Merge branch 'master' into processing-job-codeartifact-support

Author: sage-maker

.github/workflows/security-monitoring.yml

@@ -0,0 +1,122 @@
+name: Security Monitoring
+
+on:
+  schedule:
+    - cron: '0 9 * * *'
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.run_id }}
+  cancel-in-progress: true
+
+permissions:
+  id-token: write
+
+jobs:
+  check-code-scanning-alerts:
+    runs-on: ubuntu-latest
+    outputs:
+      code_scanning_alert_status: ${{ steps.check-code-scanning-alerts.outputs.code_scanning_alert_status }}
+    steps:
+      - name: Check for security alerts
+        id: check-code-scanning-alerts
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea
+        with:
+          github-token: ${{ secrets.GH_PAT }}
+          script: |
+            async function checkAlerts() {
+              const owner = '${{ github.repository_owner }}';
+              const repo = '${{ github.event.repository.name }}';
+              const ref = 'refs/heads/master';
+            
+              const codeScanningAlerts = await github.rest.codeScanning.listAlertsForRepo({
+                owner,
+                repo,
+                ref: ref
+              });
+              const activeCodeScanningAlerts = codeScanningAlerts.data.filter(alert => alert.state === 'open');
+              core.setOutput('code_scanning_alert_status', activeCodeScanningAlerts.length > 0 ? '1': '0');
+            }
+            await checkAlerts();
+
+  check-dependabot-alerts:
+    runs-on: ubuntu-latest
+    outputs:
+      dependabot_alert_status: ${{ steps.check-dependabot-alerts.outputs.dependabot_alert_status }}
+    steps:
+      - name: Check for dependabot alerts
+        id: check-dependabot-alerts
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea
+        with:
+          github-token: ${{ secrets.GH_PAT }}
+          script: |
+            async function checkAlerts() {
+              const owner = '${{ github.repository_owner }}';
+              const repo = '${{ github.event.repository.name }}';
+            
+              const dependabotAlerts = await github.rest.dependabot.listAlertsForRepo({
+                owner,
+                repo,
+                headers: {
+                  'accept': 'applications/vnd.github+json'
+                }
+              }); 
+              const activeDependabotAlerts = dependabotAlerts.data.filter(alert => alert.state === 'open');
+              core.setOutput('dependabot_alert_status', activeDependabotAlerts.length > 0 ? '1': '0');
+            }
+            await checkAlerts();
+
+  check-secret-scanning-alerts:
+    runs-on: ubuntu-latest
+    outputs:
+      secret_scanning_alert_status: ${{ steps.check-secret-scanning-alerts.outputs.secret_scanning_alert_status }}
+    steps:
+      - name: Check for secret scanning alerts
+        id: check-secret-scanning-alerts
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea
+        with:
+          github-token: ${{ secrets.GH_PAT }}
+          script: |
+            async function checkAlerts() {
+              const owner = '${{ github.repository_owner }}';
+              const repo = '${{ github.event.repository.name }}';
+
+              const secretScanningAlerts = await github.rest.secretScanning.listAlertsForRepo({
+                owner,
+                repo,
+              }); 
+              const activeSecretScanningAlerts = secretScanningAlerts.data.filter(alert => alert.state === 'open');
+              core.setOutput('secret_scanning_alert_status', activeSecretScanningAlerts.length > 0 ? '1': '0');
+              console.log("Active Secret Scanning Alerts", activeSecretScanningAlerts);
+            }
+            await checkAlerts();
+
+  put-metric-data:
+    runs-on: ubuntu-latest
+    needs: [check-code-scanning-alerts, check-dependabot-alerts, check-secret-scanning-alerts]
+    steps:
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@12e3392609eaaceb7ae6191b3f54bbcb85b5002b
+        with:
+          role-to-assume: ${{ secrets.MONITORING_ROLE_ARN }}
+          aws-region: us-west-2
+      - name: Put Code Scanning Alert Metric Data
+        run: |
+          if [ "${{ needs.check-code-scanning-alerts.outputs.code_scanning_alert_status }}" == "1" ]; then
+            aws cloudwatch put-metric-data --metric-name CodeScanningAlert --namespace SecurityMonitoringMetrics --value 1 --unit Count --dimensions ProjectName=sagemaker-python-sdk
+          else
+            aws cloudwatch put-metric-data --metric-name CodeScanningAlert --namespace SecurityMonitoringMetrics --value 0 --unit Count --dimensions ProjectName=sagemaker-python-sdk
+          fi
+      - name: Put Dependabot Alert Metric Data
+        run: |
+          if [ "${{ needs.check-dependabot-alerts.outputs.dependabot_alert_status }}" == "1" ]; then
+            aws cloudwatch put-metric-data --metric-name DependabotAlert --namespace SecurityMonitoringMetrics --value 1 --unit Count --dimensions ProjectName=sagemaker-python-sdk
+          else
+            aws cloudwatch put-metric-data --metric-name DependabotAlert --namespace SecurityMonitoringMetrics --value 0 --unit Count --dimensions ProjectName=sagemaker-python-sdk
+          fi
+      - name: Put Secret Scanning Alert Metric Data
+        run: |
+          if [ "${{ needs.check-secret-scanning-alerts.outputs.secret_scanning_alert_status }}" == "1" ]; then
+            aws cloudwatch put-metric-data --metric-name SecretScanningAlert --namespace SecurityMonitoringMetrics --value 1 --unit Count --dimensions ProjectName=sagemaker-python-sdk
+          else
+            aws cloudwatch put-metric-data --metric-name SecretScanningAlert --namespace SecurityMonitoringMetrics --value 0 --unit Count --dimensions ProjectName=sagemaker-python-sdk
+          fi

CHANGELOG.md

@@ -1,5 +1,22 @@
 # Changelog
 
+## v2.228.0 (2024-08-06)
+
+### Features
+
+ * triton v24.05
+
+### Bug Fixes and Other Changes
+
+ * chore: telemetry for deployment configs
+ * censoring sensitive values from being logged
+ * update image_uri_configs  08-05-2024 07:17:38 PST
+ * enable uncompressed model artifacts upload to S3 for SAGEMAKER_ENDPOINT overwrite for TGI, TEI, MMS model servers
+ * ModelReference deployment for Alt Configs models
+ * Add optional typecheck for nullable parameters
+ * Update package metadata
+ * release TEI 1.4.0
+
 ## v2.227.0 (2024-07-30)
 
 ### Features

VERSION

@@ -1 +1 @@
-2.227.1.dev0
+2.228.1.dev0

requirements/extras/test_requirements.txt

@@ -13,7 +13,7 @@ awslogs==0.14.0
 black==24.3.0
 stopit==1.1.2
 # Update tox.ini to have correct version of airflow constraints file
-apache-airflow==2.9.2
+apache-airflow==2.9.3
 apache-airflow-providers-amazon==7.2.1
 attrs>=23.1.0,<24
 fabric==2.6.0

src/sagemaker/config/config_utils.py

@@ -20,6 +20,8 @@
 import logging
 import sys
 from typing import Callable
+import re
+from copy import deepcopy
 
 
 def get_sagemaker_config_logger():
@@ -67,6 +69,19 @@ def _log_sagemaker_config_single_substitution(source_value, config_value, config
     """
     logger = get_sagemaker_config_logger()
 
+    source_value_log_copy = deepcopy(source_value)
+    config_value_log_copy = deepcopy(config_value)
+
+    if isinstance(source_value_log_copy, dict):
+        for key in source_value_log_copy.keys():
+            if re.search(r"(secret|password|key|token)", key, re.IGNORECASE):
+                source_value_log_copy[key] = "***"
+
+    if isinstance(config_value_log_copy, dict):
+        for key in config_value_log_copy.keys():
+            if re.search(r"(secret|password|key|token)", key, re.IGNORECASE):
+                config_value_log_copy[key] = "***"
+
     if config_value is not None:
 
         if source_value is None:
@@ -79,7 +94,7 @@ def _log_sagemaker_config_single_substitution(source_value, config_value, config
                 logger.debug(
                     "Applied value\n  config key = %s\n  config value that will be used = %s",
                     config_key_path,
-                    config_value,
+                    config_value_log_copy,
                 )
             else:
                 logger.info(
@@ -102,8 +117,8 @@ def _log_sagemaker_config_single_substitution(source_value, config_value, config
                     "  source value that will be used = %s"
                 ),
                 config_key_path,
-                config_value,
-                source_value,
+                config_value_log_copy,
+                source_value_log_copy,
             )
         elif source_value is not None and config_value != source_value:
             # Sagemaker Config had a value defined that is NOT going to be used
@@ -117,8 +132,8 @@ def _log_sagemaker_config_single_substitution(source_value, config_value, config
                     "  source value that will be used = %s",
                 ),
                 config_key_path,
-                config_value,
-                source_value,
+                config_value_log_copy,
+                source_value_log_copy,
             )
     else:
         # nothing was specified in the config and nothing is being automatically applied

src/sagemaker/image_uri_config/pytorch.json

@@ -2378,6 +2378,7 @@
                     "us-gov-west-1": "442386744353",
                     "us-iso-east-1": "886529160074",
                     "us-isob-east-1": "094389454867",
+                    "us-isof-east-1": "303241398832",
                     "us-isof-south-1": "454834333376",
                     "us-west-1": "763104351884",
                     "us-west-2": "763104351884"

src/sagemaker/image_uri_config/sagemaker-tritonserver.json

@@ -7,6 +7,38 @@
 		"inference"
 	],
 	"versions": {
+                "24.05": {
+                        "registries": {
+                                "af-south-1": "626614931356",
+                                "il-central-1": "780543022126",
+                                "ap-east-1": "871362719292",
+                                "ap-northeast-1": "763104351884",
+                                "ap-northeast-2": "763104351884",
+                                "ap-northeast-3": "364406365360",
+                                "ap-south-1": "763104351884",
+                                "ap-southeast-1": "763104351884",
+                                "ap-southeast-2": "763104351884",
+                                "ap-southeast-3": "907027046896",
+                                "ca-central-1": "763104351884",
+                                "cn-north-1": "727897471807",
+                                "cn-northwest-1": "727897471807",
+                                "eu-central-1": "763104351884",
+                                "eu-north-1": "763104351884",
+                                "eu-west-1": "763104351884",
+                                "eu-west-2": "763104351884",
+                                "eu-west-3": "763104351884",
+                                "eu-south-1": "692866216735",
+                                "me-south-1": "217643126080",
+                                "sa-east-1": "763104351884",
+                                "us-east-1": "763104351884",
+                                "us-east-2": "763104351884",
+                                "us-west-1": "763104351884",
+                                "us-west-2": "763104351884",
+                                "ca-west-1": "204538143572"
+                        },
+                        "repository": "sagemaker-tritonserver",
+                        "tag_prefix": "24.05-py3"
+                },
 		"24.03": {
 			"registries": {
 				"af-south-1": "626614931356",
@@ -104,4 +136,4 @@
 			"tag_prefix": "23.12-py3"
 		}
 	}
-}
+}

src/sagemaker/image_uri_config/tensorflow.json

@@ -4401,6 +4401,7 @@
                     "us-gov-west-1": "442386744353",
                     "us-iso-east-1": "886529160074",
                     "us-isob-east-1": "094389454867",
+                    "us-isof-east-1": "303241398832",
                     "us-isof-south-1": "454834333376",
                     "us-west-1": "763104351884",
                     "us-west-2": "763104351884"

src/sagemaker/jumpstart/factory/estimator.py

@@ -69,6 +69,7 @@
     add_jumpstart_model_info_tags,
     get_eula_message,
     get_default_jumpstart_session_with_user_agent_suffix,
+    get_top_ranked_config_name,
     update_dict_if_key_not_present,
     resolve_estimator_sagemaker_config_field,
     verify_model_region_and_return_specs,
@@ -204,7 +205,9 @@ def get_init_kwargs(
 
     estimator_init_kwargs = _add_model_version_to_kwargs(estimator_init_kwargs)
     estimator_init_kwargs = _add_vulnerable_and_deprecated_status_to_kwargs(estimator_init_kwargs)
-    estimator_init_kwargs = _add_sagemaker_session_to_kwargs(estimator_init_kwargs)
+    estimator_init_kwargs = _add_sagemaker_session_with_custom_user_agent_to_kwargs(
+        estimator_init_kwargs
+    )
     estimator_init_kwargs = _add_region_to_kwargs(estimator_init_kwargs)
     estimator_init_kwargs = _add_instance_type_and_count_to_kwargs(estimator_init_kwargs)
     estimator_init_kwargs = _add_image_uri_to_kwargs(estimator_init_kwargs)
@@ -438,12 +441,17 @@ def _add_region_to_kwargs(kwargs: JumpStartKwargs) -> JumpStartKwargs:
     return kwargs
 
 
-def _add_sagemaker_session_to_kwargs(kwargs: JumpStartKwargs) -> JumpStartKwargs:
+def _add_sagemaker_session_with_custom_user_agent_to_kwargs(
+    kwargs: JumpStartKwargs,
+) -> JumpStartKwargs:
     """Sets session in kwargs based on default or override, returns full kwargs."""
     kwargs.sagemaker_session = (
         kwargs.sagemaker_session
         or get_default_jumpstart_session_with_user_agent_suffix(
-            kwargs.model_id, kwargs.model_version, kwargs.hub_arn
+            model_id=kwargs.model_id,
+            model_version=kwargs.model_version,
+            config_name=None,
+            is_hub_content=kwargs.hub_arn is not None,
         )
     )
     return kwargs
@@ -903,20 +911,16 @@ def _add_config_name_to_kwargs(
 ) -> JumpStartEstimatorInitKwargs:
     """Sets tags in kwargs based on default or override, returns full kwargs."""
 
-    specs = verify_model_region_and_return_specs(
+    kwargs.config_name = kwargs.config_name or get_top_ranked_config_name(
+        region=kwargs.region,
         model_id=kwargs.model_id,
-        version=kwargs.model_version,
+        model_version=kwargs.model_version,
+        sagemaker_session=kwargs.sagemaker_session,
         scope=JumpStartScriptScope.TRAINING,
-        region=kwargs.region,
-        tolerate_vulnerable_model=kwargs.tolerate_vulnerable_model,
+        model_type=kwargs.model_type,
         tolerate_deprecated_model=kwargs.tolerate_deprecated_model,
-        sagemaker_session=kwargs.sagemaker_session,
-        config_name=kwargs.config_name,
+        tolerate_vulnerable_model=kwargs.tolerate_vulnerable_model,
+        hub_arn=kwargs.hub_arn,
     )
 
-    if specs.training_configs and specs.training_configs.get_top_config_from_ranking():
-        kwargs.config_name = (
-            kwargs.config_name or specs.training_configs.get_top_config_from_ranking().config_name
-        )
-
     return kwargs