# CloudFormation template: publishes a SageMaker product through Service Catalog and creates the
# IAM principals around it -- an end-user role (plus optional group) that may see/launch the
# product and a launch role whose permissions bound what a launch can do.
AWSTemplateFormatVersion: 2010-09-09
Description: SageMaker Service Catalog Setup (qs-1qojf6qen) 
# Console-only presentation hints (parameter grouping and labels); nothing here affects the
# resources that get provisioned.
Metadata:
  "AWS::CloudFormation::Interface":
    ParameterGroups:
      - Label:
          default: Environment Details
        Parameters:
          - ENVName
          - RandomStringArn
      - Label:
          default: AWS Quick Start Configuration
        Parameters:
          - QSS3BucketName
          - QSS3KeyPrefix
          - QSS3BucketRegion
      - Label:
          default: Access to Service Catalog for DataScientist to launch SageMaker Product [By default IAM role will be enabled for launching SageMaker product]
        Parameters:
          - EnableIAMGroup
    ParameterLabels:
      EnableIAMGroup:
        default: Enable IAM group access for Service catalog
      RandomStringArn:
        default: Random String Generator
      ENVName:
        default: Environment Name
      QSS3BucketName:
        default: Quick Start S3 Bucket Name
      QSS3BucketRegion:
        default: Quick Start S3 bucket region
      QSS3KeyPrefix:
        default: Quick Start S3 Key Prefix
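Parameters:
  ENVName:
    Description: SageMaker Project name
    Type: String
    # Prefixed onto an IAM policy name and several resource names/tags below. Constrain it to the
    # IAM name character set so a bad value is rejected at parameter validation instead of failing
    # half-way through stack creation inside SCLaunchRole.
    AllowedPattern: '^[A-Za-z0-9+=,.@_-]+$'
    ConstraintDescription: >-
      Environment name must be non-empty and may contain only letters, numbers, and the
      characters + = , . @ _ -
  RandomStringArn:
    Description: The ARN of the Lambda function that generates the random suffix appended to the names of resources created by this template
    Type: String
    # Security: this ARN becomes the ServiceToken of a custom resource, i.e. the stack invokes
    # whatever function is supplied here and trusts its output. Require a Lambda function ARN shape
    # so the value cannot be an SNS topic or an arbitrary string; the deployer still has to make
    # sure the function itself is trusted.
    AllowedPattern: '^arn:aws[a-zA-Z-]*:lambda:[a-z0-9-]+:[0-9]{12}:function:[a-zA-Z0-9_-]+(:[a-zA-Z0-9_$-]+)?$'
    ConstraintDescription: 'Must be a Lambda function ARN: arn:<partition>:lambda:<region>:<account-id>:function:<name>[:<qualifier>]'
  QSS3BucketName:
    AllowedPattern: "^[0-9a-zA-Z]+([0-9a-zA-Z-]*[0-9a-zA-Z])*$"
    ConstraintDescription: >-
      Quick Start bucket name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-).
    # Supply-chain note: the SageMaker product template is loaded from this bucket (see
    # SageMakerProduct) and is then executed under SCLaunchRole. Whoever can write to this bucket
    # and prefix controls what that role provisions.
    Description: S3 bucket name for the Quick Start assets.
    Type: String
  QSS3KeyPrefix:
    # The prefix is concatenated directly with 'templates/...' when building the template URL, so
    # it must be empty or end with '/'; the previous pattern accepted 'foo' and silently produced
    # the key 'footemplates/...'.
    AllowedPattern: '^([0-9a-zA-Z-]+/)*$'
    ConstraintDescription: >-
      Quick Start key prefix can include numbers, lowercase letters, uppercase
      letters, and hyphens (-). Each folder segment must end with a forward slash (/), e.g. my-prefix/.
    Description: "The S3 key prefix for the Quick Start assets. The Quick Start key prefix can include numbers, lowercase letters, uppercase letters, and hyphens (-); it must be empty or end with a forward slash (/)."
    Type: String
  QSS3BucketRegion:
    Default: 'us-east-2'
    Description: The AWS Region where the Quick Start S3 bucket (QSS3BucketName) is hosted. When using your own bucket, you must specify this value.
    Type: String
    # Only consulted when QSS3BucketName is not the default bucket (see UsingDefaultBucket).
    AllowedPattern: '^[a-z]{2}-[a-z0-9-]+-[0-9]$'
    ConstraintDescription: Must be an AWS Region code such as us-east-2, eu-central-1 or us-gov-west-1.
  EnableIAMGroup:
    Description: IAM Group for launching the SageMaker product (Optional)
    # Keep YES/NO quoted: unquoted they are YAML 1.1 booleans and the IAMGroupCondition
    # comparison against the string "NO" would no longer match.
    Default: 'NO'
    Type: String
    AllowedValues:
      - 'YES'
      - 'NO'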
Conditions:
  # True when the public Quick Start bucket is used; the template URL is then built from the
  # per-region bucket '<name>-<region>' in the stack's own region rather than QSS3BucketRegion.
  UsingDefaultBucket: !Equals
    - !Ref QSS3BucketName
    - 'aws-quickstart'
  # Creates the optional IAM group and its portfolio association. "NO" is quoted on purpose so
  # it is compared as a string and not coerced to a YAML boolean.
  IAMGroupCondition: !Not 
    - !Equals 
      - "NO"
      - !Ref EnableIAMGroup
Resources:
  # Custom resource backed by the Lambda given in RandomStringArn. The value its Ref resolves to
  # is appended to role, policy, portfolio and product names below, so the function's output is
  # trusted verbatim and must be under the same control as this stack.
  RandomString:
    Type: Custom::RandomString
    Properties:
      ServiceToken: !Ref RandomStringArn
      Number: 8  # presumably the length of the generated string; interpreted by the Lambda, not by CloudFormation
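  # Role registered as a portfolio principal (see PortfolioRoleAssociation) and described as the
  # data-scientist end-user role.
  # NOTE(review): the trust policy only lets the SageMaker service assume this role, so no human
  # or federated identity can actually use it to browse/launch the product. If data scientists are
  # meant to use it, a user/IdP principal must be added to the trust policy (or the IAM group
  # enabled via EnableIAMGroup); confirm the intended access path.
  SCEndUserRole:
    Type: 'AWS::IAM::Role'
    Properties:
      Description: Provides full access to service catalog enduser capabilities
      Tags:
        - Key: Environment
          Value: !Sub '${ENVName}${RandomString}'
        - Key: Name
          Value: !Sub '${ENVName}${RandomString}SCEndUserRole'
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - sagemaker.amazonaws.com
            Action:
              - 'sts:AssumeRole'
            # Confused-deputy guard: SageMaker may only assume this role on behalf of resources in
            # this account. SageMaker populates aws:SourceAccount on its AssumeRole calls; tighten
            # further with aws:SourceArn once the calling SageMaker resources are known.
            Condition:
              StringEquals:
                'aws:SourceAccount': !Ref 'AWS::AccountId'
      ManagedPolicyArns:
        # Use the stack's partition instead of a hard-coded 'aws' so the template also deploys in
        # aws-us-gov / aws-cn (the product URL already uses AWS::URLSuffix for the same reason).
        - !Sub 'arn:${AWS::Partition}:iam::aws:policy/AWSServiceCatalogEndUserFullAccess'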
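  # Launch role: Service Catalog assumes this role to run the product's CloudFormation template on
  # behalf of the end user, so these permissions -- not the end user's -- bound what a launch can do.
  # Security: IAMFullAccess + AmazonS3FullAccess + AWSCloudFormationFullAccess on a launch role is
  # close to account-admin. Every principal associated with the portfolio, and anyone able to modify
  # the product template in the Quick Start bucket, effectively inherits these permissions.
  # TODO(review): scope the policies to the actions the product template actually needs, or at
  # least attach a PermissionsBoundary to IAM roles it creates; the required set is not visible here.
  SCLaunchRole:
    Type: 'AWS::IAM::Role'
    Properties:
      Description: Provides full access to service catalog to launch product
      Tags:
        - Key: Environment
          Value: !Sub '${ENVName}${RandomString}'
        - Key: Name
          Value: !Sub '${ENVName}${RandomString}SCLaunchRole'
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - servicecatalog.amazonaws.com
            Action:
              - 'sts:AssumeRole'
            # Confused-deputy guard: only allow Service Catalog to assume this role for provisioning
            # that originates in this account (aws:SourceAccount is set by the service on AssumeRole).
            Condition:
              StringEquals:
                'aws:SourceAccount': !Ref 'AWS::AccountId'
      Path: /
      Policies:
        - PolicyName: !Sub '${ENVName}${RandomString}SCLaunchPolicy'
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Sid: LambdaInvokePermission
                Effect: Allow
                Action:
                  - 'lambda:InvokeFunction'
                # Presumably needed for custom resources inside the product template. 'function:*'
                # allows invoking every function in this account/region -- narrow it to the specific
                # function names once they are known.
                Resource:
                  - !Sub 'arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:*'
      ManagedPolicyArns:
        # Partition taken from the stack rather than hard-coded 'aws' (GovCloud / China portability).
        - !Sub 'arn:${AWS::Partition}:iam::aws:policy/IAMFullAccess'
        - !Sub 'arn:${AWS::Partition}:iam::aws:policy/AmazonS3FullAccess'
        - !Sub 'arn:${AWS::Partition}:iam::aws:policy/AWSCloudFormationFullAccess'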
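  # Optional IAM group (EnableIAMGroup=YES) that is associated with the portfolio below. No
  # GroupName is set, so CloudFormation generates one; group membership is managed outside this
  # template, and every member can launch the product with SCLaunchRole's permissions.
  SCUserGroup:
    Type: 'AWS::IAM::Group'
    Condition: IAMGroupCondition
    Properties:
      ManagedPolicyArns:
        # Partition taken from the stack rather than hard-coded 'aws' (GovCloud / China portability).
        - !Sub 'arn:${AWS::Partition}:iam::aws:policy/AWSServiceCatalogEndUserFullAccess'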
  # Portfolio holding the SageMaker product. Only the principals associated with it (SCEndUserRole
  # and, optionally, SCUserGroup) can see or launch the product.
  SageMakerPortfolio:
    Type: 'AWS::ServiceCatalog::Portfolio'
    Properties:
      AcceptLanguage: en
      Description: Sagemaker Portfolio with all Guardrails
      DisplayName: !Sub '${ENVName}${RandomString}SageMakerPortfolio'
      ProviderName: Brillio
      Tags:
        - Key: Name
          Value: !Sub '${ENVName}${RandomString}SageMakerPortfolio'
        - Key: ENVName
          Value: !Sub '${ENVName}${RandomString}'
  # Service Catalog product whose single provisioning artifact is the CloudFormation template
  # fetched from the Quick Start bucket. Supply-chain note: that template is executed under
  # SCLaunchRole, so write access to the bucket/prefix is equivalent to holding the launch role's
  # permissions; keep the bucket under the same change control as this template.
  SageMakerProduct:
    Type: 'AWS::ServiceCatalog::CloudFormationProduct'
    Properties:
      AcceptLanguage: en
      Description: This product creates SageMaker Product with provided parameter values.
      Distributor: Amazon
      Name: !Sub '${ENVName}${RandomString}SageMakerProduct'
      Owner: Brillio
      ProvisioningArtifactParameters:
        - Description: >-
            This product creates SageMaker Product with provided parameter
            values.
          Info:
            # Default bucket: per-region copy '<bucket>-<region>' in the stack's region.
            # Custom bucket: the name and region given by the parameters.
            LoadTemplateFromURL: !Sub
              - https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}templates/sagemakerproduct.template.yaml
              - S3Bucket: !If
                  - UsingDefaultBucket
                  - !Sub '${QSS3BucketName}-${AWS::Region}'
                  - !Ref 'QSS3BucketName'
                S3Region: !If
                  - UsingDefaultBucket
                  - !Ref 'AWS::Region'
                  - !Ref 'QSS3BucketRegion'
          Name: Version 1
      SupportDescription: Brillio DI Team
      SupportEmail: aws-brillio@brillio.com
      SupportUrl: >-
        https://www.brillio.com/what-we-do/digital-infrastructure/cloud-infrastructure/
      Tags:
        - Key: Name
          Value: !Sub '${ENVName}${RandomString}SageMakerProduct'
        - Key: ENVName
          Value: !Sub '${ENVName}${RandomString}'
  # Places the product in the portfolio; access is granted per portfolio, not per product.
  SageMakerProductAssociation:
    Type: 'AWS::ServiceCatalog::PortfolioProductAssociation'
    Properties:
      PortfolioId: !Ref SageMakerPortfolio
      ProductId: !Ref SageMakerProduct
  # Grants SCEndUserRole visibility/launch rights on the portfolio. Whether anyone can reach the
  # portfolio through this role depends on who is allowed to assume SCEndUserRole (see its trust
  # policy) -- the association alone does not make it usable by data scientists.
  PortfolioRoleAssociation:
    Type: 'AWS::ServiceCatalog::PortfolioPrincipalAssociation'
    Properties:
      PortfolioId: !Ref SageMakerPortfolio
      PrincipalARN: !GetAtt 
        - SCEndUserRole
        - Arn
      PrincipalType: IAM
  # Optional: grants the IAM group portfolio access when EnableIAMGroup is YES. Same condition as
  # SCUserGroup, so the GetAtt never points at a resource that was not created.
  PortfolioGroupAssociation:
    Type: 'AWS::ServiceCatalog::PortfolioPrincipalAssociation'
    Condition: IAMGroupCondition
    Properties:
      PortfolioId: !Ref SageMakerPortfolio
      PrincipalARN: !GetAtt 
        - SCUserGroup
        - Arn
      PrincipalType: IAM
  # Launch constraint: provisioning of this product runs with SCLaunchRole's permissions instead
  # of the launching user's. This is what lets end users with only
  # AWSServiceCatalogEndUserFullAccess create SageMaker infrastructure -- and also why the scope
  # of SCLaunchRole is the real security boundary of this template.
  SCLaunchRoleConstraint:
    Type: AWS::ServiceCatalog::LaunchRoleConstraint
    Properties: 
      AcceptLanguage: en
      Description: Role to create SageMaker product
      PortfolioId: !Ref SageMakerPortfolio
      ProductId: !Ref SageMakerProduct
      RoleArn: !GetAtt 
        - SCLaunchRole
        - Arn
# Role and group outputs are Refs, i.e. the generated resource names (not ARNs).
Outputs:
  SageMakerPortfolio:
    Value: !Ref SageMakerPortfolio
    Description: SageMaker Portfolio ID
  SageMakerProduct:
    Value: !Ref SageMakerProduct
    Description: SageMaker Product ID
  SCEndUserRole:
    Value: !Ref SCEndUserRole
    Description: Provides access to enduser for launching the SageMaker product
  # Only emitted when the optional group exists; the Condition must match SCUserGroup's.
  SCUserGroup:
    Value: !Ref SCUserGroup
    Condition: IAMGroupCondition
    Description: IAM Group for launching the SageMaker product
  SCLaunchRole:
    Value: !Ref SCLaunchRole
    Description: Provides full access to service catalog to launch product