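---
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: >-
  Workshop event template - Provision SageMaker Notebook (Instance + Studio environment alternatives) and
  related IAM configuration. Clone the workshop codebase into the notebook to get started.

# SECURITY NOTE (review): This is a *workshop* template. The notebook/Studio execution role below is
# deliberately broad (IAMFullAccess + AmazonS3FullAccess), so anyone who can open the notebook has an
# administrative privilege-escalation path in the account. Deploy it only into a disposable sandbox
# account, never one holding production data or credentials.

Parameters:
  NotebookName:
    Type: String
    Default: SM101Notebook
    Description: Enter the name of the SageMaker notebook instance. Default is SM101Notebook.
  DefaultCodeRepo:
    Type: String
    Default: https://github.com/aws-samples/sagemaker-101-workshop
    Description: URL of the git code repository to clone in to the SageMaker notebook.
  EnableExtras:
    Type: String
    Default: 'yes'
    Description: >-
      Set 'yes' to auto-configure SageMaker Service Roles (for SM Projects) and SageMaker Default
      Bucket CORS (for SM Canvas) in this stack: But stack deployment will fail if these already
      exist.
    AllowedValues:
      - 'yes'
      - 'no'
  VpcId:
    Type: String
    Description: VPC ID to use (e.g. vpc-xxxxxx), or blank to use default.
    Default: ''
    # Reject anything that is neither blank nor a VPC ID before it reaches the domain-setup Lambda:
    AllowedPattern: '^$|^vpc-[0-9a-f]+$'
  SubnetIds:
    Type: String
    Description: >-
      Comma-separated list of subnet IDs to use (e.g. subnet-xxxxxx), or blank to use all default subnets.
    Default: ''

Conditions:
  DeployExtras: !Equals [!Ref EnableExtras, 'yes']

# Account IDs below are the AWS-owned accounts that publish the SageMaker Studio images per region.
Mappings:
  RegionMap:
    us-east-1:
      datascience: 'arn:aws:sagemaker:us-east-1:081325390199:image/datascience-1.0'
      datascience2: 'arn:aws:sagemaker:us-east-1:081325390199:image/sagemaker-data-science-38'
      datascience3: 'arn:aws:sagemaker:us-east-1:081325390199:image/sagemaker-data-science-310-v1'
      jlabv3: 'arn:aws:sagemaker:us-east-1:081325390199:image/jupyter-server-3'
    us-east-2:
      datascience: 'arn:aws:sagemaker:us-east-2:429704687514:image/datascience-1.0'
      datascience2: 'arn:aws:sagemaker:us-east-2:429704687514:image/sagemaker-data-science-38'
      datascience3: 'arn:aws:sagemaker:us-east-2:429704687514:image/sagemaker-data-science-310-v1'
      jlabv3: 'arn:aws:sagemaker:us-east-2:429704687514:image/jupyter-server-3'
    us-west-1:
      datascience: 'arn:aws:sagemaker:us-west-1:742091327244:image/datascience-1.0'
      datascience2: 'arn:aws:sagemaker:us-west-1:742091327244:image/sagemaker-data-science-38'
      datascience3: 'arn:aws:sagemaker:us-west-1:742091327244:image/sagemaker-data-science-310-v1'
      jlabv3: 'arn:aws:sagemaker:us-west-1:742091327244:image/jupyter-server-3'
    us-west-2:
      datascience: 'arn:aws:sagemaker:us-west-2:236514542706:image/datascience-1.0'
      datascience2: 'arn:aws:sagemaker:us-west-2:236514542706:image/sagemaker-data-science-38'
      datascience3: 'arn:aws:sagemaker:us-west-2:236514542706:image/sagemaker-data-science-310-v1'
      jlabv3: 'arn:aws:sagemaker:us-west-2:236514542706:image/jupyter-server-3'
    af-south-1:
      datascience: 'arn:aws:sagemaker:af-south-1:559312083959:image/datascience-1.0'
      datascience2: 'arn:aws:sagemaker:af-south-1:559312083959:image/sagemaker-data-science-38'
      datascience3: 'arn:aws:sagemaker:af-south-1:559312083959:image/sagemaker-data-science-310-v1'
      jlabv3: 'arn:aws:sagemaker:af-south-1:559312083959:image/jupyter-server-3'
    ap-east-1:
      datascience: 'arn:aws:sagemaker:ap-east-1:493642496378:image/datascience-1.0'
      datascience2: 'arn:aws:sagemaker:ap-east-1:493642496378:image/sagemaker-data-science-38'
      datascience3: 'arn:aws:sagemaker:ap-east-1:493642496378:image/sagemaker-data-science-310-v1'
      jlabv3: 'arn:aws:sagemaker:ap-east-1:493642496378:image/jupyter-server-3'
    ap-south-1:
      datascience: 'arn:aws:sagemaker:ap-south-1:394103062818:image/datascience-1.0'
      datascience2: 'arn:aws:sagemaker:ap-south-1:394103062818:image/sagemaker-data-science-38'
      datascience3: 'arn:aws:sagemaker:ap-south-1:394103062818:image/sagemaker-data-science-310-v1'
      jlabv3: 'arn:aws:sagemaker:ap-south-1:394103062818:image/jupyter-server-3'
    ap-northeast-2:
      datascience: 'arn:aws:sagemaker:ap-northeast-2:806072073708:image/datascience-1.0'
      datascience2: 'arn:aws:sagemaker:ap-northeast-2:806072073708:image/sagemaker-data-science-38'
      datascience3: 'arn:aws:sagemaker:ap-northeast-2:806072073708:image/sagemaker-data-science-310-v1'
      jlabv3: 'arn:aws:sagemaker:ap-northeast-2:806072073708:image/jupyter-server-3'
    ap-southeast-1:
      datascience: 'arn:aws:sagemaker:ap-southeast-1:492261229750:image/datascience-1.0'
      datascience2: 'arn:aws:sagemaker:ap-southeast-1:492261229750:image/sagemaker-data-science-38'
      datascience3: 'arn:aws:sagemaker:ap-southeast-1:492261229750:image/sagemaker-data-science-310-v1'
      jlabv3: 'arn:aws:sagemaker:ap-southeast-1:492261229750:image/jupyter-server-3'
    ap-southeast-2:
      datascience: 'arn:aws:sagemaker:ap-southeast-2:452832661640:image/datascience-1.0'
      datascience2: 'arn:aws:sagemaker:ap-southeast-2:452832661640:image/sagemaker-data-science-38'
      datascience3: 'arn:aws:sagemaker:ap-southeast-2:452832661640:image/sagemaker-data-science-310-v1'
      jlabv3: 'arn:aws:sagemaker:ap-southeast-2:452832661640:image/jupyter-server-3'
    ap-southeast-3:
      datascience: 'arn:aws:sagemaker:ap-southeast-3:276181064229:image/datascience-1.0'
      datascience2: 'arn:aws:sagemaker:ap-southeast-3:276181064229:image/sagemaker-data-science-38'
      datascience3: 'arn:aws:sagemaker:ap-southeast-3:276181064229:image/sagemaker-data-science-310-v1'
      jlabv3: 'arn:aws:sagemaker:ap-southeast-3:276181064229:image/jupyter-server-3'
    ap-northeast-1:
      datascience: 'arn:aws:sagemaker:ap-northeast-1:102112518831:image/datascience-1.0'
      datascience2: 'arn:aws:sagemaker:ap-northeast-1:102112518831:image/sagemaker-data-science-38'
      datascience3: 'arn:aws:sagemaker:ap-northeast-1:102112518831:image/sagemaker-data-science-310-v1'
      jlabv3: 'arn:aws:sagemaker:ap-northeast-1:102112518831:image/jupyter-server-3'
    # TODO: ap-northeast-3 if available? (ap-northeast-2 is already listed above)
    ca-central-1:
      datascience: 'arn:aws:sagemaker:ca-central-1:310906938811:image/datascience-1.0'
      datascience2: 'arn:aws:sagemaker:ca-central-1:310906938811:image/sagemaker-data-science-38'
      datascience3: 'arn:aws:sagemaker:ca-central-1:310906938811:image/sagemaker-data-science-310-v1'
      jlabv3: 'arn:aws:sagemaker:ca-central-1:310906938811:image/jupyter-server-3'
    eu-central-1:
      datascience: 'arn:aws:sagemaker:eu-central-1:936697816551:image/datascience-1.0'
      datascience2: 'arn:aws:sagemaker:eu-central-1:936697816551:image/sagemaker-data-science-38'
      datascience3: 'arn:aws:sagemaker:eu-central-1:936697816551:image/sagemaker-data-science-310-v1'
      jlabv3: 'arn:aws:sagemaker:eu-central-1:936697816551:image/jupyter-server-3'
    # TODO: eu-central-2 if available?
    eu-west-1:
      datascience: 'arn:aws:sagemaker:eu-west-1:470317259841:image/datascience-1.0'
      datascience2: 'arn:aws:sagemaker:eu-west-1:470317259841:image/sagemaker-data-science-38'
      datascience3: 'arn:aws:sagemaker:eu-west-1:470317259841:image/sagemaker-data-science-310-v1'
      jlabv3: 'arn:aws:sagemaker:eu-west-1:470317259841:image/jupyter-server-3'
    eu-west-2:
      datascience: 'arn:aws:sagemaker:eu-west-2:712779665605:image/datascience-1.0'
      datascience2: 'arn:aws:sagemaker:eu-west-2:712779665605:image/sagemaker-data-science-38'
      datascience3: 'arn:aws:sagemaker:eu-west-2:712779665605:image/sagemaker-data-science-310-v1'
      jlabv3: 'arn:aws:sagemaker:eu-west-2:712779665605:image/jupyter-server-3'
    eu-west-3:
      datascience: 'arn:aws:sagemaker:eu-west-3:615547856133:image/datascience-1.0'
      datascience2: 'arn:aws:sagemaker:eu-west-3:615547856133:image/sagemaker-data-science-38'
      datascience3: 'arn:aws:sagemaker:eu-west-3:615547856133:image/sagemaker-data-science-310-v1'
      jlabv3: 'arn:aws:sagemaker:eu-west-3:615547856133:image/jupyter-server-3'
    eu-north-1:
      datascience: 'arn:aws:sagemaker:eu-north-1:243637512696:image/datascience-1.0'
      datascience2: 'arn:aws:sagemaker:eu-north-1:243637512696:image/sagemaker-data-science-38'
      datascience3: 'arn:aws:sagemaker:eu-north-1:243637512696:image/sagemaker-data-science-310-v1'
      jlabv3: 'arn:aws:sagemaker:eu-north-1:243637512696:image/jupyter-server-3'
    eu-south-1:
      datascience: 'arn:aws:sagemaker:eu-south-1:592751261982:image/datascience-1.0'
      datascience2: 'arn:aws:sagemaker:eu-south-1:592751261982:image/sagemaker-data-science-38'
      datascience3: 'arn:aws:sagemaker:eu-south-1:592751261982:image/sagemaker-data-science-310-v1'
      jlabv3: 'arn:aws:sagemaker:eu-south-1:592751261982:image/jupyter-server-3'
    # TODO: me-central-1 and me-south-1 if available?
    sa-east-1:
      datascience: 'arn:aws:sagemaker:sa-east-1:782484402741:image/datascience-1.0'
      datascience2: 'arn:aws:sagemaker:sa-east-1:782484402741:image/sagemaker-data-science-38'
      datascience3: 'arn:aws:sagemaker:sa-east-1:782484402741:image/sagemaker-data-science-310-v1'
      jlabv3: 'arn:aws:sagemaker:sa-east-1:782484402741:image/jupyter-server-3'

Resources:
  ######## THE BASICS: SageMaker perms & notebook instance ########
  # Permissions for the SageMaker notebook environment. The classic notebook instance, every Studio
  # app of the workshop user, and Glue interactive sessions started from them all run as this role.
  SageMakerExecutionRole:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - glue.amazonaws.com
                - sagemaker.amazonaws.com
            Action: sts:AssumeRole
            # Confused-deputy guard: only SageMaker/Glue resources in *this* account may assume the
            # role, so a SageMaker/Glue resource in another account cannot borrow it.
            Condition:
              StringEquals:
                aws:SourceAccount: !Ref 'AWS::AccountId'
      Path: '/'
      # WARNING: IAMFullAccess + AmazonS3FullAccess on an interactive notebook role lets notebook code
      # create/attach any IAM policy and read every bucket in the account. Kept because workshop
      # exercises rely on it; remove or scope down before any non-sandbox use.
      ManagedPolicyArns:
        - !Sub 'arn:${AWS::Partition}:iam::aws:policy/AmazonSageMakerFullAccess'
        - !Sub 'arn:${AWS::Partition}:iam::aws:policy/AmazonS3FullAccess'
        - !Sub 'arn:${AWS::Partition}:iam::aws:policy/service-role/AwsGlueSessionUserRestrictedServiceRole'
        - !Sub 'arn:${AWS::Partition}:iam::aws:policy/IAMFullAccess'
      Policies:
        # Inline policy for Glue interactive sessions (plus CodeWhisperer, which shares the policy):
        - PolicyName: GlueInteractiveSessions
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Sid: CodeWhispererPermissions
                Effect: Allow
                Action:
                  - codewhisperer:GenerateRecommendations
                Resource: '*'
              - Sid: GlueSessionsIAMPerms
                Effect: Allow
                Action:
                  - iam:GetRole
                  - sts:GetCallerIdentity
                Resource: '*'
              # PassRole is limited to roles in this account that are handed to Glue or SageMaker.
              # (Only effective once IAMFullAccess above is removed, which already allows iam:PassRole
              # on '*'; the scoping is here so that removal does not re-open an unbounded PassRole.)
              - Sid: GlueSessionsPassRole
                Effect: Allow
                Action:
                  - iam:PassRole
                Resource: !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:role/*'
                Condition:
                  StringEquals:
                    iam:PassedToService:
                      - glue.amazonaws.com
                      - sagemaker.amazonaws.com

  # If running on classic notebook instances, make sure widgets library is installed:
  NotebookConfig:
    Type: 'AWS::SageMaker::NotebookInstanceLifecycleConfig'
    Properties:
      NotebookInstanceLifecycleConfigName: !Sub '${AWS::StackName}-LifecycleConfig'
      OnStart:
        # Plain block scalar (no !Sub): the script contains no template variables, and !Sub would
        # otherwise turn any future bash '${VAR}' into a CloudFormation substitution error.
        - Content:
            Fn::Base64: |
              #!/bin/bash
              set -e
              # Install extension for interactive canvas drawing:
              # ipywidgets is already present on al2-v2 NBIs. Pin versions to avoid reinstallations
              sudo -u ec2-user -i <<'EOF'
              # The outer 'set -e' does not apply inside this login shell, so fail fast here too:
              set -e
              source /home/ec2-user/anaconda3/bin/activate JupyterSystemEnv
              JUPYTERSERVER_VER=$(pip show jupyter-server | grep 'Version:' | sed 's/Version: //')
              IPYWIDGETS_VER=$(pip show ipywidgets | grep 'Version:' | sed 's/Version: //')
              pip install \
                jupyter-server==$JUPYTERSERVER_VER \
                ipywidgets==$IPYWIDGETS_VER \
                'ipycanvas<0.13'
              source /home/ec2-user/anaconda3/bin/deactivate
              EOF

  # Classic notebook instance in case you want to run the workshop there.
  # NOTE(review): no SubnetId/SecurityGroupIds are set, so the instance is not VPC-attached and the
  # CloudFormation defaults for RootAccess and DirectInternetAccess apply - fine for a sandbox, but
  # review before reusing this template elsewhere.
  NotebookInstance:
    Type: 'AWS::SageMaker::NotebookInstance'
    Properties:
      InstanceType: ml.t3.medium
      LifecycleConfigName: !GetAtt NotebookConfig.NotebookInstanceLifecycleConfigName
      NotebookInstanceName: !Ref NotebookName
      PlatformIdentifier: notebook-al2-v2
      RoleArn: !GetAtt SageMakerExecutionRole.Arn
      VolumeSizeInGB: 20
      DefaultCodeRepository: !Ref DefaultCodeRepo

  ######## SAGEMAKER STUDIO SETUP & USER CREATION ########
  # Permissions for the Lambda functions implementing our custom CFN resources (domain, lifecycle
  # configs, user profile, user content). Statements are scoped to this region/account wherever the
  # action supports resource-level permissions; the remaining '*' entries are annotated.
  LambdaExecutionPolicy:
    Type: 'AWS::IAM::ManagedPolicy'
    Properties:
      Path: /
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: CloudWatchLogsPermissions
            Effect: Allow
            Action:
              - logs:CreateLogGroup
              - logs:CreateLogStream
              - logs:PutLogEvents
            # Lambda log groups always live under /aws/lambda/ in the deploying region & account.
            # The trailing '*' also spans the ':log-stream:<name>' suffix, so PutLogEvents is covered.
            Resource: !Sub 'arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/*'
          # ec2:Describe* calls do not support resource-level permissions, so '*' is required here.
          # The ENI actions are only needed because the user-setup Lambda is VPC-attached.
          - Sid: GetVPCsAndSubnets
            Effect: Allow
            Action:
              - ec2:AssignPrivateIpAddresses # (Only needed for user post-setup)
              - ec2:CreateNetworkInterface # (Only needed for user post-setup)
              - ec2:DeleteNetworkInterface # (Only needed for user post-setup)
              - ec2:DescribeNetworkInterfaces # (Only needed for user post-setup)
              - ec2:DescribeSecurityGroups
              - ec2:DescribeSubnets
              - ec2:DescribeVpcs
              - ec2:UnassignPrivateIpAddresses # (Only needed for user post-setup)
            Resource:
              - '*'
          # Root access on the Studio home EFS is needed to write into (and chown) user home folders.
          # The file system ID is created by StudioDomainFunction, which itself uses this policy, so
          # it cannot be referenced here without a dependency cycle: scope to region/account instead.
          - Sid: StudioEFSWrite # (Only needed for user post-setup)
            Effect: Allow
            Action:
              - elasticfilesystem:ClientMount
              - elasticfilesystem:ClientRootAccess
              - elasticfilesystem:ClientWrite
              - elasticfilesystem:DescribeMountTargets
            Resource: !Sub 'arn:${AWS::Partition}:elasticfilesystem:${AWS::Region}:${AWS::AccountId}:file-system/*'
          - Sid: SageMakerDomainPermission
            Effect: Allow
            Action:
              - sagemaker:CreateDomain
              - sagemaker:DeleteDomain
              - sagemaker:DescribeDomain
              - sagemaker:UpdateDomain
              - sagemaker:CreateUserProfile
              - sagemaker:CreateStudioLifecycleConfig
              - sagemaker:DeleteStudioLifecycleConfig
              - sagemaker:DeleteUserProfile
              - sagemaker:DescribeUserProfile
              - sagemaker:UpdateUserProfile
            Resource:
              - !Sub 'arn:${AWS::Partition}:sagemaker:${AWS::Region}:${AWS::AccountId}:domain/*'
              - !Sub 'arn:${AWS::Partition}:sagemaker:${AWS::Region}:${AWS::AccountId}:user-profile/*'
              - !Sub 'arn:${AWS::Partition}:sagemaker:${AWS::Region}:${AWS::AccountId}:studio-lifecycle-config/*'
          - Sid: CreateSageMakerServiceLinkedRole
            Effect: Allow
            Action:
              - iam:CreateServiceLinkedRole
            Resource:
              - !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:role/aws-service-role/sagemaker.amazonaws.com/AWSServiceRoleForAmazonSageMakerNotebooks'
          # The only role these Lambdas may hand to SageMaker is the workshop execution role:
          - Sid: SageMakerExecPassRole
            Effect: Allow
            Action:
              - iam:PassRole
            Resource: !GetAtt SageMakerExecutionRole.Arn
          # Required on the SM execution role for AssociatePrincipalWithPortfolio. IAM roles are
          # account-scoped, so limiting this to roles in this account does not change what works.
          - Sid: GetSageMakerUserRole
            Effect: Allow
            Action:
              - iam:GetRole
            Resource:
              - !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:role/*'
          # For enabling SM Projects. The target portfolio is AWS-owned, so its ARN is not known here.
          - Sid: SageMakerProjectsPermission
            Effect: Allow
            Action:
              - servicecatalog:AcceptPortfolioShare
              - servicecatalog:AssociatePrincipalWithPortfolio
              - sagemaker:EnableSagemakerServicecatalogPortfolio
              - sagemaker:DisableSagemakerServicecatalogPortfolio
            Resource: '*'
          # TODO: Scope this down - 'servicecatalog:*' on '*' is far broader than enabling SM Projects
          # requires. Audit which Service Catalog calls ./fn-usersetup actually makes and list them.
          - Sid: ServiceCatalogPermission
            Effect: Allow
            Action:
              - servicecatalog:*
            Resource: '*'

  # Execution role for the custom-resource Lambda functions:
  LambdaExecutionRole:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
            Action:
              - 'sts:AssumeRole'
            # Confused-deputy guard: only Lambda functions in this account may assume the role.
            Condition:
              StringEquals:
                aws:SourceAccount: !Ref 'AWS::AccountId'
      ManagedPolicyArns:
        - !Ref LambdaExecutionPolicy
      Path: /

  # Shared layer loading the cfn-response module (doesn't seem to auto-import with SAM Lambdas)
  LambdaCommonLayer:
    Type: 'AWS::Serverless::LayerVersion'
    Properties:
      ContentUri: ./lambda-common/
      CompatibleRuntimes:
        - python3.10
        - python3.9
        - python3.8
    Metadata:
      BuildMethod: python3.10

  # Custom resource implementation for creating SMStudio domains
  StudioDomainFunction:
    Type: 'AWS::Serverless::Function'
    Properties:
      Description: CloudFormation custom resource implementation for SageMaker Studio domain
      CodeUri: ./fn-domain/
      Handler: main.lambda_handler
      MemorySize: 128
      Role: !GetAtt LambdaExecutionRole.Arn
      Runtime: python3.10
      Timeout: 900
      Layers:
        - !Ref LambdaCommonLayer

  # Custom resource implementation for creating SMStudio lifecycle config scripts
  StudioLifecycleConfigFunction:
    Type: 'AWS::Serverless::Function'
    Properties:
      Description: >-
        CloudFormation custom resource implementation for SageMaker Studio lifecycle config scripts
      CodeUri: ./fn-studio-lcconfig/
      Handler: main.lambda_handler
      MemorySize: 128
      Role: !GetAtt LambdaExecutionRole.Arn
      Runtime: python3.10
      Timeout: 900
      Layers:
        - !Ref LambdaCommonLayer

  # Custom resource implementation for creating SMStudio users
  UserProfileFunction:
    Type: 'AWS::Serverless::Function'
    Properties:
      Description: CloudFormation custom resource implementation for SageMaker Studio users
      CodeUri: ./fn-user/
      Handler: main.lambda_handler
      Role: !GetAtt LambdaExecutionRole.Arn
      Runtime: python3.10
      Timeout: 900
      Layers:
        - !Ref LambdaCommonLayer

  StudioDomain:
    Type: 'Custom::StudioDomain'
    Properties:
      ServiceToken: !GetAtt StudioDomainFunction.Arn
      VPC: !Ref VpcId
      SubnetIds: !Ref SubnetIds
      DomainName: 'PoCDomain'
      DomainSettings:
        # Docker access lets Studio users build/run containers (needed for SageMaker local mode in the
        # workshop). This is extra capability on the Studio app host - keep it sandbox-only.
        DockerSettings:
          EnableDockerAccess: ENABLED
      DefaultUserSettings:
        ExecutionRole: !GetAtt SageMakerExecutionRole.Arn
      EnableProjects: true

  # Install extra assistive coding tools to provide features like autocomplete in Studio Classic.
  # NOTE(review): the pip/jlpm installs below are unpinned, so each app start pulls whatever the
  # registries currently serve - pin versions (or mirror them) for a reproducible, auditable image.
  StudioClassicLifecycleConfig:
    Type: 'Custom::StudioLifecycleConfig'
    Properties:
      ServiceToken: !GetAtt StudioLifecycleConfigFunction.Arn
      AppType: JupyterServer
      DomainId: !GetAtt StudioDomain.DomainId
      Name: install-lsp-features
      Content:
        Fn::Base64: |
          #!/bin/bash
          set -eu
          echo "Checking conda environments"
          if conda info --envs | grep ^studio; then
            # Standard on JLv3 image at time of writing
            CONDA_ENV=studio
          else
            # Standard on JLv1 image at time of writing
            exit 0
          fi
          echo "Activating conda env $CONDA_ENV"
          source activate $CONDA_ENV
          BOTO3_VER=$(pip show boto3 | grep 'Version:' | sed 's/Version: //')
          BOTOCORE_VER=$(pip show botocore | grep 'Version:' | sed 's/Version: //')
          JUPYTERSERVER_VER=$(pip show jupyter-server | grep 'Version:' | sed 's/Version: //')
          echo "Installing CodeWhisperer, jupyterlab-lsp, language tools, canvas widget"
          pip install amazon-codewhisperer-jupyterlab-ext \
            jupyterlab-lsp \
            'python-lsp-server[flake8,mccabe,pycodestyle,pydocstyle,pyflakes,pylint,rope]' \
            jupyterlab-spellchecker \
            jupyterlab-code-formatter black isort \
            jupyterlab-s3-browser \
            boto3==$BOTO3_VER \
            botocore==$BOTOCORE_VER \
            jupyter-server==$JUPYTERSERVER_VER \
            'ipycanvas<0.13'
          # bash-language-server v5+ requires Node v16+ (not yet available):
          jlpm add --dev bash-language-server@"<5.0.0" dockerfile-language-server-nodejs
          # CodeWhisperer should be specifically enabled:
          jupyter server extension enable amazon_codewhisperer_jupyterlab_ext
          # Anchor on the home directory explicitly (was a CWD-relative path, unlike the formatter
          # config below) so the settings land in the same place regardless of where the script runs:
          CMP_CONFIG_DIR=~/.jupyter/lab/user-settings/@krassowski/jupyterlab-lsp/
          CMP_CONFIG_FILE=completion.jupyterlab-settings
          CMP_CONFIG_PATH="$CMP_CONFIG_DIR/$CMP_CONFIG_FILE"
          if test -f "$CMP_CONFIG_PATH"; then
            echo "jupyterlab-lsp config file already exists: Skipping default config setup"
          else
            echo "Setting continuous hinting to enabled by default"
            mkdir -p "$CMP_CONFIG_DIR"
            echo '{ "continuousHinting": true }' > "$CMP_CONFIG_PATH"
          fi
          FMT_CONFIG_DIR=~/.jupyter/lab/user-settings/@ryantam626/jupyterlab_code_formatter
          FMT_CONFIG_FILE=settings.jupyterlab-settings
          FMT_CONFIG_PATH="$FMT_CONFIG_DIR/$FMT_CONFIG_FILE"
          if test -f "$FMT_CONFIG_PATH"; then
            echo "jupyterlab-code-formatter config file already exists: Skipping default config setup"
          else
            echo "Configuring jupyterlab-code-formatter format on save and line width"
            mkdir -p "$FMT_CONFIG_DIR"
            # Could turn on "formatOnSave": true here, but would raise error messages for partial nbks
            cat > "$FMT_CONFIG_PATH" <<EOF
          {"black": {"line_length": 100}, "isort": {"line_length": 100}}
          EOF
          fi
          echo "Configuring pycodestyle linter max line width"
          mkdir -p ~/.config
          cat > ~/.config/pycodestyle <<EOF
          [pycodestyle]
          max-line-length = 100
          EOF
          echo "Restarting Jupyter server..."
          nohup supervisorctl -c /etc/supervisor/conf.d/supervisord.conf restart jupyterlabserver \
            > /dev/null 2>&1

  # Install ipycanvas and Docker in Studio JupyterLab.
  # The Docker repo key is fetched over TLS and apt verifies packages against it via 'signed-by';
  # the pip installs are pinned by range only.
  StudioJLabLifecycleConfig:
    Type: 'Custom::StudioLifecycleConfig'
    Properties:
      ServiceToken: !GetAtt StudioLifecycleConfigFunction.Arn
      AppType: JupyterLab
      DomainId: !GetAtt StudioDomain.DomainId
      Name: install-docker-ipycanvas
      Content:
        Fn::Base64: |
          #!/bin/bash
          set -ex
          # As per: https://docs.docker.com/engine/install/ubuntu/#install-using-the-repository
          # Add Docker's official GPG key:
          sudo apt-get update
          sudo apt-get -y install ca-certificates curl
          sudo install -m 0755 -d /etc/apt/keyrings
          sudo curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc
          sudo chmod a+r /etc/apt/keyrings/docker.asc
          # Add the repository to Apt sources:
          echo \
            "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu \
            $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \
            sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
          sudo apt-get update
          sudo apt-get -y install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
          # SageMaker Python SDK introduced support for Local Mode in Studio at v2.203.0.
          # MNIST exercises require ipycanvas
          pip install "ipycanvas<0.13" "sagemaker>=2.203.0,<3"
          echo "Restarting Jupyter server..."
          nohup supervisorctl -c /etc/supervisor/conf.d/supervisord.conf restart jupyterlabserver \
            > /dev/null 2>&1

  UserProfile:
    Type: 'Custom::UserProfile'
    DependsOn:
      - StudioDomain
    Properties:
      ServiceToken: !GetAtt UserProfileFunction.Arn
      DomainId: !GetAtt StudioDomain.DomainId
      UserProfileName: 'workshop-user'
      UserSettings:
        ExecutionRole: !GetAtt SageMakerExecutionRole.Arn
        JupyterLabAppSettings:
          DefaultResourceSpec:
            InstanceType: ml.t3.medium
            LifecycleConfigArn: !Ref StudioJLabLifecycleConfig
        # Set JupyterLabv3 default and attach the lifecycle configuration script:
        JupyterServerAppSettings:
          DefaultResourceSpec:
            SageMakerImageArn: !FindInMap
              - RegionMap
              - !Ref 'AWS::Region'
              - jlabv3
            InstanceType: system
            LifecycleConfigArn: !Ref StudioClassicLifecycleConfig

  # Pre-warm the JupyterServer app to make initially opening Studio faster for participants:
  SMJupyterApp:
    Type: 'AWS::SageMaker::App'
    DependsOn: UserProfile
    Properties:
      AppName: default
      AppType: JupyterServer
      DomainId: !GetAtt StudioDomain.DomainId
      UserProfileName: !GetAtt UserProfile.UserProfileName

  # Pre-warm the Data Science 3.0 kernel to make first exercise start-up faster:
  SMDataScience3App:
    Type: 'AWS::SageMaker::App'
    DependsOn: UserProfile
    Properties:
      AppName: instance-prewarm-datascience3-ml-t3-medium
      AppType: KernelGateway
      DomainId: !GetAtt StudioDomain.DomainId
      ResourceSpec:
        InstanceType: ml.t3.medium
        SageMakerImageArn: !FindInMap
          - RegionMap
          - !Ref 'AWS::Region'
          - datascience3
      UserProfileName: !GetAtt UserProfile.UserProfileName

  # New-Studio JupyterLab Space:
  PersonalSpace:
    Type: AWS::SageMaker::Space
    Properties:
      DomainId: !GetAtt StudioDomain.DomainId
      OwnershipSettings:
        OwnerUserProfileName: !GetAtt UserProfile.UserProfileName
      SpaceName: !Sub '${UserProfile.UserProfileName}-space'
      SpaceSettings:
        AppType: JupyterLab
        JupyterLabAppSettings:
          CodeRepositories:
            - RepositoryUrl: !Ref DefaultCodeRepo
          DefaultResourceSpec:
            InstanceType: ml.t3.medium
        SpaceStorageSettings:
          EbsStorageSettings:
            EbsVolumeSizeInGb: 20
      SpaceSharingSettings:
        SharingType: Private

  ######## PRE-CLONING GIT REPO TO SAGEMAKER STUDIO ENVIRONMENT ########
  ## This is easy on a notebook instance (see above) but requires a few more steps for Studio
  # First we'll need to set up an access point for the EFS filesystem backing our Studio domain.
  # The access point mounts as root (uid/gid 0) on purpose: the setup Lambda must write into, and
  # chown to the user's HomeEfsFileSystemUid, a home folder it does not own. Anything mounting
  # through this access point therefore has root on every Studio user's home directory.
  StudioEFSAccessPoint:
    Type: 'AWS::EFS::AccessPoint'
    Properties:
      FileSystemId: !GetAtt StudioDomain.HomeEfsFileSystemId
      PosixUser:
        Gid: '0'
        Uid: '0'

  # - To access EFS a Lambda function needs to be deployed in VPC.
  # - VPC-deployed Lambdas do not get public IP addresses by default, so can't reach internet even if an
  #   internet gateway / relevant security groups are in place: so we need a NAT Gateway.
  # Hence all this VPC stuff...
  # (We'll create just a single-AZ deployment for our user setup Lambda to keep things simple)
  LambdaSubnet:
    Type: 'AWS::EC2::Subnet'
    Properties:
      AvailabilityZone: !Select [0, !GetAZs '']
      CidrBlock: !GetAtt StudioDomain.ProposedAdminSubnetCidr
      # TODO: Support IPv6
      #AssignIpv6AddressOnCreation: false
      #Ipv6CidrBlock: !Select [3, !Cidr [!Select [0, !GetAtt 'VPC.Ipv6CidrBlocks'], 4, 64]]
      VpcId: !GetAtt StudioDomain.VpcId
      Tags:
        - Key: Name
          Value: 'StudioSetupLambdaSubnet'

  LambdaRouteTable:
    Type: 'AWS::EC2::RouteTable'
    Properties:
      VpcId: !GetAtt StudioDomain.VpcId
      Tags:
        - Key: Name
          Value: 'StudioSetupLambdaSubnet'

  LambdaRouteTableAssociation:
    Type: 'AWS::EC2::SubnetRouteTableAssociation'
    Properties:
      SubnetId: !Ref LambdaSubnet
      RouteTableId: !Ref LambdaRouteTable

  NatGatewayEIP:
    Type: 'AWS::EC2::EIP'
    Properties:
      Domain: vpc

  NatGateway:
    Type: 'AWS::EC2::NatGateway'
    Properties:
      AllocationId: !GetAtt NatGatewayEIP.AllocationId
      SubnetId: !Select [0, !Split [',', !GetAtt StudioDomain.SubnetIds]]

  LambdaNatGatewayRoute:
    Type: 'AWS::EC2::Route'
    Properties:
      RouteTableId: !Ref LambdaRouteTable
      DestinationCidrBlock: '0.0.0.0/0'
      NatGatewayId: !Ref NatGateway

  # Egress-only: the Lambda initiates all of its connections (GitHub over NAT, EFS via the domain's
  # EFS security groups) and security groups are stateful, so the previous allow-all *ingress* rule
  # from 0.0.0.0/0 granted nothing the function needed and would expose anything else placed in
  # this group. No ingress rules are defined.
  LambdaPublicAccessSecurityGroup:
    Type: 'AWS::EC2::SecurityGroup'
    Properties:
      GroupDescription: >-
        Security group conferring public internet access to SageMaker Studio user setup Lambda
      SecurityGroupEgress:
        - CidrIp: '0.0.0.0/0'
          Description: All traffic
          IpProtocol: '-1'
      VpcId: !GetAtt StudioDomain.VpcId

  # Now ready to define the implementation of our custom resource:
  SMUserContentFunction:
    Type: 'AWS::Serverless::Function'
    DependsOn:
      - StudioEFSAccessPoint
      - LambdaNatGatewayRoute
      - LambdaRouteTableAssociation
      - NatGateway
    Properties:
      Description: CloudFormation custom resource implementation for SageMaker Studio user content
      CodeUri: ./fn-usersetup/
      Handler: main.lambda_handler
      Role: !GetAtt LambdaExecutionRole.Arn
      Runtime: python3.10
      Timeout: 300
      Layers:
        # 3rd party layer to install Git binaries on Lambda function.
        # See: https://github.com/lambci/git-lambda-layer
        # SUPPLY-CHAIN NOTE: this layer's code runs with LambdaExecutionRole (domain delete,
        # servicecatalog:*, root on the Studio EFS). It is pinned to an immutable layer version, which
        # is the right thing; do not change it to 'latest', and prefer publishing a copy into your
        # own account for anything beyond a workshop. Only published in the 'aws' partition.
        - !Sub 'arn:aws:lambda:${AWS::Region}:553035198032:layer:git-lambda2:8'
        - !Ref LambdaCommonLayer
      FileSystemConfigs:
        - Arn: !GetAtt StudioEFSAccessPoint.Arn
          LocalMountPath: /mnt/efs
      VpcConfig:
        SecurityGroupIds:
          - !Ref LambdaPublicAccessSecurityGroup # Public access for fetching from GitHub/etc
          - !GetAtt StudioDomain.OutboundEFSSecurityGroupId # Access to connect to Studio home filesystem
          - !GetAtt StudioDomain.InboundEFSSecurityGroupId # TODO: Is this actually needed?
        SubnetIds:
          - !Ref LambdaSubnet

  # Actual resource instantiation:
  # - Clone the DefaultCodeRepo into the user's SMStudio EFS home folder
  # - Enable their access to SageMaker Projects
  UserSetup:
    Type: 'Custom::SMUserContent'
    DependsOn:
      - UserProfile
    Properties:
      ServiceToken: !GetAtt SMUserContentFunction.Arn
      DomainId: !GetAtt StudioDomain.DomainId
      UserProfileName: !GetAtt UserProfile.UserProfileName
      HomeEfsFileSystemUid: !GetAtt UserProfile.HomeEfsFileSystemUid
      EnableProjects: true
      GitRepository: !Ref DefaultCodeRepo

  ######## OPTIONAL EXTRAS: SERVICE ROLES AND ETC ########
  ## Extra resources set up when `EnableExtras` is turned on
  # Can only auto-create the various Service Roles required for SM Projects if they don't already
  # exist in the account:
  SageMakerServiceRoles:
    Type: 'AWS::Serverless::Application'
    Condition: DeployExtras
    Properties:
      Location: sagemaker-service-roles.cfn.yaml

  # Creating the SageMaker default bucket CORS configuration enables users to upload local files to
  # SM Canvas: https://docs.aws.amazon.com/sagemaker/latest/dg/canvas-set-up-local-upload.html
  # In addition to `POST`, `GET` is required for model quality reports to load in the SM Model
  # Registry UI.
  # ...But it does mean this template won't work in environments where the SM default bucket has
  # already been created!
  # NOTE(review): the wildcard CORS origin does not by itself grant any access - every request still
  # needs valid S3 credentials or a presigned URL/POST, and public access is blocked below. It does
  # mean any origin may *attempt* browser requests, so keep the bucket private as configured.
  SageMakerDefaultBucket:
    Type: 'AWS::S3::Bucket'
    Condition: DeployExtras
    Properties:
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - BucketKeyEnabled: true
            ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      BucketName: !Sub 'sagemaker-${AWS::Region}-${AWS::AccountId}'
      CorsConfiguration:
        CorsRules:
          - AllowedHeaders:
              - '*'
            AllowedMethods:
              - 'GET'
              - 'HEAD'
              - 'POST'
            AllowedOrigins:
              - '*'
            ExposedHeaders: []
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true

Outputs:
  DomainId:
    Description: SageMaker Studio Domain ID
    Value: !GetAtt StudioDomain.DomainId
  UserProfileName:
    Description: SageMaker Studio Username
    Value: !GetAtt UserProfile.UserProfileName
  HomeEfsFileSystemUid:
    Description: SageMaker Studio EFS User ID
    Value: !GetAtt UserProfile.HomeEfsFileSystemUid
  SubnetIds:
    Description: VPC Subnet IDs
    Value: !GetAtt StudioDomain.SubnetIds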