# Copyright 2021 Amazon.com, Inc. or its affiliates. All Rights Reserved. # SPDX-License-Identifier: MIT-0 # The following template is designed to provision and configure a shared service secure environment for data science teams. # This template creates shared service infrastructure: a VPC with private subnets, data science administrator & service # catalog launch roles, shared ECR repository, shared CodeArtifact repository, shared data lake S3 bucket, detective control # lambda function and service catalog portfolio and products. # Lastly the template stores outputs into Parameter Store so they can be referenced later by SC products. Description: Creates Data Science Shared Service Infrastructure Outputs: AssumeDataScienceAdminRole: Description: URL for assuming the role of a data science admininstrator Value: !Sub 'https://signin.aws.amazon.com/switchrole?account=${AWS::AccountId}&roleName=${DataSciencePrincipals.Outputs.DSAdministratorName}&displayName=${DataSciencePrincipals.Outputs.DSAdministratorName}' QuickstartMode: Description: Whether this stack set was deployed as a quickstart Value: !Ref QuickstartMode Export: Name: !Sub '${SharedServiceStackSetName}-QuickstartMode' Parameters: SharedServiceStackSetName: Type: String Default: DSSharedServices Description: Name to be used as a common root across all shared service resources for reference from other Cloudformation stacks SageMakerStudioVpcCIDR: Type: String Default: 10.2.0.0/16 Description: CIDR range for SageMaker Studio VPC AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$' SageMakerStudioSubnet1CIDR: Type: String Default: 10.2.1.0/24 Description: CIDR range for SageMaker Studio Subnet A AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$' SageMakerStudioSubnet2CIDR: Type: String Default: 10.2.2.0/24 Description: CIDR range for SageMaker Studio Subnet B AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$' SageMakerStudioSubnet3CIDR: Type: String Default: 10.2.3.0/24 Description: CIDR range for SageMaker Studio Subnet C AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$' SharedECRRepositoryName: Type: String Default: ds-shared-container-images Description: Shared ECR Repository name to be used across all data science projects supported by this stack QuickstartMode: Type: String Default: true AllowedValues: - true - false Description: true indicates a quickstart-style deployment, false indicates a workshop deployment Conditions: IsAQuickstart: !Equals [ !Ref QuickstartMode, true ] Resources: DataScienceAdministratorPortfolio: Type: 'AWS::ServiceCatalog::Portfolio' Condition: IsAQuickstart Properties: ProviderName: 'Cloud Operations Team' Description: 'This portfolio is a collection of products designed to support managing data science teams' DisplayName: 'Data Science Administrator Portfolio' DSSageMakerStudioProduct: Type: 'AWS::ServiceCatalog::CloudFormationProduct' Condition: IsAQuickstart Properties: Name: 'SageMaker Studio Product' Description: 'Onboards SageMaker Studio Domain to the AWS Account.' Owner: 'Data Science Administration Office' ProvisioningArtifactParameters: - Name: 'DS SageMaker Studio v1' Info: LoadTemplateFromURL: 'https://s3.amazonaws.com/< S3_CFN_STAGING_BUCKET_PATH >/ds_env_sagemaker_studio.yaml' DSEnvironmentProduct: Type: 'AWS::ServiceCatalog::CloudFormationProduct' Condition: IsAQuickstart Properties: Name: 'Data Science Team Environment' Description: 'S3 buckets for hosting data and model, KMS Key and AWS Code Commit git repository to support data science teams.' Owner: 'Data Science Administration Office' ProvisioningArtifactParameters: - Name: 'DS Environment v1' Info: LoadTemplateFromURL: 'https://s3.amazonaws.com/< S3_CFN_STAGING_BUCKET_PATH >/ds_environment.yaml' DSUserProfileProduct: Type: 'AWS::ServiceCatalog::CloudFormationProduct' Condition: IsAQuickstart Properties: Name: 'Data Science Studio User Profile' Description: 'Creates a SageMaker Studio User Profile.' Owner: 'Data Science Administration Office' ProvisioningArtifactParameters: - Name: 'DS SageMaker Studio User Profile v1' Info: LoadTemplateFromURL: 'https://s3.amazonaws.com/< S3_CFN_STAGING_BUCKET_PATH >/ds_env_studio_user_profile_v1.yaml' SCPortfolioSageMakerStudioProductAssociation: Type: 'AWS::ServiceCatalog::PortfolioProductAssociation' Condition: IsAQuickstart Properties: PortfolioId: !Ref DataScienceAdministratorPortfolio ProductId: !Ref DSSageMakerStudioProduct SCPortfolioDSEnvironmentProductAssociation: Type: 'AWS::ServiceCatalog::PortfolioProductAssociation' Condition: IsAQuickstart Properties: PortfolioId: !Ref DataScienceAdministratorPortfolio ProductId: !Ref DSEnvironmentProduct SCPortfolioDSUserProfileProductAssociation : Type: 'AWS::ServiceCatalog::PortfolioProductAssociation' Condition: IsAQuickstart Properties: PortfolioId: !Ref DataScienceAdministratorPortfolio ProductId: !Ref DSUserProfileProduct DSAdminPortfolioPrincipleAssociation: Type: 'AWS::ServiceCatalog::PortfolioPrincipalAssociation' Condition: IsAQuickstart Properties: PortfolioId: !Ref DataScienceAdministratorPortfolio PrincipalARN: !GetAtt DataSciencePrincipals.Outputs.DSAdministratorArn PrincipalType: IAM DSSageMakerStudioProductLaunchRoleConstraint: Type: 'AWS::ServiceCatalog::LaunchRoleConstraint' Condition: IsAQuickstart DependsOn: SCPortfolioSageMakerStudioProductAssociation Properties: Description: The Launch Role SC uses to launch product PortfolioId: !Ref DataScienceAdministratorPortfolio ProductId: !Ref DSSageMakerStudioProduct RoleArn: !GetAtt DataSciencePrincipals.Outputs.SCLaunchRoleArn DSEnvironmentProductLaunchRoleConstraint: Type: 'AWS::ServiceCatalog::LaunchRoleConstraint' Condition: IsAQuickstart DependsOn: SCPortfolioDSEnvironmentProductAssociation Properties: Description: The Launch Role SC uses to launch product PortfolioId: !Ref DataScienceAdministratorPortfolio ProductId: !Ref DSEnvironmentProduct RoleArn: !GetAtt DataSciencePrincipals.Outputs.SCLaunchRoleArn DSUserProfileProductLaunchRoleConstraint: Type: 'AWS::ServiceCatalog::LaunchRoleConstraint' Condition: IsAQuickstart DependsOn: SCPortfolioDSUserProfileProductAssociation Properties: Description: The Launch Role SC uses to launch product PortfolioId: !Ref DataScienceAdministratorPortfolio ProductId: !Ref DSUserProfileProduct RoleArn: !GetAtt DataSciencePrincipals.Outputs.SCLaunchRoleArn DataSciencePrincipals: Type: AWS::CloudFormation::Stack Properties: Parameters: StackSetName: !Ref SharedServiceStackSetName TemplateURL: ds_admin_principals.yaml SharedCloudArtifactRepository: Type: AWS::CloudFormation::Stack Properties: Parameters: StackSetName: !Ref SharedServiceStackSetName TemplateURL: ds_shared_code_artifact.yaml SharedDataScienceECR: Type: AWS::CloudFormation::Stack Properties: Parameters: SharedServiceStackSetName: !Ref SharedServiceStackSetName ECRRepositoryName: !Ref SharedECRRepositoryName TemplateURL: ds_shared_ecr.yaml SharedSageMakerNetwork: Type: AWS::CloudFormation::Stack Properties: Parameters: SharedServiceStackSetName: !Ref SharedServiceStackSetName SageMakerStudioVpcCIDR: !Ref SageMakerStudioVpcCIDR SageMakerStudioSubnet1CIDR: !Ref SageMakerStudioSubnet1CIDR SageMakerStudioSubnet2CIDR: !Ref SageMakerStudioSubnet2CIDR SageMakerStudioSubnet3CIDR: !Ref SageMakerStudioSubnet3CIDR TemplateURL: ds_shared_sagemaker_network.yaml Tags: - Key: Name Value: !Sub "ds-vpc-${SharedServiceStackSetName}" SharedDataLake: Type: AWS::CloudFormation::Stack DependsOn: SharedSageMakerNetwork Properties: Parameters: SharedServiceStackSetName: !Ref SharedServiceStackSetName TemplateURL: ds_shared_data_lake.yaml SageMakerDetectiveControl: Type: AWS::CloudFormation::Stack Properties: Parameters: StackSetName: !Ref SharedServiceStackSetName TemplateURL: ds_admin_detective.yaml