AWSTemplateFormatVersion: '2010-09-09' Description: A template to spin up resources for deploying the sentence relevance workload Parameters: EnvironmentName: Description: An environment name that is prefixed to resource names Type: String VpcCIDR: Description: Please enter the IP range (CIDR notation) for this VPC Type: String Default: 10.192.0.0/16 PublicSubnet1CIDR: Description: Please enter the IP range (CIDR notation) for the public subnet in the first Availability Zone Type: String Default: 10.192.10.0/24 Resources: VPC: Type: AWS::EC2::VPC Properties: CidrBlock: !Ref VpcCIDR EnableDnsSupport: true EnableDnsHostnames: true Tags: - Key: Name Value: sentence_relevance_VPC InternetGateway: Type: AWS::EC2::InternetGateway InternetGatewayAttachment: Type: AWS::EC2::VPCGatewayAttachment Properties: InternetGatewayId: !Ref InternetGateway VpcId: !Ref VPC PublicSubnet1: Type: AWS::EC2::Subnet Properties: VpcId: !Ref VPC AvailabilityZone: !Select [ 0, !GetAZs '' ] CidrBlock: !Ref PublicSubnet1CIDR MapPublicIpOnLaunch: true PublicRouteTable: Type: AWS::EC2::RouteTable Properties: VpcId: !Ref VPC DefaultPublicRoute: Type: AWS::EC2::Route DependsOn: InternetGatewayAttachment Properties: RouteTableId: !Ref PublicRouteTable DestinationCidrBlock: 0.0.0.0/0 GatewayId: !Ref InternetGateway PublicSubnet1RouteTableAssociation: Type: AWS::EC2::SubnetRouteTableAssociation Properties: RouteTableId: !Ref PublicRouteTable SubnetId: !Ref PublicSubnet1 SecurityGroup: Type: AWS::EC2::SecurityGroup Properties: VpcId: !Ref VPC GroupDescription: Enable access via port 8501 GroupName: PublicAccess8501 SecurityGroupIngress: IpProtocol: tcp FromPort: 8501 ToPort: 8501 CidrIp: 0.0.0.0/0 ECSCluster: Type: 'AWS::ECS::Cluster' Properties: ClusterName: My-Container-Cluster SentenceRelevanceRole: Type: 'AWS::IAM::Role' Properties: AssumeRolePolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Principal: Service: - codebuild.amazonaws.com - sagemaker.amazonaws.com Action: - 'sts:AssumeRole' ManagedPolicyArns: ['arn:aws:iam::aws:policy/AmazonSageMakerFullAccess'] Path: / Policies: - PolicyName: CodeBuild_ECR_Policy # This policy is based off of the IAM policy that is defined here: https://github.com/aws-samples/sagemaker-studio-image-build-cli and https://aws.amazon.com/blogs/machine-learning/using-the-amazon-sagemaker-studio-image-build-cli-to-build-container-images-from-your-studio-notebooks/ PolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Action: - 'codebuild:DeleteProject' - 'codebuild:CreateProject' - 'codebuild:BatchGetBuilds' - 'codebuild:StartBuild' Resource: !Sub 'arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:project/sagemaker-studio*' - Effect: Allow Action: 'logs:CreateLogGroup' Resource: !Sub 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:*' - Effect: Allow Action: 'logs:CreateLogStream' Resource: !Sub 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/sagemaker-studio*' - Effect: Allow Action: - 'logs:GetLogEvents' - 'logs:PutLogEvents' Resource: !Sub 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/sagemaker-studio*:log-stream:*' - Effect: Allow Action: - ecr:CreateRepository - ecr:BatchGetImage - ecr:CompleteLayerUpload - ecr:DescribeImages - ecr:DescribeRepositories - ecr:UploadLayerPart - ecr:ListImages - ecr:InitiateLayerUpload - ecr:BatchCheckLayerAvailability - ecr:PutImage Resource: !Sub 'arn:aws:ecr:${AWS::Region}:${AWS::AccountId}:repository/*' - Effect: Allow Action: ecr:GetAuthorizationToken Resource: "*" - Effect: Allow Action: - iam:GetRole - iam:ListRoles Resource: "*" - Effect: Allow Action: iam:PassRole Resource: !Sub 'arn:aws:iam::${AWS::AccountId}:role/*' Condition: StringLikeIfExists: iam:PassedToService: codebuild.amazonaws.com Outputs: VPC: Description: A reference to the created VPC Value: !Ref VPC PublicSubnets: Description: A list of the public subnets Value: !Join [ ",", [ !Ref PublicSubnet1 ]] PublicSubnet1: Description: A reference to the public subnet in the 1st Availability Zone Value: !Ref PublicSubnet1