AWSTemplateFormatVersion: 2010-09-09
Description: SageMaker Service Catalog Setup (qs-1qojf6qen)
Metadata:
"AWS::CloudFormation::Interface":
ParameterGroups:
- Label:
default: Environment Details
Parameters:
- ENVName
- RandomStringArn
- Label:
default: AWS Quick Start Configuration
Parameters:
- QSS3BucketName
- QSS3KeyPrefix
- QSS3BucketRegion
- Label:
default: Access to Service Catalog for DataScientist to launch SageMaker Product [By default IAM role will be enabled for launching SageMaker product]
Parameters:
- EnableIAMGroup
ParameterLabels:
EnableIAMGroup:
default: Enable IAM group access for Service catalog
RandomStringArn:
default: Random String Generator
ENVName:
default: Environment Name
QSS3BucketName:
default: Quick Start S3 Bucket Name
QSS3BucketRegion:
default: Quick Start S3 bucket region
QSS3KeyPrefix:
default: Quick Start S3 Key Prefix
Parameters:
ENVName:
Description: SageMaker Project name
Type: String
RandomStringArn:
Description: The ARN for the function that will generate the random value to be used in the naming of the S3 Buckets
Type: String
QSS3BucketName:
AllowedPattern: "^[0-9a-zA-Z]+([0-9a-zA-Z-]*[0-9a-zA-Z])*$"
ConstraintDescription: >-
Quick Start bucket name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-).
Description: S3 bucket name for the Quick Start assets.
Type: String
QSS3KeyPrefix:
AllowedPattern: "^[0-9a-zA-Z-/]*$"
ConstraintDescription: >-
Quick Start key prefix can include numbers, lowercase letters, uppercase
letters, hyphens (-), and forward slash (/).
Description: "The S3 key prefix for the Quick Start assets. The Quick Start key prefix can include numbers, lowercase letters, uppercase letters, hyphens (-), and forward slash (/)."
Type: String
QSS3BucketRegion:
Default: 'us-east-2'
Description: The AWS Region where the Quick Start S3 bucket (QSS3BucketName) is hosted. When using your own bucket, you must specify this value.
Type: String
EnableIAMGroup:
Description: IAM Group for launching the SageMaker product (Optional)
Default: 'NO'
Type: String
AllowedValues:
- 'YES'
- 'NO'
Conditions:
UsingDefaultBucket: !Equals
- !Ref QSS3BucketName
- 'aws-quickstart'
IAMGroupCondition: !Not
- !Equals
- "NO"
- !Ref EnableIAMGroup
Resources:
RandomString:
Type: Custom::RandomString
Properties:
ServiceToken: !Ref RandomStringArn
Number: 8
SCEndUserRole:
Type: 'AWS::IAM::Role'
Properties:
Description: Provides full access to service catalog enduser capabilities
Tags:
- Key: Environment
Value: !Join
- ''
- - !Ref ENVName
- !Sub ${RandomString}
- Key: Name
Value: !Join
- ''
- - !Ref ENVName
- !Sub ${RandomString}
- SCEndUserRole
AssumeRolePolicyDocument:
Statement:
- Effect: Allow
Principal:
Service:
- sagemaker.amazonaws.com
Action:
- 'sts:AssumeRole'
ManagedPolicyArns:
- !Join
- ''
- - 'arn:aws:iam::'
- 'aws'
- ':policy/AWSServiceCatalogEndUserFullAccess'
SCLaunchRole:
Type: 'AWS::IAM::Role'
Properties:
Description: Provides full access to service catalog to launch product
Tags:
- Key: Environment
Value: !Join
- ''
- - !Ref ENVName
- !Sub ${RandomString}
- Key: Name
Value: !Join
- ''
- - !Ref ENVName
- !Sub ${RandomString}
- SCLaunchRole
AssumeRolePolicyDocument:
Statement:
- Effect: Allow
Principal:
Service:
- servicecatalog.amazonaws.com
Action:
- 'sts:AssumeRole'
Path: /
Policies:
- PolicyName: !Join
- ''
- - !Ref ENVName
- !Sub ${RandomString}
- SCLaunchPolicy
PolicyDocument:
Version: 2012-10-17
Statement:
- Sid: LambdaInvokePermission
Effect: Allow
Action:
- 'lambda:InvokeFunction'
Resource:
- !Join
- ''
- - 'arn:aws:lambda:'
- !Ref 'AWS::Region'
- ':'
- !Ref 'AWS::AccountId'
- ':function:*'
ManagedPolicyArns:
- !Join
- ''
- - 'arn:aws:iam::'
- 'aws'
- ':policy/IAMFullAccess'
- !Join
- ''
- - 'arn:aws:iam::'
- 'aws'
- ':policy/AmazonS3FullAccess'
- !Join
- ''
- - 'arn:aws:iam::'
- 'aws'
- ':policy/AWSCloudFormationFullAccess'
SCUserGroup:
Type: 'AWS::IAM::Group'
Condition: IAMGroupCondition
Properties:
ManagedPolicyArns:
- !Join
- ''
- - 'arn:aws:iam::'
- 'aws'
- ':policy/AWSServiceCatalogEndUserFullAccess'
SageMakerPortfolio:
Type: 'AWS::ServiceCatalog::Portfolio'
Properties:
AcceptLanguage: en
Description: Sagemaker Portfolio with all Guardrails
DisplayName: !Join
- ''
- - !Ref ENVName
- !Sub ${RandomString}
- SageMakerPortfolio
ProviderName: Brillio
Tags:
- Key: Name
Value: !Join
- ''
- - !Ref ENVName
- !Sub ${RandomString}
- SageMakerPortfolio
- Key: ENVName
Value: !Join
- ''
- - !Ref ENVName
- !Sub ${RandomString}
SageMakerProduct:
Type: 'AWS::ServiceCatalog::CloudFormationProduct'
Properties:
AcceptLanguage: en
Description: This product creates SageMaker Product with provided parameter values.
Distributor: Amazon
Name: !Join
- ''
- - !Ref ENVName
- !Sub ${RandomString}
- SageMakerProduct
Owner: Brillio
ProvisioningArtifactParameters:
- Description: >-
This product creates SageMaker Product with provided parameter
values.
Info:
LoadTemplateFromURL: !Sub
- https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}templates/sagemakerproduct.template.yaml
- S3Region: !If
- UsingDefaultBucket
- !Ref 'AWS::Region'
- !Ref 'QSS3BucketRegion'
S3Bucket: !If
- UsingDefaultBucket
- !Sub '${QSS3BucketName}-${AWS::Region}'
- !Ref 'QSS3BucketName'
Name: Version 1
SupportDescription: Brillio DI Team
SupportEmail: aws-brillio@brillio.com
SupportUrl: >-
https://www.brillio.com/what-we-do/digital-infrastructure/cloud-infrastructure/
Tags:
- Key: Name
Value: !Join
- ''
- - !Ref ENVName
- !Sub ${RandomString}
- SageMakerProduct
- Key: ENVName
Value: !Join
- ''
- - !Ref ENVName
- !Sub ${RandomString}
SageMakerProductAssociation:
Type: 'AWS::ServiceCatalog::PortfolioProductAssociation'
Properties:
PortfolioId: !Ref SageMakerPortfolio
ProductId: !Ref SageMakerProduct
PortfolioRoleAssociation:
Type: 'AWS::ServiceCatalog::PortfolioPrincipalAssociation'
Properties:
PortfolioId: !Ref SageMakerPortfolio
PrincipalARN: !GetAtt
- SCEndUserRole
- Arn
PrincipalType: IAM
PortfolioGroupAssociation:
Type: 'AWS::ServiceCatalog::PortfolioPrincipalAssociation'
Condition: IAMGroupCondition
Properties:
PortfolioId: !Ref SageMakerPortfolio
PrincipalARN: !GetAtt
- SCUserGroup
- Arn
PrincipalType: IAM
SCLaunchRoleConstraint:
Type: AWS::ServiceCatalog::LaunchRoleConstraint
Properties:
AcceptLanguage: en
Description: Role to create SageMaker product
PortfolioId: !Ref SageMakerPortfolio
ProductId: !Ref SageMakerProduct
RoleArn: !GetAtt
- SCLaunchRole
- Arn
Outputs:
SageMakerPortfolio:
Value: !Ref SageMakerPortfolio
Description: SageMaker Portfolio ID
SageMakerProduct:
Value: !Ref SageMakerProduct
Description: SageMaker Product ID
SCEndUserRole:
Value: !Ref SCEndUserRole
Description: Provides access to enduser for launching the SageMaker product
SCUserGroup:
Value: !Ref SCUserGroup
Condition: IAMGroupCondition
Description: IAM Group for launching the SageMaker product
SCLaunchRole:
Value: !Ref SCLaunchRole
Description: Provides full access to service catalog to launch product