Release NotesΒΆ

v1.0.1 (2026-06-15)ΒΆ

Bug FixesΒΆ

  • Fixed s3_prefix attribute not being set when source_control: s3 is configured β€” caused AttributeError during deploy-product validation (ALLOWED_ML_KEYS was missing s3_prefix)

v1.0.0 (2026-06-01)ΒΆ

Initial release of the ML Provisioner Tool.

FeaturesΒΆ

  • Tier-based provisioning β€” 3 tiers covering the full range of ML infrastructure needs:

    • Starter β€” foundation MLOps platform for small teams and proof-of-concept projects

    • Professional β€” enhanced monitoring, event-driven automation, and additional policies

    • Enterprise β€” VPC integration, KMS encryption, compliance monitoring, and permission boundaries

  • Dual source control β€” CodeCommit repositories or existing S3 bucket as pipeline source

  • Workload discriminator β€” deploy multiple independent ML products in the same environment without naming collisions

Note: Each stack provisions one ML use case. Use the workload field to deploy multiple independent ML products in the same environment without naming collisions.

  • VPC integration (enterprise) β€” attach to existing VPC via SSM Parameter Store paths or direct VPC ID

  • Two VPC modes (enterprise):

    • Standalone β€” ML Provisioner creates and manages its own endpoint Security Group

    • SG Provisioner β€” reads existing Security Group ID from SSM, no conflict with SG Provisioner

  • Route table support β€” optional route_table_ids for automatic S3 Gateway endpoint route associations

  • KMS encryption (enterprise) β€” Customer Managed Key applied to S3 artifacts bucket and CodePipeline artifact store

  • Compliance monitoring (enterprise) β€” CloudWatch Alarms for root account usage and unauthorized API calls, with SNS alerting

  • Parameter Store outputs β€” all deployed resource identifiers stored at /ml/{product-name}/ for downstream consumption

  • 12 CLI actions:

    • validate-config, list-products, show-product

    • create-policy, create-prov-template, validate-prov-template

    • create-review-report

    • test-deploy, deploy-product, delete-product

    • show-changes, check-drift

  • Least-privilege IAM policy generation β€” create-policy generates a scoped policy for the exact resources being deployed

  • Pre-deployment review report β€” HTML report summarising what will be deployed for stakeholder review

  • Post-deployment report β€” HTML deployment summary with stack outputs

  • Test deploy β€” isolated deployment with random suffix for safe pre-production validation

  • Drift detection β€” check-drift identifies resources modified outside of CloudFormation

  • Change preview β€” show-changes previews pending changes before updating a deployed stack

  • AWS Marketplace license validation β€” subscription validated on every action

ArchitectureΒΆ

  • Config-driven YAML provisioning β€” single config file per deployment scenario

  • Tier blueprint system β€” starter.yaml, professional.yaml, enterprise.yaml define resource structures

  • CfnGenerator β€” constructs CloudFormation templates as Python dicts, no string substitution

  • ProductValidator β€” security checks before template generation (IAM wildcards, public S3, open ports, missing KMS)

  • Docker container with Cython-compiled modules for IP protection

  • Three tier images: ml-provisioner:starter, ml-provisioner:professional, ml-provisioner:enterprise

  • Common package integration (BaseCLI, logger, utilities)

Supported ScenariosΒΆ

18 scenarios across 3 tiers β€” 4 starter, 4 professional, 10 enterprise. See Configuration Guide for the full scenario matrix.

Known LimitationsΒΆ

  • CodeCommit repositories are created per stack β€” no sharing across stacks (planned for v1.1.0 β€” see Roadmap)

  • AWS::SageMaker::Project provisioning deferred to SageMaker Provisioner (see Roadmap)

  • No cost estimation (planned for v1.2.0 β€” see Roadmap)