Byo vpc mlstudio

[noah-paige]

Feature or Bugfix

• Feature

Detail

• Enable SageMaker Studio Domain to be deployed in a already provisioned VPC

Relates

• Allow for bring-your-own VPC for SageMaker domains #795

Security

Please answer the questions below briefly where applicable, or write N/A. Based on
OWASP 10.

• Does this PR introduce or modify any input fields or queries - this includes
  fetching data from storage outside the application (e.g. a database, an S3 bucket)?
  • Is the input sanitized?
  • What precautions are you taking before deserializing the data you consume?
  • Is injection prevented by parametrizing queries?
  • Have you ensured no eval or similar functions are used?
• Does this PR introduce any functionality or component that requires authorization?
  • How have you ensured it respects the existing AuthN/AuthZ mechanisms?
  • Are you logging failed auth attempts?
• Are you using or adding any cryptographic features?
  • Do you use a standard proven implementations?
  • Are the used keys controlled by the customer? Where are they stored?
• Are you introducing any new policies/roles/users?
  • Have you used the least-privilege principle? How?

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

[noah-paige]

Tested locally:
Backwards Compatibility

• Migration Script Upgrade (populates sagemaker_studio_domain table)
• Migration Script Downgrade and Re-Upgrade
• Env with MLStudio Enabled can view Studio Domain Details in Environment-MLStudio Tab
• Update Env Stack - Domain is not recreated
• ML Studio User —> Still access Studio from UI

Functionality

• Create Env and specify VPC and Subnets For ML Studio
  • VPC Not Found Error if VPC does not exist
  • Subnet Not Found Error if Subnet(s) do not exist
  • Subnet not in VPC Error if Subnet(s) a part of a different VPC
  • Create Successfully with appropriate VPC and Subnet specified
• Env Admin Can View Studio Domain Details in Environment-MLStudio Tab (if ML Studio Enabled)
• Create ML Studio User, Access Studio from UI, and Delete ML Studio User
• Edit Environment and Disable ML Studio —> Env Updates and Domain Deleted
• Edit Environment and Re-Enable ML Studio with no VPC specified —> Env uses default (if present) or creates its own VPC

To test the same as above in AWS Deployment...

[noah-paige]

AWS TESTING
Backwards Compatibility

• Migration Script Upgrade (populates sagemaker_studio_domain table)
• Migration Script Downgrade and Re-Upgrade
• Env with MLStudio Enabled can view Studio Domain Details in Environment-MLStudio Tab
• Update Env Stack - Domain is not recreated (only KMS Alias is recreated to match name of domain)
• ML Studio User —> Still access Studio from UI
• Create ML Studio User, Access Studio from UI, and Delete ML Studio User
• Edit Environment and Disable ML Studio —> Env Updates and Domain Deleted
• Edit Environment and Re-Enable ML Studio with no VPC specified —> Env creates new vpc (default not present)

Functionality

• Create Env and specify VPC and Subnets For ML Studio
  • VPC Not Found Error if VPC does not exist
  • Subnet Not Found Error if Subnet(s) do not exist
  • Subnet not in VPC Error if Subnet(s) a part of a different VPC
  • Specify VPC No Subnets —> Error - forced to specify Subnets if vpc id provided
  • Create Successfully with appropriate VPC and Subnet specified
• Env Admin Can View Studio Domain Details in Environment-MLStudio Tab (if ML Studio Enabled)
• Create ML Studio User, Access Studio from UI, and Delete ML Studio User
• Edit Environment and Disable ML Studio —> Env Updates and Domain Deleted
• Edit Environment and Re-Enable ML Studio with no VPC specified —> Env uses default (if present)

[noah-paige]

Opening up this PR for review with the following questions/enhancements in mind:

Questions:

1. Should only the Env Admin be able to see ML Studio Tab in Environment or should any group in environment be able to see it? (Currently, only Env Admin can see details on ML Studio Tab since they are the only group who can enable/disable mlstudio env feature)
2. What is the best location to store ML Studio Domain APIs (create, get, delete)? Should this be a new MLStudio folder in services/graphql/...? (Currently ML Studio Domain APIs are in Environment folder since domains only created/deleted by enabling env feature flag and domain information only shown on env tab)

Enhancements:

• How best to update the sagemaker studio domain record for the environment with the domain id that is auto-generated by CDK/Cloudformation after the env stack is done creating/updating for the domain?

I think the enhancement could be implemented at a later date so can think on the best approach but open to ideas

[noah-paige]

I cleaned up a bit of the design for this PR so we are not calling 2 different APIs for create, update, and delete env

Using EnvironmentResource to register SagemakerStudioEnvironmentResource in ml studio module and call all the required operations on ml studio from there

Re-tested the same as above in AWS:
Functionality

• Create Env and specify VPC and Subnets For ML Studio
  • VPC Not Found Error if VPC does not exist
  • Subnet Not Found Error if Subnet(s) do not exist
  • Subnet not in VPC Error if Subnet(s) a part of a different VPC
  • Specify VPC No Subnets —> Error - forced to specify Subnets if vpc id provided
  • Create Successfully with appropriate VPC and Subnet specified
• Env Admin Can View Studio Domain Details in Environment-MLStudio Tab (if ML Studio Enabled)
• Create ML Studio User, Access Studio from UI, and Delete ML Studio User
• Edit Environment and Disable ML Studio —> Env Updates and Domain Deleted
• Edit Environment and Re-Enable ML Studio with no VPC specified —> Env uses default (if present)
• Delete Environment —> Env and ML Studio deleted (from RDS + env stack)

Also tested with mlStudio turned off (i.e. active: false) in local deployment

[dlpzx]

Love this change, it was my main concern with the PR

[dlpzx]

The final implementation is way cleaner and more elegant :) :)

[dlpzx]

Testing locally. I changed some tests to cover more scenarios @noah-paige

• Pre-existing environment with MLStudio updates successfully. SageMaker domain does not get deleted/re-created
• Edit environment, disable ML Studio and update stack - SageMaker domain is deleted
• Env Admin Can View Studio Domain Details in Environment-MLStudio Tab - if ML Studio NOT Enabled it sees an empty table and the correct instructions
• Edit parameter, re-enable ML Studio and specify VPC and Subnets For ML Studio
  • VPC Not Found Error if VPC does not exist
  • Subnet Not Found Error if Subnet(s) do not exist
  • Subnet not in VPC Error if Subnet(s) a part of a different VPC
  • Specify VPC No Subnets —> Error - forced to specify Subnets if vpc id provided
  • Create Successfully with appropriate VPC and Subnet specified
• Env Admin Can View Studio Domain Details in Environment-MLStudio Tab (if ML Studio Enabled) ---> Yes, the functionality works but there is something weird with the frontend view (commented in the code)
• Create ML Studio User, Access Studio from UI, and Delete ML Studio User
• Edit Environment and Re-Enable ML Studio with no VPC specified in ENVIRONMENT with default VPC —> Env uses default VPC
• Edit Environment and Re-Enable ML Studio with no VPC specified in ENVIRONMENT without default VPC —> Env creates new VPC
• Delete Environment —> If environment count_resources functions fail (the environment is not cleaned-up), the mlstudio is not deleted

[dlpzx]

The ObjectMetadata component looks a bit weird in the frontend, was it intentional?

[noah-paige]

I was just wanting to add all relevant information we could about domain - however the ObjectMetadata is esentially the same as the ObjectMetadata of the Environment in the Overview Tab - so I can remove and just keep ML Studio Information if you think that is cleaner from UX side?

[dlpzx]

I would remove it, first because it might lead to errors on users thinking that the domain was created at the environment creation time. And also because we need to do some tweaking for it to look good on all screen sizes

[dlpzx]

Testing AWS:

• CICD runs successfully
• Pre-existing environment with MLStudio (DEFAULT VPC) updates successfully. SageMaker domain does not get deleted/re-created
• Pre-existing environment with MLStudio (CREATED VPC) updates successfully. SageMaker domain does not get deleted/re-created, VPC does not get deleted/re-created
• Edit environment, disable ML Studio and update stack - SageMaker domain is deleted
• Edit parameter, re-enable ML Studio and specify VPC and Subnets For ML Studio
  • VPC Not Found Error if VPC does not exist
  • Subnet Not Found Error if Subnet(s) do not exist
  • Subnet not in VPC Error if Subnet(s) a part of a different VPC
  • Specify VPC No Subnets —> Error - forced to specify Subnets if vpc id provided
  • Create Successfully with appropriate VPC and Subnet specified
• Env Admin Can View Studio Domain Details in Environment-MLStudio Tab (if ML Studio Enabled) --> yes with the weird view
• Create ML Studio User, Access Studio from UI, and Delete ML Studio User
• Edit Environment and Re-Enable ML Studio with no VPC specified in ENVIRONMENT with default VPC —> Env uses default VPC

[noah-paige]

Finishing up these final 3 points and additional testing:

• Add SamlGroupName column to Studio Domain

• Remove ObjectMetaData from EnvironmentMLStudioView

• Edit update_env() in sagemaker studio domain to set vpcType, vpcId (if possible) and subnetIds (if possible)

  • I edited update_env() in sagemaker studio domain to set vpc information but I kept the extension stack as is because of the chance where a user calls update_stack() without first editing the environment... update_env() only runs on edits to the environment
  • Then in the case above an environment with mlstudio domain vpcType of unknown would try to create a new VPC and new Domain and would fail unless they first edit the stack to have the domain vpc information populated (if imported or default)
  • Also after far too much trial and error I discovered that specifying the subnets from the RDS table (i.e. domain.subnetIds) verse specifying the subnets from cdk VPC lookup (i.e. subnet.subnet_id for subnet in vpc.private_subnets) will cause Domain to recreate EVEN IF the subnets are the exact same 😞
  • Meaning we will likely still have to make a VPC boto3 call in extension stack to check if default vpc exists and go from there

[dlpzx]

Finishing up these final 3 points and additional testing:

* [x]  Add `SamlGroupName` column to Studio Domain

* [x]  Remove `ObjectMetaData` from `EnvironmentMLStudioView`

* [x]  Edit `update_env()` in sagemaker studio domain to set `vpcType`, `vpcId` (if possible) and `subnetIds` (if possible)
  
  * I edited  `update_env()` in sagemaker studio domain to set vpc information but I kept the extension stack as is because of the chance where a user calls `update_stack()` without first editing the environment... `update_env()` only runs on edits to the environment
  * Then in the case above an environment with mlstudio domain vpcType of `unknown` would try to create a new VPC and new Domain and would fail unless they first edit the stack to have the domain vpc information populated (if imported or default)
  * Also after far too much trial and error I discovered that specifying the subnets from the RDS table (i.e. `domain.subnetIds`) verse specifying the subnets from cdk VPC lookup (i.e. `subnet.subnet_id for subnet in vpc.private_subnets`) will cause Domain to recreate EVEN IF the subnets are the exact same 😞
  * Meaning we will likely still have to make a VPC boto3 call in extension stack to check if default vpc exists and go from there

Thank you! I will do a final testing but I think we are good! And regarding the last point, it might be related with some id that we are not aware of, strange. Great testing though, this is something that we would have not spotted by reading the documentation. So it seems like we will keep the tests in all places :) but at least we will update metadata as users use the MLStudio feature more (when they do update_env)

[dlpzx]

Tested the latest features:

• CICD pipeline runs successfully
• downgraded and re-upgraded migration scripts
• frontend changes
• update environment updates ML Studio info
• enable/disable ML Studio works as expected

Approving!

[dlpzx]

looks great!