PyPI - bedrock-agentcore-starter-toolkit - Versions diffs - 0.0.1__py3-none-any.whl → 0.1.1__py3-none-any.whl - Mend - Supply Chain Defender

bedrock-agentcore-starter-toolkit 0.0.1py3-none-any.whl → 0.1.1py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of bedrock-agentcore-starter-toolkit might be problematic. Click here for more details.

Files changed (50) hide show

bedrock_agentcore_starter_toolkit/services/codebuild.py ADDED Viewed

@@ -0,0 +1,332 @@
+"""CodeBuild service for ARM64 container builds."""
+import fnmatch
+import logging
+import os
+import tempfile
+import time
+import zipfile
+from datetime import datetime, timezone
+from pathlib import Path
+from typing import List
+import boto3
+from botocore.exceptions import ClientError
+from ..operations.runtime.create_role import get_or_create_codebuild_execution_role
+class CodeBuildService:
+    """Service for managing CodeBuild projects and builds for ARM64."""
+    def __init__(self, session: boto3.Session):
+        """Initialize CodeBuild service with AWS session."""
+        self.session = session
+        self.client = session.client("codebuild")
+        self.s3_client = session.client("s3")
+        self.iam_client = session.client("iam")
+        self.logger = logging.getLogger(__name__)
+        self.source_bucket = None
+    def get_source_bucket_name(self, account_id: str) -> str:
+        """Get S3 bucket name for CodeBuild sources."""
+        region = self.session.region_name
+        return f"bedrock-agentcore-codebuild-sources-{account_id}-{region}"
+    def ensure_source_bucket(self, account_id: str) -> str:
+        """Ensure S3 bucket exists for CodeBuild sources."""
+        bucket_name = self.get_source_bucket_name(account_id)
+        try:
+            self.s3_client.head_bucket(Bucket=bucket_name)
+            self.logger.debug("Using existing S3 bucket: %s", bucket_name)
+        except ClientError:
+            # Create bucket
+            region = self.session.region_name
+            self.s3_client.create_bucket(Bucket=bucket_name, CreateBucketConfiguration={"LocationConstraint": region})
+            # Set lifecycle to cleanup old builds
+            self.s3_client.put_bucket_lifecycle_configuration(
+                Bucket=bucket_name,
+                LifecycleConfiguration={
+                    "Rules": [{"ID": "DeleteOldBuilds", "Status": "Enabled", "Filter": {}, "Expiration": {"Days": 7}}]
+                },
+            )
+            self.logger.info("Created S3 bucket: %s", bucket_name)
+        return bucket_name
+    def upload_source(self, agent_name: str) -> str:
+        """Upload current directory to S3, respecting .dockerignore patterns."""
+        account_id = self.session.client("sts").get_caller_identity()["Account"]
+        bucket_name = self.ensure_source_bucket(account_id)
+        self.source_bucket = bucket_name
+        # Parse .dockerignore patterns
+        ignore_patterns = self._parse_dockerignore()
+        with tempfile.NamedTemporaryFile(suffix=".zip", delete=False) as temp_zip:
+            try:
+                with zipfile.ZipFile(temp_zip.name, "w", zipfile.ZIP_DEFLATED) as zipf:
+                    for root, dirs, files in os.walk("."):
+                        # Convert to relative path
+                        rel_root = os.path.relpath(root, ".")
+                        if rel_root == ".":
+                            rel_root = ""
+                        # Filter directories
+                        dirs[:] = [
+                            d
+                            for d in dirs
+                            if not self._should_ignore(
+                                os.path.join(rel_root, d) if rel_root else d, ignore_patterns, is_dir=True
+                            )
+                        ]
+                        for file in files:
+                            file_rel_path = os.path.join(rel_root, file) if rel_root else file
+                            # Skip if matches ignore pattern
+                            if self._should_ignore(file_rel_path, ignore_patterns, is_dir=False):
+                                continue
+                            file_path = Path(root) / file
+                            zipf.write(file_path, file_rel_path)
+                # Create agent-organized S3 key: agentname/timestamp.zip
+                timestamp = datetime.now(timezone.utc).strftime("%Y%m%d-%H%M%S")
+                s3_key = f"{agent_name}/{timestamp}.zip"
+                self.s3_client.upload_file(temp_zip.name, bucket_name, s3_key)
+                self.logger.info("Uploaded source to S3: %s", s3_key)
+                return f"s3://{bucket_name}/{s3_key}"
+            finally:
+                os.unlink(temp_zip.name)
+    def _normalize_s3_location(self, source_location: str) -> str:
+        """Convert s3:// URL to bucket/key format for CodeBuild."""
+        return source_location.replace("s3://", "") if source_location.startswith("s3://") else source_location
+    def create_codebuild_execution_role(self, account_id: str, ecr_repository_arn: str, agent_name: str) -> str:
+        """Get or create CodeBuild execution role using shared role creation logic."""
+        return get_or_create_codebuild_execution_role(
+            session=self.session,
+            logger=self.logger,
+            region=self.session.region_name,
+            account_id=account_id,
+            agent_name=agent_name,
+            ecr_repository_arn=ecr_repository_arn,
+            source_bucket_name=self.get_source_bucket_name(account_id),
+        )
+    def create_or_update_project(
+        self, agent_name: str, ecr_repository_uri: str, execution_role: str, source_location: str
+    ) -> str:
+        """Create or update CodeBuild project for ARM64 builds."""
+        project_name = f"bedrock-agentcore-{agent_name}-builder"
+        buildspec = self._get_arm64_buildspec(ecr_repository_uri)
+        # CodeBuild expects S3 location without s3:// prefix (bucket/key format)
+        codebuild_source_location = self._normalize_s3_location(source_location)
+        project_config = {
+            "name": project_name,
+            "source": {
+                "type": "S3",
+                "location": codebuild_source_location,
+                "buildspec": buildspec,
+            },
+            "artifacts": {
+                "type": "NO_ARTIFACTS",
+            },
+            "environment": {
+                "type": "ARM_CONTAINER",  # ARM64 images require ARM_CONTAINER environment type
+                "image": "aws/codebuild/amazonlinux2-aarch64-standard:3.0",
+                "computeType": "BUILD_GENERAL1_LARGE",  # 4 vCPUs, 7GB RAM for faster builds
+                "privilegedMode": True,  # Required for Docker
+            },
+            "serviceRole": execution_role,
+        }
+        try:
+            self.client.create_project(**project_config)
+            self.logger.info("Created CodeBuild project: %s", project_name)
+        except ClientError as e:
+            if e.response["Error"]["Code"] == "ResourceAlreadyExistsException":
+                self.client.update_project(**project_config)
+                self.logger.info("Updated CodeBuild project: %s", project_name)
+            else:
+                raise
+        return project_name
+    def start_build(self, project_name: str, source_location: str) -> str:
+        """Start a CodeBuild build."""
+        # CodeBuild expects S3 location without s3:// prefix (bucket/key format)
+        codebuild_source_location = self._normalize_s3_location(source_location)
+        response = self.client.start_build(
+            projectName=project_name,
+            sourceLocationOverride=codebuild_source_location,
+        )
+        return response["build"]["id"]
+    def wait_for_completion(self, build_id: str, timeout: int = 900):
+        """Wait for CodeBuild to complete with detailed phase tracking."""
+        self.logger.info("Starting CodeBuild monitoring...")
+        # Phase tracking variables
+        current_phase = None
+        phase_start_time = None
+        build_start_time = time.time()
+        while time.time() - build_start_time < timeout:
+            response = self.client.batch_get_builds(ids=[build_id])
+            build = response["builds"][0]
+            status = build["buildStatus"]
+            build_phase = build.get("currentPhase", "UNKNOWN")
+            # Track phase changes
+            if build_phase != current_phase:
+                # Log previous phase completion (if any)
+                if current_phase and phase_start_time:
+                    phase_duration = time.time() - phase_start_time
+                    self.logger.info("✅ %s completed in %.1fs", current_phase, phase_duration)
+                # Log new phase start
+                current_phase = build_phase
+                phase_start_time = time.time()
+                total_duration = phase_start_time - build_start_time
+                self.logger.info("🔄 %s started (total: %.0fs)", current_phase, total_duration)
+            # Check for completion
+            if status == "SUCCEEDED":
+                # Log final phase completion
+                if current_phase and phase_start_time:
+                    phase_duration = time.time() - phase_start_time
+                    self.logger.info("✅ %s completed in %.1fs", current_phase, phase_duration)
+                total_duration = time.time() - build_start_time
+                minutes, seconds = divmod(int(total_duration), 60)
+                self.logger.info("🎉 CodeBuild completed successfully in %dm %ds", minutes, seconds)
+                return
+            elif status in ["FAILED", "FAULT", "STOPPED", "TIMED_OUT"]:
+                # Log failure with phase info
+                if current_phase:
+                    self.logger.error("❌ Build failed during %s phase", current_phase)
+                raise RuntimeError(f"CodeBuild failed with status: {status}")
+            time.sleep(5)
+        total_duration = time.time() - build_start_time
+        minutes, seconds = divmod(int(total_duration), 60)
+        raise TimeoutError(f"CodeBuild timed out after {minutes}m {seconds}s (current phase: {current_phase})")
+    def _get_arm64_buildspec(self, ecr_repository_uri: str) -> str:
+        """Get optimized buildspec for ARM64 Docker."""
+        return f"""
+version: 0.2
+phases:
+  pre_build:
+    commands:
+      - echo Logging in to Amazon ECR...
+      - aws ecr get-login-password --region $AWS_DEFAULT_REGION |
+        docker login --username AWS --password-stdin {ecr_repository_uri}
+      - export DOCKER_BUILDKIT=1
+      - export BUILDKIT_PROGRESS=plain
+  build:
+    commands:
+      - echo Build started on `date`
+      - echo Building ARM64 Docker image with BuildKit processing...
+      - export DOCKER_BUILDKIT=1
+      - docker buildx create --name arm64builder --use || true
+      - docker buildx build --platform linux/arm64 --load -t bedrock-agentcore-arm64 .
+      - docker tag bedrock-agentcore-arm64:latest {ecr_repository_uri}:latest
+  post_build:
+    commands:
+      - echo Build completed on `date`
+      - echo Pushing ARM64 image to ECR...
+      - docker push {ecr_repository_uri}:latest
+"""
+    def _parse_dockerignore(self) -> List[str]:
+        """Parse .dockerignore file and return list of patterns."""
+        dockerignore_path = Path(".dockerignore")
+        patterns = []
+        if dockerignore_path.exists():
+            with open(dockerignore_path, "r") as f:
+                for line in f:
+                    line = line.strip()
+                    if line and not line.startswith("#"):
+                        patterns.append(line)
+            self.logger.info("Using .dockerignore with %d patterns", len(patterns))
+        else:
+            # Default patterns if no .dockerignore
+            patterns = [
+                ".git",
+                "__pycache__",
+                "*.pyc",
+                ".DS_Store",
+                "node_modules",
+                ".venv",
+                "venv",
+                "*.egg-info",
+                ".bedrock_agentcore.yaml",  # Always exclude config
+            ]
+            self.logger.info("No .dockerignore found, using default exclude patterns")
+        return patterns
+    def _should_ignore(self, path: str, patterns: List[str], is_dir: bool = False) -> bool:
+        """Check if path should be ignored based on dockerignore patterns."""
+        # Normalize path
+        if path.startswith("./"):
+            path = path[2:]
+        should_ignore = False  # Default state: don't ignore
+        for pattern in patterns:
+            # Handle negation patterns
+            if pattern.startswith("!"):
+                if self._matches_pattern(path, pattern[1:], is_dir):
+                    should_ignore = False  # Negation pattern: don't ignore
+            else:
+                # Regular ignore patterns
+                if self._matches_pattern(path, pattern, is_dir):
+                    should_ignore = True  # Regular pattern: ignore
+        return should_ignore
+    def _matches_pattern(self, path: str, pattern: str, is_dir: bool) -> bool:
+        """Check if path matches a dockerignore pattern."""
+        # Directory-specific patterns
+        if pattern.endswith("/"):
+            if not is_dir:
+                return False
+            pattern = pattern[:-1]
+        # Exact match
+        if path == pattern:
+            return True
+        # Glob pattern match
+        if fnmatch.fnmatch(path, pattern):
+            return True
+        # Directory prefix match
+        if is_dir and pattern in path.split("/"):
+            return True
+        # File in ignored directory
+        if not is_dir and any(fnmatch.fnmatch(part, pattern) for part in path.split("/")):
+            return True
+        return False

bedrock_agentcore_starter_toolkit/services/ecr.py ADDED Viewed

@@ -0,0 +1,84 @@
+"""ECR (Elastic Container Registry) service integration."""
+import base64
+import boto3
+from ..utils.runtime.container import ContainerRuntime
+def get_account_id() -> str:
+    """Get AWS account ID."""
+    return boto3.client("sts").get_caller_identity()["Account"]
+def get_region() -> str:
+    """Get AWS region."""
+    return boto3.Session().region_name or "us-west-2"
+def create_ecr_repository(repo_name: str, region: str) -> str:
+    """Create or get existing ECR repository."""
+    ecr = boto3.client("ecr", region_name=region)
+    try:
+        response = ecr.create_repository(repositoryName=repo_name)
+        return response["repository"]["repositoryUri"]
+    except ecr.exceptions.RepositoryAlreadyExistsException:
+        response = ecr.describe_repositories(repositoryNames=[repo_name])
+        return response["repositories"][0]["repositoryUri"]
+def get_or_create_ecr_repository(agent_name: str, region: str) -> str:
+    """Get existing ECR repository or create a new one (idempotent).
+    Args:
+        agent_name: Name of the agent
+        region: AWS region
+    Returns:
+        ECR repository URI
+    """
+    # Generate deterministic repository name based on agent name
+    repo_name = f"bedrock-agentcore-{agent_name}"
+    ecr = boto3.client("ecr", region_name=region)
+    try:
+        # Step 1: Check if repository already exists
+        response = ecr.describe_repositories(repositoryNames=[repo_name])
+        existing_repo_uri = response["repositories"][0]["repositoryUri"]
+        print(f"✅ Reusing existing ECR repository: {existing_repo_uri}")
+        return existing_repo_uri
+    except ecr.exceptions.RepositoryNotFoundException:
+        # Step 2: Repository doesn't exist, create it
+        print(f"Repository doesn't exist, creating new ECR repository: {repo_name}")
+        return create_ecr_repository(repo_name, region)
+def deploy_to_ecr(local_tag: str, repo_name: str, region: str, container_runtime: ContainerRuntime) -> str:
+    """Build and push image to ECR."""
+    ecr = boto3.client("ecr", region_name=region)
+    # Get or create repository
+    ecr_uri = create_ecr_repository(repo_name, region)
+    # Get auth token
+    auth_data = ecr.get_authorization_token()["authorizationData"][0]
+    token = base64.b64decode(auth_data["authorizationToken"]).decode("utf-8")
+    username, password = token.split(":")
+    # Login to ECR
+    if not container_runtime.login(auth_data["proxyEndpoint"], username, password):
+        raise RuntimeError("Failed to login to ECR")
+    # Tag and push
+    ecr_tag = f"{ecr_uri}:latest"
+    if not container_runtime.tag(local_tag, ecr_tag):
+        raise RuntimeError("Failed to tag image")
+    if not container_runtime.push(ecr_tag):
+        raise RuntimeError("Failed to push image to ECR")
+    return ecr_tag