From 4a1e4ac48f74a4fde86c882d4e0890ab0090a7a8 Mon Sep 17 00:00:00 2001 From: Massimiliano Angelino Date: Tue, 23 Jan 2024 16:34:37 +0100 Subject: [PATCH] chore(format): reformat via prettify --- bin/aws-genai-llm-chatbot.ts | 4 +- cli/magic-create.ts | 11 +- lib/authentication/index.ts | 14 +- lib/aws-genai-llm-chatbot-stack.ts | 170 +++++++++++++----- .../chatbot-dynamodb-tables/index.ts | 2 +- lib/chatbot-api/chatbot-s3-buckets/index.ts | 13 +- lib/chatbot-api/index.ts | 12 +- lib/chatbot-api/websocket-api.ts | 10 +- lib/model-interfaces/idefics/index.ts | 26 +-- lib/model-interfaces/langchain/index.ts | 4 +- lib/models/index.ts | 76 ++++---- .../create-aurora-workspace.ts | 14 +- lib/rag-engines/aurora-pgvector/index.ts | 21 ++- .../data-import/file-import-batch-job.ts | 40 +++-- .../data-import/file-import-workflow.ts | 6 +- lib/rag-engines/data-import/index.ts | 14 +- .../data-import/website-crawling-workflow.ts | 6 +- .../create-kendra-workspace.ts | 14 +- lib/rag-engines/kendra-retrieval/index.ts | 6 +- .../create-opensearch-workspace.ts | 14 +- .../workspaces/delete-workspace.ts | 6 +- lib/sagemaker-model/deploy-container-model.ts | 10 +- lib/sagemaker-model/deploy-package-model.ts | 10 +- .../hf-custom-script-model/index.ts | 59 +++--- lib/shared/index.ts | 22 +-- lib/shared/shared-asset-bundler.ts | 11 +- lib/user-interface/index.ts | 53 +++--- 27 files changed, 400 insertions(+), 248 deletions(-) diff --git a/bin/aws-genai-llm-chatbot.ts b/bin/aws-genai-llm-chatbot.ts index b66dcfbcc..e8e5487ac 100644 --- a/bin/aws-genai-llm-chatbot.ts +++ b/bin/aws-genai-llm-chatbot.ts @@ -2,7 +2,7 @@ import * as cdk from "aws-cdk-lib"; import "source-map-support/register"; import { AwsGenAILLMChatbotStack } from "../lib/aws-genai-llm-chatbot-stack"; -import { AwsSolutionsChecks } from "cdk-nag" +import { AwsSolutionsChecks } from "cdk-nag"; import { getConfig } from "./config"; import { Aspects } from "aws-cdk-lib"; 
@@ -18,4 +18,4 @@ new AwsGenAILLMChatbotStack(app, `${config.prefix}GenAIChatBotStack`, { }, }); -Aspects.of(app).add(new AwsSolutionsChecks({verbose: true})); +Aspects.of(app).add(new AwsSolutionsChecks({ verbose: true })); diff --git a/cli/magic-create.ts b/cli/magic-create.ts index 2bd638a7d..d36a1864d 100644 --- a/cli/magic-create.ts +++ b/cli/magic-create.ts @@ -213,9 +213,7 @@ async function processCreateOptions(options: any): Promise { type: "confirm", name: "kendraEnterprise", message: "Do you want to enable Kendra Enterprise Edition?", - initial: - options.kendraEnterprise || - false, + initial: options.kendraEnterprise || false, skip(): boolean { return !(this as any).state.answers.ragsToEnable.includes("kendra"); }, @@ -336,7 +334,7 @@ async function processCreateOptions(options: any): Promise { enabled: false, createIndex: false, external: [{}], - enterprise: false + enterprise: false, }, }, embeddingsModels: [{}], @@ -366,8 +364,7 @@ async function processCreateOptions(options: any): Promise { config.rag.engines.kendra.enabled = config.rag.engines.kendra.createIndex || kendraExternal.length > 0; config.rag.engines.kendra.external = [...kendraExternal]; - config.rag.engines.kendra.enterprise = - answers.kendraEnterprise + config.rag.engines.kendra.enterprise = answers.kendraEnterprise; console.log("\n✨ This is the chosen configuration:\n"); console.log(JSON.stringify(config, undefined, 2)); @@ -383,4 +380,4 @@ async function processCreateOptions(options: any): Promise { ).create ? createConfig(config) : console.log("Skipping"); -} \ No newline at end of file +} diff --git a/lib/authentication/index.ts b/lib/authentication/index.ts index 338781b7a..08523aaf6 100644 --- a/lib/authentication/index.ts +++ b/lib/authentication/index.ts 
@@ -74,11 +74,13 @@ export class Authentication extends Construct { /** * CDK NAG suppression */ - NagSuppressions.addResourceSuppressions(userPool, - [ - {id: "AwsSolutions-COG1", reason: "Default password policy requires min length of 8, digits, lowercase characters, symbols and uppercase characters: https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_cognito.PasswordPolicy.html"}, - {id: "AwsSolutions-COG2", reason: "MFA not required for user usage."} - ] - ); + NagSuppressions.addResourceSuppressions(userPool, [ + { + id: "AwsSolutions-COG1", + reason: + "Default password policy requires min length of 8, digits, lowercase characters, symbols and uppercase characters: https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_cognito.PasswordPolicy.html", + }, + { id: "AwsSolutions-COG2", reason: "MFA not required for user usage." }, + ]); } } diff --git a/lib/aws-genai-llm-chatbot-stack.ts b/lib/aws-genai-llm-chatbot-stack.ts index 0a2209980..9c5e566c6 100644 --- a/lib/aws-genai-llm-chatbot-stack.ts +++ b/lib/aws-genai-llm-chatbot-stack.ts @@ -160,15 +160,20 @@ export class AwsGenAILLMChatbotStack extends cdk.Stack { /** * CDK NAG suppression */ - NagSuppressions.addResourceSuppressionsByPath(this, + NagSuppressions.addResourceSuppressionsByPath( + this, [ - `/${this.stackName}/Custom::CDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C/Resource` + `/${this.stackName}/Custom::CDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C/Resource`, ], [ - {id: "AwsSolutions-L1", reason: "Lambda function created implicitly by CDK."}, + { + id: "AwsSolutions-L1", + reason: "Lambda function created implicitly by CDK.", + }, ] ); - NagSuppressions.addResourceSuppressionsByPath(this, + NagSuppressions.addResourceSuppressionsByPath( + this, [ `/${this.stackName}/Authentication/IdentityPool/AuthenticatedRole/DefaultPolicy/Resource`, `/${this.stackName}/Authentication/UserPool/smsRole/Resource`, 
@@ -184,47 +189,66 @@ export class AwsGenAILLMChatbotStack extends cdk.Stack { `/${this.stackName}/ChatBotApi/RestApi/GraphQLApiHandler/ServiceRole/DefaultPolicy/Resource`, `/${this.stackName}/ChatBotApi/Realtime/Resolvers/lambda-resolver/ServiceRole/Resource`, `/${this.stackName}/ChatBotApi/Realtime/Resolvers/outgoing-message-handler/ServiceRole/Resource`, - `/${this.stackName}/ChatBotApi/Realtime/Resolvers/outgoing-message-handler/ServiceRole/DefaultPolicy/Resource` + `/${this.stackName}/ChatBotApi/Realtime/Resolvers/outgoing-message-handler/ServiceRole/DefaultPolicy/Resource`, ], [ - {id: "AwsSolutions-IAM4", reason: "IAM role implicitly created by CDK."}, - {id: "AwsSolutions-IAM5", reason: "IAM role implicitly created by CDK."}, + { + id: "AwsSolutions-IAM4", + reason: "IAM role implicitly created by CDK.", + }, + { + id: "AwsSolutions-IAM5", + reason: "IAM role implicitly created by CDK.", + }, ] ); if (ideficsModels.length > 0) { - NagSuppressions.addResourceSuppressionsByPath(this, + NagSuppressions.addResourceSuppressionsByPath( + this, [ `/${this.stackName}/IdeficsInterface/IdeficsInterfaceRequestHandler/ServiceRole/DefaultPolicy/Resource`, `/${this.stackName}/IdeficsInterface/IdeficsInterfaceRequestHandler/ServiceRole/Resource`, - `/${this.stackName}/IdeficsInterface/S3IntegrationRole/DefaultPolicy/Resource` + `/${this.stackName}/IdeficsInterface/S3IntegrationRole/DefaultPolicy/Resource`, ], [ - {id: "AwsSolutions-IAM4", reason: "IAM role implicitly created by CDK."}, - {id: "AwsSolutions-IAM5", reason: "IAM role implicitly created by CDK."}, + { + id: "AwsSolutions-IAM4", + reason: "IAM role implicitly created by CDK.", + }, + { + id: "AwsSolutions-IAM5", + reason: "IAM role implicitly created by CDK.", + }, ] ); - NagSuppressions.addResourceSuppressionsByPath(this, + NagSuppressions.addResourceSuppressionsByPath( + this, `/${this.stackName}/IdeficsInterface/ChatbotFilesPrivateApi/DeploymentStage.prod/Resource`, [ - {id: "AwsSolutions-APIG3", reason: 
"WAF not required due to configured Cognito auth."} + { + id: "AwsSolutions-APIG3", + reason: "WAF not required due to configured Cognito auth.", + }, ] ); - NagSuppressions.addResourceSuppressionsByPath(this, + NagSuppressions.addResourceSuppressionsByPath( + this, [ `/${this.stackName}/IdeficsInterface/ChatbotFilesPrivateApi/Default/{object}/ANY/Resource`, - `/${this.stackName}/IdeficsInterface/ChatbotFilesPrivateApi/Default/{object}/ANY/Resource` + `/${this.stackName}/IdeficsInterface/ChatbotFilesPrivateApi/Default/{object}/ANY/Resource`, ], [ - {id: "AwsSolutions-APIG4", reason: "Private API within a VPC."}, - {id: "AwsSolutions-COG4", reason: "Private API within a VPC."} + { id: "AwsSolutions-APIG4", reason: "Private API within a VPC." }, + { id: "AwsSolutions-COG4", reason: "Private API within a VPC." }, ] ); } // RAG configuration if (props.config.rag.enabled) { - NagSuppressions.addResourceSuppressionsByPath(this, + NagSuppressions.addResourceSuppressionsByPath( + this, [ `/${this.stackName}/RagEngines/DataImport/FileImportBatchJob/FileImportJobRole/DefaultPolicy/Resource`, `/${this.stackName}/RagEngines/DataImport/FileImportBatchJob/FileImportContainer/ExecutionRole/DefaultPolicy/Resource`, 
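Review bot: In the `ideficsModels.length > 0` branch, the path array for the `AwsSolutions-APIG4`/`AwsSolutions-COG4` suppression lists `/${this.stackName}/IdeficsInterface/ChatbotFilesPrivateApi/Default/{object}/ANY/Resource` twice, so the second entry suppresses nothing and was presumably meant to name a different method. The reasons on this API also disagree: `AwsSolutions-APIG3` is waived with "WAF not required due to configured Cognito auth.", while the method on the same API is waived for lacking an authorizer with "Private API within a VPC.". One of the two should be corrected so the record shows which control actually protects `ChatbotFilesPrivateApi`; if that control is the VPC boundary, the APIG3 reason could read `reason: "Private API within a VPC; not publicly reachable."`. The enclosing constructor starts and ends outside the hunk.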
@@ -245,16 +269,26 @@ export class AwsGenAILLMChatbotStack extends cdk.Stack { `/${this.stackName}/RagEngines/DataImport/RssSubscription/triggerRssIngestorsFunction/ServiceRole/Resource`, `/${this.stackName}/RagEngines/DataImport/RssSubscription/triggerRssIngestorsFunction/ServiceRole/DefaultPolicy/Resource`, `/${this.stackName}/RagEngines/DataImport/RssSubscription/crawlQueuedRssPostsFunction/ServiceRole/Resource`, - `/${this.stackName}/RagEngines/DataImport/RssSubscription/crawlQueuedRssPostsFunction/ServiceRole/DefaultPolicy/Resource` + `/${this.stackName}/RagEngines/DataImport/RssSubscription/crawlQueuedRssPostsFunction/ServiceRole/DefaultPolicy/Resource`, ], [ - {id: "AwsSolutions-IAM4", reason: "IAM role implicitly created by CDK."}, - {id: "AwsSolutions-IAM5", reason: "IAM role implicitly created by CDK."}, + { + id: "AwsSolutions-IAM4", + reason: "IAM role implicitly created by CDK.", + }, + { + id: "AwsSolutions-IAM5", + reason: "IAM role implicitly created by CDK.", + }, ] ); - if (props.config.rag.engines.aurora.enabled || props.config.rag.engines.opensearch.enabled) { - NagSuppressions.addResourceSuppressionsByPath(this, + if ( + props.config.rag.engines.aurora.enabled || + props.config.rag.engines.opensearch.enabled + ) { + NagSuppressions.addResourceSuppressionsByPath( + this, [ `/${this.stackName}/RagEngines/SageMaker/Model/MultiAB24A/CodeBuildRole/DefaultPolicy/Resource`, `/${this.stackName}/RagEngines/SageMaker/Model/MultiAB24A/OnEventHandler/ServiceRole/Resource`, 
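Review bot: The `AwsSolutions-IAM5` entry here is unscoped and reuses the reason "IAM role implicitly created by CDK.", yet many of the listed paths end in `ServiceRole/DefaultPolicy/Resource`, and a default policy is presumably populated by the grants this stack makes rather than by CDK alone. Without `appliesTo`, any wildcard added to those policies later is waived silently. Consider pinning the accepted findings, e.g. `appliesTo: ["Resource::*"]` using the exact values cdk-nag reports per path, and giving `AwsSolutions-IAM4` its own reason that names the managed policy. The same pair is repeated in the hunks at -184, -269 and -290 of this file, and the `addResourceSuppressionsByPath` call opens above this hunk.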
@@ -269,18 +303,29 @@ export class AwsGenAILLMChatbotStack extends cdk.Stack { `/${this.stackName}/RagEngines/SageMaker/Model/MultiAB24A/SageMakerExecutionRole/DefaultPolicy/Resource`, ], [ - {id: "AwsSolutions-IAM4", reason: "IAM role implicitly created by CDK."}, - {id: "AwsSolutions-IAM5", reason: "IAM role implicitly created by CDK."}, + { + id: "AwsSolutions-IAM4", + reason: "IAM role implicitly created by CDK.", + }, + { + id: "AwsSolutions-IAM5", + reason: "IAM role implicitly created by CDK.", + }, ] ); if (props.config.rag.engines.aurora.enabled) { - NagSuppressions.addResourceSuppressionsByPath(this, + NagSuppressions.addResourceSuppressionsByPath( + this, `/${this.stackName}/RagEngines/AuroraPgVector/AuroraDatabase/Secret/Resource`, [ - {id: "AwsSolutions-SMG4", reason: "Secret created implicitly by CDK."} + { + id: "AwsSolutions-SMG4", + reason: "Secret created implicitly by CDK.", + }, ] ); - NagSuppressions.addResourceSuppressionsByPath(this, + NagSuppressions.addResourceSuppressionsByPath( + this, [ `/${this.stackName}/RagEngines/AuroraPgVector/DatabaseSetupFunction/ServiceRole/Resource`, `/${this.stackName}/RagEngines/AuroraPgVector/DatabaseSetupProvider/framework-onEvent/ServiceRole/Resource`, 
@@ -290,56 +335,83 @@ export class AwsGenAILLMChatbotStack extends cdk.Stack { `/${this.stackName}/RagEngines/AuroraPgVector/CreateAuroraWorkspace/CreateAuroraWorkspace/Role/DefaultPolicy/Resource`, ], [ - {id: "AwsSolutions-IAM4", reason: "IAM role implicitly created by CDK."}, - {id: "AwsSolutions-IAM5", reason: "IAM role implicitly created by CDK."}, + { + id: "AwsSolutions-IAM4", + reason: "IAM role implicitly created by CDK.", + }, + { + id: "AwsSolutions-IAM5", + reason: "IAM role implicitly created by CDK.", + }, ] ); } if (props.config.rag.engines.opensearch.enabled) { - NagSuppressions.addResourceSuppressionsByPath(this, + NagSuppressions.addResourceSuppressionsByPath( + this, [ `/${this.stackName}/RagEngines/OpenSearchVector/CreateOpenSearchWorkspace/CreateOpenSearchWorkspaceFunction/ServiceRole/Resource`, `/${this.stackName}/RagEngines/OpenSearchVector/CreateOpenSearchWorkspace/CreateOpenSearchWorkspaceFunction/ServiceRole/DefaultPolicy/Resource`, `/${this.stackName}/RagEngines/OpenSearchVector/CreateOpenSearchWorkspace/CreateOpenSearchWorkspace/Role/DefaultPolicy/Resource`, ], [ - {id: "AwsSolutions-IAM4", reason: "IAM role implicitly created by CDK."}, - {id: "AwsSolutions-IAM5", reason: "IAM role implicitly created by CDK."}, + { + id: "AwsSolutions-IAM4", + reason: "IAM role implicitly created by CDK.", + }, + { + id: "AwsSolutions-IAM5", + reason: "IAM role implicitly created by CDK.", + }, ] ); } } if (props.config.rag.engines.kendra.enabled) { - NagSuppressions.addResourceSuppressionsByPath(this, + NagSuppressions.addResourceSuppressionsByPath( + this, [ `/${this.stackName}/RagEngines/KendraRetrieval/CreateAuroraWorkspace/CreateKendraWorkspace/Role/DefaultPolicy/Resource`, ], [ - {id: "AwsSolutions-IAM4", reason: "IAM role implicitly created by CDK."}, - {id: "AwsSolutions-IAM5", reason: "IAM role implicitly created by CDK."}, + { + id: "AwsSolutions-IAM4", + reason: "IAM role implicitly created by CDK.", + }, + { + id: "AwsSolutions-IAM5", + 
reason: "IAM role implicitly created by CDK.", + }, ] ); - NagSuppressions.addResourceSuppressionsByPath(this, + NagSuppressions.addResourceSuppressionsByPath( + this, [ - `/${this.stackName}/RagEngines/KendraRetrieval/KendraRole/DefaultPolicy/Resource` + `/${this.stackName}/RagEngines/KendraRetrieval/KendraRole/DefaultPolicy/Resource`, ], [ - {id: "AwsSolutions-IAM5", reason: "Access to all log groups required for CloudWatch log group creation."}, + { + id: "AwsSolutions-IAM5", + reason: + "Access to all log groups required for CloudWatch log group creation.", + }, ] ); } } // Implicitly created resources with changing paths - NagSuppressions.addStackSuppressions(this, - [ - {id: "CdkNagValidationFailure", reason: "Intrinstic function references."}, - ] - ); + NagSuppressions.addStackSuppressions(this, [ + { + id: "CdkNagValidationFailure", + reason: "Intrinstic function references.", + }, + ]); // Lambda functions still using Python 3.11 even though latest runtime is 3.12. Can be removed after upgrade. - NagSuppressions.addStackSuppressions(this, - [ - {id: "AwsSolutions-L1", reason: "Not yet upgraded from Python 3.11 to 3.12."}, - ] - ); + NagSuppressions.addStackSuppressions(this, [ + { + id: "AwsSolutions-L1", + reason: "Not yet upgraded from Python 3.11 to 3.12.", + }, + ]); } } diff --git a/lib/chatbot-api/chatbot-dynamodb-tables/index.ts b/lib/chatbot-api/chatbot-dynamodb-tables/index.ts index 3da50fa33..7b4b7726a 100644 --- a/lib/chatbot-api/chatbot-dynamodb-tables/index.ts +++ b/lib/chatbot-api/chatbot-dynamodb-tables/index.ts @@ -21,7 +21,7 @@ export class ChatBotDynamoDBTables extends Construct { billingMode: dynamodb.BillingMode.PAY_PER_REQUEST, encryption: dynamodb.TableEncryption.AWS_MANAGED, removalPolicy: cdk.RemovalPolicy.DESTROY, - pointInTimeRecovery: true + pointInTimeRecovery: true, }); sessionsTable.addGlobalSecondaryIndex({ 
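Review bot: The two `NagSuppressions.addStackSuppressions(this, …)` calls at the end of this hunk waive `AwsSolutions-L1` and `CdkNagValidationFailure` for every resource in the stack, including Lambda functions added later. This also makes the path-scoped `AwsSolutions-L1` suppression for the bucket-deployment function earlier in the file redundant. Prefer attaching the L1 waiver to the specific Python functions with `NagSuppressions.addResourceSuppressions(fn, [...])`, so that a new function on an outdated runtime is still reported. The reason string "Intrinstic function references." is misspelled (`Intrinsic`). The constructor body begins outside the hunk.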
diff --git a/lib/chatbot-api/chatbot-s3-buckets/index.ts b/lib/chatbot-api/chatbot-s3-buckets/index.ts index ab0324fe0..79ec464bb 100644 --- a/lib/chatbot-api/chatbot-s3-buckets/index.ts +++ b/lib/chatbot-api/chatbot-s3-buckets/index.ts @@ -22,7 +22,7 @@ export class ChatBotS3Buckets extends Construct { autoDeleteObjects: true, transferAcceleration: true, enforceSSL: true, - serverAccessLogsBucket: logsBucket, + serverAccessLogsBucket: logsBucket, cors: [ { allowedHeaders: ["*"], @@ -44,10 +44,11 @@ export class ChatBotS3Buckets extends Construct { /** * CDK NAG suppression */ - NagSuppressions.addResourceSuppressions(logsBucket, - [ - {id: "AwsSolutions-S1", reason: "Logging bucket does not require it's own access logs."}, - ] - ); + NagSuppressions.addResourceSuppressions(logsBucket, [ + { + id: "AwsSolutions-S1", + reason: "Logging bucket does not require it's own access logs.", + }, + ]); } } diff --git a/lib/chatbot-api/index.ts b/lib/chatbot-api/index.ts index 0f8eaf9a4..155894112 100644 --- a/lib/chatbot-api/index.ts +++ b/lib/chatbot-api/index.ts @@ -119,10 +119,12 @@ export class ChatBotApi extends Construct { /** * CDK NAG suppression */ - NagSuppressions.addResourceSuppressions(loggingRole, - [ - {id: "AwsSolutions-IAM5", reason: "Access to all log groups required for CloudWatch log group creation."}, - ] - ); + NagSuppressions.addResourceSuppressions(loggingRole, [ + { + id: "AwsSolutions-IAM5", + reason: + "Access to all log groups required for CloudWatch log group creation.", + }, + ]); } } diff --git a/lib/chatbot-api/websocket-api.ts b/lib/chatbot-api/websocket-api.ts index ba45d5b17..933a35df7 100644 --- a/lib/chatbot-api/websocket-api.ts +++ b/lib/chatbot-api/websocket-api.ts 
@@ -84,11 +84,9 @@ export class RealtimeGraphqlApiBackend extends Construct { /** * CDK NAG suppression */ - NagSuppressions.addResourceSuppressions(messagesTopic, - [ - {id: "AwsSolutions-SNS2", reason: "No sensitive data in topic."}, - {id: "AwsSolutions-SNS3", reason: "No sensitive data in topic."}, - ] - ); + NagSuppressions.addResourceSuppressions(messagesTopic, [ + { id: "AwsSolutions-SNS2", reason: "No sensitive data in topic." }, + { id: "AwsSolutions-SNS3", reason: "No sensitive data in topic." }, + ]); } } diff --git a/lib/model-interfaces/idefics/index.ts b/lib/model-interfaces/idefics/index.ts index 40b6f0c1c..f6330b142 100644 --- a/lib/model-interfaces/idefics/index.ts +++ b/lib/model-interfaces/idefics/index.ts @@ -54,9 +54,13 @@ export class IdeficsInterface extends Construct { } ); - const logGroup = new logs.LogGroup(this, "ChatbotFilesPrivateApiAccessLogs", { - removalPolicy: RemovalPolicy.DESTROY - }); + const logGroup = new logs.LogGroup( + this, + "ChatbotFilesPrivateApiAccessLogs", + { + removalPolicy: RemovalPolicy.DESTROY, + } + ); const api = new apigateway.RestApi(this, "ChatbotFilesPrivateApi", { deployOptions: { @@ -200,7 +204,7 @@ export class IdeficsInterface extends Construct { props.shared.configParameter.grantRead(requestHandler); const deadLetterQueue = new sqs.Queue(this, "DLQ", { - enforceSSL: true + enforceSSL: true, }); const queue = new sqs.Queue(this, "Queue", { removalPolicy: cdk.RemovalPolicy.DESTROY, 
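Review bot: `messagesTopic` is exempted from `AwsSolutions-SNS2` and `AwsSolutions-SNS3` with "No sensitive data in topic.", but the topic belongs to the realtime API backend of a chatbot and so presumably carries user prompts and model replies; that claim should be verified or the waiver dropped. The queues touched by this same commit set `enforceSSL: true`. If the CDK version in use exposes it on `sns.Topic`, setting `enforceSSL: true` and a `masterKey` on the topic would let both suppressions be removed. The topic's construction is outside the hunk.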
@@ -232,12 +236,14 @@ export class IdeficsInterface extends Construct { /** * CDK NAG suppression */ - NagSuppressions.addResourceSuppressions(integrationRole, - [ - {id: "AwsSolutions-IAM4", reason: "Access to all log groups required for CloudWatch log group creation."}, - {id: "AwsSolutions-IAM5", reason: "Access limited to KMS resources."} - ] - ); + NagSuppressions.addResourceSuppressions(integrationRole, [ + { + id: "AwsSolutions-IAM4", + reason: + "Access to all log groups required for CloudWatch log group creation.", + }, + { id: "AwsSolutions-IAM5", reason: "Access limited to KMS resources." }, + ]); } public addSageMakerEndpoint({ diff --git a/lib/model-interfaces/langchain/index.ts b/lib/model-interfaces/langchain/index.ts index 17ba84935..65ff876a9 100644 --- a/lib/model-interfaces/langchain/index.ts +++ b/lib/model-interfaces/langchain/index.ts @@ -196,7 +196,7 @@ export class LangChainInterface extends Construct { ); const deadLetterQueue = new sqs.Queue(this, "DLQ", { - enforceSSL: true + enforceSSL: true, }); const queue = new sqs.Queue(this, "Queue", { @@ -207,7 +207,7 @@ export class LangChainInterface extends Construct { queue: deadLetterQueue, maxReceiveCount: 3, }, - enforceSSL: true + enforceSSL: true, }); queue.addToResourcePolicy( diff --git a/lib/models/index.ts b/lib/models/index.ts index ddbfce29b..986efeace 100644 --- a/lib/models/index.ts +++ b/lib/models/index.ts 
@@ -102,29 +102,32 @@ export class Models extends Construct { }); } - if ( props.config.llms?.sagemaker.includes( SupportedSageMakerModels.Mistral7b_Instruct2 ) ) { - const mistral7bInstruct2 = new SageMakerModel(this, "Mistral7BInstruct2", { - vpc: props.shared.vpc, - region: cdk.Aws.REGION, - model: { - type: DeploymentType.Container, - modelId: "mistralai/Mistral-7B-Instruct-v0.2", - container: ContainerImages.HF_PYTORCH_LLM_TGI_INFERENCE_1_3_3, - instanceType: "ml.g5.2xlarge", - containerStartupHealthCheckTimeoutInSeconds: 300, - env: { - SM_NUM_GPUS: JSON.stringify(1), - MAX_INPUT_LENGTH: JSON.stringify(2048), - MAX_TOTAL_TOKENS: JSON.stringify(4096), - MAX_CONCURRENT_REQUESTS: JSON.stringify(4), + const mistral7bInstruct2 = new SageMakerModel( + this, + "Mistral7BInstruct2", + { + vpc: props.shared.vpc, + region: cdk.Aws.REGION, + model: { + type: DeploymentType.Container, + modelId: "mistralai/Mistral-7B-Instruct-v0.2", + container: ContainerImages.HF_PYTORCH_LLM_TGI_INFERENCE_1_3_3, + instanceType: "ml.g5.2xlarge", + containerStartupHealthCheckTimeoutInSeconds: 300, + env: { + SM_NUM_GPUS: JSON.stringify(1), + MAX_INPUT_LENGTH: JSON.stringify(2048), + MAX_TOTAL_TOKENS: JSON.stringify(4096), + MAX_CONCURRENT_REQUESTS: JSON.stringify(4), + }, }, - }, - }); + } + ); models.push({ name: mistral7bInstruct2.endpoint.endpointName!, 
@@ -136,31 +139,34 @@ export class Models extends Construct { ragSupported: true, }); } - if ( props.config.llms?.sagemaker.includes( SupportedSageMakerModels.Mixtral_8x7b_Instruct ) ) { - const mixtral8x7binstruct = new SageMakerModel(this, "Mixtral8x7binstruct", { - vpc: props.shared.vpc, - region: cdk.Aws.REGION, - model: { - type: DeploymentType.Container, - modelId: "mistralai/Mixtral-8x7B-Instruct-v0.1", - container: ContainerImages.HF_PYTORCH_LLM_TGI_INFERENCE_1_3_3, - instanceType: "ml.g5.48xlarge", - containerStartupHealthCheckTimeoutInSeconds: 300, - env: { - SM_NUM_GPUS: JSON.stringify(8), - MAX_INPUT_LENGTH: JSON.stringify(24576), - MAX_TOTAL_TOKENS: JSON.stringify(32768), - MAX_BATCH_PREFILL_TOKENS: JSON.stringify(24576), - MAX_CONCURRENT_REQUESTS: JSON.stringify(4), + const mixtral8x7binstruct = new SageMakerModel( + this, + "Mixtral8x7binstruct", + { + vpc: props.shared.vpc, + region: cdk.Aws.REGION, + model: { + type: DeploymentType.Container, + modelId: "mistralai/Mixtral-8x7B-Instruct-v0.1", + container: ContainerImages.HF_PYTORCH_LLM_TGI_INFERENCE_1_3_3, + instanceType: "ml.g5.48xlarge", + containerStartupHealthCheckTimeoutInSeconds: 300, + env: { + SM_NUM_GPUS: JSON.stringify(8), + MAX_INPUT_LENGTH: JSON.stringify(24576), + MAX_TOTAL_TOKENS: JSON.stringify(32768), + MAX_BATCH_PREFILL_TOKENS: JSON.stringify(24576), + MAX_CONCURRENT_REQUESTS: JSON.stringify(4), + }, }, - }, - }); + } + ); models.push({ name: mixtral8x7binstruct.endpoint.endpointName!, diff --git a/lib/rag-engines/aurora-pgvector/create-aurora-workspace.ts b/lib/rag-engines/aurora-pgvector/create-aurora-workspace.ts index cee67b917..32d9f51ba 100644 --- a/lib/rag-engines/aurora-pgvector/create-aurora-workspace.ts +++ b/lib/rag-engines/aurora-pgvector/create-aurora-workspace.ts 
@@ -123,9 +123,13 @@ export class CreateAuroraWorkspace extends Construct { .next(setReady) .next(new sfn.Succeed(this, "Success")); - const logGroup = new logs.LogGroup(this, "CreateAuroraWorkspaceSMLogGroup", { - removalPolicy: RemovalPolicy.DESTROY - }); + const logGroup = new logs.LogGroup( + this, + "CreateAuroraWorkspaceSMLogGroup", + { + removalPolicy: RemovalPolicy.DESTROY, + } + ); const stateMachine = new sfn.StateMachine(this, "CreateAuroraWorkspace", { definitionBody: sfn.DefinitionBody.fromChainable(workflow), @@ -134,8 +138,8 @@ export class CreateAuroraWorkspace extends Construct { tracingEnabled: true, logs: { destination: logGroup, - level: sfn.LogLevel.ALL - } + level: sfn.LogLevel.ALL, + }, }); this.stateMachine = stateMachine; diff --git a/lib/rag-engines/aurora-pgvector/index.ts b/lib/rag-engines/aurora-pgvector/index.ts index b645cd788..043c4d963 100644 --- a/lib/rag-engines/aurora-pgvector/index.ts +++ b/lib/rag-engines/aurora-pgvector/index.ts @@ -26,7 +26,6 @@ export class AuroraPgVector extends Construct { constructor(scope: Construct, id: string, props: AuroraPgVectorProps) { super(scope, id); - const dbCluster = new rds.DatabaseCluster(this, "AuroraDatabase", { engine: rds.DatabaseClusterEngine.auroraPostgres({ version: rds.AuroraPostgresEngineVersion.VER_15_3, @@ -35,7 +34,7 @@ export class AuroraPgVector extends Construct { writer: rds.ClusterInstance.serverlessV2("ServerlessInstance"), vpc: props.shared.vpc, vpcSubnets: { subnetType: ec2.SubnetType.PRIVATE_ISOLATED }, - iamAuthentication: true + iamAuthentication: true, }); const databaseSetupFunction = new lambda.Function( 
@@ -101,11 +100,17 @@ export class AuroraPgVector extends Construct { /** * CDK NAG suppression */ - NagSuppressions.addResourceSuppressions(dbCluster, - [ - {id: "AwsSolutions-RDS10", reason: "Deletion protection disabled to allow deletion as part of the CloudFormation stack."}, - {id: "AwsSolutions-RDS2", reason: "Encryption cannot be enabled on an unencrypted DB Cluster, therefore enabling will destroy existing data. Docs provide instructions for users requiring it."} - ] - ); + NagSuppressions.addResourceSuppressions(dbCluster, [ + { + id: "AwsSolutions-RDS10", + reason: + "Deletion protection disabled to allow deletion as part of the CloudFormation stack.", + }, + { + id: "AwsSolutions-RDS2", + reason: + "Encryption cannot be enabled on an unencrypted DB Cluster, therefore enabling will destroy existing data. Docs provide instructions for users requiring it.", + }, + ]); } } diff --git a/lib/rag-engines/data-import/file-import-batch-job.ts b/lib/rag-engines/data-import/file-import-batch-job.ts index dc11fe738..6de6ec3ca 100644 --- a/lib/rag-engines/data-import/file-import-batch-job.ts +++ b/lib/rag-engines/data-import/file-import-batch-job.ts @@ -37,7 +37,9 @@ export class FileImportBatchJob extends Construct { "ManagedEc2EcsComputeEnvironment", { vpc: props.shared.vpc, - instanceTypes: [ec2.InstanceType.of(ec2.InstanceClass.M6A, ec2.InstanceSize.LARGE)], + instanceTypes: [ + ec2.InstanceType.of(ec2.InstanceClass.M6A, ec2.InstanceSize.LARGE), + ], maxvCpus: 4, minvCpus: 0, replaceComputeEnvironment: true, 
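Review bot: The `AwsSolutions-RDS2` waiver on `dbCluster` implies storage encryption is off for every deployment, although the stated reason only applies to clusters that already exist unencrypted. A fresh install could be encrypted at no migration cost: gate `storageEncrypted: true` in the `rds.DatabaseCluster` props behind a config flag that defaults to on for new stacks, and keep the suppression only when the flag is off. The `AwsSolutions-RDS10` waiver (deletion protection disabled) could be tied to the same kind of flag. The cluster definition sits in an earlier hunk of this file, outside this one.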
@@ -104,10 +106,16 @@ export class FileImportBatchJob extends Construct { timeout: cdk.Duration.minutes(30), retryAttempts: 3, retryStrategies: [ - batch.RetryStrategy.of(batch.Action.EXIT, batch.Reason.CANNOT_PULL_CONTAINER), - batch.RetryStrategy.of(batch.Action.EXIT, batch.Reason.custom({ - onExitCode: '137', - })), + batch.RetryStrategy.of( + batch.Action.EXIT, + batch.Reason.CANNOT_PULL_CONTAINER + ), + batch.RetryStrategy.of( + batch.Action.EXIT, + batch.Reason.custom({ + onExitCode: "137", + }) + ), ], }); @@ -182,12 +190,20 @@ export class FileImportBatchJob extends Construct { /** * CDK NAG suppression */ - NagSuppressions.addResourceSuppressions(fileImportJobRole, - [ - {id: "AwsSolutions-IAM4", reason: "Allow user freedom of model usage in Bedrock."}, - {id: "AwsSolutions-IAM5", reason: "Access to all log groups required for CloudWatch log group creation."}, - {id: "AwsSolutions-IAM5", reason: "S3 write access required for upload and processing buckets."} - ] - ); + NagSuppressions.addResourceSuppressions(fileImportJobRole, [ + { + id: "AwsSolutions-IAM4", + reason: "Allow user freedom of model usage in Bedrock.", + }, + { + id: "AwsSolutions-IAM5", + reason: + "Access to all log groups required for CloudWatch log group creation.", + }, + { + id: "AwsSolutions-IAM5", + reason: "S3 write access required for upload and processing buckets.", + }, + ]); } } diff --git a/lib/rag-engines/data-import/file-import-workflow.ts b/lib/rag-engines/data-import/file-import-workflow.ts index 274be8524..2f15f68fb 100644 --- a/lib/rag-engines/data-import/file-import-workflow.ts +++ b/lib/rag-engines/data-import/file-import-workflow.ts @@ -107,7 +107,7 @@ export class FileImportWorkflow extends Construct { }); const logGroup = new logs.LogGroup(this, "FileImportSMLogGroup", { - removalPolicy: RemovalPolicy.DESTROY + removalPolicy: RemovalPolicy.DESTROY, }); const workflow = setProcessing.next(fileImportJob).next(setProcessed); 
@@ -118,8 +118,8 @@ export class FileImportWorkflow extends Construct { tracingEnabled: true, logs: { destination: logGroup, - level: sfn.LogLevel.ALL - } + level: sfn.LogLevel.ALL, + }, }); stateMachine.addToRolePolicy( diff --git a/lib/rag-engines/data-import/index.ts b/lib/rag-engines/data-import/index.ts index 5b9f22f2f..fb9b14688 100644 --- a/lib/rag-engines/data-import/index.ts +++ b/lib/rag-engines/data-import/index.ts @@ -53,8 +53,8 @@ export class DataImport extends Construct { "IngestionDeadLetterQueue", { visibilityTimeout: cdk.Duration.seconds(900), - enforceSSL: true - }, + enforceSSL: true, + } ); const ingestionQueue = new sqs.Queue(this, "IngestionQueue", { @@ -241,12 +241,12 @@ export class DataImport extends Construct { * CDK NAG suppression */ NagSuppressions.addResourceSuppressions( + [uploadLogsBucket, processingLogsBucket], [ - uploadLogsBucket, - processingLogsBucket - ], - [ - {id: "AwsSolutions-S1", reason: "Logging bucket does not require it's own access logs."} + { + id: "AwsSolutions-S1", + reason: "Logging bucket does not require it's own access logs.", + }, ] ); } diff --git a/lib/rag-engines/data-import/website-crawling-workflow.ts b/lib/rag-engines/data-import/website-crawling-workflow.ts index f92b7e67a..0ec6568bf 100644 --- a/lib/rag-engines/data-import/website-crawling-workflow.ts +++ b/lib/rag-engines/data-import/website-crawling-workflow.ts @@ -222,7 +222,7 @@ export class WebsiteCrawlingWorkflow extends Construct { .otherwise(setProcessed); const logGroup = new logs.LogGroup(this, "WebsiteCrawlingSMLogGroup", { - removalPolicy: RemovalPolicy.DESTROY + removalPolicy: RemovalPolicy.DESTROY, }); const stateMachine = new sfn.StateMachine(this, "WebsiteCrawling", { @@ -232,8 +232,8 @@ export class WebsiteCrawlingWorkflow extends Construct { tracingEnabled: true, logs: { destination: logGroup, - level: sfn.LogLevel.ALL - } + level: sfn.LogLevel.ALL, + }, }); this.stateMachine = stateMachine; 
diff --git a/lib/rag-engines/kendra-retrieval/create-kendra-workspace.ts b/lib/rag-engines/kendra-retrieval/create-kendra-workspace.ts index b1b2fd60b..68d313f69 100644 --- a/lib/rag-engines/kendra-retrieval/create-kendra-workspace.ts +++ b/lib/rag-engines/kendra-retrieval/create-kendra-workspace.ts @@ -81,9 +81,13 @@ export class CreateKendraWorkspace extends Construct { .next(setReady) .next(new sfn.Succeed(this, "Success")); - const logGroup = new logs.LogGroup(this, "CreateKendraWorkspaceSMLogGroup", { - removalPolicy: RemovalPolicy.DESTROY - }); + const logGroup = new logs.LogGroup( + this, + "CreateKendraWorkspaceSMLogGroup", + { + removalPolicy: RemovalPolicy.DESTROY, + } + ); const stateMachine = new sfn.StateMachine(this, "CreateKendraWorkspace", { definitionBody: sfn.DefinitionBody.fromChainable(workflow), @@ -92,8 +96,8 @@ export class CreateKendraWorkspace extends Construct { tracingEnabled: true, logs: { destination: logGroup, - level: sfn.LogLevel.ALL - } + level: sfn.LogLevel.ALL, + }, }); this.stateMachine = stateMachine; diff --git a/lib/rag-engines/kendra-retrieval/index.ts b/lib/rag-engines/kendra-retrieval/index.ts index 18deaed93..bc86ce468 100644 --- a/lib/rag-engines/kendra-retrieval/index.ts +++ b/lib/rag-engines/kendra-retrieval/index.ts @@ -50,7 +50,7 @@ export class KendraRetrieval extends Construct { removalPolicy: cdk.RemovalPolicy.DESTROY, autoDeleteObjects: true, enforceSSL: true, - serverAccessLogsBucket: logsBucket + serverAccessLogsBucket: logsBucket, }); const kendraRole = new iam.Role(this, "KendraRole", { 
@@ -67,7 +67,9 @@ export class KendraRetrieval extends Construct { dataBucket.grantRead(kendraRole); const kendraIndex = new kendra.CfnIndex(this, "Index", { - edition: props.config.rag?.engines.kendra?.enterprise ? "ENTERPRISE_EDITION" : "DEVELOPER_EDITION", + edition: props.config.rag?.engines.kendra?.enterprise + ? "ENTERPRISE_EDITION" + : "DEVELOPER_EDITION", name: indexName, roleArn: kendraRole.roleArn, documentMetadataConfigurations: [ diff --git a/lib/rag-engines/opensearch-vector/create-opensearch-workspace.ts b/lib/rag-engines/opensearch-vector/create-opensearch-workspace.ts index 7d73e37c8..2a7451d3e 100644 --- a/lib/rag-engines/opensearch-vector/create-opensearch-workspace.ts +++ b/lib/rag-engines/opensearch-vector/create-opensearch-workspace.ts @@ -141,9 +141,13 @@ export class CreateOpenSearchWorkspace extends Construct { .next(setReady) .next(new sfn.Succeed(this, "Success")); - const logGroup = new logs.LogGroup(this, "CreateOpenSearchWorkspaceSMLogGroup", { - removalPolicy: RemovalPolicy.DESTROY - }); + const logGroup = new logs.LogGroup( + this, + "CreateOpenSearchWorkspaceSMLogGroup", + { + removalPolicy: RemovalPolicy.DESTROY, + } + ); const stateMachine = new sfn.StateMachine( this, @@ -155,8 +159,8 @@ export class CreateOpenSearchWorkspace extends Construct { tracingEnabled: true, logs: { destination: logGroup, - level: sfn.LogLevel.ALL - } + level: sfn.LogLevel.ALL, + }, } ); diff --git a/lib/rag-engines/workspaces/delete-workspace.ts b/lib/rag-engines/workspaces/delete-workspace.ts index f458eb5a4..0fbafd9cd 100644 --- a/lib/rag-engines/workspaces/delete-workspace.ts +++ b/lib/rag-engines/workspaces/delete-workspace.ts 
@@ -160,7 +160,7 @@ export class DeleteWorkspace extends Construct { .next(new sfn.Succeed(this, "Success")); const logGroup = new logs.LogGroup(this, "DeleteWorkspaceSMLogGroup", { - removalPolicy: RemovalPolicy.DESTROY + removalPolicy: RemovalPolicy.DESTROY, }); const stateMachine = new sfn.StateMachine(this, "DeleteWorkspace", { @@ -170,8 +170,8 @@ export class DeleteWorkspace extends Construct { tracingEnabled: true, logs: { destination: logGroup, - level: sfn.LogLevel.ALL - } + level: sfn.LogLevel.ALL, + }, }); this.stateMachine = stateMachine; diff --git a/lib/sagemaker-model/deploy-container-model.ts b/lib/sagemaker-model/deploy-container-model.ts index e08a655b1..da25280d2 100644 --- a/lib/sagemaker-model/deploy-container-model.ts +++ b/lib/sagemaker-model/deploy-container-model.ts @@ -90,8 +90,14 @@ export function deployContainerModel( * CDK NAG suppression */ NagSuppressions.addResourceSuppressions(executionRole, [ - {id: "AwsSolutions-IAM4", reason: "Gives user ability to deploy and delete endpoints from the UI."}, - {id: "AwsSolutions-IAM5", reason: "Gives user ability to deploy and delete endpoints from the UI."}, + { + id: "AwsSolutions-IAM4", + reason: "Gives user ability to deploy and delete endpoints from the UI.", + }, + { + id: "AwsSolutions-IAM5", + reason: "Gives user ability to deploy and delete endpoints from the UI.", + }, ]); return { model, endpoint }; diff --git a/lib/sagemaker-model/deploy-package-model.ts b/lib/sagemaker-model/deploy-package-model.ts index 73f7ddbb7..3d4aa03f2 100644 --- a/lib/sagemaker-model/deploy-package-model.ts +++ b/lib/sagemaker-model/deploy-package-model.ts 
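Review bot: In the deploy-container-model.ts hunk, the `AwsSolutions-IAM4` and `AwsSolutions-IAM5` suppressions on `executionRole` are resource-wide, and their shared reason describes a UI feature rather than the managed policy or wildcard being accepted. As written, any wildcard added to this role later is silenced too. cdk-nag can scope a suppression with `appliesTo`, for example `appliesTo: ["Policy::<managed-policy-arn-placeholder>"]` for IAM4 and the individual `Action::…` / `Resource::…` findings for IAM5, with a reason that names what each entry grants. The same pair recurs in the deploy-package-model.ts hunk and in the `executionRole` block of hf-custom-script-model/index.ts. The role definition is outside the hunk, so the actual policy set cannot be checked from here.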
@@ -65,8 +65,14 @@ export function deployPackageModel( * CDK NAG suppression */ NagSuppressions.addResourceSuppressions(executionRole, [ - {id: "AwsSolutions-IAM4", reason: "Gives user ability to deploy and delete endpoints from the UI."}, - {id: "AwsSolutions-IAM5", reason: "Gives user ability to deploy and delete endpoints from the UI."}, + { + id: "AwsSolutions-IAM4", + reason: "Gives user ability to deploy and delete endpoints from the UI.", + }, + { + id: "AwsSolutions-IAM5", + reason: "Gives user ability to deploy and delete endpoints from the UI.", + }, ]); return { model, endpoint }; diff --git a/lib/sagemaker-model/hf-custom-script-model/index.ts b/lib/sagemaker-model/hf-custom-script-model/index.ts index e1d4562f9..3e7959de3 100644 --- a/lib/sagemaker-model/hf-custom-script-model/index.ts +++ b/lib/sagemaker-model/hf-custom-script-model/index.ts 
@@ -297,27 +297,42 @@ export class HuggingFaceCustomScriptModel extends Construct { /** * CDK NAG suppression */ - NagSuppressions.addResourceSuppressions(codeBuildRole, - [ - {id: "AwsSolutions-IAM5", reason: "Access to all log groups required for CloudWatch log group creation."}, - ] - ); - NagSuppressions.addResourceSuppressions(codeBuildProject, - [ - {id: "AwsSolutions-CB4", reason: "Build is only ran as part of stack creation and does not contain external data."}, - {id: "AwsSolutions-CB3", reason: "Privileged mode is required as build project is used to build Docker images."} - ] - ); - NagSuppressions.addResourceSuppressions(executionRole, - [ - {id: "AwsSolutions-IAM4", reason: "Gives user ability to deploy and delete endpoints from the UI."}, - {id: "AwsSolutions-IAM5", reason: "Gives user ability to deploy and delete endpoints from the UI."}, - ] - ); - NagSuppressions.addResourceSuppressions(logsBucket, - [ - {id: "AwsSolutions-S1", reason: "Logging bucket does not require it's own access logs."} - ] - ); + NagSuppressions.addResourceSuppressions(codeBuildRole, [ + { + id: "AwsSolutions-IAM5", + reason: + "Access to all log groups required for CloudWatch log group creation.", + }, + ]); + NagSuppressions.addResourceSuppressions(codeBuildProject, [ + { + id: "AwsSolutions-CB4", + reason: + "Build is only ran as part of stack creation and does not contain external data.", + }, + { + id: "AwsSolutions-CB3", + reason: + "Privileged mode is required as build project is used to build Docker images.", + }, + ]); + NagSuppressions.addResourceSuppressions(executionRole, [ + { + id: "AwsSolutions-IAM4", + reason: + "Gives user ability to deploy and delete endpoints from the UI.", + }, + { + id: "AwsSolutions-IAM5", + reason: + "Gives user ability to deploy and delete endpoints from the UI.", + }, + ]); + NagSuppressions.addResourceSuppressions(logsBucket, [ + { + id: "AwsSolutions-S1", + reason: "Logging bucket does not require it's own access logs.", + }, + ]); 
} } diff --git a/lib/shared/index.ts b/lib/shared/index.ts index c0dfa91e5..155c9d670 100644 --- a/lib/shared/index.ts +++ b/lib/shared/index.ts @@ -64,11 +64,11 @@ export class Shared extends Construct { ], }); const logGroup = new logs.LogGroup(this, "FLowLogsLogGroup", { - removalPolicy: cdk.RemovalPolicy.DESTROY + removalPolicy: cdk.RemovalPolicy.DESTROY, }); - new ec2.FlowLog(this, 'FlowLog', { + new ec2.FlowLog(this, "FlowLog", { resourceType: ec2.FlowLogResourceType.fromVpc(vpc), - destination: ec2.FlowLogDestination.toCloudWatchLogs(logGroup) + destination: ec2.FlowLogDestination.toCloudWatchLogs(logGroup), }); } else { vpc = ec2.Vpc.fromLookup(this, "VPC", { @@ -168,15 +168,11 @@ export class Shared extends Construct { /** * CDK NAG suppression */ - NagSuppressions.addResourceSuppressions(xOriginVerifySecret, - [ - {id: "AwsSolutions-SMG4", reason: "Secret is generated by CDK."} - ] - ); - NagSuppressions.addResourceSuppressions(apiKeysSecret, - [ - {id: "AwsSolutions-SMG4", reason: "Secret value is blank."} - ] - ); + NagSuppressions.addResourceSuppressions(xOriginVerifySecret, [ + { id: "AwsSolutions-SMG4", reason: "Secret is generated by CDK." }, + ]); + NagSuppressions.addResourceSuppressions(apiKeysSecret, [ + { id: "AwsSolutions-SMG4", reason: "Secret value is blank." }, + ]); } } diff --git a/lib/shared/shared-asset-bundler.ts b/lib/shared/shared-asset-bundler.ts index 838e9d62a..960fe2d37 100644 --- a/lib/shared/shared-asset-bundler.ts +++ b/lib/shared/shared-asset-bundler.ts 
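Review bot: In the hf-custom-script-model/index.ts hunk, the `AwsSolutions-IAM5` reason on `codeBuildRole` accepts access to all log groups, although creating and writing the build's logs only needs the project's own group. Scoping the role's logs statement to that log-group ARN prefix would let the suppression go; if it stays, add `appliesTo` so only the logs wildcard is covered. The policy itself is defined outside the hunk. The `AwsSolutions-CB4` reason ("does not contain external data") sits next to a privileged-mode Docker build (`AwsSolutions-CB3`); if that build pulls base images or model artefacts from outside the account, the reason should say so and state how those inputs are pinned. In the `logsBucket` reason, "it's own" should read "its own".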
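Review bot: In the last hunk of lib/shared/index.ts, the two `AwsSolutions-SMG4` reasons ("Secret is generated by CDK.", "Secret value is blank.") say how the secrets are created, not why they may go without automatic rotation, which is what the rule checks. Judging by its name, `xOriginVerifySecret` is a shared value used to verify that requests came through the CDN (to be confirmed against the code outside the hunk); a value like that stays valid until someone replaces it. Either attach a rotation schedule or record the manual process in the reason, for example `reason: "Rotated manually, see <runbook-placeholder>; rotation needs a coordinated update on both sides."`. For `apiKeysSecret`, the reason stops being true as soon as an operator stores real keys in it, so it should name who owns rotation of those keys.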
@@ -57,8 +57,15 @@ export class SharedAssetBundler extends Construct { { path: assetPath, bundling: { - image: DockerImage.fromBuild(path.posix.join(__dirname, "alpine-zip")), - command: ["zip", "-r", path.posix.join("/asset-output", "asset.zip"), "."], + image: DockerImage.fromBuild( + path.posix.join(__dirname, "alpine-zip") + ), + command: [ + "zip", + "-r", + path.posix.join("/asset-output", "asset.zip"), + ".", + ], volumes: this.sharedAssets.map((f) => ({ containerPath: path.posix.join(this.WORKING_PATH, path.basename(f)), hostPath: f, diff --git a/lib/user-interface/index.ts b/lib/user-interface/index.ts index 77e004e51..ff688c6b1 100644 --- a/lib/user-interface/index.ts +++ b/lib/user-interface/index.ts @@ -49,20 +49,24 @@ export class UserInterface extends Construct { websiteIndexDocument: "index.html", websiteErrorDocument: "index.html", enforceSSL: true, - serverAccessLogsBucket: uploadLogsBucket + serverAccessLogsBucket: uploadLogsBucket, }); const originAccessIdentity = new cf.OriginAccessIdentity(this, "S3OAI"); websiteBucket.grantRead(originAccessIdentity); props.chatbotFilesBucket.grantRead(originAccessIdentity); - const distributionLogsBucket = new s3.Bucket(this, "DistributionLogsBucket", { - objectOwnership: s3.ObjectOwnership.OBJECT_WRITER, - blockPublicAccess: s3.BlockPublicAccess.BLOCK_ALL, - removalPolicy: cdk.RemovalPolicy.DESTROY, - autoDeleteObjects: true, - enforceSSL: true - }); + const distributionLogsBucket = new s3.Bucket( + this, + "DistributionLogsBucket", + { + objectOwnership: s3.ObjectOwnership.OBJECT_WRITER, + blockPublicAccess: s3.BlockPublicAccess.BLOCK_ALL, + removalPolicy: cdk.RemovalPolicy.DESTROY, + autoDeleteObjects: true, + enforceSSL: true, + } + ); const distribution = new cf.CloudFrontWebDistribution( this, 
@@ -262,25 +266,24 @@ export class UserInterface extends Construct { * CDK NAG suppression */ NagSuppressions.addResourceSuppressions( - [ - uploadLogsBucket, - distributionLogsBucket - ], - [ - {id: "AwsSolutions-S1", reason: "Bucket is the server access logs bucket for websiteBucket."} - ] - ); - NagSuppressions.addResourceSuppressions(websiteBucket, - [ - {id: "AwsSolutions-S5", reason: "OAI is configured for read."} - ] - ); - NagSuppressions.addResourceSuppressions(distribution, + [uploadLogsBucket, distributionLogsBucket], [ - {id: "AwsSolutions-CFR1", reason: "No geo restrictions"}, - {id: "AwsSolutions-CFR2", reason: "WAF not required due to configured Cognito auth."}, - {id: "AwsSolutions-CFR4", reason: "TLS 1.2 is the default."} + { + id: "AwsSolutions-S1", + reason: "Bucket is the server access logs bucket for websiteBucket.", + }, ] ); + NagSuppressions.addResourceSuppressions(websiteBucket, [ + { id: "AwsSolutions-S5", reason: "OAI is configured for read." }, + ]); + NagSuppressions.addResourceSuppressions(distribution, [ + { id: "AwsSolutions-CFR1", reason: "No geo restrictions" }, + { + id: "AwsSolutions-CFR2", + reason: "WAF not required due to configured Cognito auth.", + }, + { id: "AwsSolutions-CFR4", reason: "TLS 1.2 is the default." }, + ]); } }
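Review bot: The `AwsSolutions-CFR4` reason "TLS 1.2 is the default." in the `distribution` suppression may not match the deployed configuration. When a distribution serves the default CloudFront domain certificate, the viewer security policy is TLSv1, and a TLS 1.2 minimum only applies once a custom certificate is configured with an explicit `securityPolicy`. The distribution's `viewerCertificate` settings are outside the hunk, so either confirm them there or reword the reason to state the accepted risk. The `AwsSolutions-CFR2` reason treats Cognito sign-in as a replacement for WAF, but unauthenticated requests still reach the distribution, so rate limiting and request filtering remain uncovered; the reason should say that this is accepted or where it is handled. "No geo restrictions" for `AwsSolutions-CFR1` restates the finding rather than justifying it.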