
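"""Pinned version constants for GCO infrastructure.

Single source of truth for all version-pinned infrastructure components.
Centralising these makes it easy to:

1. See every pinned version at a glance
2. Update versions in one place
3. Let the dependency scanner (`.github/scripts/dependency-scan.sh`)
   find them with a simple import instead of regex scraping
4. Write tests that assert versions haven't drifted

When updating a version here, also check:
- ``lambda/helm-installer/charts.yaml`` for Helm chart versions
- ``requirements-lock.txt`` for Python dependency versions
- ``cdk.json`` context for ``kubernetes_version``

The dependency scanner runs monthly and opens an issue when any of
these fall behind the latest available release.

Every name below is a plain module-level constant: the scanner and the
tests read them by import, so keep them as literal assignments (or values
derived purely from other constants in this file) with no I/O.
"""

from __future__ import annotations

from typing import Final

# Explicit public API so ``from gco.stacks.constants import *`` (and linters)
# see exactly the pinned set and nothing else.
__all__ = [
    "LAMBDA_PYTHON_RUNTIME",
    "EKS_ADDON_POD_IDENTITY_AGENT",
    "EKS_ADDON_METRICS_SERVER",
    "EKS_ADDON_EFS_CSI_DRIVER",
    "EKS_ADDON_CLOUDWATCH_OBSERVABILITY",
    "EKS_ADDON_FSX_CSI_DRIVER",
    "AURORA_POSTGRES_VERSION",
    "AURORA_POSTGRES_VERSION_DISPLAY",
    "EMR_SERVERLESS_RELEASE_LABEL",
    "SAGEMAKER_ROLE_NAME_PREFIX",
    "COGNITO_DOMAIN_PREFIX_DEFAULT",
    "STUDIO_PRESIGNED_URL_EXPIRY_SECONDS",
    "CLUSTER_SHARED_BUCKET_NAME_PREFIX",
    "CLUSTER_SHARED_SSM_PARAMETER_PREFIX",
]

# ---------------------------------------------------------------------------
# Lambda Runtime
# ---------------------------------------------------------------------------
# All Lambda functions in GCO use the same Python runtime. Changing this
# single constant updates every function across all stacks.
LAMBDA_PYTHON_RUNTIME: Final = "PYTHON_3_14"
"""CDK enum name for the Lambda runtime (e.g. ``lambda_.Runtime.PYTHON_3_14``)."""

# ---------------------------------------------------------------------------
# EKS Add-on Versions
# ---------------------------------------------------------------------------
# Pinned to specific eksbuild versions for reproducible deployments: a deploy
# never silently picks up a newer add-on build, so every change to what runs
# in the cluster goes through review here.
# The dependency scanner checks ``aws eks describe-addon-versions`` monthly
# and opens an issue when newer builds are available.

EKS_ADDON_POD_IDENTITY_AGENT: Final = "v1.3.10-eksbuild.3"
"""EKS Pod Identity Agent — enables IRSA and Pod Identity for service accounts."""

EKS_ADDON_METRICS_SERVER: Final = "v0.8.1-eksbuild.6"
"""Kubernetes Metrics Server — provides CPU/memory metrics for HPA and ``kubectl top``."""

EKS_ADDON_EFS_CSI_DRIVER: Final = "v3.2.0-eksbuild.1"
"""Amazon EFS CSI Driver — mounts EFS file systems as Kubernetes persistent volumes."""

EKS_ADDON_CLOUDWATCH_OBSERVABILITY: Final = "v5.4.0-eksbuild.1"
"""Amazon CloudWatch Observability — Container Insights, Prometheus metrics, FluentBit logs."""

EKS_ADDON_FSX_CSI_DRIVER: Final = "v1.9.0-eksbuild.1"
"""Amazon FSx CSI Driver — mounts FSx for Lustre file systems as Kubernetes persistent volumes."""

# ---------------------------------------------------------------------------
# Aurora PostgreSQL Engine Version
# ---------------------------------------------------------------------------
# Pinned to a specific minor version. The dependency scanner checks
# ``aws rds describe-db-engine-versions`` monthly for newer releases
# within the same major line.

AURORA_POSTGRES_VERSION: Final = "VER_17_9"
"""CDK enum name for the Aurora PostgreSQL engine version (e.g. ``rds.AuroraPostgresEngineVersion.VER_17_9``)."""

# Derived from the enum name so the two can never drift apart when the
# version is bumped: ``VER_17_9`` -> ``17.9``.
AURORA_POSTGRES_VERSION_DISPLAY: Final = AURORA_POSTGRES_VERSION[len("VER_"):].replace("_", ".")
"""Human-readable version string for documentation and logging."""

# ---------------------------------------------------------------------------
# Analytics Environment Constants
# ---------------------------------------------------------------------------
# Pinned values consumed by the optional analytics environment (SageMaker
# Studio, EMR Serverless, Cognito hosted UI, and the always-on
# Cluster_Shared_Bucket in ``GCOGlobalStack``). Keeping them here lets the
# analytics stack, the regional stack, the global stack, and the tests import
# from a single source of truth.

EMR_SERVERLESS_RELEASE_LABEL: Final = "emr-7.13.0"
"""EMR Serverless Spark release label used for ``emrserverless.CfnApplication``.

Pinned to a stable Spark release so analytics workloads get a reproducible
runtime across deployments. Update alongside the EKS add-ons above when a
newer EMR release is validated against the studio notebooks.
"""

SAGEMAKER_ROLE_NAME_PREFIX: Final = "AmazonSageMaker"
"""Required prefix for the SageMaker Studio execution role name.

Amazon SageMaker requires execution roles used by Studio domains to have a
name that starts with ``AmazonSageMaker`` so that AWS-managed policies and
service-linked trust relationships resolve correctly. Any role name generated
for ``SageMaker_Execution_Role`` must begin with this prefix.
"""

COGNITO_DOMAIN_PREFIX_DEFAULT: Final = "gco-studio"
"""Default prefix for the Cognito hosted-UI domain.

The full domain prefix is assembled at synth time by appending the account
id (e.g. ``gco-studio-123456789012``) so it stays globally unique within
``cognito.UserPoolDomain``. Operators may override the prefix through the
``analytics_environment.cognito.domain_prefix`` field in ``cdk.json``.
"""

STUDIO_PRESIGNED_URL_EXPIRY_SECONDS: Final = 300
"""Default expiry (in seconds) for SageMaker Studio presigned domain URLs.

NOTE(review): ``CreatePresignedDomainUrl``'s ``ExpiresInSeconds`` accepts
5–300 seconds, so 300 is the longest (and default) URL lifetime the API
allows rather than the shortest window — confirm against the current API
reference before relying on this wording. A leaked link is only replayable
until it expires, so keep this at or below 300 and prefer a smaller value
where users are expected to click the link promptly. The presigned-URL
Lambda reads this through the ``URL_EXPIRES_SECONDS`` environment variable
and callers may override it per-request.
"""

CLUSTER_SHARED_BUCKET_NAME_PREFIX: Final = "gco-cluster-shared"
"""Name prefix for the always-on ``Cluster_Shared_Bucket`` in ``GCOGlobalStack``.

The full bucket name is ``gco-cluster-shared-<account>-<global-region>``.
The prefix is what IAM policies and cdk-nag allow-list assertions
scope against, so it must stay stable across refactors even when the region
or account suffix changes.
"""

CLUSTER_SHARED_SSM_PARAMETER_PREFIX: Final = "/gco/cluster-shared-bucket"
"""SSM parameter namespace for the cluster-shared bucket metadata.

``GCOGlobalStack`` writes ``<prefix>/name``, ``<prefix>/arn``, and
``<prefix>/region`` under this path; ``GCORegionalStack`` (always) and
``GCOAnalyticsStack`` (when enabled) read them back via
``cr.AwsCustomResource`` against the global region. Treat the full paths as
the contract — this prefix is the single place to change if the namespace
ever moves.
"""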