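---
# Service Catalog bootstrap for the ADX workshop.
#
# Creates one portfolio, five CloudFormation products (ADX, ML model, IAM
# roles, SageMaker notebook, application), the portfolio/product associations,
# launch-role constraints for four of the products, the launch roles
# themselves, and an end-user role that is granted access to the portfolio.
#
# Review notes that apply to the whole template:
#   * Every IAM role below sets an explicit RoleName, so the stack must be
#     created with CAPABILITY_NAMED_IAM and can exist only once per account.
#   * What an end user can actually do is bounded by the launch roles and by
#     the product templates they run, not by the end-user role's own policy.
#     The launch roles are broad (see the notes on each role).
#   * The product templates are loaded from URLs outside this file, so their
#     content cannot be reviewed from here.
#   * AppProduct has no launch-role constraint in this template; without one,
#     Service Catalog provisions it with the calling user's own permissions.
#   * Date-like scalars are quoted so that generic YAML parsers keep them as
#     strings instead of converting them to dates.
AWSTemplateFormatVersion: '2010-09-09'
Description: ' This cloudformation template creates resources for the ADX Workshop(fdp-workshop-mlmpadx-meta)'

Resources:
  Portfolio:
    Type: 'AWS::ServiceCatalog::Portfolio'
    Properties:
      AcceptLanguage: en
      Description: AWS Data and ML module
      DisplayName: AWS Data and ML module
      ProviderName: CCOE

  # --- Products -----------------------------------------------------------
  # NOTE(review): each LoadTemplateFromURL is a plain object URL with no
  # version id or checksum. Whoever can write to that bucket decides what is
  # provisioned under the launch roles defined further down. Consider hosting
  # reviewed copies in a bucket you control with versioning enabled.
  ADXProduct:
    Type: 'AWS::ServiceCatalog::CloudFormationProduct'
    Properties:
      Owner: MP Team
      SupportDescription: Support Description
      Description: AWS Data Exchange product
      Distributor: AWS MP Team
      SupportEmail: awsmp@example.com
      AcceptLanguage: en
      SupportUrl: 'https://support.com'
      Name: AWS Data Exchange product (Shutterstock dataset)
      ProvisioningArtifactParameters:
        - Description: Base Version
          Info:
            LoadTemplateFromURL: 'https://marketplace-sa-resources.s3.amazonaws.com/activation_day/DataExchangeDownloadDataSet-v0.8.yaml'
          Name: v2.0

  MLProduct:
    Type: 'AWS::ServiceCatalog::CloudFormationProduct'
    Properties:
      Owner: MP Team
      SupportDescription: Support Description
      Description: A Machine Learning Model Package.
      Distributor: AWS MP Team
      SupportEmail: awsmp@example.com
      AcceptLanguage: en
      SupportUrl: 'https://support.com'
      Name: AWS Marketplace - Machine Learning Model (CV)
      ProvisioningArtifactParameters:
        - Description: Base Version
          Info:
            LoadTemplateFromURL: 'https://marketplace-sa-resources.s3.amazonaws.com/activation_day/resnet18.yml'
          Name: v2.0

  IAMProduct:
    Type: 'AWS::ServiceCatalog::CloudFormationProduct'
    Properties:
      Owner: MP Team
      SupportDescription: Support Description
      Description: IAM roles
      Distributor: AWS MP Team
      SupportEmail: awsmp@example.com
      AcceptLanguage: en
      SupportUrl: 'https://support.com'
      Name: IAM roles
      ProvisioningArtifactParameters:
        - Description: Base Version
          Info:
            LoadTemplateFromURL: 'https://marketplace-sa-resources.s3.amazonaws.com/activation_day/s3_and_iam_roles.yaml'
          Name: v2.0

  AssociateIAMProduct:
    Type: 'AWS::ServiceCatalog::PortfolioProductAssociation'
    DependsOn:
      - Portfolio
      - IAMProduct
    Properties:
      AcceptLanguage: en
      PortfolioId: !Ref Portfolio
      ProductId: !Ref IAMProduct

  NotebookProduct:
    Type: 'AWS::ServiceCatalog::CloudFormationProduct'
    Properties:
      Owner: MP Team
      SupportDescription: Support Description
      Description: A classic SageMaker notebook instance
      Distributor: AWS MP Team
      SupportEmail: awsmp@example.com
      AcceptLanguage: en
      SupportUrl: 'https://support.com'
      Name: Amazon SageMaker Notebook Instance
      ProvisioningArtifactParameters:
        - Description: Base Version
          Info:
            LoadTemplateFromURL: 'https://marketplace-sa-resources.s3.amazonaws.com/activation_day/sc-sagemaker.yaml'
          Name: v2.0

  AssociateADXProduct:
    Type: 'AWS::ServiceCatalog::PortfolioProductAssociation'
    DependsOn:
      - Portfolio
      - ADXProduct
      - ADXLaunchRole
    Properties:
      AcceptLanguage: en
      PortfolioId: !Ref Portfolio
      ProductId: !Ref ADXProduct

  AppProduct:
    Type: 'AWS::ServiceCatalog::CloudFormationProduct'
    Properties:
      Owner: MP Team
      SupportDescription: Support Description
      Description: An application product
      Distributor: AWS MP Team
      SupportEmail: awsmp@example.com
      AcceptLanguage: en
      SupportUrl: 'https://support.com'
      Name: An application product
      ProvisioningArtifactParameters:
        - Description: Base Version
          Info:
            LoadTemplateFromURL: 'https://marketplace-sa-resources.s3.amazonaws.com/activation_day/app_2.yaml'
          Name: v2.0

  AssociateAppProduct:
    Type: 'AWS::ServiceCatalog::PortfolioProductAssociation'
    DependsOn:
      - Portfolio
      - AppProduct
    Properties:
      AcceptLanguage: en
      PortfolioId: !Ref Portfolio
      ProductId: !Ref AppProduct

  # --- Launch-role constraints ----------------------------------------------
  # RoleArn is built from a literal role name, so CloudFormation sees no
  # implicit dependency on the role resource; each constraint therefore lists
  # both its product association and its launch role in DependsOn.
  ADXProductLaunchRoleConstraint:
    Type: 'AWS::ServiceCatalog::LaunchRoleConstraint'
    DependsOn:
      - Portfolio
      - AssociateADXProduct
      # Previously only reached through AssociateADXProduct; listed directly
      # to match the ML and Notebook constraints.
      - ADXLaunchRole
    Properties:
      Description: >-
        Launch role associated has permissions to create, manage, and
        terminate ADX Product
      AcceptLanguage: en
      PortfolioId: !Ref Portfolio
      ProductId: !Ref ADXProduct
      RoleArn: !Sub 'arn:aws:iam::${AWS::AccountId}:role/ADXLaunchRole'

  AssociateMLProduct:
    Type: 'AWS::ServiceCatalog::PortfolioProductAssociation'
    DependsOn:
      - Portfolio
      - MLProduct
    Properties:
      AcceptLanguage: en
      PortfolioId: !Ref Portfolio
      ProductId: !Ref MLProduct

  MLProductLaunchRoleConstraint:
    Type: 'AWS::ServiceCatalog::LaunchRoleConstraint'
    DependsOn:
      - Portfolio
      - AssociateMLProduct
      - MLModelLaunchRole
    Properties:
      Description: >-
        Launch role associated has permissions to create, manage, and
        terminate ML Product
      AcceptLanguage: en
      PortfolioId: !Ref Portfolio
      ProductId: !Ref MLProduct
      RoleArn: !Sub 'arn:aws:iam::${AWS::AccountId}:role/MLModelLaunchRole'

  AssociateNotebookProduct:
    Type: 'AWS::ServiceCatalog::PortfolioProductAssociation'
    DependsOn:
      - Portfolio
      - NotebookProduct
    Properties:
      AcceptLanguage: en
      PortfolioId: !Ref Portfolio
      ProductId: !Ref NotebookProduct

  NotebookProductLaunchRoleConstraint:
    Type: 'AWS::ServiceCatalog::LaunchRoleConstraint'
    DependsOn:
      - Portfolio
      - AssociateNotebookProduct
      - NotebookLaunchRole
    Properties:
      Description: >-
        Launch role associated has permissions to create, manage, and
        terminate Notebook Product
      AcceptLanguage: en
      PortfolioId: !Ref Portfolio
      ProductId: !Ref NotebookProduct
      RoleArn: !Sub 'arn:aws:iam::${AWS::AccountId}:role/NotebookLaunchRole'

  IAMLaunchRoleConstraint:
    Type: 'AWS::ServiceCatalog::LaunchRoleConstraint'
    DependsOn:
      - Portfolio
      - IAMLaunchRole
      - IAMProduct
      # A constraint can only be created once the product is associated with
      # the portfolio. Without this entry the constraint and the association
      # may be created in parallel and the stack can fail intermittently.
      - AssociateIAMProduct
    Properties:
      Description: >-
        Launch role associated has permissions to create, manage, kms and IAM
        product
      AcceptLanguage: en
      PortfolioId: !Ref Portfolio
      ProductId: !Ref IAMProduct
      RoleArn: !Sub 'arn:aws:iam::${AWS::AccountId}:role/IAMLaunchRole'

  # --- Tagging ----------------------------------------------------------------
  LabTagoption:
    DependsOn: Portfolio
    Type: 'AWS::ServiceCatalog::TagOption'
    Properties:
      # Real boolean instead of the string 'True'.
      Active: true
      Value: '2001'
      Key: cost-center

  TagAssoPort:
    DependsOn: LabTagoption
    Type: 'AWS::ServiceCatalog::TagOptionAssociation'
    Properties:
      TagOptionId: !Ref LabTagoption
      ResourceId: !Ref Portfolio

  # --- Launch roles -----------------------------------------------------------
  # All four launch roles trust only servicecatalog.amazonaws.com and also
  # receive SCLaunchRolePolicy (see LaunchRolePolicy below).
  ADXLaunchRole:
    Type: 'AWS::IAM::Role'
    Properties:
      RoleName: ADXLaunchRole
      ManagedPolicyArns:
        - 'arn:aws:iam::aws:policy/AWSDataExchangeSubscriberFullAccess'
        - 'arn:aws:iam::aws:policy/AWSLambda_FullAccess'
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - servicecatalog.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      Path: /
      Policies:
        - PolicyName: ServiceActionsPolicy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # NOTE(review): service-wide wildcards on every resource; the
              # Sid mentions S3 but no S3 action is granted here.
              - Sid: S3LaunchPolicySID
                Effect: Allow
                Action:
                  - 'serverlessrepo:*'
                  - 'events:*'
                  - 'logs:*'
                  - 'cloudformation:*ChangeSet'
                Resource: '*'
              # NOTE(review): the Sid says get/pass role, but iam:* grants
              # every IAM action on roles named SC-* in any account id.
              # Presumably only iam:GetRole and iam:PassRole are needed;
              # confirm against the product template before narrowing.
              - Sid: GetAndPassRole
                Effect: Allow
                Action: 'iam:*'
                Resource:
                  - 'arn:aws:iam::*:role/SC-*'

  MLModelLaunchRole:
    Type: 'AWS::IAM::Role'
    Properties:
      RoleName: MLModelLaunchRole
      ManagedPolicyArns:
        - 'arn:aws:iam::aws:policy/AmazonSageMakerFullAccess'
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - servicecatalog.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      Path: /

  NotebookLaunchRole:
    Type: 'AWS::IAM::Role'
    Properties:
      RoleName: NotebookLaunchRole
      ManagedPolicyArns:
        - 'arn:aws:iam::aws:policy/AmazonSageMakerFullAccess'
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - servicecatalog.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      Path: /
      Policies:
        - PolicyName: ServiceActionsPolicy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # NOTE(review): grants may be created and revoked on any KMS
              # key the key policy allows; scope Resource to the key(s) the
              # notebook product uses if they are known.
              - Sid: S3LaunchPolicySID
                Effect: Allow
                Action:
                  - 'kms:CreateGrant'
                  - 'kms:RevokeGrant'
                Resource: '*'

  # Inline policy attached to all four launch roles: the CloudFormation and
  # S3 read permissions used when provisioning through Service Catalog.
  LaunchRolePolicy:
    Type: 'AWS::IAM::Policy'
    Properties:
      PolicyName: SCLaunchRolePolicy
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          # NOTE(review): Resource '*' lets every launch role update or delete
          # any stack in the account and read any S3 object it can reach.
          - Effect: Allow
            Action:
              - 'catalog-user:*'
              - 'cloudformation:CreateStack'
              - 'cloudformation:DeleteStack'
              - 'cloudformation:DescribeStackEvents'
              - 'cloudformation:DescribeStacks'
              - 'cloudformation:GetTemplateSummary'
              - 'cloudformation:SetStackPolicy'
              - 'cloudformation:ValidateTemplate'
              - 'cloudformation:UpdateStack'
              - 's3:GetObject'
            Resource: '*'
      Roles:
        - !Ref IAMLaunchRole
        - !Ref NotebookLaunchRole
        - !Ref ADXLaunchRole
        - !Ref MLModelLaunchRole

  # NOTE(review): this is the most privileged role in the template. The
  # wildcards iam:*Role and iam:*Policy on Resource '*' match, among others,
  # iam:CreateRole, iam:PassRole, iam:AttachRolePolicy and iam:PutRolePolicy,
  # and the role also holds kms:*, AmazonS3FullAccess and
  # AWSCloudFormationFullAccess. Anything the IAM product template does runs
  # with these rights. Consider a permissions boundary on roles it creates
  # and resource ARNs limited to the names that template actually uses.
  IAMLaunchRole:
    Type: 'AWS::IAM::Role'
    Properties:
      RoleName: IAMLaunchRole
      ManagedPolicyArns:
        - 'arn:aws:iam::aws:policy/AmazonS3FullAccess'
        - 'arn:aws:iam::aws:policy/AWSCloudFormationFullAccess'
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - servicecatalog.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      Path: /
      Policies:
        - PolicyName: ServiceActionsPolicy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Sid: S3LaunchPolicySID
                Effect: Allow
                Action:
                  - 'iam:*Role'
                  - 'iam:*Policy'
                Resource: '*'
              - Sid: KMSAdmin
                Effect: Allow
                Action:
                  - 'kms:*'
                Resource: '*'

  # --- End user -----------------------------------------------------------------
  EndUser:
    Type: 'AWS::IAM::Role'
    Properties:
      ManagedPolicyArns:
        - 'arn:aws:iam::aws:policy/AWSServiceCatalogEndUserFullAccess'
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          # NOTE(review): the principal is the whole account, with no
          # Condition. Any identity in this account whose own policy allows
          # sts:AssumeRole on this role can switch into it. In a shared
          # account, list the specific user or role ARNs instead.
          - Sid: ''
            Effect: Allow
            Principal:
              AWS: !Sub '${AWS::AccountId}'
            Action: 'sts:AssumeRole'
      RoleName: service_catalog_end_user
      Policies:
        - PolicyName: ServiceActionsPolicy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Sid: S3LaunchPolicySID
                Effect: Allow
                Action:
                  - 'servicecatalog:GetProvisionedProductOutputs'
                  - 'servicecatalog:ListRecordHistory'
                  - 'cloudformation:DescribeStacks'
                  - 'sagemaker:CreatePresignedNotebookInstanceUrl'
                  - 'servicecatalog:DescribeProvisionedProduct'
                Resource: '*'
        - PolicyName: S3Policy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # Object reads are limited to objects tagged
              # servicecatalog:provisioning = true.
              - Sid: S3LaunchPolicySID
                Effect: Allow
                Action:
                  - 's3:GetObject*'
                Resource: '*'
                Condition:
                  StringEquals:
                    's3:ExistingObjectTag/servicecatalog:provisioning': 'true'

  # Grants the end-user role access to the portfolio.
  EndUserPortfolioPrincipalAssociation:
    Type: 'AWS::ServiceCatalog::PortfolioPrincipalAssociation'
    Properties:
      AcceptLanguage: en
      PortfolioId: !Ref Portfolio
      PrincipalARN: !GetAtt EndUser.Arn
      PrincipalType: IAM

Outputs:
  # Console switch-role link for the end-user role created above.
  SwitchRoleAwsStudent:
    Value: !Sub >-
      https://signin.aws.amazon.com/switchrole?account=${AWS::AccountId}&roleName=service_catalog_end_user&displayName=Student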