PI-2526 Switch to cross-account SageMaker connector (#4541)

* PI-2526 Switch to cross-account SageMaker connector

* Fix embedding of text chunks

* Set endpoint name for all envs

* Switch to environment-specific endpoint names

Author: marcus-bcl

projects/person-search-index-from-delius/container/pipelines/contact/index/bedrock-connector.json

@@ -0,0 +1,27 @@
+{
+  "name": "sagemaker-embeddings",
+  "description": "Generate text embeddings using a model provided by a SageMaker endpoint in an external account",
+  "version": 1,
+  "protocol": "aws_sigv4",
+  "credential": {
+    "roleArn": "${CONNECTOR_ROLE_ARN}",
+    "externalAccountRoleArn": "${CONNECTOR_EXTERNAL_ACCOUNT_ROLE_ARN}"
+  },
+  "parameters": {
+    "region": "eu-west-2",
+    "service_name": "sagemaker"
+  },
+  "actions": [
+    {
+      "action_type": "predict",
+      "method": "POST",
+      "url": "https://runtime.sagemaker.eu-west-2.amazonaws.com/endpoints/${SAGEMAKER_ENDPOINT_NAME}/invocations",
+      "headers": {
+        "content-type": "application/json"
+      },
+      "request_body": "[${parameters.input}]",
+      "pre_process_function": "connector.pre_process.default.embedding",
+      "post_process_function": "connector.post_process.default.embedding"
+    }
+  ]
+}

projects/person-search-index-from-delius/container/pipelines/contact/index/sagemaker-connector.json

@@ -5,39 +5,39 @@ eval "$(sentry-cli bash-hook --no-environ)"
 
 ## Create model group if it doesn't exist
 echo Searching for existing model group...
-model_group_id=$(curl_json -XPOST "${SEARCH_INDEX_HOST}/_plugins/_ml/model_groups/_search" --data '{"query":{"match":{"name":"bedrock_model_group"}}}' | jq -r '.hits.hits[0]._id // ""')
+model_group_id=$(curl_json -XPOST "${SEARCH_INDEX_HOST}/_plugins/_ml/model_groups/_search" --data '{"query":{"match":{"name":"sagemaker_model_group"}}}' | jq -r '.hits.hits[0]._id // ""')
 if [ -z "$model_group_id" ]; then
   echo Creating model group...
   model_group=$(curl_json -XPOST "${SEARCH_INDEX_HOST}/_plugins/_ml/model_groups/_register" --data '{
-    "name": "bedrock_model_group",
-    "description": "A model group for Bedrock models"
+    "name": "sagemaker_model_group",
+    "description": "A model group for SageMaker models"
   }')
   if [ "$(jq -r '.status' <<<"$model_group")" != "CREATED" ]; then fail "Failed to create model group: $model_group"; fi
   model_group_id=$(jq -r '.model_group_id' <<<"$model_group")
 else
   echo "Found model group with id=$model_group_id"
 fi
 
-## Create Bedrock connector if it doesn't exist
+## Create SageMaker connector if it doesn't exist
 echo Searching for existing connector...
-connector_id=$(curl_json -XPOST "${SEARCH_INDEX_HOST}/_plugins/_ml/connectors/_search" --data "{\"query\":{\"match\":{\"name.keyword\":\"bedrock-${BEDROCK_MODEL_NAME}\"}}}" | jq -r '.hits.hits[0]._id // ""')
+connector_id=$(curl_json -XPOST "${SEARCH_INDEX_HOST}/_plugins/_ml/connectors/_search" --data "{\"query\":{\"match\":{\"name.keyword\":\"sagemaker-embeddings\"}}}" | jq -r '.hits.hits[0]._id // ""')
 if [ -z "$connector_id" ]; then
   echo Creating connector...
-  connector_body=$(envsubst < /pipelines/contact/index/bedrock-connector.json)
+  connector_body=$(envsubst < /pipelines/contact/index/sagemaker-connector.json)
   connector_id=$(curl_json -XPOST "${SEARCH_INDEX_HOST}/_plugins/_ml/connectors/_create" --data "$connector_body" | jq -r '.connector_id')
 else
   echo "Found connector with id=$connector_id"
 fi
 
 ## Register model if it doesn't exist
 model_body="{
-  \"name\": \"bedrock-${BEDROCK_MODEL_NAME}\",
-  \"description\": \"Bedrock embedding model\",
+  \"name\": \"sagemaker-embeddings\",
+  \"description\": \"SageMaker embedding model\",
   \"function_name\": \"remote\",
   \"model_group_id\": \"${model_group_id}\",
   \"connector_id\": \"${connector_id}\"
 }"
-model_id=$(curl_json -XPOST "${SEARCH_INDEX_HOST}/_plugins/_ml/models/_search" --data "{\"query\":{\"match\":{\"name.keyword\":\"bedrock-${BEDROCK_MODEL_NAME}\"}}}" | jq -r '.hits.hits[0]._id // ""')
+model_id=$(curl_json -XPOST "${SEARCH_INDEX_HOST}/_plugins/_ml/models/_search" --data "{\"query\":{\"match\":{\"name.keyword\":\"sagemaker-embeddings\"}}}" | jq -r '.hits.hits[0]._id // ""')
 if [ -z "$model_id" ]; then
   echo Registering model...
   curl_json -XPOST "${SEARCH_INDEX_HOST}/_plugins/_ml/models/_register" --data "${model_body}"

projects/person-search-index-from-delius/container/scripts/deploy-semantic-model.sh

@@ -13,7 +13,11 @@ curl_json -XPUT "${SEARCH_INDEX_HOST}/_cluster/settings" --data '{
     "action.auto_create_index": "false",
     "plugins.ml_commons.only_run_on_ml_node": "false",
     "plugins.ml_commons.model_access_control_enabled": "false",
-    "plugins.ml_commons.native_memory_threshold": "90"
+    "plugins.ml_commons.native_memory_threshold": "90",
+    "plugins.ml_commons.trusted_connector_endpoints_regex": [
+        "^https://bedrock-runtime\\..*[a-z0-9-]\\.amazonaws\\.com/.*$",
+        "^https://runtime\\.sagemaker\\..*[a-z0-9-]\\.amazonaws\\.com/.*$"
+    ]
   }
 }'
 
@@ -39,9 +43,8 @@ if grep -q 'contact' <<<"$PIPELINES_ENABLED"; then
   fi
 
   # Setup semantic search for contacts
-  export BEDROCK_MODEL_NAME=amazon.titan-embed-text-v2:0
   /scripts/deploy-semantic-model.sh
-  model_id=$(curl_json -XPOST "${SEARCH_INDEX_HOST}/_plugins/_ml/models/_search" --data "{\"query\":{\"match\":{\"name.keyword\":\"bedrock-${BEDROCK_MODEL_NAME}\"}}}" | jq -r '.hits.hits[0]._id // ""')
+  model_id=$(curl_json -XPOST "${SEARCH_INDEX_HOST}/_plugins/_ml/models/_search" --data "{\"query\":{\"match\":{\"name.keyword\":\"sagemaker-embeddings\"}}}" | jq -r '.hits.hits[0]._id // ""')
   export model_id
   echo "Deployed semantic search model. model_id=${model_id}"
   envsubst < /pipelines/contact/index/ingest-pipeline.tpl.json > /pipelines/contact/index/ingest-pipeline.json

projects/person-search-index-from-delius/container/scripts/startup.sh

@@ -93,10 +93,16 @@ spec:
                       name: person-search-index-from-delius-sentry
                       key: CONTACT_REINDEXING_SENTRY_MONITOR_ID
                       optional: false
-                - name: BEDROCK_CONNECTOR_IAM_ROLE_ARN
+                - name: CONNECTOR_ROLE_ARN
                   valueFrom:
                     secretKeyRef:
                       name: person-search-index-from-delius-opensearch
-                      key: bedrock_role_arn
+                      key: connector_role_arn
+                      optional: false
+                - name: CONNECTOR_EXTERNAL_ACCOUNT_ROLE_ARN
+                  valueFrom:
+                    secretKeyRef:
+                      name: person-search-index-from-delius-opensearch
+                      key: connector_external_account_role_arn
                       optional: false
           restartPolicy: Never

projects/person-search-index-from-delius/deploy/templates/contact-reindex-cronjob.yml

@@ -8,6 +8,7 @@ generic-service:
 
   env:
     SENTRY_ENVIRONMENT: dev
+    SAGEMAKER_ENDPOINT_NAME: hmpps-probation-search-dev-sagemaker-endpoint
 
 generic-prometheus-alerts:
   businessHoursOnly: true

projects/person-search-index-from-delius/deploy/values-dev.yml

@@ -7,6 +7,7 @@ generic-service:
 
   env:
     SENTRY_ENVIRONMENT: preprod
+    SAGEMAKER_ENDPOINT_NAME: hmpps-probation-search-preprod-sagemaker-endpoint
 
 generic-prometheus-alerts:
   businessHoursOnly: true

projects/person-search-index-from-delius/deploy/values-preprod.yml

@@ -4,6 +4,7 @@ generic-service:
 
   env:
     SENTRY_ENVIRONMENT: prod
+    SAGEMAKER_ENDPOINT_NAME: hmpps-probation-search-prod-sagemaker-endpoint
 
   namespace_secrets:
     common:

projects/person-search-index-from-delius/deploy/values-prod.yml

@@ -40,7 +40,8 @@ generic-service:
       JDBC_PASSWORD: DB_PASSWORD
     person-search-index-from-delius-opensearch:
       SEARCH_INDEX_HOST: url
-      BEDROCK_CONNECTOR_IAM_ROLE_ARN: bedrock_role_arn
+      CONNECTOR_ROLE_ARN: connector_role_arn
+      CONNECTOR_EXTERNAL_ACCOUNT_ROLE_ARN: connector_external_account_role_arn
     person-search-index-from-delius-sentry:
       SENTRY_DSN: SENTRY_DSN
     person-search-index-from-delius-person-queue: