AWSTemplateFormatVersion: 2010-09-09 Description: SageMaker Service Catalog Setup (qs-1qojf6qen) Metadata: "AWS::CloudFormation::Interface": ParameterGroups: - Label: default: Environment Details Parameters: - ENVName - RandomStringArn - Label: default: AWS Quick Start Configuration Parameters: - QSS3BucketName - QSS3KeyPrefix - QSS3BucketRegion - Label: default: Access to Service Catalog for DataScientist to launch SageMaker Product [By default IAM role will be enabled for launching SageMaker product] Parameters: - EnableIAMGroup ParameterLabels: EnableIAMGroup: default: Enable IAM group access for Service catalog RandomStringArn: default: Random String Generator ENVName: default: Environment Name QSS3BucketName: default: Quick Start S3 Bucket Name QSS3BucketRegion: default: Quick Start S3 bucket region QSS3KeyPrefix: default: Quick Start S3 Key Prefix Parameters: ENVName: Description: SageMaker Project name Type: String RandomStringArn: Description: The ARN for the function that will generate the random value to be used in the naming of the S3 Buckets Type: String QSS3BucketName: AllowedPattern: "^[0-9a-zA-Z]+([0-9a-zA-Z-]*[0-9a-zA-Z])*$" ConstraintDescription: >- Quick Start bucket name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-). Description: S3 bucket name for the Quick Start assets. Type: String QSS3KeyPrefix: AllowedPattern: "^[0-9a-zA-Z-/]*$" ConstraintDescription: >- Quick Start key prefix can include numbers, lowercase letters, uppercase letters, hyphens (-), and forward slash (/). Description: "The S3 key prefix for the Quick Start assets. The Quick Start key prefix can include numbers, lowercase letters, uppercase letters, hyphens (-), and forward slash (/)." Type: String QSS3BucketRegion: Default: 'us-east-2' Description: The AWS Region where the Quick Start S3 bucket (QSS3BucketName) is hosted. When using your own bucket, you must specify this value. Type: String EnableIAMGroup: Description: IAM Group for launching the SageMaker product (Optional) Default: 'NO' Type: String AllowedValues: - 'YES' - 'NO' Conditions: UsingDefaultBucket: !Equals - !Ref QSS3BucketName - 'aws-quickstart' IAMGroupCondition: !Not - !Equals - "NO" - !Ref EnableIAMGroup Resources: RandomString: Type: Custom::RandomString Properties: ServiceToken: !Ref RandomStringArn Number: 8 SCEndUserRole: Type: 'AWS::IAM::Role' Properties: Description: Provides full access to service catalog enduser capabilities Tags: - Key: Environment Value: !Join - '' - - !Ref ENVName - !Sub ${RandomString} - Key: Name Value: !Join - '' - - !Ref ENVName - !Sub ${RandomString} - SCEndUserRole AssumeRolePolicyDocument: Statement: - Effect: Allow Principal: Service: - sagemaker.amazonaws.com Action: - 'sts:AssumeRole' ManagedPolicyArns: - !Join - '' - - 'arn:aws:iam::' - 'aws' - ':policy/AWSServiceCatalogEndUserFullAccess' SCLaunchRole: Type: 'AWS::IAM::Role' Properties: Description: Provides full access to service catalog to launch product Tags: - Key: Environment Value: !Join - '' - - !Ref ENVName - !Sub ${RandomString} - Key: Name Value: !Join - '' - - !Ref ENVName - !Sub ${RandomString} - SCLaunchRole AssumeRolePolicyDocument: Statement: - Effect: Allow Principal: Service: - servicecatalog.amazonaws.com Action: - 'sts:AssumeRole' Path: / Policies: - PolicyName: !Join - '' - - !Ref ENVName - !Sub ${RandomString} - SCLaunchPolicy PolicyDocument: Version: 2012-10-17 Statement: - Sid: LambdaInvokePermission Effect: Allow Action: - 'lambda:InvokeFunction' Resource: - !Join - '' - - 'arn:aws:lambda:' - !Ref 'AWS::Region' - ':' - !Ref 'AWS::AccountId' - ':function:*' ManagedPolicyArns: - !Join - '' - - 'arn:aws:iam::' - 'aws' - ':policy/IAMFullAccess' - !Join - '' - - 'arn:aws:iam::' - 'aws' - ':policy/AmazonS3FullAccess' - !Join - '' - - 'arn:aws:iam::' - 'aws' - ':policy/AWSCloudFormationFullAccess' SCUserGroup: Type: 'AWS::IAM::Group' Condition: IAMGroupCondition Properties: ManagedPolicyArns: - !Join - '' - - 'arn:aws:iam::' - 'aws' - ':policy/AWSServiceCatalogEndUserFullAccess' SageMakerPortfolio: Type: 'AWS::ServiceCatalog::Portfolio' Properties: AcceptLanguage: en Description: Sagemaker Portfolio with all Guardrails DisplayName: !Join - '' - - !Ref ENVName - !Sub ${RandomString} - SageMakerPortfolio ProviderName: Brillio Tags: - Key: Name Value: !Join - '' - - !Ref ENVName - !Sub ${RandomString} - SageMakerPortfolio - Key: ENVName Value: !Join - '' - - !Ref ENVName - !Sub ${RandomString} SageMakerProduct: Type: 'AWS::ServiceCatalog::CloudFormationProduct' Properties: AcceptLanguage: en Description: This product creates SageMaker Product with provided parameter values. Distributor: Amazon Name: !Join - '' - - !Ref ENVName - !Sub ${RandomString} - SageMakerProduct Owner: Brillio ProvisioningArtifactParameters: - Description: >- This product creates SageMaker Product with provided parameter values. Info: LoadTemplateFromURL: !Sub - https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}templates/sagemakerproduct.template.yaml - S3Region: !If - UsingDefaultBucket - !Ref 'AWS::Region' - !Ref 'QSS3BucketRegion' S3Bucket: !If - UsingDefaultBucket - !Sub '${QSS3BucketName}-${AWS::Region}' - !Ref 'QSS3BucketName' Name: Version 1 SupportDescription: Brillio DI Team SupportEmail: aws-brillio@brillio.com SupportUrl: >- https://www.brillio.com/what-we-do/digital-infrastructure/cloud-infrastructure/ Tags: - Key: Name Value: !Join - '' - - !Ref ENVName - !Sub ${RandomString} - SageMakerProduct - Key: ENVName Value: !Join - '' - - !Ref ENVName - !Sub ${RandomString} SageMakerProductAssociation: Type: 'AWS::ServiceCatalog::PortfolioProductAssociation' Properties: PortfolioId: !Ref SageMakerPortfolio ProductId: !Ref SageMakerProduct PortfolioRoleAssociation: Type: 'AWS::ServiceCatalog::PortfolioPrincipalAssociation' Properties: PortfolioId: !Ref SageMakerPortfolio PrincipalARN: !GetAtt - SCEndUserRole - Arn PrincipalType: IAM PortfolioGroupAssociation: Type: 'AWS::ServiceCatalog::PortfolioPrincipalAssociation' Condition: IAMGroupCondition Properties: PortfolioId: !Ref SageMakerPortfolio PrincipalARN: !GetAtt - SCUserGroup - Arn PrincipalType: IAM SCLaunchRoleConstraint: Type: AWS::ServiceCatalog::LaunchRoleConstraint Properties: AcceptLanguage: en Description: Role to create SageMaker product PortfolioId: !Ref SageMakerPortfolio ProductId: !Ref SageMakerProduct RoleArn: !GetAtt - SCLaunchRole - Arn Outputs: SageMakerPortfolio: Value: !Ref SageMakerPortfolio Description: SageMaker Portfolio ID SageMakerProduct: Value: !Ref SageMakerProduct Description: SageMaker Product ID SCEndUserRole: Value: !Ref SCEndUserRole Description: Provides access to enduser for launching the SageMaker product SCUserGroup: Value: !Ref SCUserGroup Condition: IAMGroupCondition Description: IAM Group for launching the SageMaker product SCLaunchRole: Value: !Ref SCLaunchRole Description: Provides full access to service catalog to launch product