Merge pull request #34 from nalbam/main
Add MAX_THROTTLE_COUNT
nalbam authored Jan 6, 2025
2 parents 8583680 + 044eeed commit def523e
Showing 8 changed files with 326 additions and 15 deletions.
55 changes: 55 additions & 0 deletions .github/aws-role/README.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,55 @@
# aws role

```bash
export NAME="lambda-gurumi-ai-bot"
```

## create role

```bash
export DESCRIPTION="${NAME} role"

aws iam create-role --role-name "${NAME}" --description "${DESCRIPTION}" --assume-role-policy-document file://trust-policy.json | jq .

aws iam get-role --role-name "${NAME}" | jq .
```

## create policy

```bash
export DESCRIPTION="${NAME} policy"

aws iam create-policy --policy-name "${NAME}" --policy-document file://role-policy.json | jq .

export ACCOUNT_ID=$(aws sts get-caller-identity | jq .Account -r)
export POLICY_ARN="arn:aws:iam::${ACCOUNT_ID}:policy/${NAME}"

aws iam get-policy --policy-arn "${POLICY_ARN}" | jq .

aws iam create-policy-version --policy-arn "${POLICY_ARN}" --policy-document file://role-policy.json --set-as-default | jq .
```

## attach role policy

```bash
aws iam attach-role-policy --role-name "${NAME}" --policy-arn "${POLICY_ARN}"
# aws iam attach-role-policy --role-name "${NAME}" --policy-arn "arn:aws:iam::aws:policy/PowerUserAccess"
# aws iam attach-role-policy --role-name "${NAME}" --policy-arn "arn:aws:iam::aws:policy/AdministratorAccess"
```

## add role-assume

```yaml

- name: configure aws credentials
uses: aws-actions/[email protected]
with:
role-to-assume: "arn:aws:iam::968005369378:role/lambda-gurumi-ai-bot"
role-session-name: github-actions-ci-bot
aws-region: ${{ env.AWS_REGION }}

- name: Sts GetCallerIdentity
run: |
aws sts get-caller-identity
```
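--- a/.github/aws-role/role-policy.json
+++ b/.github/aws-role/role-policy.json
@@ -0,0 +1,56 @@
+{
+"Version": "2012-10-17",
+"Statement": [
+{
+"Effect": "Allow",
+"Action": [
+"cloudformation:ValidateTemplate"
+],
+"Resource": "*"
+},
+{
+"Effect": "Allow",
+"Action": [
+"cloudformation:*"
+],
+"Resource": "arn:aws:cloudformation:*:*:stack/lambda-gurumi-ai-bot-*"
+},
+{
+"Effect": "Allow",
+"Action": [
+"lambda:*"
+],
+"Resource": [
+"arn:aws:lambda:*:*:function:lambda-gurumi-ai-bot-*",
+"arn:aws:lambda:*:*:function:gurumi-ai-bot-*"
+]
+},
+{
+"Effect": "Allow",
+"Action": [
+"iam:*"
+],
+"Resource": "arn:aws:iam::*:role/lambda-gurumi-ai-bot-*"
+},
+{
+"Effect": "Allow",
+"Action": [
+"s3:*"
+],
+"Resource": [
+"arn:aws:s3:::lambda-gurumi-ai-bot-*",
+"arn:aws:s3:::gurumi-ai-bot-*"
+]
+},
+{
+"Effect": "Allow",
+"Action": [
+"dynamodb:*"
+],
+"Resource": [
+"arn:aws:dynamodb:*:*:table/lambda-gurumi-ai-bot-*",
+"arn:aws:dynamodb:*:*:table/gurumi-ai-bot-*"
+]
+}
+]
+}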
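Review bot: The `"iam:*"` statement scoped to `arn:aws:iam::*:role/lambda-gurumi-ai-bot-*` makes the deploy role effectively account-admin, because the CI principal can create any role whose name starts with that prefix, attach `AdministratorAccess` or an inline admin policy to it, and — with `"lambda:*"` on the same prefix plus `iam:PassRole` — run code under it, so the name prefix does not bound what the role can do. Replace `iam:*` with the actions the Serverless deploy actually needs and require a permissions boundary on the three actions that grant privilege (`CreateRole`, `PutRolePolicy`, `AttachRolePolicy`), as sketched below; the boundary policy must be created first and its name here is a placeholder. Actions that do not support the `iam:PermissionsBoundary` condition key go in a second statement without the condition, otherwise the condition fails closed for them. Whether this action list is complete for the project's serverless.yml cannot be told from this commit and should be confirmed from a deploy run; the other statements stay as they are.
```json
{
  "Effect": "Allow",
  "Action": [
    "iam:CreateRole",
    "iam:PutRolePolicy",
    "iam:AttachRolePolicy"
  ],
  "Resource": "arn:aws:iam::*:role/lambda-gurumi-ai-bot-*",
  "Condition": {
    "StringEquals": {
      "iam:PermissionsBoundary": "arn:aws:iam::968005369378:policy/lambda-gurumi-ai-bot-boundary"
    }
  }
},
{
  "Effect": "Allow",
  "Action": [
    "iam:GetRole",
    "iam:DeleteRole",
    "iam:TagRole",
    "iam:UntagRole",
    "iam:PassRole",
    "iam:DeleteRolePolicy",
    "iam:DetachRolePolicy"
  ],
  "Resource": "arn:aws:iam::*:role/lambda-gurumi-ai-bot-*"
}
```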
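--- a/.github/aws-role/trust-policy.json
+++ b/.github/aws-role/trust-policy.json
@@ -0,0 +1,20 @@
+{
+"Version": "2012-10-17",
+"Statement": [
+{
+"Effect": "Allow",
+"Principal": {
+"Federated": "arn:aws:iam::968005369378:oidc-provider/token.actions.githubusercontent.com"
+},
+"Action": "sts:AssumeRoleWithWebIdentity",
+"Condition": {
+"StringEquals": {
+"token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
+},
+"StringLike": {
+"token.actions.githubusercontent.com:sub": "repo:awskrug/lambda-gurumi-ai-bot:*"
+}
+}
+}
+]
+}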
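Review bot: The `sub` condition `repo:awskrug/lambda-gurumi-ai-bot:*` lets a workflow on any branch, tag, pull request or environment of the repository assume the deploy role, while the `push.yml` in this same commit only deploys from the `deploy` branch. Tighten it to the refs that actually deploy, e.g. `"token.actions.githubusercontent.com:sub": "repo:awskrug/lambda-gurumi-ai-bot:ref:refs/heads/deploy"` (add a second pattern, or use a `ForAnyValue:StringLike` list, if the `.stop` workflows are re-enabled on another branch), so that anyone who can push a branch with a modified workflow cannot obtain these credentials. The `aud` check against `sts.amazonaws.com` is correct and should stay; the hard-coded account id in the provider ARN is unavoidable here and is not a secret.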
21 changes: 15 additions & 6 deletions .github/workflows/5-sync-notion.yml.stop
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,7 @@ on:

env:
AWS_REGION: "us-east-1"
AWS_ROLE_NAME: "lambda-gurumi-ai-bot"

ENABLE_NOTION_SYNC: ${{ vars.ENABLE_NOTION_SYNC }}

Expand All @@ -18,9 +19,16 @@ env:

AWS_DEST_PATH: ${{ vars.AWS_DEST_PATH }}

AWS_ACCOUNT_ID: ${{ secrets.AWS_ACCOUNT_ID }}

NOTION_PAGE_NAME: "nalbam"
NOTION_PAGE_ID: "7aace0412a82431996f61a29225a95ec"

# Permission can be added at job level or workflow level
permissions:
id-token: write # This is required for requesting the JWT
contents: read # This is required for actions/checkout

jobs:
sync:
runs-on: ubuntu-latest
Expand All @@ -47,21 +55,22 @@ jobs:
run: |
python bin/notion_exporter.py

- name: configure aws credentials
uses: aws-actions/configure-aws-credentials@v4
with:
role-to-assume: "arn:aws:iam::${{ env.AWS_ACCOUNT_ID }}:role/${{ env.AWS_ROLE_NAME }}"
role-session-name: github-actions-ci-bot
aws-region: ${{ env.AWS_REGION }}

- name: Sync to AWS S3 Data Source
if: env.ENABLE_NOTION_SYNC == 'Yes'
env:
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
run: |
aws s3 sync --delete --region ${{ env.AWS_REGION }} \
build/${{ env.NOTION_PAGE_NAME }}/ \
${{ env.AWS_DEST_PATH }}/${{ env.NOTION_PAGE_NAME }}/

- name: Sync to AWS Bedrock Knowledge Base
if: env.ENABLE_NOTION_SYNC == 'Yes' && env.KNOWLEDGE_BASE_ID != 'None' && env.DATA_SOURCE_ID != 'None'
env:
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
run: |
aws bedrock-agent start-ingestion-job \
--knowledge-base-id ${{ env.KNOWLEDGE_BASE_ID }} \
Expand Down
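Review bot: The new `configure aws credentials` step runs unconditionally, while both steps that consume the credentials are gated on `env.ENABLE_NOTION_SYNC == 'Yes'`; on a run where sync is disabled the job still performs AssumeRoleWithWebIdentity and holds deploy-capable credentials it never uses. Add the same guard to the step, `if: env.ENABLE_NOTION_SYNC == 'Yes'`, so the role is assumed only when it will be used and CloudTrail is not filled with no-op assumptions. The `sync` job continues beyond the end of this section, and the file's `.stop` suffix suggests the workflow is currently disabled, so this matters once it is re-enabled.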
18 changes: 15 additions & 3 deletions .github/workflows/6-start-ingestion.yml.stop
Original file line number Diff line number Diff line change
Expand Up @@ -10,12 +10,20 @@ on:

env:
AWS_REGION: "us-east-1"
AWS_ROLE_NAME: "lambda-gurumi-ai-bot"

ENABLE_NOTION_SYNC: ${{ vars.ENABLE_NOTION_SYNC }}

KNOWLEDGE_BASE_ID: ${{ vars.KNOWLEDGE_BASE_ID }}
DATA_SOURCE_ID: ${{ vars.DATA_SOURCE_ID }}

AWS_ACCOUNT_ID: ${{ secrets.AWS_ACCOUNT_ID }}

# Permission can be added at job level or workflow level
permissions:
id-token: write # This is required for requesting the JWT
contents: read # This is required for actions/checkout

jobs:
ingestion:
runs-on: ubuntu-latest
Expand All @@ -31,11 +39,15 @@ jobs:
with:
python-version: 3.9

- name: configure aws credentials
uses: aws-actions/configure-aws-credentials@v4
with:
role-to-assume: "arn:aws:iam::${{ env.AWS_ACCOUNT_ID }}:role/${{ env.AWS_ROLE_NAME }}"
role-session-name: github-actions-ci-bot
aws-region: ${{ env.AWS_REGION }}

- name: Sync to AWS Bedrock Knowledge Base
if: env.ENABLE_NOTION_SYNC == 'Yes' && env.KNOWLEDGE_BASE_ID != 'None' && env.DATA_SOURCE_ID != 'None'
env:
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
run: |
aws bedrock-agent start-ingestion-job \
--knowledge-base-id ${{ env.KNOWLEDGE_BASE_ID }} \
Expand Down
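Review bot: `role-session-name: github-actions-ci-bot` is a constant, so every AssumeRoleWithWebIdentity event and every Bedrock call made with the resulting credentials carries the same session name in CloudTrail and cannot be tied back to a particular workflow run. Include run identity in the name, e.g. `role-session-name: gha-${{ github.run_id }}-${{ github.run_attempt }}` (it must stay within 64 characters of `[\w+=,.@-]`), which is what an investigation will need to match an ingestion job to the run that started it. The `ingestion` job continues beyond this section, and the `.stop` suffix suggests the workflow is currently disabled.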
22 changes: 19 additions & 3 deletions .github/workflows/push.yml
Original file line number Diff line number Diff line change
Expand Up @@ -10,21 +10,29 @@ on:
- deploy

env:
AWS_REGION: "us-east-1"
AWS_ROLE_NAME: "lambda-gurumi-ai-bot"

AGENT_ALIAS_ID: ${{ vars.AGENT_ALIAS_ID }}
AGENT_ID: ${{ vars.AGENT_ID }}
ALLOWED_CHANNEL_IDS: ${{ vars.ALLOWED_CHANNEL_IDS }}
BOT_CURSOR: ${{ vars.BOT_CURSOR }}
DYNAMODB_TABLE_NAME: ${{ vars.DYNAMODB_TABLE_NAME }}
MAX_LEN_SLACK: ${{ vars.MAX_LEN_SLACK }}
MAX_THROTTLE_COUNT: ${{ vars.MAX_THROTTLE_COUNT }}
PERSONAL_MESSAGE: ${{ vars.PERSONAL_MESSAGE }}
SLACK_SAY_INTERVAL: ${{ vars.SLACK_SAY_INTERVAL }}
SYSTEM_MESSAGE: ${{ vars.SYSTEM_MESSAGE }}

AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
AWS_ACCOUNT_ID: ${{ secrets.AWS_ACCOUNT_ID }}
SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}
SLACK_SIGNING_SECRET: ${{ secrets.SLACK_SIGNING_SECRET }}

# Permission can be added at job level or workflow level
permissions:
id-token: write # This is required for requesting the JWT
contents: read # This is required for actions/checkout

jobs:
deploy:
runs-on: ubuntu-latest
Expand Down Expand Up @@ -60,11 +68,19 @@ jobs:
echo "BOT_CURSOR=${BOT_CURSOR}" >> .env
echo "DYNAMODB_TABLE_NAME=${DYNAMODB_TABLE_NAME}" >> .env
echo "MAX_LEN_SLACK=${MAX_LEN_SLACK}" >> .env
echo "MAX_THROTTLE_COUNT=${MAX_THROTTLE_COUNT}" >> .env
echo "PERSONAL_MESSAGE=${PERSONAL_MESSAGE}" >> .env
echo "SLACK_BOT_TOKEN=${SLACK_BOT_TOKEN}" >> .env
echo "SLACK_SAY_INTERVAL=${SLACK_SAY_INTERVAL}" >> .env
echo "SLACK_SIGNING_SECRET=${SLACK_SIGNING_SECRET}" >> .env
echo "SYSTEM_MESSAGE=${SYSTEM_MESSAGE}" >> .env
- name: configure aws credentials
uses: aws-actions/configure-aws-credentials@v4
with:
role-to-assume: "arn:aws:iam::${{ env.AWS_ACCOUNT_ID }}:role/${{ env.AWS_ROLE_NAME }}"
role-session-name: github-actions-ci-bot
aws-region: ${{ env.AWS_REGION }}

- name: Deploy to AWS Lambda 🚀
run: npx serverless deploy --region us-east-1
run: npx serverless deploy --region ${{ env.AWS_REGION }}
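Review bot: `uses: aws-actions/configure-aws-credentials@v4` is a floating major tag, and this is the step that receives the OIDC token and exchanges it for deploy credentials, so a compromised or force-moved tag would hand those credentials to third-party code. Pin to the full commit SHA of the release you tested and keep the version as a trailing comment, `uses: aws-actions/configure-aws-credentials@<40-char sha> # v4.x`, and let Dependabot bump it. Separately, `AWS_ACCOUNT_ID` is lifted into the workflow-level `env:` from a secret, yet the same account id appears in clear in `.github/aws-role/README.md` and the trust policy in this commit; keeping it as a secret only masks it in logs, which is fine, but it is not confidentiality and the trust policy `sub` condition is what actually protects the role. The `deploy` job continues beyond this section.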