feature: support inter container traffic encryption for processing jobs

Author: szeinedd

src/sagemaker/model_monitor/model_monitoring.py

@@ -453,6 +453,10 @@ def update_monitoring_schedule(
         network_config_dict = None
         if self.network_config is not None:
             network_config_dict = self.network_config._to_request_dict()
+            if "EnableInterContainerTrafficEncryption" in network_config_dict:
+                raise ValueError(
+                    "EnableInterContainerTrafficEncryption is not supported in Model Monitor"
+                )
 
         self.sagemaker_session.update_monitoring_schedule(
             monitoring_schedule_name=self.monitoring_schedule_name,

src/sagemaker/network.py

@@ -20,24 +20,38 @@ class NetworkConfig(object):
     """Accepts network configuration parameters and provides a method to turn these parameters
     into a dictionary."""
 
-    def __init__(self, enable_network_isolation=False, security_group_ids=None, subnets=None):
+    def __init__(
+        self,
+        enable_network_isolation=False,
+        security_group_ids=None,
+        subnets=None,
+        encrypt_inter_container_traffic=None,
+    ):
         """Initialize a ``NetworkConfig`` instance. NetworkConfig accepts network configuration
         parameters and provides a method to turn these parameters into a dictionary.
 
         Args:
             enable_network_isolation (bool): Boolean that determines whether to enable
                 network isolation.
+            encrypt_inter_container_traffic (bool): Boolean that determines whether to
+                encrypt inter-container traffic.
             security_group_ids ([str]): A list of strings representing security group IDs.
             subnets ([str]): A list of strings representing subnets.
         """
         self.enable_network_isolation = enable_network_isolation
+        self.encrypt_inter_container_traffic = encrypt_inter_container_traffic
         self.security_group_ids = security_group_ids
         self.subnets = subnets
 
     def _to_request_dict(self):
         """Generates a request dictionary using the parameters provided to the class."""
         network_config_request = {"EnableNetworkIsolation": self.enable_network_isolation}
 
+        if self.encrypt_inter_container_traffic is not None:
+            network_config_request[
+                "EnableInterContainerTrafficEncryption"
+            ] = self.encrypt_inter_container_traffic
+
         if self.security_group_ids is not None or self.subnets is not None:
             network_config_request["VpcConfig"] = {}
 

tests/unit/test_processing.py

@@ -141,6 +141,7 @@ def test_sklearn_with_all_parameters(exists_mock, isfile_mock, ecr_prefix, sagem
             subnets=["my_subnet_id"],
             security_group_ids=["my_security_group_id"],
             enable_network_isolation=True,
+            encrypt_inter_container_traffic=True,
         ),
         sagemaker_session=sagemaker_session,
     )
@@ -330,6 +331,7 @@ def test_script_processor_with_all_parameters(exists_mock, isfile_mock, sagemake
             subnets=["my_subnet_id"],
             security_group_ids=["my_security_group_id"],
             enable_network_isolation=True,
+            encrypt_inter_container_traffic=True,
         ),
         sagemaker_session=sagemaker_session,
     )
@@ -386,6 +388,26 @@ def test_processor_with_required_parameters(sagemaker_session):
     sagemaker_session.process.assert_called_with(**expected_args)
 
 
+def test_processor_with_missing_network_config_parameters(sagemaker_session):
+    processor = Processor(
+        role=ROLE,
+        image_uri=CUSTOM_IMAGE_URI,
+        instance_count=1,
+        instance_type="ml.m4.xlarge",
+        sagemaker_session=sagemaker_session,
+        network_config=NetworkConfig(enable_network_isolation=True),
+    )
+
+    processor.run()
+
+    expected_args = _get_expected_args(processor._current_job_name)
+    del expected_args["app_specification"]["ContainerEntrypoint"]
+    expected_args["inputs"] = []
+    expected_args["network_config"] = {"EnableNetworkIsolation": True}
+
+    sagemaker_session.process.assert_called_with(**expected_args)
+
+
 def test_processor_with_all_parameters(sagemaker_session):
     processor = Processor(
         role=ROLE,
@@ -405,6 +427,7 @@ def test_processor_with_all_parameters(sagemaker_session):
             subnets=["my_subnet_id"],
             security_group_ids=["my_security_group_id"],
             enable_network_isolation=True,
+            encrypt_inter_container_traffic=True,
         ),
     )
 
@@ -580,6 +603,7 @@ def _get_expected_args_all_parameters(job_name):
         "environment": {"my_env_variable": "my_env_variable_value"},
         "network_config": {
             "EnableNetworkIsolation": True,
+            "EnableInterContainerTrafficEncryption": True,
             "VpcConfig": {
                 "SecurityGroupIds": ["my_security_group_id"],
                 "Subnets": ["my_subnet_id"],

tests/unit/test_session.py

@@ -131,6 +131,7 @@ def test_process(boto_session):
         },
         "environment": {"my_env_variable": 20},
         "network_config": {
+            "EnableInterContainerTrafficEncryption": True,
             "EnableNetworkIsolation": True,
             "VpcConfig": {
                 "SecurityGroupIds": ["my_security_group_id"],
@@ -219,6 +220,7 @@ def test_process(boto_session):
         },
         "Environment": {"my_env_variable": 20},
         "NetworkConfig": {
+            "EnableInterContainerTrafficEncryption": True,
             "EnableNetworkIsolation": True,
             "VpcConfig": {
                 "SecurityGroupIds": ["my_security_group_id"],