SageMaker example script update (#517)

* Add IAM rights to CloudWatch logs

* Add AWS CloudWatch logging

* Remove parameter parsing logic

* Add instruction comments to script

* Update logging text

* Update changelog

* Revise LC, fix Docker run issue

* revert version var name change

---------

Co-authored-by: Michael Chin <[email protected]>

Author: kmcginnes

Changelog.md

@@ -12,6 +12,9 @@
 - Requests executed in parallel for each label or class are now batched in
   groups of 10 to reduce chance of throttling errors
   (<https://github.com/aws/graph-explorer/pull/489>)
+- Updated the example SageMaker lifecycle configuration script and IAM policies
+  to include logging to CloudWatch
+  (<https://github.com/aws/graph-explorer/pull/517>)
 
 **Bug Fixes and Minor Changes**
 

additionaldocs/sagemaker/graph-explorer-neptune-analytics-policy.json

@@ -14,6 +14,18 @@
       "Resource": [
         "arn:[AWS_PARTITION]:sagemaker:[AWS_REGION]:[AWS_ACCOUNT_ID]:notebook-instance/*"
       ]
+    },
+    {
+      "Sid": "LogGroupAccess",
+      "Effect": "Allow",
+      "Action": [
+        "logs:CreateLogGroup",
+        "logs:CreateLogStream",
+        "logs:PutLogEvents"
+      ],
+      "Resource": [
+        "arn:[AWS_PARTITION]:logs:[AWS_REGION]:[AWS_ACCOUNT_ID]:log-group:/aws/sagemaker/*"
+      ]
     }
   ]
 }

additionaldocs/sagemaker/graph-explorer-neptune-db-policy.json

@@ -14,6 +14,18 @@
       "Resource": [
         "arn:[AWS_PARTITION]:sagemaker:[AWS_REGION]:[AWS_ACCOUNT_ID]:notebook-instance/*"
       ]
+    },
+    {
+      "Sid": "LogGroupAccess",
+      "Effect": "Allow",
+      "Action": [
+        "logs:CreateLogGroup",
+        "logs:CreateLogStream",
+        "logs:PutLogEvents"
+      ],
+      "Resource": [
+        "arn:[AWS_PARTITION]:logs:[AWS_REGION]:[AWS_ACCOUNT_ID]:log-group:/aws/sagemaker/*"
+      ]
     }
   ]
 }

additionaldocs/sagemaker/install-graph-explorer-lc.sh

@@ -2,26 +2,94 @@
 
 sudo -u ec2-user -i <<'EOF'
 
-echo "export GRAPH_NOTEBOOK_AUTH_MODE=DEFAULT" >> ~/.bashrc  # set to IAM instead of DEFAULT if cluster is IAM enabled
-echo "export GRAPH_NOTEBOOK_HOST=CHANGE-ME" >> ~/.bashrc
-echo "export GRAPH_NOTEBOOK_SERVICE=neptune-db" >> ~/.bashrc # set to `neptune-db` for Neptune database or `neptune-graph` for Neptune Analytics
-echo "export GRAPH_NOTEBOOK_PORT=8182" >> ~/.bashrc
-echo "export AWS_REGION=us-west-2" >> ~/.bashrc  # modify region if needed
+echo "export GRAPH_NOTEBOOK_SERVICE=neptune-db" >> ~/.bashrc # Set to `neptune-graph` for Neptune Analytics.
+echo "export GRAPH_NOTEBOOK_HOST=CHANGE-ME" >> ~/.bashrc # Set to the endpoint of your Neptune instance
+echo "export GRAPH_NOTEBOOK_PORT=8182" >> ~/.bashrc # Set to the port of your Neptune instance
+echo "export GRAPH_NOTEBOOK_AUTH_MODE=IAM" >> ~/.bashrc # Set to `DEFAULT` if using DB cluster that is not IAM enabled. Leave as `IAM` for Neptune Analytics.
+echo "export AWS_REGION=us-west-2" >> ~/.bashrc # Set to AWS region of Neptune instance and notebook.
+echo "export NEPTUNE_LOAD_FROM_S3_ROLE_ARN=" >> ~/.bashrc # Sets IAM role for Neptune DB bulk loads via graph-notebook.
 
 EXPLORER_VERSION=""
-for i in "$@"
-do
-case $i in
-    -ev=*|--explorer-version=*)
-    EXPLORER_VERSION="${i#*=}"
-    echo "set explorer version to ${EXPLORER_VERSION}"
-    shift
-    ;;
-esac
-done
+NOTEBOOK_VERSION=""
 
 source activate JupyterSystemEnv
+
+echo "installing Python 3 kernel"
+python3 -m ipykernel install --sys-prefix --name python3 --display-name "Python 3"
+
+echo "installing python dependencies..."
+pip uninstall NeptuneGraphNotebook -y # legacy uninstall when we used to install from source in s3
+
+pip install "jupyter_core<=5.3.2"
+pip install "jupyter_server<=2.7.3"
+pip install "jupyter-console<=6.4.0"
+pip install "jupyter-client<=6.1.12"
+pip install "ipywidgets==7.7.2"
+pip install "jupyterlab_widgets==1.1.1"
+pip install "notebook==6.4.12"
+pip install "nbclient<=0.7.0"
+pip install awswrangler
+
+if [[ ${NOTEBOOK_VERSION} == "" ]]; then
+  pip install --upgrade graph-notebook
+else
+  pip install --upgrade graph-notebook==${NOTEBOOK_VERSION}
+fi
+
+echo "installing nbextensions..."
+python -m graph_notebook.nbextensions.install
+
+echo "installing static resources..."
+python -m graph_notebook.static_resources.install
+
+echo "enabling visualization..."
+if [[ ${NOTEBOOK_VERSION//./} < 330 ]] && [[ ${NOTEBOOK_VERSION} != "" ]]; then
+  jupyter nbextension install --py --sys-prefix graph_notebook.widgets
+fi
+jupyter nbextension enable  --py --sys-prefix graph_notebook.widgets
+
+mkdir -p ~/SageMaker/Neptune
+cd ~/SageMaker/Neptune || exit
+python -m graph_notebook.notebooks.install
+chmod -R a+rw ~/SageMaker/Neptune/*
+
 source ~/.bashrc || exit
+HOST=${GRAPH_NOTEBOOK_HOST}
+PORT=${GRAPH_NOTEBOOK_PORT}
+SERVICE=${GRAPH_NOTEBOOK_SERVICE:-"neptune-db"}
+AUTH_MODE=${GRAPH_NOTEBOOK_AUTH_MODE}
+SSL=${GRAPH_NOTEBOOK_SSL}
+LOAD_FROM_S3_ARN=${NEPTUNE_LOAD_FROM_S3_ROLE_ARN}
+
+if [[ ${SSL} -eq "" ]]; then
+  SSL="True"
+fi
+
+echo "Creating config with
+HOST:                       ${HOST}
+PORT:                       ${PORT}
+SERVICE:                    ${SERVICE}
+AUTH_MODE:                  ${AUTH_MODE}
+SSL:                        ${SSL}
+AWS_REGION:                 ${AWS_REGION}"
+
+/home/ec2-user/anaconda3/envs/JupyterSystemEnv/bin/python -m graph_notebook.configuration.generate_config \
+  --host "${HOST}" \
+  --port "${PORT}" \
+  --neptune_service "${SERVICE}" \
+  --auth_mode "${AUTH_MODE}" \
+  --ssl "${SSL}" \
+  --load_from_s3_arn "${LOAD_FROM_S3_ARN}" \
+  --aws_region "${AWS_REGION}"
+
+echo "Adding graph_notebook.magics to ipython config..."
+if [[ ${NOTEBOOK_VERSION//./} > 341 ]] || [[ ${NOTEBOOK_VERSION} == "" ]]; then
+  /home/ec2-user/anaconda3/envs/JupyterSystemEnv/bin/python -m graph_notebook.ipython_profile.configure_ipython_profile
+else
+  echo "Skipping, unsupported on graph-notebook<=3.4.1"
+fi
+
+echo "graph-notebook installation complete."
 
 echo "Constructing explorer connection configuration..."
 
@@ -44,9 +112,7 @@ else
 fi
 
 NEPTUNE_URI="https://${GRAPH_NOTEBOOK_HOST}:${GRAPH_NOTEBOOK_PORT}"
-SERVICE=${GRAPH_NOTEBOOK_SERVICE:-"neptune-db"}
 AWS_REGION=${AWS_REGION}
-
 echo "AUTH_MODE from Lifecycle: ${GRAPH_NOTEBOOK_AUTH_MODE}"
 if [[ ${GRAPH_NOTEBOOK_AUTH_MODE} == "IAM" ]]; then
   IAM=true
@@ -56,7 +122,6 @@ fi
 
 echo "Explorer URI: ${EXPLORER_URI}"
 echo "Neptune URI: ${NEPTUNE_URI}"
-echo "Neptune Service: ${SERVICE}"
 echo "Explorer region: ${AWS_REGION}"
 echo "Explorer IAM auth mode: ${IAM}"
 
@@ -81,6 +146,10 @@ fi
 echo "Using explorer image tag: ${EXPLORER_ECR_TAG}"
 
 docker run -d -p 9250:9250 \
+  --log-driver=awslogs \
+  --log-opt awslogs-region=${AWS_REGION} \
+  --log-opt awslogs-group=/aws/sagemaker/NotebookInstances \
+  --log-opt awslogs-stream=${GRAPH_NOTEBOOK_NAME}/graph-explorer.log \
   --restart always \
   --env HOST=127.0.0.1 \
   --env PUBLIC_OR_PROXY_ENDPOINT=${EXPLORER_URI} \
@@ -90,11 +159,14 @@ docker run -d -p 9250:9250 \
   --env AWS_REGION=${AWS_REGION} \
   --env SERVICE_TYPE=${SERVICE} \
   --env PROXY_SERVER_HTTPS_CONNECTION=false \
-  --env NEPTUNE_NOTEBOOK=true public.ecr.aws/neptune/graph-explorer:${EXPLORER_ECR_TAG}
+  --env NEPTUNE_NOTEBOOK=true \
+  --env LOG_LEVEL=debug \
+  public.ecr.aws/neptune/graph-explorer:${EXPLORER_ECR_TAG}
 
 echo "Explorer installation done."
 
 conda /home/ec2-user/anaconda3/bin/deactivate
 echo "done."
 
+
 EOF