AWSTemplateFormatVersion: "2010-09-09" Description: AWS resources for building an example ML inference container with ArmNN Parameters: CodeCommitRepositoryName: Type: String Description: CodeCommit repository name (must exist already) MinLength: 1 ContainerImageName: Type: String Description: Container image name for ECR MinLength: 1 Resources: ECRRepository: Type: AWS::ECR::Repository Properties: ImageScanningConfiguration: ScanOnPush: true CodeBuildRole: Type: AWS::IAM::Role Metadata: cfn_nag: rules_to_suppress: - id: W11 reason: "Asterisks are required" Properties: AssumeRolePolicyDocument: Version: "2012-10-17" Statement: - Effect: Allow Principal: Service: - codebuild.amazonaws.com Action: - sts:AssumeRole Policies: - PolicyName: CodeBuildPolicy PolicyDocument: Version: "2012-10-17" Statement: - Sid: CloudWatchLogsPolicy Effect: Allow Action: - logs:CreateLogGroup - logs:CreateLogStream - logs:PutLogEvents Resource: - "*" - Sid: CodeCommitPolicy Effect: Allow Action: - "codecommit:GitPull" Resource: - !Sub "arn:aws:codecommit:${AWS::Region}:${AWS::AccountId}:${CodeCommitRepositoryName}" - Sid: ECRPolicy Effect: Allow Action: - ecr:PutImage - ecr:BatchCheckLayerAvailability - ecr:CompleteLayerUpload - ecr:UploadLayerPart - ecr:InitiateLayerUpload Resource: - !Sub "arn:aws:ecr:${AWS::Region}:${AWS::AccountId}:repository/${ECRRepository}" - Sid: ECRAuthPolicy Effect: Allow Action: - ecr:GetAuthorizationToken Resource: - "*" CodeBuildProject: Type: AWS::CodeBuild::Project Metadata: cfn_nag: rules_to_suppress: - id: W32 reason: "No build output artifacts to encrypt" Properties: ServiceRole: !GetAtt CodeBuildRole.Arn Artifacts: Type: NO_ARTIFACTS Environment: ComputeType: BUILD_GENERAL1_SMALL Type: ARM_CONTAINER Image: "aws/codebuild/amazonlinux2-aarch64-standard:2.0" PrivilegedMode: true EnvironmentVariables: - Name: ECR_REPO_NAME Value: !Ref ECRRepository Source: BuildSpec: !Sub | version: 0.2 phases: build: commands: - "echo 'Building container image with ArmNN'" - "docker build -t $ECR_REPO_NAME:${ContainerImageName} ." - "echo 'Pushing container image to ECR'" - "aws ecr get-login-password --region ${AWS::Region} | docker login --username AWS --password-stdin ${AWS::AccountId}.dkr.ecr.${AWS::Region}.amazonaws.com" - "docker tag $ECR_REPO_NAME:${ContainerImageName} ${AWS::AccountId}.dkr.ecr.${AWS::Region}.amazonaws.com/$ECR_REPO_NAME:${ContainerImageName}" - "docker push ${AWS::AccountId}.dkr.ecr.${AWS::Region}.amazonaws.com/$ECR_REPO_NAME:${ContainerImageName}" Type: CODECOMMIT Location: !Sub "https://git-codecommit.${AWS::Region}.amazonaws.com/v1/repos/${CodeCommitRepositoryName}" Outputs: ECRRepo: Description: Name of the ECR repository created Value: !Ref ECRRepository Export: Name: ECRRepositoryName ECRContainerImage: Description: Name of the ECR container image Value: !Ref ContainerImageName Export: Name: ContainerImageName