Description: |
  Template to create a service catalog product to launch a notebook

Parameters:
  ProjectName:
    Type: String
    AllowedPattern: '[A-Za-z0-9\-]*'
    Description: Please specify your project name.  Used as a suffix for project resource names.

  EnvType:
    Description: System Environment
    Type: String
    Default: dev

  QuickstartMode:
    Type: String
    Default: true
    Description: true indicates a quickstart-style deployment, false indicates a workshop deployment

Conditions: 
  IsAQuickstart: !Equals [ !Ref QuickstartMode, true ]

Resources:
  DSUserPortfolio:
    Type: AWS::ServiceCatalog::Portfolio 
    Properties:
      Description: !Sub 'Portfolio for ${ProjectName}-${EnvType} products'
      DisplayName: !Sub '${ProjectName}-${EnvType} products'
      ProviderName: !Sub '${ProjectName} Administration'
      Tags:
        - Key: ProjectName
          Value: !Ref ProjectName
        - Key: EnvironmentType
          Value: !Ref EnvType

  DSUserNotebookProduct:
    Type: AWS::ServiceCatalog::CloudFormationProduct
    Properties:
      Description: !Sub 'SageMaker ${EnvType} notebook for the ${ProjectName} project'
      Name: !Sub '${ProjectName} SageMaker ${EnvType} notebook'
      Owner: 'Data Science CoE'
      ProvisioningArtifactParameters:
        - Name: 'DS User Notebook v1'
          Info:
            LoadTemplateFromURL: !If
              - IsAQuickstart
              - 'https://s3.amazonaws.com/< S3_CFN_STAGING_BUCKET_PATH >/ds_notebook_v2.yaml'
              - 'https://s3.amazonaws.com/< S3_CFN_STAGING_BUCKET_PATH >/ds_notebook_v1.yaml' 

  DSUserNotebookProjectConstraint:
    Type: AWS::ServiceCatalog::LaunchTemplateConstraint
    Properties: 
      Description: Ensure the project name is the same as that associated with this portfolio.
      PortfolioId: !Ref DSUserPortfolio
      ProductId: !Ref DSUserNotebookProduct
      Rules: !Sub |
        {
          "ProjectNameConstraint": {
            "Assertions": [
              {
                "Assert": {
                  "Fn::Contains": [
                    [
                      "${ProjectName}"
                    ],
                    {
                      "Ref": "ProjectName"
                    }
                  ]
                },
                "AssertDescription": "Project Name can only be set to '${ProjectName}'"
              }
            ]
          }
        }

  SCPortfolioSageMakerProductAssociation:
    Type: 'AWS::ServiceCatalog::PortfolioProductAssociation'
    Properties:
      PortfolioId: !Ref DSUserPortfolio
      ProductId: !Ref DSUserNotebookProduct

  DSAdminPortfolioPrincipalAssociation:
    Type: 'AWS::ServiceCatalog::PortfolioPrincipalAssociation'
    Properties:
      PortfolioId: !Ref DSUserPortfolio
      PrincipalARN: 
        Fn::ImportValue:
          !Sub 'ds-admin-role-${ProjectName}-${EnvType}-arn'
      PrincipalType: IAM

  DSUserPortfolioPrincipalAssociation:
    Type: 'AWS::ServiceCatalog::PortfolioPrincipalAssociation'
    Properties:
      PortfolioId: !Ref DSUserPortfolio
      PrincipalARN: 
        Fn::ImportValue:
          !Sub 'ds-user-role-${ProjectName}-${EnvType}-arn'
      PrincipalType: IAM
  
  SCLaunchRole:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service: servicecatalog.amazonaws.com
            Action: 'sts:AssumeRole'
      RoleName: !Sub "ds-sc-launch-role-${ProjectName}-${EnvType}"
      Policies:
        - PolicyName: SCInlinePolicy
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Sid: Policy1
                Effect: Allow
                Action:
                  - 'iam:AttachRolePolicy'
                  - 'iam:CreatePolicy'
                  - 'iam:CreatePolicyVersion'
                  - 'iam:CreateRole'
                  - 'iam:DeletePolicy'
                  - 'iam:DeletePolicyVersion'
                  - 'iam:DeleteRole'
                  - 'iam:DetachRolePolicy'
                  - 'iam:ListPolicyVersions'
                  - 'iam:TagRole'
                  - 'kms:CreateGrant'
                  - 'kms:CreateKey'
                  - 'kms:DeleteAlias'
                  - 'kms:DeleteCustomKeyStore'
                  - 'kms:DeleteImportedKeyMaterial'
                  - 'kms:EnableKey'
                  - 'kms:EnableKeyRotation'
                  - 'kms:PutKeyPolicy'
                  - 'kms:ScheduleKeyDeletion'
                  - 'kms:TagResource'
                  - 'kms:UpdateAlias'
                  - 'kms:UpdateCustomKeyStore'
                  - 'kms:UpdateKeyDescription'
                  - 'ssm:AddTagsToResource'
                  - 'ssm:DeleteParameter'
                  - 'ssm:DeleteParameters'
                  - 'ssm:GetParameter'
                  - 'ssm:GetParameters'
                  - 'ssm:PutParameter'
                  - 'ssm:RemoveTagsFromResource'
                Resource: '*'
      ManagedPolicyArns:
        - 'arn:aws:iam::aws:policy/AWSCloudFormationFullAccess'
        - 'arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess'
        - 'arn:aws:iam::aws:policy/AmazonSageMakerFullAccess'
        - 'arn:aws:iam::aws:policy/AWSLambdaFullAccess'
      Tags:
        - Key: ProjectName
          Value: !Ref ProjectName
        - Key: EnvironmentType
          Value: !Ref EnvType

  SCProductLaunchRoleConstraint:
    Type: 'AWS::ServiceCatalog::LaunchRoleConstraint'
    DependsOn: SCPortfolioSageMakerProductAssociation
    Properties:
      Description: The Launch Role SC uses to launch product
      PortfolioId: !Ref DSUserPortfolio
      ProductId: !Ref DSUserNotebookProduct
      RoleArn: !GetAtt SCLaunchRole.Arn

  SCLaunchRoleArn:
    Type: 'AWS::SSM::Parameter'
    Properties:
      Name: !Sub "ds-sc-launch-role-${ProjectName}-${EnvType}-arn"
      Type: String
      Value: !GetAtt SCLaunchRole.Arn
      Description: SSM-Parameter Service Catalog Launch Role Arn