--- AWSTemplateFormatVersion: 2010-09-09 Description: > This template deploys the Retail Demo Store SageMaker Notebook Instances. Parameters: ResourceBucket: Type: String Description: S3Bucket Bucket where the Resources are stored (cloudformation, images, lambda code) ResourceBucketRelativePath: Type: String Description: S3Bucket Path where the Resources are stored (cloudformation, images, lambda code) (i.e. path/path2), can be empty if resources are at the root of the bucket. MUST contain trailing / GitHubUser: Type: String Description: Your GitHub username. GitHubBranch: Type: String Description: The GitHub branch to use for deployments. Subnets: Type: String Subnet1: Type: String Subnet2: Type: String VpcId: Type: String ExperimentStrategyTable: Type: String Default: none StackBucketName: Type: String Default: none Uid: Type: String UserPoolId: Type: String Description: The Cognito user pool ID. PinpointAppId: Type: String EvidentlyProjectName: Type: String Conditions: UseDefaultGitHubUser: !Equals - !Ref GitHubUser - '' # ml.t3.medium instance type not available in all Sydney AZs (https://aws.amazon.com/releasenotes/sagemaker-instance-types-in-sydney-ap-southeast-2/) UseT3InstanceType: !Not [!Equals [!Ref 'AWS::Region', 'ap-southeast-2'] ] Resources: RetailDemoStoreGitHubRepo: Type: AWS::SageMaker::CodeRepository Properties: CodeRepositoryName: !Sub '${Uid}-demo-store' GitConfig: Branch: !Ref GitHubBranch RepositoryUrl: !Sub - 'https://github.com/${User}/retail-demo-store.git' - { User: !If [ UseDefaultGitHubUser, 'aws-samples', !Ref GitHubUser ] } NotebookInstance: Type: AWS::SageMaker::NotebookInstance Properties: NotebookInstanceName: !Sub ${Uid} InstanceType: !If [UseT3InstanceType, 'ml.t3.medium', 'ml.t2.medium'] # Ensure instance type is supported by all target regions in README before changing PlatformIdentifier: "notebook-al2-v2" RoleArn: !GetAtt ExecutionRole.Arn SubnetId: !Ref Subnet1 SecurityGroupIds: - !Ref SecurityGroup DefaultCodeRepository: !Sub '${Uid}-demo-store' Tags: - Key: "Uid" Value: !Ref Uid - Key: "PinpointAppId" Value: !Ref PinpointAppId - Key: "UserPoolId" Value: !Ref UserPoolId SecurityGroup: Type: AWS::EC2::SecurityGroup Properties: GroupDescription: Notebook Instance Security Group VpcId: !Ref VpcId SecurityGroupIngress: - FromPort: 443 IpProtocol: tcp ToPort: 443 CidrIp: 0.0.0.0/0 ExecutionRole: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Version: "2012-10-17" Statement: - Effect: "Allow" Principal: Service: - "sagemaker.amazonaws.com" Action: - "sts:AssumeRole" - Effect: "Allow" Principal: Service: - "lambda.amazonaws.com" Action: - "sts:AssumeRole" Path: "/" Policies: - PolicyName: "Global" PolicyDocument: Version: "2012-10-17" Statement: - Effect: "Allow" Action: - codecommit:* Resource: !Sub 'arn:aws:codecommit:${AWS::Region}:${AWS::AccountId}:retaildemostore*' - Effect: "Allow" Action: - sagemaker:ListTags Resource: !Sub 'arn:aws:sagemaker:${AWS::Region}:${AWS::AccountId}:notebook-instance/*' - Effect: "Allow" Action: - cloudformation:DescribeStacks Resource: !Sub 'arn:aws:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/${AWS::StackName}*' - PolicyName: "0-StartHere" PolicyDocument: Version: "2012-10-17" Statement: - Effect: "Allow" Action: - servicediscovery:DiscoverInstances - es:ListDomainNames - es:DescribeDomain - es:ListTags Resource: "*" - PolicyName: "1-Personalize" PolicyDocument: Version: "2012-10-17" Statement: - Effect: "Allow" Action: - servicediscovery:DiscoverInstances - personalize:* Resource: '*' - Effect: "Allow" Action: - ssm:PutParameter - ssm:GetParameter Resource: !Sub 'arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter/retaildemostore*' - Effect: "Allow" Action: - s3:PutObject - s3:GetObject - s3:GetObjectVersion - s3:GetBucketVersioning - s3:GetBucketPolicy Resource: - !Sub arn:aws:s3:::${StackBucketName}/* - !Sub arn:aws:s3:::${StackBucketName} - Effect: "Allow" Action: - s3:GetObject Resource: - !Sub arn:aws:s3:::${ResourceBucket}/${ResourceBucketRelativePath}csvs/* - Effect: "Allow" Action: - iam:GetRole - iam:GetRolePolicy - iam:PassRole Resource: !Sub 'arn:aws:iam::${AWS::AccountId}:role/${Uid}-PersonalizeS3' - Effect: "Allow" Action: - iam:UpdateAssumeRolePolicy Resource: !Sub 'arn:aws:iam::${AWS::AccountId}:role/${AWS::Region}-mParticleKinesisCrossAccountRole' - Effect: "Allow" Action: - iam:CreatePolicy - iam:DeletePolicy Resource: !Sub 'arn:aws:iam::${AWS::AccountId}:policy/KinesismParticlePolicy' - Effect: "Allow" Action: - iam:CreateUser - iam:DeleteUser - iam:AttachUserPolicy - iam:DetachUserPolicy - iam:CreateAccessKey - iam:DeleteAccessKey Resource: !Sub 'arn:aws:iam::${AWS::AccountId}:user/mParticleRetailDemoStoreKinesis' - Effect: Allow Action: - codepipeline:ListPipelines - codepipeline:ListTagsForResource Resource: - !Sub 'arn:aws:codepipeline:${AWS::Region}:${AWS::AccountId}:*' - Effect: Allow Action: - codepipeline:StartPipelineExecution Resource: - !Sub 'arn:aws:codepipeline:${AWS::Region}:${AWS::AccountId}:*' Condition: StringEquals: aws:ResourceTag/RetailDemoStoreServiceName: 'web-ui' - Effect: Allow Action: # Notebook users should be able to start and stop training - events:DescribeRule - events:ListRules - events:EnableRule Resource: - !Sub 'arn:aws:events:${AWS::Region}:${AWS::AccountId}:rule/RetailDemoStore-PersonalizePreCreateScheduledRule' - PolicyName: "3-Experimentation" PolicyDocument: Version: "2012-10-17" Statement: - Effect: "Allow" Action: - servicediscovery:DiscoverInstances - elasticloadbalancing:DescribeLoadBalancers - elasticloadbalancing:DescribeTags Resource: "*" - Effect: "Allow" Action: - ssm:PutParameter - ssm:GetParameter Resource: !Sub 'arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter/retaildemostore*' - Effect: Allow Action: - dynamodb:* Resource: - !Sub 'arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${ExperimentStrategyTable}' - !Sub 'arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${ExperimentStrategyTable}/index/*' - Effect: Allow Action: - evidently:GetFeature - evidently:EvaluateFeature - evidently:CreateExperiment - evidently:StartExperiment - evidently:StopExperiment Resource: - !Sub 'arn:aws:evidently:${AWS::Region}:${AWS::AccountId}:project/${EvidentlyProjectName}' - !Sub 'arn:aws:evidently:${AWS::Region}:${AWS::AccountId}:project/${EvidentlyProjectName}/experiment/*' - !Sub 'arn:aws:evidently:${AWS::Region}:${AWS::AccountId}:project/${EvidentlyProjectName}/feature/*' - PolicyName: "4-Messaging" PolicyDocument: Version: "2012-10-17" Statement: - Effect: "Allow" Action: - mobiletargeting:* - iam:GetRole - elasticloadbalancing:DescribeLoadBalancers - elasticloadbalancing:DescribeTags Resource: "*" - Effect: "Allow" Action: - lambda:GetFunction Resource: !Sub 'arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:RetailDemoStorePinpointRecommender' - PolicyName: "7-Location" PolicyDocument: Version: "2012-10-17" Statement: - Effect: Allow Action: - geo:CreateMap - geo:DeleteMap Resource: - !Sub 'arn:aws:geo:${AWS::Region}:${AWS::AccountId}:map*' - Effect: Allow Action: - geo:PutGeofence - geo:CreateGeofenceCollection - geo:BatchDeleteGeofence - geo:DeleteGeofenceCollection - geo:ListGeofences - geo:ListGeofenceCollections Resource: - !Sub 'arn:aws:geo:${AWS::Region}:${AWS::AccountId}:geofence-collection*' - Effect: Allow Action: - geo:AssociateTrackerConsumer - geo:DisassociateTrackerConsumer - geo:CreateTracker - geo:DeleteTracker Resource: - !Sub 'arn:aws:geo:${AWS::Region}:${AWS::AccountId}:tracker*' - Effect: Allow Action: - geo:BatchUpdateDevicePosition - geo:BatchGetDevicePosition - geo:DescribeTracker - geo:GetDevicePosition - geo:GetDevicePositionHistory Resource: - !Sub 'arn:aws:geo:${AWS::Region}:${AWS::AccountId}:tracker/RetailDemoStoreLocationWorkshop*' - Effect: Allow Action: - geo:GetGeofence - geo:DescribeGeofenceCollection Resource: - !Sub "arn:aws:geo:${AWS::Region}:${AWS::AccountId}:geofence-collection/RetailDemoStoreLocationWorkshop*" - Effect: "Allow" Action: - events:PutRule - events:DeleteRule - events:PutTargets - events:RemoveTargets Resource: - !Sub 'arn:aws:events:${AWS::Region}:${AWS::AccountId}:rule/*' - Effect: Allow Action: - cognito-idp:AdminGetUser Resource: !Sub "arn:aws:cognito-idp:${AWS::Region}:${AWS::AccountId}:userpool/${UserPoolId}" - Effect: "Allow" Action: - lambda:AddPermission - lambda:CreateFunction - lambda:DeleteFunction Resource: - !Sub 'arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:LocationNotebookEventHandler' - Effect: "Allow" Action: - iam:PassRole Resource: - !Sub 'arn:aws:iam::${AWS::AccountId}:role/*' - Effect: Allow Action: - logs:CreateLogStream - logs:PutLogEvents Resource: - !Sub 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/LocationNotebookEventHandler:log-stream:*' - !Sub 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/LocationNotebookEventHandler' - Effect: Allow Action: - logs:CreateLogGroup Resource: '*' Outputs: NotebookInstanceId: Value: !Ref NotebookInstance