# Folded scalar keeps the original single-line description but stays within a readable line length.
Description: >-
  Toolchain template which provides the resources needed to represent
  infrastructure as code. The template creates a CI/CD pipeline using GitHub
  Actions to build a model using a SageMaker Pipeline and deploy the resulting
  trained ML Model from Model Registry to two stages in CD -- staging and
  production.
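Parameters:
  # Project identity. Both values are interpolated into resource names below
  # (bucket, function, role, event rule), so they are length- and character-constrained.
  SageMakerProjectName:
    Type: String
    Description: Name of the project
    NoEcho: true
    MinLength: 1
    MaxLength: 32
    # Quoted so the leading '^' and trailing '*' are never reinterpreted by a YAML parser.
    AllowedPattern: '^[a-zA-Z](-*[a-zA-Z0-9])*'
  SageMakerProjectId:
    Type: String
    NoEcho: true
    Description: Service generated ID of the project.
    MinLength: 1
  # GitHub coordinates; all four are spliced into the CodeStar RepositoryUrl, so an
  # empty value would produce a malformed URL rather than a clear validation error.
  CodeRepositoryName:
    Type: String
    MinLength: 1
    MaxLength: 1024
    Description: Repository name of the Model Building, Training and Deployment in GitHub
  GitHubRepositoryOwnerName:
    Type: String
    MinLength: 1
    MaxLength: 1024
    Description: GitHub Repository Owner Name
  CodestarConnectionUniqueId:
    Type: String
    MinLength: 1
    MaxLength: 1024
    Description: Codestar connection unique identifier
  GitHubTokenSecretName:
    Type: String
    MinLength: 1
    MaxLength: 1024
    # This value is interpolated into an IAM Resource ARN that ends in a wildcard.
    # Restricting it to the Secrets Manager name character set prevents an empty or
    # wildcard-bearing value from widening that grant to unrelated secrets.
    AllowedPattern: '^[a-zA-Z0-9/_+=.@-]+$'
    Description: Name of GitHub Token in AWS Secret Manager. This is to call deploy github workflow.
  GitHubWorkflowNameForDeployment:
    Type: String
    MinLength: 1
    MaxLength: 1024
    Description: GitHub workflow file name which runs the deployment steps.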
Metadata:
  # Presentation hints read by the CloudFormation console: groups the GitHub-related
  # inputs under one heading and gives each a friendlier label.
  AWS::CloudFormation::Interface:
    ParameterGroups:
      - Label:
          default: 'Code Repository Info'
        Parameters:
          - GitHubRepositoryOwnerName
          - CodeRepositoryName
          - CodestarConnectionUniqueId
          - GitHubTokenSecretName
          - GitHubWorkflowNameForDeployment
    ParameterLabels:
      GitHubRepositoryOwnerName:
        default: 'GitHub Repository Owner Name (username or organization)'
      CodeRepositoryName:
        default: 'GitHub Repository Name'
      CodestarConnectionUniqueId:
        default: 'Codestar connection unique id'
      GitHubTokenSecretName:
        default: 'Name of the secret in the Secrets Manager which stores GitHub token'
      GitHubWorkflowNameForDeployment:
        default: 'GitHub workflow file for deployment. e.g. deploy.yml'
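Resources:
  # Artifact store for the project. Hardened relative to the original definition:
  # public access is blocked at the bucket level and objects are encrypted at rest
  # with SSE-S3. Neither setting changes how the pipeline reads or writes objects.
  MlOpsArtifactsBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: !Sub sagemaker-project-github-${SageMakerProjectId}-${AWS::Region}
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256

  # Function that dispatches the GitHub deployment workflow when the event rule fires.
  GitHubWorkflowTriggerLambda:
    Type: AWS::Lambda::Function
    Properties:
      Description: To trigger the GitHub Workflow
      Handler: lambda_function.lambda_handler
      # Must stay in step with the "python39" layer below; check the Lambda runtime
      # support schedule before upgrading either one in isolation.
      Runtime: python3.9
      FunctionName: !Sub sagemaker-${SageMakerProjectId}-github-trigger
      # 900 s is the Lambda maximum; a stalled GitHub call can hold the invocation that long.
      Timeout: 900
      Role: !GetAtt GitHubWorkflowTriggerLambdaExecutionRole.Arn
      # NOTE(review): the code object lives in a bucket this template does not create and
      # no object version is pinned, so the deployed function is whatever that key holds
      # at stack creation time. Pin it with Code.S3ObjectVersion or copy the artifact into
      # an account-owned bucket before relying on this in production.
      Code:
        S3Bucket: mlops-sagemaker-github-example
        S3Key: lambda-github-workflow-trigger.zip
      # The layer is expected to already exist in the deploying account; it is not created here.
      Layers:
        - !Sub arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:layer:python39-github-arm64:1
      Architectures:
        - arm64
      Environment:
        Variables:
          DeployRepoName: !Sub ${CodeRepositoryName}
          GitHubWorkflowNameForDeployment: !Sub ${GitHubWorkflowNameForDeployment}
          GitHubTokenSecretName: !Sub ${GitHubTokenSecretName}
          Region: !Ref AWS::Region

  # Execution role for the trigger function: CloudWatch Logs via the managed policy,
  # plus read access to the single GitHub-token secret named by the parameter.
  GitHubWorkflowTriggerLambdaExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      # Suffix derived from the stack id keeps the name unique per stack in the account.
      RoleName: !Join ['-', ['SageMakerGithubWorkflowTriggerLambdaExecutionRole', !Select [4, !Split ['-', !Select [2, !Split ['/', !Ref 'AWS::StackId']]]]]]
      Description: lambda function to trigger GitHub workflow for deploying sagemaker model
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
            Action: 'sts:AssumeRole'
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
      Policies:
        - PolicyName: GitHubWorkflowTriggerExecutionPolicy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - 'secretsmanager:GetSecretValue'
                Resource:
                  # The trailing '*' covers the random suffix Secrets Manager appends to
                  # secret ARNs; it is intended to match this one name, not a prefix family,
                  # which is why the parameter's AllowedPattern matters.
                  - !Sub arn:aws:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:${GitHubTokenSecretName}*

  # Fires when a model package in this project's group transitions to Approved;
  # that approval is the only gate before the deployment workflow is dispatched.
  ModelDeploySageMakerEventRule:
    Type: AWS::Events::Rule
    Properties:
      Name: !Sub sagemaker-${SageMakerProjectName}-${SageMakerProjectId}-event-rule
      Description: Rule to trigger a deployment when SageMaker Model is Approved.
      EventPattern:
        source:
          - 'aws.sagemaker'
        detail-type:
          - 'SageMaker Model Package State Change'
        detail:
          ModelPackageGroupName:
            - !Sub ${SageMakerProjectName}-${SageMakerProjectId}
          ModelApprovalStatus:
            - Approved
      State: ENABLED
      Targets:
        - Arn: !GetAtt GitHubWorkflowTriggerLambda.Arn
          Id: !Sub sagemaker-${SageMakerProjectName}-trigger

  # Resource policy on the function; SourceArn limits invocation to this one rule
  # rather than any EventBridge rule in the account.
  PermissionForEventsToInvokeLambda:
    Type: AWS::Lambda::Permission
    Properties:
      FunctionName: !GetAtt GitHubWorkflowTriggerLambda.Arn
      Action: lambda:InvokeFunction
      Principal: events.amazonaws.com
      SourceArn: !GetAtt ModelDeploySageMakerEventRule.Arn

  # Registers the GitHub repository with SageMaker through the CodeStar connection,
  # so the repository is reachable without storing GitHub credentials here.
  SagemakerCodeRepository:
    Type: AWS::SageMaker::CodeRepository
    Properties:
      CodeRepositoryName: !Sub ${CodeRepositoryName}-${SageMakerProjectId}
      GitConfig:
        Branch: main
        RepositoryUrl: !Sub https://codestar-connections.${AWS::Region}.amazonaws.com/git-http/${AWS::AccountId}/${AWS::Region}/${CodestarConnectionUniqueId}/${GitHubRepositoryOwnerName}/${CodeRepositoryName}.git
      Tags:
        - Key: 'sagemaker:project-id'
          Value: !Sub ${SageMakerProjectId}
        - Key: 'sagemaker:project-name'
          Value: !Sub ${SageMakerProjectName}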