Prerequisites

Resources and conditions that must exist before deploying an ML Provisioner provisioning template. The ML Provisioner does not create these — they are the client’s responsibility.

Table of Contents

• S3 Source Control Bucket

• SNS Email Confirmation

• VPC

• SG Provisioner

---

S3 Source Control Bucket (source_control: s3)

When ml_product.source_control is set to s3 in the YAML config, no AWS::CodeCommit::Repository resources are created. Instead, CodeBuild and CodePipeline resources reference an existing S3 bucket as their source.

Requirements

Requirement	Detail
Bucket must exist	The bucket referenced by ml_product.s3_prefix must be created before deploying
Versioning must be enabled	CodePipeline S3 source requires bucket versioning — pipelines will fail to execute if versioning is off
Expected prefixes must be present	The bucket must contain the model-build and model-deploy source archives under the configured prefix before the first pipeline run

Why the ML Provisioner does not validate this

The S3 bucket is not a CloudFormation-level dependency — the stack will deploy successfully even if the bucket is absent or empty. The failure only surfaces later when a pipeline is triggered for the first time. For this reason, the ML Provisioner emits a warning during validation rather than blocking the deploy with a hard error.

This is intentionally different from VPC validation (which is a hard error) because a missing VPC causes an immediate CFN deploy failure, whereas a missing S3 bucket causes a silent pipeline execution failure.

Recommended setup checklist (client)

1. Create the S3 bucket in the same region as the ML stack

2. Enable versioning

3. Upload initial source archives to the expected prefixes

4. Set ml_product.s3_prefix in the YAML config to the correct bucket-name/optional/prefix value

5. Deploy the ML Provisioner template

Example (techcorp starter scenario, us-west-2):

# 1. Create the S3 bucket
aws s3api create-bucket \
  --bucket techcorp-a001-ml-source \
  --region us-west-2 \
  --create-bucket-configuration LocationConstraint=us-west-2

# 2. Enable versioning
aws s3api put-bucket-versioning \
  --bucket techcorp-a001-ml-source \
  --versioning-configuration Status=Enabled

# 3. Block public access
aws s3api put-public-access-block \
  --bucket techcorp-a001-ml-source \
  --public-access-block-configuration \
  BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true

# 4. Upload initial source archives (placeholder zip files to allow first pipeline run)
aws s3 cp model-build.zip s3://techcorp-a001-ml-source/customer-churn/model-build.zip
aws s3 cp model-deploy.zip s3://techcorp-a001-ml-source/customer-churn/model-deploy.zip

Then set in your config:

ml_product:
  source_control: s3
  s3_prefix: techcorp-a001-ml-source/customer-churn

---

SNS Email Confirmation (professional + enterprise)

When ml_product.alerts_email is set, an AWS::SNS::Subscription is created that sends security alert notifications to that email address. AWS requires the recipient to confirm the subscription before any notifications are delivered.

What happens

• On first deploy-product, the SNS subscription is created with status PendingConfirmation

• AWS sends a confirmation email to alerts_email

• The recipient must click Confirm subscription in the email

• Until confirmed, no alerts are delivered — the stack deploys successfully regardless

Recommended setup

1. Ensure alerts_email in the config is a valid, monitored email address

2. After deploying, check the inbox for a confirmation email from no-reply@sns.amazonaws.com

3. Click the confirmation link

4. Verify subscription status:

aws sns list-subscriptions-by-topic \
  --topic-arn $(aws ssm get-parameter \
    --name /ml/globalbank-prod-c001-us-west-2-demand-forecasting-ml/AlertsTopicArn \
    --query Parameter.Value --output text) \
  --query 'Subscriptions[0].SubscriptionArn'

---

SG Provisioner (enterprise + sgprov mode)

When ml_product.vpc_integration.mode is set to sgprov, the ML Provisioner reads an existing Security Group ID from SSM Parameter Store instead of creating one. The SG Provisioner must be deployed first and the SecurityGroupId must be available in SSM.

Requirements

Requirement	Detail
SG Provisioner deployed	The SG Provisioner stack must exist and be in CREATE_COMPLETE state
SecurityGroupId in SSM	The path /sg/{sg-name}/{tier}/SecurityGroupId must be populated

Verify SG Provisioner is ready

# Check SG Provisioner stack status
aws cloudformation describe-stacks \
  --stack-name globalbank-prod-c001-us-west-2-sg-stack \
  --query 'Stacks[0].StackStatus' --output text

# Verify SecurityGroupId is in SSM
aws ssm get-parameter \
  --name /sg/globalbank-prod-c001-us-west-2-sg/app/SecurityGroupId \
  --query Parameter.Value --output text

---

VPC (enterprise tier only)

When ml_product.vpc_integration.mode is set to standalone or sgprov, the VPC and private subnets referenced in the config must exist before deploying. The ML Provisioner validates this at deploy time and will raise a hard error if the VPC cannot be resolved.

Route tables for S3 Gateway endpoint

The S3 VPC endpoint uses the Gateway type. Unlike Interface endpoints, Gateway endpoints work by injecting a route into one or more route tables — without this, traffic from the VPC to S3 will not flow through the endpoint.

The route_table_ids config field accepts a list of route table IDs and defaults to empty. Two deployment scenarios:

Scenario	What to do
With VPC Provisioner	VPC Provisioner knows the route table IDs — populate route_table_ids in the config. Fully self-contained.
Without VPC Provisioner	Leave route_table_ids empty. The networking team must manually associate the S3 Gateway endpoint with the correct route tables post-deploy, or populate the IDs before deploying.

Manual association (after deploy)

After deploying, the networking team can associate the endpoint with route tables:

# Get the VPC endpoint ID from SSM
aws ssm get-parameter \
  --name /ml/globalbank-prod-c001-us-west-2-demand-forecasting-ml/VpcEndpointIdS3 \
  --query Parameter.Value --output text

# Associate the endpoint with route tables
aws ec2 modify-vpc-endpoint \
  --vpc-endpoint-id vpce-0abc123def456789a \
  --add-route-table-ids rtb-0123456789abcdef0 rtb-0fedcba9876543210