AWSTemplateFormatVersion: "2010-09-09" Description: >- (SA0006) - sagemaker-dashboards-for-ml: Used as root template for Dashboards with ML with Amazon SageMaker Solution. Version 1 Parameters: ResourceName: Type: String Description: | Used to name resources created as part of this stack (and inside nested stacks too). Can be the same as the stack name used by AWS CloudFormation, but this field has extra constraints because it's used to name resources with restrictions (e.g. Amazon S3 bucket names cannot contain capital letters). AllowedPattern: '^[a-z0-9\-]+$' ConstraintDescription: "Only allowed to use lowercase letters, hyphens and/or numbers." AddDevelopmentStack: Type: String Description: | Add stack for dashboard development? Contains Amazon SageMaker Notebook Instance and associated Amazon S3 Bucket. Default: "true" AllowedValues: - "true" - "false" SageMakerNotebookInstanceType: Description: | Choose the instance type for the Amazon SageMaker Notebook Instance. Will only be used if the development stack was added. Type: String Default: "ml.t3.medium" SageMakerNotebookGitRepository: Description: | Choose the Git repository to clone on the Amazon SageMaker Notebook Instance. Can be a GitHub URL (e.g. https://github.com/aws-samples/sagemaker-ml-dashboards.git) or AWS CodeCommit URL (e.g. https://git-codecommit.us-west-2.amazonaws.com/v1/repos/sagemaker-ml-dashboards). You can fork the original GitHub repository and use the URL of the forked version. Will only be used if the development stack was added. Type: String SageMakerNotebookGitUserName: Description: | Choose the Git user name to use for commits on the Amazon SageMaker Notebook Instance. Type: String Default: "SageMaker Default User" AllowedPattern: "^.+$" ConstraintDescription: "Must not be blank." SageMakerNotebookGitUserEmail: Description: | Choose the Git user email to use for commits on the Amazon SageMaker Notebook Instance. Can be blank. Type: String Default: "" CustomDomain: Type: String Description: | If you intend to host the deployed dashboard on a custom domain or sub-domain (e.g. dashboard.example.com), specify that here. Otherwise, leave this blank and the auto-generated Application Load Balancer DNS Name will be used instead. When specified, this will be used in authentication callbacks. Default: "" ApplicationLoadBalancerSSLCertificate: Type: String Description: | If you intend to host the deployed dashboard on a custom domain or sub-domain (e.g. dashboard.example.com), specify the ARN of the AWS Certificate Manager certificate that should be used by the Application Load Balancer for HTTPS connections. Otherwise, leave this blank and a self-signed certificate be used instead, but be aware that this will lead to security warnings and should only be used for development purposes (not in production). Default: "" ApplicationLoadBalancerCIDRWhitelist: Type: String Description: | Specify the CIDR IP address range that is allowed to access the dashboard (via the Application Load Balancer). Use http://checkip.amazonaws.com/ to find the IP address of your current machine. Only use '0.0.0.0/0' if public access is required. Default: "0.0.0.0/0" AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$' ConstraintDescription: "Must be a valid CIDR IP." ApplicationLoadBalancerStickySessions: Type: String Description: | Use sticky sessions to route all requests in a user session to the same dashboard server. Certain dashboard libraries may require this, but Streamlit does not. Default: "false" AllowedValues: - "true" - "false" AddCognitoAuthentication: Type: String Description: | Add Amazon Cognito authentication to dashboard? With authentication enabled, users access the dashboard with an individually assigned username and password. Default: "true" AllowedValues: - "true" - "false" CognitoAuthenticationSampleUserEmail: Type: String Description: | Specify an email address for the sample `dashboard_user` account. Used to send the temporary password for first-time dashboard access. A required field if using Amazon Cognito authentication, otherwise can leave blank. More users can be created through the Amazon Cognito Console or API. See the `CognitoUsersConsoleURL` output of this stack, for a link to the console where new users can be added. AllowedPattern: '^$|^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+$' ConstraintDescription: "Must be a valid email address." Default: "" Metadata: AWS::CloudFormation::Interface: ParameterGroups: - Label: default: General Parameters: - ResourceName - Label: default: Development Parameters: - AddDevelopmentStack - SageMakerNotebookInstanceType - SageMakerNotebookGitRepository - SageMakerNotebookGitUserName - SageMakerNotebookGitUserEmail - Label: default: Deployment Parameters: - CustomDomain - ApplicationLoadBalancerSSLCertificate - ApplicationLoadBalancerCIDRWhitelist - ApplicationLoadBalancerStickySessions - Label: default: Authentication Parameters: - AddCognitoAuthentication - CognitoAuthenticationSampleUserEmail ParameterLabels: ResourceName: default: Resource Name AddDevelopmentStack: default: Use Amazon SageMaker Notebook Instance for dashboard development? SageMakerNotebookInstanceType: default: Instance Type SageMakerNotebookGitRepository: default: Git Repository SageMakerNotebookGitUserName: default: Git User Name SageMakerNotebookGitUserEmail: default: Git User Email CustomDomain: default: Custom Domain Name ApplicationLoadBalancerSSLCertificate: default: SSL Certificate ApplicationLoadBalancerCIDRWhitelist: default: Security Group Inbound CIDR IP ApplicationLoadBalancerStickySessions: default: Use Sticky Sessions? AddCognitoAuthentication: default: Use Amazon Cognito Authentication? CognitoAuthenticationSampleUserEmail: default: Sample User Email Mappings: AWSRegionArch2ELBAccountID: us-east-1: id: 127311923021 us-east-2: id: 033677994240 us-west-1: id: 027434742980 us-west-2: id: 797873946194 af-south-1: id: 098369216593 ca-central-1: id: 985666609251 eu-central-1: id: 054676820928 eu-west-1: id: 156460612806 eu-west-2: id: 652711504416 eu-south-1: id: 635631232127 eu-west-3: id: 009996457667 eu-north-1: id: 897822967062 ap-east-1: id: 754344448648 ap-northeast-1: id: 582318560864 ap-northeast-2: id: 600734575887 ap-northeast-3: id: 383597477331 ap-southeast-1: id: 114774131450 ap-southeast-2: id: 783225319266 ap-south-1: id: 718504428378 me-south-1: id: 076674570225 sa-east-1: id: 507241528517 Conditions: AddDevelopmentStack: !Equals [!Ref AddDevelopmentStack, "true"] AddCognitoAuthentication: !Equals [!Ref AddCognitoAuthentication, "true"] Resources: S3Bucket: Type: "AWS::S3::Bucket" Properties: BucketName: !Sub ${ResourceName}-${AWS::Region}-${AWS::AccountId} PublicAccessBlockConfiguration: BlockPublicAcls: true BlockPublicPolicy: true IgnorePublicAcls: true RestrictPublicBuckets: true BucketEncryption: ServerSideEncryptionConfiguration: - ServerSideEncryptionByDefault: SSEAlgorithm: AES256 Metadata: cfn_nag: rules_to_suppress: - id: W35 reason: Avoids user having to manually create an Amazon S3 bucket for logs. - id: W51 reason: Current default access policy is sufficient. S3BucketPolicy: Type: AWS::S3::BucketPolicy Properties: Bucket: !Ref S3Bucket PolicyDocument: Statement: - Action: "s3:PutObject" Effect: "Allow" Resource: !Sub "arn:aws:s3:::${S3Bucket}/logs/AWSLogs/${AWS::AccountId}/*" Principal: AWS: !Sub - "arn:aws:iam::${ELB_ID}:root" - { ELB_ID: !FindInMap [ AWSRegionArch2ELBAccountID, !Ref "AWS::Region", id, ], } - Action: "s3:PutObject" Effect: "Allow" Resource: !Sub "arn:aws:s3:::${S3Bucket}/logs/AWSLogs/${AWS::AccountId}/*" Principal: Service: "delivery.logs.amazonaws.com" Condition: StringEquals: s3:x-amz-acl: "bucket-owner-full-control" - Action: "s3:GetBucketAcl" Effect: "Allow" Resource: !Sub "arn:aws:s3:::${S3Bucket}" Principal: Service: "delivery.logs.amazonaws.com" DevelopmentStack: Type: "AWS::CloudFormation::Stack" Condition: AddDevelopmentStack Properties: TemplateURL: ./development/development.yaml Parameters: ResourceName: !Ref ResourceName SageMakerNotebookInstanceType: !Ref SageMakerNotebookInstanceType SageMakerNotebookGitRepository: !Ref SageMakerNotebookGitRepository SageMakerNotebookGitUserName: !Ref SageMakerNotebookGitUserName SageMakerNotebookGitUserEmail: !Ref SageMakerNotebookGitUserEmail SageMakerModel: !GetAtt DeploymentStack.Outputs.SageMakerModel ECRRepository: !GetAtt DeploymentStack.Outputs.ECRRepository ECSCluster: !GetAtt DeploymentStack.Outputs.ECSCluster ECSService: !GetAtt DeploymentStack.Outputs.ECSService DashboardURL: !GetAtt DeploymentStack.Outputs.DashboardURL ApplicationLoadBalancer: !GetAtt DeploymentStack.Outputs.ApplicationLoadBalancer AddCognitoAuthentication: !Ref AddCognitoAuthentication S3Bucket: !Ref S3Bucket DeploymentStack: Type: "AWS::CloudFormation::Stack" Properties: TemplateURL: ./deployment/deployment.yaml Parameters: ResourceName: !Ref ResourceName CustomDomain: !Ref CustomDomain ApplicationLoadBalancerSSLCertificate: !Ref ApplicationLoadBalancerSSLCertificate ApplicationLoadBalancerCIDRWhitelist: !Ref ApplicationLoadBalancerCIDRWhitelist ApplicationLoadBalancerStickySessions: !Ref ApplicationLoadBalancerStickySessions AddCognitoAuthentication: !Ref AddCognitoAuthentication CognitoAuthenticationSampleUserEmail: !Ref CognitoAuthenticationSampleUserEmail SageMakerModel: !Ref ResourceName S3Bucket: !Ref S3Bucket SolutionAssistant: Type: "AWS::CloudFormation::Stack" Properties: TemplateURL: ./assistants/solution-assistant/solution-assistant.yaml Parameters: ResourceName: !Ref ResourceName ECRRepository: !GetAtt DeploymentStack.Outputs.ECRRepository SageMakerModel: !GetAtt DeploymentStack.Outputs.SageMakerModel AddDevelopmentStack: !Ref AddDevelopmentStack S3BucketAssistant: Type: "AWS::CloudFormation::Stack" Properties: TemplateURL: ./assistants/bucket-assistant/bucket-assistant.yaml Parameters: ResourceName: !Ref ResourceName S3Bucket: !Ref S3Bucket Outputs: SageMakerNotebookInstanceURL: Condition: AddDevelopmentStack Description: | URL of Amazon SageMaker Notebook Instance for dashboard development. Will open in Jupyter tree view, showing all project files in the Git repository. Value: !GetAtt DevelopmentStack.Outputs.SageMakerNotebookInstanceURL DashboardURL: Description: | URL of dashboard. Will show 'Server Error' until the dashboard container is pushed to Amazon ECR and the Amazon ECS service is started. Value: !GetAtt DeploymentStack.Outputs.DashboardURL ApplicationLoadBalancerURL: Description: | URL of the Application Load Balancer. When `CustomDomain` was specified, you should add a CNAME record on the custom domain (or sub-domain) that points to this URL. Value: !GetAtt DeploymentStack.Outputs.ApplicationLoadBalancer CognitoUsersConsoleURL: Condition: AddCognitoAuthentication Description: | URL of the Amazon Cognito Console page for managing dashboard users (e.g. adding new users). Value: !GetAtt DeploymentStack.Outputs.CognitoUsersConsoleURL