AWSTemplateFormatVersion: '2010-09-09' Description: VPC Mode with no internet access - Provision an Amazon SageMaker Studio domain, a user profile, and the JupyterServer app. Parameters: UserProfileName: Type: String Description: User profile name Default: default-user CoreNetworkingStackName: Description: Name of the networking stack you created earlier Type: String Mappings: SageMakerImageRegionToAccountMap: us-east-1: accountid: '081325390199' us-east-2: accountid: '429704687514' us-west-1: accountid: '742091327244' us-west-2: accountid: '236514542706' af-south-1: accountid: '559312083959' ap-east-1: accountid: '493642496378' ap-south-1: accountid: '394103062818' ap-northeast-2: accountid: '806072073708' ap-southeast-1: accountid: '492261229750' ap-southeast-2: accountid: '452832661640' ap-northeast-1: accountid: '102112518831' ca-central-1: accountid: '310906938811' eu-central-1: accountid: '936697816551' eu-west-1: accountid: '470317259841' eu-west-2: accountid: '712779665605' eu-west-3: accountid: '615547856133' eu-north-1: accountid: '243637512696' eu-south-1: accountid: '592751261982' sa-east-1: accountid: '782484402741' Resources: StudioDomain: Type: AWS::SageMaker::Domain Properties: AuthMode: IAM AppNetworkAccessType: "VpcOnly" DefaultUserSettings: ExecutionRole: !GetAtt SageMakerExecutionRole.Arn SecurityGroups: - Fn::ImportValue: !Sub '${CoreNetworkingStackName}-SecurityGroup' DomainName: !Sub '${AWS::StackName}' SubnetIds: - Fn::ImportValue: !Sub '${CoreNetworkingStackName}-Subnet1' - Fn::ImportValue: !Sub '${CoreNetworkingStackName}-Subnet2' VpcId: Fn::ImportValue: !Sub '${CoreNetworkingStackName}-VPC' UserProfile: Type: AWS::SageMaker::UserProfile Properties: DomainId: !Ref StudioDomain UserProfileName: !Ref UserProfileName UserSettings: ExecutionRole: !GetAtt SageMakerExecutionRole.Arn JupyterServerAppSettings: DefaultResourceSpec: InstanceType: system SageMakerImageArn: Fn::Sub: - 'arn:aws:sagemaker:${AWS::Region}:${AccountId}:image/jupyter-server-3' - AccountId: !FindInMap [SageMakerImageRegionToAccountMap, !Ref 'AWS::Region', accountid] JupyterServerApp: Type: AWS::SageMaker::App DependsOn: UserProfile Properties: AppName: default AppType: JupyterServer DomainId: !Ref StudioDomain UserProfileName: !Ref UserProfileName ResourceSpec: SageMakerImageArn: Fn::Sub: - 'arn:aws:sagemaker:${AWS::Region}:${AccountId}:image/jupyter-server-3' - AccountId: !FindInMap [SageMakerImageRegionToAccountMap, !Ref 'AWS::Region', accountid] DataScienceApp: Type: AWS::SageMaker::App DependsOn: UserProfile Properties: AppName: datascience-ml-t3-medium AppType: KernelGateway DomainId: !Ref StudioDomain UserProfileName: !Ref UserProfileName ResourceSpec: InstanceType: ml.t3.medium SageMakerImageArn: Fn::Sub: - 'arn:aws:sagemaker:${AWS::Region}:${AccountId}:image/sagemaker-data-science-38' - AccountId: !FindInMap [SageMakerImageRegionToAccountMap, !Ref 'AWS::Region', accountid] SageMakerExecutionRole: Type: AWS::IAM::Role Properties: RoleName: !Sub 'AmazonSageMakerExecutionRole-${AWS::StackName}' AssumeRolePolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Principal: Service: - sagemaker.amazonaws.com Action: - sts:AssumeRole Path: / ManagedPolicyArns: - arn:aws:iam::aws:policy/AmazonSageMakerFullAccess - arn:aws:iam::aws:policy/AmazonS3FullAccess Outputs: StudioDomainArn: Description: The Amazon Resource Name of the Amazon SageMaker Studio domain Value: !GetAtt StudioDomain.DomainArn UserProfileArn: Description: The Amazon Resource Name of the Amazon SageMaker Studio user profile Value: !GetAtt UserProfile.UserProfileArn