feat(vpcendpoint): added nat gateway for lambda and removed loggroup check for summarization (#757)

Author: dineshSajwan

package-lock.json

@@ -112,7 +112,7 @@ export function buildVpc(scope: Construct, props: BuildVpcProps): IVpc {
     return props?.existingVpc;
   }
 
-  let defaultVpcProps = createDefaultIsolatedVpcProps();
+  let defaultVpcProps = createDefaultVpcProps();
 
   let cumulativeProps: VpcProps = defaultVpcProps;
 
@@ -229,16 +229,27 @@ function AddInterfaceEndpoint(scope: Construct, vpc: IVpc, service: EndpointDefi
   });
 }
 
-export function createDefaultIsolatedVpcProps(): VpcProps {
+export function createDefaultVpcProps(): VpcProps {
   return {
-    natGateways: 0,
     subnetConfiguration: [
       {
-        cidrMask: 18,
-        name: 'isolated',
+        cidrMask: 24,
+        name: 'public',
+        subnetType: SubnetType.PUBLIC,
+      },
+      {
+        cidrMask: 24,
+        name: 'private_isolated',
         subnetType: SubnetType.PRIVATE_ISOLATED,
       },
+      {
+        cidrMask: 24,
+        name: 'private_egress',
+        subnetType: SubnetType.PRIVATE_WITH_EGRESS,
+      },
     ],
+    ipAddresses: ec2.IpAddresses.cidr('10.0.0.0/16'),
+
   } as VpcProps;
 }
 

src/common/helpers/vpc-helper.ts

@@ -221,7 +221,6 @@ export class QaAppsyncOpensearch extends BaseClass {
       vpc_helper.AddAwsServiceEndpoint(scope, this.vpc, [
         vpc_helper.ServiceEndpointTypeEnum.S3,
         vpc_helper.ServiceEndpointTypeEnum.BEDROCK_RUNTIME,
-        vpc_helper.ServiceEndpointTypeEnum.APP_SYNC,
       ]);
     }
 
@@ -541,7 +540,7 @@ export class QaAppsyncOpensearch extends BaseClass {
       description: 'Lambda function for question answering',
       vpc: this.vpc,
       tracing: this.lambdaTracing,
-      vpcSubnets: { subnetType: ec2.SubnetType.PRIVATE_ISOLATED },
+      vpcSubnets: { subnetType: ec2.SubnetType.PRIVATE_WITH_EGRESS },
       securityGroups: [this.securityGroup],
       memorySize: lambdaMemorySizeLimiter(this, 1_769 * 4),
       timeout: Duration.minutes(15),

src/patterns/gen-ai/aws-qa-appsync-opensearch/index.ts

@@ -41,7 +41,7 @@ import {
 } from '../../../common/helpers/kendra-helper';
 import { buildDockerLambdaFunction } from '../../../common/helpers/lambda-builder-helper';
 import { lambdaMemorySizeLimiter } from '../../../common/helpers/utils';
-import { AddAwsServiceEndpoint, buildVpc, createDefaultIsolatedVpcProps, ServiceEndpointTypeEnum } from '../../../common/helpers/vpc-helper';
+import { AddAwsServiceEndpoint, buildVpc, createDefaultVpcProps, ServiceEndpointTypeEnum } from '../../../common/helpers/vpc-helper';
 import { DockerLambdaCustomProps } from '../../../common/props/DockerLambdaCustomProps';
 
 /**
@@ -243,7 +243,7 @@ export class RagAppsyncStepfnKendra extends BaseClass {
 
     if (props.deployVpc || props.existingVpc) {
       this.vpc = buildVpc(scope, {
-        defaultVpcProps: createDefaultIsolatedVpcProps(),
+        defaultVpcProps: createDefaultVpcProps(),
         existingVpc: props.existingVpc,
         userVpcProps: props.vpcProps,
         constructVpcProps: {
@@ -396,7 +396,7 @@ export class RagAppsyncStepfnKendra extends BaseClass {
       description: 'Lambda function for pre-signed links generation',
       vpc: this.vpc,
       tracing: this.lambdaTracing,
-      vpcSubnets: { subnetType: ec2.SubnetType.PRIVATE_ISOLATED },
+      vpcSubnets: { subnetType: ec2.SubnetType.PRIVATE_WITH_EGRESS },
       securityGroups: [this.securityGroup],
       memorySize: lambdaMemorySizeLimiter(this, 1_769),
       timeout: Duration.minutes(15),
@@ -419,7 +419,7 @@ export class RagAppsyncStepfnKendra extends BaseClass {
       description: 'Lambda function for Kendra  sync job starting',
       vpc: this.vpc,
       tracing: this.lambdaTracing,
-      vpcSubnets: { subnetType: ec2.SubnetType.PRIVATE_ISOLATED },
+      vpcSubnets: { subnetType: ec2.SubnetType.PRIVATE_WITH_EGRESS },
       securityGroups: [this.securityGroup],
       memorySize: lambdaMemorySizeLimiter(this, 1_769),
       timeout: Duration.minutes(15),
@@ -442,7 +442,7 @@ export class RagAppsyncStepfnKendra extends BaseClass {
       description: 'Lambda function for getting kendra sync status',
       vpc: this.vpc,
       tracing: this.lambdaTracing,
-      vpcSubnets: { subnetType: ec2.SubnetType.PRIVATE_ISOLATED },
+      vpcSubnets: { subnetType: ec2.SubnetType.PRIVATE_WITH_EGRESS },
       securityGroups: [this.securityGroup],
       memorySize: lambdaMemorySizeLimiter(this, 1_769),
       timeout: Duration.minutes(15),
@@ -464,7 +464,7 @@ export class RagAppsyncStepfnKendra extends BaseClass {
       description: 'Lambda function for Kendra job status updates',
       vpc: this.vpc,
       tracing: this.lambdaTracing,
-      vpcSubnets: { subnetType: ec2.SubnetType.PRIVATE_ISOLATED },
+      vpcSubnets: { subnetType: ec2.SubnetType.PRIVATE_WITH_EGRESS },
       securityGroups: [this.securityGroup],
       memorySize: lambdaMemorySizeLimiter(this, 1_769),
       timeout: Duration.minutes(15),
@@ -497,7 +497,7 @@ export class RagAppsyncStepfnKendra extends BaseClass {
       description: 'Lambda for starting execution',
       vpc: this.vpc,
       tracing: this.lambdaTracing,
-      vpcSubnets: { subnetType: ec2.SubnetType.PRIVATE_ISOLATED },
+      vpcSubnets: { subnetType: ec2.SubnetType.PRIVATE_WITH_EGRESS },
       securityGroups: [this.securityGroup],
       memorySize: lambdaMemorySizeLimiter(this, 1_769),
       timeout: Duration.minutes(15),

src/patterns/gen-ai/aws-rag-appsync-stepfn-kendra/index.ts

@@ -259,14 +259,12 @@ export class RagAppsyncStepfnOpensearch extends BaseClass {
     } else {
       this.vpc = vpc_helper.buildVpc(scope, {
         defaultVpcProps: props?.vpcProps,
-        vpcName: 'ragAppSyncStepfnOsVpc',
+        vpcName: 'ragAppSyncOsVpc',
       });
-
       //vpc endpoints
       vpc_helper.AddAwsServiceEndpoint(scope, this.vpc, [
         vpc_helper.ServiceEndpointTypeEnum.S3,
         vpc_helper.ServiceEndpointTypeEnum.BEDROCK_RUNTIME,
-        vpc_helper.ServiceEndpointTypeEnum.APP_SYNC,
       ]);
     }
 
@@ -461,7 +459,7 @@ export class RagAppsyncStepfnOpensearch extends BaseClass {
       description: 'Lambda function for validating input files formats',
       vpc: this.vpc,
       tracing: this.lambdaTracing,
-      vpcSubnets: { subnetType: ec2.SubnetType.PRIVATE_ISOLATED },
+      vpcSubnets: { subnetType: ec2.SubnetType.PRIVATE_WITH_EGRESS },
       securityGroups: [this.securityGroup],
       memorySize: lambdaMemorySizeLimiter(this, 1_769 * 4),
       timeout: Duration.minutes(15),
@@ -614,7 +612,7 @@ export class RagAppsyncStepfnOpensearch extends BaseClass {
       description: 'Lambda function for converting files from their input format to text',
       vpc: this.vpc,
       tracing: this.lambdaTracing,
-      vpcSubnets: { subnetType: ec2.SubnetType.PRIVATE_ISOLATED },
+      vpcSubnets: { subnetType: ec2.SubnetType.PRIVATE_WITH_EGRESS },
       securityGroups: [this.securityGroup],
       memorySize: lambdaMemorySizeLimiter(this, 1_769 * 4),
       timeout: Duration.minutes(15),
@@ -746,7 +744,7 @@ export class RagAppsyncStepfnOpensearch extends BaseClass {
       description: 'Lambda function for creating documents chunks, embeddings and storing them in Amazon Opensearch',
       vpc: this.vpc,
       tracing: this.lambdaTracing,
-      vpcSubnets: { subnetType: ec2.SubnetType.PRIVATE_ISOLATED },
+      vpcSubnets: { subnetType: ec2.SubnetType.PRIVATE_WITH_EGRESS },
       securityGroups: [this.securityGroup],
       memorySize: lambdaMemorySizeLimiter(this, 1_769 * 4),
       timeout: Duration.minutes(15),

src/patterns/gen-ai/aws-rag-appsync-stepfn-opensearch/index.ts

@@ -258,7 +258,10 @@ export class SummarizationAppsyncStepfn extends BaseClass {
     if (props?.existingVpc) {
       this.vpc = props.existingVpc;
     } else {
-      this.vpc = new ec2.Vpc(this, 'Vpc', props.vpcProps);
+      this.vpc = vpc_helper.buildVpc(scope, {
+        defaultVpcProps: props?.vpcProps,
+        vpcName: 'sumAppSyncStepFnVpc',
+      });
       // vpc endpoints
       vpc_helper.AddAwsServiceEndpoint(scope, this.vpc, [vpc_helper.ServiceEndpointTypeEnum.S3,
         vpc_helper.ServiceEndpointTypeEnum.BEDROCK_RUNTIME, vpc_helper.ServiceEndpointTypeEnum.REKOGNITION]);
@@ -800,6 +803,11 @@ export class SummarizationAppsyncStepfn extends BaseClass {
     const logGroupName = generatePhysicalNameV2(this, logGroupPrefix,
       { maxLength: maxGeneratedNameLength, lower: true });
 
+    const summarizationLogGroup = new logs.LogGroup(this, 'summarizationLogGroup', {
+      logGroupName: logGroupName,
+      retention: logs.RetentionDays.ONE_WEEK,
+      removalPolicy: RemovalPolicy.DESTROY,
+    });
 
     // step function definition
     const definition = inputValidationTask.next(
@@ -816,7 +824,7 @@ export class SummarizationAppsyncStepfn extends BaseClass {
       definitionBody: sfn.DefinitionBody.fromChainable(definition),
       timeout: Duration.minutes(15),
       logs: {
-        destination: getLoggroup(this, logGroupName),
+        destination: summarizationLogGroup,
         level: sfn.LogLevel.ALL,
       },
       tracingEnabled: this.enablexray,
@@ -875,17 +883,3 @@ export class SummarizationAppsyncStepfn extends BaseClass {
   }
 }
 
-function getLoggroup(stack: Construct, logGroupName: string) {
-  const existingLogGroup = logs.LogGroup.fromLogGroupName(
-    stack, 'ExistingSummarizationLogGroup', logGroupName);
-
-  if (existingLogGroup.logGroupName) {
-    return existingLogGroup;
-  } else {
-    return new logs.LogGroup(stack, 'SummarizationLogGroup', {
-      logGroupName: logGroupName,
-      retention: logs.RetentionDays.ONE_MONTH,
-      removalPolicy: RemovalPolicy.DESTROY,
-    });
-  }
-}

src/patterns/gen-ai/aws-summarization-appsync-stepfn/index.ts

@@ -14,7 +14,7 @@ import { App, Stack, Aspects } from 'aws-cdk-lib';
 import { Match, Template } from 'aws-cdk-lib/assertions';
 import { Vpc } from 'aws-cdk-lib/aws-ec2';
 import { AwsSolutionsChecks } from 'cdk-nag';
-import { buildVpc, AddAwsServiceEndpoint, createDefaultIsolatedVpcProps, ServiceEndpointTypeEnum } from '../../../../src/common/helpers/vpc-helper';
+import { buildVpc, AddAwsServiceEndpoint, createDefaultVpcProps, ServiceEndpointTypeEnum } from '../../../../src/common/helpers/vpc-helper';
 
 describe('VPC Utilities', () => {
   let app: App;
@@ -28,7 +28,7 @@ describe('VPC Utilities', () => {
 
   describe('buildVpc', () => {
     it('creates a VPC with default isolated configuration', () => {
-      buildVpc(stack, { defaultVpcProps: createDefaultIsolatedVpcProps(), vpcName: 'testVpc' });
+      buildVpc(stack, { defaultVpcProps: createDefaultVpcProps(), vpcName: 'testVpc' });
 
       // Assert VPC is created with expected properties
       const template = Template.fromStack(stack);
@@ -39,14 +39,30 @@ describe('VPC Utilities', () => {
 
       // Assert subnets are created as expected
       template.hasResourceProperties('AWS::EC2::Subnet', {
-        CidrBlock: Match.stringLikeRegexp('^(10\.0\.0\.0|10\.0\.64\.0)\/18$'),
-        MapPublicIpOnLaunch: false,
-        VpcId: Match.anyValue(), // Use anyValue if you're not asserting the exact VPC ID
-        // If you need to assert on Tags, ensure they match the expected structure
+        CidrBlock: Match.stringLikeRegexp('^10\.0\.[0-5]\.0\/24$'),
+        VpcId: Match.anyValue(),
         Tags: Match.arrayWith([
-          Match.objectLike({ Key: 'aws-cdk:subnet-name', Value: 'isolated' }),
+          Match.objectLike({
+            Key: 'aws-cdk:subnet-name',
+            Value: Match.stringLikeRegexp('^(private_isolated|private_egress|public)$'),
+          }),
         ]),
       });
+
+      // Assert that we have the expected number of subnets
+      template.resourceCountIs('AWS::EC2::Subnet', 6);
+
+      // Assert that we have subnets with each expected type
+      ['private_isolated', 'private_egress', 'public'].forEach(subnetType => {
+        template.hasResourceProperties('AWS::EC2::Subnet', {
+          Tags: Match.arrayWith([
+            Match.objectLike({
+              Key: 'aws-cdk:subnet-name',
+              Value: subnetType,
+            }),
+          ]),
+        });
+      });
     });
 
   });

test/patterns/gen-ai/aws-rag-appsync-stepfn-kendra/vpc-helper.test.ts

@@ -49,10 +49,15 @@ describe('RAG Appsync Stepfn Open search construct', () => {
             cidrMask: 24,
           },
           {
-            name: 'private',
+            name: 'isolated',
             subnetType: ec2.SubnetType.PRIVATE_ISOLATED,
             cidrMask: 24,
           },
+          {
+            name: 'private',
+            subnetType: ec2.SubnetType.PRIVATE_WITH_EGRESS,
+            cidrMask: 24,
+          },
         ],
       },
     );

test/patterns/gen-ai/aws-rag-appsync-stepfn-opensearch/aws-rag-appsync-stepfn-opensearch-serverless.test.ts

@@ -50,10 +50,15 @@ describe('RAG Appsync Stepfn Open search construct', () => {
             cidrMask: 24,
           },
           {
-            name: 'private',
+            name: 'isolated',
             subnetType: ec2.SubnetType.PRIVATE_ISOLATED,
             cidrMask: 24,
           },
+          {
+            name: 'private',
+            subnetType: ec2.SubnetType.PRIVATE_WITH_EGRESS,
+            cidrMask: 24,
+          },
         ],
       },
     );