws:ec2/vpcPeeringConnection:VpcPeeringConnection', + 'aws:ec2/vpcPeeringConnectionAccepter:VpcPeeringConnectionAccepter', + 'aws:ec2/vpnConnection:VpnConnection', + 'aws:ec2/vpnGateway:VpnGateway', + 'aws:ec2clientvpn/endpoint:Endpoint', + 'aws:ec2transitgateway/routeTable:RouteTable', + 'aws:ec2transitgateway/transitGateway:TransitGateway', + 'aws:ec2transitgateway/vpcAttachment:VpcAttachment', + 'aws:ec2transitgateway/vpcAttachmentAccepter:VpcAttachmentAccepter', + 'aws:ecr/repository:Repository', + 'aws:ecs/capacityProvider:CapacityProvider', + 'aws:ecs/cluster:Cluster', + 'aws:ecs/service:Service', + 'aws:ecs/taskDefinition:TaskDefinition', + 'aws:efs/fileSystem:FileSystem', + 'aws:eks/cluster:Cluster', + 'aws:eks/fargateProfile:FargateProfile', + 'aws:eks/nodeGroup:NodeGroup', + 'aws:elasticache/cluster:Cluster', + 'aws:elasticache/replicationGroup:ReplicationGroup', + 'aws:elasticbeanstalk/application:Application', + 'aws:elasticbeanstalk/applicationVersion:ApplicationVersion', + 'aws:elasticbeanstalk/environment:Environment', + 'aws:elasticloadbalancing/loadBalancer:LoadBalancer', + 'aws:elasticloadbalancingv2/loadBalancer:LoadBalancer', + 'aws:elasticloadbalancingv2/targetGroup:TargetGroup', + 'aws:elasticsearch/domain:Domain', + 'aws:elb/loadBalancer:LoadBalancer', + 'aws:emr/cluster:Cluster', + 'aws:fsx/lustreFileSystem:LustreFileSystem', + 'aws:fsx/windowsFileSystem:WindowsFileSystem', + 'aws:gamelift/alias:Alias', + 
'aws:gamelift/build:Build', + 'aws:gamelift/fleet:Fleet', + 'aws:gamelift/gameSessionQueue:GameSessionQueue', + 'aws:glacier/vault:Vault', + 'aws:glue/crawler:Crawler', + 'aws:glue/job:Job', + 'aws:glue/trigger:Trigger', + 'aws:iam/role:Role', + 'aws:iam/user:User', + 'aws:inspector/resourceGroup:ResourceGroup', + 'aws:kinesis/analyticsApplication:AnalyticsApplication', + 'aws:kinesis/firehoseDeliveryStream:FirehoseDeliveryStream', + 'aws:kinesis/stream:Stream', + 'aws:kms/externalKey:ExternalKey', + 'aws:kms/key:Key', + 'aws:lambda/function:Function', + 'aws:lb/loadBalancer:LoadBalancer', + 'aws:lb/targetGroup:TargetGroup', + 'aws:licensemanager/licenseConfiguration:LicenseConfiguration', + 'aws:lightsail/instance:Instance', + 'aws:mediaconvert/queue:Queue', + 'aws:mediapackage/channel:Channel', + 'aws:mediastore/container:Container', + 'aws:mq/broker:Broker', + 'aws:mq/configuration:Configuration', + 'aws:msk/cluster:Cluster', + 'aws:neptune/cluster:Cluster', + 'aws:neptune/clusterInstance:ClusterInstance', + 'aws:neptune/clusterParameterGroup:ClusterParameterGroup', + 'aws:neptune/eventSubscription:EventSubscription', + 'aws:neptune/parameterGroup:ParameterGroup', + 'aws:neptune/subnetGroup:SubnetGroup', + 'aws:opsworks/stack:Stack', + 'aws:organizations/account:Account', + 'aws:pinpoint/app:App', + 'aws:qldb/ledger:Ledger', + 'aws:ram/resourceShare:ResourceShare', + 'aws:rds/cluster:Cluster', + 'aws:rds/clusterEndpoint:ClusterEndpoint', + 'aws:rds/clusterInstance:ClusterInstance', + 'aws:rds/clusterParameterGroup:ClusterParameterGroup', + 'aws:rds/clusterSnapshot:ClusterSnapshot', + 'aws:rds/eventSubscription:EventSubscription', + 'aws:rds/instance:Instance', + 'aws:rds/optionGroup:OptionGroup', + 'aws:rds/parameterGroup:ParameterGroup', + 'aws:rds/securityGroup:SecurityGroup', + 'aws:rds/snapshot:Snapshot', + 'aws:rds/subnetGroup:SubnetGroup', + 'aws:redshift/cluster:Cluster', + 'aws:redshift/eventSubscription:EventSubscription', + 
'aws:redshift/parameterGroup:ParameterGroup', + 'aws:redshift/snapshotCopyGrant:SnapshotCopyGrant', + 'aws:redshift/snapshotSchedule:SnapshotSchedule', + 'aws:redshift/subnetGroup:SubnetGroup', + 'aws:resourcegroups/group:Group', + 'aws:route53/healthCheck:HealthCheck', + 'aws:route53/resolverEndpoint:ResolverEndpoint', + 'aws:route53/resolverRule:ResolverRule', + 'aws:route53/zone:Zone', + 'aws:s3/bucket:Bucket', + 'aws:s3/bucketObject:BucketObject', + 'aws:sagemaker/endpoint:Endpoint', + 'aws:sagemaker/endpointConfiguration:EndpointConfiguration', + 'aws:sagemaker/model:Model', + 'aws:sagemaker/notebookInstance:NotebookInstance', + 'aws:secretsmanager/secret:Secret', + 'aws:servicecatalog/portfolio:Portfolio', + 'aws:sfn/activity:Activity', + 'aws:sfn/stateMachine:StateMachine', + 'aws:sns/topic:Topic', + 'aws:sqs/queue:Queue', + 'aws:ssm/activation:Activation', + 'aws:ssm/document:Document', + 'aws:ssm/maintenanceWindow:MaintenanceWindow', + 'aws:ssm/parameter:Parameter', + 'aws:ssm/patchBaseline:PatchBaseline', + 'aws:storagegateway/cachesIscsiVolume:CachesIscsiVolume', + 'aws:storagegateway/gateway:Gateway', + 'aws:storagegateway/nfsFileShare:NfsFileShare', + 'aws:storagegateway/smbFileShare:SmbFileShare', + 'aws:swf/domain:Domain', + 'aws:transfer/server:Server', + 'aws:transfer/user:User', + 'aws:waf/rateBasedRule:RateBasedRule', + 'aws:waf/rule:Rule', + 'aws:waf/ruleGroup:RuleGroup', + 'aws:waf/webAcl:WebAcl', + 'aws:wafregional/rateBasedRule:RateBasedRule', + 'aws:wafregional/rule:Rule', + 'aws:wafregional/ruleGroup:RuleGroup', + 'aws:wafregional/webAcl:WebAcl', + 'aws:workspaces/directory:Directory', + 'aws:workspaces/ipGroup:IpGroup', +] \ No newline at end of file diff --git a/infra/ecs_alb/conf.py b/infra/ecs_alb/conf.py new file mode 100644 index 0000000..165eb96 --- /dev/null +++ b/infra/ecs_alb/conf.py @@ -0,0 +1,31 @@ +import pulumi +import pulumi_aws as aws +from autotag.autotag import register_auto_tags + +config = pulumi.Config() + 
+pulumi_project = pulumi.get_project() + +project_name = config.require("project_name") +stack_name = pulumi.get_stack() +aws_region = aws.get_region().id + + +current = aws.get_caller_identity() + +current = aws.get_caller_identity_output() +account_id1 = current.account_id + +account_id = config.require("account_id") + +network = config.get_object("network") +ecs = config.get_object("ecs") +ecr = config.get_object("ecr") +environment = config.require("environment") + +register_auto_tags(config.get_object('tags')) + +def get(x): + return config.get(x) +def get_bool(x): + return config.get_bool(x) \ No newline at end of file diff --git a/infra/ecs_alb/ecr.py b/infra/ecs_alb/ecr.py new file mode 100644 index 0000000..05308bb --- /dev/null +++ b/infra/ecs_alb/ecr.py @@ -0,0 +1,100 @@ +import pulumi +import pulumi_aws as aws +import conf as config +import json + + +def create_ecr_repo(): + ecr_repositories = [] + for repo in config.ecr["repos"]: + if repo["create_ecr_repo"]: + ecr_repository = aws.ecr.Repository( + repo, + name=f"{repo}", + force_delete=True) + + token = aws.ecr.get_authorization_token_output(registry_id=ecr_repository.registry_id) + langserve_ecr_life_cycle_policy = aws.ecr.LifecyclePolicy(f"{repo}-ecr-life-cycle-policy", + repository=ecr_repository.name, + policy=json.dumps({ + "rules": [{ + "rulePriority": 1, + "description": "Expire images when they are more than 10 available", + "selection": { + "tagStatus": "any", + "countType": "imageCountMoreThan", + "countNumber": 10, + }, + "action": { + "type": "expire", + }, + }], + })) + + policy_ecr = aws.iam.get_policy_document(statements=[{ + "sid": "new policy", + "effect": "Allow", + "principals": [{ + "type": "AWS", + "identifiers": [config.account_id], + }], + "actions": [ + "ecr:GetDownloadUrlForLayer", + "ecr:BatchGetImage", + "ecr:BatchCheckLayerAvailability", + "ecr:PutImage", + "ecr:InitiateLayerUpload", + "ecr:UploadLayerPart", + "ecr:CompleteLayerUpload", + "ecr:DescribeRepositories", + 
"ecr:GetRepositoryPolicy", + "ecr:ListImages", + "ecr:DeleteRepository", + "ecr:BatchDeleteImage", + "ecr:SetRepositoryPolicy", + "ecr:DeleteRepositoryPolicy", + ], + }]) + attach_policy = aws.ecr.RepositoryPolicy(f"{repo}-policy_ecr", + repository=ecr_repository.name, + policy=policy_ecr.json) + else: + ecr_repository = aws.ecr.get_repository_output(name=repo['name']) + token = aws.ecr.get_authorization_token_output(registry_id=ecr_repository.registry_id) + + repo['ecr_repo_resource'] = ecr_repository + repo['ecr_token'] = token + ecr_repositories.append(repo) + + return ecr_repositories + +def get_image(ecr_repo_name, image_tag=None, image_digest=None): + assert (image_tag is not None) != (image_digest is not None), 'User either tag or image_digest, not both, to identify ECR image version.' + if image_tag: + return aws.ecr.get_image(repository_name=ecr_repo_name, image_tag=image_tag) + elif image_digest: + return aws.ecr.get_image(repository_name=ecr_repo_name, image_digest=image_digest) + +def build_and_push(ecr_repositories): + ecr_repo_images = {} + for repo in ecr_repositories: + ecr_repo = repo['ecr_repo_resource'] + container_context = config.get("container-context") + if container_context is None: + container_context = "." 
+ container_file = config.get("container-file") + if container_file is None: + container_file = "./Dockerfile" + + assert ('tag' in repo.keys()) != ('image_digest' in repo.keys()), 'User must provide either tag or image_digest, but not both, to identify image version' + if 'tag' in repo.keys(): + ecr_image=aws.ecr.get_image(repository_name=ecr_repo.name, image_tag=repo['tag']) + elif 'image_digest' in repo.keys(): + ecr_image=aws.ecr.get_image(repository_name=ecr_repo.name, image_digest=repo['image_digest']) + + repo['ecr_image'] = ecr_image + + ecr_repo_images[repo['name']] = repo + + #ecr_repo_images.append(repo) + return ecr_repo_images \ No newline at end of file diff --git a/infra/ecs_alb/ecs.py b/infra/ecs_alb/ecs.py new file mode 100644 index 0000000..16f7169 --- /dev/null +++ b/infra/ecs_alb/ecs.py @@ -0,0 +1,238 @@ +import pulumi +import pulumi_aws as aws +import conf as config +import iam +import ecr +import json + +def deploy_app(config_ecs_app, app_ecs_cluster, alb_security_group, app_load_balancer_arn): + lb_config = config_ecs_app["lb_config"] + target_group = aws.lb.TargetGroup(f"app-target-group-{lb_config['listener_port']}", + port=lb_config["target_port"], + protocol="HTTP", + vpc_id=config.network["vpc_id"], + target_type="ip", + health_check=aws.lb.TargetGroupHealthCheckArgs( + path="/", # TODO if it doesn't work, can use /docs for fastapi + protocol="HTTP", + port="traffic-port", + healthy_threshold=2, + unhealthy_threshold=2, + timeout=5, + interval=30, + matcher="200-499", + ), + ) + aws.lb.Listener(f"app-listener-{lb_config['listener_port']}", + load_balancer_arn=app_load_balancer_arn, + port=lb_config["listener_port"], + protocol="HTTP", + default_actions=[aws.lb.ListenerDefaultActionArgs( + type="forward", + target_group_arn=target_group.arn, + )], + ) + # target_groups.append(target_group) + + # Build and Push ECR + # ecr_repos = ecr.create_ecr_repo(config_ecs_app['ecr_repo_name']) + # assert ('ecr_image_tag' in config_ecs_app.keys()) != 
('ecr_image_digest' in config_ecs_app.keys()), 'User must provide either tag or image_digest, but not both, to identify image version' + if 'ecr_image_tag' in config_ecs_app.keys(): + ecr_repo_image = ecr.get_image(config_ecs_app['ecr_repo_name'], image_tag=config_ecs_app['ecr_image_tag']) + elif 'ecr_image_digest' in config_ecs_app.keys(): + ecr_repo_image = ecr.get_image(config_ecs_app['ecr_repo_name'], image_digest=config_ecs_app['ecr_image_digest']) + + + # Log Group Setup #TODO move into ecs + app_log_group = aws.cloudwatch.LogGroup(f"{config.project_name}-{config_ecs_app['task_name']}-log-group", retention_in_days=7) + + + # if key + # ssm_parameter, key = kms.setup_kms() + # iam.create_execution_role_with_keys(ssm_parameter, key) + # IAM Roles Setup + app_execution_role = iam.create_execution_role() + app_task_role = iam.create_task_role() + + # summarization_repo_image = config_ecs_app['ecr_image'] + + if config_ecs_app['use_load_balancer']: + environemnt_variables = [dict(name=k, value=v) for k,v in config_ecs_app['env_variables'].items()] + print(environemnt_variables) + # ECS Task Definition Setup + app_task_definition = aws.ecs.TaskDefinition(f"{config.project_name}-{config_ecs_app['task_name']}-task-definition", + family=f"{config.project_name}-{config_ecs_app['task_name']}-{config.environment}", + cpu=config_ecs_app["cpu"], + memory=config_ecs_app["memory"], + network_mode="awsvpc", + execution_role_arn=app_execution_role.arn, + task_role_arn=app_task_role.arn, + requires_compatibilities=["FARGATE"], + container_definitions=pulumi.Output.all(ecr_repo_image.image_uri, + # ecr_repo_image.image_digest, + app_log_group.name, + environemnt_variables, + # config_ecs_app["secret_name"], + ).apply(lambda args: json.dumps([{ + "name": f"{config.project_name}-{config_ecs_app['task_name']}-{config.environment}-service", + "image": args[0], + "cpu": 0, + "portMappings": [ + { + "name": "api", + "containerPort": lb_config["container_port"], + "hostPort": 
lb_config["target_port"], + "protocol": "tcp", + } + # } for lb_config_item in lb_configs + ], + "essential": True, + "logConfiguration": { + "logDriver": "awslogs", + "options": { + "awslogs-group": args[1], + "awslogs-region": config.aws_region, + "awslogs-stream-prefix": "pulumi-langserve", + }, + }, + "environment": args[2], + }])), + ) + + # ECS Security Group Setup + app_ecs_security_group = aws.ec2.SecurityGroup(f"{config.project_name}-{config_ecs_app['task_name']}-ecs-security-group", + vpc_id=config.network["vpc_id"], + ingress=[aws.ec2.SecurityGroupIngressArgs( + protocol="-1", + from_port=0, + to_port=0, + security_groups=[alb_security_group.id], + )], + egress=[aws.ec2.SecurityGroupEgressArgs( + protocol="-1", + from_port=0, + to_port=0, + cidr_blocks=["0.0.0.0/0"], + )], + ) + + # Security Group Rules for Ingress + for sg_name, sg_id in config_ecs_app["sgs_allowing_ingress"].items(): + aws.ec2.SecurityGroupRule(f"sgr-{sg_name}-allow_in_from-{config.project_name}", + type="ingress", + from_port=0, + to_port=0, + protocol="-1", + security_group_id=sg_id, + source_security_group_id=app_ecs_security_group.id, + description=f"Allow from {config.project_name} ECS SG", + ) + + # Service Discovery Namespace Setup + app_service_discovery_namespace = aws.servicediscovery.PrivateDnsNamespace(f"{config.project_name}-{config_ecs_app['task_name']}-service-discovery-namespace", + name=f"{config.environment}.{config.project_name}.local", + vpc=config.network["vpc_id"], + ) + + # ECS Service Setup + load_balancer = aws.ecs.ServiceLoadBalancerArgs( + target_group_arn=target_group.arn, + container_name=f"{config.project_name}-{config_ecs_app['task_name']}-{config.environment}-service", + container_port=lb_config["target_port"], + ) + + app_service = aws.ecs.Service(f"{config.project_name}-{config_ecs_app['task_name']}-service", + cluster=app_ecs_cluster.arn, + task_definition=app_task_definition.arn, + desired_count=config_ecs_app["desired_count"], + 
launch_type="FARGATE", + network_configuration=aws.ecs.ServiceNetworkConfigurationArgs( + assign_public_ip=True, + security_groups=[app_ecs_security_group.id], + subnets=config.network["ecs_subnet_ids"], + ), + load_balancers=[load_balancer], + scheduling_strategy="REPLICA", + service_connect_configuration=aws.ecs.ServiceServiceConnectConfigurationArgs( + enabled=True, + namespace=app_service_discovery_namespace.arn, + ), + tags={"Name": f"{config.project_name}-{config_ecs_app['task_name']}-{config.environment}"}, + ) + + #defining an auto-scaling for summarization + scalable_target = aws.appautoscaling.Target("app-svc-target", + max_capacity=config_ecs_app['auto_scaling']['max_capacity'], + min_capacity=config_ecs_app['auto_scaling']['min_capacity'], + resource_id=pulumi.Output.all(app_ecs_cluster.name, app_service.name).apply(lambda args: f"service/{args[0]}/{args[1]}"), + scalable_dimension="ecs:service:DesiredCount", + service_namespace="ecs", + ) + + # Define an auto-scaling policy on CPU utilization + scaling_policy = aws.appautoscaling.Policy("app-svc-policy", + policy_type="TargetTrackingScaling", + resource_id=scalable_target.resource_id, + scalable_dimension="ecs:service:DesiredCount", + service_namespace="ecs", + target_tracking_scaling_policy_configuration={ + "target_value": config_ecs_app['auto_scaling']['target_value'], # Target CPU utilization (30%) + "predefined_metric_specification": { + "predefined_metric_type": "ECSServiceAverageCPUUtilization" + }, + }, + ) + else: + # classification_repo_image = ecr_repo_images['ai-med-exam-classification']['ecr_image'] + # ECS without Load Balancer + new_ecs_task_definition = aws.ecs.TaskDefinition("classification-theia-poc-task-definition", + family="classification-theia-poc", + cpu=config_ecs_app["cpu"], + memory=config_ecs_app["memory"], + network_mode="awsvpc", + execution_role_arn=app_execution_role.arn, + task_role_arn=app_task_role.arn, + requires_compatibilities=["FARGATE"], + 
container_definitions=pulumi.Output.all(ecr_repo_image.image_uri, + # classification_repo_image.image_digest, + app_log_group.name).apply(lambda args: json.dumps([{ + "name": "classification-theia-poc-service", + "image": args[0], + "cpu": 0, + "portMappings": [ + { + "name": "api", + "containerPort": 80, # Define the container port without Load Balancer + "hostPort": 80, + "protocol": "tcp", + } + ], + "essential": True, + "logConfiguration": { + "logDriver": "awslogs", + "options": { + "awslogs-group": args[1], + "awslogs-region": config.aws_region, + "awslogs-stream-prefix": "pulumi-classification-theia-poc", + }, + }, + }])), + ) + # ecs without load balancer + new_ecs_service = aws.ecs.Service("classification-theia-poc-service", + cluster=app_ecs_cluster.arn, + task_definition=new_ecs_task_definition.arn, + desired_count=config_ecs_app["desired_count"], + launch_type="FARGATE", + network_configuration=aws.ecs.ServiceNetworkConfigurationArgs( + assign_public_ip=True, + security_groups=[app_ecs_security_group.id], + subnets=config.network["ecs_subnet_ids"], + ), + scheduling_strategy="REPLICA", + service_connect_configuration=aws.ecs.ServiceServiceConnectConfigurationArgs( + enabled=True, + namespace=app_service_discovery_namespace.arn, + ), + tags={"Name": "classification-theia-poc"}, + ) \ No newline at end of file diff --git a/infra/ecs_alb/iam.py b/infra/ecs_alb/iam.py new file mode 100644 index 0000000..59f5086 --- /dev/null +++ b/infra/ecs_alb/iam.py @@ -0,0 +1,281 @@ +import pulumi +import pulumi_aws as aws +import conf as config +import json + + +def create_execution_role(): + execution_role = aws.iam.Role(f"{config.project_name}-execution-role", + assume_role_policy=json.dumps({ + "Version": "2012-10-17", + "Statement": [{ + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": "ecs-tasks.amazonaws.com", + }, + }, + ], + }), + inline_policies=[aws.iam.RoleInlinePolicyArgs( + 
name=f"{config.project_name}-{config.stack_name}-service-secrets-policy", + policy=json.dumps({ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "ecr:GetAuthorizationToken", + "ecr:BatchCheckLayerAvailability", + "ecr:GetDownloadUrlForLayer", + "ecr:GetRepositoryPolicy", + "ecr:DescribeRepositories", + "ecr:ListImages", + "ecr:DescribeImages", + "ecr:BatchGetImage", + "ecr:GetLifecyclePolicy", + "ecr:GetLifecyclePolicyPreview", + "ecr:ListTagsForResource", + "ecr:DescribeImageScanFindings" + ], + "Resource": "*" + } + ], + }), + )], + managed_policy_arns=["arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"]) + return execution_role + +def create_execution_role_with_keys(ssm_parameter, key): + execution_role = aws.iam.Role(f"{config.project_name}-execution-role", + assume_role_policy=json.dumps({ + "Statement": [{ + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": "ecs-tasks.amazonaws.com", + }, + }], + "Version": "2012-10-17", + }), + inline_policies=[aws.iam.RoleInlinePolicyArgs( + name=f"{config.project_name}-{config.stack_name}-service-secrets-policy", + policy=pulumi.Output.all(ssm_parameter.arn, key.arn).apply(lambda args: json.dumps({ + "Version": "2012-10-17", + "Statement": [ + { + "Action": ["ssm:GetParameters"], + "Condition": { + "StringEquals": { + "ssm:ResourceTag/pulumi-application": config.project_name, + "ssm:ResourceTag/pulumi-environment": config.stack_name, + }, + }, + "Effect": "Allow", + "Resource": [args[0]], + }, + { + "Action": ["kms:Decrypt"], + "Condition": { + "StringEquals": { + "aws:ResourceTag/pulumi-application": config.project_name, + "aws:ResourceTag/pulumi-environment": config.stack_name, + }, + }, + "Effect": "Allow", + "Resource": [args[1]], + "Sid": "DecryptTaggedKMSKey", + }, + { + "Effect": "Allow", + "Action": [ + "ecr:GetAuthorizationToken", + "ecr:BatchCheckLayerAvailability", + "ecr:GetDownloadUrlForLayer", + "ecr:GetRepositoryPolicy", + 
"ecr:DescribeRepositories", + "ecr:ListImages", + "ecr:DescribeImages", + "ecr:BatchGetImage", + "ecr:GetLifecyclePolicy", + "ecr:GetLifecyclePolicyPreview", + "ecr:ListTagsForResource", + "ecr:DescribeImageScanFindings" + ], + "Resource": "*" + } + ], + })), + )], + managed_policy_arns=["arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"]) + return execution_role + + +def create_task_role(): + task_role = aws.iam.Role(f"{config.project_name}-task-role", + assume_role_policy=json.dumps({ + "Statement": [{ + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": "ecs-tasks.amazonaws.com", + }, + }], + "Version": "2012-10-17", + }), + inline_policies=[ + aws.iam.RoleInlinePolicyArgs( + name="ExecuteCommand", + policy=json.dumps({ + "Version": "2012-10-17", + "Statement": [ + { + "Action": [ + "ssmmessages:CreateControlChannel", + "ssmmessages:OpenControlChannel", + "ssmmessages:CreateDataChannel", + "ssmmessages:OpenDataChannel", + ], + "Effect": "Allow", + "Resource": "*", + }, + { + "Action": [ + "logs:CreateLogStream", + "logs:DescribeLogGroups", + "logs:DescribeLogStreams", + "logs:PutLogEvents", + ], + "Effect": "Allow", + "Resource": "*", + },{ + "Effect": "Allow", + "Action": [ + "athena:StartQueryExecution", + "athena:GetQueryExecution", + "athena:GetQueryResults", + "athena:StopQueryExecution", + ], + "Resource": f"arn:aws:athena:us-east-1:305427701314:workgroup/iceberg-workgroup", + }, + { + "Effect": "Allow", + "Action": [ + "glue:GetDatabase", + "glue:GetTable", + "glue:GetPartitions", + ], + "Resource": [ + f"arn:aws:glue:us-east-1:305427701314:catalog", + f"arn:aws:glue:us-east-1:305427701314:database/dnx_warehouse", + f"arn:aws:glue:us-east-1:305427701314:table/dnx_warehouse/*", + ], + }, { + "Effect" : "Allow", + "Action" : [ + "secretsmanager:GetSecretValue", + "secretsmanager:DescribeSecret" + ], + "Resource" : ["arn:aws:secretsmanager:us-east-1:305427701314:secret:assistente-db-secrets-manager-mpYPMi" + 
]}, + { + "Effect": "Allow", + "Action": [ + "dynamodb:Scan", + "dynamodb:GetItem", + "dynamodb:Query", + "dynamodb:DescribeTable" + ], + "Resource": "arn:aws:dynamodb:us-east-1:305427701314:table/poc_dnx_monthly_summary" + }, + ], + }), + ), + aws.iam.RoleInlinePolicyArgs( + name="DenyIAM", + policy=json.dumps({ + "Version": "2012-10-17", + "Statement": [{ + "Action": "iam:*", + "Effect": "Deny", + "Resource": "*", + }], + }), + ), + aws.iam.RoleInlinePolicyArgs( + name="BedrockS3SQSAccess", + policy=json.dumps({ + "Version": "2012-10-17", + "Statement": [ + # S3 + { + "Effect": "Allow", + "Action": [ + "s3:*", + "s3-object-lambda:*" + ], + "Resource": "*" + }, + # SQS + { + "Effect": "Allow", + "Action": [ + "sqs:StartMessageMoveTask", + "sqs:DeleteMessage", + "sqs:GetQueueUrl", + "sqs:ListDeadLetterSourceQueues", + "sqs:ListMessageMoveTasks", + "sqs:PurgeQueue", + "sqs:ReceiveMessage", + "sqs:GetQueueAttributes", + "sqs:ListQueueTags" + ], + "Resource": "arn:aws:sqs:us-east-1:673991670544:ai-med-dev-queue-63cb463" + }, + { + "Effect": "Allow", + "Action": "sqs:ListQueues", + "Resource": "*" + }, + # Bedrock + { + "Effect": "Allow", + "Action": [ + "bedrock:*" + ], + "Resource": "*" + }, + { + "Effect": "Allow", + "Action": [ + "kms:DescribeKey" + ], + "Resource": "arn:*:kms:*:*:key/*" + }, + { + "Effect": "Allow", + "Action": [ + "iam:ListRoles", + "ec2:DescribeVpcs", + "ec2:DescribeSubnets", + "ec2:DescribeSecurityGroups" + ], + "Resource": "*" + }, + { + "Effect": "Allow", + "Action": [ + "iam:PassRole" + ], + "Resource": "arn:aws:iam::*:role/*AmazonBedrock*", + "Condition": { + "StringEquals": { + "iam:PassedToService": "bedrock.amazonaws.com" + } + } + } + ] + }) + ), + ]) + return task_role diff --git a/infra/ecs_alb/kms.py b/infra/ecs_alb/kms.py new file mode 100644 index 0000000..07f3863 --- /dev/null +++ b/infra/ecs_alb/kms.py @@ -0,0 +1,74 @@ +import pulumi +import pulumi_aws as aws +import pulumi_docker as docker +import conf as config +import json + + 
+def setup_kms(): + # KMS Key Setup + app_key = aws.kms.Key(f"{config.project_name}-key", + description="Key for encrypting secrets", + enable_key_rotation=True, + policy=json.dumps({ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Sid": "", + "Principal": { + "AWS": f"arn:aws:iam::{config.account_id}:root", + }, + "Action": [ + "kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*", "kms:Update*", + "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*", "kms:ScheduleKeyDeletion", + "kms:CancelKeyDeletion", "kms:Tag*", "kms:UntagResource", + ], + "Resource": "*", + }, + { + "Effect": "Allow", + "Principal": { + "AWS": f"arn:aws:iam::{config.account_id}:root", + }, + "Action": [ + "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey", + ], + "Resource": "*", + }, + { + "Sid": 'Allow access to EFS for all principals in the account that are authorized to use EFS', + "Effect": 'Allow', + "Principal": {"AWS": "*"}, + "Action": [ + "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", + "kms:CreateGrant", "kms:DescribeKey", + ], + "Resource": "*", + "Condition": { + "StringEquals": { + "kms:ViaService": f"elasticfilesystem.{config.aws_region}.amazonaws.com", + "kms:CallerAccount": config.account_id, + }, + }, + }, + ], + }), + tags={ + "pulumi-application": config.project_name, + "pulumi-environment": config.stack_name, + }, + ) + + # SSM Parameter Setup + app_ssm_parameter = aws.ssm.Parameter(f"{config.project_name}-ssm-parameter", + type="SecureString", + value=config.config.require_secret("bedrock_api_key"), + key_id=app_key.key_id, + name=f"/{config.project_name}/{config.stack_name}/BEDROCK_API_KEY", + tags={ + "pulumi-application": config.project_name, + "pulumi-environment": config.stack_name, + }, + ) + return app_ssm_parameter, app_key \ No newline at end of file diff --git a/infra/ecs_alb/requirements.txt b/infra/ecs_alb/requirements.txt new file mode 100644 index 
0000000..eb8d6d6 --- /dev/null +++ b/infra/ecs_alb/requirements.txt @@ -0,0 +1,5 @@ +pulumi +pulumi-aws +pulumi-docker +boto3 +setuptools diff --git a/infra/langfuse/Pulumi.inovyo.yaml b/infra/langfuse/Pulumi.inovyo.yaml new file mode 100644 index 0000000..b34e9a9 --- /dev/null +++ b/infra/langfuse/Pulumi.inovyo.yaml @@ -0,0 +1,40 @@ +config: + aws:region: us-east-1 + langfuse:account_id: "232048051668" + langfuse:project_name: assistente-db-langfuse + langfuse:environment: dev + + langfuse:tags: + project: assistente-db + env: dev + costCenter: AI + owner: ai-team + + langfuse:network: + vpc_id: vpc-17ceb96c + subnet_ids: + - subnet-0de9f056635629827 # public-us-east-1a-subnet + - subnet-09cda74f27c543521 # public-us-east-1b-subnet + + langfuse:ec2: + key_name: + allowed_ports: + - 22 + - 3000 + - 443 + - 80 + ebs_volume: + size: 100 # em GB + device_name: /dev/sdf # nome do device + volume_type: gp2 # tipo de volume + instance_type: t3.xlarge # langfuse requires at least t3.xlarge + instance_name: LangfuseEC2 + sg_name: langfuse-sg + + langfuse:langfuse_config: + repo_url: "https://github.com/langfuse/langfuse.git" + web_port: 3000 + worker_port: 3030 + database_url: "postgresql://langfuse:langfuse@postgres:5432/langfuse" + clickhouse_url: "http://clickhouse:8123" + telemetry_enabled: false \ No newline at end of file diff --git a/infra/langfuse/Pulumi.yaml b/infra/langfuse/Pulumi.yaml new file mode 100644 index 0000000..9561767 --- /dev/null +++ b/infra/langfuse/Pulumi.yaml @@ -0,0 +1,3 @@ +name: langfuse-dev +runtime: python +description: Infraestrutura da aplicação Langfuse em EC2 usando Docker \ No newline at end of file diff --git a/infra/langfuse/README.md b/infra/langfuse/README.md new file mode 100644 index 0000000..414c5c2 --- /dev/null +++ b/infra/langfuse/README.md @@ -0,0 +1,93 @@ +# langfuse + + + +## Getting started + +To make it easy for you to get started with GitLab, here's a list of recommended next steps. + +Already a pro? 
Just edit this README.md and make it your own. Want to make it easy? [Use the template at the bottom](#editing-this-readme)! + +## Add your files + +- [ ] [Create](https://docs.gitlab.com/ee/user/project/repository/web_editor.html#create-a-file) or [upload](https://docs.gitlab.com/ee/user/project/repository/web_editor.html#upload-a-file) files +- [ ] [Add files using the command line](https://docs.gitlab.com/ee/gitlab-basics/add-file.html#add-a-file-using-the-command-line) or push an existing Git repository with the following command: + +``` +cd existing_repo +git remote add origin https://gitlab.shared.cloud.dnxbrasil.com.br/dnx-br/sandbox/genai/langfuse.git +git branch -M main +git push -uf origin main +``` + +## Integrate with your tools + +- [ ] [Set up project integrations](https://gitlab.shared.cloud.dnxbrasil.com.br/dnx-br/sandbox/genai/langfuse/-/settings/integrations) + +## Collaborate with your team + +- [ ] [Invite team members and collaborators](https://docs.gitlab.com/ee/user/project/members/) +- [ ] [Create a new merge request](https://docs.gitlab.com/ee/user/project/merge_requests/creating_merge_requests.html) +- [ ] [Automatically close issues from merge requests](https://docs.gitlab.com/ee/user/project/issues/managing_issues.html#closing-issues-automatically) +- [ ] [Enable merge request approvals](https://docs.gitlab.com/ee/user/project/merge_requests/approvals/) +- [ ] [Set auto-merge](https://docs.gitlab.com/ee/user/project/merge_requests/merge_when_pipeline_succeeds.html) + +## Test and Deploy + +Use the built-in continuous integration in GitLab. 
+ +- [ ] [Get started with GitLab CI/CD](https://docs.gitlab.com/ee/ci/quick_start/index.html) +- [ ] [Analyze your code for known vulnerabilities with Static Application Security Testing (SAST)](https://docs.gitlab.com/ee/user/application_security/sast/) +- [ ] [Deploy to Kubernetes, Amazon EC2, or Amazon ECS using Auto Deploy](https://docs.gitlab.com/ee/topics/autodevops/requirements.html) +- [ ] [Use pull-based deployments for improved Kubernetes management](https://docs.gitlab.com/ee/user/clusters/agent/) +- [ ] [Set up protected environments](https://docs.gitlab.com/ee/ci/environments/protected_environments.html) + +*** + +# Editing this README + +When you're ready to make this README your own, just edit this file and use the handy template below (or feel free to structure it however you want - this is just a starting point!). Thanks to [makeareadme.com](https://www.makeareadme.com/) for this template. + +## Suggestions for a good README + +Every project is different, so consider which of these sections apply to yours. The sections used in the template are suggestions for most open source projects. Also keep in mind that while a README can be too long and detailed, too long is better than too short. If you think your README is too long, consider utilizing another form of documentation rather than cutting out information. + +## Name +Choose a self-explaining name for your project. + +## Description +Let people know what your project can do specifically. Provide context and add a link to any reference visitors might be unfamiliar with. A list of Features or a Background subsection can also be added here. If there are alternatives to your project, this is a good place to list differentiating factors. + +## Badges +On some READMEs, you may see small images that convey metadata, such as whether or not all the tests are passing for the project. You can use Shields to add some to your README. Many services also have instructions for adding a badge. 
+ +## Visuals +Depending on what you are making, it can be a good idea to include screenshots or even a video (you'll frequently see GIFs rather than actual videos). Tools like ttygif can help, but check out Asciinema for a more sophisticated method. + +## Installation +Within a particular ecosystem, there may be a common way of installing things, such as using Yarn, NuGet, or Homebrew. However, consider the possibility that whoever is reading your README is a novice and would like more guidance. Listing specific steps helps remove ambiguity and gets people to using your project as quickly as possible. If it only runs in a specific context like a particular programming language version or operating system or has dependencies that have to be installed manually, also add a Requirements subsection. + +## Usage +Use examples liberally, and show the expected output if you can. It's helpful to have inline the smallest example of usage that you can demonstrate, while providing links to more sophisticated examples if they are too long to reasonably include in the README. + +## Support +Tell people where they can go to for help. It can be any combination of an issue tracker, a chat room, an email address, etc. + +## Roadmap +If you have ideas for releases in the future, it is a good idea to list them in the README. + +## Contributing +State if you are open to contributions and what your requirements are for accepting them. + +For people who want to make changes to your project, it's helpful to have some documentation on how to get started. Perhaps there is a script that they should run or some environment variables that they need to set. Make these steps explicit. These instructions could also be useful to your future self. + +You can also document commands to lint the code or run tests. These steps help to ensure high code quality and reduce the likelihood that the changes inadvertently break something. 
Having instructions for running tests is especially helpful if it requires external setup, such as starting a Selenium server for testing in a browser. + +## Authors and acknowledgment +Show your appreciation to those who have contributed to the project. + +## License +For open source projects, say how it is licensed. + +## Project status +If you have run out of energy or time for your project, put a note at the top of the README saying that development has slowed down or stopped completely. Someone may choose to fork your project or volunteer to step in as a maintainer or owner, allowing your project to keep going. You can also make an explicit request for maintainers. diff --git a/infra/langfuse/__main__.py b/infra/langfuse/__main__.py new file mode 100644 index 0000000..e5bbcd6 --- /dev/null +++ b/infra/langfuse/__main__.py @@ -0,0 +1,105 @@ +import pulumi +import pulumi_aws as aws +import conf as config + +# 🔐 Security Group +ingress_rules = [{"protocol": "tcp", "from_port": port, "to_port": port, "cidr_blocks": ["3.14.44.224/32"]} + for port in config.ec2_config["allowed_ports"]] + +sg = aws.ec2.SecurityGroup(config.ec2_config["sg_name"], + vpc_id=config.network["vpc_id"], + description="Allow defined ports", + ingress=ingress_rules, + egress=[{"protocol": "-1", "from_port": 0, "to_port": 0, "cidr_blocks": ["0.0.0.0/0"]}], +) + +# 🐳 Script user_data com Docker, Langfuse e montagem do volume EBS +user_data = f"""#!/bin/bash +set -e +sudo apt-get update -y +sudo apt-get install -y ca-certificates curl gnupg git +sudo install -m 0755 -d /etc/apt/keyrings +curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg +sudo chmod a+r /etc/apt/keyrings/docker.gpg +echo \ + "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu \ + $(. 
/etc/os-release && echo "$VERSION_CODENAME") stable" | \ + sudo tee /etc/apt/sources.list.d/docker.list > /dev/null +sudo apt-get update -y +sudo apt-get install -y docker-ce docker-ce-cli containerd.io docker-compose-plugin +sudo groupadd docker || true +sudo usermod -aG docker ubuntu +sudo chmod 666 /var/run/docker.sock +sudo systemctl enable docker +sudo systemctl restart docker + +cd /opt +git clone {config.langfuse_config["repo_url"]} +cd langfuse + +NEXTAUTH_SECRET=$(openssl rand -hex 32) +PUBLIC_IP=$(curl -s http://169.254.169.254/latest/meta-data/public-ipv4) +SALT=$(openssl rand -hex 16) +ENCRYPTION_KEY=$(openssl rand -hex 32) + +cat > .env <=1.34.0 +langchain-aws>=0.1.0 +langgraph>=0.0.20 +langchain>=0.1.0