chore: cdk deploy deps and syncing

Author: bencegadanyi1-nhs

packages/cdk/constructs/DelayResource.ts

@@ -0,0 +1,117 @@
+import {Construct} from "constructs"
+import {Duration, CustomResource} from "aws-cdk-lib"
+import {Function, Runtime, Code} from "aws-cdk-lib/aws-lambda"
+import {
+  Role,
+  ServicePrincipal,
+  PolicyDocument,
+  PolicyStatement,
+  Effect
+} from "aws-cdk-lib/aws-iam"
+import {Provider} from "aws-cdk-lib/custom-resources"
+
+export interface DelayResourceProps {
+  /**
+   * The delay time in seconds (default: 30 seconds)
+   */
+  readonly delaySeconds?: number
+
+  /**
+   * Optional description for the delay resource
+   */
+  readonly description?: string
+}
+
+/**
+ * a fix for an annoying time sync issue that adds a configurable delay
+ * to ensure AWS resources are fully available before dependent resources are created
+ */
+export class DelayResource extends Construct {
+  public readonly customResource: CustomResource
+  public readonly delaySeconds: number
+
+  constructor(scope: Construct, id: string, props: DelayResourceProps = {}) {
+    super(scope, id)
+
+    this.delaySeconds = props.delaySeconds || 30
+
+    // create IAM role for the delay Lambda function
+    const lambdaExecutionRole = new Role(this, "LambdaExecutionRole", {
+      assumedBy: new ServicePrincipal("lambda.amazonaws.com"),
+      description: "Execution role for delay custom resource Lambda function",
+      inlinePolicies: {
+        LogsPolicy: new PolicyDocument({
+          statements: [
+            new PolicyStatement({
+              effect: Effect.ALLOW,
+              actions: [
+                "logs:CreateLogGroup",
+                "logs:CreateLogStream",
+                "logs:PutLogEvents"
+              ],
+              resources: ["*"]
+            })
+          ]
+        })
+      }
+    })
+
+    // create the delay Lambda function with inline Python code
+    const delayFunction = new Function(this, "DelayFunction", {
+      runtime: Runtime.PYTHON_3_12,
+      handler: "index.handler",
+      role: lambdaExecutionRole,
+      timeout: Duration.minutes(15), // max Lambda timeout to handle long delays
+      description: props.description || `Delay resource for ${this.delaySeconds} seconds`,
+      code: Code.fromInline(`
+from time import sleep
+import json
+import cfnresponse
+import uuid
+
+def handler(event, context):
+    wait_seconds = 0
+    id = str(uuid.uuid1())
+
+    print(f"Received event: {json.dumps(event, default=str)}")
+
+    try:
+        if event["RequestType"] in ["Create", "Update"]:
+            wait_seconds = int(event["ResourceProperties"].get("WaitSeconds", 0))
+            print(f"Waiting for {wait_seconds} seconds...")
+            sleep(wait_seconds)
+            print(f"Wait complete")
+
+        response = {
+            "TimeWaited": wait_seconds,
+            "Id": id,
+            "Status": "SUCCESS"
+        }
+
+        cfnresponse.send(event, context, cfnresponse.SUCCESS, response, f"Waiter-{id}")
+
+    except Exception as e:
+        print(f"Error: {str(e)}")
+        cfnresponse.send(event, context, cfnresponse.FAILED, {"Error": str(e)}, f"Waiter-{id}")
+`)
+    })
+
+    // create the custom resource provider
+    const provider = new Provider(this, "DelayProvider", {
+      onEventHandler: delayFunction,
+      logRetention: 14 // 14 days log retention
+    })
+
+    // create the custom resource that triggers the delay
+    this.customResource = new CustomResource(this, "DelayCustomResource", {
+      serviceToken: provider.serviceToken,
+      properties: {
+        WaitSeconds: this.delaySeconds,
+        Description: props.description || `Delay for ${this.delaySeconds} seconds`,
+        // timestamp to ensure updates trigger when properties change
+        Timestamp: Date.now()
+      }
+    })
+  }
+
+}

packages/cdk/nagSuppressions.ts

@@ -1,3 +1,4 @@
+/* eslint-disable max-len */
 
 import {Stack} from "aws-cdk-lib"
 import {NagPackSuppression, NagSuppressions} from "cdk-nag"
@@ -187,6 +188,97 @@ export const nagSuppressions = (stack: Stack) => {
     )
   })
 
+  // Suppress DelayResource IAM and runtime issues
+  safeAddNagSuppression(
+    stack,
+    "/EpsAssistMeStack/VectorIndex/PolicySyncWait/LambdaExecutionRole/Resource",
+    [
+      {
+        id: "AwsSolutions-IAM5",
+        reason: "DelayResource Lambda requires wildcard log permissions for CloudWatch logging."
+      }
+    ]
+  )
+
+  safeAddNagSuppression(
+    stack,
+    "/EpsAssistMeStack/VectorIndex/IndexReadyWait/LambdaExecutionRole/Resource",
+    [
+      {
+        id: "AwsSolutions-IAM5",
+        reason: "DelayResource Lambda requires wildcard log permissions for CloudWatch logging."
+      }
+    ]
+  )
+
+  // Suppress DelayProvider framework ServiceRole issues
+  safeAddNagSuppression(
+    stack,
+    "/EpsAssistMeStack/VectorIndex/PolicySyncWait/DelayProvider/framework-onEvent/ServiceRole/Resource",
+    [
+      {
+        id: "AwsSolutions-IAM4",
+        reason: "Auto-generated CDK Provider role uses AWS managed policy for Lambda execution."
+      }
+    ]
+  )
+
+  safeAddNagSuppression(
+    stack,
+    "/EpsAssistMeStack/VectorIndex/PolicySyncWait/DelayProvider/framework-onEvent/ServiceRole/DefaultPolicy/Resource",
+    [
+      {
+        id: "AwsSolutions-IAM5",
+        reason: "Auto-generated CDK Provider role requires wildcard permissions for Lambda invocation."
+      }
+    ]
+  )
+
+  safeAddNagSuppression(
+    stack,
+    "/EpsAssistMeStack/VectorIndex/IndexReadyWait/DelayProvider/framework-onEvent/ServiceRole/Resource",
+    [
+      {
+        id: "AwsSolutions-IAM4",
+        reason: "Auto-generated CDK Provider role uses AWS managed policy for Lambda execution."
+      }
+    ]
+  )
+
+  safeAddNagSuppression(
+    stack,
+    "/EpsAssistMeStack/VectorIndex/IndexReadyWait/DelayProvider/framework-onEvent/ServiceRole/DefaultPolicy/Resource",
+    [
+      {
+        id: "AwsSolutions-IAM5",
+        reason: "Auto-generated CDK Provider role requires wildcard permissions for Lambda invocation."
+      }
+    ]
+  )
+
+  // Suppress DelayFunction runtime version warnings
+  safeAddNagSuppression(
+    stack,
+    "/EpsAssistMeStack/VectorIndex/PolicySyncWait/DelayFunction/Resource",
+    [
+      {
+        id: "AwsSolutions-L1",
+        reason: "DelayResource uses Python 3.12 which is the latest stable runtime available for the delay functionality."
+      }
+    ]
+  )
+
+  safeAddNagSuppression(
+    stack,
+    "/EpsAssistMeStack/VectorIndex/IndexReadyWait/DelayFunction/Resource",
+    [
+      {
+        id: "AwsSolutions-L1",
+        reason: "DelayResource uses Python 3.12 which is the latest stable runtime available for the delay functionality."
+      }
+    ]
+  )
+
 }
 
 const safeAddNagSuppression = (stack: Stack, path: string, suppressions: Array<NagPackSuppression>) => {

packages/cdk/resources/VectorIndex.ts

@@ -2,6 +2,7 @@ import {Construct} from "constructs"
 import {CfnIndex} from "aws-cdk-lib/aws-opensearchserverless"
 import {VectorCollection} from "@cdklabs/generative-ai-cdk-constructs/lib/cdk-lib/opensearchserverless"
 import {RemovalPolicy} from "aws-cdk-lib"
+import {DelayResource} from "../constructs/DelayResource"
 
 export interface VectorIndexProps {
   readonly stackName: string
@@ -11,6 +12,8 @@ export interface VectorIndexProps {
 export class VectorIndex extends Construct {
   public readonly cfnIndex: CfnIndex
   public readonly indexName: string
+  public readonly policySyncWait: DelayResource
+  public readonly indexReadyWait: DelayResource
 
   constructor(scope: Construct, id: string, props: VectorIndexProps) {
     super(scope, id)
@@ -64,9 +67,31 @@ export class VectorIndex extends Construct {
       }
     })
 
-    cfnIndex.node.addDependency(props.collection.dataAccessPolicy)
+    // a fix for an annoying time sync issue that adds a small delay
+    // to ensure data access policies are synced before index creation
+    const policySyncWait = new DelayResource(this, "PolicySyncWait", {
+      delaySeconds: 15,
+      description: "Wait for OpenSearch data access policies to sync"
+    })
+
+    policySyncWait.customResource.node.addDependency(props.collection.dataAccessPolicy)
+
+    // Index depends on policy sync wait instead of directly on dataAccessPolicy
+    cfnIndex.node.addDependency(policySyncWait.customResource)
 
     cfnIndex.applyRemovalPolicy(RemovalPolicy.DESTROY)
+
+    // a fix for an annoying time sync issue that adds a small delay
+    // to ensure index is actually available for Bedrock
+    const indexReadyWait = new DelayResource(this, "IndexReadyWait", {
+      delaySeconds: 30,
+      description: "Wait for OpenSearch index to be fully available"
+    })
+
+    indexReadyWait.customResource.node.addDependency(cfnIndex)
+
     this.cfnIndex = cfnIndex
+    this.policySyncWait = policySyncWait
+    this.indexReadyWait = indexReadyWait
   }
 }

packages/cdk/stacks/EpsAssistMeStack.ts

@@ -105,9 +105,7 @@ export class EpsAssistMeStack extends Stack {
       account
     })
 
-    vectorKB.knowledgeBase.node.addDependency(vectorIndex.cfnIndex)
-    vectorKB.knowledgeBase.node.addDependency(openSearchResources.collection)
-    vectorKB.knowledgeBase.node.addDependency(openSearchResources.collection.dataAccessPolicy)
+    vectorKB.knowledgeBase.node.addDependency(vectorIndex.indexReadyWait.customResource)
 
     // Create runtime policies with resource dependencies
     const runtimePolicies = new RuntimePolicies(this, "RuntimePolicies", {