feat(stepfunctions-tasks): bedrock createModelCustomizationJob integration

[badmintoncryer]

This PR was previously created and passed the community review, but the maintainer review stopped midway, and it was eventually closed. There shouldn’t be any issues with the content, so I am submitting the PR again.

Issue # (if applicable)

Closes #29042

Reason for this change

AWS stepfunctions support optimized integration with AWS bedrock.
Currently, only invokeModel is supported by CDK, but I would like createModelCustomizationJob to be supported in the same manner.

Description of changes

I've added CreatemodelCustomizationJob class.

const taskConfig = {
  baseModel: model,
  clientRequestToken: 'MyToken',
  customizationType: CustomizationType.FINE_TUNING,
  kmsKey,
  customModelName: 'MyCustomModel',
  customModelTags: [{ key: 'key1', value: 'value1' }],
  hyperParameters: {
    batchSize: '10',
  },
  jobName: 'MyCustomizationJob',
  jobTags: [{ key: 'key2', value: 'value2' }],
  outputDataS3Uri: outputBucket.s3UrlForObject(),
  trainingDataS3Uri: trainingBucket.s3UrlForObject(),
  validationDataS3Uri: [validationBucket.s3UrlForObject()],
  vpcConfig: {
    securityGroups: [new ec2.SecurityGroup(stack, 'SecurityGroup', { vpc })],
    subnets: vpc.isolatedSubnets,
  },
};

const task1 = new BedrockCreateModelCustomizationJob(stack, 'CreateModelCustomizationJob1', taskConfig);

const chain = sfn.Chain
  .start(new sfn.Pass(stack, 'Start'))
  .next(task1)
  .next(new sfn.Pass(stack, 'Done'));

new sfn.StateMachine(stack, 'StateMachine', {
  definitionBody: sfn.DefinitionBody.fromChainable(chain),
  timeout: cdk.Duration.seconds(30),
});

Description of how you validated changes

I've added both unit and integ tests.

Checklist

• My code adheres to the CONTRIBUTING GUIDE and DESIGN GUIDELINES

---

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

[badmintoncryer]

@moelasmar It appears that the needs-maintainer-review label was attached, but it was automatically removed.

Additionally, I’m seeing a CodeQL error related to a regular expression, but this expression is directly from the CloudFormation documentation. In this case, I believe it’s acceptable to ignore the error. What are your thoughts?

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 81.38%. Comparing base (b021efe) to head (068c110).
Report is 35 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main   #31913   +/-   ##
=======================================
  Coverage   81.38%   81.38%           
=======================================
  Files         222      222           
  Lines       13698    13698           
  Branches     2413     2413           
=======================================
  Hits        11148    11148           
  Misses       2271     2271           
  Partials      279      279           

Flag	Coverage Δ
suite.unit	81.38% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

Components	Coverage Δ
packages/aws-cdk	80.69% <ø> (ø)
packages/aws-cdk-lib/core	82.10% <ø> (ø)

[gracelu0]

Hi @badmintoncryer , thank you for working on this! I saw the previously open PR was approved (apologies that it got closed by our automation), I just have a few more comments.

[gracelu0]

To adhere to the best security practice stated here: https://docs.aws.amazon.com/bedrock/latest/userguide/encryption-custom-job.html#encryption-cm-statements, can we add a kms:ViaService condition to this policy to limit key access to the Amazon Bedrock service? There's an example under the Encrypt a model dropdown in that link

[badmintoncryer]

I've updated my code and executed integ test again!

[gracelu0]

Just wondering if there's a reason we omit invocationLogsConfig?

https://docs.aws.amazon.com/bedrock/latest/APIReference/API_TrainingDataConfig.html#API_TrainingDataConfig_Contents

[badmintoncryer]

When it was created, I remember handling all the parameters, so additional arguments might have been added later. Should I address this as well?

[gracelu0]

I think it's okay if we don't include it in this PR, but we should ensure the contract allows us to add this in the future (see my other comment about extending the interface)

Pull request has been modified.

[badmintoncryer]

@gracelu0 Thank you for your kindness check. I've addressed all of your comments.

[aws-cdk-automation]

AWS CodeBuild CI Report

• CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
• Commit ID: 068c110
• Result: SUCCEEDED
• Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

[gracelu0]

Thank you for working on this! I left some comments to improve the interface design for extensibility, and we will need to check the policy updates with security reviewer (so there may be some additional comments to address).

[gracelu0]

instead of all the // optional comments can we have a // required comment to point out the required properties?

[gracelu0]

from the linked docs, By default, Amazon Bedrock encrypts custom models with AWS owned keys. - can we specify that as the default here?

[gracelu0]

what is this prefix field for? since I see for the s3Uri property the pattern is ^s3://[a-z0-9][-.a-z0-9]{1,61}(?:/[-!_*'().a-z0-9A-Z]+(?:/[-!_*'().a-z0-9A-Z]+)*)?/?$ so the prefix is expected to be s3://.

[gracelu0]

While I like the simplified BucketConfiguration interface here, I see that TrainingDataConfig already differs from ValidationDataConfig and OutputDataConfig with additional prop invocationLogsConfig.

To avoid making breaking changes in the future in case new sub-properties are added, can we make a base interface BucketConfiguration (maybe called DataBucketConfiguration) and create interfaces extending it for each of outputData, trainingData and validationData ?

[gracelu0]

It looks like validationDataConfig is not required, so we need to update this and also the validation to allow minimum of 0 validators

[gracelu0]

I think it's okay if we don't include it in this PR, but we should ensure the contract allows us to add this in the future (see my other comment about extending the interface)

[gracelu0]

From https://docs.aws.amazon.com/bedrock/latest/userguide/model-customization-iam-role.html#model-customization-iam-role-trust it mentions the option to restrict the scope using Condition:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "bedrock.amazonaws.com"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {
                    "aws:SourceAccount": "account-id"
                },
                "ArnEquals": {
                    "aws:SourceArn": "arn:aws:bedrock:us-east-1:account-id:model-customization-job/*"
                }
            }
        }
    ] 
}

Can we add this to adhere to PoLP and reduce the permissions scope?