Update integ test roles, run against Bedrock in us-east-2

clareliguori · clareliguori · commit 0f885fa0519c · 2025-03-31T21:16:17.000-07:00
diff --git a/.github/workflows/integ-tests.yml b/.github/workflows/integ-tests.yml
@@ -49,5 +49,7 @@ jobs:
 
       - name: Clean up
         if: always()
-        run: ./e2e_tests/clean_up_integ_test.sh
+        run: |
+          source src/python/.venv/bin/activate
+          ./e2e_tests/clean_up_integ_test.sh
         working-directory: ${{ github.workspace }}
diff --git a/README.md b/README.md
@@ -178,6 +178,9 @@ await this.client.connect(transport);
 
 First, install the [AWS CDK CLI](https://docs.aws.amazon.com/cdk/v2/guide/getting_started.html#getting_started_install).
 
+Request [Bedrock model access](https://us-east-2.console.aws.amazon.com/bedrock/home?region=us-east-2#/modelaccess)
+to Anthropic Claude 3.5 Sonnet v2 in region us-east-2.
+
 Install the mcp-lambda Python module from source:
 
 ```bash
@@ -194,7 +197,7 @@ uv run pyright
 uv run pytest
 ```
 
-Create an IAM role for the example Lambda functions:
+Create an IAM role for the example Lambda functions and bootstrap the account for CDK:
 
 ```bash
 aws iam create-role \
@@ -204,6 +207,8 @@ aws iam create-role \
 aws iam attach-role-policy \
   --role-name mcp-lambda-example-servers \
   --policy-arn arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
+
+cdk bootstrap aws://<aws account id>/us-east-2
 ```
 
 Deploy the Lambda 'time' function - the deployed function will be named "mcp-server-time".
@@ -213,8 +218,6 @@ cd examples/servers/time/
 
 uv pip install -r requirements.txt
 
-cdk bootstrap aws://<aws account id>/us-east-2
-
 cdk deploy --app 'python3 cdk_stack.py'
 ```
 
@@ -241,8 +244,6 @@ npm link mcp-lambda
 
 npm run build
 
-cdk bootstrap aws://<aws account id>/us-east-2
-
 cdk deploy --app 'node lib/weather-alerts-mcp-server.js'
 ```
 
diff --git a/e2e_tests/python/main.py b/e2e_tests/python/main.py
@@ -25,7 +25,7 @@ class Configuration:
     def __init__(
         self,
         model_id="anthropic.claude-3-5-sonnet-20241022-v2:0",
-        region="us-west-2",
+        region="us-east-2",
     ) -> None:
         """Initialize configuration."""
         self.model_id = model_id
diff --git a/e2e_tests/setup/integ-test-authentication.yaml b/e2e_tests/setup/integ-test-authentication.yaml
@@ -1,13 +1,6 @@
 # This CloudFormation template configures an IAM identity provider that uses GitHub's OIDC,
 # enabling GitHub Actions to run the integration tests against the AWS account where this
 # template is deployed.
-#   aws cloudformation deploy \
-#       --template-file integ-test-authentication.yaml \
-#       --stack-name github-integ-test-identity-provider \
-#       --parameter-overrides GitHubOrg=awslabs RepositoryName=utilities-for-model-context-protocol-with-aws-lambda \
-#       --capabilities CAPABILITY_NAMED_IAM \
-#       --region us-east-2 \
-#       --profile mcp-lambda-cfn-integ-test-account
 
 Parameters:
   GitHubOrg:
@@ -69,58 +62,33 @@ Resources:
           # Allow integration tests to manage CloudFormation stacks to deploy the example MCP servers
           - Effect: Allow
             Action:
-              - "cloudformation:ContinueUpdateRollback"
-              - "cloudformation:CreateChangeSet"
-              - "cloudformation:DeleteChangeSet"
-              - "cloudformation:DeleteStack"
-              - "cloudformation:DescribeChangeSet"
-              - "cloudformation:DescribeStacks"
-              - "cloudformation:ExecuteChangeSet"
+              - "cloudformation:*"
             Resource:
               - !Sub "arn:aws:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/LambdaMcpServer-*"
           - Effect: Allow
             Action:
               - "ssm:GetParameter"
+              - "ssm:GetParameters"
             Resource:
               - !Sub "arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter/cdk-bootstrap/*/version"
-          # Allow CloudFormation to provision the resources for the example MCP servers
-          - Effect: Allow
-            Action:
-              - "lambda:*"
-              - "logs:*"
-            Resource: "*"
-            Condition:
-              "ForAnyValue:StringEquals":
-                "aws:CalledVia":
-                  - cloudformation.amazonaws.com
           - Effect: Allow
             Action:
               - "iam:PassRole"
             Resource:
-              - !GetAtt LambdaFunctionsRole.Arn
-            Condition:
-              "ForAnyValue:StringEquals":
-                "aws:CalledVia":
-                  - cloudformation.amazonaws.com
-          # Allow integration tests to upload templates and assets to the CDK bucket
+              - !Sub "arn:aws:iam::${AWS::AccountId}:role/cdk-*-cfn-exec-role-${AWS::AccountId}-${AWS::Region}"
+          # Allow CDK to manage templates and assets in the CDK bucket
           - Effect: Allow
             Action:
               - "s3:PutObject"
               - "s3:AbortMultipartUpload"
               - "s3:ListMultipartUploadParts"
-            Resource:
-              - "arn:aws:s3:::cdk*/*"
-          # Allow CloudFormation and Lambda to download templates and assets from the CDK bucket
-          - Effect: Allow
-            Action:
               - "s3:GetObject"
               - "s3:GetObjectVersion"
+              - "s3:ListBucket"
+              - "s3:GetBucketLocation"
+              - "s3:GetEncryptionConfiguration"
             Resource:
-              - "arn:aws:s3:::cdk*/*"
-            Condition:
-              "ForAnyValue:StringEquals":
-                "aws:CalledVia":
-                  - cloudformation.amazonaws.com
+              - "arn:aws:s3:::cdk*"
           # Allow integration tests to invoke Lambda functions and Bedrock models
           - Effect: Allow
             Action:
@@ -135,6 +103,38 @@ Resources:
       Roles:
         - !Ref IntegrationTestRole
 
+  # CDK will bootstrap a role with this policy, and will set it
+  # as the role for all deployed CloudFormation stacks
+  CdkCfnExecutionPolicy:
+    Type: "AWS::IAM::ManagedPolicy"
+    Properties:
+      ManagedPolicyName: mcp-lambda-integ-test-cdk-cfn-execution
+      PolicyDocument:
+        Version: "2012-10-17"
+        Statement:
+          - Effect: Allow
+            Action:
+              - "lambda:*"
+              - "logs:*"
+            Resource: "*"
+          - Effect: Allow
+            Action:
+              - "iam:PassRole"
+            Resource:
+              - !GetAtt LambdaFunctionsRole.Arn
+          - Effect: Allow
+            Action:
+              - "s3:GetObject"
+              - "s3:GetObjectVersion"
+            Resource:
+              - "arn:aws:s3:::cdk*"
+          - Effect: Allow
+            Action:
+              - "ssm:GetParameter"
+              - "ssm:GetParameters"
+            Resource:
+              - !Sub "arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter/cdk-bootstrap/*/version"
+
   LambdaFunctionsRole:
     Type: AWS::IAM::Role
     Properties:
diff --git a/e2e_tests/setup/setup.md b/e2e_tests/setup/setup.md
@@ -0,0 +1,16 @@
+To set up an AWS account for running integration tests on GitHub:
+
+```bash
+aws cloudformation deploy \
+    --template-file integ-test-authentication.yaml \
+    --stack-name github-integ-test-identity-provider \
+    --parameter-overrides GitHubOrg=awslabs RepositoryName=utilities-for-model-context-protocol-with-aws-lambda \
+    --capabilities CAPABILITY_NAMED_IAM \
+    --region us-east-2
+
+AWS_ACCOUNT_ID=$(aws sts get-caller-identity --query "Account" --output text)
+
+cdk bootstrap \
+    aws://$AWS_ACCOUNT_ID/us-east-2 \
+    --cloudformation-execution-policies "arn:aws:iam::$AWS_ACCOUNT_ID:policy/mcp-lambda-integ-test-cdk-cfn-execution"
+```
diff --git a/e2e_tests/typescript/src/configuration.ts b/e2e_tests/typescript/src/configuration.ts
@@ -1,5 +1,5 @@
-import { BedrockRuntimeClient } from '@aws-sdk/client-bedrock-runtime';
-import * as fs from 'fs';
+import { BedrockRuntimeClient } from "@aws-sdk/client-bedrock-runtime";
+import * as fs from "fs";
 
 /**
  * Manages configuration for the MCP client and the Bedrock client.
@@ -12,8 +12,8 @@ export class Configuration {
    * Initialize configuration.
    */
   constructor(
-    modelId: string = 'anthropic.claude-3-5-sonnet-20241022-v2:0',
-    region: string = 'us-west-2'
+    modelId: string = "anthropic.claude-3-5-sonnet-20241022-v2:0",
+    region: string = "us-east-2"
   ) {
     this.modelId = modelId;
     this.region = region;
@@ -27,10 +27,10 @@ export class Configuration {
    */
   static loadConfig(filePath: string): Record<string, any> {
     try {
-      const fileContent = fs.readFileSync(filePath, 'utf8');
+      const fileContent = fs.readFileSync(filePath, "utf8");
       return JSON.parse(fileContent);
     } catch (e) {
-      if ((e as NodeJS.ErrnoException).code === 'ENOENT') {
+      if ((e as NodeJS.ErrnoException).code === "ENOENT") {
         throw new Error(`Configuration file not found: ${filePath}`);
       } else {
         throw new Error(`Error parsing configuration file: ${e}`);
diff --git a/examples/chatbots/python/main.py b/examples/chatbots/python/main.py
@@ -25,7 +25,7 @@ class Configuration:
     def __init__(
         self,
         model_id="anthropic.claude-3-5-sonnet-20241022-v2:0",
-        region="us-west-2",
+        region="us-east-2",
     ) -> None:
         """Initialize configuration."""
         self.model_id = model_id
diff --git a/examples/chatbots/typescript/src/configuration.ts b/examples/chatbots/typescript/src/configuration.ts
@@ -1,5 +1,5 @@
-import { BedrockRuntimeClient } from '@aws-sdk/client-bedrock-runtime';
-import * as fs from 'fs';
+import { BedrockRuntimeClient } from "@aws-sdk/client-bedrock-runtime";
+import * as fs from "fs";
 
 /**
  * Manages configuration for the MCP client and the Bedrock client.
@@ -12,8 +12,8 @@ export class Configuration {
    * Initialize configuration.
    */
   constructor(
-    modelId: string = 'anthropic.claude-3-5-sonnet-20241022-v2:0',
-    region: string = 'us-west-2'
+    modelId: string = "anthropic.claude-3-5-sonnet-20241022-v2:0",
+    region: string = "us-east-2"
   ) {
     this.modelId = modelId;
     this.region = region;
@@ -27,10 +27,10 @@ export class Configuration {
    */
   static loadConfig(filePath: string): Record<string, any> {
     try {
-      const fileContent = fs.readFileSync(filePath, 'utf8');
+      const fileContent = fs.readFileSync(filePath, "utf8");
       return JSON.parse(fileContent);
     } catch (e) {
-      if ((e as NodeJS.ErrnoException).code === 'ENOENT') {
+      if ((e as NodeJS.ErrnoException).code === "ENOENT") {
         throw new Error(`Configuration file not found: ${filePath}`);
       } else {
         throw new Error(`Error parsing configuration file: ${e}`);
