Parameters:
emailAddress:
Type: String
AllowedPattern: .+
Description: (Required) An e-mail address with which to receive deployment notifications.
instanceType:
Type: String
Default: ml.t2.medium
Description: (Required) SageMaker Notebook instance type to host the AFA dashboard (e.g. ml.t2.medium, ml.t3.xlarge, ml.t3.2xlarge, ml.m4.4xlarge)
lambdamapFunctionName:
Type: String
Default: AfaLambdaMapFunction
lambdamapBranch:
Type: String
Default: main
afaBranch:
Type: String
Default: main
Resources:
AfaCodeBuildRole2413BF20:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Statement:
- Action: sts:AssumeRole
Effect: Allow
Principal:
Service: codebuild.amazonaws.com
Version: "2012-10-17"
Tags:
- Key: Project
Value: Afa
Metadata:
aws:cdk:path: AfaBootstrapStack/AfaCodeBuildRole/Resource
AfaCodeBuildRoleDefaultPolicy1EBDF2C9:
Type: AWS::IAM::Policy
Properties:
PolicyDocument:
Statement:
- Action:
- logs:CreateLogGroup
- logs:CreateLogStream
- logs:PutLogEvents
Effect: Allow
Resource:
- Fn::Join:
- ""
- - "arn:"
- Ref: AWS::Partition
- ":logs:"
- Ref: AWS::Region
- ":"
- Ref: AWS::AccountId
- :log-group:/aws/codebuild/
- Ref: DeployStacksProject7C167385
- Fn::Join:
- ""
- - "arn:"
- Ref: AWS::Partition
- ":logs:"
- Ref: AWS::Region
- ":"
- Ref: AWS::AccountId
- :log-group:/aws/codebuild/
- Ref: DeployStacksProject7C167385
- :*
- Action:
- codebuild:CreateReportGroup
- codebuild:CreateReport
- codebuild:UpdateReport
- codebuild:BatchPutTestCases
- codebuild:BatchPutCodeCoverages
Effect: Allow
Resource:
Fn::Join:
- ""
- - "arn:"
- Ref: AWS::Partition
- ":codebuild:"
- Ref: AWS::Region
- ":"
- Ref: AWS::AccountId
- :report-group/
- Ref: DeployStacksProject7C167385
- -*
Version: "2012-10-17"
PolicyName: AfaCodeBuildRoleDefaultPolicy1EBDF2C9
Roles:
- Ref: AfaCodeBuildRole2413BF20
Metadata:
aws:cdk:path: AfaBootstrapStack/AfaCodeBuildRole/DefaultPolicy/Resource
LambdaMapCodeBuildPolicyDCA4CAA6:
Type: AWS::IAM::Policy
Properties:
PolicyDocument:
Statement:
- Action:
- cloudformation:CreateChangeSet
- cloudformation:CreateStack
- cloudformation:DeleteStack
- cloudformation:DescribeStacks
- cloudformation:DescribeStackEvents
- cloudformation:DescribeChangeSet
- cloudformation:ListChangeSets
- cloudformation:ListStackResources
- cloudformation:TagResources
- cloudformation:UpdateStack
- cloudformation:GetTemplate
- cloudformation:ExecuteChangeSet
- cloudformation:DeleteChangeSet
Effect: Allow
Resource:
- Fn::Join:
- ""
- - "arn:aws:cloudformation:"
- Ref: AWS::Region
- ":"
- Ref: AWS::AccountId
- :stack/AfaLambdaMapStack*
- Fn::Join:
- ""
- - "arn:aws:cloudformation:"
- Ref: AWS::Region
- ":"
- Ref: AWS::AccountId
- :stack/
- Ref: AWS::StackName
- /*
- Fn::Join:
- ""
- - "arn:aws:cloudformation:"
- Ref: AWS::Region
- ":"
- Ref: AWS::AccountId
- :stack/AfaStack*
- Fn::Join:
- ""
- - "arn:aws:cloudformation:"
- Ref: AWS::Region
- ":"
- Ref: AWS::AccountId
- :stack/CDKToolkit/*
- Action:
- iam:DeletePolicy
- iam:CreateRole
- iam:AttachRolePolicy
- iam:PutRolePolicy
- iam:PassRole
- iam:DetachRolePolicy
- iam:DeleteRolePolicy
- iam:GetRole
- iam:GetPolicy
- iam:UpdateRoleDescription
- iam:DeleteRole
- iam:CreatePolicy
- iam:UpdateRole
- iam:GetRolePolicy
- iam:DeletePolicyVersion
- iam:TagRole
- iam:TagPolicy
Effect: Allow
Resource:
- Fn::Join:
- ""
- - "arn:aws:iam::"
- Ref: AWS::AccountId
- :role/AfaLambdaMapStack*
- Fn::Join:
- ""
- - "arn:aws:iam::"
- Ref: AWS::AccountId
- :role/cdk-*
- Fn::Join:
- ""
- - "arn:aws:iam::"
- Ref: AWS::AccountId
- :role/AfaStack*
- Fn::Join:
- ""
- - "arn:aws:iam::"
- Ref: AWS::AccountId
- :role/cdk-*-
- Ref: AWS::AccountId
- "-"
- Ref: AWS::Region
- Fn::Join:
- ""
- - "arn:aws:iam::"
- Ref: AWS::AccountId
- :policy/AfaLambdaMapStack*
- Fn::Join:
- ""
- - "arn:aws:iam::"
- Ref: AWS::AccountId
- :policy/AfaStack*
- Fn::Join:
- ""
- - "arn:aws:lambda:*:"
- Ref: AWS::AccountId
- :policy/AfaLambdaMapStack*
- Fn::Join:
- ""
- - "arn:aws:lambda:*:"
- Ref: AWS::AccountId
- :policy/AfaStack*
- Action: logs:CreateLogStream
Effect: Allow
Resource:
Fn::Join:
- ""
- - "arn:aws:logs:"
- Ref: AWS::Region
- ":"
- Ref: AWS::AccountId
- :log-group:/aws/codebuild/
- Action:
- lambda:CreateFunction
- lambda:GetFunction
- lambda:ListTags
- lambda:UpdateFunctionCode
- lambda:TagResource
Effect: Allow
Resource:
- Fn::Join:
- ""
- - "arn:aws:lambda:"
- Ref: AWS::Region
- ":"
- Ref: AWS::AccountId
- ":function:"
- Ref: lambdamapFunctionName
- Fn::Join:
- ""
- - "arn:aws:lambda:"
- Ref: AWS::Region
- ":"
- Ref: AWS::AccountId
- :function:AfaStack*
- Action:
- s3:CreateBucket
- s3:GetObject*
- s3:GetBucketPolicy*
- s3:PutObject*
- s3:ListBucket
- s3:GetBucketLocation
- s3:GetEncryptionConfiguration
- s3:PutEncryptionConfiguration
- s3:PutBucketVersioning
- s3:SetBucketEncryption
- s3:PutAccountPublicAccessBlock
- s3:PutBucketLogging
- s3:PutBucketPublicAccessBlock
- s3:PutBucketTagging
- s3:PutBucketPolicy
- s3:PutObjectTagging
- s3:DeleteBucketPolicy
Condition:
ForAllValues:StringEquals:
aws:ResourceAccount:
Ref: AWS::AccountId
aws:SourceAccount:
Ref: AWS::AccountId
Effect: Allow
Resource:
- arn:aws:s3:::cdk-*
- arn:aws:s3:::cdktoolkit-*
- Action:
- sagemaker:DescribeNotebookInstanceLifecycleConfig
- sagemaker:DeleteNotebookInstance
- sagemaker:StopNotebookInstance
- sagemaker:DescribeNotebookInstance
- sagemaker:CreateNotebookInstanceLifecycleConfig
- sagemaker:DeleteNotebookInstanceLifecycleConfig
- sagemaker:UpdateNotebookInstanceLifecycleConfig
- sagemaker:CreateNotebookInstance
- sagemaker:UpdateNotebookInstance
- sagemaker:addTags
Effect: Allow
Resource:
- Fn::Join:
- ""
- - "arn:aws:sagemaker:"
- Ref: AWS::Region
- ":"
- Ref: AWS::AccountId
- :notebook-instance/afastack*
- Fn::Join:
- ""
- - "arn:aws:sagemaker:"
- Ref: AWS::Region
- ":"
- Ref: AWS::AccountId
- :notebook-instance-lifecycle-config/notebooklifecycleconfig*
- Action:
- ecr:BatchCheckLayerAvailability
- ecr:GetDownloadUrlForLayer
- ecr:GetRepositoryPolicy
- ecr:DescribeRepositories
- ecr:ListImages
- ecr:DescribeImages
- ecr:BatchGetImage
- ecr:GetLifecyclePolicy
- ecr:GetLifecyclePolicyPreview
- ecr:ListTagsForResource
- ecr:DescribeImageScanFindings
- ecr:InitiateLayerUpload
- ecr:UploadLayerPart
- ecr:CompleteLayerUpload
- ecr:PutImage
- ecr:SetRepositoryPolicy
- ecr:PutImageScanningConfiguration
- ecr:PutImageTagMutability
- ecr:DeleteRepository
- ecr:TagResource
- ecr:UntagResource
Effect: Allow
Resource:
- Fn::Join:
- ""
- - "arn:aws:ecr:"
- Ref: AWS::Region
- ":"
- Ref: AWS::AccountId
- :repository/cdk-*-
- Ref: AWS::AccountId
- "-"
- Ref: AWS::Region
- Fn::Join:
- ""
- - "arn:aws:ecr:"
- Ref: AWS::Region
- ":"
- Ref: AWS::AccountId
- :repository/aws-cdk/assets
- Action:
- ecr:GetAuthorizationToken
- ecr:CreateRepository
Condition:
ForAllValues:StringEquals:
aws:ResourceAccount:
Ref: AWS::AccountId
aws:SourceAccount:
Ref: AWS::AccountId
Effect: Allow
Resource: "*"
- Action: ec2:DescribeAvailabilityZones
Condition:
ForAllValues:StringEquals:
aws:ResourceAccount:
Ref: AWS::AccountId
aws:SourceAccount:
Ref: AWS::AccountId
Effect: Allow
Resource: "*"
- Action: sts:GetCallerIdentity
Condition:
ForAllValues:StringEquals:
aws:ResourceAccount:
Ref: AWS::AccountId
aws:SourceAccount:
Ref: AWS::AccountId
Effect: Allow
Resource: "*"
- Action:
- ssm:GetParameter
- ssm:GetParameters
- ssm:GetParametersByPath
- ssm:PutParameter
- ssm:DeleteParameter
- ssm:ListTagsForResource
- ssm:AddTagsToResource
- ssm:RemoveTagsFromResource
- ssm:UntagResource
Effect: Allow
Resource:
Fn::Join:
- ""
- - "arn:aws:ssm:"
- Ref: AWS::Region
- ":"
- Ref: AWS::AccountId
- :parameter/cdk-bootstrap/*/version
- Action:
- kms:CreateKey
- kms:ListAliases
- kms:ListKeys
Condition:
ForAllValues:StringEquals:
aws:ResourceAccount:
Ref: AWS::AccountId
aws:SourceAccount:
Ref: AWS::AccountId
Effect: Allow
Resource: "*"
Version: "2012-10-17"
PolicyName: LambdaMapCodeBuildPolicyDCA4CAA6
Roles:
- Ref: AfaCodeBuildRole2413BF20
Metadata:
cfn_nag:
rules_to_suppress:
- id: W12
reason: Certain actions require '*' resources.
DeployStacksProject7C167385:
Type: AWS::CodeBuild::Project
Properties:
Artifacts:
Type: NO_ARTIFACTS
Environment:
ComputeType: BUILD_GENERAL1_SMALL
EnvironmentVariables:
- Name: BOOTSTRAP_STACK_NAME
Type: PLAINTEXT
Value:
Ref: AWS::StackName
- Name: LAMBDAMAP_REPO_URL
Type: PLAINTEXT
Value: https://github.com/aws-samples/lambdamap.git
- Name: LAMBDAMAP_BRANCH
Type: PLAINTEXT
Value:
Ref: lambdamapBranch
- Name: LAMBDAMAP_STACK_NAME
Type: PLAINTEXT
Value: AfaLambdaMapStack
- Name: LAMBDAMAP_FUNCTION_NAME
Type: PLAINTEXT
Value:
Ref: lambdamapFunctionName
- Name: EMAIL
Type: PLAINTEXT
Value:
Ref: emailAddress
- Name: INSTANCE_TYPE
Type: PLAINTEXT
Value:
Ref: instanceType
- Name: AFA_STACK_NAME
Type: PLAINTEXT
Value: AfaStack
- Name: AFA_BRANCH
Type: PLAINTEXT
Value:
Ref: afaBranch
- Name: AFA_REPO_URL
Type: PLAINTEXT
Value: https://github.com/aws-samples/simple-forecast-solution.git
Image: aws/codebuild/amazonlinux2-x86_64-standard:4.0
ImagePullCredentialsType: CODEBUILD
PrivilegedMode: true
Type: LINUX_CONTAINER
ServiceRole:
Fn::GetAtt:
- AfaCodeBuildRole2413BF20
- Arn
Source:
BuildSpec: |-
{
"version": "0.2",
"phases": {
"install": {
"runtime-versions": {
"python": "3.9",
"nodejs": "16"
},
"commands": [
"export CDK_TAGS=$(aws cloudformation describe-stacks --stack-name=$BOOTSTRAP_STACK_NAME --query Stacks[0].Tags | python -c 'import sys, json; print(\" \".join(\"--tags \" + d[\"Key\"] + \"=\" + d[\"Value\"] for d in json.load(sys.stdin)))')",
"export AWS_ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)",
"export BOOTSTRAP_URL=aws://$AWS_ACCOUNT_ID/$AWS_DEFAULT_REGION",
"npm i --silent --quiet --no-progress -g aws-cdk@2.45.0",
"(( [[ -n \"CDK_TAGS\" ]] ) && ( cdk bootstrap ${BOOTSTRAP_URL} )) || ( cdk bootstrap ${BOOTSTRAP_URL} )"
]
},
"build": {
"commands": [
"git clone $LAMBDAMAP_REPO_URL",
"cd lambdamap/",
"git checkout $LAMBDAMAP_BRANCH",
"make deploy STACK_NAME=$LAMBDAMAP_STACK_NAME CDK_TAGS=\"$CDK_TAGS\" FUNCTION_NAME=$LAMBDAMAP_FUNCTION_NAME EXTRA_CMDS=\"'git clone ${AFA_REPO_URL} ; cd ./simple-forecast-solution/ ; git checkout ${AFA_BRANCH} ; pip install -q --use-deprecated=legacy-resolver -e .'\"",
"cd ..",
"git clone $AFA_REPO_URL",
"cd simple-forecast-solution/",
"git checkout $AFA_BRANCH",
"pip install -q -r ./requirements.txt",
"make deploy-ui EMAIL=$EMAIL INSTANCE_TYPE=$INSTANCE_TYPE AFA_BRANCH=$AFA_BRANCH LAMBDAMAP_BRANCH=$LAMBDAMAP_BRANCH AFA_STACK_NAME=$AFA_STACK_NAME CDK_TAGS=\"$CDK_TAGS\""
]
}
}
}
Type: NO_SOURCE
Cache:
Type: NO_CACHE
EncryptionKey: alias/aws/s3
Tags:
- Key: Project
Value: Afa
Metadata:
aws:cdk:path: AfaBootstrapStack/DeployStacksProject/Resource
LambdaRole3A44B857:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Statement:
- Action: sts:AssumeRole
Effect: Allow
Principal:
Service: lambda.amazonaws.com
Version: "2012-10-17"
ManagedPolicyArns:
- Fn::Join:
- ""
- - "arn:"
- Ref: AWS::Partition
- :iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
Tags:
- Key: Project
Value: Afa
Metadata:
aws:cdk:path: AfaBootstrapStack/LambdaRole/Resource
LambdaPolicy7FF67BE6:
Type: AWS::IAM::Policy
Properties:
PolicyDocument:
Statement:
- Action: codebuild:StartBuild
Effect: Allow
Resource:
Fn::GetAtt:
- DeployStacksProject7C167385
- Arn
- Action: codebuild:ListProjects
Condition:
ForAllValues:StringEquals:
aws:ResourceAccount:
Ref: AWS::AccountId
aws:SourceAccount:
Ref: AWS::AccountId
Effect: Allow
Resource: "*"
- Action:
- lambda:GetFunction
- lambda:ListTags
- lambda:TagResource
- lambda:InvokeFunction
Effect: Allow
Resource:
Fn::Join:
- ""
- - "arn:aws:lambda:"
- Ref: AWS::Region
- ":"
- Ref: AWS::AccountId
- :function:DeployStacksFunction
- Action:
- logs:CreateLogGroup
- logs:CreateLogStream
- logs:PutLogEvents
Effect: Allow
Resource:
- Fn::Join:
- ""
- - "arn:aws:logs:"
- Ref: AWS::Region
- ":"
- Ref: AWS::AccountId
- :log-group:/aws/lambda/
- Fn::Join:
- ""
- - "arn:aws:logs:"
- Ref: AWS::Region
- ":"
- Ref: AWS::AccountId
- :log-group:/aws/lambda/
- Ref: AWS::StackName
- "*"
Version: "2012-10-17"
PolicyName: LambdaPolicy7FF67BE6
Roles:
- Ref: LambdaRole3A44B857
Metadata:
cfn_nag:
rules_to_suppress:
- id: W12
reason: These actions require '*' resources.
DeployStacksFunction96A8E985:
Type: AWS::Lambda::Function
Properties:
Code:
ZipFile: |
import os
import json
import boto3
import cfnresponse
def lambda_handler(event, context):
client = boto3.client("codebuild")
client.start_build(projectName=os.environ["PROJECT_NAME"])
cfnresponse.send(event, context, cfnresponse.SUCCESS, {},
"CustomResourcePhysicalID")
return
Role:
Fn::GetAtt:
- LambdaRole3A44B857
- Arn
Environment:
Variables:
PROJECT_NAME:
Ref: DeployStacksProject7C167385
Handler: index.lambda_handler
Runtime: python3.9
Tags:
- Key: Project
Value: Afa
DependsOn:
- LambdaRole3A44B857
Metadata:
cfn_nag:
rules_to_suppress:
- id: W89
reason: Function does not access resources in a VPC.
- id: W92
reason: Function only runs once during CFN deploys.
- id: W58
reason: Function has permissions to write to CW logs.
CustomResource:
Type: AWS::CloudFormation::CustomResource
Properties:
ServiceToken:
Fn::GetAtt:
- DeployStacksFunction96A8E985
- Arn
DependsOn:
- DeployStacksProject7C167385
UpdateReplacePolicy: Delete
DeletionPolicy: Delete
Metadata:
aws:cdk:path: AfaBootstrapStack/CustomResource/Default
CDKMetadata:
Type: AWS::CDK::Metadata
Properties:
Analytics: v2:deflate64:H4sIAAAAAAAA/02NywrCMBBFv6X7dHxUF64LrkP7AZImEadNMpAHUkL+XZsiuLoHzoF7hssVjo14h1aqpTU4QR6jkAvrn44LL6yO2rOvf2QUFvJARm+uLieDcq1ppcIkKT0lNAoy9zRrGavdsTAj7KQE5HtyMiK5Tf64FNanEMkOOlDycr/5456cwloyvsYXuUMHNzh1zRwQW59cRKth2PcDhuUhw9kAAAA=
Metadata:
aws:cdk:path: AfaBootstrapStack/CDKMetadata/Default
Condition: CDKMetadataAvailable
Conditions:
CDKMetadataAvailable:
Fn::Or:
- Fn::Or:
- Fn::Equals:
- Ref: AWS::Region
- af-south-1
- Fn::Equals:
- Ref: AWS::Region
- ap-east-1
- Fn::Equals:
- Ref: AWS::Region
- ap-northeast-1
- Fn::Equals:
- Ref: AWS::Region
- ap-northeast-2
- Fn::Equals:
- Ref: AWS::Region
- ap-south-1
- Fn::Equals:
- Ref: AWS::Region
- ap-southeast-1
- Fn::Equals:
- Ref: AWS::Region
- ap-southeast-2
- Fn::Equals:
- Ref: AWS::Region
- ca-central-1
- Fn::Equals:
- Ref: AWS::Region
- cn-north-1
- Fn::Equals:
- Ref: AWS::Region
- cn-northwest-1
- Fn::Or:
- Fn::Equals:
- Ref: AWS::Region
- eu-central-1
- Fn::Equals:
- Ref: AWS::Region
- eu-north-1
- Fn::Equals:
- Ref: AWS::Region
- eu-south-1
- Fn::Equals:
- Ref: AWS::Region
- eu-west-1
- Fn::Equals:
- Ref: AWS::Region
- eu-west-2
- Fn::Equals:
- Ref: AWS::Region
- eu-west-3
- Fn::Equals:
- Ref: AWS::Region
- me-south-1
- Fn::Equals:
- Ref: AWS::Region
- sa-east-1
- Fn::Equals:
- Ref: AWS::Region
- us-east-1
- Fn::Equals:
- Ref: AWS::Region
- us-east-2
- Fn::Or:
- Fn::Equals:
- Ref: AWS::Region
- us-west-1
- Fn::Equals:
- Ref: AWS::Region
- us-west-2