Merge pull request #658 from VipulMascarenhas/update_aihub_policies

qiuosier · web-flow · commit 711c63a6f20f · 2025-10-08T12:28:58.000-04:00
Update AI Hub policies
diff --git a/.github/workflows/stack.yml b/.github/workflows/stack.yml
@@ -24,8 +24,6 @@ jobs:
       run: |
         set -euo pipefail
         RELEASE=$(cat VERSION)
-        # temporarily hardcode solution versions
-        AI_HUB_SOLUTION_VERSION=3.1
         
         # oci-ods-aqua
         STACKNAME=oci-ods-aqua
@@ -59,7 +57,6 @@ jobs:
           echo "aqua=${STACKNAME}"
           echo "ai_document_converter=${DOC_CONVERTER_STACKNAME}"
           echo "ai_translation=${TRANSLATION_STACKNAME}"
-          echo "ai_hub_solution_version=${AI_HUB_SOLUTION_VERSION}"
         } >> $GITHUB_OUTPUT
 
     - name: Prepare Release Notes
@@ -69,8 +66,6 @@ jobs:
         aqua="${{ steps.create_stacks.outputs.aqua }}"
         ai_document_converter="${{ steps.create_stacks.outputs.ai_document_converter }}"
         ai_translation="${{ steps.create_stacks.outputs.ai_translation }}"
-        ai_hub_solution_version="${{ steps.create_stacks.outputs.ai_hub_solution_version }}"
-        
         {
           printf '# Stacks - v%s\n\n' "$rel"
           printf '### %s\n' "$aqua"
@@ -84,8 +79,8 @@ jobs:
 
           printf '[magic_button]: https://oci-resourcemanager-plugin.plugins.oci.oraclecloud.com/latest/deploy-to-oracle-cloud.svg\n'
           printf '[magic_stack_aqua]: https://cloud.oracle.com/resourcemanager/stacks/create?zipUrl=https://github.com/${{ github.repository }}/releases/download/%s/%s.zip\n' "$rel" "$aqua"
-          printf '[magic_stack_ai_document_converter]: https://cloud.oracle.com/resourcemanager/stacks/create?zipUrl=https://github.com/${{ github.repository }}/releases/download/%s/%s.zip\n' "$ai_hub_solution_version" "$ai_document_converter"
-          printf '[magic_stack_ai_translation]: https://cloud.oracle.com/resourcemanager/stacks/create?zipUrl=https://github.com/${{ github.repository }}/releases/download/%s/%s.zip\n' "$ai_hub_solution_version" "$ai_translation"
+          printf '[magic_stack_ai_document_converter]: https://cloud.oracle.com/resourcemanager/stacks/create?zipUrl=https://github.com/${{ github.repository }}/releases/download/%s/%s.zip\n' "$rel" "$ai_document_converter"
+          printf '[magic_stack_ai_translation]: https://cloud.oracle.com/resourcemanager/stacks/create?zipUrl=https://github.com/${{ github.repository }}/releases/download/%s/%s.zip\n' "$rel" "$ai_translation"
         } > release.md
 
     - name: Create Release
diff --git a/VERSION b/VERSION
@@ -1 +1 @@
-3.1
+4.0
diff --git a/ai-hub/ai-document-converter/policies/terraform/api_gateway.tf b/ai-hub/ai-document-converter/policies/terraform/api_gateway.tf
@@ -40,7 +40,7 @@ resource "oci_apigateway_deployment" "ai_application_apigateway_deployment" {
           type                               = "OAUTH2"
           use_cookies_for_intermediate_steps = "true"
           use_cookies_for_session            = "true"
-          max_expiry_duration_in_hours = 1
+          max_expiry_duration_in_hours       = 1
         }
         validation_policy {
           additional_validation_policy {
@@ -112,7 +112,7 @@ resource "oci_apigateway_deployment" "ai_application_apigateway_deployment" {
       }
       methods = ["ANY"]
       path    = "/{req*}"
-       request_policies {
+      request_policies {
         header_transformations {
           set_headers {
             items {
diff --git a/ai-hub/ai-document-converter/policies/terraform/container_instances.tf b/ai-hub/ai-document-converter/policies/terraform/container_instances.tf
@@ -4,7 +4,7 @@ resource "oci_container_instances_container_instance" "ai_container_instance" {
   compartment_id      = var.vcn_compartment_id
   containers {
     #Required
-    image_url = local.image
+    image_url = local.container_image
 
     #Optional
     environment_variables = {
diff --git a/ai-hub/ai-document-converter/policies/terraform/identity_app.tf b/ai-hub/ai-document-converter/policies/terraform/identity_app.tf
@@ -4,8 +4,8 @@ resource "oci_identity_domains_app" "ai_application_confidential_app" {
     well_known_id = "CustomWebAppTemplateId"
   }
   client_type               = "confidential"
-  description               = "Confidential Application for AI Translation Application"
-  display_name              = "ai__translation_application_confidential_app_${random_string.randomstring.result}"
+  description               = "Confidential Application for AI Document Converter Application"
+  display_name              = "ai__doc_converter_application_confidential_app_${random_string.randomstring.result}"
   schemas                   = ["urn:ietf:params:scim:schemas:oracle:idcs:App"]
   allowed_operations        = ["introspect"]
   idcs_endpoint             = data.oci_identity_domain.application_identity_domain.url
@@ -14,7 +14,7 @@ resource "oci_identity_domains_app" "ai_application_confidential_app" {
   bypass_consent            = true
   allowed_grants            = ["authorization_code", "client_credentials", "urn:ietf:params:oauth:grant-type:jwt-bearer", "implicit"]
   all_url_schemes_allowed   = true
-  redirect_uris             = ["https://${oci_apigateway_gateway.ai_application_oci_apigateway_gateway.hostname}/", "https://${oci_apigateway_gateway.ai_application_oci_apigateway_gateway.hostname}/ui","https://${oci_apigateway_gateway.ai_application_oci_apigateway_gateway.hostname}/ui/", "https://${oci_apigateway_gateway.ai_application_oci_apigateway_gateway.hostname}/ui/gradio", "https://${oci_apigateway_gateway.ai_application_oci_apigateway_gateway.hostname}/ui/playground","https://${oci_apigateway_gateway.ai_application_oci_apigateway_gateway.hostname}/ui/docs", "https://${oci_apigateway_gateway.ai_application_oci_apigateway_gateway.hostname}/callback"]
+  redirect_uris             = ["https://${oci_apigateway_gateway.ai_application_oci_apigateway_gateway.hostname}/", "https://${oci_apigateway_gateway.ai_application_oci_apigateway_gateway.hostname}/ui", "https://${oci_apigateway_gateway.ai_application_oci_apigateway_gateway.hostname}/ui/", "https://${oci_apigateway_gateway.ai_application_oci_apigateway_gateway.hostname}/ui/gradio", "https://${oci_apigateway_gateway.ai_application_oci_apigateway_gateway.hostname}/ui/playground", "https://${oci_apigateway_gateway.ai_application_oci_apigateway_gateway.hostname}/ui/docs", "https://${oci_apigateway_gateway.ai_application_oci_apigateway_gateway.hostname}/callback"]
   post_logout_redirect_uris = ["https://${oci_apigateway_gateway.ai_application_oci_apigateway_gateway.hostname}/"]
   audience                  = oci_apigateway_gateway.ai_application_oci_apigateway_gateway.hostname
 }
diff --git a/ai-hub/ai-document-converter/policies/terraform/model.tf b/ai-hub/ai-document-converter/policies/terraform/model.tf
@@ -29,7 +29,7 @@ data "archive_file" "model_zip" {
 resource "oci_datascience_model" "ai_model" {
   compartment_id = var.data_science_project_compartment_id
   project_id     = var.project_ocid
-  display_name = var.model_display_name
+  display_name   = var.model_display_name
   description    = local.model_desc
 
   # Upload artifact inline (ZIP created above)
diff --git a/ai-hub/ai-document-converter/policies/terraform/model_deployment.tf b/ai-hub/ai-document-converter/policies/terraform/model_deployment.tf
@@ -20,7 +20,7 @@ resource "oci_datascience_model_deployment" "ai_deployment" {
         # subnet_id = var.subnet_ocid
         subnet_id = local.app_subnet_id
       }
-      model_id = oci_datascience_model.ai_model.id
+      model_id       = oci_datascience_model.ai_model.id
       bandwidth_mbps = var.deployment_bandwidth_mbps
       scaling_policy {
         instance_count = var.deployment_instance_count
@@ -41,21 +41,37 @@ resource "oci_datascience_model_deployment" "ai_deployment" {
         MAX_OUTPUT_TOKEN              = var.multimodal_max_output_token
         GENAI_COMPARTMENT_OCID        = var.genai_compartment_ocid
         PROMPT_VERSION                = var.prompt_version,
-        MODEL_DEPLOY_CUSTOM_ENDPOINTS = "[{\"endpointURI\": \"/api/list\", \"httpMethods\": [\"GET\"]}, {\"endpointURI\": \"/api/convert\", \"httpMethods\": [\"POST\"]}, {\"endpointURI\": \"/api/convert/file\", \"httpMethods\": [\"POST\"]}]"
+        MODEL_DEPLOY_CUSTOM_ENDPOINTS = "[{\"endpointURI\": \"/api/list\", \"httpMethods\": [\"GET\"]}, {\"endpointURI\": \"/api/convert\", \"httpMethods\": [\"POST\"]}, {\"endpointURI\": \"/api/convert/file\", \"httpMethods\": [\"POST\"]}, {\"endpointURI\": \"/mcp/\", \"httpMethods\": [\"POST\"], \"streaming\": true}]"
       }
     }
   }
 
   # Logging, use the same log group and log ocid to reduce the variables.
-  category_log_details {
-    access {
-      log_group_id = var.log_group_ocid
-      log_id       = var.log_ocid
-    }
-    predict {
-      log_group_id = var.log_group_ocid
-      log_id       = var.log_ocid
+  dynamic "category_log_details" {
+    for_each = (
+      var.log_group_ocid != null && var.log_ocid != "" &&
+      var.log_group_ocid != null && var.log_ocid != ""
+    ) ? [1] : []
+
+    content {
+      access {
+        log_group_id = var.log_group_ocid
+        log_id       = var.log_ocid
+      }
+      predict {
+        log_group_id = var.log_group_ocid
+        log_id       = var.log_ocid
+      }
     }
   }
 
+  freeform_tags = {
+    "ai-hub-solution-name"       = "PDF to markdown conversion"
+    "ai_solution_playground_url" = "https://${oci_apigateway_gateway.ai_application_oci_apigateway_gateway.hostname}/"
+    "ai_solution_mcp_endpoint" = "https://${oci_apigateway_gateway.ai_application_oci_apigateway_gateway.hostname}/mcp"
+    "ai_solution_api_endpoint_list_apis" = "https://${oci_apigateway_gateway.ai_application_oci_apigateway_gateway.hostname}/api/convert"
+  }
+
+  depends_on = [oci_identity_policy.ai_solution_policies]
+
 }
diff --git a/ai-hub/ai-document-converter/policies/terraform/output.tf b/ai-hub/ai-document-converter/policies/terraform/output.tf
@@ -3,11 +3,6 @@ output "base_url" {
   value       = "${oci_apigateway_deployment.ai_application_apigateway_deployment.endpoint}"
 }
 
-output "mcp_endpoint" {
-  description = "MCP Endpoint"
-  value       = "${oci_apigateway_deployment.ai_application_apigateway_deployment.endpoint}mcp"
-}
-
 output "playground_ui" {
   description = "Playground UI"
   value       = "${oci_apigateway_deployment.ai_application_apigateway_deployment.endpoint}ui/playground"
@@ -23,17 +18,22 @@ output "api_schema" {
   value       = "${oci_apigateway_deployment.ai_application_apigateway_deployment.endpoint}api/openapi.json"
 }
 
+output "mcp_endpoint" {
+  description = "MCP Endpoint"
+  value       = "${oci_datascience_model_deployment.ai_deployment.model_deployment_url}/predictWithResponseStream/mcp/"
+}
+
 output "api_endpoint_convert" {
   description = "API Endpoint - Convert PDF from Object Storage to Markdown"
-  value       = "${oci_apigateway_deployment.ai_application_apigateway_deployment.endpoint}api/convert"
+  value       = "${oci_datascience_model_deployment.ai_deployment.model_deployment_url}/predict/api/convert"
 }
 
 output "api_endpoint_convert_file" {
   description = "API Endpoint - Convert PDF uploaded as file to Markdown"
-  value       = "${oci_apigateway_deployment.ai_application_apigateway_deployment.endpoint}api/convert/file"
+  value       = "${oci_datascience_model_deployment.ai_deployment.model_deployment_url}/predict/api/convert/file"
 }
 
 output "api_endpoint_list_apis" {
   description = "API Endpoint - Supported APIs for Document Conversion"
-  value       = "${oci_apigateway_deployment.ai_application_apigateway_deployment.endpoint}api/list"
+  value       = "${oci_datascience_model_deployment.ai_deployment.model_deployment_url}/predict/api/list"
 }
diff --git a/ai-hub/ai-document-converter/policies/terraform/policies.tf b/ai-hub/ai-document-converter/policies/terraform/policies.tf
@@ -0,0 +1,26 @@
+resource "oci_identity_dynamic_group" "ai_solution_group" {
+  compartment_id = var.tenancy_ocid
+  description    = "Dynamic Group for AI Solution"
+  name           = "ai_solution_group-${random_string.randomstring.result}"
+  matching_rule  = "any { all {resource.type='datasciencemodeldeployment',resource.compartment.id='${var.data_science_project_compartment_id}'}, all {resource.type='apigateway',resource.compartment.id='${var.compartment_id}'},all {resource.type='computecontainerinstance',resource.compartment.id='${var.vcn_compartment_id}'},all {resource.type='datasciencejobrun', resource.compartment.id='${var.data_science_project_compartment_id}'}}"
+}
+
+locals {
+  policies = [
+    "allow service datascience to use virtual-network-family in compartment id ${var.vcn_compartment_id}",
+    "allow dynamic-group ${oci_identity_dynamic_group.ai_solution_group.name} to manage secret-family in compartment id ${var.vault_compartment_id}",
+    "allow dynamic-group ${oci_identity_dynamic_group.ai_solution_group.name} to use virtual-network-family in compartment id ${var.vcn_compartment_id}",
+    "allow dynamic-group ${oci_identity_dynamic_group.ai_solution_group.name} to use logging-family in compartment id ${var.log_compartment_id}",
+    "allow dynamic-group ${oci_identity_dynamic_group.ai_solution_group.name} to manage data-science-family in compartment id ${var.data_science_project_compartment_id}",
+    "allow dynamic-group ${oci_identity_dynamic_group.ai_solution_group.name} to manage generative-ai-family in tenancy",
+    "allow dynamic-group ${oci_identity_dynamic_group.ai_solution_group.name} to read repos in tenancy"
+  ]
+}
+
+resource "oci_identity_policy" "ai_solution_policies" {
+    compartment_id = "${var.tenancy_ocid}"
+    description    = "Dynamic group policies for AI Solution"
+    name           = "ai_solution_policies-${random_string.randomstring.result}"
+    statements     = local.policies
+    depends_on = [oci_identity_dynamic_group.ai_solution_group]
+}
diff --git a/ai-hub/ai-document-converter/policies/terraform/schema.yaml b/ai-hub/ai-document-converter/policies/terraform/schema.yaml
@@ -63,6 +63,9 @@ variableGroups:
       - data_science_project_compartment_id
       - project_ocid
       - deployment_display_name
+      - log_compartment_id
+      - log_group_ocid
+      - log_ocid
       
 
 variables:
@@ -264,6 +267,12 @@ variables:
     title: Model Deployment display name
     description: A user-friendly name to help you easily identify the Model Deployment resource in Data Science Project.
     required: true
+  log_compartment_id:
+    type: oci:identity:compartment:id
+    required: false
+    title: Logs Compartment Id
+    description: Compartment in which Log Group and Logs are present.
+    default: compartment_ocid
   log_group_ocid:
     type: string
     title: Log Group ocid
diff --git a/ai-hub/ai-document-converter/policies/terraform/variables.tf b/ai-hub/ai-document-converter/policies/terraform/variables.tf
@@ -94,17 +94,23 @@ variable "data_science_project_compartment_id" {
   type        = string
 }
 variable "project_ocid" {
-  type = string
+  type        = string
   description = "Data Science project in which resources needs to be created"
 }
 
+variable "log_compartment_id" {
+  description = "Compartment in which Logs are present"
+  type        = string
+}
 variable "log_group_ocid" {
-  type = string
+  type        = string
   description = "Log Group Ocid where logs will be stored"
+  default = ""
 }
 variable "log_ocid" {
-  type = string
+  type        = string
   description = "Log ocid where where logs needs to be stored"
+  default = ""
 }
 
 variable "shape" {
@@ -149,14 +155,14 @@ variable "multimodal_llm_provider" {
   default = "genai"
 }
 variable "genai_compartment_ocid" {
-  type = string
+  type        = string
   description = "Gen AI Compartment OCID"
 }
 variable "multimodal_model_name" {
   default = "openai.gpt-4.1-mini"
 }
 variable "multimodal_model_endpoint" {
-  default = "https://inference.generativeai.us-chicago-1.oci.oraclecloud.com"
+  default = "https://inference.generativeai.us-ashburn-1.oci.oraclecloud.com"
 }
 variable "multimodal_max_output_token" {
   default = 8192
@@ -172,8 +178,9 @@ locals {
   app_subnet_id    = (var.create_new_vcn ? oci_core_subnet.app_oci_core_subnet[0].id : var.existing_app_subnet_id)
   api_gw_subnet_id = (var.create_new_vcn ? oci_core_subnet.api_gw_oci_core_subnet[0].id : var.existing_api_gw_subnet_id)
 
-  image    = "dsmc://ai-document-converter:0.1.0-dev.15"
-  digest   = "sha256:01bf5e53ea01377c63c42c1c30c12f4885de94b39e3a1b4edf5d195bfdfa0c9d"
+  container_image = "iad.ocir.io/id1ytzpctjnn/dsmc/aisolution/ai_document_converter:0.1.0"
+  image      = "dsmc://ai_document_converter:0.1.0"
+  digest     = "sha256:73555609549a33bd5e06a1bc7b17c596067e72f0fb17babe054cf11152dbc060"
   model_desc = "Data Science Model for PDF to Markdown Converter Deployment"
-  md_desc  = "Deployment for PDF to Markdown Converter"
+  md_desc    = "Deployment for PDF to Markdown Converter"
 }
diff --git a/ai-hub/ai-translation/policies/terraform/api_gateway.tf b/ai-hub/ai-translation/policies/terraform/api_gateway.tf
@@ -40,6 +40,7 @@ resource "oci_apigateway_deployment" "ai_application_apigateway_deployment" {
           type                               = "OAUTH2"
           use_cookies_for_intermediate_steps = "true"
           use_cookies_for_session            = "true"
+          max_expiry_duration_in_hours       = 1
         }
         validation_policy {
           additional_validation_policy {
diff --git a/ai-hub/ai-translation/policies/terraform/container_instances.tf b/ai-hub/ai-translation/policies/terraform/container_instances.tf
@@ -4,7 +4,7 @@ resource "oci_container_instances_container_instance" "ai_container_instance" {
   compartment_id      = var.vcn_compartment_id
   containers {
     #Required
-    image_url = local.image
+    image_url = local.container_image
 
     #Optional
     environment_variables = {
@@ -16,7 +16,7 @@ resource "oci_container_instances_container_instance" "ai_container_instance" {
       NUM_WORKERS              = var.num_workers
       TASK_STORE               = "TMPDIR"
       LOG_DIR                  = var.translation_log_dir
-      PROJECT_COMPARTMENT_OCID = var.compartment_ocid
+      PROJECT_COMPARTMENT_OCID = var.data_science_project_compartment_id
       PROCESSING_JOB_OCID      = oci_datascience_job.ai_job.id
       OCI_CACHE_ENDPOINT       = var.oci_cache_endpoint
       BACKEND_MD_URL           = oci_datascience_model_deployment.ai_deployment.model_deployment_url
diff --git a/ai-hub/ai-translation/policies/terraform/datascience_job.tf b/ai-hub/ai-translation/policies/terraform/datascience_job.tf
@@ -3,7 +3,7 @@ resource "oci_datascience_job" "ai_job" {
   # Required
   display_name   = var.job_display_name
   description    = local.job_desc
-  compartment_id = var.compartment_ocid
+  compartment_id = var.data_science_project_compartment_id
   project_id     = var.project_ocid
 
   job_configuration_details {
@@ -31,8 +31,8 @@ resource "oci_datascience_job" "ai_job" {
     job_environment_type = "OCIR_CONTAINER"
     image                = local.image
     # image_digest         = local.digest
-    entrypoint           = local.job_entrypoint
-    cmd                  = local.job_cmd
+    entrypoint = local.job_entrypoint
+    cmd        = local.job_cmd
   }
 
   # Logging
diff --git a/ai-hub/ai-translation/policies/terraform/identity_app.tf b/ai-hub/ai-translation/policies/terraform/identity_app.tf
@@ -14,7 +14,7 @@ resource "oci_identity_domains_app" "ai_application_confidential_app" {
   bypass_consent            = true
   allowed_grants            = ["authorization_code", "client_credentials", "urn:ietf:params:oauth:grant-type:jwt-bearer", "implicit"]
   all_url_schemes_allowed   = true
-  redirect_uris             = ["https://${oci_apigateway_gateway.ai_application_oci_apigateway_gateway.hostname}/","https://${oci_apigateway_gateway.ai_application_oci_apigateway_gateway.hostname}/ui/playground", "https://${oci_apigateway_gateway.ai_application_oci_apigateway_gateway.hostname}/ui", "https://${oci_apigateway_gateway.ai_application_oci_apigateway_gateway.hostname}/ui/docs", "https://${oci_apigateway_gateway.ai_application_oci_apigateway_gateway.hostname}/ui/"]
+  redirect_uris             = ["https://${oci_apigateway_gateway.ai_application_oci_apigateway_gateway.hostname}/", "https://${oci_apigateway_gateway.ai_application_oci_apigateway_gateway.hostname}/ui/playground", "https://${oci_apigateway_gateway.ai_application_oci_apigateway_gateway.hostname}/ui", "https://${oci_apigateway_gateway.ai_application_oci_apigateway_gateway.hostname}/ui/docs", "https://${oci_apigateway_gateway.ai_application_oci_apigateway_gateway.hostname}/ui/"]
   post_logout_redirect_uris = ["https://${oci_apigateway_gateway.ai_application_oci_apigateway_gateway.hostname}/"]
   audience                  = oci_apigateway_gateway.ai_application_oci_apigateway_gateway.hostname
 }
diff --git a/ai-hub/ai-translation/policies/terraform/model.tf b/ai-hub/ai-translation/policies/terraform/model.tf
@@ -27,9 +27,9 @@ data "archive_file" "model_zip" {
 
 # dummy Model catalog entry with artifact
 resource "oci_datascience_model" "ai_model" {
-  compartment_id = var.compartment_ocid
+  compartment_id = var.data_science_project_compartment_id
   project_id     = var.project_ocid
-  display_name = var.model_display_name
+  display_name   = var.model_display_name
   description    = local.model_desc
 
   # Upload artifact inline (ZIP created above)
diff --git a/ai-hub/ai-translation/policies/terraform/model_deployment.tf b/ai-hub/ai-translation/policies/terraform/model_deployment.tf
diff --git a/ai-hub/ai-translation/policies/terraform/output.tf b/ai-hub/ai-translation/policies/terraform/output.tf
diff --git a/ai-hub/ai-translation/policies/terraform/policies.tf b/ai-hub/ai-translation/policies/terraform/policies.tf
diff --git a/ai-hub/ai-translation/policies/terraform/schema.yaml b/ai-hub/ai-translation/policies/terraform/schema.yaml
diff --git a/ai-hub/ai-translation/policies/terraform/variables.tf b/ai-hub/ai-translation/policies/terraform/variables.tf
