AWSTemplateFormatVersion: 2010-09-09 Description: Portfolio setup for Service Catalog with EC2 and VPC products. (fdp-1p4da46nc) Metadata: 'AWS::CloudFormation::Interface': ParameterGroups: - Label: default: (Mandatory) Network details to build Parameters: - RepoRootURL - Label: default: (Mandatory) Portfolio Information Parameters: - LabelAdminRole - Label: default: (Optional) Enables network security restrictions, secondary network with windows bastion host. Parameters: - EnableSecNetwork - KeyNameLabel - InstanceType - WindowsAMI - MyIPAddress Parameters: RepoRootURL: Type: String Description: Root url for the repo containing the product templates. Default: https://951467776731-sagemaker-selfservice.s3.us-east-1.amazonaws.com LabelAdminRole: Type: String Description: Name of the Role that can make use of the products, this adds the permissions to access the portfolio in SC and KMS Default: IibsAdminAccess-DO-NOT-DELETE EnableSecNetwork: Type: String Description: This enables the second VPC and restrict Pre-Signed URLs to deny public access Default: false AllowedValues: - true - false KeyNameLabel: Description: DO THIS FIRST - Key-pair to retrieve password for bastion host Type: String Default: BURNER InstanceType: Description: Instance type of the bastion host Type: String Default: 't2.small' WindowsAMI: Description: AMI of the Windows Bastion host Type: String Default: 'ami-09d496c26aa745869' MyIPAddress: Description: What is your public IP to restrict the bastion security group i.e 72.21.196.65/32 Type: String Conditions: EnableSecNetworkCondition: !Equals [!Ref 'EnableSecNetwork', 'true'] Resources: Network: Type: 'AWS::CloudFormation::Stack' Properties: TemplateURL: !Sub '${RepoRootURL}/Network.yaml' Parameters: VPCCIDR: '172.29.10.0/24' PrivateSubnet1ACIDR: '172.29.10.0/26' SecGroupFromIP: !Ref MyIPAddress Network2: Type: 'AWS::CloudFormation::Stack' Condition: EnableSecNetworkCondition DependsOn: Network Properties: TemplateURL: !Sub '${RepoRootURL}/Network-2.yaml' TimeoutInMinutes: 5 Parameters: VPCCIDR: '192.168.100.0/24' PrivateSubnet1ACIDR: '192.168.100.0/24' AmazonProvidedDNSParam: '172.29.10.2' KeyNameLabel: !Ref KeyNameLabel InstanceType: !Ref 'InstanceType' WindowsAMI: !Ref 'WindowsAMI' SCEC2portfolio: Type: 'AWS::ServiceCatalog::Portfolio' Properties: ProviderName: 'IT Services' Description: 'Service Catalog Sample Portfolio' DisplayName: !Sub 'Service Catalog Portfolio ${AWS::StackName}' NotebookLaunchConstraintRole: Type: 'AWS::CloudFormation::Stack' DependsOn: Network Properties: TemplateURL: !Sub '${RepoRootURL}/SC-Notebook-Constrain.yaml' TimeoutInMinutes: 5 Parameters: EnableVpcRestrictions: !Ref EnableSecNetwork SageMakerNotebookProduct: Type: 'AWS::ServiceCatalog::CloudFormationProduct' DependsOn: - Network - NotebookLaunchConstraintRole Properties: Name: 'SageMaker Notebook' Distributor: "IT" Owner: "IT" SupportDescription: "Please call any time for support" SupportEmail: "info@example.com" SupportUrl: "https://www.example.com" ProvisioningArtifactParameters: - Name: "Sage Maker Notebook" Description: "This product creates a SageMaker product asking in which network to place it." Info: LoadTemplateFromURL: !Sub '${RepoRootURL}/SageMaker-Notebook-Product.yaml' SageMakerNoteBookLaunchConstrain: Type: AWS::ServiceCatalog::LaunchRoleConstraint DependsOn: - NotebookLaunchConstraintRole - SageMakerNotebookProduct - PortfolioProductSageMakerNotebookAssoc Properties: PortfolioId: !Ref SCEC2portfolio ProductId: !Ref SageMakerNotebookProduct RoleArn: !GetAtt NotebookLaunchConstraintRole.Outputs.OutSCSageMakerLaunchRole PortfolioProductSageMakerNotebookAssoc: Type: "AWS::ServiceCatalog::PortfolioProductAssociation" Properties: PortfolioId: !Ref SCEC2portfolio ProductId: !Ref SageMakerNotebookProduct DeveloperPolicy: Type: 'AWS::CloudFormation::Stack' Properties: TemplateURL: !Sub '${RepoRootURL}/DeveloperPolicy.yaml' TimeoutInMinutes: 5 Parameters: URLLambdaARN: !GetAtt 'NotebookWatcher.Outputs.FunctionARN' URLLambdaRole: !GetAtt 'NotebookLaunchConstraintRole.Outputs.OutURLInstanciatorLambdaRoleExecution' AdminRole: !Ref LabelAdminRole CMK: DependsOn: DeveloperPolicy Type: 'AWS::CloudFormation::Stack' Properties: TemplateURL: !Sub '${RepoRootURL}/CMK-KMS.yaml' TimeoutInMinutes: 5 Parameters: Service: 'ALL_SERVICES' AdminRole: !Ref LabelAdminRole NotebookWatcher: Type: 'AWS::CloudFormation::Stack' DependsOn: SageMakerNotebookProduct Properties: TemplateURL: !Sub '${RepoRootURL}/Watcher.yaml' TimeoutInMinutes: 5 Parameters: ProductARN: !Sub arn:aws:catalog:${AWS::Region}:${AWS::AccountId}:product/${SageMakerNotebookProduct} ProlicyName: 'DeveloperPassRoleToSageMakerNotebookManagedPolicy' SageMakerUrlProduct: Type: 'AWS::ServiceCatalog::CloudFormationProduct' Properties: Name: 'URL for SageMaker Notebook' Distributor: "IT" Owner: "IT" SupportDescription: "Please call any time for support" SupportEmail: "info@example.com" SupportUrl: "https://www.example.com" ProvisioningArtifactParameters: - Name: "PreSign URL for SageMaker Notebook" Description: "This product retrieves a SageMaker URL." Info: LoadTemplateFromURL: !Sub '${RepoRootURL}/PreSignedURL-SageMaker.yml' PortfolioProductURLAssoc: Type: "AWS::ServiceCatalog::PortfolioProductAssociation" Properties: PortfolioId: !Ref SCEC2portfolio ProductId: !Ref SageMakerUrlProduct MLDataPrepProduct: Type: 'AWS::ServiceCatalog::CloudFormationProduct' Properties: Name: 'ML Data Prep' Distributor: "IT" Owner: "IT" SupportDescription: "Please call any time for support" SupportEmail: "info@example.com" SupportUrl: "https://www.example.com" ProvisioningArtifactParameters: - Name: "Prepare data for ML" Description: "This product prepares dataset as per predefined rules for modeling." Info: LoadTemplateFromURL: !Sub '${RepoRootURL}/ML-Data-Prep.yaml' MLDataPrepLaunchConstraint: Type: AWS::ServiceCatalog::LaunchRoleConstraint DependsOn: NotebookLaunchConstraintRole Properties: PortfolioId: !Ref SCEC2portfolio ProductId: !Ref MLDataPrepProduct RoleArn: !Sub arn:aws:iam::${AWS::AccountId}:role/MLDataPrep-Launch-Role PortfolioMLDataPrepAssoc: Type: "AWS::ServiceCatalog::PortfolioProductAssociation" Properties: PortfolioId: !Ref SCEC2portfolio ProductId: !Ref MLDataPrepProduct MLModelTrainProduct: Type: AWS::ServiceCatalog::CloudFormationProduct Properties: Name: ML Train Model xgboost-100-3 Distributor: IT Owner: IT SupportDescription: Please call any time for support SupportEmail: info@example.com SupportUrl: https://www.example.com ProvisioningArtifactParameters: - Name: Train xgboost model Description: This product trains a ML model Info: LoadTemplateFromURL: !Sub '${RepoRootURL}/ML-Model-Train.yaml' MLDataPrepLaunchConstraint: Type: AWS::ServiceCatalog::LaunchRoleConstraint DependsOn: NotebookLaunchConstraintRole Properties: PortfolioId: !Ref SCEC2portfolio ProductId: !Ref MLModelTrainProduct RoleArn: !GetAtt 'NotebookLaunchConstraintRole.Outputs.OutMLDataPrepLaunchRole' PortfolioMLModelTrainAssoc: Type: AWS::ServiceCatalog::PortfolioProductAssociation Properties: PortfolioId: !Ref SCEC2portfolio ProductId: !Ref MLModelTrainProduct PortfolioPrincipalAssociation: Type: "AWS::ServiceCatalog::PortfolioPrincipalAssociation" Properties: PortfolioId: !Ref SCEC2portfolio PrincipalARN: !Sub 'arn:aws:iam::${AWS::AccountId}:role/${LabelAdminRole}' PrincipalType: "IAM" PortfolioPrincipalAssociationDeveloper: Type: "AWS::ServiceCatalog::PortfolioPrincipalAssociation" DependsOn: DeveloperPolicy Properties: PortfolioId: !Ref SCEC2portfolio PrincipalARN: !Sub 'arn:aws:iam::${AWS::AccountId}:role/Developer' PrincipalType: "IAM"