add npm ignore

xjiaqing · xjiaqing · commit aadd14d0a6db · 2025-02-18T13:43:59.000+08:00
diff --git a/.npmignore b/.npmignore
@@ -0,0 +1,6 @@
+*.ts
+!*.d.ts
+
+# CDK asset staging directory
+.cdk.staging
+cdk.out
diff --git a/README.md b/README.md
@@ -1,19 +1,37 @@
-# serverless-dify
+# sample-serverless-dify-stack
 
-Deploy a dify cluster using Amazon serverless stack.
+Deploy [dify](https://dify.ai/) cluster using Amazon serverless services with AWS CDK.
 
+![architecture](./resources/architecture.png)
+
+### Key Features
+
+1. **Simplified Container Deployment:** Leverages AWS Elastic Container Registry (ECR) as the container orchestration tool, significantly reducing the complexity and entry barrier of containerized deployment.
+
+2. **Cost-Effective Scalability:** Implements AWS Serverless technology stack to ensure economic efficiency through elastic scaling, optimizing resource utilization based on actual demand.
+
+### Requirements
+
+1. Node.js (version 14.x or later) and TypeScript/JavaScript development environment
+
+2. CDK bootstrapped in your target region, refer to [here](https://docs.aws.amazon.com/cdk/v2/guide/getting_started.html) for detailed setup instructions.
 
 ### Deploy 
 
+1. Prepare env values, copy `.env.example` to `.env` and update the env values;
+
+2. Deploy the cdk stack using following command:
 ```
-npm install aws-cdk-lib@2.150.0
 cdk deploy --region <region-code> --all --concurrency 5 --require-approval never
 ```
+3. After deploy, you can find the dify endpoint in output: 
+```
+ ✅  ServerlessDifyStack
 
-## Security
-
-See [CONTRIBUTING](CONTRIBUTING.md#security-issue-notifications) for more information.
-
-## License
+✨  Deployment time: 435.37s
 
-This library is licensed under the MIT-0 License. See the LICENSE file.
+Outputs:
+ServerlessDifyStack.DifyEndpoint = Server-Ingre-xxxxxxx-xxxxxxx.us-east-1.elb.amazonaws.com
+Stack ARN:
+arn:aws:cloudformation:us-east-1:xxxxxxxx:stack/ServerlessDifyStack/16d8e980-ed22-11ef-b28b-xxxxxxxxxx
+```
diff --git a/bin/serverless-dify.ts b/bin/serverless-dify.ts
@@ -1,5 +1,6 @@
 #!/usr/bin/env node
 import * as cdk from 'aws-cdk-lib';
+import * as dotenv from 'dotenv';
 import 'source-map-support/register';
 import { CeleryBrokerStack } from '../lib/celery-broker-stack';
 import { DifyStack } from '../lib/dify-stack';
@@ -10,25 +11,10 @@ import { NetworkStack } from '../lib/network-stack';
 import { RedisStack } from '../lib/redis-stack';
 import { VectorStoreStack } from '../lib/vector-store-stack';
 
-const app = new cdk.App();
-
-// new ServerlessDifyStack(app, 'ServerlessDifyStack', {
-//   /* If you don't specify 'env', this stack will be environment-agnostic.
-//    * Account/Region-dependent features and context lookups will not work,
-//    * but a single synthesized template can be deployed anywhere. */
-
-//   /* Uncomment the next line to specialize this stack for the AWS Account
-//    * and Region that are implied by the current CLI configuration. */
-//   // env: { account: process.env.CDK_DEFAULT_ACCOUNT, region: process.env.CDK_DEFAULT_REGION },
-
-//   /* Uncomment the next line if you know exactly what Account and Region you
-//    * want to deploy the stack to. */
-//   // env: { account: '123456789012', region: 'us-east-1' },
-
-//   /* For more information, see https://docs.aws.amazon.com/cdk/latest/guide/environments.html */
-
-// });
+dotenv.config()
 
+// initialize cdk context
+const app = new cdk.App();
 
 // create network environment 
 const network = new NetworkStack(app, "ServerlessDifyNetworkStack", {})
@@ -59,12 +45,17 @@ const dify = new DifyStack(app, "ServerlessDifyStack", {
     redis: redis.exportProps(),
     celeryBroker: celeryBroker.exportProps(),
     smtp: {
-        host: "email-smtp.us-east-1.amazonaws.com",
-        port: 587,
-        username: "xxxxxxxxxxxxxxxxxxxxx",
-        password: "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
-        tls: true,
-        fromEmail: ""
+        host: process.env.SMTP_SERVER_HOST || 'email-smtp.us-east-1.amazonaws.com',
+        port: process.env.SMTP_SERVER_PORT || '578',
+        username: process.env.SMTP_SERVER_USERNAME || 'admin',
+        password: process.env.SMTP_SERVER_PASSWORD || 'admin',
+        tls: process.env.SMTP_SERVER_TLS_ENABLED == 'true' ? true : false,
+        fromEmail: process.env.SMTP_SERVER_SEND_FROM || 'admin@example.com'
+    },
+    difyVersion: {
+        api: process.env.DIFY_VERSION_API || 'latest',
+        web: process.env.DIFY_VERSION_WEB || 'latest',
+        sandbox: process.env.DIFY_VERSION_SANDBOX || 'latest'
     }
 })
 
diff --git a/cdk.json b/cdk.json
@@ -46,7 +46,7 @@
     "@aws-cdk/aws-secretsmanager:useAttachedSecretResourcePolicyForSecretTargetAttachments": true,
     "@aws-cdk/aws-redshift:columnId": true,
     "@aws-cdk/aws-stepfunctions-tasks:enableEmrServicePolicyV2": true,
-    "@aws-cdk/aws-ec2:restrictDefaultSecurityGroup": true,
+    "@aws-cdk/aws-ec2:ipv4IgnoreEgressRule": true,
     "@aws-cdk/aws-apigateway:requestValidatorUniqueId": true,
     "@aws-cdk/aws-kms:aliasNameRef": true,
     "@aws-cdk/aws-autoscaling:generateLaunchTemplateInsteadOfLaunchConfig": true,
@@ -68,4 +68,4 @@
     "@aws-cdk/aws-ecs:removeDefaultDeploymentAlarm": true,
     "@aws-cdk/custom-resources:logApiResponseDataPropertyTrueDefault": false
   }
-}
+}
diff --git a/lib/dify-stack.ts b/lib/dify-stack.ts
@@ -1,4 +1,4 @@
-import { Duration, Stack, StackProps } from "aws-cdk-lib";
+import { CfnOutput, Duration, Stack, StackProps } from "aws-cdk-lib";
 import { SecurityGroup, SubnetType } from "aws-cdk-lib/aws-ec2";
 import { Cluster, FargateService } from "aws-cdk-lib/aws-ecs";
 import { ApplicationListener, ApplicationProtocol, ListenerCondition } from "aws-cdk-lib/aws-elasticloadbalancingv2";
@@ -7,7 +7,7 @@ import { Construct } from "constructs";
 import { DifyApiTaskDefinitionStack } from "./task-definitions/dify-api";
 import { DifyWebTaskDefinitionStack } from "./task-definitions/dify-web";
 import { DifyWorkerTaskDefinitionStack } from "./task-definitions/dify-worker";
-import { DifyCeleryBrokerProps, DifyFileStoreProps, DifyIngressProps, DifyMetadataStoreProps, DifyNetworkProps, DifyRedisProps, DifyTaskDefinitionStackProps, DifyVectorStorePgProps, SmtpServerProps } from "./task-definitions/props";
+import { DifyCeleryBrokerProps, DifyFileStoreProps, DifyIngressProps, DifyMetadataStoreProps, DifyNetworkProps, DifyRedisProps, DifyTaskDefinitionStackProps, DifyVectorStorePgProps, DifyVersion, SmtpServerProps } from "./task-definitions/props";
 
 export interface DifyStackProps extends StackProps {
 
@@ -25,7 +25,9 @@ export interface DifyStackProps extends StackProps {
 
     readonly vectorStore: DifyVectorStorePgProps
 
-    readonly smtp: SmtpServerProps
+    readonly smtp: SmtpServerProps,
+
+    readonly difyVersion: DifyVersion
 }
 
 export class DifyStack extends Stack {
@@ -50,12 +52,15 @@ export class DifyStack extends Stack {
             metadataStore: props.metadataStore, vectorStore: props.vectorStore,
             apiSecretKey: new Secret(this, 'ServerlessDifyApiSecretKey', { generateSecretString: { passwordLength: 32 } }),
             sandboxCodeExecutionKey: new Secret(this, 'ServerlessDifySandboxCodeExecutionKey', { generateSecretString: { passwordLength: 32 } }),
-            stmp: props.smtp
+            stmp: props.smtp,
+            difyVersion: props.difyVersion
         }
 
         this.runApiService(difyTaskDefinitionStackProps)
         this.runWorkService(difyTaskDefinitionStackProps)
         this.runWebService(difyTaskDefinitionStackProps)
+
+        new CfnOutput(this, "DifyEndpoint", { value: props.ingress.lb.loadBalancerDnsName })
     }
 
 
@@ -73,15 +78,16 @@ export class DifyStack extends Stack {
         this.listener.addTargets('DifyApiTargets', {
             priority: 50000,
             targets: [service.loadBalancerTarget({ containerName: "main" })],
-            conditions: [ListenerCondition.pathPatterns(["/console/api/*", "/api/*", "/v1/", "/files/"])],
+            conditions: [ListenerCondition.pathPatterns(["/console/api/*", "/api/*", "/v1/*", "/files/*"])],
             targetGroupName: "serverless-dify-api-tg",
             port: DifyApiTaskDefinitionStack.DIFY_API_PORT,
             protocol: ApplicationProtocol.HTTP,
             healthCheck: {
                 path: DifyApiTaskDefinitionStack.HEALTHY_ENDPOINT,
-                healthyHttpCodes: '200',
+                healthyHttpCodes: '200-400',
                 interval: Duration.seconds(30),
-                timeout: Duration.seconds(5)
+                healthyThresholdCount: 3,
+                unhealthyThresholdCount: 10
             }
         })
 
diff --git a/lib/file-store-stack.ts b/lib/file-store-stack.ts
@@ -1,4 +1,4 @@
-import { RemovalPolicy, Stack, StackProps } from "aws-cdk-lib";
+import { Duration, RemovalPolicy, Stack, StackProps } from "aws-cdk-lib";
 import { Bucket } from "aws-cdk-lib/aws-s3";
 import { Construct } from "constructs";
 import { DifyFileStoreProps } from "./task-definitions/props";
@@ -10,9 +10,17 @@ export class FileStoreStack extends Stack {
     constructor(scope: Construct, id: string, props: StackProps) {
         super(scope, id, props)
 
-        this.bucket = new Bucket(this, 'ObjectStorage', {
-            removalPolicy: RemovalPolicy.DESTROY
+
+        this.bucket = new Bucket(this, 'ServerlessDifyObjectFileStore', {
+            removalPolicy: RemovalPolicy.DESTROY,
+            versioned: true,
         });
+
+        this.bucket.addLifecycleRule({
+            abortIncompleteMultipartUploadAfter: Duration.days(1),
+            noncurrentVersionExpiration: Duration.days(7),
+            noncurrentVersionsToRetain: 2,
+        })
     }
 
     public exportProps(): DifyFileStoreProps {
diff --git a/lib/task-definitions/dify-api.ts b/lib/task-definitions/dify-api.ts
@@ -1,6 +1,6 @@
-import { NestedStack, RemovalPolicy } from "aws-cdk-lib";
+import { Duration, NestedStack, RemovalPolicy } from "aws-cdk-lib";
 import { AppProtocol, AwsLogDriverMode, Compatibility, ContainerImage, CpuArchitecture, LogDriver, NetworkMode, OperatingSystemFamily, Protocol, Secret, TaskDefinition } from "aws-cdk-lib/aws-ecs";
-import { Role, ServicePrincipal } from "aws-cdk-lib/aws-iam";
+import { PolicyStatement, Role, ServicePrincipal } from "aws-cdk-lib/aws-iam";
 import { LogGroup, RetentionDays } from "aws-cdk-lib/aws-logs";
 import { Construct } from "constructs";
 import { DifyTaskDefinitionStackProps } from "./props";
@@ -18,13 +18,23 @@ export class DifyApiTaskDefinitionStack extends NestedStack {
 
         const taskRole = new Role(this, 'ServerlessDifyClusterApiTaskRole', {
             assumedBy: new ServicePrincipal('ecs-tasks.amazonaws.com'),
-            managedPolicies: [{ managedPolicyArn: 'arn:aws:iam::aws:policy/AdministratorAccess' }]
         })
+        taskRole.addToPrincipalPolicy(new PolicyStatement({
+            actions: [
+                'bedrock:InvokeModel',
+                'bedrock:InvokeModelWithResponseStream',
+                'bedrock:Rerank',
+                'bedrock:Retrieve',
+                'bedrock:RetrieveAndGenerate',
+            ],
+            resources: ['*']
+        }))
+
+        props.fileStore.bucket.grantReadWrite(taskRole)
 
         this.definition = new TaskDefinition(this, 'DifyApiTaskDefinitionStack', {
             family: "serverless-dify-api",
             taskRole: taskRole,
-            executionRole: taskRole,
             compatibility: Compatibility.EC2_AND_FARGATE,
             networkMode: NetworkMode.AWS_VPC,
             runtimePlatform: {
@@ -38,7 +48,7 @@ export class DifyApiTaskDefinitionStack extends NestedStack {
         this.definition.addContainer('api', {
             containerName: "main",
             essential: true,
-            image: ContainerImage.fromRegistry("langgenius/dify-api"),
+            image: ContainerImage.fromRegistry(`langgenius/dify-api:${props.difyVersion.api}`),
             cpu: 512,
             memoryLimitMiB: 1024,
             portMappings: [
@@ -58,6 +68,13 @@ export class DifyApiTaskDefinitionStack extends NestedStack {
                     logGroupName: '/ecs/serverless-dify/api'
                 }),
             }),
+            healthCheck: {
+                command: ['CMD-SHELL', 'curl -f http://localhost:5001/health || exit 1'],
+                interval: Duration.seconds(15),
+                startPeriod: Duration.seconds(90),
+                retries: 10,
+                timeout: Duration.seconds(5)
+            },
             environment: {
 
                 "MODE": "api",
@@ -127,7 +144,7 @@ export class DifyApiTaskDefinitionStack extends NestedStack {
 
         this.definition.addContainer('sandbox', {
             containerName: "sandbox",
-            image: ContainerImage.fromRegistry("langgenius/dify-sandbox"),
+            image: ContainerImage.fromRegistry(`langgenius/dify-sandbox:${props.difyVersion.sandbox}`),
             portMappings: [
                 { containerPort: 8194, hostPort: 8194, name: "serverless-dify-sandbox-8194-tcp", appProtocol: AppProtocol.http, protocol: Protocol.TCP }
             ],
diff --git a/lib/task-definitions/dify-web.ts b/lib/task-definitions/dify-web.ts
@@ -1,6 +1,6 @@
 import { NestedStack, RemovalPolicy } from "aws-cdk-lib";
 import { AppProtocol, AwsLogDriverMode, Compatibility, ContainerImage, CpuArchitecture, LogDriver, NetworkMode, OperatingSystemFamily, Protocol, TaskDefinition } from "aws-cdk-lib/aws-ecs";
-import { Role, ServicePrincipal } from "aws-cdk-lib/aws-iam";
+import { PolicyStatement, Role, ServicePrincipal } from "aws-cdk-lib/aws-iam";
 import { LogGroup, RetentionDays } from "aws-cdk-lib/aws-logs";
 import { Construct } from "constructs";
 import { DifyTaskDefinitionStackProps } from "./props";
@@ -18,8 +18,13 @@ export class DifyWebTaskDefinitionStack extends NestedStack {
 
         const taskRole = new Role(this, 'ServerlessDifyClusterWebTaskRole', {
             assumedBy: new ServicePrincipal('ecs-tasks.amazonaws.com'),
-            managedPolicies: [{ managedPolicyArn: 'arn:aws:iam::aws:policy/AdministratorAccess' }]
         })
+        taskRole.addToPrincipalPolicy(new PolicyStatement({
+            actions: ['bedrock:InvokeModel', 'bedrock:InvokeModelWithResponseStream'],
+            resources: ['*']
+        }))
+
+        props.fileStore.bucket.grantReadWrite(taskRole)
 
         this.definition = new TaskDefinition(this, 'DifyWebTaskDefinitionStack', {
             family: "serverless-dify-web",
@@ -38,7 +43,7 @@ export class DifyWebTaskDefinitionStack extends NestedStack {
         this.definition.addContainer('web', {
             containerName: "main",
             essential: true,
-            image: ContainerImage.fromRegistry("langgenius/dify-web"),
+            image: ContainerImage.fromRegistry(`langgenius/dify-web:${props.difyVersion.web}`),
             cpu: 512,
             memoryLimitMiB: 1024,
             portMappings: [{
diff --git a/lib/task-definitions/dify-worker.ts b/lib/task-definitions/dify-worker.ts
@@ -1,6 +1,6 @@
 import { NestedStack, RemovalPolicy } from "aws-cdk-lib";
 import { AwsLogDriverMode, Compatibility, ContainerImage, CpuArchitecture, LogDriver, NetworkMode, OperatingSystemFamily, Secret, TaskDefinition } from "aws-cdk-lib/aws-ecs";
-import { Role, ServicePrincipal } from "aws-cdk-lib/aws-iam";
+import { PolicyStatement, Role, ServicePrincipal } from "aws-cdk-lib/aws-iam";
 import { LogGroup, RetentionDays } from "aws-cdk-lib/aws-logs";
 import { Construct } from "constructs";
 import { DifyTaskDefinitionStackProps } from "./props";
@@ -14,9 +14,15 @@ export class DifyWorkerTaskDefinitionStack extends NestedStack {
 
         const taskRole = new Role(this, 'ServerlessDifyClusterWorkerTaskRole', {
             assumedBy: new ServicePrincipal('ecs-tasks.amazonaws.com'),
-            managedPolicies: [{ managedPolicyArn: 'arn:aws:iam::aws:policy/AdministratorAccess' }]
         })
 
+        taskRole.addToPrincipalPolicy(new PolicyStatement({
+            actions: ['bedrock:InvokeModel', 'bedrock:InvokeModelWithResponseStream'],
+            resources: ['*']
+        }))
+
+        props.fileStore.bucket.grantReadWrite(taskRole)
+
         this.definition = new TaskDefinition(this, 'DifyWorkerTaskDefinitionStack', {
             family: "serverless-dify-worker",
             taskRole: taskRole,
@@ -34,7 +40,7 @@ export class DifyWorkerTaskDefinitionStack extends NestedStack {
         this.definition.addContainer('worker', {
             containerName: "worker",
             essential: true,
-            image: ContainerImage.fromRegistry('langgenius/dify-api'),
+            image: ContainerImage.fromRegistry(`langgenius/dify-api:${props.difyVersion.api}`),
             command: ['worker'],
             cpu: 512,
             memoryLimitMiB: 1024,
diff --git a/lib/task-definitions/props.ts b/lib/task-definitions/props.ts
@@ -18,7 +18,9 @@ export interface DifyCeleryBrokerProps { hostname: string, port: string }
 
 export interface DifyIngressProps { lb: ApplicationLoadBalancer, listener: ApplicationListener }
 
-export interface SmtpServerProps { host: string, port: number, username: string, password: string, tls: boolean, fromEmail: string }
+export interface SmtpServerProps { host: string, port: string, username: string, password: string, tls: boolean, fromEmail: string }
+
+export interface DifyVersion { api: string, web: string, sandbox: string }
 
 export interface DifyTaskDefinitionStackProps extends StackProps {
 
@@ -40,4 +42,5 @@ export interface DifyTaskDefinitionStackProps extends StackProps {
 
     stmp: SmtpServerProps
 
+    difyVersion: DifyVersion
 }
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json

-Original file line number
+Diff line change
@@ @@ -0,0 +1,6 @@ @@
 +*.ts
 +!*.d.ts
++
 +# CDK asset staging directory
 +.cdk.staging
 +cdk.out