Naming Conventions¶

For config file naming conventions (filename patterns, discriminator segments), see Configuration Reference.

All naming conventions are derived directly from src/ml_provisioner/generators/cfn_generator.py.

Table of Contents¶

ML Product Name
Physical Resource Names
CloudFormation Logical IDs
SSM Parameter Store Paths
KMS Key Alias
CloudFormation Stack Name
Tags
Name Length Limits

ML Product Name¶

The ml_name is the central identifier that flows through all resource names, SSM paths, and stack names.

Without workload:

{company_prefix}-{env}-{tenant_id}-{region}-{use_case}-ml

With workload:

{company_prefix}-{env}-{tenant_id}-{region}-{use_case}-{workload}-ml

Examples:

globalbank-prod-c001-us-west-2-fraud-detection-ml
globalbank-prod-c001-us-west-2-fraud-detection-realtime-ml
techcorp-prod-a001-us-west-2-customer-churn-ml

Config fields:

Field	Config Key
`company_prefix`	`client.company_prefix`
`env`	`environment.env`
`tenant_id`	`client.tenant_id`
`region`	`environment.region`
`use_case`	`ml_product.use_case`
`workload`	`ml_product.workload` (optional)

Physical Resource Names¶

Most physical names follow the same base pattern as ml_name with a resource-specific suffix appended.

Without workload:

{company_prefix}-{env}-{tenant_id}-{region}-{use_case}-{suffix}

With workload:

{company_prefix}-{env}-{tenant_id}-{region}-{use_case}-{workload}-{suffix}

Two resource types use a different pattern due to AWS service name length constraints — see the notes in the table below.

Resource Suffixes¶

Resource Type	Suffix	Pattern	Example Physical Name
`AWS::SageMaker::ModelPackageGroup`	`models`	Standard	`globalbank-prod-c001-us-west-2-fraud-detection-models`
`AWS::CodeCommit::Repository`	`model-build` / `model-deploy`	Standard	`globalbank-prod-c001-us-west-2-fraud-detection-model-build`
`AWS::CodeBuild::Project`	`build` / `deploy`	Standard	`globalbank-prod-c001-us-west-2-fraud-detection-build`
`AWS::CodePipeline::Pipeline`	`build-pipeline` / `deploy-pipeline`	Standard	`globalbank-prod-c001-us-west-2-fraud-detection-build-pipeline`
`AWS::IAM::Role`	`codebuild-role` / `codepipeline-role` / `sagemaker-execution-role` / `pipe-execution-role`	IAM (see note 2)	`globalbank-prod-c001-fraud-detection-codebuild-role`
`AWS::IAM::ManagedPolicy`	`enhanced-build-policy` / `enhanced-deploy-policy` / `permission-boundary`	IAM (see note 2)	`globalbank-prod-c001-fraud-detection-enhanced-build-policy`
`AWS::S3::Bucket`	`artifacts`	Standard	`globalbank-prod-c001-us-west-2-fraud-detection-artifacts`
`AWS::Events::Rule`	`event-rule`	Standard	`globalbank-prod-c001-us-west-2-fraud-detection-event-rule`
`AWS::CloudWatch::Dashboard`	`dashboard`	Standard	`globalbank-prod-c001-us-west-2-fraud-detection-dashboard`
`AWS::Logs::LogGroup`	`compliance-logs`	Standard	`globalbank-prod-c001-us-west-2-fraud-detection-compliance-logs`
`AWS::CloudWatch::Alarm`	`unauthorized-api-calls` / `root-account-usage`	Standard	`globalbank-prod-c001-us-west-2-fraud-detection-unauthorized-api-calls`
`AWS::SNS::Topic`	`security-alerts`	Standard	`globalbank-prod-c001-us-west-2-fraud-detection-security-alerts`
`AWS::EC2::SecurityGroup`	`endpoint-sg`	Standard	`globalbank-prod-c001-us-west-2-fraud-detection-endpoint-sg`

Note 1 — IAM resources (region omitted):

IAM is a global AWS service — role and policy names are unique per AWS account, not per region. Region is therefore omitted from IAM names to stay within the 64-character IAM role name limit.

The IAM naming pattern is:

{company_prefix}-{env}-{tenant_id}-{use_case}-{suffix} (without workload)

{company_prefix}-{env}-{tenant_id}-{use_case}-{workload}-{suffix} (with workload).

Note 2:

AWS::KMS::Key and AWS::SNS::Subscription do not have physical names — KMS keys are referenced by ARN, subscriptions have no name property.

CloudFormation Logical IDs¶

Logical IDs are used internally within the CloudFormation template to reference resources.

Pattern:

{PascalCase(company_prefix)}{PascalCase(use_case)}{PascalCase(resource_key)}

company_prefix and use_case are converted from kebab-case to PascalCase
resource_key is converted from snake_case to PascalCase

Examples:

Blueprint Key	Logical ID
`model_registry`	`GlobalbankFraudDetectionModelRegistry`
`repositories_model_build`	`GlobalbankFraudDetectionRepositoriesModelBuild`
`repositories_model_deploy`	`GlobalbankFraudDetectionRepositoriesModelDeploy`
`codebuild_projects_build`	`GlobalbankFraudDetectionBuildProjectsBuild`
`codebuild_projects_deploy`	`GlobalbankFraudDetectionBuildProjectsDeploy`
`pipelines_build_pipeline`	`GlobalbankFraudDetectionPipelinesBuildPipeline`
`pipelines_deploy_pipeline`	`GlobalbankFraudDetectionPipelinesDeployPipeline`
`iam_roles_codebuild_role`	`GlobalbankFraudDetectionIamRolesCodebuildRole`
`iam_roles_codepipeline_role`	`GlobalbankFraudDetectionIamRolesCodepipelineRole`
`iam_roles_sagemaker_execution_role`	`GlobalbankFraudDetectionIamRolesSagemakerExecutionRole`
`pipe_role_pipe_execution_role`	`GlobalbankFraudDetectionPipeRolePipeExecutionRole`
`artifacts_bucket`	`GlobalbankFraudDetectionArtifactsBucket`
`eventbridge_rule`	`GlobalbankFraudDetectionEventbridgeRule`
`eventbridge_pipe`	`GlobalbankFraudDetectionEventbridgePipe`
`dashboard`	`GlobalbankFraudDetectionDashboard`
`kms_key`	`GlobalbankFraudDetectionKmsKey`
`kms_alias`	`GlobalbankFraudDetectionKmsAlias`
`compliance_log_group`	`GlobalbankFraudDetectionComplianceLogGroup`
`alerts_topic`	`GlobalbankFraudDetectionAlertsTopic`
`endpoint_security_group`	`GlobalbankFraudDetectionEndpointSecurityGroup`

SSM Parameter Store Paths¶

All deployed resource identifiers are stored in SSM Parameter Store at deployment time.

Standard outputs:

/ml/{ml_name}/{OutputKey}

VPC endpoint outputs (one per service):

/ml/{ml_name}/VpcEndpointId{Service}

Full Path Reference¶

Output Key	SSM Path	Tier
`ModelPackageGroupArn`	`/ml/{ml_name}/ModelPackageGroupArn`	All
`RepositoryUrl`	`/ml/{ml_name}/RepositoryUrl`	All (codecommit only)
`BucketName`	`/ml/{ml_name}/BucketName`	Professional + Enterprise
`DashboardName`	`/ml/{ml_name}/DashboardName`	Professional + Enterprise
`KmsKeyArn`	`/ml/{ml_name}/KmsKeyArn`	Enterprise
`LogGroupName`	`/ml/{ml_name}/LogGroupName`	Enterprise
`SecurityGroupId`	`/ml/{ml_name}/SecurityGroupId`	Enterprise (standalone mode only)
`VpcEndpointIdSagemakerApi`	`/ml/{ml_name}/VpcEndpointIdSagemakerApi`	Enterprise
`VpcEndpointIdSagemakerRuntime`	`/ml/{ml_name}/VpcEndpointIdSagemakerRuntime`	Enterprise
`VpcEndpointIdS3`	`/ml/{ml_name}/VpcEndpointIdS3`	Enterprise
`VpcEndpointIdSts`	`/ml/{ml_name}/VpcEndpointIdSts`	Enterprise

Example paths for ml_name globalbank-prod-c001-us-west-2-fraud-detection-ml:

/ml/globalbank-prod-c001-us-west-2-fraud-detection-ml/ModelPackageGroupArn
/ml/globalbank-prod-c001-us-west-2-fraud-detection-ml/BucketName
/ml/globalbank-prod-c001-us-west-2-fraud-detection-ml/KmsKeyArn
/ml/globalbank-prod-c001-us-west-2-fraud-detection-ml/VpcEndpointIdSagemakerApi

KMS Key Alias¶

alias/{ml_name}-key

Example:

alias/globalbank-prod-c001-us-west-2-fraud-detection-ml-key

CloudFormation Stack Name¶

The stack name is derived from ml_name with a -stack suffix appended by the deployment logic in ml_manager.py:

{ml_name}-stack

Example:

globalbank-prod-c001-us-west-2-fraud-detection-ml-stack

Tags¶

All taggable resources receive the following tags:

Tag Key	Value	Source
`Name`	Physical resource name	Auto-generated
`Environment`	`{env}`	`environment.env`
`ManagedBy`	`ml-provisioner-tool`	Hardcoded
(custom tags)	(from config)	`tags.*` in config

Custom tags from the tags section of the config file are merged in after the mandatory base tags.

Note: AWS::KMS::Alias does not support tags — AWS limitation.

Name Length Limits¶

The generator validates physical names against AWS service limits at generation time. If a name exceeds the limit a ValueError is raised with guidance to shorten company_prefix, use_case, or tenant_id.

Limits are defined in common/src/common/utils/aws_helpers.py under NAME_LENGTH_LIMITS:

Resource Type	Max Length
`AWS::SageMaker::ModelPackageGroup`	63
`AWS::CodeCommit::Repository`	100
`AWS::CodeBuild::Project`	255
`AWS::CodePipeline::Pipeline`	100
`AWS::S3::Bucket`	63
`AWS::IAM::Role`	64
`AWS::IAM::ManagedPolicy`	128
`AWS::Events::Rule`	64
`AWS::CloudWatch::Dashboard`	255
`AWS::CloudWatch::Alarm`	256
`AWS::Logs::LogGroup`	512
`AWS::SNS::Topic`	256
`AWS::EC2::SecurityGroup`	255
`AWS::EC2::VPCEndpoint`	1000
`AWS::KMS::Alias`	256
`AWS::SSM::Parameter`	1011

use_case maximum length — 20 characters

AWS::IAM::Role has the tightest AWS name limit at 64 characters

With typical config values, a use_case longer than 20 characters causes IAM role names to exceed this limit

The validation schema enforces the 20-character maximum on ml_product.use_case

Use cases exceeding this limit are rejected at validate-config time